Uninstall Sysinternals Antivirus – Complete Disinfection Guide

Sysinternals Antivirus is a rogue anti-spyware program, or rather a rogue security suite.
It trades on the well-known Sysinternals name, a maker of PC utility software.
It claims to offer antivirus, firewall and system optimisation. It is distributed through Trojans posing as video codecs or Flash updates supposedly required to view online content. The program displays numerous fake alerts and runs scans of the PC that falsely detect hundreds of infections.

All of this is meant to mislead the user into purchasing the program. The detected files are either non-existent or clean, and the alerts should be disregarded.

Sysinternals Antivirus

To get rid of this unwanted guest, read the details below:

The program creates the following files\folders:

  • c:\Program Files\adc_w32.dll
  • c:\Program Files\alggui.exe
  • c:\Program Files\extra1.dat
  • c:\Program Files\extra2.dat
  • c:\Program Files\nuar.old
  • c:\Program Files\skynet.dat
  • c:\Program Files\svchost.exe
  • c:\Program Files\wp3.dat
  • c:\Program Files\wp4.dat
  • c:\Program Files\scdata
  • c:\Program Files\scdata\dbsinit.exe
  • c:\Program Files\scdata\wispex.html
  • c:\Program Files\scdata\images
  • c:\Program Files\scdata\images\i1.gif
  • c:\Program Files\scdata\images\i2.gif
  • c:\Program Files\scdata\images\i3.gif
  • c:\Program Files\scdata\images\j1.gif
  • c:\Program Files\scdata\images\j2.gif
  • c:\Program Files\scdata\images\j3.gif
  • c:\Program Files\scdata\images\jj1.gif
  • c:\Program Files\scdata\images\jj2.gif
  • c:\Program Files\scdata\images\jj3.gif
  • c:\Program Files\scdata\images\l1.gif
  • c:\Program Files\scdata\images\l2.gif
  • c:\Program Files\scdata\images\l3.gif
  • c:\Program Files\scdata\images\pix.gif
  • c:\Program Files\scdata\images\t1.gif
  • c:\Program Files\scdata\images\t2.gif
  • c:\Program Files\scdata\images\Thumbs.db
  • c:\Program Files\scdata\images\up1.gif
  • c:\Program Files\scdata\images\up2.gif
  • c:\Program Files\scdata\images\w1.gif
  • c:\Program Files\scdata\images\w11.gif
  • c:\Program Files\scdata\images\w2.gif
  • c:\Program Files\scdata\images\w3.jpg
  • c:\Program Files\scdata\images\word.doc
  • c:\Program Files\scdata\images\wt1.gif
  • c:\Program Files\scdata\images\wt2.gif
  • c:\Program Files\scdata\images\wt3.gif
  • c:\Program Files\Sysinternals Antivirus
  • c:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn.exe
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn151.acf
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn151.ltd
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn151.lti
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn151_0.acb
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn151_0.aci
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn151_0.mt
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsrr.exe
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\lleod150
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\wmharun.log
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\wmrun.log
  • %UserProfile%\Start Menu\Programs\Sysinternals Antivirus
  • %UserProfile%\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk

The following registry keys are associated with it:

HKEY_CURRENT_USER\Software\Sysinternals Antivirus
HKEY_CLASSES_ROOT\CLSID\{149256D5-E103-4523-BB43-2CFB066839D6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{149256D5-E103-4523-BB43-2CFB066839D6}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdbUpd
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "novavapp"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "novavappr"

The following entries appear in the HijackThis log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: ADC PlugIn - {149256D5-E103-4523-BB43-2CFB066839D6} - C:\Program Files\adc_w32.dll
O4 - HKCU\..\Run: [novavapp] %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsmn.exe
O4 - HKCU\..\Run: [novavappr] %UserProfile%\Application Data\Microsoft\Internet Explorer\ccsrr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F902301-D005-499E-8448-F9E2EC98B9A7}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{9239B395-78B0-4938-AC0D-692A7A7C682C}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3D77D58-5997-458E-A70C-892555CEEC52}: NameServer = 8.8.8.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F902301-D005-499E-8448-F9E2EC98B9A7}: NameServer = 8.8.8.8
O23 - Service: Adobe Update Service (AdbUpd) - Unknown owner - C:\Program Files\svchost.exe
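
The file list, registry keys and HijackThis entries above can be checked in one pass before starting the removal steps. The script below is an added example written for this guide, not a tool from the original page or from any vendor named on it: a read-only triage script that reports which of the listed indicators are present and deletes nothing. It assumes PowerShell 3 or later and a default %ProgramFiles%; the %UserProfile%\Application Data path from the list is the Windows XP location, so the newer %AppData% equivalent is checked as well.

```powershell
# Added example (not from the original guide): read-only check for the
# Sysinternals Antivirus indicators listed in the page. Nothing is removed.
# Assumes PowerShell 3+, default %ProgramFiles%, and that the XP-era
# "%UserProfile%\Application Data" maps to $env:APPDATA on newer Windows.

$clsid = '{149256D5-E103-4523-BB43-2CFB066839D6}'
$pf    = $env:ProgramFiles    # normally C:\Program Files

# Both the XP-style and the modern per-user Internet Explorer data folders
$profileDirs = @(
    (Join-Path $env:USERPROFILE 'Application Data\Microsoft\Internet Explorer'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer')
)

# Executable/data artifacts from the file list (images under scdata omitted)
$files = @(
    'adc_w32.dll', 'alggui.exe', 'extra1.dat', 'extra2.dat', 'nuar.old',
    'skynet.dat', 'svchost.exe', 'wp3.dat', 'wp4.dat',
    'scdata\dbsinit.exe', 'scdata\wispex.html',
    'Sysinternals Antivirus\Sysinternals Antivirus.exe'
) | ForEach-Object { Join-Path $pf $_ }

$files += foreach ($dir in $profileDirs) {
    foreach ($name in 'ccsmn.exe', 'ccsrr.exe', 'wmharun.log', 'wmrun.log') {
        Join-Path $dir $name
    }
}

# Registry keys from the page, in PowerShell provider notation
$regKeys = @(
    'HKCU:\Software\Sysinternals Antivirus',
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    'HKLM:\SYSTEM\CurrentControlSet\Services\AdbUpd'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Autostart values "novavapp" and "novavappr" (the O4 entries in the log)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'novavapp', 'novavappr') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "Run value present: $name = $($run.$name)"
    }
}

# The "Adobe Update Service" (AdbUpd) from the O23 entry
$svc = Get-CimInstance Win32_Service -Filter "Name='AdbUpd'" -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service present: $($svc.Name) -> $($svc.PathName)" }

# The rogue drops its own svchost.exe in %ProgramFiles%; the genuine one lives
# only under %SystemRoot%\System32 (or SysWOW64), so flag any other location.
Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" -ErrorAction SilentlyContinue |
    Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath -notlike "$env:SystemRoot\System32\*" -and
        $_.ExecutablePath -notlike "$env:SystemRoot\SysWOW64\*"
    } |
    ForEach-Object { $findings += "svchost.exe running from unexpected path: $($_.ExecutablePath)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Sysinternals Antivirus indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and the service can be read; the rogue's fake alerts about the script are the same false alarms the guide describes for rkill.com. Because the script only reads, it can also be re-run after the Malwarebytes scan to confirm that the listed artifacts are gone.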

DISINFECTION:

1. Download and run rkill.com. This is necessary to stop the active process used by the virus. You will probably get a warning that rkill.com is infected. Ignore it; it is just a false alarm generated by Sysinternals Antivirus.
Run rkill.com again until the virus is no longer active. Alternatively, you can try eXplorer.exe or iExplore.exe.

2. Download Malwarebytes Anti-Malware. Run a full scan of the PC and at the end delete the infections found by clicking Remove selected.

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself against such threats in the future, given that they were not detected\removed by your current antivirus.

Administrator, FaraVirusi.com
Volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert
