Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for NetSecure

- - - - -

  • Please log in to reply
No replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Content is republished with permission from Malwarebytes.

What is NetSecure?

The Malwarebytes research team has determined that NetSecure is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by NetSecure?

You may see these proxy-setting in Internet Explorer > Internet Options > Connections > LAN Settings :

proxy.png

and find this visual basic script in your Windows directory:

adserver.png

How did NetSecure get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove NetSecure?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to:
  • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • Is there anything else I need to do to get rid of NetSecure?
    • No, Malwarebytes' Anti-Malware removes NetSecure completely.
    How would the full version of Malwarebytes Anti-Malware help protect me?

    We hope our application and this guide have helped you eradicate this hijacker.

    As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the NetSecure adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

    protection1.png


    Technical details for experts

    Possible signs in FRST logs:
     (The Privoxy team - www.privoxy.org) C:\Windows\{computername}_020716\oxy.exe
     (www.searchz.co) C:\Windows\{username}-pc_020716\netsafe.exe
     HKLM-x32\...\Run: [Secured Net] => "C:\Windows\{computername}_020716\netsafe.exe"
     ProxyEnable: [{UserID}] => Proxy is enabled.
     ProxyServer: [{UserID}] => 127.0.0.1:8118
     R2 NetSecure; C:\Windows\{computername}_020716\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
     C:\Windows\{computername}_020716
     C:\Windows\ie.vbs
    
    () C:\Windows\{computername}_020716\mgwz.dll
    () C:\Windows\{computername}_020716\Trackerbird.Tracker.dll
    
    Alterations made by the installer:
    File system details [View: All details] (Selection)
    ---------------------------------------------------
        In the existing folder C:\Windows
           Adds the file ie.vbs"="7/2/2016 8:58 AM, 133 bytes, A
        Adds the folder C:\Windows\{computername}_020716
           Adds the file config.txt"="3/28/2016 3:22 PM, 407 bytes, A
           Adds the file default.action"="2/7/2016 6:10 AM, 21 bytes, A
           Adds the file default.filter"="12/31/2003 10:52 AM, 108 bytes, A
           Adds the file Interop.SHDocVw.dll"="4/4/2016 6:03 AM, 143872 bytes, A
           Adds the file mgwz.dll"="1/22/2016 4:45 AM, 86528 bytes, A
           Adds the file netsafe.exe"="7/2/2016 9:15 AM, 393216 bytes, A
           Adds the file netsafe.exe.config"="5/26/2016 3:53 PM, 146 bytes, A
           Adds the file oxy.exe"="1/22/2016 4:45 AM, 373248 bytes, A
           Adds the file oxy.log"="7/6/2016 8:38 AM, 0 bytes, A
           Adds the file tbconfig.xml"="7/6/2016 8:38 AM, 4711 bytes, A
           Adds the file tbinfo.xml"="7/6/2016 8:38 AM, 1041 bytes, A
           Adds the file tblog.log"="7/6/2016 8:38 AM, 211 bytes, A
           Adds the file Trackerbird.Tracker.dll"="12/7/2015 5:00 AM, 20600 bytes, A
           Adds the file Trackerbird.Tracker.xml"="12/7/2015 4:59 AM, 20874 bytes, A
           Adds the file Trackerbird.x64.dll"="12/7/2015 5:00 AM, 1265784 bytes, A
           Adds the file Trackerbird.x86.dll"="12/7/2015 5:00 AM, 900216 bytes, A
    
    Registry details [View: All details] (Selection)
    ------------------------------------------------
        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
           "Secured Net"="REG_SZ", ""C:\Windows\{computername}_020716\netsafe.exe""
        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB71BAC7-A250-4A3D-8FDB-AF92D73FD1F9}_is1]
           "DisplayVersion"="REG_SZ", "4.01.0"
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetSecure]
           "Description"="REG_SZ", "Secured Layered Network Service"
           "DisplayName"="REG_SZ", "NetSecure"
           "ErrorControl"="REG_DWORD", 1
           "ImagePath"="REG_EXPAND_SZ, "C:\Windows\{computername}_020716\oxy.exe --service"
           "ObjectName"="REG_SZ", "LocalSystem"
           "Start"="REG_DWORD", 2
           "Type"="REG_DWORD", 16
           "WOW64"="REG_DWORD", 1
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
           "ProxyEnable"= REG_DWORD, 1
           "ProxyServer"="REG_SZ", "127.0.0.1:8118"
    
    
    
    Malwarebytes Anti-Malware log:
    Malwarebytes Anti-Malware
    www.malwarebytes.org
    
    Scan Date: 7/6/2016
    Scan Time: 8:59 AM
    Logfile: mbamNetSecure.txt
    Administrator: Yes
    
    Version: 2.2.1.1043
    Malware Database: v2016.07.06.02
    Rootkit Database: v2016.05.27.01
    License: Premium
    Malware Protection: Disabled
    Malicious Website Protection: Enabled
    Self-protection: Enabled
    
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: {username}
    
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 314697
    Time Elapsed: 9 min, 14 sec
    
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
    
    Processes: 2
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe, 2680, Delete-on-Reboot, [0bbf9b85732711257110d0d9f41029d7]
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.exe, 3564, Delete-on-Reboot, [6664f030871391a5ff818623be460bf5]
    
    Modules: 3
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\mgwz.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x86.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    
    Registry Keys: 1
    PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE, Quarantined, [6664f030871391a5ff818623be460bf5], 
    
    Registry Values: 3
    PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Secured Net, "C:\Windows\{computername}_020716\netsafe.exe", Quarantined, [0bbf9b85732711257110d0d9f41029d7]
    PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE|ImagePath, C:\Windows\{computername}_020716\oxy.exe --service, Quarantined, [6664f030871391a5ff818623be460bf5]
    PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, Quarantined, [7951968af7a3e4520054d5fdbb48dc24]
    
    Registry Data: 0
    (No malicious items detected)
    
    Folders: 1
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    
    Files: 18
    PUP.Optional.NetSecure, C:\Users\{username}\Desktop\NetSecure.exe, Quarantined, [399166ba5d3d2412b9dab3f63cc8f907], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe, Delete-on-Reboot, [0bbf9b85732711257110d0d9f41029d7], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.exe, Delete-on-Reboot, [6664f030871391a5ff818623be460bf5], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\config.txt, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\default.action, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\default.filter, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Interop.SHDocVw.dll, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\mgwz.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe.config, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.log, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tbconfig.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tbinfo.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tblog.log, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x64.dll, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x86.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.AdServer, C:\Windows\ie.vbs, Quarantined, [5971829e099178bea1f718918a7a8878], 
    
    Physical Sectors: 0
    (No malicious items detected)
    
    
    (end)
    As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
    We use different ways of protecting your computer(s):
    • Dynamically Blocks Malware Sites & Servers
    • Malware Execution Prevention
    Save yourself the hassle and get protected.

  • 0

Advertisements





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.