Protection against the latest computer threats, intelligent anti-spyware protection, protection for instant-messaging clients and low resource (CPU) usage… sounds tempting, doesn't it?
Add to that the awards from Softpedia, PC Magazine and CNET, Windows 7 compatibility and 24/7 technical support, and you might just have the perfect antivirus (one that also claims a 97.5% detection and disinfection rate, far above the competition).
These are the false claims with which one of the rogue programs available "on the market" advertises itself. To be even more convincing, it uses the name VirusTotal 2010, borrowed from the well-known online scanning service for suspicious files.

The program actually installed after the download varies with the operating system. Its name is one of the following: AntiSpyware XP, Antivirus XP, Total XP Security, XP AntiSpyware 2010, XP Antivirus Pro, XP Guardian, XP Security Tool, XP Smart Security, XP AntiMalware, XP Defender, XP Defender Pro, XP Internet Security, Security Master AV. On Windows Vista and Windows 7 the "XP" part of the name is replaced with "Vista" or "Win 7" respectively.

The program displays fake alerts whenever a browser is started, blocks cleanup tools such as Malwarebytes Anti-Malware and SuperAntiSpyware from running, and additionally shows a fake Security Center.
The program drops the following files (depending on the operating system):
Windows XP:
- c:\Documents and Settings\All Users\Application Data\QJyrk5wvCU1
- %UserProfile%\Local Settings\Application Data\av.exe
- %UserProfile%\Local Settings\Application Data\ave.exe
- %UserProfile%\Local Settings\Application Data\QJyrk5wvCU1
- %UserProfile%\Local Settings\Application Data\WRblt8464P
- %UserProfile%\Local Settings\Temp\QJyrk5wvCU1
- %UserProfile%\Templates\QJyrk5wvCU1
Windows Vista and Windows 7:
- C:\ProgramData\QJyrk5wvCU1
- C:\Users\All Users\QJyrk5wvCU1
- %UserProfile%\AppData\Local\av.exe
- %UserProfile%\AppData\Local\ave.exe
- %UserProfile%\AppData\Local\QJyrk5wvCU1
- %UserProfile%\AppData\Local\WRblt8464P
- %UserProfile%\AppData\Local\Temp\QJyrk5wvCU1
- %UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\QJyrk5wvCU1
It also sets the following registry values. The ones under .exe and secfile hijack the "open" command for every executable, so each program the user launches is first handed to av.exe (or ave.exe), which is how the rogue blocks cleanup tools; the StartMenuInternet entries do the same for the browsers, and the two Security Center overrides silence the "no antivirus / no firewall" warnings:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
DISINFECTION:
1. Download and run rkill.com. This is needed to stop the running process used by the malware. You will probably get a warning that rkill.com is infected; ignore it, it is just a false alarm generated by the rogue program.
Run rkill.com again until the malware is no longer active. Alternatively, try one of rkill's renamed copies, eXplorer.exe or iExplore.exe, which get past the rogue's blocking of known tool names.
2. Download Malwarebytes Anti-Malware. Run a full scan and, when it finishes, delete the infections found by clicking Remove Selected.
If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself against such threats in the future, given that your current antivirus did not detect or remove them.
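The registry list above and the removal steps both come down to the same two things: spotting the av.exe / ave.exe launcher hijacks and the Security Center overrides, and putting the original values back. The script below is an added example, not code from the original post and not part of rkill or Malwarebytes. It parses a registry export (the text produced by regedit or `reg export`), flags those values, and writes a .reg fragment that reverses them. SAMPLE_REG is a constructed export that mirrors the post's indicators; the user name and paths in it are made up. Run it on a real export with `python triage.py export.reg` on the infected machine (after rkill has stopped the process) and review the generated fragment before importing it.

```python
"""Registry triage for the fake-AV family described above.

Added example (not code from the original post or from any vendor tool).
Parses a .reg export, flags the launcher hijacks and Security Center
overrides the post lists, and builds a .reg fragment that undoes them.
SAMPLE_REG is a constructed export mirroring the post's indicators.
"""
import re
import sys

# The launcher is av.exe or ave.exe wrapping the real command as:
#   "<path>\av.exe" /START <original command>
HIJACK = re.compile(r'^"?[^"]*\\(?:av|ave)\.exe"?\s+/START\s+(.*)$', re.I)
COMMAND_KEY = re.compile(r"\\shell\\(?:open|safemode)\\command$", re.I)
SECURITY_CENTER = re.compile(r"\\Microsoft\\Security Center$", re.I)
OVERRIDES = {"antivirusoverride", "firewalloverride"}

# Constructed sample; "user" is a made-up profile name.
AV = r'\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\"'
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="{AV} /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="{AV} /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="{AV} /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''


def parse_reg(text):
    """Yield (key, value_name, raw_value) for every value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (line.startswith("@=") or line.startswith('"')):
            name, _, raw = line.partition("=")
            yield key, ("(Default)" if name == "@" else name.strip('"')), raw


def reg_unescape(raw):
    """Real string behind a quoted REG_SZ literal; None for dword/hex values."""
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def reg_escape(value):
    return value.replace("\\", "\\\\").replace('"', '\\"')


def find_indicators(reg_text):
    """Return the hijacked launch commands and Security Center overrides found."""
    found = []
    for key, name, raw in parse_reg(reg_text):
        if COMMAND_KEY.search(key) and name == "(Default)":
            m = HIJACK.match(reg_unescape(raw) or "")
            if m:  # group(1) is the command the rogue was wrapping
                found.append({"kind": "launch-hijack", "key": key,
                              "name": name, "original": m.group(1)})
        elif SECURITY_CENTER.search(key) and name.lower() in OVERRIDES:
            if raw.lower() == "dword:00000001":
                found.append({"kind": "securitycenter-override", "key": key,
                              "name": name, "original": None})
    return found


def remediation_reg(findings):
    """A .reg fragment that undoes the findings. Review it before importing."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        key = f["key"]
        if f["kind"] == "securitycenter-override":
            out += [f"[{key}]", f'"{f["name"]}"=-', ""]  # "=-" deletes the value
            continue
        parent = key[: COMMAND_KEY.search(key).start()]
        leaf = parent.rsplit("\\", 1)[-1].lower()
        if leaf == ".exe":
            # Stock Windows keeps no shell\ subkey under .exe; .exe maps to exefile.
            out += [f"[-{parent}\\shell]", "", f"[{parent}]", '@="exefile"', ""]
        elif leaf == "secfile":
            out += [f"[-{parent}]", ""]  # class invented by the malware, drop it
        else:
            # Browser launchers: whatever followed /START is the real command.
            out += [f"[{key}]", f'@="{reg_escape(f["original"])}"', ""]
    out += ["[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]", '@="\\"%1\\" %*"']
    return "\n".join(out)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    hits = find_indicators(text)
    for h in hits:
        print(f'{h["kind"]}: {h["key"]} [{h["name"]}]')
    print(remediation_reg(hits))
```

The deletion lines for the `.exe` and `secfile` classes matter more than rewriting their command: a clean machine has no `shell\open\command` under `.exe` at all (the command lives under `exefile`), so leaving a per-user `.exe` class behind, even with a sane value, keeps a hook the next dropper can reuse. Regedit writes exports as UTF-16, which is why the script opens the file that way.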


I ran into it as Security Master AV
MD5: 6b6697cef2f40c1c7f32e9ada183a794
www.rkill.com is another rogue malware :)… and very few scanners detect it (only 3 on VirusTotal)
@Vest: The site you point to, rkill.com, is a particularly useful one.
The rkill.com presented in step 1 is the same utility I recommend for removing infections.
Step 2 contains StopZilla, a legitimate anti-spyware program.
@Vest
Avira doesn't count…
The software is very useful!
Another rogue program that is going to infect people.
Phenomenal! The first antivirus that scans with 40 engines! When is there a promotion?