Devirusare / Dezinstalare Windows System Suite – rogue removal

Posted by Devirusare on Oct 29, 2009 in Devirusare, New |

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

Pe Devirusare.com am mai vorbit acum ceva timp ce este un program rogue si cat de daunator este.

Ca sa explic in 2 cuvinte pentru cei ce nu au rabdare sa citeasca, un program rogue este un antivirus/antispyware fals.

Imprumuta interfata si functii asemanatoare cu produsele originale ca sa pacaleasca utilizatorul sa plateasca o licenta.

Softul este un malware, care se instaleaza pe PC de pe diferite pagini(are sute de mirrors – site-uri identice cu originalul, doar pe alte domenii) si incepe sa trimita mesaje conform carora computerul este infectat si trebuie cumparata “licenta” pentru curatarea acestuia.

Bun, dupa acest malware au aparut sute de programe asemanatoare, companiile antivirus/antispyware facand cu greu fata zecilor de versiuni pe zi.

Este si greu de adaugat o detectie generica(o singura definitie pentru o familie de malware de acelasi tip).

Americanii au botezat acest fenomen scareware.

In continuare o sa prezint 2 metode de indepartare a programului Windows System Suite din PC:

1. Metoda manuala:

Stergeti urmatoarele fisiere din PC:

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows System Suite.lnk
%UserProfile%\Application Data\Windows System Suite
%UserProfile%\Application Data\Windows System Suite\cookies.sqlite
%UserProfile%\Desktop\436.mof
%UserProfile%\Desktop\mozcrt19.dll
%UserProfile%\Desktop\sqlite3.dll
%UserProfile%\Desktop\Windows System Suite.lnk
%UserProfile%\Desktop\WSYSS.ico
%UserProfile%\Desktop\WSYSSSys
%UserProfile%\Desktop\WSYSSSys\vd952342.bd
%UserProfile%\Recent\ANTIGEN.tmp
%UserProfile%\Recent\cb.exe
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.sys
%UserProfile%\Recent\ddv.dll
%UserProfile%\Recent\eb.drv
%UserProfile%\Recent\eb.exe
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\energy.sys
%UserProfile%\Recent\fan.drv
%UserProfile%\Recent\FS.drv
%UserProfile%\Recent\hijackthis.log.lnk
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Start Menu\Windows System Suite.lnk
%UserProfile%\Start Menu\Programs\Windows System Suite.lnk
c:\Documents and Settings\All Users\Application Data\61a60
c:\Documents and Settings\All Users\Application Data\61a60\WS83b.exe
c:\Documents and Settings\All Users\Application Data\WSYSSSys
c:\Documents and Settings\All Users\Application Data\WSYSSSys\wsyss.cfg

Stergeti urmatoarele chei de registry:

HKEY_CLASSES_ROOT\ReleaseXP.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “986707143803″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows System Suite”

Bifati si apasati Fix checked in Hijackthis 2.0.2 pentru:

O1 – Hosts: 74.125.45.100 test1111.com
O1 – Hosts: 74.125.45.100 test1112.com
O1 – Hosts: 74.125.45.100 4-open-davinci.com
O1 – Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 – Hosts: 74.125.45.100 privatesecuredpayments.com
O1 – Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 – Hosts: 74.125.45.100 getantivirusplusnow.com
O1 – Hosts: 74.125.45.100 secure-plus-payments.com
O1 – Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 – Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 – Hosts: 74.125.45.100 www.getavplusnow.com
O1 – Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 – Hosts: 74.125.45.100 test1111.com
O1 – Hosts: 74.125.45.100 test1112.com
O1 – Hosts: 74.125.45.100 4-open-davinci.com
O1 – Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 – Hosts: 74.125.45.100 privatesecuredpayments.com
O1 – Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 – Hosts: 74.125.45.100 getantivirusplusnow.com
O1 – Hosts: 74.125.45.100 secure-plus-payments.com
O1 – Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 – Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 – Hosts: 74.125.45.100 www.getavplusnow.com
O1 – Hosts: 74.125.45.100 www.securesoftwarebill.com
O4 – HKCU\..\Run: [Windows System Suite] “C:\Documents and Settings\All Users\Application Data\61a60\WS83b.exe” /s /d

Dupa cum vedeti, cheile si fisierele au nume random, uneori aceasta metoda este dificila.

2. Metoda automata:

Descarcati Malwarebytes’ Anti-Malware:

http://www.malwarebytes.org/mbam/program/mbam-setup.exe

si salvati-l pe Desktop.

In unele cazuri, nu puteti accesa site-ul Malwarebytes pentru a descarca programul.

Folositi mirror-ul pus la dispozitie de Softpedia:

http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml

Redenumiti kit-ul in test.exe sau ceva.exe si instalati-l.

La sfarsitul instalarii asigurati-va ca ati bifat urmatoarele: Update Malwarebytes’ Anti-Malware si Launch Malwarebytes’ Anti-Malware. Apoi apasati Finish.

Daca nu se poate conecta la internet pentru a descarca cele mai noi definitii, faceti un update offline:

Malwarebytes’ Anti-Malware Update Offline

Dupa lansarea programului, selectati Perform full scan si apoi apasati pe Scan.

La terminarea scanarii apasati OK si apoi Show Results. Asigurati-va ca e totul bifat si apoi apasati Remove Selected.

Restart PC.