SecureFighter

Rogue - Antispyware

SecureFighter is reported to be a rogue application. There are several ways a fake or rogue application can get onto your computer:

1) You may have downloaded it yourself, knowingly or unknowingly, mistaking it for something else.
2) It may have been downloaded automatically while you were visiting a malicious website.
3) Your computer may already have a trojan which in turn downloads such an application.


Recently I have noticed that malware authors also keep track of the removal instructions published on the internet. As soon as they think the malware is exposed, they change the file and folder names and the locations where they are saved on the hard disk. Keep this in mind: you will need the latest information on the malware in order to remove it.

If you are unable to find and delete its files as described in this article, try a memory scan with your antivirus application, and also schedule a boot-time scan so that the infected files are found and deleted before Windows loads them. Most antivirus applications can do both a memory scan and a scheduled boot scan.

I have categorized this rogue application in the nsProcess.dll group (nsProcess.dll is a plugin used by NSIS-built installers, which is why it turns up in a randomly named nsXX.tmp folder under %Temp%). You can find information on other rogue applications belonging to this group on this link, and the latest ThreatExpert analysis reports of this rogue on this link.

If you happen to have the rogue installer, you can submit it to the ThreatExpert site and get it analyzed. That will give you precise information about the variant you actually have.


Files Associated

These are the EXE file names used by this malware:

SecureFighter.exe
SecureFighterSvc.exe

The first installer creates its executables in the Temp folder; these then download and install the rogue itself, along with several semi-randomly named files in the C:\Windows directory, which the rogue later reports as infected files.


 The Installer

The installers of this rogue application seem to enter your computer unsolicited. The installer creates randomly named files in your Temp folder, such as kt90eq15.exe, v8at5ihw.exe and ghclb.tmp, which then try to download several additional files from [securefighter.com].

 

The Website

You can find more information about the owner of the site [securefighter.com], when it was registered, who the registrar is, where it is currently hosted and so on, on this site.

Trying system restore

If you know roughly how long your computer has been infected, you can try restoring it to a restore point from before that date. This works remarkably well against a rogue like this, because it rolls back the registry entries, service and program files the installer added. It does not remove files in your personal folders, and some malware disables System Restore altogether (see More Problems below).

Free removal tools

  • Special tools to remove a single virus or a family of viruses.
  • Free online virus scanners
  • Fully functional antivirus/antispyware
All these tools are listed below.

Manual Removal

These are the steps to take if you want or need to remove the infected files manually. You may not find all the files mentioned below on an infected computer; the virus adds different files depending on its variant. I have listed all the names found in the reports available.

Boot in safe mode

Sometimes you will not be able to delete a file even after you find it. In that case, boot into Safe Mode and try to delete it again.

 Remove Processes from Task Manager 

Press Ctrl+Shift+Esc to open Task Manager. Look in the Processes list for SecureFighter.exe, SecureFighterSvc.exe and any random-looking name. Select each one and press End Process, confirm to terminate the process, then close Task Manager.

Alternatively you can use Windows Defender (Tools > Software Explorer) to see the path of a currently running program or process and its publisher, so as to distinguish malware processes from processes belonging to legitimate publishers. You may find such processes listed under Unknown Publisher in Windows Defender.

Or you can use Sysinternals' Process Explorer, which shows the full path and the verified signer of every process, for easier detection and removal of virus processes.

Removing entry from windows startup

The System Configuration utility can be started in XP by clicking Start > Run and typing msconfig, and in Vista by typing msconfig in the Start menu search box. Changes to the Windows startup list are reversible, so you can check or uncheck any entry as many times as you like.

After the System Configuration window opens, click the Startup tab, which lists all the programs scheduled to start with Windows. Widen the middle column with your mouse pointer so that you can see the full path of each program. Locate and uncheck "SecureFighter", "SecureFighter Software", SecureFighter.exe, SecureFighterSvc.exe and any random-looking name (look for any other suspicious entries). Press Apply, press Close/OK, and choose not to restart at the next prompt.

Removing windows Service

This malware creates a new Windows service named "SecureFighterSvc" (shown as SecureFighter Security Service). By default it is stopped. Delete the file SecureFighterSvc.exe first, then remove the service registration from the registry; CCleaner can do this, or you can run sc delete SecureFighterSvc from an Administrator command prompt.

 View Hidden Files

Before you can delete SecureFighter and its associated files you need to find them, and before doing that you need to enable viewing of hidden files and folders.

  • How to Enable Viewing of Hidden Files and Folders in Windows XP
  • How to Enable Viewing of Hidden Files and Folders in Windows Vista

Deleting files

After restarting the computer, use the Windows Search utility to search for "SecureFighter", and also for the names you found and removed in Task Manager or in the startup list. This search should find all of its folders on the hard disk; delete them.

These are some folders and files that were found on different infected computers. The file names in the Temp folder are semi-randomly generated and differ from computer to computer; note that the same random name can appear both in %Temp% and in System32.

C:\Documents and Settings\All Users\Start Menu\Programs\SecureFighter
C:\Program Files\SecureFighter Software
C:\Program Files\SecureFighter Software\SecureFighter
C:\Program Files\SecureFighter Software\SecureFighter\SecureFighter.exe
C:\Windows\System32\2v252ry7.exe
%Temp%\2v252ry7.exe
%Temp%\7twts0zq.exe
%Temp%\nsc6.tmp
%Temp%\nsy8.tmp

Delete the folders and files above.

%Temp%\nsq2.tmp\nsProcess.dll
C:\Windows\System32\ntvdm.exe

These two files seem to be common to this group. Be careful with the second one: ntvdm.exe is also the name of a legitimate Windows component (the NT Virtual DOS Machine, which runs 16-bit programs on 32-bit Windows) whose normal home is C:\Windows\System32. Check the file's digital signature, version information and date before deleting it, and prefer restoring it from the Windows installation source (see the System File Checker section below) over deleting it outright.

These are the additional files that the rogue attempts to download. If it succeeds, it saves them in the C:\Windows directory. They are semi-randomly named, so you need to look inside C:\Windows and delete similar files if found. The names below were found on a single computer; they will be different on every infected computer. The file names are in an incremental series, so a later infection will begin with a higher number than an earlier one. The files have OCX, BIN, CPL, EXE or DLL extensions, are roughly 13-20 characters long, and mix letters and numbers with garbled malware words inserted in between, such as not-a-virus, virus, hack, backdoor, worm, spambot and so on. This is the analysis report where I found these files. The files are probably harmless in themselves; they exist primarily so the rogue can display them as fake viruses found on your computer.
10633s5z990.ocx
10645not9a-vizus2e1.exe
107255zc9toolff.bin
10799spy555z.bin
10885not-a9viru5zfc.dll
108b9par5e1014z.exe
10east9al1z685.dll
11354tz9j4e9.ocx
11997n9t-a5zirus569.ocx
1255sparse5z109.cpl
13409zr5s54e.cpl
134ba9dwarz8565.exe
134z9spy745.cpl
1357backd9zr252.bin
13696szam5ot965.bin
138z3sp9mb5tfc.ocx
13964spy53z.exe
1397ha5ktool5d2z.cpl
13z9vir2455.bin
1407659oz6d.exe
140z15roj923.dll
145aadd9a5e27z0.ocx
15293not-9-vzrus475.exe
1547zt9oj4ab5.bin
1547zvir955d5.cpl
1549azdware1062.ocx
154zsteal2329.dll
1552895cktzol771.ocx
155bspar9e22z9.exe
15899vi5us39z.bin
1592z9y5are2064.dll
15965tr9j4z1.bin
15985v5rus705z.bin
160z35ackt9ol130.dll
16583wzrm948.exe
166espar5e22z9.bin
169ezhreat51901.exe
175579roj3az.ocx
1852zot-a-v9rus34d5.ocx
18558vz9us18d.bin
18896viz5s2d5.exe
18952virus59z5.dll
1895viruz196.ocx
19053zot-a-virus5699.bin
19159py5fz.ocx
1918not-azv5rus3a39.dll
19209not-a-v9zus503.exe
1933down5oadez951.ocx
19359no5za-virus799.dll
19486not-a-v95us5z9.bin
19678not-z-virus596.dll
19905zor55a5.bin
19957tzo945c.bin
199d5waze1903.exe
19a49iz25815.bin
1ac8baz9doo52496.ocx
1ba59hiefz90.bin
1bb8vir159z.bin
1bd3downlo5dez9207.bin
1c2evi957z2.bin
1c92downlozder24405.cpl
1cz5th9eat28508.cpl
1dza9p5ware203.dll
1e685pzware1297.exe
1f09z5arse1694.ocx
1z090worm352.bin
1z196not-a9virus565.ocx
1z316virus395.cpl
1z93worm385.exe
1z9455orm17e.cpl
20z675ot-a-virus599.cpl
2101s5arz91610.bin
21356spamz9te5.bin
21558not-z-v9rus47c.exe
2203795yz6.bin
2206worz5295.dll
22558hzc9too5156.cpl
229fzackdoo518189.bin
235729irzs5b8.bin
24957spamzot196.exe
25059iruz1ec5.bin
25195parse59z.bin
251est95z1081.dll
25249zirus2449.dll
25299zorm695.exe
2542zsp5794.ocx
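As an added illustration (not part of the original page or of any ThreatExpert tool), the following Python script turns the description above into a check you can run over a directory listing. It flags names that embed a garbled malware word (for example szam5ot for spambot, matched position by position with a small substitution budget), and separately flags names that merely have the bait shape: leading digit, mixed letters and digits, one of the listed extensions, and the listed length. The keyword list, the substitution budget and the sample listing are my own choices; four of the sample names are taken from the list above and the rest are legitimate Windows files that must not be flagged.

```python
import re

# Fragments the rogue embeds in its fake "infected" filenames, taken from the
# list on this page. Longest first, so "not-a-virus" wins over "virus".
KEYWORDS = [
    "not-a-virus", "downloader", "backdoor", "hacktool", "spyware", "spambot",
    "trojan", "adware", "sparse", "virus", "parse", "worm", "hack", "spy",
]
EXTENSIONS = {".ocx", ".bin", ".cpl", ".exe", ".dll"}
# The page says roughly 13-20 characters; the names it lists run up to 24.
MIN_LEN, MAX_LEN = 13, 24


def fuzzy_keyword(stem):
    """Return the first keyword that appears in `stem` with at most one
    character substituted (two for keywords of six or more characters),
    compared position by position, e.g. 'szam5ot' ~ 'spambot'."""
    stem = stem.lower()
    for kw in KEYWORDS:
        n = len(kw)
        allowed = 2 if n >= 6 else 1
        for i in range(len(stem) - n + 1):
            window = stem[i:i + n]
            matches = sum(1 for a, b in zip(window, kw) if a == b)
            if matches >= n - allowed:
                return kw
    return None


def classify(name):
    """Classify one filename from C:\\Windows.

    Returns ("keyword", <word>) when a garbled malware word is embedded,
    ("structure", None) when only the shape matches (leading digit, mixed
    letters and digits, bait extension, bait length), otherwise None."""
    stem, dot, ext = name.rpartition(".")
    if not dot or ("." + ext.lower()) not in EXTENSIONS:
        return None
    kw = fuzzy_keyword(stem)
    if kw:
        return ("keyword", kw)
    looks_like_bait = (
        stem[:1].isdigit()
        and MIN_LEN <= len(name) <= MAX_LEN
        and re.search(r"[a-z]", stem, re.I) is not None
        and re.search(r"[0-9]", stem) is not None
    )
    return ("structure", None) if looks_like_bait else None


def scan(names):
    """Return {name: verdict} for every name that classify() flags."""
    result = {}
    for name in names:
        verdict = classify(name)
        if verdict:
            result[name] = verdict
    return result


# Constructed directory listing (assumption, not a capture): four names from
# the page's list mixed with legitimate Windows files that must not be flagged.
SAMPLE_LISTING = [
    "10633s5z990.ocx", "10645not9a-vizus2e1.exe", "13696szam5ot965.bin",
    "1357backd9zr252.bin", "notepad.exe", "kernel32.dll", "explorer.exe", "win.ini",
]

if __name__ == "__main__":
    import os
    import sys
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for name, (kind, kw) in sorted(scan(names).items()):
        print(f"{name:28} {kind:10} {kw or ''}")
```

Run it with a directory path (for example C:\Windows) to list candidates; it only reports, it deletes nothing. Treat a "structure" hit as a prompt to look at the file, not as a verdict, while "keyword" hits are exactly the bait files the rogue is described as dropping.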

 Run CCleaner

After deleting SecureFighter and its associated files there will be leftover entries in the Windows registry. CCleaner is a free temp-file and registry cleaner that will clean the registry automatically as well as remove the temp files. Click here to read more.

 Edit Registry

If you are comfortable using the regedit command, you can find the registry modifications in any of the reports mentioned at the beginning of this article. Export the keys you are about to change (File > Export in regedit) before deleting them, so the change can be reversed if you remove the wrong entry.

More Problems

If you are unable to open Task Manager, the registry editor, System Restore, Folder Options and so on because the virus has disabled them, there are free tools and techniques to solve this problem. They are listed here.

Tools for Windows XP

Tools for Windows Vista

Use the system file checker

If you want to make sure that the Windows system files have not been altered by the virus, and to repair them if they have, run the System File Checker. On Windows XP it may ask for the Windows installation CD when it needs to restore a file; on Vista it must be run from an elevated (Administrator) command prompt.

  • How to run the System File Checker utility in Windows XP
  • How to run the System File Checker utility in Windows Vista

Unable to access security related sites

This can happen if your Hosts file has been altered. To repair or edit the hosts file, log in as administrator (on Vista, start Notepad with "Run as administrator") and open the following file in Notepad:
C:\WINDOWS\system32\drivers\etc\hosts
Remove everything other than the comment lines (starting with #), the line 127.0.0.1 localhost and, on Vista, the line ::1 localhost, then save and close the file. If the file is marked read-only you will need to clear that attribute first.
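Added example, not from the original page: a small Python routine that applies the rule above to hosts-file text, keeping comments and the loopback localhost lines and reporting every other entry, so you can see which sites were hijacked before you remove them. The sample hosts content is constructed and uses placeholder domain names; nothing here writes to the real hosts file.

```python
import sys

# Loopback entries that belong in a default Windows hosts file. XP ships only
# the 127.0.0.1 line; Vista adds "::1 localhost" for IPv6. Keep both.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def clean_hosts(text):
    """Split hosts-file text into (kept_text, removed_lines).

    Comment and blank lines are kept. An entry line is kept only if every
    hostname on it is a loopback 'localhost' mapping; anything else (a
    security vendor pinned to 127.0.0.1, a site pointed at a foreign
    address) is reported for review and dropped."""
    kept, removed = [], []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()   # drop trailing comment
        if not body:
            kept.append(line)                   # blank or comment-only line
            continue
        addr, names = body[0], body[1:]
        if names and all((addr, n.lower()) in DEFAULT_ENTRIES for n in names):
            kept.append(line)
        else:
            removed.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample of a hijacked hosts file (placeholder domains, not taken
# from an infected machine): vendor sites pinned to loopback, one site sent
# to a foreign address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1       securityvendor.example
127.0.0.1       update.securityvendor.example   # added by the rogue
10.0.0.1        www.example.com
"""

if __name__ == "__main__":
    # With a path argument, print the cleaned file to stdout so it can be
    # reviewed and redirected; the original file is never written in place.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    cleaned, removed = clean_hosts(text)
    for line in removed:
        print("removed:", line, file=sys.stderr)
    sys.stdout.write(cleaned)
```

The removed lines tell you which sites were being blocked or redirected, which is worth keeping as a record of what the rogue did even after the file is repaired.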

Using Firewall

Check your firewall for any suspicious communication from your computer to the internet and block it. Note that the Windows XP firewall filters inbound connections only; to block outbound traffic on XP you need a third-party firewall, and on Vista you need to add an outbound rule in the Windows Firewall with Advanced Security console.

Communicates with the following sites

  • SecureFighter.com
  • 212.175.87.195 port 80
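Added example, not from the original page: a Python parser for netstat -ano output that matches the foreign endpoint of each connection against the indicators listed above and returns the owning PID, so the responsible process can be looked up in Task Manager (View > Select Columns > PID) or Process Explorer. The netstat sample is constructed in the XP layout, not a real capture; the address list is the one on this page. It matches the address on any port, not just 80, so a variant that changes port is still caught.

```python
# Indicators from this page: the rogue's site and the address it was seen
# talking to over port 80.
IOC_ADDRESSES = {"212.175.87.195"}
IOC_HOSTS = {"securefighter.com"}


def parse_netstat(output):
    """Parse `netstat -ano` output (XP/Vista layout) into dicts.

    TCP lines carry Proto, Local, Foreign, State, PID; UDP lines have no
    State column, so they are only four fields wide."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                          # header / banner / blank lines
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def foreign_host(endpoint):
    """'212.175.87.195:80' -> '212.175.87.195'; '[::1]:80' -> '::1'."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def find_ioc_connections(output):
    """Return the rows whose foreign endpoint matches an indicator, by IP
    (netstat -ano) or by name when netstat was run without -n."""
    suffixes = tuple("." + h for h in IOC_HOSTS)
    hits = []
    for row in parse_netstat(output):
        host = foreign_host(row["foreign"]).lower()
        if host in IOC_ADDRESSES or host in IOC_HOSTS or host.endswith(suffixes):
            hits.append(row)
    return hits


# Constructed sample in the XP `netstat -ano` format; not a real capture.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    192.168.1.5:1052       212.175.87.195:80      ESTABLISHED     1488
  TCP    192.168.1.5:1053       72.14.207.99:80        ESTABLISHED     2216
  UDP    0.0.0.0:500            *:*                                    688
"""

if __name__ == "__main__":
    import sys
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for row in find_ioc_connections(output):
        print(f"PID {row['pid']}: {row['local']} -> {row['foreign']} {row['state']}")
```

Pipe real output into it (netstat -ano | python ioc_netstat.py) on the infected machine; a PID that matches here and belongs to a random-looking image in Task Manager is the process to end and whose file to delete.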

 Reprinted with permission from ThreatExpert.com

