Get Rid of Windows Repairing System – Removal Guide

Rogue PC optimization programs are starting to be promoted through received emails that contain an infected link. Windows Repairing System is one such program. The emails contain the link:

http://hanmitravel.com/osc//images/site.html

Interestingly, this rogue only runs in Google Chrome and Firefox, but not in Internet Explorer !!!

Once the link is opened, a fake "My Computer" window is displayed with a scan in progress.
Then a prompt appears to install a program that fixes system errors (freesystemscan.exe). The program displays numerous fake alerts and performs scans of the PC, erroneously detecting hundreds of infections.

All of this is meant to mislead the user into purchasing the program. The detected files are either nonexistent or clean, and the alerts should not be taken into account.

To get rid of this unwanted guest, read the details below:

Windows Tweaking Utility

The program only starts after Windows is restarted and displays a fake Microsoft Security Essentials Alert window.

Any attempt to run a legitimate program results in a fake error being displayed, as follows:

Threat prevention solution found
Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
Risk of system files infection:
The detected vulnerability may result in unauthorized access to private information and hard drive data with a serious possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press ‘OK’ to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.

It also displays the following messages:

System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.

Warning!
Location: c:\windows\system32\taskmgr.exe
Viruses: Win32.Sality

The program creates the following files\folders:

  • %UserProfile%\Application Data\Microsoft\<random>.exe

The following registry keys are associated with it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ‘0’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ‘0’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR ” = ‘1’

REMOVAL:

1. Download Malwarebytes Anti-Malware. Rename the installer to svchost.exe and then install it. Do not run it at the end of the installation !!!

2. Navigate to the folder C:\Program Files\Malwarebytes’ Anti-Malware and rename mbam.exe to explorer.exe.

3. Run the newly renamed file (explorer.exe), scan the PC completely and, at the end, delete the infections found by pressing Remove selected.
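As an added example (not part of the original guide), the following PowerShell script audits the persistence listed above and supports the cleanup steps: it reports every Image File Execution Options subkey carrying a Debugger value (Windows launches that "debugger" instead of the program, so Debugger = svchost.exe silently prevents the listed security tools from starting), then checks the two WarnOnHTTPSToHTTPRedirect values and DisableSR. The -Remediate switch is this example's own name; with it, the hijacked Debugger values are removed and the two settings are restored to their defaults. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original guide: audit (and optionally undo) the
# registry persistence listed in the post. Run from an elevated PowerShell.
param([switch]$Remediate)   # switch name is an assumption of this example

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Process names the post lists as hijacked; any other Debugger value is reported too.
$known = 'afwserv.exe','avastsvc.exe','avastui.exe','egui.exe',
         'ekrn.exe','msascui.exe','msmpeng.exe','msseces.exe'

# 1. IFEO Debugger values: Windows starts the named "debugger" instead of the
#    program, so Debugger = svchost.exe silently prevents the AV from launching.
$findings = foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    [pscustomobject]@{
        Process  = $sub.PSChildName
        Debugger = $dbg
        Hijacked = ($known -contains $sub.PSChildName.ToLower()) -or ($dbg -match 'svchost\.exe')
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No IFEO Debugger values present.' }

# 2. The two settings the rogue flips: IE's HTTPS-to-HTTP redirect warning off,
#    System Restore off (DisableSR = 1). Defaults are restored on -Remediate.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnOnHTTPSToHTTPRedirect'; Bad = 0; Good = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnOnHTTPSToHTTPRedirect'; Bad = 0; Good = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name = 'DisableSR'; Bad = 1; Good = 0 }
)
foreach ($s in $settings) {
    $val = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($val -eq $s.Bad) {
        Write-Warning "$($s.Path)\$($s.Name) = $val (tampered)"
        if ($Remediate) { Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Good -Type DWord }
    }
}

# 3. Cleanup: drop only the Debugger values judged hijacked, leaving any
#    legitimate developer-set debugger entries untouched.
if ($Remediate) {
    foreach ($f in $findings | Where-Object Hijacked) {
        Remove-ItemProperty -Path (Join-Path $ifeo $f.Process) -Name Debugger
        Write-Host "Removed Debugger value for $($f.Process)"
    }
}
```

Run it once without -Remediate first and review the table; a Debugger value that is not svchost.exe and not one of the listed names may be a legitimate entry set by a development tool.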

If you managed to clean this infection, I recommend that you buy the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected\removed by your current antivirus.

Administrator FaraVirusi.com
volunteer of the Comodo Malware Research Team, Malwarebytes Anti-Malware expert

18 responses to “Get Rid of Windows Repairing System – Removal Guide”

  1. fLoriN_CoCo

Hi.. Radu, I also have a problem with my PC, more exactly with the (blue screen of death).. I tried to get rid of it but in vain.. and I asked someone else and they recommended I talk to you, since maybe you have an idea how to get rid of this error.. I downloaded a program to see what the error is about and it says the following:::

    A problem has been detected and Windows has been shut down to prevent damage
    to your computer.

    The problem seems to be caused by the following file: cdd.dll

    KERNEL_MODE_EXCEPTION_NOT_HANDLED

    If this is the first time you’ve seen this stop error screen,
    restart your computer. If this screen appears again, follow
    these steps:

    Check to make sure any new hardware or software is properly installed.
    If this is a new installation, ask your hardware or software manufacturer
    for any Windows updates you might need.

    If problems continue, disable or remove any newly installed hardware
    or software. Disable BIOS memory options such as caching or shadowing.
    If you need to use safe mode to remove or disable components, restart
    your computer, press F8 to select Advanced Startup Options, and then
    select Safe Mode.

    Technical Information:

    *** STOP: 0x1000008e (0xc0000005, 0x82cf42ca, 0xa3768a4c, 0x00000000)

    *** cdd.dll – Address 0x980072c9 base at 0x98000000 DateStamp 0x4a5bd992

    ==================================================
    Dump File : 052211-11593-01.dmp
    Crash Time : 22-May-11 10:08:02 AM
    Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
    Bug Check Code : 0x1000008e
    Parameter 1 : 0xc0000005
    Parameter 2 : 0x82cf42ca
    Parameter 3 : 0xa3768a4c
    Parameter 4 : 0x00000000
    Caused By Driver : cdd.dll
    Caused By Address : cdd.dll+72c9
    File Description : Canonical Display Driver
    Product Name : Microsoft® Windows® Operating System
    Company : Microsoft Corporation
    File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
    Processor : 32-bit
    Computer Name :
    Full Path : C:\Windows\Minidump52211-11593-01.dmp
    Processors Count : 2
    Major Version : 15
    Minor Version : 7600
    Dump File Size : 159,624

  2. floryn_coco2008

Hi.. Radu, I also have a problem with the (blue screen of death) error, which has been giving many people headaches for a while now and is playing with our nerves… I tried to get rid of it by various methods but nothing. I asked many people, I changed the operating system and still nothing.. I thought I'd ask you too, maybe you have an idea how to get rid of this annoying thing.. thanks ;)

  3. floryn_cooc2008

    A problem has been detected and Windows has been shut down to prevent damage
    to your computer.

    The problem seems to be caused by the following file: cdd.dll

    KERNEL_MODE_EXCEPTION_NOT_HANDLED

    If this is the first time you’ve seen this stop error screen,
    restart your computer. If this screen appears again, follow
    these steps:

    Check to make sure any new hardware or software is properly installed.
    If this is a new installation, ask your hardware or software manufacturer
    for any Windows updates you might need.

    If problems continue, disable or remove any newly installed hardware
    or software. Disable BIOS memory options such as caching or shadowing.
    If you need to use safe mode to remove or disable components, restart
    your computer, press F8 to select Advanced Startup Options, and then
    select Safe Mode.

    Technical Information:

    *** STOP: 0x1000008e (0xc0000005, 0x82cf42ca, 0xa3768a4c, 0x00000000)

    *** cdd.dll – Address 0x980072c9 base at 0x98000000 DateStamp 0x4a5bd992

  4. floryn_cooc2008

    ==================================================
    Dump File : 052211-11593-01.dmp
    Crash Time : 22-May-11 10:08:02 AM
    Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
    Bug Check Code : 0x1000008e
    Parameter 1 : 0xc0000005
    Parameter 2 : 0x82cf42ca
    Parameter 3 : 0xa3768a4c
    Parameter 4 : 0x00000000
    Caused By Driver : cdd.dll
    Caused By Address : cdd.dll+72c9
    File Description : Canonical Display Driver
    Product Name : Microsoft® Windows® Operating System
    Company : Microsoft Corporation
    File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
    Processor : 32-bit
    Computer Name :
    Full Path : C:\Windows\Minidump52211-11593-01.dmp
    Processors Count : 2
    Major Version : 15
    Minor Version : 7600
    Dump File Size : 159,624
    ==================================================

  5. floryn_cooc2008

I got BlueScreenView and looked to see what it was about, and I tried to delete that (cdd.dll) both from safe mode and with Malwarebytes’ Anti-Malware with FileAssassin, and still nothing..

  6. floryn_cooc2008

If you want to see it with your own eyes, connect to my PC and I'll tell you more; my ID is above in the name.. I'd be grateful if you helped me with this, because it's driving me crazy, I feel like throwing it off the balcony…

    1. Gigi

You can throw it. You don't deserve it.

  7. floryn_coco2008

Yes Gigi, I'll take your advice into account… I'll let you know when it happens and I'll throw it towards you, just be careful to catch it.. ;)

    1. Gigi

I have a dilemma: if you write Romanian this badly, then how can you understand English? High five!

  8. floryn_coco2008

Radu, I went where you told me on the computer but I didn't find any driver like you said… and for all the games I have I did that disable thing.. and then when I tried to install nero10 full, it installed three quarters of the way and then blue screen..

  9. floryn_coco2008

Radu, delete some of the comments, since quite a lot got posted and I think without any point..

    1. happyday

ufff… why didn't you say so… now I get it…

Your language is an excellent weave of ancient hieroglyphs and post-modernist language, as displayed in the manele of our days. That explains the perfect blend of the genome from the trilobite past with coconut-tree DNA, which turns you into a true specimen worthy of study by any aspiring academic, master's student or even a simple fine-arts student.

Do you think I can still post some comments? Not for any other reason, but it would be a pity for such a subject to be lost. 🙂

Good luck! 🙂

  10. aLcOL!c_An0n!M

I don't know what your problem is, but I see you're acting smart now about the Romanian language and I don't know what else.. I think your business should be minding the toys you own and not posting all sorts of stupid comments.. or are you doing it just to get attention..? Anyway, the comments of electronic hicks like you don't interest anyone…. and I think you're not worth even a stale loaf of bread if you've started showing off in front of a miserable PC… but I understand you, it's a crisis, you have no work and you waste your time sitting in front of the computer playing great philosophers, when in fact you don't even have 12 grades between you.. I'll leave you now, since I've paid you more attention than is normal and that's not good… :)

  11. Danna

=)) some people are left with a tic from the hard times when SMS was expensive and you had to save on characters :)) too funny!!

  12. dozer

0xc0000005 file error - corrupt dll or missing dlls (directx - fix) ps: solved by me, note: all games + programs work; if you have the operating system CD, look for the dll files or, for example, unpack d3d8.dl_ into system32 and there, you've solved the problem, but not before restarting the pc
