Windows Functionality Checker


Windows Functionality Checker

Post by MalwareBot » 18 Feb 2012 21:20

Windows Functionality Checker is a rogue (fake anti-spyware) that installs itself without permission; the malware displays fake alerts telling you that you are infected with spyware and recommends that you buy this fake anti-spyware to supposedly disinfect your computer.

To remove the rogue, follow the instructions on the following page: supprimer-les-rogues-scareware-t5472.html


and of course you have to pay to remove the imaginary infections.


Re: Windows Functionality Checker

Post by Malekal_morte » 18 Feb 2012 21:33

Files added:
C:\Documents and Settings\Mak\Application Data\Protector-orq.exe
which is loaded via a Run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
Type: REG_SZ
Data: C:\Documents and Settings\Mak\Application Data\Protector-orq.exe

The malware adds Image File Execution Options keys that can prevent antivirus programs from loading, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
Examples of alerts:
Potential malware detected.
It is recommended to activate the protection and perform a thorough system scan to remove the malware.
Serious slowdown in system performance.
To eliminate the causes, full check is recommended.

Some other alerts:
There's a suspicious software running on your PC.
For more details, run a system file check.
Potential malware detected.
It is recommended to activate the protection and perform a thorough system scan to remove the malware.
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.
Attempt to modify registry key entries detected.
Registry entry analysis is recommended.
Attempt to run a potentially dangerous script detected.
Full system scan is highly recommended.
System data security is at risk!
To prevent potential PC errors, run a full system scan.
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.
Trojan activity detected. System data security is at risk.
It is recommended to activate protection and run a full system scan.
Programs classified as Trojan download and install new versions of malicious programs, including Trojans and AdWare, on victim computers.
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer performance, but which cannot be classified under any of the behaviours identified above.
and also a "Firewall has blocked a program from accessing internet" alert with a grey background behind it.
But the PC is not locked.

and even alerts about SOPA.

For disinfection, RogueKiller does the job.
RogueKiller V7.1.0 [15/02/2012] par Tigzy
mail: tigzyRK<at>gmail<dot>com
Remontees: http://www.sur-la-toile.com/discussion- ... ntees.html
Blog: http://tigzyrk.blogspot.com

Systeme d'exploitation: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Demarrage : Mode normal
Utilisateur: Mak [Droits d'admin]
Mode: Suppression -- Date: 18/02/2012 20:32:14

¤¤¤ Processus malicieux: 1 ¤¤¤
[SUSP PATH] Protector-orq.exe -- C:\Documents and Settings\Mak\Application Data\Protector-orq.exe -> KILLED [TermProc]

¤¤¤ Entrees de registre: 757 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Inspector (C:\Documents and Settings\Mak\Application Data\Protector-orq.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : ackwin32.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : Ad-Aware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : adaware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : advxdwin.exe (svchost.exe) -> DELETED
[..]
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver: [CHARGE] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: VMware Virtual IDE Hard Drive +++++
--- User ---
[MBR] 0b3f2c19a288a19aca69e293c07efb06
[BSP] 63c9c941ff43fd9a1d68d3be0623ce40 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8181 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Termine : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
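The two registry tricks quoted in the post (a Run value pointing into the user's Application Data folder, and Image File Execution Options subkeys that redirect security tools such as Ad-Aware.exe to svchost.exe) are easy to check for once the relevant values are collected. The script below is an added example, not code from the forum post or from RogueKiller: it runs a heuristic over a constructed `key|valuename|data` text dump modelled on the entries above. The dump format, the `KNOWN_DEBUGGERS` allowlist and the `USER_DATA_RE` pattern are assumptions made for the example; a real check would read the same values with the registry API.

```python
"""
Added example (not from the forum post): flag the Run-key persistence and the
IFEO "Debugger" hijack described above, using a constructed registry dump.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the entries quoted in the post; not a real export.
# Format: key|valuename|data  (assumed for this example).
SAMPLE_DUMP = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Inspector|C:\Documents and Settings\Mak\Application Data\Protector-orq.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe|Debugger|svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe|Debugger|svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe|Debugger|"C:\Program Files\Debugging Tools\windbg.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe|GlobalFlag|0x00000200
"""

# Path prefix of the IFEO key (a raw string cannot end in a backslash, hence the "+").
IFEO_PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"

# Assumed allowlist of binaries that legitimately appear as an IFEO Debugger.
KNOWN_DEBUGGERS = {"windbg.exe", "vsjitdebugger.exe", "ntsd.exe", "cdb.exe"}

# Run keys that auto-start programs at logon (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)

# Locations inside the user profile where a legitimate auto-start binary is unusual
# (the rogue lives in "Application Data" in the post). Assumed heuristic.
USER_DATA_RE = re.compile(r"\\(Application Data|AppData|Local Settings\\Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str   # "suspicious-run-path" or "ifeo-hijack"
    key: str    # registry key the value lives under
    value: str  # Run value name, or the hijacked image name for IFEO
    data: str   # the value's data as found


def parse_dump(text):
    """Split the key|valuename|data dump into (key, name, data) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, name, data = line.split("|", 2)
        entries.append((key, name, data))
    return entries


def analyze(text):
    """Return a list of Findings for the two tricks described in the post."""
    findings = []
    for key, name, data in parse_dump(text):
        # Trick 1: auto-start entry whose target sits in the user's profile data folders.
        if RUN_KEY_RE.match(key) and USER_DATA_RE.search(data):
            findings.append(Finding("suspicious-run-path", key, name, data))
            continue
        # Trick 2: IFEO Debugger value that redirects a program to a non-debugger binary.
        if key.lower().startswith(IFEO_PREFIX.lower()) and name.lower() == "debugger":
            image = key[len(IFEO_PREFIX):]
            # Debugger data may be quoted and may carry a full path; compare the basename.
            debugger = data.strip('"').rsplit("\\", 1)[-1].lower()
            if debugger not in KNOWN_DEBUGGERS:
                findings.append(Finding("ifeo-hijack", key, image, data))
    return findings


def summarize(text):
    """Human-readable one-liners, handy when reviewing a report by hand."""
    return [f"[{f.kind}] {f.value} -> {f.data}" for f in analyze(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DUMP):
        print(line)
```

On the constructed dump this reports the `Inspector` Run value and the `a.exe` and `Ad-Aware.exe` IFEO entries, while leaving the `notepad.exe` entry alone because its Debugger is a recognised debugger and its `GlobalFlag` value is not a redirection at all. Entries under `[..]` in the RogueKiller log would be caught the same way, since the check keys on the Debugger value rather than on a fixed list of antivirus names.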
