Windows PC Defender – Removal Instructions

Yesterday we told you about the new rogue-application virus that is being distributed together with the news of Patrick Swayze's death.
If you did not manage to protect yourself from it and were infected, below are details about it and how to remove it.

Windows PC Defender is a recent rogue application from the same family as Ultimate System Guard and Windows Guard Pro. It is promoted through pop-up windows that appear while you browse the internet. They claim that viruses have been detected on the computer and recommend an antivirus scan. Whichever button you press, you will be redirected to a page that pretends to be an online antivirus scanner. At the end of the scan you will be offered the download of Windows PC Defender.
Its name is almost identical to that of the security product offered by Microsoft, and it likewise has a graphical interface



To get rid of this virus, follow the procedure below:

The virus creates the following files/folders:

The following registry keys are modified/created:


HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\WP345d.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes “URL” => “http://search-gala.com/?&uid=201&q={searchTerms}”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PRS” = “http://127.0.0.1:27777/?inj=%ORIGINAL%”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “UID” = “201”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “89770891803”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows PC Defender”

The HijackThis log shows the following entries:

O4 – HKCU\..\Run: [Windows PC Defender] “C:\Documents and Settings\All Users\Application Data\345d567\WP345d.exe” /s /d

REMOVAL: Download, install and scan the PC with Malwarebytes Anti-Malware. At the end, delete all infections found by pressing “Remove selected”.
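
Added example, not part of the original post: a Python triage of a HijackThis log pasted from a web page, flagging hosts-file overrides (O1 lines) and Run entries (O4 lines) that start from a typically user-writable directory, as the Windows PC Defender entry does. The O1 address and domain and the ExampleUpdater entry are constructed placeholders, and the directory list in `WRITABLE_HINTS` is an assumption.

```python
import re

# Blog engines often turn "-" into an en dash and straight quotes into curly
# ones, so normalise pasted log text before matching.
TYPOGRAPHY = str.maketrans({"\u2013": "-", "\u2014": "-", "\u201c": '"',
                            "\u201d": '"', "\u2033": '"'})
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*):\s+\[(.+?)\]\s+(.*)$")
# Assumption: path fragments of locations that are typically user-writable;
# a Run entry starting from one of them deserves a manual look.
WRITABLE_HINTS = ("\\application data\\", "\\appdata\\", "\\programdata\\",
                  "\\temp\\", "\\recent\\")


def exe_path(command):
    """Return the executable part of a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths with spaces survive.
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(log_text):
    """Return (kind, detail) findings for O1 and O4 lines of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.translate(TYPOGRAPHY).strip()
        m = O1_RE.match(line)
        if m:  # any hosts-file override is reported for review
            findings.append(("hosts-override", f"{m.group(2)} -> {m.group(1)}"))
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group(4))
            if any(hint in path.lower() for hint in WRITABLE_HINTS):
                findings.append(("run-from-writable-dir", f"[{m.group(3)}] {path}"))
    return findings


# Constructed sample: the first and last lines are placeholders, the middle
# line is the O4 entry from this post with its en dash and curly quotes.
SAMPLE = """\
O1 \u2013 Hosts: 192.0.2.10 payments.example.test
O4 \u2013 HKCU\\..\\Run: [Windows PC Defender] \u201cC:\\Documents and Settings\\All Users\\Application Data\\345d567\\WP345d.exe\u201d /s /d
O4 - HKLM\\..\\Run: [ExampleUpdater] "C:\\Program Files\\Example\\updater.exe"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```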