My Security Shield is a rogue anti-spyware program.
This fake program is promoted through online antivirus scanners (also fake) that claim the PC is infected and offer this product as the solution for disinfecting it.
Once installed, it creates a multitude of files, which are then detected as infected:
%UserProfile%\Recent\cid.drv
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.exe
%UserProfile%\Recent\delfile.sys
%UserProfile%\Recent\fan.dll
%UserProfile%\Recent\grid.sys
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\kernel32.sys
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\SICKBOY.drv
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Recent\tjd.sys
All of these are meant to mislead the user into purchasing this program. The detected files are clean, or non-functional, and the alerts should be disregarded. Do NOT purchase this product, and if you have been infected, follow the guide below:

The program creates the following files/folders:
- c:\Documents and Settings\All Users\Application Data\345d567\
- c:\Documents and Settings\All Users\Application Data\345d567\4475.mof
- c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
- c:\Documents and Settings\All Users\Application Data\345d567\MS345d_2129.exe
- c:\Documents and Settings\All Users\Application Data\345d567\MSS.ico
- c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
- c:\Documents and Settings\All Users\Application Data\345d567\BackUp\
- c:\Documents and Settings\All Users\Application Data\345d567\MSSSys\
- c:\Documents and Settings\All Users\Application Data\345d567\MSSSys\vd952342.bd
- c:\Documents and Settings\All Users\Application Data\345d567\Quarantine Item\
- c:\Documents and Settings\All Users\Application Data\MSHBXRCOBWS\
- c:\Documents and Settings\All Users\Application Data\MSHBXRCOBWS\MSJYQMS.cfg
- %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\My Security Shield.lnk
- %UserProfile%\Application Data\My Security Shield\
- %UserProfile%\Application Data\My Security Shield\cookies.sqlite
- %UserProfile%\Application Data\My Security Shield\Instructions.ini
- %UserProfile%\Desktop\My Security Shield.lnk
- %UserProfile%\Recent\cid.drv
- %UserProfile%\Recent\CLSV.tmp
- %UserProfile%\Recent\DBOLE.exe
- %UserProfile%\Recent\delfile.sys
- %UserProfile%\Recent\fan.dll
- %UserProfile%\Recent\grid.sys
- %UserProfile%\Recent\kernel32.exe
- %UserProfile%\Recent\kernel32.sys
- %UserProfile%\Recent\PE.dll
- %UserProfile%\Recent\PE.tmp
- %UserProfile%\Recent\runddlkey.drv
- %UserProfile%\Recent\SICKBOY.drv
- %UserProfile%\Recent\std.dll
- %UserProfile%\Recent\tempdoc.tmp
- %UserProfile%\Recent\tjd.sys
- %UserProfile%\Start Menu\My Security Shield.lnk
- %UserProfile%\Start Menu\Programs\My Security Shield.lnk
It is associated with the following registry keys:
HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\MS345d_2129.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "control/7.02129"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "My Security Shield"
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
The following entry appears in the HijackThis log:
O4 - HKCU\..\Run: [My Security Shield] "C:\Documents and Settings\All Users\Application Data\345d567\MS345d_2129.exe" /s /d
REMOVAL:
1. Download and run rkill.com. This is necessary to stop the active process used by the virus. You will probably get a warning that rkill.com is infected. Ignore it, it is just a false alarm generated by My Security Shield.
Run rkill.com again until the virus is no longer active. Alternatively you can try eXplorer.exe or iExplore.exe (the renamed copies of rkill).
2. Download Malwarebytes Anti-Malware. Scan the PC completely and at the end delete the infections found by clicking Remove selected.
If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected/removed by your current antivirus.
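As an added example (not part of the original post, and not a tool from any of the products named above), the following PowerShell script audits a machine for the indicators listed in this post, so the result of the removal steps can be verified. It is read-only: it reports which of the dropped files, registry keys and values, the Run entry and the hosts-file changes are present, and leaves deletion to the tools named above. Run it in the affected user's session, since most indicators live under HKEY_CURRENT_USER and the user's profile. The folder names 345d567 and MSHBXRCOBWS, the file name MS345d_2129.exe and the findgala.com/127.0.0.1:27777 values are the ones reported in this post and may differ on another machine. The hosts-file check is a generic one, assumed here because the post does not list the entries the rogue adds: it reports every active mapping other than the default localhost line, plus the file's read-only flag and owner, since a commenter below notes that permissions on the file had to be changed.

```powershell
# Added example, not part of the original post: read-only audit of the
# My Security Shield indicators listed above. Reports only, deletes nothing.
# 345d567 / MSHBXRCOBWS / MS345d_2129.exe are the names from the post;
# other samples of this rogue may use different random names.

$ProgramData = [Environment]::GetFolderPath('CommonApplicationData')  # All Users\Application Data on XP
$AppData     = [Environment]::GetFolderPath('ApplicationData')
$Recent      = [Environment]::GetFolderPath('Recent')
$Desktop     = [Environment]::GetFolderPath('Desktop')

# Decoy files dropped into Recent and later "detected" by the rogue scanner
$DecoyNames = 'cid.drv','CLSV.tmp','DBOLE.exe','delfile.sys','fan.dll','grid.sys',
              'kernel32.exe','kernel32.sys','PE.dll','PE.tmp','runddlkey.drv',
              'SICKBOY.drv','std.dll','tempdoc.tmp','tjd.sys'

$FileIndicators = @(
    Join-Path $ProgramData '345d567\MS345d_2129.exe'
    Join-Path $ProgramData 'MSHBXRCOBWS\MSJYQMS.cfg'
    Join-Path $AppData     'My Security Shield\Instructions.ini'
    Join-Path $Desktop     'My Security Shield.lnk'
) + ($DecoyNames | ForEach-Object { Join-Path $Recent $_ })

# Registry values whose content identifies the infection (data must match Pattern)
$ValueIndicators = @(
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';  Name='My Security Shield';   Pattern='*MS345d_2129.exe*' }
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer';          Name='PRS';                  Pattern='http://127.0.0.1:27777/*' }
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='CheckExeSignatures';   Pattern='no' }
    @{ Path='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='RunInvalidSignatures'; Pattern='1' }
    @{ Path='HKCU:\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes';            Name='URL'; Pattern='*findgala.com*' }
    @{ Path='Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes';    Name='URL'; Pattern='*findgala.com*' }
)

# Keys whose mere presence is suspicious (weaker evidence than the values above)
$KeyIndicators = @(
    'HKCU:\Software\3'
    'Registry::HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}'
    'Registry::HKEY_CLASSES_ROOT\MS345d_2129.DocHostUIHandler'
)

$Findings = @()

foreach ($f in $FileIndicators) {
    if (Test-Path -LiteralPath $f) { $Findings += "FILE      $f" }
}

foreach ($k in $KeyIndicators) {
    if (Test-Path -LiteralPath $k) { $Findings += "REGKEY    $k" }
}

foreach ($v in $ValueIndicators) {
    if (-not (Test-Path -LiteralPath $v.Path)) { continue }
    $props = Get-ItemProperty -LiteralPath $v.Path -ErrorAction SilentlyContinue
    $data  = $props.($v.Name)
    if ($null -ne $data -and "$data" -like $v.Pattern) {
        $Findings += "REGVALUE  $($v.Path)\$($v.Name) = $data"
    }
}

# hosts file: list every active mapping except the default localhost line,
# and show the read-only flag and owner, which decide what must be changed
# before the file can be repaired.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $HostsPath) {
    $extra = Get-Content -LiteralPath $HostsPath |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
    foreach ($line in $extra) { $Findings += "HOSTS     $line" }
    $hostsItem = Get-Item -LiteralPath $HostsPath
    $hostsAcl  = Get-Acl -Path $HostsPath
    $Findings += "INFO      hosts ReadOnly=$($hostsItem.IsReadOnly) Owner=$($hostsAcl.Owner)"
}

if ($Findings.Count -eq 0) {
    Write-Output 'No My Security Shield indicators found.'
} else {
    Write-Output "Found $($Findings.Count) item(s):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it once before the removal steps to record what is present, and again afterwards: a clean result should show no FILE, REGKEY or REGVALUE lines, and the HOSTS lines should be only entries you recognise. The INFO line is always printed so that a read-only hosts file or an unexpected owner is noticed even when no other indicator remains.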




And I told Cristi: MSS modifies 'hosts', so the permissions on the file have to be changed. So the disinfection isn't quite complete; youtube is among the blocked sites.
Hi, I have the same problem... whoever can help me, please add me, thanks.
very cool 10 +