
Winsecure


3 replies to this topic

#1 CaptainAmerica9

CaptainAmerica9

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 26 April 2005 - 04:49 PM

Hey. I usually am very safe with the websites I go to and stuff, but my little brother got on and now we get pop-up ads when our web browser isn't open. I ran SpyBot and it found 5 problems and only could delete 4. The last one is Winsecure. How do I remove it?



#2 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SW Louisiana
  • Local time:06:19 AM

Posted 27 April 2005 - 01:21 AM

I suggest you post a HijackThis log for examination.

Read the pinned post in the HijackThis forum, here
Please read, and follow, all directions carefully.

Then, run a log, and post it in the HJT forum, at this link. Do not fix anything yet.
A member of the HJT Team will help you out.
It may take a while to get a response, because the HJT Team are very busy. Please be patient; these people are volunteers. They will help you out as soon as possible.

NOTE:
Once you have made the post, please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#3 agitarius

agitarius

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:19 AM

Posted 27 April 2005 - 01:53 AM

Hi.
I think you ought to do:
1. Update your Spybot S&D.
2. Download Hijackthis 1.99.1.
3. Restart the computer in Safe mode.
4. Run Hijackthis and fix false problems.
5. Run Spybot S&D and scan computer.

If the problem comes back, then:
1. Close all open Internet Explorer windows.
2. Make a registry backup.
3. Delete the values that were added to the registry (if they exist):

START>>RUN>>REGEDIT
Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the values:
"Microsoft Cab Manager" = "c:\exec.exe"
"Windows Security Manager" = "c:\winsecure.exe"
"Windows Security Update" = "%Windir%\security32.exe"

Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
In the right pane, delete the values:
"WinTask" = "c:\wintask.exe"
"Userinit" = "%System%\userinit.exe,"

Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
In the right pane, delete the values:
"Memory Manager" = "%System%\memorymanager.pif"

Navigate to and delete the following subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C} 
HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

4. Exit the Registry Editor.
5. Delete the files (if they exist):
%System%\comnt32.dll
C:\cab.exe 
C:\winsecure.exe 
%Windir%\msupdate.exe 
%System%\security32.exe 
%System%\iProtect.exe 
%System%\axe.exe 
%System%\memorymanager.pif

6. Restart the computer in Safe mode.
7. Run Spybot S&D and then post a HijackThis 1.99.1 log to be checked.
8. Remove entries from the Hosts file:

Click Start > Search.
Click All files and folders.
In the "All or part of the file name" box, type: hosts
Then open this file with Notepad and delete these entries:
And remove other ones which you think are bad.

9. Download WWDC (freeware) and set ENABLE all services.
10. Read pinned topics all the time and more add more. :thumbsup:

:flowers:

Edited by agitarius, 27 April 2005 - 02:11 AM.
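The autostart check in step 3 of the post above can be run against a registry export before anything is deleted. This is an added example, not part of agitarius's post: it parses `.reg` export text and flags values under the two autostart keys the post names. The sample export, the "SoundMan" and "Updater" values and the drive-root heuristic are assumptions made for illustration.

```python
import re

# Autostart keys named in the post, lower-cased for comparison.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Value names the post says to delete from those keys.
POST_VALUE_NAMES = {"microsoft cab manager", "windows security manager",
                    "windows security update", "wintask", "userinit"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")  # assumption: heuristic only

# Constructed sample in .reg export format (backslashes are doubled in strings).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Security Manager"="c:\\winsecure.exe"
"SoundMan"="C:\\Program Files\\Audio\\soundman.exe"
"Updater"="C:\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WinTask"="c:\\wintask.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Path"="c:\\tool.exe"
'''

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def audit_autostart(reg_text):
    """Return (key, name, target, reasons) for each flagged autostart value."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in AUTOSTART_KEYS:
            continue                  # not a string value, or not an autostart key
        name, target = unescape(m.group(1)), unescape(m.group(2))
        reasons = []
        if name.lower() in POST_VALUE_NAMES:
            reasons.append("value name listed in the post")
        if DRIVE_ROOT_RE.fullmatch(target):
            reasons.append("target sits in a drive root")
        if reasons:
            findings.append((key, name, target, reasons))
    return findings
```

A flagged value is a prompt to inspect the file it points to, not proof of infection; the drive-root rule will also catch legitimate programs installed there.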


#4 lucent

lucent

  • Members
  • 172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:19 AM

Posted 09 May 2005 - 10:50 PM

Hello, just curious, Agitarius, as to why you would delete the entries from the HOSTS file? Won't they just resolve the IP to the local loopback address? Unless the HOSTS file was bloated and slowing traffic down, it should add a little more security to malware connection attempts.
Special thanks to efizzer for the signature
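The distinction raised in the post above, between hosts entries that point a name at loopback and entries that send it elsewhere, can be checked mechanically. This is an added example, not part of any post in this thread: it classifies each hosts-file mapping as a loopback block or a redirect. The hostnames, the address 203.0.113.7 and the `needed` list of sites that must stay reachable are constructed for illustration.

```python
import ipaddress

# Constructed sample; hostnames and 203.0.113.7 (documentation range) are made up.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.coupon-ads.example    # loopback block
0.0.0.0         tracker.example
127.0.0.1       update.av-vendor.example
203.0.113.7     www.bank.example
not-an-ip       broken.example
"""

def classify_hosts(text, needed=()):
    """Map each hostname in hosts-file text to a verdict string."""
    needed = {h.lower() for h in needed}
    verdicts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        local = addr.is_loopback or addr.is_unspecified
        for host in (h.lower() for h in fields[1:]):
            if not local:
                verdicts[host] = "redirect"        # name forced to another address
            elif host == "localhost":
                verdicts[host] = "default"         # the standard localhost entry
            elif host in needed:
                verdicts[host] = "blocked-needed"  # a site you rely on is cut off
            else:
                verdicts[host] = "blocked"         # cannot reach its real server
    return verdicts

if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS, needed=["update.av-vendor.example"])
    for host, verdict in result.items():
        print(f"{verdict:15} {host}")
```

Entries reported as `blocked` only stop the machine from reaching those names; `redirect` and `blocked-needed` are the ones to review before editing the file.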



