Get Rid of Windows Risks Preventions – Removal Guide

Rogue PC-optimization programs are starting to be promoted through emails that contain an infected link. Windows Risks Preventions is one such program.

The virus starts only after a restart, when it displays a window titled Microsoft Security Essentials Alert that claims to have detected a virus on the computer. You are then offered the fake program in question for installation. It will display numerous fake alerts and run scans of the PC, falsely detecting hundreds of infections.

All of this is meant to mislead the user into purchasing the program. The detected files are either nonexistent or clean, and the alerts should be disregarded.

To get rid of this unwelcome guest, read the details below:

Windows Tweaking Utility

The program starts only after Windows is restarted and displays a fake Microsoft Security Essentials Alert window.

Any attempt to run a legitimate program results in a fake error being displayed, as follows:

Threat prevention solution found
Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
Risk of system files infection:
The detected vulnerability may result in unauthorized access to private information and hard drive data with a serious possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press ‘OK’ to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.

It also displays the following messages:

System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.

Warning!
Location: c:\windows\system32\taskmgr.exe
Viruses: Win32.Sality

The program creates the following files/folders:

  • %UserProfile%\Application Data\Microsoft\<random>.exe

The following registry keys are associated with it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ‘0’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ‘0’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR ” = ‘1’
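
A read-only check for the changes listed above, as an added example that is not part of the original guide. An Image File Execution Options "Debugger" value makes Windows start the named debugger in place of the listed executable, so the script reports every such value, then the Internet Settings and SystemRestore values, then any .exe sitting directly in the drop folder. It assumes PowerShell 3.0 or later and that %UserProfile%\Application Data corresponds to $env:APPDATA; variable names are illustrative.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Executable names taken from the registry list on this page.
$listed = 'afwserv.exe','avastsvc.exe','avastui.exe','egui.exe',
          'ekrn.exe','msascui.exe','msmpeng.exe','msseces.exe'
$findings = @()

# 1. Every IFEO subkey that carries a Debugger value.
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{
            Check = 'IFEO Debugger'; Item = $key.PSChildName
            Value = $dbg; OnPageList = ($listed -contains $key.PSChildName)
        }
    }
}

# 2. Values the page lists, with the data it reports for each.
$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$sr   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$values = @(
    @{ Path = "HKCU:\$inet"; Name = 'WarnOnHTTPSToHTTPRedirect'; Bad = 0 },
    @{ Path = "HKLM:\$inet"; Name = 'WarnOnHTTPSToHTTPRedirect'; Bad = 0 },
    @{ Path = $sr; Name = 'DisableSR';  Bad = 1 },
    @{ Path = $sr; Name = 'DisableSR '; Bad = 1 }  # name as printed on the page (trailing space)
)
foreach ($v in $values) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($v.Name) -eq $v.Bad) {
        $findings += [pscustomobject]@{
            Check = 'Registry value'; Item = "$($v.Path)\$($v.Name)"
            Value = $item.($v.Name); OnPageList = $true
        }
    }
}

# 3. Executables directly in the drop folder; candidates to review, not verdicts.
$dropDir = Join-Path $env:APPDATA 'Microsoft'
foreach ($f in Get-ChildItem -Path $dropDir -Filter *.exe -File -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{
        Check = 'File in drop folder'; Item = $f.FullName
        Value = $f.LastWriteTime; OnPageList = $false
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty table means none of the listed changes were found; a Debugger entry with OnPageList = False is not necessarily malicious and should be reviewed on its own merits.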

REMOVAL:

1. Download Malwarebytes Anti-Malware. Rename the installer to svchost.exe and then install it. Do not run it when the installation finishes!!!

2. Navigate to the folder C:\Program Files\Malwarebytes’ Anti-Malware and rename mbam.exe to explorer.exe.

3. Run the newly renamed file (explorer.exe), scan the whole PC and, at the end, delete the infections found by pressing Remove selected.

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected/removed by your current antivirus.

Administrator FaraVirusi.com
volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert

5 responses to “Get Rid of Windows Risks Preventions – Removal Guide”

  1. Paul 46

    thanks a lot for the info, faravirusi.com... about 5 days ago I had a major infection like this... I couldn't get rid of it because it was blocking the executables of avg, avira, avast, kav, nis... but I was lucky that I had installed Malwarebytes’ Anti-Malware under normal conditions (without renaming mbam or the .exe)... in the free version you can't run a flash scan (the option is only for licensed users), but I somehow managed to get hold of a valid serial for malwarebytes (although this fake program kept closing my explorer or whatever other browser I was using) and I ran a flash scan... and that scan (it took too little time for it to stop malwarebytes) found about 13-15 infections... and I clicked remove selected... and after I restarted I scanned again, but this time a full scan, and it found 0...

    1. Gigi

      Stop pirating Malwarebytes. You could have renamed mbam.exe to explorer.exe and scanned the whole system.

  2. Fake antivirus spread via e-mail

    […] called Microsoft Security Essentials Alert will do everything possible to install the fake antivirus Windows Risks Preventions that Radu wrote about yesterday. Although the infected page opens a lot of small windows with alerts […]

  3. Paul 46

    that's what I'll do from now on... thanks to you... thanks for the tip, Gigi, and thank you to the people at faravirusi.com! :)

  4. Dan82

    Thanks for the tutorial. It was a great help to me and I think it will be to others as well.
