On how you "pick up" a rogue from the net. The "procedure" goes roughly like this:


Windows Security Alert! Application NOTEPAD.EXE has crashed because of Conficker.Worm.Virus
Infected file: notepad.exe
Potential Risks: Viruses is spreading over your PC and the system status is unsafe. Your service provider may lock you out of internet access, because your PC is potentially harmful.
Viruses’ actions:
Steal your personal data and send it to the remote host. Spread between your friends quickly (via internet or storage drives). Send spam and malicious codes from your computer.
AVDefender 2011 will display fake security alerts:
System warning: Unknown virus is harming your system at this moment. Click here to stop and remove the virus.
Critical security error! Malicious software has infected your PC and trying to send private information to remote host 231.21.212.1.
Warning! System health status is critical! Your computer is infected with viruses. Stability and reliability of your system is damaged. It is strongly recommended to remove threats immediately.
When you start Internet Explorer, it will announce that Google has found a vulnerability in Windows:
Google Security Warning! We have discovered a vulnerability related to Microsoft software that could allow a virus or other malicious program to harm your system or personal files or to steal personal information stored on your computer.
All of these alerts are fake! AVDefender 2011 uses them to make you believe your computer is infected!
It creates and modifies the following files:
- C:\Documents and Settings\%USER%\Application Data\AVDefender2011\AVDefender2011.ini
- C:\Documents and Settings\%USER%\Application Data\AVDefender2011\history.dat
- C:\Documents and Settings\%USER%\Application Data\AVDefender2011\result.dat
- C:\Documents and Settings\%USER%\Application Data\AVDefender2011\vlc.dat
- C:\Documents and Settings\%USER%\Application Data\unevvpfar\sk.lst
- C:\Documents and Settings\%USER%\Application Data\unevvpfar\zdzjpoud.exe
- C:\Documents and Settings\%USER%\Start Menu\AVDefender2011\AVDefender2011.lnk
Changes to the Windows Registry:
HKEY_CURRENT_USER\Software\AVDefender 2011
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%AppData%\\.exe”
The corresponding HijackThis log entry is the following:
F2 – REG:system.ini: Shell=C:\Documents and Settings\%User%\Application Data\\.exe
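The Winlogon Shell change above is what starts the rogue at every logon, and the HijackThis F2 line is where it becomes visible. As an added example (not part of the original post), this Python script scans HijackThis log text for F2 Shell entries that differ from the default; the sample log, the `example.exe` name and the list of user-writable directories are constructed assumptions.

```python
import re

# Matches HijackThis F2 lines for the Winlogon Shell value; accepts "-" or the
# typographic dash that blog software substitutes for it.
F2_SHELL = re.compile(r"^F2\s*[-\u2013]\s*REG:system\.ini:\s*Shell=(.*)$", re.IGNORECASE)

# Assumption: on a clean system the Shell value is exactly Explorer.exe.
EXPECTED_SHELL = "explorer.exe"
# Assumed user-writable locations; the page shows the rogue under Application Data.
USER_DIRS = ("%appdata%", "\\application data\\", "\\appdata\\", "\\temp\\")


def assess_shell(value):
    """Return a list of reasons the Shell value looks hijacked (empty if clean)."""
    v = value.strip().strip('"').lower()
    reasons = []
    if v == EXPECTED_SHELL:
        return reasons
    if v.startswith(EXPECTED_SHELL):
        reasons.append("extra command appended after explorer.exe")
    else:
        reasons.append("shell replaced: explorer.exe is not the first command")
    if any(d in v for d in USER_DIRS):
        reasons.append("shell runs from a user-writable profile directory")
    return reasons


def scan_log(log_text):
    """Return (line_number, shell_value, reasons) for suspicious F2 Shell entries."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = F2_SHELL.match(line.strip())
        if m:
            reasons = assess_shell(m.group(1))
            if reasons:
                findings.append((n, m.group(1).strip(), reasons))
    return findings


# Constructed sample log; "example.exe" is a placeholder, not a name from the page.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SampleTray] C:\\Program Files\\Sample\\tray.exe
F2 - REG:system.ini: Shell=Explorer.exe
F2 \u2013 REG:system.ini: Shell=C:\\Documents and Settings\\user\\Application Data\\example.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Temp\\example.exe
"""

if __name__ == "__main__":
    for n, value, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: Shell={value} -> {'; '.join(reasons)}")
```

Any flagged entry should be compared against the Winlogon "Shell" value in the registry before cleanup, since that value decides what runs at logon.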
DISINFECTION:
1. Download Malwarebytes Anti-Malware.
Rename the file mbam-setup.exe to iexplore.exe and run it. At the end of the installation, uncheck Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware.
2. Navigate to the folder C:\program files\Malwarebytes’ Anti-Malware\ and rename mbam.exe to iexplore.exe.
Now run the executable you just renamed, do a full scan of the PC and, when it finishes, delete the infections found by clicking Remove selected.
If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself against such threats in the future, given that they were not detected\removed by your current antivirus.




Is Malwarebytes Pro better than any antivirus?
@Marius: Malwarebytes Pro is better than any antivirus when it comes to protection against spyware\adware\fake antiviruses and even trojans.
So I take it that if I use Avast Free Edition together with Malwarebytes Pro, that's enough, right? Thanks a lot in advance for the answer, Radu…
It's a good combination if it doesn't slow down your system.