What is NetSecure?
The Malwarebytes research team has determined that NetSecure is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by NetSecure?
You may see these proxy settings in Internet Explorer > Internet Options > Connections > LAN Settings:
and find this Visual Basic script in your Windows directory:
How did NetSecure get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove NetSecure?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to:
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- If an update is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of NetSecure?
No, Malwarebytes' Anti-Malware removes NetSecure completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the NetSecure adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it was too late.
Technical details for experts
Possible signs in FRST logs:

(The Privoxy team - www.privoxy.org) C:\Windows\{computername}_020716\oxy.exe
(www.searchz.co) C:\Windows\{username}-pc_020716\netsafe.exe
HKLM-x32\...\Run: [Secured Net] => "C:\Windows\{computername}_020716\netsafe.exe"
ProxyEnable: [{UserID}] => Proxy is enabled.
ProxyServer: [{UserID}] => 127.0.0.1:8118
R2 NetSecure; C:\Windows\{computername}_020716\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
C:\Windows\{computername}_020716
C:\Windows\ie.vbs
() C:\Windows\{computername}_020716\mgwz.dll
() C:\Windows\{computername}_020716\Trackerbird.Tracker.dll
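The FRST signs above combine into one recognisable pattern: a proxy enabled on a loopback address, an unsigned service binary, and a Run entry launching from that same folder. The Python script below is an added example, not code from Malwarebytes or FRST, that checks FRST-style lines for that combination; the function name `triage`, the regular expressions (derived only from the line shapes shown on this page) and the `ExampleUpdater` entry are assumptions made for illustration.

```python
import re
from ntpath import dirname  # Windows path rules on any OS

# Sample input: FRST lines as listed on this page (placeholders kept as
# written) plus one constructed, unrelated Run entry (ExampleUpdater).
SAMPLE_FRST = r'''
HKLM-x32\...\Run: [Secured Net] => "C:\Windows\{computername}_020716\netsafe.exe"
HKLM\...\Run: [ExampleUpdater] => "C:\Program Files\Example\updater.exe"
ProxyEnable: [{UserID}] => Proxy is enabled.
ProxyServer: [{UserID}] => 127.0.0.1:8118
R2 NetSecure; C:\Windows\{computername}_020716\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
'''

# Patterns are assumptions derived only from the line shapes shown above.
PROXY = re.compile(r"^ProxyServer: \[[^\]]*\] => (\S+)")
RUN = re.compile(r'^\S+\\Run: \[([^\]]+)\] => "?([^"]+?\.exe)', re.I)
SERVICE = re.compile(r"^[A-Z]\d (\S+); (.+?\.exe) .*\[File not signed\]", re.I)
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost):\d+$", re.I)


def triage(log_text):
    """Return (kind, detail) findings for the local-proxy hijack pattern."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # The proxy address only matters if the proxy is actually switched on.
    enabled = any(l.startswith("ProxyEnable:") and "Proxy is enabled" in l
                  for l in lines)
    findings, unsigned_dirs, runs = [], {}, []
    for l in lines:
        if m := PROXY.match(l):
            if enabled and LOOPBACK.match(m.group(1)):
                findings.append(("loopback-proxy", m.group(1)))
        elif m := SERVICE.match(l):
            # Remember the folder of every unsigned service binary.
            unsigned_dirs[dirname(m.group(2)).lower()] = m.group(1)
            findings.append(("unsigned-service", m.group(1)))
        elif m := RUN.match(l):
            runs.append(m.groups())
    # A Run entry launching from the same folder as an unsigned service
    # ties the autostart to that service (netsafe.exe next to oxy.exe here).
    for name, target in runs:
        svc = unsigned_dirs.get(dirname(target).lower())
        if svc:
            findings.append(("run-beside-unsigned-service", f"{name} -> {svc}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FRST):
        print(f"{kind}: {detail}")
```

A loopback proxy on its own is not proof of a hijack, since legitimate local filtering tools also set one; the correlation with the unsigned service and the co-located Run entry is what makes the finding worth following up.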
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Windows
  Adds the file ie.vbs"="7/2/2016 8:58 AM, 133 bytes, A
Adds the folder C:\Windows\{computername}_020716
  Adds the file config.txt"="3/28/2016 3:22 PM, 407 bytes, A
  Adds the file default.action"="2/7/2016 6:10 AM, 21 bytes, A
  Adds the file default.filter"="12/31/2003 10:52 AM, 108 bytes, A
  Adds the file Interop.SHDocVw.dll"="4/4/2016 6:03 AM, 143872 bytes, A
  Adds the file mgwz.dll"="1/22/2016 4:45 AM, 86528 bytes, A
  Adds the file netsafe.exe"="7/2/2016 9:15 AM, 393216 bytes, A
  Adds the file netsafe.exe.config"="5/26/2016 3:53 PM, 146 bytes, A
  Adds the file oxy.exe"="1/22/2016 4:45 AM, 373248 bytes, A
  Adds the file oxy.log"="7/6/2016 8:38 AM, 0 bytes, A
  Adds the file tbconfig.xml"="7/6/2016 8:38 AM, 4711 bytes, A
  Adds the file tbinfo.xml"="7/6/2016 8:38 AM, 1041 bytes, A
  Adds the file tblog.log"="7/6/2016 8:38 AM, 211 bytes, A
  Adds the file Trackerbird.Tracker.dll"="12/7/2015 5:00 AM, 20600 bytes, A
  Adds the file Trackerbird.Tracker.xml"="12/7/2015 4:59 AM, 20874 bytes, A
  Adds the file Trackerbird.x64.dll"="12/7/2015 5:00 AM, 1265784 bytes, A
  Adds the file Trackerbird.x86.dll"="12/7/2015 5:00 AM, 900216 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
  "Secured Net"="REG_SZ", ""C:\Windows\{computername}_020716\netsafe.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB71BAC7-A250-4A3D-8FDB-AF92D73FD1F9}_is1]
  "DisplayVersion"="REG_SZ", "4.01.0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetSecure]
  "Description"="REG_SZ", "Secured Layered Network Service"
  "DisplayName"="REG_SZ", "NetSecure"
  "ErrorControl"="REG_DWORD", 1
  "ImagePath"="REG_EXPAND_SZ", "C:\Windows\{computername}_020716\oxy.exe --service"
  "ObjectName"="REG_SZ", "LocalSystem"
  "Start"="REG_DWORD", 2
  "Type"="REG_DWORD", 16
  "WOW64"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  "ProxyEnable"="REG_DWORD", 1
  "ProxyServer"="REG_SZ", "127.0.0.1:8118"
Malwarebytes Anti-Malware log:
As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention