Windows PC Defender – Removal Instructions

Yesterday we warned you about the new rogue-application virus that is being spread together with the news of Patrick Swayze's death.
If you did not manage to protect yourself from it and were infected, below are details about it and how to remove it.

Windows PC Defender is a recent rogue application from the same family as Ultimate System Guard and Windows Guard Pro. It is promoted through pop-up windows that appear while browsing the internet. These claim that viruses have been detected on the computer and recommend an antivirus scan. Whichever button you press, you are redirected to a page that pretends to be an online antivirus scanner. At the end of the "scan" you are offered Windows PC Defender for download.
It has a name almost identical to the security product offered by Microsoft and also a similar graphical interface.

Windows PC Defender

To get rid of this virus, follow the procedure below:

The virus creates the following files and folders:

  • c:\Documents and Settings\All Users\Application Data\345d567
  • c:\Documents and Settings\All Users\Application Data\345d567\8424.mof
  • c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
  • c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
  • c:\Documents and Settings\All Users\Application Data\345d567\WP345d.exe
  • c:\Documents and Settings\All Users\Application Data\345d567\WPCD.ico
  • c:\Documents and Settings\All Users\Application Data\345d567\WPCDSys
  • c:\Documents and Settings\All Users\Application Data\345d567\WPCDSys\vd952342.bd
  • c:\Documents and Settings\All Users\Application Data\WPCDSys
  • c:\Documents and Settings\All Users\Application Data\WPCDSys\wpcd.cfg
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows PC Defender.lnk
  • %UserProfile%\Application Data\Windows PC Defender
  • %UserProfile%\Application Data\Windows PC Defender\cookies.sqlite
  • %UserProfile%\Application Data\Windows PC Defender\Instructions.ini
  • %UserProfile%\Desktop\Windows PC Defender.lnk
  • %UserProfile%\Recent\cid.dll
  • %UserProfile%\Recent\CLSV.tmp
  • %UserProfile%\Recent\ddv.dll
  • %UserProfile%\Recent\eb.exe
  • %UserProfile%\Recent\eb.sys
  • %UserProfile%\Recent\energy.sys
  • %UserProfile%\Recent\exec.tmp
  • %UserProfile%\Recent\fix.exe
  • %UserProfile%\Recent\FS.drv
  • %UserProfile%\Recent\kernel32.drv
  • %UserProfile%\Recent\PE.drv
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\ppal.exe
  • %UserProfile%\Recent\runddlkey.drv
  • %UserProfile%\Recent\tempdoc.dll
  • %UserProfile%\Start Menu\Windows PC Defender.lnk
  • %UserProfile%\Start Menu\Programs\Windows PC Defender.lnk
  • c:\Program Files\Mozilla Firefox\searchplugins\search.xml

The following registry keys are modified or created:

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\WP345d.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes “URL” => “http://search-gala.com/?&uid=201&q={searchTerms}”
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PRS” = “http://127.0.0.1:27777/?inj=%ORIGINAL%”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “UID” = “201”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “89770891803”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows PC Defender”

The HijackThis log shows the following entries:

O1 – Hosts: 74.125.45.100 4-open-davinci.com
O1 – Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 – Hosts: 74.125.45.100 privatesecuredpayments.com
O1 – Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 – Hosts: 74.125.45.100 getantivirusplusnow.com
O1 – Hosts: 74.125.45.100 secure-plus-payments.com
O1 – Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 – Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 – Hosts: 74.125.45.100 www.getavplusnow.com
O1 – Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 – Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 – Hosts: 74.125.45.100 paysoftbillsolution.com
O4 – HKCU\..\Run: [Windows PC Defender] “C:\Documents and Settings\All Users\Application Data\345d567\WP345d.exe” /s /d
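As an added example (not part of the original post), a small Python checker that reads a HijackThis log such as the one above and flags the two indicators the post documents: hosts-file entries pinning payment and security sites to 74.125.45.100, and the "Windows PC Defender" Run-key entry launching WP345d.exe. It also applies a more general rule, several unrelated hostnames pinned to one IP, since that pattern is common to rogue antivirus families beyond this one. The sample log is constructed for the demonstration.

```python
import re
from collections import defaultdict
# Indicators quoted from the post above: the hosts-file IP, the rogue's exe name
# and the value name of its Run-key entry.
HIJACK_IP = "74.125.45.100"
ROGUE_EXE = "wp345d.exe"
ROGUE_RUN_VALUE = "windows pc defender"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
O4_RE = re.compile(r'^O4 - (\S+?): \[([^\]]+)\]\s+"?([^"]+?\.exe)"?(?:\s+.*)?$', re.IGNORECASE)

# Constructed sample (not a real capture): three hijacked hosts entries, one
# harmless entry, one legitimate Run entry and the rogue's Run entry.
SAMPLE_LOG = """\
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 10.0.0.5 intranet.example
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Windows PC Defender] "C:\\Documents and Settings\\All Users\\Application Data\\345d567\\WP345d.exe" /s /d
"""

def parse_hijackthis(text):
    """Return ([(ip, hostname)], [(key, value_name, exe_path)]) from O1/O4 lines."""
    hosts, run = [], []
    for raw in text.splitlines():
        # Copies of logs posted on blogs often carry typographic dashes/quotes; normalise.
        line = raw.strip().replace("\u2013", "-").replace("\u201c", '"').replace("\u201d", '"')
        m = O1_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = O4_RE.match(line)
        if m:
            run.append((m.group(1), m.group(2), m.group(3)))
    return hosts, run

def find_indicators(text, min_domains_per_ip=3):
    """Flag hosts hijacks (rule 1: the post's IP; rule 2, generic: one IP pinned to
    several hostnames, how rogue AVs block security/payment sites) and the autostart."""
    hosts, run = parse_hijackthis(text)
    by_ip = defaultdict(set)
    for ip, host in hosts:
        by_ip[ip].add(host)
    findings = []
    for ip, names in by_ip.items():
        if ip == HIJACK_IP or len(names) >= min_domains_per_ip:
            findings.append(("hosts_hijack", ip, sorted(names)))
    for key, name, exe in run:
        if name.lower() == ROGUE_RUN_VALUE or exe.lower().endswith(ROGUE_EXE):
            findings.append(("rogue_autostart", key, exe))
    return findings
```

Run it against a saved HijackThis log with `find_indicators(open("hijackthis.log").read())`; each finding names the hijacked IP with its hostnames, or the Run key and executable path to remove.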

REMOVAL: Download, install and scan the PC with Malwarebytes Anti-Malware. At the end, delete all infections found by pressing "Remove selected".

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected or removed by your current antivirus.

Administrator of FaraVirusi.com
volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert

2 responses to "Windows PC Defender – Removal Instructions"

  1. FaraVirusi.com » Blog Archive » Fake Twitter Accounts with Infected Links to Rogue Programs

    […] are fake online scanners that offer Windows PC Defender for download (click here for removal instructions). Beforehand, they claim to have detected a multitude of viruses, trojans, spyware […]

  2. FaraVirusi.com » Blog Archive » The Samoa Earthquake – Fake News That Redirects to Rogue Programs

    […] Unfortunately this news item too has been heavily exploited by attackers. Google searches on this topic, and Twitter searches as well, redirected to infected sites that offered rogue programs for download, more precisely Windows Defender. […]
