Trojaner-Board - MySecurityWall / My Security Wall entfernen

Trojaner-Board (https://www.trojaner-board.de/)

- Anleitungen, FAQs & Links (https://www.trojaner-board.de/anleitungen-faqs-links/)

- - MySecurityWall / My Security Wall entfernen (https://www.trojaner-board.de/82926-mysecuritywall-my-security-wall-entfernen.html)

MySecurityWall / My Security Wall entfernen

My Security Wall entfernen

Was ist My Security Wall?
My Security Wall ist eine weitere gefälschte Scan-Software, die mittels eines trojanischen Pferdes in den PC eindringt und weissmacht, den PC nach Malware abzusuchen. Diese Software ist ein Fake und selbst eine Schadsoftware und sollte nicht gekauft werden.

Verbreitet wird My Security Wall nicht mehr ausschliesslich über 'dubiose Seiten' für Cracks, KeyGens und Warez, sondern auch seriöse Seiten werden zunehmend für die Verbreitung dieser mißbraucht (http://www.trojaner-board.de/90880-d...tallation.html).

http://www.trojaner-board.de/attachm...1&d=1266438195 http://www.trojaner-board.de/attachm...1&d=1266438195 http://www.trojaner-board.de/attachm...1&d=1266438195

Symptome von My Security Wall:

Ständige Warnmeldungen
Veränderung der HOSTS-datei
PC ist langsamer als üblich

http://www.trojaner-board.de/attachm...1&d=1266438195 http://www.trojaner-board.de/attachm...1&d=1266483642

Dateien von My Security Wall:

Code:

c:\Documents and Settings\All Users\Application Data\MSEAIVCW

c:\Documents and Settings\All Users\Application Data\MSEAIVCW\MSGWBQLMRPW.cfg

c:\Documents and Settings\All Users\Application Data\117fc

c:\Documents and Settings\All Users\Application Data\117fc\MS339.exe

c:\Documents and Settings\All Users\Application Data\117fc\MSW.ico

c:\Documents and Settings\All Users\Application Data\117fc\7463.mof

c:\Documents and Settings\All Users\Application Data\117fc\mozcrt19.dll

c:\Documents and Settings\All Users\Application Data\117fc\sqlite3.dll

c:\Documents and Settings\All Users\Application Data\117fc\BackUp\Adobe Reader Speed Launch.lnk

c:\Documents and Settings\All Users\Application Data\117fc\BackUp

c:\Documents and Settings\All Users\Application Data\117fc\BackUp\Adobe Reader Synchronizer.lnk

c:\Documents and Settings\All Users\Application Data\117fc\MSWSys

c:\Documents and Settings\All Users\Application Data\117fc\MSWSys\vd952342.bd

c:\Documents and Settings\All Users\Application Data\117fc\Quarantine Items

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\My Security Wall.lnk

%UserProfile%\Application Data\My Security Wall

%UserProfile%\Application Data\My Security Wall\cookies.sqlite

%UserProfile%\Desktop\My Security Wall.lnk

%UserProfile\Recent\ANTIGEN.tmp

%UserProfile\Recent\dudl.sys

%UserProfile\Recent\energy.drv

%UserProfile\Recent\exec.dll

%UserProfile\Recent\exec.drv

%UserProfile\Recent\grid.drv

%UserProfile\Recent\hymt.drv

%UserProfile\Recent\kernel32.exe

%UserProfile\Recent\pal.drv

%UserProfile\Recent\PE.drv

%UserProfile\Recent\ppal.exe

%UserProfile\Recent\tempdoc.dll

%UserProfile\Recent\tempdoc.drv

%UserProfile\Recent\tjd.tmp

%UserProfile%\Start Menu\My Security Wall.lnk

%UserProfile%\Start Menu\Programs\My Security Wall.lnk

c:\Program Files\Mozilla Firefox\searchplugins\search.xml 

%UserProfile%\Recent\ANTIGEN.drv

%UserProfile%\Recent\ANTIGEN.exe

%UserProfile%\Recent\cid.dll

%UserProfile%\Recent\CLSV.drv

%UserProfile%\Recent\DBOLE.sys

%UserProfile%\Recent\ddv.dll

%UserProfile%\Recent\ddv.sys

%UserProfile%\Recent\energy.tmp

%UserProfile%\Recent\FS.drv

%UserProfile%\Recent\gid.drv

%UserProfile%\Recent\PE.drv

%UserProfile%\Recent\PE.exe

%UserProfile%\Recent\PE.sys

%UserProfile%\Recent\PE.tmp

%UserProfile%\Recent\runddlkey.dll

%UserProfile%\Recent\std.exe

%UserProfile%\Recent\tjd.drv

%UserProfile%\Recent\tjd.sys

Registry-Einträge von My Security Wall:

Code:

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"

HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "Build/13.00007"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "My Security Wall"

HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=7&q={searchTerms}"

HKEY_CLASSES_ROOT\xp_5f014.DocHostUIHandler

My Security Wall im HijackThis-Log:

Code:

O4 - HKCU\..\Run: [My Security Wall] "C:\Documents and Settings\All Users\Application Data\117fc\MS339.exe" /s /d

MySecurityWall / My Security Wall entfernen

MySecurityWall / My Security Wall entfernen

Tool: rkill.com Download Link herunterladen und mit doppelklick ausführen.

http://www.trojaner-board.de/attachm...aning-tool.png

Das Tool stoppt alle Prozesse von MySecurityWall / My Security Wall.

Bei Bedarf mehrmals ausführen, bis alle ungewünschten Prozesse beendet wurden.

Starte einen vollständigen Scan mit Malwarebytes Anti-Malware

Achtung: Diese Fake Software wird versuchen, den Einsatz von Malwarebytes zu verhindern. Benenne das Setup vor dem speichern in etwas anderes um (z.B. Herbert.exe).

Falls es vorher nicht funktioniert hat, sollte das Setup jetzt starten.

Wenn das Programm nach der Installation nicht starten sollte, dann benenne die "mbam.exe" in "herbert.exe" um und versuche es erneut.

http://www.trojaner-board.de/attachm...ntfernen-2.png

http://www.trojaner-board.de/attachm...1&d=1266441548

Code:

Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 760 Registry Values Infected: 14 Registry Data Items Infected: 8 Folders Infected: 1 Files Infected: 5 Memory Processes Infected: C:\Documents and Settings\{username}\Desktop\securitywall\xp_5f014.exe (Rogue.MySecurityWall) -> Unloaded process successfully. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully. <snipped long list of IFEO hijack fixes> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfwsvc.exe (Security.Hijack) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my security wall (Rogue.MySecurityWall) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Arrakis3.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdreinit.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsubwiz.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdtkexec.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdwizreg.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiscan.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrepl.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. Folders Infected: C:\Documents and Settings\{username}\Application Data\My Security Wall (Rogue.MySecurityWall) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\{username}\Desktop\securitywall\xp_5f014.exe (Rogue.MySecurityWall) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Application Data\My Security Wall\Instructions.ini (Rogue.MySecurityWall) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Desktop\My Security Wall.lnk (Rogue.MySecurityWall) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\My Security Wall.lnk (Rogue.MySecurityWall) -> Quarantined and deleted successfully. C:\Documents and Settings\{username}\Start Menu\Programs\My Security Wall.lnk (Rogue.MySecurityWall) -> Quarantined and deleted successfully.

Lade Dir *HostsXpert*
auf dem Desktop speichern und entpacken

* Ordner HostsXpert öffnen
* HostsXpert.exe doppelklicken
* klicke auf Restore Microsoft's Hosts File, dann OK

MySecurityWall / My Security Wall immer noch nicht entfernt?

OTH - OTHelper - Kill All Processes

Mit aktualisiertem (!!) Malwarebytes Anti-Malware nach Ausführen von OTH nochmal QUICKSCAN ausführen.

Bitte alle temporären Dateien löschen und Speicherplatz freigeben.

Weitergehende Prüfung

Das System könnte noch nicht vollständig sauber sein.

Daher unbedingt ein Thema erstellen: Für alle Hilfesuchenden! Was muss ich vor der Eröffnung eines Themas beachten?

Nicht vergessen mit FRST-Logfiles wie in der Anleitung beschrieben.

Wie man Hilfe bekommt steht auch hier.