Removal instructions for NetSecure


What is NetSecure?

The Malwarebytes research team has determined that NetSecure is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by NetSecure?

You may see these proxy settings in Internet Explorer > Internet Options > Connections > LAN Settings:

proxy.png

and find this Visual Basic script in your Windows directory:

adserver.png

How did NetSecure get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove NetSecure?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to:
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of NetSecure?

  • No, Malwarebytes' Anti-Malware removes NetSecure completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

    We hope our application and this guide have helped you eradicate this hijacker.

    As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the NetSecure adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.
     

    protection1.png


    Technical details for experts

    Possible signs in FRST logs:
     (The Privoxy team - www.privoxy.org) C:\Windows\{computername}_020716\oxy.exe
     (www.searchz.co) C:\Windows\{username}-pc_020716\netsafe.exe
     HKLM-x32\...\Run: [Secured Net] => "C:\Windows\{computername}_020716\netsafe.exe"
     ProxyEnable: [{UserID}] => Proxy is enabled.
     ProxyServer: [{UserID}] => 127.0.0.1:8118
     R2 NetSecure; C:\Windows\{computername}_020716\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
     C:\Windows\{computername}_020716
     C:\Windows\ie.vbs
    
    () C:\Windows\{computername}_020716\mgwz.dll
    () C:\Windows\{computername}_020716\Trackerbird.Tracker.dll
    Alterations made by the installer:
    File system details [View: All details] (Selection)
    ---------------------------------------------------
        In the existing folder C:\Windows
           Adds the file ie.vbs"="7/2/2016 8:58 AM, 133 bytes, A
        Adds the folder C:\Windows\{computername}_020716
           Adds the file config.txt"="3/28/2016 3:22 PM, 407 bytes, A
           Adds the file default.action"="2/7/2016 6:10 AM, 21 bytes, A
           Adds the file default.filter"="12/31/2003 10:52 AM, 108 bytes, A
           Adds the file Interop.SHDocVw.dll"="4/4/2016 6:03 AM, 143872 bytes, A
           Adds the file mgwz.dll"="1/22/2016 4:45 AM, 86528 bytes, A
           Adds the file netsafe.exe"="7/2/2016 9:15 AM, 393216 bytes, A
           Adds the file netsafe.exe.config"="5/26/2016 3:53 PM, 146 bytes, A
           Adds the file oxy.exe"="1/22/2016 4:45 AM, 373248 bytes, A
           Adds the file oxy.log"="7/6/2016 8:38 AM, 0 bytes, A
           Adds the file tbconfig.xml"="7/6/2016 8:38 AM, 4711 bytes, A
           Adds the file tbinfo.xml"="7/6/2016 8:38 AM, 1041 bytes, A
           Adds the file tblog.log"="7/6/2016 8:38 AM, 211 bytes, A
           Adds the file Trackerbird.Tracker.dll"="12/7/2015 5:00 AM, 20600 bytes, A
           Adds the file Trackerbird.Tracker.xml"="12/7/2015 4:59 AM, 20874 bytes, A
           Adds the file Trackerbird.x64.dll"="12/7/2015 5:00 AM, 1265784 bytes, A
           Adds the file Trackerbird.x86.dll"="12/7/2015 5:00 AM, 900216 bytes, A
    
    Registry details [View: All details] (Selection)
    ------------------------------------------------
        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
           "Secured Net"="REG_SZ", ""C:\Windows\{computername}_020716\netsafe.exe""
        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB71BAC7-A250-4A3D-8FDB-AF92D73FD1F9}_is1]
           "DisplayVersion"="REG_SZ", "4.01.0"
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetSecure]
           "Description"="REG_SZ", "Secured Layered Network Service"
           "DisplayName"="REG_SZ", "NetSecure"
           "ErrorControl"="REG_DWORD", 1
           "ImagePath"="REG_EXPAND_SZ, "C:\Windows\{computername}_020716\oxy.exe --service"
           "ObjectName"="REG_SZ", "LocalSystem"
           "Start"="REG_DWORD", 2
           "Type"="REG_DWORD", 16
           "WOW64"="REG_DWORD", 1
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
           "ProxyEnable"= REG_DWORD, 1
           "ProxyServer"="REG_SZ", "127.0.0.1:8118"
    
    
    Malwarebytes Anti-Malware log:
    Malwarebytes Anti-Malware
    www.malwarebytes.org
    
    Scan Date: 7/6/2016
    Scan Time: 8:59 AM
    Logfile: mbamNetSecure.txt
    Administrator: Yes
    
    Version: 2.2.1.1043
    Malware Database: v2016.07.06.02
    Rootkit Database: v2016.05.27.01
    License: Premium
    Malware Protection: Disabled
    Malicious Website Protection: Enabled
    Self-protection: Enabled
    
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: {username}
    
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 314697
    Time Elapsed: 9 min, 14 sec
    
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
    
    Processes: 2
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe, 2680, Delete-on-Reboot, [0bbf9b85732711257110d0d9f41029d7]
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.exe, 3564, Delete-on-Reboot, [6664f030871391a5ff818623be460bf5]
    
    Modules: 3
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\mgwz.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x86.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    
    Registry Keys: 1
    PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE, Quarantined, [6664f030871391a5ff818623be460bf5], 
    
    Registry Values: 3
    PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Secured Net, "C:\Windows\{computername}_020716\netsafe.exe", Quarantined, [0bbf9b85732711257110d0d9f41029d7]
    PUP.Optional.Privoxy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NETSECURE|ImagePath, C:\Windows\{computername}_020716\oxy.exe --service, Quarantined, [6664f030871391a5ff818623be460bf5]
    PUM.Optional.ProxyHijacker, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, Quarantined, [7951968af7a3e4520054d5fdbb48dc24]
    
    Registry Data: 0
    (No malicious items detected)
    
    Folders: 1
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    
    Files: 18
    PUP.Optional.NetSecure, C:\Users\{username}\Desktop\NetSecure.exe, Quarantined, [399166ba5d3d2412b9dab3f63cc8f907], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe, Delete-on-Reboot, [0bbf9b85732711257110d0d9f41029d7], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.exe, Delete-on-Reboot, [6664f030871391a5ff818623be460bf5], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\config.txt, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\default.action, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\default.filter, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Interop.SHDocVw.dll, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\mgwz.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\netsafe.exe.config, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\oxy.log, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tbconfig.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tbinfo.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\tblog.log, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.Tracker.xml, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x64.dll, Quarantined, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.Privoxy, C:\Windows\{computername}_020716\Trackerbird.x86.dll, Delete-on-Reboot, [f2d8a57b9ffbec4a99fe51580400f50b], 
    PUP.Optional.AdServer, C:\Windows\ie.vbs, Quarantined, [5971829e099178bea1f718918a7a8878], 
    
    Physical Sectors: 0
    (No malicious items detected)
    
    
    (end)
    As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
    We use different ways of protecting your computer(s):
    • Dynamically Blocks Malware Sites & Servers
    • Malware Execution Prevention
    Save yourself the hassle and get protected.
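
An added example, not part of the original post or of Malwarebytes' tooling: a small Python scanner for the FRST log signs listed under "Technical details for experts" above. The folder pattern (any name followed by `_` and six digits), the `S` service state and the sample logs are assumptions made for this example.

```python
import re

# Patterns follow the "Possible signs in FRST logs" list on this page.
# Assumptions: the install folder is C:\Windows\<name>_<six digits>, generalising
# the page's {computername}_020716; a stopped service (S2) is matched like R2.
DIR = r"C:\\Windows\\[^\\\r\n]+_\d{6}"
INDICATORS = {
    "privoxy_binary": re.compile(r"\(The Privoxy team.*?\) " + DIR + r"\\oxy\.exe", re.I),
    "run_key": re.compile(r'\\Run: \[Secured Net\] => "?' + DIR + r"\\netsafe\.exe", re.I),
    "service": re.compile(r"^\s*[RS]\d NetSecure; " + DIR + r"\\oxy\.exe", re.I),
    "proxy_enabled": re.compile(r"ProxyEnable: \[.*?\] => Proxy is enabled", re.I),
    "proxy_server": re.compile(r"ProxyServer: \[.*?\] => 127\.0\.0\.1:8118\s*$", re.I),
    "ie_vbs": re.compile(r"^\s*C:\\Windows\\ie\.vbs\s*$", re.I),
}

def scan_frst(log_text):
    """Return {indicator name: [matching log lines]}."""
    hits = {}
    for line in log_text.splitlines():
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(line.strip())
    return hits

def verdict(hits):
    """A loopback proxy on 8118 is also what a deliberate Privoxy install looks
    like, so it only counts as NetSecure alongside a persistence entry."""
    persistence = {"run_key", "service"} & hits.keys()
    if persistence and "proxy_server" in hits:
        return "likely NetSecure"
    return "needs review" if hits else "clean"

# Constructed sample logs (LAB-PC and the SID are made up for this example).
SAMPLE_INFECTED = r"""
(The Privoxy team - www.privoxy.org) C:\Windows\LAB-PC_020716\oxy.exe
HKLM-x32\...\Run: [Secured Net] => "C:\Windows\LAB-PC_020716\netsafe.exe"
ProxyEnable: [S-1-5-21-1-2-3-1000] => Proxy is enabled.
ProxyServer: [S-1-5-21-1-2-3-1000] => 127.0.0.1:8118
R2 NetSecure; C:\Windows\LAB-PC_020716\oxy.exe [373248 2016-01-22] (The Privoxy team - www.privoxy.org) [File not signed]
C:\Windows\ie.vbs
"""
SAMPLE_PRIVOXY_ONLY = r"""
(The Privoxy team - www.privoxy.org) C:\Program Files (x86)\Privoxy\privoxy.exe
ProxyServer: [S-1-5-21-1-2-3-1000] => 127.0.0.1:8118
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INFECTED, SAMPLE_PRIVOXY_ONLY):
        hits = scan_frst(sample)
        print(verdict(hits), sorted(hits))
```

The second sample shows why the proxy value alone is only flagged for review: a user-installed Privoxy produces the same `ProxyServer` line without the `Secured Net` Run value or the `NetSecure` service.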