Virus removal

Removing SpyCrush

Another USELESS program, the successor of ones we already know such as SpyDawn, VirusBurst, SpywareQuake and so on. Look closely: the authors really only change the colour scheme.
Of course you will get the "fake alert", but it comes from the codec group (the Video ActiveX Access component in the log below), not from the program itself. See the TEST results:

This is what it looked like at the beginning; it has since gone through a metamorphosis and now looks like this (do you see the resemblance to the other programs?):

In the HijackThis log you can see (running processes, the BHO and toolbar of the codec component, the SpyCrush autostart entries, and the same eleven CLSIDs hooked twice, once as O21 and once as O22):


C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Video ActiveX Access\iesmin.exe

O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Video ActiveX Access\iesplg.dll

O3 - Toolbar: Protection Bar - {DF4E7A0C-E233-4906-B4C1-A404356541FF} - C:\Program Files\Video ActiveX Access\iesbpl.dll

O4 - HKLM\..\Run: [SpyCrush] C:\Program Files\SpyCrush\SpyCrush.exe /h
O4 - HKLM\..\Run: [SpyCrush 3.1] "C:\Program Files\SpyCrush 3.1\SpyCrush 3.1.exe" /h
O4 - HKLM\..\Run: [SpyCrush 3.2] "C:\Program Files\SpyCrush 3.2\SpyCrush 3.2.exe" /h
O4 - HKLM\..\Run: [SpyCrush 3.3] "C:\Program Files\SC\SpyCrush 3.3\SpyCrush 3.3.exe" /h

O21 - SSODL: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - C:\WINDOWS\system32\ckimzeb.dll
O21 - SSODL: debugs - {c704547b-26c0-4222-a034-81653c07b494} - C:\WINDOWS\system32\gsrnxgh.dll
O21 - SSODL: hellenophile - {6f396a67-f473-48c9-9950-636ce17e584e} - C:\WINDOWS\system32\yesgnhr.dll
O21 - SSODL: cornerer - {9ff419a8-1748-4ca7-99df-d269465b0e8b} - C:\WINDOWS\system32\iauoi.dll
O21 - SSODL: castigating - {41eaa909-24be-4d24-877f-076a0576a6fd} - C:\WINDOWS\system32\gbjkog.dll
O21 - SSODL: concise - {3afa7405-68e8-4bdb-920e-0d506f552826} - C:\WINDOWS\system32\cdwvhbf.dll
O21 - SSODL: biographers - {e7aff349-39e1-4a96-a13d-24983440b44a} - C:\WINDOWS\system32\xikor.dll
O21 - SSODL: farrandly - {8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c} - C:\WINDOWS\system32\tczij.dll
O21 - SSODL: crawley - {8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab} - C:\WINDOWS\system32\igpfced.dll
O21 - SSODL: decoyed - {9c0c879c-9091-45d1-807f-2adc37d7d6d6} - C:\WINDOWS\system32\iwwvh.dll
O21 - SSODL: drays - {33b8d257-07f6-4c06-8605-94bc21728635} - C:\WINDOWS\system32\xedasn.dll

O22 - SharedTaskScheduler: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - C:\WINDOWS\system32\ckimzeb.dll
O22 - SharedTaskScheduler: debugs - {c704547b-26c0-4222-a034-81653c07b494} - C:\WINDOWS\system32\gsrnxgh.dll
O22 - SharedTaskScheduler: hellenophile - {6f396a67-f473-48c9-9950-636ce17e584e} - C:\WINDOWS\system32\yesgnhr.dll
O22 - SharedTaskScheduler: cornerer - {9ff419a8-1748-4ca7-99df-d269465b0e8b} - C:\WINDOWS\system32\iauoi.dll
O22 - SharedTaskScheduler: castigating - {41eaa909-24be-4d24-877f-076a0576a6fd} - C:\WINDOWS\system32\gbjkog.dll
O22 - SharedTaskScheduler: concise - {3afa7405-68e8-4bdb-920e-0d506f552826} - C:\WINDOWS\system32\cdwvhbf.dll
O22 - SharedTaskScheduler: biographers - {e7aff349-39e1-4a96-a13d-24983440b44a} - C:\WINDOWS\system32\xikor.dll
O22 - SharedTaskScheduler: farrandly - {8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c} - C:\WINDOWS\system32\tczij.dll
O22 - SharedTaskScheduler: crawley - {8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab} - C:\WINDOWS\system32\igpfced.dll
O22 - SharedTaskScheduler: decoyed - {9c0c879c-9091-45d1-807f-2adc37d7d6d6} - C:\WINDOWS\system32\iwwvh.dll
O22 - SharedTaskScheduler: drays - {33b8d257-07f6-4c06-8605-94bc21728635} - C:\WINDOWS\system32\xedasn.dll


In the Silent Runners log you can see (one of the eleven entries shown; the others follow the same pattern):

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
 <<!>> "{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}" = "damkjernite"
   -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ckimzeb.dll" [null data]

In the SmitFraudFix log you will see something like this:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}"="damkjernite"

[HKEY_CLASSES_ROOT\CLSID\{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}\InProcServer32]
@="C:\WINDOWS\system32\ckimzeb.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef}\InProcServer32]
@="C:\WINDOWS\system32\ckimzeb.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{c704547b-26c0-4222-a034-81653c07b494}"="debugs"

[HKEY_CLASSES_ROOT\CLSID\{c704547b-26c0-4222-a034-81653c07b494}\InProcServer32]
@="C:\WINDOWS\system32\gsrnxgh.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{c704547b-26c0-4222-a034-81653c07b494}\InProcServer32]
@="C:\WINDOWS\system32\gsrnxgh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6f396a67-f473-48c9-9950-636ce17e584e}"="hellenophile"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"

[HKEY_CLASSES_ROOT\CLSID\{6f396a67-f473-48c9-9950-636ce17e584e}\InProcServer32]
@="C:\WINDOWS\system32\yesgnhr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9ff419a8-1748-4ca7-99df-d269465b0e8b}"="cornerer"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9ff419a8-1748-4ca7-99df-d269465b0e8b}\InProcServer32]
@="C:\WINDOWS\system32\iauoi.dll"

[HKEY_CLASSES_ROOT\CLSID\{9ff419a8-1748-4ca7-99df-d269465b0e8b}\InProcServer32]
@="C:\WINDOWS\system32\iauoi.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{41eaa909-24be-4d24-877f-076a0576a6fd}"="castigating"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41eaa909-24be-4d24-877f-076a0576a6fd}\InProcServer32]
@="C:\WINDOWS\system32\gbjkog.dll"

[HKEY_CLASSES_ROOT\CLSID\{41eaa909-24be-4d24-877f-076a0576a6fd}\InProcServer32]
@="C:\WINDOWS\system32\gbjkog.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{3afa7405-68e8-4bdb-920e-0d506f552826}"="concise"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3afa7405-68e8-4bdb-920e-0d506f552826}\InProcServer32]
@="C:\WINDOWS\system32\cdwvhbf.dll"

[HKEY_CLASSES_ROOT\CLSID\{3afa7405-68e8-4bdb-920e-0d506f552826}\InProcServer32]
@="C:\WINDOWS\system32\cdwvhbf.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e7aff349-39e1-4a96-a13d-24983440b44a}"="biographers"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e7aff349-39e1-4a96-a13d-24983440b44a}\InProcServer32]
@="C:\WINDOWS\system32\xikor.dll"

[HKEY_CLASSES_ROOT\CLSID\{e7aff349-39e1-4a96-a13d-24983440b44a}\InProcServer32]
@="C:\WINDOWS\system32\xikor.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c}"="farrandly"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c}\InProcServer32]
@="C:\WINDOWS\system32\tczij.dll"

[HKEY_CLASSES_ROOT\CLSID\{8aa7a4d2-73c7-4fca-bef7-7923e38a3b1c}\InProcServer32]
@="C:\WINDOWS\system32\tczij.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}"="crawley"

[HKEY_CLASSES_ROOT\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}\InProcServer32]
@="C:\WINDOWS\system32\igpfced.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8bbe40fd-0416-4c3f-80ea-0c7ad5fb1aab}\InProcServer32]
@="C:\WINDOWS\system32\igpfced.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9c0c879c-9091-45d1-807f-2adc37d7d6d6}"="decoyed"

[HKEY_CLASSES_ROOT\CLSID\{9c0c879c-9091-45d1-807f-2adc37d7d6d6}\InProcServer32]
@="C:\WINDOWS\system32\iwwvh.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9c0c879c-9091-45d1-807f-2adc37d7d6d6}\InProcServer32]
@="C:\WINDOWS\system32\iwwvh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{33b8d257-07f6-4c06-8605-94bc21728635}"="drays"

[HKEY_CLASSES_ROOT\CLSID\{33b8d257-07f6-4c06-8605-94bc21728635}\InProcServer32]
@="C:\WINDOWS\system32\xedasn.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{33b8d257-07f6-4c06-8605-94bc21728635}\InProcServer32]
@="C:\WINDOWS\system32\xedasn.dll"



The files responsible for the "fake alert" are (random-letter names in System32, one per CLSID above):

C:\Windows\System32\ckimzeb.dll
C:\Windows\System32\gsrnxgh.dll
C:\Windows\System32\yesgnhr.dll
C:\Windows\System32\iauoi.dll
C:\Windows\System32\gbjkog.dll
C:\Windows\System32\cdwvhbf.dll
C:\Windows\System32\xikor.dll
C:\Windows\System32\tczij.dll
C:\Windows\System32\igpfced.dll
C:\Windows\System32\iwwvh.dll
C:\Windows\System32\xedasn.dll
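The O21/O22 pairs above are the part worth automating: each CLSID is hooked once under ShellServiceObjectDelayLoad and once under SharedTaskScheduler, both pointing at the same random-letter DLL in system32, so the two lists can be cross-checked instead of copied by hand. The Python script below is an added example, not code from the original page or from HijackThis/SmitFraudFix: it parses O21/O22 lines, flags CLSIDs hooked in both places, and produces a .reg file that removes the hooks together with the list of DLLs to delete. The sample log inside it is constructed from four lines of the log above plus one made-up single-hook entry (the "placeholder" CLSID 11111111-...), included only to show that entries hooked in one place are left alone.

```python
"""Correlate HijackThis O21 (SSODL) / O22 (SharedTaskScheduler) entries and
emit a .reg file that removes the hooks, plus the list of DLLs to delete."""
import re
from collections import defaultdict

# Constructed sample input: four O21/O22 lines copied from the log above plus
# one made-up single-hook entry ("placeholder", CLSID 11111111-...) that sits
# only under SharedTaskScheduler, to show that such entries are left alone.
SAMPLE_LOG = """\
O21 - SSODL: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - C:\\WINDOWS\\system32\\ckimzeb.dll
O21 - SSODL: debugs - {c704547b-26c0-4222-a034-81653c07b494} - C:\\WINDOWS\\system32\\gsrnxgh.dll
O22 - SharedTaskScheduler: damkjernite - {5bf53d50-b1ec-47b6-a00a-0bd32baeb7ef} - C:\\WINDOWS\\system32\\ckimzeb.dll
O22 - SharedTaskScheduler: debugs - {c704547b-26c0-4222-a034-81653c07b494} - C:\\WINDOWS\\system32\\gsrnxgh.dll
O22 - SharedTaskScheduler: placeholder - {11111111-2222-3333-4444-555555555555} - C:\\WINDOWS\\system32\\placeholder.dll
"""

# Where Explorer reads the two hook lists from (fixed Windows locations).
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"

LINE_RE = re.compile(
    r"^O2[12] - (?P<kind>SSODL|SharedTaskScheduler): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}) - (?P<path>.+?)\s*$",
    re.IGNORECASE,
)


def parse_hijackthis(text):
    """Return one dict per O21/O22 line: kind, label, CLSID (lower-case), DLL path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"kind": m["kind"], "name": m["name"],
                            "clsid": m["clsid"].lower(), "path": m["path"]})
    return entries


def find_double_hooked(entries):
    """CLSIDs registered under BOTH SSODL and SharedTaskScheduler (the pattern in the log)."""
    kinds_by_clsid = defaultdict(set)
    for e in entries:
        kinds_by_clsid[e["clsid"]].add(e["kind"])
    return sorted(c for c, k in kinds_by_clsid.items() if k == {"SSODL", "SharedTaskScheduler"})


def build_removal_reg(entries, clsids):
    """Build a .reg file body that deletes the hook values and the COM registrations."""
    target = set(clsids)
    ssodl_values, sts_values, clsid_keys = [], [], set()
    for e in entries:
        if e["clsid"] not in target:
            continue
        if e["kind"] == "SSODL":
            ssodl_values.append(f'"{e["name"]}"=-')   # SSODL: value name = label, data = CLSID
        else:
            sts_values.append(f'"{e["clsid"]}"=-')    # STS:   value name = CLSID, data = label
        clsid_keys.add(e["clsid"])
    lines = ["Windows Registry Editor Version 5.00", ""]
    if ssodl_values:
        lines += [f"[{SSODL_KEY}]", *ssodl_values, ""]
    if sts_values:
        lines += [f"[{STS_KEY}]", *sts_values, ""]
    for c in sorted(clsid_keys):
        # "[-key]" deletes the whole key; remove both views shown in the SmitFraudFix log.
        lines += [f"[-HKEY_CLASSES_ROOT\\CLSID\\{c}]",
                  f"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{c}]", ""]
    return "\n".join(lines)


def dlls_to_delete(entries, clsids):
    """Unique DLL paths behind the selected CLSIDs, i.e. the files to delete after unhooking."""
    target = set(clsids)
    return sorted({e["path"] for e in entries if e["clsid"] in target})


if __name__ == "__main__":
    found = parse_hijackthis(SAMPLE_LOG)
    bad = find_double_hooked(found)
    print(build_removal_reg(found, bad))
    print("Files to delete once Explorer no longer holds them:")
    print("\n".join(dlls_to_delete(found, bad)))
```

Apply the generated .reg only after explorer.exe has been terminated or from Safe Mode, then delete the listed files; while Explorer still has the DLLs loaded through these hooks the file deletes fail. Deleting both HKEY_CLASSES_ROOT\CLSID\{...} and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{...} mirrors what the SmitFraudFix log shows; on a single-user XP machine they are the same merged view, so the second line is harmless.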



Removal:

In Control Panel >> Add/Remove Programs: uninstall SpyCrush, SpyCrush 3.1, SpyCrush 3.2 (and SpyCrush 3.3 if it is present, as in the log above).
In Safe Mode, run the tools SmitFraudFix, RogueFix, RogueScanFix, RogueRemover. This step is what removes the codec component: the O21/O22 DLLs are loaded into explorer.exe through the SSODL and SharedTaskScheduler hooks, so both the registry entries and the files have to go, and the files cannot be deleted while Explorer holds them.
If the Hosts file has been modified, use the HostsXpert tool.
Run online scanners, e.g. Trend Micro, Panda.

Hmmm... but I still don't like this classification; there should be a "codec" group. The program as such is harmless; it is useless and therefore unnecessary.