Get rid of Home Malware Cleaner – Removal guide

Home Malware Cleaner is a fake antivirus program of the rogue type. It is promoted through Trojans that claim to be video codecs or Flash updates supposedly required to watch online content. It also shows up in Google search results through SEO poisoning. It appears under the name scandsk211i_8020.exe.
The program displays numerous false alerts and runs scans of the PC that erroneously detect hundreds of infections. Its graphical interface resembles that of Microsoft Security Essentials.

All of this is meant to mislead the user into purchasing the program. The detected files are either nonexistent or clean, and the alerts should be ignored.

To get rid of this unwanted guest, read the details below:

Home Malware Cleaner

The program creates the following files and folders:

  • %AppData%\Home Malware Cleaner\
  • %AppData%\Home Malware Cleaner\cookies.sqlite
  • %AppData%\Home Malware Cleaner\Instructions.ini
  • %AppData%\Home Malware Cleaner\ScanDisk_.exe
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Home Malware Cleaner.lnk
  • %CommonAppData%\79b35\
  • %CommonAppData%\79b35\HMa76.exe
  • %CommonAppData%\79b35\HMC.ico
  • %CommonAppData%\79b35\6543.mof
  • %CommonAppData%\79b35\mozcrt19.dll
  • %CommonAppData%\79b35\sqlite3.dll
  • %CommonAppData%\79b35\BackUp\
  • %CommonAppData%\79b35\HMCSys\
  • %CommonAppData%\79b35\Quarantine Items\
  • %CommonAppData%\HMJFZWC\
  • %CommonAppData%\HMJFZWC\HMXBXWJCMC.cfg
  • %StartMenu%\Home Malware Cleaner.lnk
  • %StartMenu%\Programs\Home Malware Cleaner.lnk
  • %UserProfile%\Desktop\Home Malware Cleaner.lnk
  • %UserProfile%\Recent\ANTIGEN.drv
  • %UserProfile%\Recent\CLSV.exe
  • %UserProfile%\Recent\DBOLE.tmp
  • %UserProfile%\Recent\eb.tmp
  • %UserProfile%\Recent\energy.tmp
  • %UserProfile%\Recent\exec.drv
  • %UserProfile%\Recent\fix.drv
  • %UserProfile%\Recent\grid.exe
  • %UserProfile%\Recent\PE.drv
  • %UserProfile%\Recent\PE.exe
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\SICKBOY.tmp
  • %UserProfile%\Recent\tempdoc.drv
  • %UserProfile%\Recent\tempdoc.sys
  • %UserProfile%\Recent\tjd.drv

The following registry keys are associated with it:

  • HKEY_CURRENT_USER\Software\3
  • HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CLASSES_ROOT\dumped_patched.DocHostUIHandler
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8010&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=8010&q={searchTerms}"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "IIL" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "ltHI" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "ltTST"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "UID" = 8010
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "runtime 13.08010"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "0" = "msseces.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1" = "MSASCui.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "2" = "ekrn.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "3" = "egui.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "4" = "avgnt.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "5" = "avcenter.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "6" = "avscan.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "7" = "avgfrw.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "8" = "avgui.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "9" = "avgtray.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "10" = "avgscanx.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "11" = "avgcfgex.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "12" = "avgemc.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "13" = "avgchsvx.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "14" = "avgcmgr.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "15" = "avgwdsvc.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Home Malware Cleaner"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCnsnt.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe


REMOVAL:

1. Start the PC in Safe Mode with Networking. To do so, restart the PC and press the F8 key repeatedly before Windows loads, until you get the screen below.
After selecting the mode mentioned, press Enter and wait for Windows to load completely.

[image: Safe Mode boot menu]

2. The virus will try to modify the Internet Explorer settings using a proxy that blocks the websites of antivirus vendors. These new settings must therefore be reset.
Open Internet Explorer and go to Tools > Internet Options.

[image: IE Internet Options]

3. Go to the Connections tab and click the LAN settings button.

[image: IE Connections tab]

4. Uncheck the option Use a proxy server for your LAN in the Proxy server section. Click OK.

[image: IE LAN settings]

5. Download and install Malwarebytes Anti-Malware. Do not change any settings during the installation, and at the end do not restart the PC if you are asked to. Run a quick scan and delete the infections found.
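As an added example that is not part of the original guide, the following PowerShell script audits a machine for the registry indicators listed above (autorun entry, the DisallowRun policy that blocks security products, the Image File Execution Options keys, the weakened IE download checks and the local PRS proxy) and for the WinINet proxy setting that steps 2 to 4 reset by hand. It only reads the registry and reports. It assumes an elevated prompt; the IFEO Debugger value (the standard hijack mechanism) and the ProxyEnable/ProxyServer values (the registry counterpart of the checkbox in step 4) are assumptions, since the page lists only the key names.

```powershell
# Added audit script, not from the original guide. Read-only: it reports, it does not change anything.
$Findings = @()

# 1. Autorun entry named on this page under HKCU\...\Run
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Home Malware Cleaner')) {
    $Findings += "Run key: Home Malware Cleaner = $($run.'Home Malware Cleaner')"
}

# 2. Explorer DisallowRun policy used to block AV processes (msseces.exe, avgui.exe, ...)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ((Get-ItemProperty $pol -ErrorAction SilentlyContinue).DisallowRun -eq 1) {
    $blocked = Get-ItemProperty "$pol\DisallowRun" -ErrorAction SilentlyContinue
    # Entries are named "0", "1", ... with the blocked executable as the value
    $names = $blocked.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    $Findings += "DisallowRun policy active, blocking: $($names -join ', ')"
}

# 3. Image File Execution Options keys for the executables listed on this page.
#    Reading the Debugger value is an assumption: the page lists only the key names.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in '_avp32.exe','ashCnsnt.exe','cfd.exe','fnrb32.exe','ldpromenu.exe','ndd32.exe','pgmonitr.exe') {
    if (Test-Path "$ifeo\$exe") {
        $dbg = (Get-ItemProperty "$ifeo\$exe" -ErrorAction SilentlyContinue).Debugger
        $Findings += "IFEO key present: $exe (Debugger = '$dbg')"
    }
}

# 4. IE download checks weakened (unsigned executables allowed) and PRS pointing at a local proxy
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
if ($ie.PRS -match '127\.0\.0\.1:27777') { $Findings += "IE PRS points at local proxy: $($ie.PRS)" }
$dl = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Download' -ErrorAction SilentlyContinue
if ($dl.CheckExeSignatures -eq 'no' -or $dl.RunInvalidSignatures -eq 1) {
    $Findings += "IE signature checks disabled: CheckExeSignatures=$($dl.CheckExeSignatures) RunInvalidSignatures=$($dl.RunInvalidSignatures)"
}

# 5. The WinINet proxy that steps 2-4 turn off; ProxyEnable/ProxyServer are the values behind that checkbox (assumption)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1) { $Findings += "WinINet proxy still enabled: $($inet.ProxyServer)" }

if ($Findings.Count -eq 0) { 'No Home Malware Cleaner indicators found.' } else { $Findings }
```

Rerun the script after step 5 to confirm that the Run entry, the DisallowRun policy and the proxy setting are gone; anything still reported needs manual cleanup.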

Administrator, FaraVirusi.com
volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert
