[Solution] Windows Stable Work – Removal Guide

Rogue PC optimization programs are starting to be promoted through emails that contain an infected link. Windows Stable Work is one such program.

The virus does not start until after a restart, when it displays a window titled Microsoft Security Essentials Alert that claims to have detected a virus on the computer. You are then offered the fake program in question for installation. It will display numerous false alerts and run scans of the PC, wrongly detecting hundreds of infections.
It is promoted through links sent by email, such as: http://chobanov-violin.com/index080a.html

All of this is meant to mislead the user into purchasing the program. The detected files are either nonexistent or clean, and the alerts should be disregarded.

To get rid of this unwelcome guest, read the details below:

Windows Stable Work

The program displays the following messages:

System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.

Warning!
Location: c:\windows\system32\taskmgr.exe
Viruses: Win32.Sality

The program creates the following files/folders:

  • %UserProfile%\Application Data\Microsoft\<random>.exe

The following registry keys are associated with it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ‘0’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ‘0’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR” = ‘1’
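
The registry values listed above can be checked with a read-only audit. The script below is an added example, not part of the original guide; it only reads the registry, and the helper name Get-RegValue is hypothetical.

```powershell
# Read-only audit of the registry values listed in this guide (added example).
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$images = 'afwserv.exe', 'avastsvc.exe', 'avastui.exe', 'egui.exe',
          'ekrn.exe', 'msascui.exe', 'msmpeng.exe', 'msseces.exe'

# Hypothetical helper: returns the value data, or nothing if the key or value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# A "Debugger" value under a security product's IFEO key redirects every launch
# of that executable, so any data found here is reported, not only svchost.exe.
foreach ($image in $images) {
    $key  = "$ifeo\$image"
    $data = Get-RegValue $key 'Debugger'
    if ($null -ne $data) {
        $findings += [pscustomobject]@{ Key = $key; Value = 'Debugger'; Data = $data }
    }
}

# Settings the guide lists together with the data the rogue program writes.
$settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'WarnOnHTTPSToHTTPRedirect'; Listed = '0' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'WarnOnHTTPSToHTTPRedirect'; Listed = '0' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
       Name = 'DisableSR'; Listed = '1' }
)
foreach ($s in $settings) {
    $data = Get-RegValue $s.Path $s.Name
    # Compare as strings so DWORD and string data are handled the same way.
    if ($null -ne $data -and "$data" -eq $s.Listed) {
        $findings += [pscustomobject]@{ Key = $s.Path; Value = $s.Name; Data = $data }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed registry values are present.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt before and after the scan to confirm the entries are gone.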

REMOVAL:

1. Download Malwarebytes Anti-Malware. Rename the installer to svchost.exe and then install it. Do not run it at the end of the installation!

2. Navigate to the folder C:\Program Files\Malwarebytes’ Anti-Malware and rename mbam.exe to explorer.exe.

3. Run the renamed file (explorer.exe), scan the PC completely, and at the end delete the infections found by pressing Remove selected.

If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected/removed by your current antivirus.

Administrator FaraVirusi.com
Comodo Malware Research Team volunteer, Malwarebytes Anti-Malware expert
