Uninstall Windows Enterprise Defender – Complete Removal Guide

Windows Enterprise Defender is the latest rogue anti-spyware program from the Virus Doctor family. Once installed, it starts together with Windows and creates a number of harmless files with the following names:

%UserProfile%\Recent\cb.sys
%UserProfile%\Recent\ddv.dll
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\energy.exe
%UserProfile%\Recent\pal.sys
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\tempdoc.tmp

When Windows Enterprise Defender scans the computer, it detects those files as infected and asks you to purchase the program in order to remove them. This is, of course, only a marketing tactic meant to steal your money; the PC is not affected by these supposed viruses.
The software also displays alerts claiming that the computer is under attack from the internet, with the same purpose as the files above.

The program creates the following files and folders:

  • c:\Documents and Settings\All Users\Application Data\c9ba
  • c:\Documents and Settings\All Users\Application Data\c9ba\83.mof
  • c:\Documents and Settings\All Users\Application Data\c9ba\mozcrt19.dll
  • c:\Documents and Settings\All Users\Application Data\c9ba\sqlite3.dll
  • c:\Documents and Settings\All Users\Application Data\c9ba\unins000.dat
  • c:\Documents and Settings\All Users\Application Data\c9ba\WED.ico
  • c:\Documents and Settings\All Users\Application Data\c9ba\WindowsEDefender.exe
  • c:\Documents and Settings\All Users\Application Data\c9ba\WEDDSys
  • c:\Documents and Settings\All Users\Application Data\c9ba\WEDDSys\vd952342.bd
  • c:\Documents and Settings\All Users\Application Data\WEDDSys
  • c:\Documents and Settings\All Users\Application Data\WEDDSys\wed.cfg
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Enterprise Defender.lnk
  • %UserProfile%\Application Data\Windows Enterprise Defender
  • %UserProfile%\Application Data\Windows Enterprise Defender\cookies.sqlite
  • %UserProfile%\Desktop\Windows Enterprise Defender.lnk
  • %UserProfile%\Recent\cb.sys
  • %UserProfile%\Recent\ddv.dll
  • %UserProfile%\Recent\eb.sys
  • %UserProfile%\Recent\energy.exe
  • %UserProfile%\Recent\pal.sys
  • %UserProfile%\Recent\PE.drv
  • %UserProfile%\Recent\ppal.exe
  • %UserProfile%\Recent\tempdoc.tmp
  • %UserProfile%\Start Menu\Windows Enterprise Defender.lnk
  • %UserProfile%\Start Menu\Programs\Windows Enterprise Defender.lnk
  • c:\Program Files\Mozilla Firefox\searchplugins\search.xml

The following registry entries are also associated with it:

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\WindowsEDefender.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes “URL” => “http://search-gala.com/?&uid=7&q={searchTerms}”
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes “URL”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “[xSP_2:61a6083b6194a2314e3dd54cf9615e36_7]”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “876902803”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Enterprise Defender”

The following entry appears in the HijackThis log:

O4 - HKLM\..\Run: [Windows Enterprise Defender] "C:\Documents and Settings\All Users\Application Data\c9ba\WindowsEDefender.exe" /s /d
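
The following Python example is added here and is not from the original guide or from HijackThis: it parses registry O4 autostart lines like the one above and flags those whose executable runs from a data directory instead of Program Files. The directory list is a heuristic assumed for this example, and the `ExampleUpdater` line in the sample log is constructed.

```python
import re

# Registry autostart lines in a HijackThis log look like:
#   O4 - HKLM\..\Run: [Name] "C:\path\app.exe" /args
# (startup-folder O4 lines have another shape and are skipped here).
O4_RE = re.compile(r'^O4\s*[-\u2013]\s*(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+):'
                   r'\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$')
QUOTES = '"\u201c\u201d\u2033'  # straight quote plus typographic variants

# Assumption of this example: an autostart binary living in a data or
# "Recent" directory, rather than Program Files, deserves a closer look.
SUSPICIOUS_DIRS = ('\\application data\\', '\\appdata\\', '\\recent\\', '\\temp\\')

# Constructed sample: "ExampleUpdater" is made up; the second line is the
# entry quoted in this article.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKLM\..\Run: [Windows Enterprise Defender] "C:\Documents and Settings\All Users\Application Data\c9ba\WindowsEDefender.exe" /s /d
'''

def parse_o4(line):
    """Return dict(hive, key, name, path, args) for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd[0] in QUOTES:
        end = next((i for i in range(1, len(cmd)) if cmd[i] in QUOTES), len(cmd))
        path, args = cmd[1:end], cmd[end + 1:].strip()
    else:
        # Unquoted command: cut after the first ".exe", else take the first token
        cut = cmd.lower().find('.exe')
        cut = cut + 4 if cut != -1 else len(cmd.split()[0])
        path, args = cmd[:cut], cmd[cut:].strip()
    return {'hive': m.group('hive'), 'key': m.group('key').strip(),
            'name': m.group('name'), 'path': path, 'args': args}

def review(log_text):
    """Return parsed O4 entries whose executable sits in a data directory."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and any(d in entry['path'].lower() for d in SUSPICIOUS_DIRS):
            hits.append(entry)
    return hits

if __name__ == '__main__':
    for hit in review(SAMPLE_LOG):
        print('REVIEW:', hit['hive'], hit['key'], hit['name'], '->', hit['path'])
```

A flagged entry is a prompt for manual review, not proof of infection, since legitimate software sometimes autostarts from a user profile as well.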

REMOVAL: Download, install and scan the PC with Malwarebytes Anti-Malware. When the scan finishes, delete all the infections found by clicking “Remove selected”.

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected or removed by your current antivirus.

Administrator of FaraVirusi.com, volunteer with the Comodo Malware Research Team

4 responses to “Uninstall Windows Enterprise Defender – Complete Removal Guide”

  1. iusti

    Why isn't your front page working anymore? This is what appears when I try to get in: http://i.imagehost.org/view/0097/error

  2. Alexx

    The same thing happens to me at work with the front page.
    At home it works perfectly.
    I should mention that at work my internet is from RDS.

  3. Danielu'

    Hi Radu-Faravirusi.
    Iusti is right; that page appeared for me too, yesterday, a few times.
