Windows Functionality Checker

[MalwareBot]

Windows Functionality Checker est un rogue (faux anti-spyware) qui s'installe sans permission, le malware affiche de fausses alertes vous indiquant que vous êtes infecté par un spyware et vous recommande d'acheter ce faux anti-spyware pour soit disant désinfecter votre ordinateur.

Pour supprimer le rogue suivre les indications de la page suivante : supprimer-les-rogues-scareware-t5472.html





et bien sûr il faut payer pour supprimer les infections imaginaires

[Malekal_morte]

Les fichiers ajoutés :

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
Type: REG_SZ
Data: C:\Documents and Settings\Mak\Application Data\Protector-orq.exe

qui se charge par clef Run :

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
Type: REG_SZ
Data: C:\Documents and Settings\Mak\Application Data\Protector-orq.exe

Le malware ajoute des clefs Image File Execution Options qui peuvent empécher le chargement des antivirus exemple :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe

Exemples d'alertes :

Potential malware detected.
It is recommended to activate the protection and perform a thorough system scan to remove the malware.

Serious slowdown in system performance.
To eliminate the causes, full check is recommended.

Serious slowdown in system performance.
To eliminate the causes, full check is recommended.

Quelques autres alertes :

There's a suspicious software running on your PC.
For more details, run a system file check.

Potential malware detected.
It is recommended to activate the protection and perform a thorough system scan to remove the malware.

Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.

Attempt to modify registry key entries detected.
Registry entry analysis is recommended.

Attempt to run a potentially dangerous script detected.
Full system scan is highly recommended.

System data security is at risk!
To prevent potential PC errors, run a full system scan.

Keylogger activity detected. System information security is at risk.

It is recommended to activate protection and run a full system scan.

Trojan activity detected. System data security is at risk.
It is recommended to activate protection and run a full system scan.

Programs classified as Trojan download and install new versions of malicious programs, including Trojans and AdWare, on victim computers.
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer performance, but which cannot be classified under any of the behaviours identified above.

et aussi une alerte Firewall has blocked a program from accessing internet avec un fond gris derrière.
Mais le PC n'est pas bloqué :



et même des alertes sur la SOPA :


Côté désinfection, RogueKiller fait le job.

RogueKiller V7.1.0 [15/02/2012] par Tigzy
mail: tigzyRK<at>gmail<dot>com
Remontees: http://www.sur-la-toile.com/discussion- ... ntees.html
Blog: http://tigzyrk.blogspot.com

Systeme d'exploitation: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Demarrage : Mode normal
Utilisateur: Mak [Droits d'admin]
Mode: Suppression -- Date: 18/02/2012 20:32:14

¤¤¤ Processus malicieux: 1 ¤¤¤
[SUSP PATH] Protector-orq.exe -- C:\Documents and Settings\Mak\Application Data\Protector-orq.exe -> KILLED [TermProc]

¤¤¤ Entrees de registre: 757 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Inspector (C:\Documents and Settings\Mak\Application Data\Protector-orq.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : ackwin32.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : Ad-Aware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : adaware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : advxdwin.exe (svchost.exe) -> DELETED
[..]
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Fichiers / Dossiers particuliers: ¤¤¤

¤¤¤ Driver: [CHARGE] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ Fichier HOSTS: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: VMware Virtual IDE Hard Drive +++++
--- User ---
[MBR] 0b3f2c19a288a19aca69e293c07efb06
[BSP] 63c9c941ff43fd9a1d68d3be0623ce40 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 8181 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Termine : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt