Bienvenido! - Willkommen! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!
Showing posts with label rogue SW. Show all posts

Friday, August 5, 2011

Dubious antivirus programs

Zimuse worm and Data Doctor 2010

Source


A new virus, or rather worm, is making the rounds. The ZIMUSE worm is particularly damaging because it destroys the hard disk, and by then it is too late. The ZIMUSE worm disguises itself as an IQ test that you either find on the Internet or receive by e-mail. So beware of unknown e-mails and so-called IQ tests on the Internet.
BitDefender: "Zimuse" worm destroys hard disks
Computer users are currently threatened on two fronts: BitDefender and F-Secure, both makers of security software, are warning of acute threats from a very dangerous worm and a particularly devious Trojan. While the latter encrypts important files on the computer and only decrypts them again after a "ransom" is paid, the other pest goes further and, for the first time, attacks the hardware itself massively.
The greater danger comes from Win32.Worm.Zimuse.A: BitDefender describes this extremely dangerous malware as a combination of virus and worm. Zimuse is said to spread quickly and can lead to complete data loss on hard disks. At first the pest presents itself to the user only as a seemingly harmless IQ test. But after it is first run, the worm, which has so far appeared in two variants, scatters up to eleven copies of itself into important areas of the Windows system.
The hard disk's Master Boot Record is overwritten
Particularly explosive: the first 50 kilobytes of the Master Boot Record, which holds the information needed to boot the system, are overwritten by Zimuse. The virus-worm combination is then executed again at every system start.
This is made possible by a small entry in the registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Dump"="%ProgramFiles%\Dump\Dump.exe".
According to BitDefender, two driver files named %System%\drivers\Mstart.sys and %System%\drivers\Mseu.sys are installed as well. The 64-bit editions of Windows Vista and Windows 7 offer some protection against the installation of these files out of the box: because system drivers there have to be digitally signed, the malware cannot slip its drivers in.

Dangerous "Zimuse" worm: after the restart, complete data loss threatens. Image: Eset
System failure after 20 or 40 days
The hard disk failure then looms after 20 or 40 days, depending on the worm variant. First an error message points to an alleged problem with malicious content in IP packets from an unknown web address and tells the user to restart the system. Whoever complies has automatically said goodbye to his data, because at the next system start the hard disk can no longer be used.
To guard against such dangers, BitDefender recommends always using up-to-date antivirus software. The security experts at ESET have also already made a tool for removing the Zimuse worm available for download.
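As an added example (my own, not from the BitDefender/ESET text), a Python check a defender can run against a saved boot-sector image to catch the kind of overwrite described above: it verifies the 0x55AA signature and the partition table and compares the bootstrap code with a hash baseline recorded on a clean system. The sample sectors are constructed, and the baseline format and function names are my assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector):
    """Split a 512-byte MBR into bootstrap code, partition entries and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i:462 + 16 * i]
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"bootstrap": sector[:440], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_baseline(sector):
    """Record hashes from a known-clean system; check_mbr() compares against these later."""
    return {"bootstrap_sha256": sha256_hex(sector[:440]),
            "table_sha256": sha256_hex(sector[446:510])}

def check_mbr(sector, baseline):
    """Return a list of findings; an empty list means the sector still matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature: sector is no longer a valid MBR")
    if sha256_hex(mbr["bootstrap"]) != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline: boot code was overwritten")
    if sha256_hex(sector[446:510]) != baseline["table_sha256"]:
        findings.append("partition table differs from baseline")
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings

# --- constructed sample sectors (not real boot code) ---
def build_clean_mbr():
    bootstrap = bytes((i * 7) & 0xFF for i in range(440))  # stand-in for real boot code
    disk_sig = b"\x12\x34\x56\x78\x00\x00"  # disk signature + 2 reserved bytes
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long
    part1 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return bootstrap + disk_sig + part1 + b"\x00" * 48 + BOOT_SIGNATURE

CLEAN_MBR = build_clean_mbr()
BASELINE = make_baseline(CLEAN_MBR)                # taken while the system is clean
OVERWRITTEN_MBR = b"\x90" * 440 + CLEAN_MBR[440:]  # boot code replaced, table intact
WIPED_MBR = b"\x00" * SECTOR_SIZE                  # sector zeroed: disk no longer boots

if __name__ == "__main__":
    # On a live system, read the first 512 bytes of \\.\PhysicalDrive0 (Windows, as
    # Administrator) or /dev/sda (Linux) and pass them in place of the samples.
    for label, sector in (("clean", CLEAN_MBR), ("overwritten", OVERWRITTEN_MBR), ("wiped", WIPED_MBR)):
        print(label, check_mbr(sector, BASELINE) or ["OK"])
```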
-----------
The Trojan W32/DatCrypt, which antivirus vendor F-Secure warns about, is not quite so drastic; it takes a more devious approach instead. On infected computers the Trojan encrypts important files.
Users are shown an error message suggesting that files such as Microsoft Office documents are damaged. A deceptively genuine-looking "Windows system message" in the status bar then recommends downloading the repair software Data Doctor 2010 to recover the files. But after installing and running this program, the user quickly learns that only one file can be repaired for free. To recover further files, the complete product must be purchased for 89.95 US dollars. Once the money has been paid the files are indeed "rescued", but in fact they are simply decrypted again.
F-Secure advises backing up important files
Data Doctor 2010: the "repair software" serves only to rip people off. Image: F-Secure
The software thus appears to have worked excellently, and quite a few users are even grateful to the program for making their files available again. According to F-Secure, however, the Trojan's trick can only work if the user has not backed up his important data elsewhere, for example on CD, DVD or an external hard disk. The F-Secure experts therefore advise regular data backups to escape threats such as this Trojan.

Sunday, August 8, 2010

Rogue or Suspect Anti-Spyware Products

Source
Rogue/Suspect Anti-Spyware Products

What follows is the main list of "rogue/suspect" anti-spyware applications, none of which can be recommended for anti-spyware protection. Be sure to consult the notes section at the bottom of the list for more information about the list and how it is constructed. Some applications with an entry below have been de-listed; entries for those applications remain in order to point to the explanatory notes below the main list. If you don't find an application on the main list of "rogue/suspect" anti-spyware products below, you might also consult the list of lesser-known anti-spyware applications that are not considered "rogue/suspect." And for a short list of reputable, recommended anti-spyware, see the Trustworthy Anti-Spyware Products section.

Saturday, November 29, 2008

Spyware Warrior


Those who have followed the development of this page since 2004 will have noted that the list of "rogue/suspect" anti-spyware products has not been updated since May 2007. Unfortunately, other time commitments have precluded our efforts to keep that list up to date. Since the last update dozens of "new" rogue anti-spyware programs have hit the 'Net. The vast majority of them, however, are not really new, but are simply re-branded clones and knockoffs of the same rogue applications that have been around for years. In most cases, they are being pushed through the same deceptive practices by the same parties responsible for earlier versions. See in particular these "families" of anti-spyware products, which continue to live on through shameless re-branding: 15, 18, 19, 21, 22, & 23.

If you are looking for information on the most recent rogue anti-spyware applications, we recommend visiting these sites:

"Rogue/Suspect" means that these products are of unknown, questionable, or dubious value as anti-spyware protection.
Some of the products listed on this page simply do not provide proven, reliable anti-spyware protection or may be prone to ridiculous false positives. Others may use unfair, deceptive, high pressure sales tactics to scare up sales from gullible, confused users. A very few of these products are either associated with known distributors of spyware/adware or have been known to install spyware/adware themselves. Not all products exhibit the same problems, however. Please see this "note to readers" for more information.
Users are advised to rely on the short list of Trustworthy Anti-Spyware Products with deserved reputations for quality performance.

Criteria & Testing
Criteria that we use to classify anti-spyware programs as "rogue / suspect" are discussed below in the Listing Criteria section.

Testing was performed with most of the apps listed below, though not all of them. The notes section below contains definitions and descriptions of some of the key terms used in the comments for the applications listed. Be sure to consult the Anti-Spyware Family Resemblances and Orphans & Outcasts companion pages for more information on the applications listed.

De-Listed Applications
Some applications that were originally included in this list of "rogue/suspect" anti-spyware programs have been de-listed after the vendors for those programs took steps to correct the problems identified on this page. For each program that has been de-listed there is a note explaining the circumstances at the bottom of the main "rogue/suspect" list. For more information on the process of de-listing applications, see THIS discussion below.
Note: before contacting us about programs not included on the main list below, please check the list of lesser-known anti-spyware applications that we have tested as well as the list of legitimate, licensed clones of other anti-spyware programs.

More Information
For additional information on "rogue/suspect" anti-spyware products, see the More Information section towards the bottom of the page. Suzi has put together a "Top 10 Rogue Anti-Spyware" list HERE.
For reports on more extensive testing with a select group of anti-spyware utilities, see HERE. A short list of anti-spyware applications that are recommended as useful and trustworthy can be found on the list of Trustworthy Anti-Spyware Products below. An extended list of quality anti-spyware products is HERE.

If your PC is already infested with spyware or adware, see the instructions below for getting help.

See also: Anti-Spyware Family Resemblances
Anti-Spyware Orphans & Outcasts
Anti-Spyware Programs: Feature Comparison
Anti-Spyware Tests (by Eric L. Howes)
Protecting Your Privacy & Security on a Home PC
Ben Edelman - Spyware Research

Thursday, October 16, 2008

XP Antivirus 2008, XP Antivirus 2009, and XPAntiVirus

Extracted from Source

What this program does:
XP Antivirus 2008, XP Antivirus 2009, and XPAntiVirus are rogue antivirus programs that, when run, display false results as a tactic to scare you into purchasing the software. Older versions of XP Antivirus would create 9 entries in your Windows Registry that impersonate infections on your machine. In reality, though, these registry entries were harmless and had absolutely no effect on your computer. Instead, these entries were set so that XP AntiVirus could find them when scanning your computer and report them as infections. The newer versions of the program, such as XP Antivirus 2008 and XP Antivirus 2009, instead just display false results when scanning your computer, stating that infections were found. In order to remove these fake infections, though, you would first need to purchase the software, as the trial does not allow you to remove them.
While running, XP Antivirus will also display fake alerts stating that you are infected or under attack from some type of threat. These alerts are fake and can be ignored. If you do click on an alert, though, it will prompt you to purchase the software. Examples of the text contained in these alerts can be found below.

Privacy Violation alert!
XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).
or
System files modification alert!
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised
<sic> modification by removing threats (Recommended).

As you can see, these programs are fraudware because they make changes to your computer and then state that these changes are infections as a scare tactic to make you purchase the software. It goes without saying that under no circumstances should you buy it. The older program, XPAntivirus, does come with a removal option in the computer's Add or Remove Programs list, but when you attempt to uninstall it, all that happens is that the entry is removed from the list and the program's process is terminated. The next time you reboot, XP AntiVirus will start up again. The newer versions of the program do not contain an entry in the Add or Remove Programs list at all.

XP Antivirus 2008 screenshot

Tools Needed for this fix:

Wednesday, October 15, 2008

remove process PARTLOGIC-0.69-ISO.EXE

Source
How to remove PARTLOGIC-0.69-ISO.EXE

Following is a description of PARTLOGIC-0.69-ISO.EXE and details of how to remove it.
To remove PARTLOGIC-0.69-ISO.EXE successfully, follow these instructions:

1. Temporarily disable System Restore.

2. Update the virus definitions to remove PARTLOGIC-0.69-ISO.EXE. Reboot the computer in Safe Mode.

3. Stop the PARTLOGIC-0.69-ISO.EXE virus file process if you can find it in the task list.

4. Locate the PARTLOGIC-0.69-ISO.EXE virus files and uninstall the PARTLOGIC-0.69-ISO.EXE program. Follow the step-by-step on-screen instructions to complete the uninstallation of PARTLOGIC-0.69-ISO.EXE.

5. Delete/modify any values added to the registry related to PARTLOGIC-0.69-ISO.EXE, exit the registry editor and restart the computer.

6. Clean/delete all PARTLOGIC-0.69-ISO.EXE-infected file(s): PARTLOGIC-0.69-ISO.EXE and related files, or rename the PARTLOGIC-0.69-ISO.EXE virus files.

7. Delete all your IE temp files manually (the PARTLOGIC-0.69-ISO.EXE file may exist there), or download the tool ATF Cleaner to delete all your IE temp files.

8. Run a full scan with your antivirus program, or use one of the free online scanners (from various well-known antivirus vendors) on the right side of the home page.

Following is the information on the virus file PARTLOGIC-0.69-ISO.EXE:
PARTLOGIC-0.69-ISO.EXE: The filename PARTLOGIC-0.69-ISO.EXE was first seen on Aug 11 2008 in BELGIUM. The filename PARTLOGIC-0.69-ISO.EXE refers to an object. It has a file size of 4,795,607 bytes. This file has no vendor, product or version information specified in the file header.
PARTLOGIC-0.69-ISO.EXE has been seen to perform the following behavior(s):
  • Executes a Process
PARTLOGIC-0.69-ISO.EXE has been the subject of the following behavior(s):
  • Created as a process on disk
  • Executed as a Process
  • Terminated as a Process
  • Has code inserted into its Virtual Memory space by other programs
Virus, Spyware & Malware Center
If you cannot get the information you need from the PARTLOGIC-0.69-ISO.EXE article and fail to remove it successfully, you may seek help on the
Free Virus Remove Help forum
URL:
http://help.antiviruses123.com.

RogueRemover

Source
The Internet today is full of scam sites, otherwise known as phishing sites, that try to sell you products. These products can be potentially harmful to your computer. They install malware, provide false feedback about your computer, and can slow down the computer drastically. These products are known as rogue applications and come in a variety of forms - from anti-malware applications to registry cleaners and even hard drive utilities.
We at Malwarebytes realize this is becoming a more prevalent issue, and have created a free application to help keep you safe and secure - RogueRemover FREE.
RogueRemover FREE is an application that can remove rogue antispyware, antivirus, and hard drive cleaning applications with ease. Rogue applications provide false information about the safety of your computer, give erroneous scan results, or put their own malware on your computer.

RogueRemover FREE has the ability to completely remove WinAntiSpyware / WinAntiVirus, SpyAxe, VirusBlast, VirusBursters, as well as a number of other rogue applications. In addition, we have implemented a threats center which will allow you to keep up to date with the latest rogue threats.

Usage
Simply download RogueRemover FREE from one of the links below. Double click the downloaded file to install the application on your computer. Once the application is installed, double click on the RogueRemover FREE icon to start the program. When the application is open, select Scan and the application will guide you through the remaining steps.

Download

Smitfraud-C.

My solution:
Do not use IExplorer version < 7! Better: uninstall it completely!
Use Firefox, Flock or Opera instead (with webpage-threat advisors such as belarcAdvisor, Sitehound, WOT and McAfee SiteAdvisor)
Don't forget NoScript!
And hosts-file related software to protect zone mapping
Use Spybot Search & Destroy!



Product: Smitfraud-C.
Description
This program installs itself through the Internet and creates new desktop wallpaper. This wallpaper looks like a Windows 98 blue screen and contains a warning that the computer is infected with viruses, that one should download and run a virus scanner, and that the computer wouldn't work in normal mode. In addition to this one gets a desktop icon leading to a purported antivirus application named PSGuard.
Scanning the computer with this software will report a virus found (one that was installed by this software itself). In order to remove this virus one has to download the full version for about 20 EUR.
Another unpleasant effect of Smitfraud-C. is that some configuration options in the Control Panel will no longer be available. This way it stops the user from changing the wallpaper and forces him to keep the blue screen. Overall, Smitfraud-C is a very sneaky piece of software trying to sell PSGuard by frightening less experienced users.

Saturday, October 11, 2008

RegRun Reanimator | Rogue SW Reanimator

Source (Russian software!)
Reanimator is free software for removing Trojans/adware/spyware and some rootkits.
Reanimator does not contain any adware/spyware modules.
Supported: Windows 95/98/Me/NT4/2000/XP/2003/Vista.
Compatible with all known antivirus software. Download
---------------------------------------------------------

NTOSKRNL.DLL is a user-mode rootkit. It hides its presence in the registry and in the loaded-modules listing.

You cannot delete it using standard Windows deletion methods.


Removal Instructions

  1. Download our special software:
    RegRun Reanimator
    Unzip it to any folder on your hard drive.
  2. Open Reanimator.exe. Open the "Reanimator" menu, then "Execute Reanimator Job". Choose the "ntsystem.rnr" file. The "NTSYSTEM.RNR" job contains the procedure for activating RegRun Partizan and deleting ntsystem.exe and ntoskrnl.dll at reboot.
    You will see "RegRun Partizan" on the Windows blue boot screen at the moment when Windows checks the hard drives.
    Look at the messages on the screen to be sure that the dangerous files are deleted.
  3. Restart your computer. Open Reanimator and choose "Scan for Viruses" to be sure that the removal is complete.
  4. Visit our Support center if you have any questions.
    Open a support ticket and attach the detailed system report made by RegRun Reanimator.
  5. To remove Partizan from your computer, open Reanimator.exe, go to "Features", "Partizan".
    Click on the "Remove" button.


Rogue SW: Triunfo Reanimator (scam shitware)
Source (site flagged as untrustworthy on wot.com!) Careful!

Triunfo Reanimator removal instructions
Triunfo Reanimator is one of the latest versions of the fake anti-spyware software Reanimator that is endangering the computer world.
Triunfo Reanimator usually installs itself on your PC without your permission, along with the Vundo Trojan, viruses or fake software. Triunfo Reanimator displays fake system alerts or fake security alerts to trick the user into buying the paid version of Triunfo Reanimator in order to remove the supposed, reported problems. Likely error messages include: "Windows has detected a spyware infection! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer against spyware!" Not only does it slow your machine down dramatically, it would also put your privacy and data at risk.

Download the SpyHunter* Spyware Detection Utility.

Manual removal instructions:

Stop the Triunfo Reanimator processes:
Triunfo Reanimator.exe

Find and delete these Triunfo Reanimator files:
Triunfo Reanimator.exe
Triunfo Reanimator.lnk
Triunfo Reanimator.url
Uninstall Triunfo Reanimator.lnk

Remove the Triunfo Reanimator registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\triunfo Reanimator

Friday, October 10, 2008

Removing SpySheriff

Source
In Windows Update, download all critical and security updates.
Then follow these steps:
1) Turn off System Restore
2) Show hidden files
3) Run at least 2 of these online antivirus scanners
4) Reboot into Safe Mode
5) From Control Panel / Add or Remove Programs, uninstall if present:
SpySheriff
6) Run HijackThis with all programs closed and fix:
O4 - HKLM\..\Run: [MS taskbar] taskbars.exe
O4 - HKLM\..\RunServices: [MS taskbar] taskbars.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [MS taskbar] taskbars.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

7) Find and delete these files and/or folders:
C:\Program Files\SpySheriff\

C:\WINDOWS\System32\bcmwltry.exe
       taskbars.exe

C:\winstall.exe

C:\WINDOWS\System32\vbsys2.dll

For files that refuse to be deleted, use KillBox
8) Clean the registry with RegSeeker and run an updated Ad-Aware.
9) Delete cookies and temporary Internet files with Disk Cleaner and empty the Recycle Bin.
10) Reboot normally


Install SpywareBlaster 3.4, update it and click "Enable All Protection".

How to remove Andromeda AntiVirus

Source
Screen shot of Andromeda AntiVirus

Andromeda AntiVirus is a new rogue anti-spyware program that displays false and exaggerated results that cannot be removed unless you first purchase the software. When installed, Andromeda AV will create 8 harmless files on your computer with the filenames:

c:\WINDOWS\system32\bprint.exe
c:\WINDOWS\system32\hinetres.dll
c:\WINDOWS\system32\rpthreadVC.dll
c:\WINDOWS\system32\settings
c:\WINDOWS\system32\thunk.dll
c:\WINDOWS\system32\vclipsrv.exe
c:\WINDOWS\system32\dllcache\cpifmgr.dll
c:\WINDOWS\system32\dllcache\tmswdat10.dll


Symptoms that may be in a HijackThis Log:
O23 - Service: Andromeda AV (AndromedaAVService) - Unknown owner - C:\WINDOWS\system32\AndromedaAv.exe
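As an added example (my own code, not from either removal guide), a Python triage script that parses HijackThis O4/O16/O21/O23 lines and flags the entries quoted in the SpySheriff and Andromeda AntiVirus notes above; the log lines are constructed, and the indicator sets, regexes and function names are assumptions of mine.

```python
import re

# Indicators quoted in the SpySheriff and Andromeda AntiVirus notes above
KNOWN_BAD_FILES = {"taskbars.exe", "winstall.exe", "spysheriff.exe", "vbsys2.dll",
                   "eied_s7.cab", "ex.cab", "andromedaav.exe"}
KNOWN_BAD_CLSIDS = {"{24311111-1111-1121-1111-111191113457}",
                    "{33331111-1111-1111-1111-611111193457}",
                    "{33331111-1111-1111-1111-611111193458}",
                    "{54645654-2225-4455-44A1-9F4543D34545}"}
KNOWN_BAD_SERVICES = {"andromedaavservice"}

CLSID = r"(\{[0-9A-Fa-f-]+\})"
PATTERNS = {  # section -> (regex over the text after "Oxx - ", field names)
    "O4": (r"(.*?): \[(.*?)\] (.*)", ("key", "name", "path")),
    "O16": (r"DPF: " + CLSID + r"(?: \(.*?\))? - (.*)", ("clsid", "path")),
    "O21": (r"SSODL: (.*?) - " + CLSID + r" - (.*)", ("name", "clsid", "path")),
    "O23": (r"Service: (.*?) \((.*?)\) - (.*?) - (.*)", ("name", "service", "owner", "path")),
}

def parse_line(line):
    """Turn one HijackThis log line into a dict; returns None for sections we do not parse."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m or m.group(1) not in PATTERNS:
        return None
    section, rest = m.groups()
    regex, fields = PATTERNS[section]
    entry = {"section": section, "raw": line.strip(), "path": "", "clsid": "", "service": ""}
    m2 = re.match(regex, rest)
    if m2:
        entry.update(zip(fields, m2.groups()))
    return entry

def basename(path):
    # the path field may be a bare file name, a Windows path or a file:// URL
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def triage(entry):
    """List the reasons an entry matches the indicators; an empty list means no known-bad match."""
    reasons = []
    if basename(entry["path"]) in KNOWN_BAD_FILES:
        reasons.append("file name listed in the removal notes")
    if entry["clsid"].upper() in KNOWN_BAD_CLSIDS:
        reasons.append("CLSID listed in the removal notes")
    if entry["service"].lower() in KNOWN_BAD_SERVICES:
        reasons.append("service name listed in the removal notes")
    if entry["section"] == "O16" and entry["path"].lower().startswith("file://"):
        reasons.append("ActiveX download (DPF) points at a local file rather than a web URL")
    return reasons

def triage_log(text):
    """Return [(raw_line, reasons)] for every parsed line matching at least one indicator."""
    entries = filter(None, (parse_line(l) for l in text.splitlines()))
    return [(e["raw"], triage(e)) for e in entries if triage(e)]

# Constructed sample log: two benign entries mixed with the entries quoted on this page
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKLM\..\Run: [MS taskbar] taskbars.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Example control) - http://example.com/ctl.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Andromeda AV (AndromedaAVService) - Unknown owner - C:\WINDOWS\system32\AndromedaAv.exe
"""

if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw, "->", "; ".join(reasons))
```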

Tools Needed for this fix:

Thursday, October 9, 2008

Use browser security add-ons!

Why should users...?

Because when you search online for software or services, links to malware or rogue software are around.
Because when you click on a page or link, malware or rogue installers are around too.

So which browser security add-ons do you use?
We had a discussion at Calendar of Updates in September 2007, and I am bumping it today by updating which browser security add-ons are still effective and which new add-ons are also effective: Read it!