Posted by Dustin Cook on January 26, 2007, 12:58 am
> Thank you Vladimir,
>
>
>> check following registry keys on infected machine:
>>
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
>> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
>>
>> is there any mention of your file ? (note registry value can have
>> another name, but path should include secure32).
>>
>
> I had checked those registry keys but found nothing recognizable.
>
> But what I did do (and it seems so deceptively simple!) is to locate
> the binary itself, change
> its attribute to "visible", then reboot in safe mode and delete it.
> There was no problem after
> that.
>
> It would be good, however, to find any vestigial components of this
> thing. For example, how did it get launched? Its name must be
> somewhere, in a startup command file (or in the registry?). What
> kind of search could be used - I tried to search files that had the
> text "secure32" or "secure32.exe" but found nothing.
>
>
>> Why can't you remove it from Task Manager ? Seems like module has
>> its protection? Open this process in the Far and look at the list of
>> modules it uses.
>
>
> I wasn't allowed to kill the task in the Task Manager, nor could I
> erase the file while the system ran.
> In "safe" mode however, the offending process did not run, so its
> protection (of what sort I do not
> know) was absent.
>
>
>> Try to find "not-usual" dlls that are loaded in secure32.exe. More
>> likely, secure32.exe extracts a dll from its resources and injects it
>> somewhere; after being injected this dll may monitor the system for
>> occurrences of secure32.exe and if it's absent (somebody terminated
>> it) start it. If you find this "unusual dll" try to find it in all
>> processes - if there are any occurrences in other processes, then
>> most likely secure32 uses SetWindowsHook to map it in all processes.
>> Try to find that dll (and remove) in
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
>>
>> In addition to all that I wrote you may use ProcessExplorer from
>> www.sysinternals.com (it's free) to see what mutexes, events, threads
>> secure32.exe creates; and play with them. Most malware creates
>> protection threads - a piece of code that monitors OS items to
>> protect (registry, processes, etc), so if you terminate the
>> protection thread (if you find it) you will be able to remove it.
>>
>> I usually perform these simple steps to remove malware, and if I
>> fail I take a debugger (SoftIce or OllyDbg, IDA pro) and begin
>> debugging to make sure how to remove that stuff from the system.
>>
>> --
>> Vladimir
>>
>
> Thanks again. I'll try to follow up on your suggestions to the extent
> of my present
> understanding.
>
> Regards,
>
> MB
>
>> >I want *manual* instructions. Registry Keys, etc.
>> >
>> >
>> >
>> > David H. Lipman wrote in message ...
>> >>
>> >>| I suspect that this binary is a parasite. I can't kill it in the
>> >>| Task Manager and don't know where to find it in the registry.
>> >>|
>> >>| I am having problems with the system - the computer keeps sending
>> >>| 100s of Kbytes upon dial-up connection, and cannot even load a URL
>> >>| because of this degraded bandwidth.
>> >>|
>> >>| Am I right about this binary? If so, I will want to *manually*
>> >>| remove it, hence need the instructions. (OS = Win2000, browser is IE5).
>> >>| Needless to say, I am using a different machine to post this.
>> >>|
>> >>| Thanks for any help!
>> >>|
>> >>| MB
>> >>|
>> >>
>> >>It is a Downloader Trojan so it may have associates that it has
>> >>installed.
>> >>
>> >>Download MULTI_AV.EXE from the URL --
>> >>http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>> >
>> > <snip>.....
>> >
>> >>
>> >>* * * Please report back your results * * *
>> >>
>> >>
>> >>
>> >>--
>> >>Dave
>> >>http://www.claymania.com/removal-trojan-adware.html
>> >>http://www.ik-cs.com/got-a-virus.htm
>> >>
>> >>
>> >
>> >
>>
>>
>
>
>
It's a shame you didn't preserve a copy for analysis... It could have
been studied and your questions answered...
--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.1
web: http://bughunter.it-mate.co.uk email: bughunter.dustin@gmail.com.removethis
Last updated: January 25th, 2007
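The manual checks Vladimir lists above (the four Run/RunOnce keys, the Winlogon\Notify packages, and whether an injected DLL shows up in other processes) can be scripted for a responder. The following is an added example written for this page, not code from anyone in the thread; it assumes PowerShell is available on the inspected machine (which would not have been the case on the original Win2000 box) and uses the thread's "secure32" as the default search string.

```powershell
# Added example (not from the original thread): enumerate the autostart
# locations discussed above and flag anything referring to $Pattern.
param(
    [string]$Pattern = 'secure32'   # assumed: the filename from the thread
)

# Registry provider adds these bookkeeping properties to every key object;
# they are not autostart values and are skipped below.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunHits {
    param([string]$Pattern)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }
            # Match on the data (the command line), not the value name:
            # as the thread notes, the value name can be anything.
            if ("$($prop.Value)" -match $Pattern) {
                [pscustomobject]@{ Location = $key; Name = $prop.Name; Data = $prop.Value }
            }
        }
    }
}

function Get-WinlogonNotifyPackages {
    # Each subkey of Winlogon\Notify names a DLL (DLLName) that winlogon
    # loads at logon; list them all so unfamiliar ones stand out.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notify)) { return }
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        [pscustomobject]@{ Location = $sub.PSPath; Name = 'DLLName'; Data = $dll }
    }
}

function Find-ModuleInProcesses {
    # A DLL mapped into many processes (e.g. via SetWindowsHook) shows up
    # in their module lists; report every process that has loaded one
    # whose name or path matches the pattern.
    param([string]$Pattern)
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # access denied on protected/system processes
        foreach ($m in $mods) {
            if ($m.ModuleName -match $Pattern -or $m.FileName -match $Pattern) {
                [pscustomobject]@{ ProcessName = $p.ProcessName; ProcessId = $p.Id; Module = $m.FileName }
            }
        }
    }
}

Write-Host "== Run/RunOnce values mentioning '$Pattern' =="
Get-AutorunHits -Pattern $Pattern | Format-Table -AutoSize

Write-Host "== Winlogon\Notify packages (review each DLL) =="
Get-WinlogonNotifyPackages | Format-Table -AutoSize

Write-Host "== Processes with a loaded module matching '$Pattern' =="
Find-ModuleInProcesses -Pattern $Pattern | Format-Table -AutoSize
```

Run it from an elevated prompt so that the module lists of more processes are readable; processes that still refuse access are skipped rather than aborting the sweep. The Winlogon\Notify listing is deliberately unfiltered, since a malicious notification package need not contain the searched-for string, which is the same reason the thread suggests looking for "unusual" DLLs rather than a known name.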