Hi,
I have been searching a lot on the internet for a solution to remove “Personal Shield Pro” virus and at different occassions have been able to delete files and remove them from registry from the solutions provided, but in the end whenever i restart within one hour the virus is always back.
I have tried earlier fixes of stopping it from loading by rkill and then using malware bytes to clean it in safe mode but it always returns back. Have been reading this forum and also installed avast in the system, but didnt restart it yet. Right now the Malware byte also shows the PC as clean. but to be on safe side i needed more help.
I saw similar problem with other ppl and for the purpose I installed and scanned with OTL, right now I am attaching Hijackthis and OTL logs to know if it is clean or what measures should i take.
Would appreciate any help.
Note: The system is EeePC1000H and there is no CDROM in it.
For sure attach the logs and I will have a look see
malwarebytes is designed to work best when run in normal mode…
and was it updated when you did the scan ?
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:17:13 AM, on 7/6/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\user\Desktop\OTS.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox 3.6 Beta 2\firefox.exe
C:\Documents and Settings\user\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
F2 - REG:system.ini: UserInit=userinit.exe,c:\program files\microsoft\watermark.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe”
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM..\Run: [ETDWareDetect] C:\Program Files\Elantech\ETDDect.exe
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [IRIS_XRX_S2P] C:\Program Files\Xerox\Xerox Phaser 6110MFP\PSU\Scan2pc.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t
O4 - HKLM..\Run: [niwout] C:\WINDOWS\system32\sogafouwou.exe
O4 - HKLM..\Run: [avast] “C:\Program Files\AVAST Software\Avast\avastUI.exe” /nogui
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [niwout] C:\Documents and Settings\LocalService\Application Data\Microsoft\sogafouwou.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: &’œÌ— ≈·Ï Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra ‘Tools’ menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ???C? ??? OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: ??&?C? ??? OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll ,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra ‘Tools’ menuitem: @btrez.dll ,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Change Modem Device Service - Unknown owner - C:\WINDOWS\System32\ChgService.exe
O23 - Service: Ati HotKey Poller (eunuu46uoke) - - C:\WINDOWS\system32\fynuwyl.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes’ Anti-Malware\mbamservice.exe
O23 - Service: Network Connectivity Service (ribyuyabuqg) - - C:\WINDOWS\system32\gobazou.exe
O23 - Service: C-DillaSrv (uu40yeiae) - Unknown owner - C:\WINDOWS\system32\monnikyze.exe (file missing)
O23 - Service: RUMBA AS/400 Shared Folders (yoipogrfeaicq) - Unknown owner - C:\WINDOWS\system32\rouwoow.exe (file missing)
–
End of file - 9405 bytes
to avoid multiple posts with copy and paste if the log is big
lower left corner > addtional options > attach
Ah OK Hijackthis - to be honest - is worthless against this sort of malware. If you have an OTL log could you attach that please
The OTS log text is attached.
I did update Malware bytes but didnt scan it in normal mode, only in safe mode.
The size is just a little bit big, I’m splitting it in 2
Hi you have saved it in unicode - could you resave as ANSI and then it will attach as one and I will be able to read it
http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif
system
July 5, 2011, 10:52pm
10
Hi,
Actually the pc shut down due to low battery, and i had to restart it. So thought of scanning it once again with OTS, but it will freeze while scanning drivers (some file named ozwscus…). Tried it twice and the same thing happened, so I am attaching the same log that I gave before in ANSI coding.
system
July 6, 2011, 5:49am
11
Hi,
Did you get the chance to review the log
Pondus
July 6, 2011, 6:15am
12
Essexboy will be back later today…
he is usually in here from 8:00pm - 11:59pm UK time
system
July 6, 2011, 2:41pm
13
Fix This in Hijack
F2 - REG:system.ini: UserInit=userinit.exe,c:\program files\microsoft\watermark.exe,
/////////////////////////////////////////////////////////////
O4 - HKLM..\Run: [niwout] C:\WINDOWS\system32\sogafouwou.exe
O4 - HKUS\S-1-5-18..\Run: [niwout] C:\Documents and Settings\LocalService\Application Data\Microsoft\sogafouwou.exe (User ‘SYSTEM’)
O23 - Service: Network Connectivity Service (ribyuyabuqg) - - C:\WINDOWS\system32\gobazou.exe
//////////////////////////////////////////////////////////
watermark.exe, sogafouwou.exe, gobazou.exe - Check in VT http://www.virustotal.com , and enter the result on the forum,it’s probably viruses.
http://www.freedrweb.com/cureit/?lng=en - Download and scan
Hi you are running three malware drivers including your safe boot. So I do not know if OTS will be strong enough to kill this but lets go for it
As the fix is so large the forum software will not allow me to paste it
Download the attached fix.txt to your desktop
Start OTS. Click the Run Fix button.
A dialogue will open asking for the fix.txt. Navigate to the one downloaded and press run fix again
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
OK having problems attaching the fix.txt
system
August 6, 2011, 9:52am
16
It cost a whole day to wipe away personal shield pro, I’ve found this removal video, you may check out,make sure every step you done is right: http://www.youtube.com/watch?v=FWqbZAvh6HE works for me…
DavidR
August 6, 2011, 11:31am
17
Sorry but this poor quality, too fast (to be really helpful) video (horrendous music) seems more to be an advert for tee support a paid support site.
As soon as there is a variant, e.g. they change the folder/file names, etc. this video is worthless. Which is why detailed analysis of the system by a specialist should win out over this.
You don’t happen to have anything to do with tee support do you ?
Not to mention this topic is a month old, which is one of the reasons for questioning the purpose of the post. As you can imagine I’m a trusting sort and take everything at face value.
system
August 6, 2011, 11:59am
18
@eepchelp
The recommendation that you install this program.
MCShield
It will prevent infection by computer via USB flash drive, mobile phone or any memory card.
And not only will prevent infection, but will immediately clean Memory card or external HDD
You have the infection via USB drive.