Removing Microsoft Security Essentials Alert

A new trojan-type threat, combined with a rogue antivirus, is currently spreading. It is called Microsoft Security Essentials Alert and, once it gets onto the system, it warns about the presence of viruses (Unknown Win32/Trojan).
It then offers the option of an online scan, redirecting to a site with 35 antivirus programs, 5 of which are fake:

  • Red Cross Antivirus;
  • Peak Protection 2010;
  • Pest Detector 4.1;
  • Major Defense Kit;
  • AntiSpySafeguard / AntiSpy Safeguard.


During the scan, of course, only the rogue antiviruses detect the supposed virus, and the user is practically forced to install an infected program.

After one of them is installed, various messages are displayed and security programs are stopped:

The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.
This happened because the application was infected by a malicious program which might pose a threat for the OS.
It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.

The program creates the following files and folders:

  • %UserProfile%\Application Data\PAV\
  • %UserProfile%\Application Data\antispy.exe
  • %UserProfile%\Application Data\defender.exe
  • %UserProfile%\Application Data\tmp.exe
  • %UserProfile%\Local Settings\Temp\kjkkklklj.bat



The following registry keys are associated with it:

HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnPostRedirect” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “tmp”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “SelfdelNT”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%UserProfile%\Application Data\antispy.exe”

The following entries appear in the HijackThis log:

O4 – HKCU\..\Run: [tmp] %UserProfile%\Application Data\defender.exe
O4 – HKCU\..\RunOnce: [SelfdelNT] cmd /C del “%UserProfile%\Desktop\exe.exe”
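
An added example (not from the original article): a small Python scanner that checks HijackThis O4 lines against the value names and file names listed on this page. The function names and the benign `SoundMan` sample line are constructed for illustration.

```python
import re

# Indicators taken from the file list and HijackThis entries on this page.
ROGUE_VALUE_NAMES = {"tmp", "selfdelnt"}
ROGUE_FILES = {"antispy.exe", "defender.exe", "tmp.exe"}

# O4 line: "O4 - HKCU\..\Run: [name] command"; the dash may be "-" or a
# typographic en dash when the log was pasted through a web page.
O4_RE = re.compile(
    r"^O4\s*[-\u2013]\s*(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# An executable sitting directly in the root of "Application Data".
APPDATA_ROOT_EXE = re.compile(r"\\Application Data\\([^\\]+\.exe)", re.I)


def check_o4_line(line):
    """Return a list of reasons this O4 line matches the page's indicators."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    if m["name"].lower() in ROGUE_VALUE_NAMES:
        reasons.append(f"value name '{m['name']}' under {m['hive']} {m['key']}")
    exe = APPDATA_ROOT_EXE.search(m["cmd"])
    if exe and exe.group(1).lower() in ROGUE_FILES:
        reasons.append(f"launches {exe.group(1)} from Application Data")
    if re.search(r"\bcmd\s+/C\s+del\b", m["cmd"], re.I):
        reasons.append("delete command (cmd /C del)")
    return reasons


def scan_log(text):
    """Map each flagged log line to the reasons it was flagged."""
    results = ((ln.strip(), check_o4_line(ln)) for ln in text.splitlines())
    return {ln: reasons for ln, reasons in results if reasons}


# Constructed sample log: two lines from the page plus one benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 – HKCU\..\Run: [tmp] %UserProfile%\Application Data\defender.exe
O4 – HKCU\..\RunOnce: [SelfdelNT] cmd /C del “%UserProfile%\Desktop\exe.exe”
"""

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

An executable with the same name inside a vendor subfolder of Application Data is deliberately not flagged, since the page lists the files in the folder root.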

REMOVAL:

1. Download and run rkill.com. This is necessary to stop the active process used by the virus. You will probably get a warning that rkill.com is infected. Ignore it; it is just a false alarm generated by My Security Shield.
Run rkill.com again until the virus is no longer active. Alternatively, you can try eXplorer.exe or iExplore.exe


2. Download Malwarebytes Anti-Malware. Run a full scan of the PC and, when it finishes, delete the infections found by clicking Remove selected.

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself against such threats in the future, given that they were not detected/removed by your current antivirus.

Administrator FaraVirusi.com
volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert

4 responses to “Removing Microsoft Security Essentials Alert”

  1. Dmny

    Very good article. Still, I don't know who falls for rogue antiviruses…

  2. The “More 10 000 Adult Movies (+18 only)” virus – Fake VLC Web plugin codec

    […] below is the article in which I described the rogue antivirus and the method for a complete removal: http://www.faravirusi.com/2010/08/31/devirusare-microsoft-security-essentials-alert/ […]

  3. Removing ThinkPoint – A very sophisticated rogue

    […] here, you will surely want to subscribe to the RSS feed to receive news from this page. Microsoft Security Alert has evolved and now distributes a cutting-edge rogue antivirus that uses a new technique. It is […]

  4. Facebook password has been changed – Fake e-mail spreading a new Bredolab variant

    […] document was opened, unaware that a fake antivirus named “Microsoft Security Essentials Alert” had also been downloaded in the background. Of course, it is not the real Microsoft product, just a copy. […]
