Virus removal

Removing SpyDawn

Yet another USELESS!!! program, a successor to programs we already know such as VirusBurst, SpywareQuake, etc. Look closely and you will see that the authors really only change the colours. Like the others, this program is installed while downloading and installing audio or video codecs. Of course you will get a "fake alert", but it is the codec group that is responsible for it, not the program itself; see the results of the TESTS


This is roughly what it looks like.

In the HijackThis log you may see entries like these:

C:\Program Files\Image ActiveX Object\isamntr.exe
C:\Program Files\Image ActiveX Object\pmsnrr.exe
C:\Program Files\Image ActiveX Object\isamini.exe
C:\Program Files\Image ActiveX Object\pmmnt.exe

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program\Internet Security\isadd.dll

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Image ActiveX Object\isadd.dll

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Image ActiveX Object\iesplugin.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video Access ActiveX Object\iesplugin.dll

O4 - HKLM\..\Run: [SpyDawn] C:\Program Files\SpyDawn\SpyDawn.exe /h

O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - C:\WINDOWS\system32\higehsg.dll
O21 - SSODL: didynamia - {8329660f-e248-4872-98cc-fb9c4fec7ba8} - C:\WINDOWS\System32\xkrdk.dll
O21 - SSODL: apathies - {aed6f6a3-183c-488d-9f90-23db99f56e7f} - C:\WINDOWS\SYSTEM\geplxss.dll
O21 - SSODL: cam - {634be415-da12-496b-b89e-329b73c4807f} - C:\WINDOWS\system32\tvomnc.dll
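As an added example (not part of the original post), a small Python parser for the HijackThis O2/O3/O4/O21 lines quoted above: it pulls the CLSID and file path out of each entry, flags CLSIDs registered under more than one folder (this family reuses the same GUIDs across its renamed "ActiveX Object" directories), and lists the DLLs that ShellServiceObjectDelayLoad (O21) loads into the shell at logon. The log text is a constructed sample made from the lines above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Image ActiveX Object\isadd.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Image ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [SpyDawn] C:\Program Files\SpyDawn\SpyDawn.exe /h
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - C:\WINDOWS\system32\higehsg.dll
O21 - SSODL: didynamia - {8329660f-e248-4872-98cc-fb9c4fec7ba8} - C:\WINDOWS\System32\xkrdk.dll
"""

@dataclass(frozen=True)
class Entry:
    section: str   # O2 (BHO), O3 (toolbar), O4 (Run key), O21 (SSODL)
    name: str      # display name, or the Run value name for O4
    clsid: str     # registered CLSID, "" for O4 lines
    path: str      # file that gets loaded, or the O4 command line

# O2/O3/O21 share one shape: "Oxx - Kind: name - {CLSID} - path"
_COM_LINE = re.compile(r"^(O2|O3|O21) - \w+: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# O4: "O4 - HKxx\..\Run: [value name] command line"
_RUN_LINE = re.compile(r"^O4 - \S+: \[([^\]]+)\] (.+)$")

def parse_hjt(log):
    """Parse the COM and Run-key sections of a HijackThis log into Entry records."""
    entries = []
    for line in log.strip().splitlines():
        if m := _COM_LINE.match(line):
            sec, name, clsid, path = m.groups()
            entries.append(Entry(sec, name, clsid.upper(), path))
        elif m := _RUN_LINE.match(line):
            name, cmd = m.groups()
            entries.append(Entry("O4", name, "", cmd))
    return entries

def shared_clsids(entries):
    """CLSIDs that point at more than one file path: one GUID, several install folders."""
    paths = defaultdict(set)
    for e in entries:
        if e.clsid:
            paths[e.clsid].add(e.path)
    return {c: p for c, p in paths.items() if len(p) > 1}

def ssodl_dlls(entries):
    """DLLs loaded via ShellServiceObjectDelayLoad: they run inside explorer.exe
    at logon and survive uninstalling the visible SpyDawn program."""
    return [e.path for e in entries if e.section == "O21"]
```

Running `parse_hjt` over a full log and diffing `ssodl_dlls` against a known-clean baseline is the quickest way to spot the randomly named system32 DLLs this family drops.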

In the Silent Runners log you may see something like this:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpyDawn" = "C:\Program Files\SpyDawn\SpyDawn.exe /h" ["SpyDawn.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"rare" = "C:\Program Files\Video ActiveX Object\pmsnrr.exe" [null data]
"user32.dll" = "C:\Program Files\Video ActiveX Object\isamntr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"user32.dll" = "H:\Program Files\Image ActiveX Object\isamntr.exe" [null data]
"rare" = "H:\Program Files\Image ActiveX Object\pmsnrr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{8329660f-e248-4872-98cc-fb9c4fec7ba8}" = "didynamia"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\xkrdk.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"didynamia" = "{8329660f-e248-4872-98cc-fb9c4fec7ba8}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\xkrdk.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{aed6f6a3-183c-488d-9f90-23db99f56e7f}" = "apathies"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\geplxss.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Image ActiveX Object\isadd.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{84938242-5C5B-4A55-B6B9-A1507543B418}"
-> {HKLM...CLSID} = "Protection Bar"
\InProcServer32\(Default) = "C:\Program Files\Image ActiveX Object\iesplugin.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{84938242-5C5B-4A55-B6B9-A1507543B418}" = (no title provided)
-> {HKLM...CLSID} = "Protection Bar"
\InProcServer32\(Default) = "C:\Program Files\Image ActiveX Object\iesplugin.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\(Default) = "Protection Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Image ActiveX Object\iesplugin.dll" [null data]



In the SmitfraudFix log you will see something like this:

C:\Program Files\PCODEC\ FOUND !
C:\Program Files\Video ActiveX Object\ FOUND !

C:\Program Files\Video Access ActiveX Object\ FOUND !

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2016a466-91a2-43c6-97d8-2fd380f065ef}"="eitheror"

[HKEY_CLASSES_ROOT\CLSID\{2016a466-91a2-43c6-97d8-2fd380f065ef}\InProcServer32]
@="C:\WINDOWS\system32\higehsg.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2016a466-91a2-43c6-97d8-2fd380f065ef}\InProcServer32]
@="C:\WINDOWS\system32\higehsg.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8329660f-e248-4872-98cc-fb9c4fec7ba8}"="didynamia"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8329660f-e248-4872-98cc-fb9c4fec7ba8}\InProcServer32]
@="C:\\WINDOWS\\System32\\xkrdk.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"

[HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINDOWS\system32\geplxss.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\\WINDOWS\\system32\\geplxss.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{634be415-da12-496b-b89e-329b73c4807f}"="cam"

[HKEY_CLASSES_ROOT\CLSID\{634be415-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\WINDOWS\system32\tvomnc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{634be415-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\\WINDOWS\\system32\\tvomnc.dll"


GenericRenosFix by S!Ri

C:\WINDOWS\system32\higehsg.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\higehsg.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\SpyDawn\ Deleted
C:\Program Files\VideoAccess\ Deleted

In the ComboScan log you may see:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"user32.dll"="C:\\Program Files\\Video ActiveX Object\\isamntr.exe"
"rare"="C:\\Program Files\\Video ActiveX Object\\pmsnrr.exe"

The files responsible for the "fake alert" are:

C:\WINDOWS\system32\higehsg.dll

C:\Windows\System32\xkrdk.dll
C:\Windows\System32\geplxss.dll
C:\Windows\System32\tvomnc.dll

Removal:

In Control Panel >> Add/Remove Programs: uninstall SpyDawn.
Run one of the removal tools; you have a choice of Roguescanfix, SmitfraudFix or RogueRemover.
Run online scanners, e.g. Trend Micro or Panda.

Hmmm... but I still don't like this classification; there should be a "codec" group. The program as such is harmless; it is useless and therefore unnecessary.