JamiiSMS
    Show/Hide This

    Topic: Secret.exe Infection and Removal Instructions

    Report Post
    Results 1 to 2 of 2
    1. Invisible's Avatar
      Robot Array
      Join Date : 11th February 2006
      Location : Here...!
      Posts : 9,479
      Rep Power : 100000
      Likes Received
      5922
      Likes Given
      9137

      Default Secret.exe Infection and Removal Instructions

      This is an undesirable program.

      This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

      If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask and we might help you here.

      This infection will attempt to delete every file on your computer. It hides under %System%\Secret.exe

      %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP and Vista.

      If your pc has a process called secret.exe running, your system could be infected with a form of the verify trojan.

      secret.exe is considered to be a security risk, not only because antivirus programs flag verify trojan as a trojan, but also because other sites consider it a Trojan as well.

      Verify Trojan is likely a Trojan and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of secret.exe may cause serious harm to your system and will likely cause a number of problems, loss of data, loss of control or leaking private information.

      This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.

      How these infections start

      Just like any program, in order for the program to work, it must be started. Malware programs are no different in this respect and must be started in some fashion in order to do what they were designed to do. For the most part these infections run by creating a configuration entry in the Windows Registry in order to make these programs start when your computer starts.

      Unfortunately, though, in the Windows operating system there are many different ways to make a program start which can make it difficult for the average computer user to find manually. Luckily for us, though, there are programs that allow us to cut through this confusion and see the various programs that are automatically starting when windows boots. The program we recommend for this, because its free and detailed, is Autorunsfrom Sysinternals.

      When you run this program it will list all the various programs that start when your computer is booted into Windows. For the most part, the majority of these programs are safe and should be left alone unless you know what you are doing or know you do not need them to run at startup.

      At this point, you should download Autoruns and try it out. Just run the Autoruns.exe and look at all the programs that start automatically. Don't uncheck or delete anything at this point. Just examine the information to see an overview of the amount of programs that are starting automatically. When you feel comfortable with what you are seeing, move on to the next section.

      How to remove these infections
      If you have identified the particular program that is part of the malware, and you want to remove it, please follow these steps.

      1. Download and extract the Autoruns program by Sysinternals to C:\Autoruns
      2. Reboot into Safe Mode (by pressing F8 while rebooting your pc) so that the malware is not started when you are doing these steps. Many malware monitor the keys that allow them to start and if they notice they have been removed, will automatically replace that startup key. For this reason booting into safe mode allows us to get past that defense in most cases.
      3. Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.
      4. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.
        1. Include empty locations
        2. Verify Code Signatures
        3. Hide Signed Microsoft Entries

      5. Then press the F5 key on your keyboard to refresh the startups list using these new settings.
      6. The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file, and the folder they are in, that you want to remove.
      7. Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that right click on the entry and select delete. This startup entry will now be removed from the Registry.
      8. Now that we made it so it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you can not see the file, it may be hidden. You will need to unhide all hidden files from the Folder Options.
      9. When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode as you will now be clean from the infection.

      HOW CAN I IDENTIFY START UP PROGRAMS?
      (Not using AutoRuns application)

      Win9x/Me/2K/XP users:

      Use the "System Configuration Utility" (MSCONFIG) to identify startup programs. MSCONFIG is available for all Win9x/Me/2K/XP users (Win95/2K user can use the respective versions from here).

      You invoke it by clicking Start then Run. In the Open box, type msconfig.exe followed by enter. Once displayed, click on the "Startup" tab. You will see a list of items and the 2 columns that we're interested in are "Name" (WinME) or "Startup Item" (WinXP) and "Command". For Win98 the columns aren't named but the one on the left is the equivalent of "Name" and the one on the right is the equivalent of "Command":


      WinNT users:

      Use a free utility from SysInternals called AutoRuns which displays all the startup locations. Highlight an item and click on "Jump to" and it will take you to the appropriate startup location, including the registry keys where appropriate:


      If the registry editor is opened (REGEDIT), you will see a list of items and the 2 columns I'm interested in are "Name" and "Data":

      Alternatively, you can use a startup manager.

      Notes:

      (1) The "Close Program" window in Win9x/Me and "Task Manager" window in WinNT/2K/XP (both can be accessed via the CTRL+ALT+DEL key combination) displays some startup programs AND other background tasks and "Services". This site is concerned with startup programs ONLY (from the common startup locations). For a list of tasks/processes you should try WinTasks 5 Standard/Professional from Uniblue Systems Ltd or the list at AnswersThatWork.

      (2) I won't be including "Services" from the WinNT/2K/XP operating systems. I fully understand that some programs with these OS's use "Services" as an alternative to load their component parts at startup but I don't have the time available to include these as well. For Win2K services information see TechSpot's article here. For WinXP services see TechSpot's article here or The Elder Geek's article here.

      HOW CAN I DISABLE THEM FROM RUNNING AT START-UP?
      A number of methods can be prevent programs from running at startup. What these are how you use them is described here.

      My recommendations are that you try each of the methods listed below in that order. Each method has an indication of which Windows operating system it is applicable to.

      1) Using a program's own configuration options - Windows 95/98/Me/NT/2000/XP
      The best option is to check if a program gives you an option to disable the function you're interested in - via a right-click on a System Tray icon or maybe an "options" menu within the program. If this isn't available then you have to try something else.

      For example, Norton SystemWorks has an "Options" tab on the main start-up screen that allows you to configure the utilities in the suite - Norton Utilities, Norton AntiVirus and Norton Cleansweep.

      2) Windows StartUp folder - Windows 95/98/Me/NT/2000/XP
      If you click on Start -> Programs -> StartUp (Win9x/Me/NT/2K) or Start -> All Programs -> StartUp (WinXP) you may find programs loading from here via shortcuts. If this is the case, you have two options :-

      Delete the shortcut from the StartUp directory (based on your OS):

      Win9x/98/Me - C:\Windows\Start Menu\Programs\StartUp

      WinNT/2K - C:\Winnt\Profiles\All Users\Start Menu\Programs\StartUp

      WinXP - C:\Documents and Settings\All Users\Start Menu\Programs\Startup

      Create a temporary directory for your OS called "Disabled StartUp Programs" and move the shortcuts there. If a program doesn't work as expected you can always move the relevant shortcut back again

      Win9x/98/Me - C:\Windows\Start Menu\Programs

      WinNT/2K - C:\Winnt\Profiles\All Users\Start Menu\Programs

      WinXP - C:\Documents and Settings\All Users\Start Menu\Programs

      3) System Configuration Utility (MSCONFIG) - Windows 95/98/Me/2000/XP
      Work your way through the list of programs included here and deselect the appropriate boxes in your version then click OK followed by re-starting Windows.

      WinME and WinXP display items for the same program in different ways in MSCONFIG. WinME uses the same descriptive text under the MSCONFIG "Name" and registry Run keys "Name" columns. WinXP often uses the first part of the filename under the "Startup Item" column and the equivalent descriptive part in the "Name" column of the registry "Run" keys. For instance, on my WinXP Home machine I have ZoneAlarm and see:

      MSCONFIG : "Startup Item" = zlclient & "Command" = zlclient.exe
      REGISTRY : "Name" = Zone Labs Client & "Data" = zlclient.exe
      Virus entries in the program list are only shown using the registry version in this case to prevent unnecessary duplication due the number of them.

      Notes:

      When you have deselected an item in MSCONFIG, you will be starting in "Selective startup" mode. This can be seen under the "General" tab. Working in "Selective startup" mode is perfectly acceptable - I do and don't have a problem. Warning: If you subsequently decide to choose "Normal startup", all disabled items will be re-enabled

      Some disabled items may disappear from MSCONFIG when you re-start Windows

      MSCONFIG is intended to be used to temporarily disable programs from running at system start-up. In some cases, disabled items may be added to a new category under Start -> Programs (Win9x/Me/NT/2K) or Start -> All Programs (WinXP) called "Disabled Startup Items". If the entry has disappeared from MSCONFIG and is available here they can be copied back into the appropriate OS StartUp directory:

      Win9x/98/Me - C:\Windows\Start Menu\Programs\StartUp

      WinNT/2K - C:\Winnt\Profiles\All Users\Start Menu\Programs\StartUp

      WinXP - C:\Documents and Settings\All Users\Start Menu\Programs\Startup

      For WinME users - If you have disabled items in MSCONFIG and at a later date uninstall the program they are associated with, you can click on the "Cleanup" button to verify and remove all invalid entries from the startup sections of the reigistry



      For Win9x/XP user - If you have disabled items in MSCONFIG and at a later date uninstall the program they are associated with, you can try a free application from Virtuoza called MSConfig Cleanup


      If there is an option within a program to disable parts of it running at start-up (see here) and you don't use that method to disable them, you may find they are re-enabled in MSCONFIG the next time the program runs


      4) Use a 3rd party utility to control start-up programs - Windows 95/98/Me/NT/2000/XP
      There are a number of programs widely available as shareware or freeware that achieve the same purpose. Each can identify what programs are running at startup and allow you to control them to differing degrees. I cannot personally recommend an individual program as I don't use them and am happy enough with MSCONFIG (even though it is only intended to be a temporary solution while troubleshooting - see above).

      Want to try a start-up manager? Try from the list given here.

      5) The System Registry - Windows 95/98/Me/NT/2000/XP
      Note: if you are running NT and don't have a startup manager you only have this choice remaining, which is a last resort.

      You can both disable and permanently stop programs from running during start-up by editing the relevant entries from the System Registry using REGEDIT. This option isn't for the faint hearted and should only be used by those who are comfortable with editing the System Registry and understand what implications any changes may have. If you delete something from the System Registry accidentally, it may be corrupted to the extent that Windows may not re-start at all so beware.

      For information about the Windows registry and editing it's contents try the Windows Guide Network registry pages.

      To invoke the Registry Editor, click Start then Run. In the Open box, type regedit.exe followed by enter.

      The keys you're interested in are as follows:-

      HKLM\Software\Microsoft\Window s\CurrentVersion\Run
      HKLM\Software\Microsoft\Window s\CurrentVersion\RunOnce
      HKLM\Software\Microsoft\Window s\CurrentVersion\RunServices
      HKLM\Software\Microsoft\Window s\CurrentVersion\RunServicesOn ce
      HKCU\Software\Microsoft\Window s\CurrentVersion\Run
      HKCU\Software\Microsoft\Window s\CurrentVersion\RunOnce

      For Windows 98 & Me, disabled items were placed in the registry keys named above with a "-" after it, ie:

      HKLM\Software\Microsoft\Window s\CurrentVersion\Run-

      For Windows XP this is changed:-

      For items that were in the Start -> Programs -> Startup folder:

      HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

      You'll find a subkey for each disabled item.

      For items loaded from the Registry:

      HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

      Again, you'll find a subkey for each disabled item.

      6) WIN.INI - Windows 95/98/Me
      The WIN.INI file is located in C:\Windows (Win9x/Me/XP) or C:\Winnt (WinNT/2k) and can be seen if you have enabled "Show hidden files and folders" via My Computer -> Tools -> Folder Options then the "View" tab. This file is executed at Windows startup.

      Some valid programs and a lot of virusses load at startup via this method under the [windows] section via "run=" or "load=" as follows:

      [windows]
      run=hpfsched
      run=%Windows%\CapsideRed.pif
      load=asistat.exe
      Load = "C:\Windows\System32.exe"

      In the first example, "hpfsched" is a valid entry to remind you to clean the cartridges in your HP DeskJet from time to time in
      order to keep print quality high. It can be removed from the run line in win.ini file if you do not want that feature.

      In the second example, "CapsideRed.pif" has been added by the CASPID virus and is obviously not desired (where %Windows% is C:\Windows or C:\Winnt).

      In the third example, "asistat.exe" is a valid entry that is the status monitor for an NEC SuperScript printer. It can be removed from the load line in win.ini if you do not want that feature.

      In the final example, "System32.exe" has been added by the MARI virus and is obviously not desired.

      Note: From WinMe onwards MSCONFIG includes the "run=" and "load=" entries so this section is only included for completeness. Only valid "run=" entries are included in the programs list to save against repitition from the many virusses that use this method.

      7) SYSTEM.INI - Windows 95/98/Me
      The SYSTEM.INI file is located in C:\Windows (Win9x/Me/XP) or C:\Winnt (WinNT/2k) and can be seen if you have enabled "Show hidden files and folders" via My Computer -> Tools -> Folder Options then the "View" tab. This file is executed at Windows startup.

      The only valid entry under the "shell=" line here is:

      [boot]
      shell=Explorer.exe

      However, some virusses use this line to execute themselves at startup. For example:

      [boot]
      shell=Explorer.exe %Windows%\Capside.exe

      This has been added by the CASPID virus and is obviously not desired (where %Windows% is C:\Windows or C:\Winnt).


      Hope this helps!
      Ficha Upumbavu wako; Usiifiche Hekima yako!
      24/7 Email SUPPORT: [email protected]



    2. khayanda's Avatar
      Senior Member Array
      Join Date : 6th November 2007
      Posts : 242
      Rep Power : 707
      Likes Received
      22
      Likes Given
      0

      Default Re: Secret.exe Infection and Removal Instructions

      asante, maana ni leo tu nimeathiriwa na huyu jamaa, BRAVO

    3. Clean9

    Similar Topics

    1. AVPO.EXE Spyware removal Instructions
      By Invisible in forum Tech, Gadgets & Science Forum
      Replies: 47
      Last Post: 28th February 2009, 08:25
    2. e-Card.exe Removal Instructions
      By Invisible in forum Tech, Gadgets & Science Forum
      Replies: 2
      Last Post: 11th November 2008, 09:03
    3. amvo Virus detailed removal instructions
      By Invisible in forum Tech, Gadgets & Science Forum
      Replies: 0
      Last Post: 21st June 2008, 18:56
    4. amvo0.dll Removal Instructions
      By Invisible in forum Tech, Gadgets & Science Forum
      Replies: 2
      Last Post: 17th January 2008, 17:49
    5. PestTrap Removal Instructions
      By Invisible in forum Tech, Gadgets & Science Forum
      Replies: 0
      Last Post: 19th December 2007, 17:05

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •  

    Who are WE?

    JamiiForums is a 'User Generated Content' site; anyone can register (MUST) and comment or start a new topic.

    You are always welcome! Read more...

    Where are we?

    We have our offices in Dar es Salaam but we still work virtually.

    For anything related to this site please Contact us.

    Contact us now...

    DISCLAIMER

    JamiiForums, its partners, affiliates and advertisers are not responsible for the content of threads/topics that are submitted by users..

    Read more...

    Forum Rules

    JamiiForums is moderated under the rules set by users and moderators to safeguard you.

    You MUST read them and comply accordingly. Read more...

    Privacy Policy

    We are committed to respecting your privacy rights when visiting any JamiiForums.com page, such as this one.

    Read our Privacy Policy. Proceed here...