Re: secure32.exe
- From: "Michael Blanc" <mblanc@xxxxxxxx>
- Date: Fri, 20 Jan 2006 00:37:06 -0800
Thank you Vladimir,
"Scherbina Vladimir" <vladimir.scherbina@xxxxxxxxx> wrote in message
news:#OrZxvYHGHA.312@xxxxxxxxxxxxxxxxxxxxxxx
> check the following registry keys on the infected machine:
>
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
>
> is there any mention of your file? (note the registry value can have another
> name, but the path should include secure32).
>
I had checked those registry keys but found nothing recognizable.
But what I did do (and it seems so deceptively simple!) is to locate the binary itself, change its attribute to "visible", then reboot in safe mode and delete it. There was no problem after that.
It would be good, however, to find any vestigial components of this thing. For example, how did it get launched? Its name must be somewhere, in a startup command file (or in the registry?). What kind of search could be used - I tried to search files that had the text "secure32" or "secure32.exe" but found nothing.
> Why can't you remove it from Task Manager? Seems like the module has its
> protection? Open this process in Far and look at the list of modules it
> uses.
I wasn't allowed to kill the task in the Task Manager, nor could I erase the file while the system ran.
In "safe" mode however, the offending process did not run, so its protection (of what sort I do not know) was absent.
> Try to find "not-usual" dlls that are loaded in secure32.exe. More likely,
> secure32.exe extracts a dll from its resources and injects it somewhere;
> after being injected this dll may monitor the system for occurrences of
> secure32.exe and if it's absent (somebody terminated it) start it. If you
> find this "unusual dll" try to find it in all processes - if there are any
> occurrences in other processes, then most likely secure32 uses
> SetWindowsHook to map it in all processes.
> Try to find that dll (and remove) in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
>
> In addition to all that I wrote you may use ProcessExplorer from
> www.sysinternals.com (it's free) to see what mutexes, events, threads
> secure32.exe creates; and play with them. Most malware creates protection
> threads - a piece of code that monitors OS items to protect (registry,
> processes, etc), so if you terminate the protection thread (if you
> find it) you will be able to remove it.
>
> I usually perform these simple steps to remove malware, and if I fail I
> take a debugger (SoftIce or OllyDbg, IDA Pro) and begin debugging to make sure
> how to remove that stuff from the system.
>
> --
> Vladimir
>
Thanks again. I'll try to follow up on your suggestions to the extent of my present understanding.
Regards,
MB
> "Michael Blanc" <mblanc@xxxxxxxx> wrote in message
> news:fJydnb4gJ-MTgU3enZ2dnUVZ_sidnZ2d@xxxxxxxxxxxxxx
> > I want *manual* instructions. Registry Keys, etc.
> >
> > David H. Lipman wrote in message ...
> >> From: "Michael Blanc" <mblanc@xxxxxxxx>
> >>
> >> | I suspect that this binary is a parasite. I can't kill it in the Task
> >> | Manager and don't know where to find it in the registry.
> >> |
> >> | I am having problems with the system - the computer keeps sending 100s of
> >> | Kbytes upon dial-up connection, and cannot even load a URL because of this
> >> | degraded bandwidth.
> >> |
> >> | Am I right about this binary? If so, I will want to *manually* remove it,
> >> | hence need the instructions. (OS = Win2000, browser is IE5). Needless to
> >> | say, I am using a different machine to post this.
> >> |
> >> | Thanks for any help!
> >> |
> >> | MB
> >> |
> >>
> >> It is a Downloader Trojan so it may have associates that it has installed.
> >>
> >> Download MULTI_AV.EXE from the URL --
> >> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
> >
> > <snip>.....
> >
> >> * * * Please report back your results * * *
> >>
> >> --
> >> Dave
> >> http://www.claymania.com/removal-trojan-adware.html
> >> http://www.ik-cs.com/got-a-virus.htm
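The checks Vladimir describes above (the four Run/RunOnce keys, the Winlogon\Notify packages, and a DLL mapped into other processes) can be scripted as a read-only triage pass. The script below is an added example, not code from anyone in this thread; it assumes a modern Windows host with PowerShell 5 or later (the original machine ran Windows 2000, which had no PowerShell), and the `-Needle` parameter and the two function names are my own. It only reports matches; it deletes nothing.

```powershell
# Added example (not from the thread): enumerate the autostart locations
# named in the thread and report any value whose data mentions the file name.
# Assumes PowerShell 5+ on a modern Windows host; run from an elevated prompt
# so HKLM and other users' processes are readable.
param(
    [string]$Needle = 'secure32'   # file name from the thread; any name works
)

# Registry locations quoted in the thread: Run/RunOnce for machine and user,
# plus the Winlogon notification packages.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)

function Find-AutostartReference {
    param([string[]]$Keys, [string]$Pattern)
    $escaped = [regex]::Escape($Pattern)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        # Run/RunOnce keep one value per entry; Winlogon\Notify keeps one
        # subkey per package with a DLLName value, so walk the key and its children.
        $items = @(Get-Item $key) + @(Get-ChildItem $key -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $data = [string]$item.GetValue($name)
                # Match on the data, not the value name: as the thread notes, the
                # value can be renamed while the path still contains the file name.
                if ($data -match $escaped) {
                    [pscustomobject]@{
                        Key   = $item.PSPath -replace '^.*::', ''
                        Value = $name
                        Data  = $data
                    }
                }
            }
        }
    }
}

function Find-LoadedModule {
    param([string]$Pattern)
    $escaped = [regex]::Escape($Pattern)
    # A DLL mapped into every process through a hook shows up in each
    # process's module list; processes that refuse access are skipped.
    foreach ($proc in Get-Process) {
        $mods = @()
        try { $mods = @($proc.Modules) } catch { continue }
        foreach ($m in $mods) {
            if ($m.FileName -match $escaped) {
                [pscustomobject]@{
                    PID     = $proc.Id
                    Process = $proc.ProcessName
                    Module  = $m.FileName
                }
            }
        }
    }
}

Write-Host "Autostart entries referencing '$Needle':"
Find-AutostartReference -Keys $autostartKeys -Pattern $Needle | Format-Table -AutoSize
Write-Host "Processes with a loaded module referencing '$Needle':"
Find-LoadedModule -Pattern $Needle | Format-Table -AutoSize
```

An empty result from the registry pass does not rule the file out, as Michael's own experience shows; other autostart locations exist (services, scheduled tasks, shell extensions) and a loader can re-create its entries. Treat a hit in the module list of unrelated processes as the cue to look at the hook mechanism Vladimir mentions, and examine such a host in safe mode or offline before removing anything.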