Anyone know why the computer got infected by Security Shield 2012?

Last response: in Business Computing
July 8, 2012 10:39:05 AM

http://forums.malwarebytes.org/index.php?showtopic=1076...

I have one computer in the company that always gets infected by this rogue malware. I know how to remove it, but I need to find the cause of the infection.
I checked the user's Internet history and they have not accessed adult websites, so why is it infected?

Computer OS: Windows Server 2003
Antivirus: KASPERSKY BUSINESS SPACE
July 8, 2012 10:45:10 AM

You should consider upgrading all of your Server 2003 installations to 2008 or 2008 R2. Windows Server 2003 is based off of a slightly different version of Windows XP (NT 5.2 rather than NT 5.1) and thus has all the same security vulnerabilities as XP. Microsoft put a lot of work into improving security for 2008 and 2008 R2 which are based off of the same codebase as Vista and 7 respectively.
July 8, 2012 11:11:06 AM

In addition, there are websites that do drive-by attacks. Adult websites have nothing to do with it. Any (bad) website can do this. You most likely have a stupid user who keeps going to his favorite site, or clicking Yes on a popup. Restrict access to essential personnel, change their accounts to standard, remove install rights, review basic internet common sense with them, update IE and Java etc.

Before removing it, look here:

In the existing folder C:\Documents and Settings\{username}\Local Settings\Application Data
Adds the file ghfbr.exe"="16:10 22/03/12 371200 bytes

Since it's in the user's profile folder, you may be able to figure out which idiot keeps doing it.

Malwarebytes Pro would also block it.
July 8, 2012 9:14:12 PM

Going to an inappropriate or "dangerous" website really has nothing to do with it anymore. You can get a malware infection from any website really, if the web server is infected and you have the vulnerability. Facebook, Yahoo, MSN, or any page really. Most of the malicious programs actually seem to come from the advertisements on the page, which are usually loaded from a completely different website than the one you're actually visiting, and it's these ad websites that are infected with the virus.

There are some ways to go about preventing or helping to lock down the system a little better from receiving infection. First off, log EVERY website that they are visiting on the computer to see if you can find a pattern to point to a specific site that might be loading the virus. We've had this happen before on one of our office computers and came to find out it was a completely legitimate website that we used quite regularly. We contacted them and they had no idea they'd been infected but after a quick search they realized we were correct.

Next, make sure you are completely up to date on security definitions and Windows updates. If there are any add-ons or plug-ins for your browser, disable them. This can be one way that stuff can get access to your browser and your system. If you are using Internet Explorer for your web browsing, try to switch to something more secure like Mozilla Firefox or Google's Chrome.

As stated above, you may consider updating to Server 2008, which is much more secure than the older Server 2003, just as Windows 7 has been redesigned to address many of the security issues of Windows XP. This is just the natural course of evolution for operating systems and technology.

But finally, if this is a Server 2003 environment, and I assume something is utilizing this system specifically as a server since it is a server OS, then don't use it for web browsing! In fact, don't use it, period, to do anything but the necessary server tasks. No one should be checking their email or logging into their Facebook on a production server system; it's completely contradictory to the purpose of your server host and workstation client environment. Use a separate non-server computer to access any websites.
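An added example, not written by any poster in this thread, that combines the two suggestions above: the drop time of the rogue file found in a user's profile (the ghfbr.exe listing quoted earlier) and a log of every site visited. It assumes a simple proxy log of the form `<date> <time> <user> <url>`; the log lines and the second file name are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit
# Constructed sample: each infection as (dropped file path, drop time in the
# "HH:MM DD/MM/YY" form quoted for ghfbr.exe). The second file name is made up.
DROPS = [
    (r"C:\Documents and Settings\jsmith\Local Settings\Application Data\ghfbr.exe", "16:10 22/03/12"),
    (r"C:\Documents and Settings\jsmith\Local Settings\Application Data\kqzpd.exe", "09:42 05/04/12"),
]

# Constructed proxy log lines: "<date> <time> <user> <url>" (assumed format).
PROXY_LOG = """\
2012-03-22 16:05:12 jsmith http://news.example.com/index.html
2012-03-22 16:05:14 jsmith http://ads.example-adnet.net/serve?id=1
2012-03-22 16:09:50 jsmith http://ads.example-adnet.net/serve?id=7
2012-04-05 09:30:01 jsmith http://weather.example.com/
2012-04-05 09:40:22 jsmith http://ads.example-adnet.net/serve?id=3
2012-04-05 09:41:10 jsmith http://shop.example.com/cart
2012-04-05 10:00:00 bjones http://ads.example-adnet.net/serve?id=9
"""

def user_from_profile_path(path):
    """On NT5 the profile owner is the folder directly under 'Documents and Settings'."""
    parts = path.split("\\")
    idx = [p.lower() for p in parts].index("documents and settings")
    return parts[idx + 1]

def parse_proxy_log(text):
    """Yield (timestamp, user, host) for each log line."""
    for line in text.splitlines():
        date, time, user, url = line.split(maxsplit=3)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, user, urlsplit(url).hostname

def hosts_before_drops(log_text, drops, window_minutes=10):
    """Count, per host, how many drops it was loaded shortly before by the infected user."""
    entries = list(parse_proxy_log(log_text))
    counts = Counter()
    for path, when in drops:
        user = user_from_profile_path(path)
        t_drop = datetime.strptime(when, "%H:%M %d/%m/%y")
        start = t_drop - timedelta(minutes=window_minutes)
        # A set, so a host loaded several times before one drop counts once for that drop.
        counts.update({h for ts, u, h in entries if u == user and start <= ts <= t_drop})
    return counts

def prime_suspects(log_text, drops, window_minutes=10):
    """Hosts seen before every drop: the likeliest loader, often a third-party ad host."""
    counts = hosts_before_drops(log_text, drops, window_minutes)
    return sorted(h for h, n in counts.items() if n == len(drops))
```

The host that shows up in the window before every infection is the one to take to its owner, as the poster above did; the legitimate page the user was reading appears only once.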
July 8, 2012 10:25:03 PM

Why were you surfing the web on a critical server? Or allowing anyone to do so? What kind of systems admin are you? The main rules for an important server:

NO ACCESS TO THE SYSTEM (PASSWORD-PROTECTED BIOS + USER ACCOUNT)
DON'T SURF THE WEB ON THE SYSTEM
NO PHYSICAL ACCESS TO THE SYSTEM
DO NOT USE THE SYSTEM FOR DAY-TO-DAY TASKS (IT'S THERE TO SERVE)

NT5 is dead (XP/2K/2K3); time to move on, and you probably have to do a fresh install now and set everything up again.
August 25, 2012 9:41:01 PM

Security Shield can get you from a source you don't even expect. Like someone mentioned above, it can even load itself from ads, or infected servers. Nice article about this at http://securityshieldremoval.com . I hope they work out a solution to this malware soon enough; it's insane how they can't stop it for years now...
August 26, 2012 12:28:43 AM

apache_lives said:
Why were you surfing the web on a critical server? Or allowing anyone to do so? What kind of systems admin are you? The main rules for an important server:

NO ACCESS TO THE SYSTEM (PASSWORD-PROTECTED BIOS + USER ACCOUNT)
DON'T SURF THE WEB ON THE SYSTEM
NO PHYSICAL ACCESS TO THE SYSTEM
DO NOT USE THE SYSTEM FOR DAY-TO-DAY TASKS (IT'S THERE TO SERVE)

NT5 is dead (XP/2K/2K3); time to move on, and you probably have to do a fresh install now and set everything up again.

I'm a particular fan of systems that have a built-in "remote server" mode. This disables physical access to the server and forces all of it to be done over IP through the management interface.
August 26, 2012 12:39:45 AM

Pinhedd said:
I'm a particular fan of systems that have a built-in "remote server" mode. This disables physical access to the server and forces all of it to be done over IP through the management interface.


I have never heard of such a thing before, but I will look it up on Google; it may be useful in the future :) I learn something new every day...
August 26, 2012 10:10:54 AM

Gintoki said:
I have never heard of such a thing before, but I will look it up on Google; it may be useful in the future :) I learn something new every day...


It has to be supported in the firmware, and it will only be found on enterprise hardware that has built-in management interfaces. I know that HP has it in their ProLiant servers!