Security Shield Rogueware

lightsout · March 20, 2012

So, this thing popped up about 30 minutes ago. I hit the "x" in the corner because I didn't recognize it. Then it said my computer found all these viruses and whatnot. I ran Microsoft Security Essentials scan, said my computer was A-OK. I searched and found out this is a virus. Anybody know how to get rid of it? Conveniently, every link I click to try and figure out how to remove it doesn't work. So, somebody is going to have to spell it out on here.

LifeisaGarden · March 20, 2012

Hmm, what site were you looking at when it happened?

mav1234 · March 20, 2012

Try downloading and running Malwarebytes

If that does not work, post here again. I don't want to go through manual removal instructions if I do not need to.

lightsout · March 20, 2012

I wasn't looking at anything but the huddle and facebook. It popped up and said it found 6 issues. I closed it, it waited 3 minutes, and popped up again as a different window interface.

I have malwarebytes. Unfortunately, this virus claims it is affected by a Trojan (ran Microsoft Security Essentials check on it, says it is clear) and won't let me open it.

Doyle · March 20, 2012

This happened to me once and my computer was never the same.

mav1234 · March 20, 2012

Blargh...

EDIT: Try this first:

Important note: If Malwarebytes is blocked by malware then run Chameleon (Start Menu → All Programs → MalwareBytes' Anti-Malware → Tools → Malwarebytes' Anti-Malware Chameleon).

NOTE: I Have NOT used this method. Use at your own risk. But, this is the list of files related to it supposedly. Deleting them, as well as the registry keys, could fix the issue. Or it might not...

Affected Files and Registry Keys:

c:Documents and SettingsAll UsersApplication Data345d567

c:Documents and SettingsAll UsersApplication Data345d5674475.mof

c:Documents and SettingsAll UsersApplication Data345d567mozcrt19.dll

c:Documents and SettingsAll UsersApplication Data345d567MS345d_2129.exe

c:Documents and SettingsAll UsersApplication Data345d567MSS.ico

c:Documents and SettingsAll UsersApplication Data345d567sqlite3.dll

c:Documents and SettingsAll UsersApplication Data345d567BackUp

c:Documents and SettingsAll UsersApplication Data345d567MSSSys

c:Documents and SettingsAll UsersApplication Data345d567MSSSysvd952342.bd

c:Documents and SettingsAll UsersApplication Data345d567Quarantine Item

c:Documents and SettingsAll UsersApplication DataMSHBXRCOBWS

c:Documents and SettingsAll UsersApplication DataMSHBXRCOBWSMSJYQMS.cfg

%UserProfile%Application DataMicrosoftInternet ExplorerQuick LaunchMy Security Shield.lnk

%UserProfile%Application DataMy Security Shield

%UserProfile%Application DataMy Security Shieldcookies.sqlite

%UserProfile%Application DataMy Security ShieldInstructions.ini

%UserProfile%DesktopMy Security Shield.lnk

%UserProfile%Recentcid.drv

%UserProfile%RecentCLSV.tmp

%UserProfile%RecentDBOLE.exe

%UserProfile%Recentdelfile.sys

%UserProfile%Recentfan.dll

%UserProfile%Recentgrid.sys

%UserProfile%Recentkernel32.exe

%UserProfile%Recentkernel32.sys

%UserProfile%RecentPE.dll

%UserProfile%RecentPE.tmp

%UserProfile%Recentrunddlkey.drv

%UserProfile%RecentSICKBOY.drv

%UserProfile%Recentstd.dll

%UserProfile%Recenttempdoc.tmp

%UserProfile%Recenttjd.sys

%UserProfile%Start MenuMy Security Shield.lnk

%UserProfile%Start MenuProgramsMy S

HKEY_CURRENT_USERSoftware3

HKEY_CLASSES_ROOTCLSID{3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_CLASSES_ROOTMS345d_2129.DocHostUIHandler

HKEY_USERS.DEFAULTSoftwareMicrosoftInternet ExplorerSearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"

HKEY_CURRENT_USERSoftwareClassesSoftwareMicrosoftInternet ExplorerSearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"

HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDownload "RunInvalidSignatures" = "1"

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings5.0User AgentPost Platform "control/7.02129"

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun "My Security Shield"

HKEY_CLASSES_ROOTSoftwareMicrosoftInternet ExplorerSearchScopes "URL" = "http://findgala.com/?&uid=2129&q={searchTerms}"

HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDownload "CheckExeSignatures" = "no" ecurity Shield.lnk

EDIT2: Note that 345d567 is a random number/key that is created, so yours may be different. Look for some random string of numbers. Also, check if you can use ctrl alt del to open up the task manager; if so, see if you can find a random number.exe file and end the process. If not, proceed with the other stuff...

mav1234 · March 20, 2012

Malwarebytes may actually still be able to run if you go to your programs folder, find it, and click "Tools." Try Malwarebytes Chameleon.

lymelizzard · March 20, 2012

So, this thing popped up about 30 minutes ago. I hit the "x" in the corner because I didn't recognize it. Then it said my computer found all these viruses and whatnot. I ran Microsoft Security Essentials scan, said my computer was A-OK. I searched and found out this is a virus. Anybody know how to get rid of it? Conveniently, every link I click to try and figure out how to remove it doesn't work. So, somebody is going to have to spell it out on here.

Download and run combofix

Floppin · March 20, 2012

Is this the virus that redirects the IP for antivirus websites and update services? If so, that's a fun one.

mav1234 · March 20, 2012

it is malware that can do that, yeah. it also blocks malware removal programs and can sometimes prevent the task manager from being opened.

Floppin · March 20, 2012

Yeah I got that one once, but it was on a computer that I was upgrading so it wasn't a big deal since I trashed that OS and HDD anyhow.

mav1234 · March 20, 2012

amusingly enough it can be easier to format and reinstall everything than dealing with removing that poo.

Floppin · March 20, 2012

amusingly enough it can be easier to format and reinstall everything than dealing with removing that poo.

Indeed.

ChefAdam · March 20, 2012

Ive never gotten a bug from The Huddle for the past 6 or 7 years that I have been lurking around here. Not once.

I dont know where you got your bug from, my machine is running just fine. I doubt it was from here.

OP said he was on facebook.....that place is a breeding ground for viruses/malware/spybots

I got a malware like that once, had to format and reinstall everything.....hope you have back ups or use a cloud service

Sign In

Welcome!

Security Shield Rogueware

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived

Topics

Posts