| Nikolas_5482 asked:

I have a problem on my laptop with a program called "Security Shield". It won't let me open any program; not even Firefox works, and I tried to install an antivirus but it tells me it has a trojan virus. Please help me. FUNDA

Winning Answer
| itsoft answered:

Uninstalling Security Antivirus – A Guide to Complete Disinfection

By Radu FaraVirusi(com) on February 26, 2010

Security Antivirus is a rogue anti-spyware program. It is promoted through Trojans or through SEO poisoning, appearing among the results of various Google searches. Visiting the site in most cases leads to the automatic installation of the infected program.
The program displays numerous false alerts and performs scans of the PC, erroneously detecting hundreds of infections.

All of this is meant to mislead the user into purchasing the program. The detected files are created by the virus itself and are clean, so the alerts should not be taken into account.
They are all located in %UserProfile%\Recent and among them are: ANTIGEN.exe, runddlkey.dll, PE.exe, PE.sys, PE.tmp, ddv.dll, ddv.sys, std.exe


The program also displays the following alerts:

An unauthorized program has been prevented from accessing your PC remotely. #Port:433 from 92.11.127.10
An unauthorized software C:\Program Files\Internet Explorer\Iexplore.exe which is potentially malicious and able to modify system files has been prevented from being installed on your PC.

Security Antivirus has detected potentially harmful software in your system. It is strongly recommended that you register Security Antivirus to remove all found threats immediately.

Potentially harmful programs have been detected in your system and need to be dealt with immediately. Click here to remove them using Security Antivirus.
Your PC may still be infected with dangerous viruses. Security Antivirus protection is needed to prevent data loss and avoid theft of your personal data and credit card details. Click here to activate protection.

Suspicious software which may be malicious has been detected on your PC. Click here to remove this threat immediately using Security Antivirus.
Click here to remove all potentially harmful programs found immediately using Security Antivirus.

Malicious applications, which may contain Trojans, were found on your computer and are to be removed immediately. Click here to remove these potentially harmful items using Security Antivirus.
No real-time malware, spyware and virus protection was found. Click here to activate.

To get rid of this unwanted guest, read the details below:

The program creates the following files\folders:


The following registry keys are associated with it:

HKEY_CURRENT_USER\Software\3
HKEY_CLASSES_ROOT\SA345d.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://findgala.com/?&uid=195&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" ="http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "App/7.00195"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Security Antivirus"

The following entries appear in the HijackThis log:


DISINFECTION:

1. Download and run rkill.com. This is necessary to stop the active process used by the virus. You will probably receive a warning that rkill.com is infected. Ignore it; it is just a false alarm generated by Security Antivirus.
Run rkill.com again until the virus is no longer active. If rkill.com cannot be run, use iExplore.exe or eXplorer.exe


2. Download and install Malwarebytes Anti-Malware. Scan the PC completely and at the end delete the infections found by clicking Remove selected.

3. This virus also modifies the computer's HOSTS file, making many websites impossible to access. To fix this, first run the following file to restore the delete\rename permissions on the HOSTS file: http://www.faravirusi.com/hosts/permisiuni_hosts.bat

4. Now delete the file C:\Windows\System32\Drivers\etc\HOSTS, then, depending on your Windows version, download one of the files below and copy it into the folder C:\Windows\System32\Drivers\etc
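A defender-side check for the HOSTS hijack that steps 3 and 4 above clean up, added here as an example that is not part of the original post or of the cited site: it parses a hosts file and flags watched domains pointed at non-loopback addresses, plus any single foreign address that absorbs several names. The watchlist and the sample entries (documentation-range IPs) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Watchlist (assumption for this example): search engines and vendor update hosts.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "microsoft.com")
LOOPBACK = ("127.0.0.1", "::1")
MASS_REDIRECT_MIN = 3  # one foreign IP absorbing 3+ names is suspect

# Constructed sample HOSTS content; IPs are documentation ranges, not real ones.
HOSTS_SAMPLE = """\
127.0.0.1       localhost
198.51.100.7    www.google.com
198.51.100.7    google.com
198.51.100.7    www.bing.com
203.0.113.9     safebrowsing-cache.google.com
203.0.113.9     urs.microsoft.com
192.168.1.50    intranet.local   # legitimate single local entry
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so not a mapping line
        pairs.extend((ip, name.lower()) for name in names)
    return pairs

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Flag watched names sent to non-loopback IPs, and IPs that absorb many names."""
    by_ip = defaultdict(set)
    redirects = []
    for ip, host in parse_hosts(text):
        if ip in LOOPBACK:
            continue  # loopback blocking is common in legitimate hosts files
        by_ip[ip].add(host)
        if is_watched(host):
            redirects.append((ip, host))
    mass = {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= MASS_REDIRECT_MIN}
    return {"watched_redirects": redirects, "mass_redirect_ips": mass}
```

On a real machine, feed it the contents of C:\Windows\System32\Drivers\etc\HOSTS; a clean Windows file yields no findings.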

2 replies:
| Frankie replied:

Apart from the fact that you have a writing style that's a pain in the **** ".,.,.,.,.", are you sure you don't have another antivirus installed? Open Security Shield and see what you have checked or unchecked in there; read them and change them.

| Nikolas_5482 explains (to Frankie):

Aha, but what style do I have? Wait, I don't understand.