
Infected by My Security Shield


  • This topic is locked
2 replies to this topic

#1 theminja

theminja

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:18 PM

Posted 13 August 2010 - 09:50 PM

Hi, I've been infected since around August 8th, and I have used your removal guide for My Security Shield (running Malwarebytes, etc.) but it seems I am still infected. I can't load the Microsoft Updates website and I'm redirected to other websites when I use Google to find more solutions. I also cannot run a System Restore (it fails every time I try to do it). I'm not sure what to do now! Also, in my Security Center, it says my Virus Protection is "My Security Shield" and there are two firewalls running on the computer (the one provided by Windows XP along with what I'm assuming is some sort of spyware). There are no particular errors other than that as far as messages and whatnot. Hope y'all can help!

Note: Also, for some reason the GMER scan can never finish. The computer restarts itself in the middle of the scan every time, so it doesn't ever finish. (I also had to post this from my laptop, since the infected desktop wouldn't let me submit this post with the DDS text included. It also wouldn't let me send the DDS text in an e-mail from the infected computer, claiming that I wasn't connected to the internet.)


Edit: After running the GMER scan multiple times after posting this, I was finally able to save one of the scans and have attached it to this post.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tao Vu at 20:51:51.28 on Fri 08/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.538 [GMT -5:00]

AV: My Security Shield *On-access scanning enabled* (Updated) {1079F87F-12A4-423D-97C1-9BE81A6950F8}
FW: My Security Shield *enabled* {191A5C26-E978-4658-A53E-E4D2973939CB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\UniKey\UniKey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Tao Vu\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Documents and Settings\Tao Vu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tao Vu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tao Vu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tao Vu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tao Vu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [UniKey] c:\program files\unikey\UniKey.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\tao vu\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [jpwmqmsbkt] c:\documents and settings\tao vu\local settings\application data\ecvqhk\cdngpte.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261530481843
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261530603750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taovu~1\applic~1\mozilla\firefox\profiles\0qnkqm9a.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
FF - plugin: c:\documents and settings\tao vu\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101049100&s=
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2009-12-22 58016]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-30 304464]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2009-12-22 102463]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-8-18 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-8-18 28672]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-30 20952]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2009-12-22 108256]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [2010-8-8 20480]
S0 ttkqh;ttkqh; [x]

=============== Created Last 30 ================

2010-08-12 15:12:18 0 d-----w- c:\docume~1\taovu~1\applic~1\SUPERAntiSpyware.com
2010-08-12 15:12:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-12 15:12:09 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-11 19:03:38 0 d-sh--w- c:\docume~1\alluse~1\applic~1\MSSKMFYMZXS
2010-08-11 19:03:38 0 d-sh--w- c:\docume~1\alluse~1\applic~1\e1bee31
2010-08-11 01:37:58 0 d-----w- c:\program files\Wise Registry Cleaner
2010-08-10 22:56:50 0 d-----w- c:\windows\pss
2010-08-08 21:47:18 5 ----a-w- C:\zrpt.xml
2010-08-08 20:15:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-08 16:25:07 20480 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2010-08-08 16:25:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-26 22:28:18 0 d-----w- C:\cmos
2010-07-15 02:43:57 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-03-21 23:44:10 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2010-03-21 23:44:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010032120100322\index.dat

============= FINISH: 20:53:58.26 ===============


Edited by theminja, 13 August 2010 - 11:10 PM.



#2 theminja

theminja
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:18 PM

Posted 19 August 2010 - 02:06 AM

I no longer need any help, this thread may be closed. thank you.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:18 AM

Posted 19 August 2010 - 04:15 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
