After the winntify.exe infection, which displays an alert through an icon with a crossed-out circle in order to get you to download the rogue WinAntiSpyware 2007 & Privacy Protector, it is now the turn of the rogue WinAntivirus Pro 2007 to have its own infection.

This infection likewise adds an icon with a yellow triangle that displays alerts.

The alert is produced by the file winavxmy.exe.
If you click on the icon, you land on sites that display fake alerts in order to get you to download/buy WinAntivirus Pro 2007.
For example:

The infection adds the following lines in HijackThis:
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2007\winpgi.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2007\IEFWBHO.dll
O4 - HKLM\..\Run: [WinAntiSpyware 2006 Free] "C:\Program Files\WinAntiSpyware 2006 Free\was6.exe" /min
O4 - HKLM\..\Run: [uwas6cw] "C:\Program Files\WinAntiSpyware 2006 Free\uwas6cw.exe" -c
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvX.exe
O4 - HKLM\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [rtasks] C:\Program Files\WinAntiVirus Pro 2007\rtasks.exe
O4 - HKLM\..\Run: [WinAntiVirus Pro 2007] C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe /min
O4 - HKLM\..\RunOnce: [fat.exe] "C:\Program Files\WinAntiVirus Pro 2007\fat.exe"
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvX.exe
O4 - HKCU\..\Run: [uwa7pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe" -c
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfsm.dat
O23 - Service: Background Intelligent Transfer Service BITSUPS (BITSUPS) - Unknown owner - C:\WINDOWS\system32\amcompatx.exe
The entry O20 - AppInit_DLLs: C:\WINDOWS\system32\perfsm.dat is probably a variant of O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat (perfc000.dat / Trojan.Crypt.XPACK.Gen).
- The infection disables the Registry Editor: when launching regedit.exe you may get the message "Registry editing has been disabled by your administrator".
- The infection disables Task Manager: when pressing CTRL+ALT+Del you may get the message "Task Manager has been disabled by your administrator".
- While the infection installs, if you are running Process Explorer, it may have been killed.
Note that you can restore Task Manager and the Registry Editor as follows; the infection should nevertheless be cleaned first:
- Download Activer_regedit_taskmgr.reg
- Disable all protection software: AVG Anti-Spyware, Doctor Spyware, SpySweeper, etc.
- Double-click Activer_regedit_taskmgr.reg and accept the import of the data into the registry
- Restart the computer
The Windows HOSTS file is modified so that the antivirus vendors' sites can no longer be reached and, above all, to prevent your antivirus from updating.
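To spot this kind of HOSTS tampering during triage, here is an added Python example (not code from the original post); the sample HOSTS content and the vendor keyword list are constructed for the demonstration, modelled on the entries the post reports.

```python
import ipaddress
import re

# Constructed sample in the style of the post's findings (not the real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.200.3 liveupdate.symantec.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 http://www.avp.ch
192.168.200.3 ad.doubleclick.net
::1 localhost
"""

# Substrings of AV-vendor / scanner hostnames a defender would watch for.
# Assumption: a clean Windows HOSTS file never references these at all.
AV_VENDOR_MARKERS = ("symantec", "kaspersky", "mcafee", "sophos", "avp.",
                     "f-secure", "trendmicro", "virustotal", "nai.com",
                     "grisoft", "norton", "ca.com")

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            # The rogue wrote entries such as "http://www.avp.ch"; strip the scheme
            # so the hostname compares cleanly.
            name = re.sub(r"^https?://", "", name, flags=re.I).lower()
            entries.append((parts[0], name))
    return entries

def _is_sinkhole(ip):
    """Loopback/unspecified targets only block; anything else redirects traffic."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text):
    """Flag AV-vendor hostnames in HOSTS, tagged 'block' (sinkhole) or 'hijack'."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(marker in name for marker in AV_VENDOR_MARKERS):
            hits.append((ip, name, "block" if _is_sinkhole(ip) else "hijack"))
    return hits
```

A 'hijack' result means update traffic is being sent to a third-party host rather than merely dropped, which is the case the post describes.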
Finally, here is a scan of the files dated 14 July:
You can see that Avast! does not detect the files.
That is why I recommend Antivir rather than Avast!; see the two topics:
* Avast! VS Antivir
* Un point sur les antivirus (an overview of antivirus products)
File winavx.exe received on 07.14.2007 12:56:19 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.14 no virus found
AntiVir 7.4.0.39 2007.07.13 HEUR/Malware
Authentium 4.93.8 2007.07.13 no virus found
Avast 4.7.997.0 2007.07.13 no virus found
AVG 7.5.0.476 2007.07.13 no virus found
BitDefender 7.2 2007.07.14 Generic.Malware.SP!DYVd!wdldspg.2119ABBC
CAT-QuickHeal 9.00 2007.07.14 no virus found
ClamAV devel-20070416 2007.07.14 no virus found
DrWeb 4.33 2007.07.14 no virus found
eSafe 7.0.15.0 2007.07.10 suspicious Trojan/Worm
eTrust-Vet 30.8.3784 2007.07.14 no virus found
Ewido 4.0 2007.07.14 no virus found
FileAdvisor 1 2007.07.14 no virus found
Fortinet 2.91.0.0 2007.07.14 no virus found
F-Prot 4.3.2.48 2007.07.13 W32/NewMalware-Rootkit-PX-based!Maximus
Ikarus T3.1.1.8 2007.07.14 no virus found
Kaspersky 4.0.2.24 2007.07.14 no virus found
McAfee 5074 2007.07.13 New Malware
Microsoft 1.2704 2007.07.14 no virus found
NOD32v2 2398 2007.07.14 no virus found
Norman 5.80.02 2007.07.13 no virus found
Panda 9.0.0.4 2007.07.13 Suspicious file
Sophos 4.19.0 2007.07.06 no virus found
Sunbelt 2.2.907.0 2007.07.14 no virus found
Symantec 10 2007.07.14 no virus found
TheHacker 6.1.6.146 2007.07.13 no virus found
VBA32 3.12.0.2 2007.07.13 no virus found
VirusBuster 4.3.23:9 2007.07.13 no virus found
Webwasher-Gateway 6.0.1 2007.07.14 Heuristic.Malware
Aditional information
File size: 18944 bytes
MD5: 9c74faf97efede878de8f34952a36b04
SHA1: 583fcd99ceac4ee8a4be2951295b7a4dcc103cf1
File perfsm.dat received on 07.14.2007 12:56:34 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.14 Win-Trojan/Agent.6144.BP
AntiVir 7.4.0.39 2007.07.13 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.07.13 no virus found
Avast 4.7.997.0 2007.07.13 no virus found
AVG 7.5.0.476 2007.07.13 no virus found
BitDefender 7.2 2007.07.14 no virus found
CAT-QuickHeal 9.00 2007.07.14 no virus found
ClamAV devel-20070416 2007.07.14 no virus found
DrWeb 4.33 2007.07.14 Trojan.Proxy.1939
eSafe 7.0.15.0 2007.07.10 Suspicious Trojan/Worm
eTrust-Vet 30.8.3784 2007.07.14 no virus found
Ewido 4.0 2007.07.14 no virus found
FileAdvisor 1 2007.07.14 no virus found
Fortinet 2.91.0.0 2007.07.14 no virus found
F-Prot 4.3.2.48 2007.07.13 no virus found
Ikarus T3.1.1.8 2007.07.14 no virus found
Kaspersky 4.0.2.24 2007.07.14 Trojan.Win32.Agent.ali
McAfee 5074 2007.07.13 no virus found
Microsoft 1.2704 2007.07.14 no virus found
NOD32v2 2398 2007.07.14 no virus found
Norman 5.80.02 2007.07.13 W32/Agent.BVLY
Panda 9.0.0.4 2007.07.13 Suspicious file
Sophos 4.19.0 2007.07.06 no virus found
Sunbelt 2.2.907.0 2007.07.14 no virus found
Symantec 10 2007.07.14 Trojan.Perfcoo
TheHacker 6.1.6.146 2007.07.13 no virus found
VBA32 3.12.0.2 2007.07.13 no virus found
VirusBuster 4.3.23:9 2007.07.13 no virus found
Webwasher-Gateway 6.0.1 2007.07.14 Trojan.Crypt.XPACK.Gen
Aditional information
File size: 6144 bytes
MD5: c6a79ce192fb02f6c136d92c76fad13a
SHA1: d01bc02d0a3a7201be7033b8ccc7fc15d9bbe92d
The drivers used by WinAntivirus Pro 2007:
%windir%\system32\drivers\fopn.sys
%windir%\system32\drivers\uwasfsd.sys
File uwasfsd.sys received on 07.14.2007 13:41:20 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.14 no virus found
AntiVir 7.4.0.39 2007.07.13 no virus found
Authentium 4.93.8 2007.07.13 no virus found
Avast 4.7.997.0 2007.07.13 no virus found
AVG 7.5.0.476 2007.07.13 no virus found
BitDefender 7.2 2007.07.14 Application.Winfixer.BF
CAT-QuickHeal 9.00 2007.07.14 no virus found
ClamAV devel-20070416 2007.07.14 no virus found
DrWeb 4.33 2007.07.14 no virus found
eSafe 7.0.15.0 2007.07.10 no virus found
eTrust-Vet 30.8.3784 2007.07.14 no virus found
Ewido 4.0 2007.07.14 no virus found
FileAdvisor 1 2007.07.14 no virus found
Fortinet 2.91.0.0 2007.07.14 Misc/WinFixer
F-Prot 4.3.2.48 2007.07.13 no virus found
Ikarus T3.1.1.8 2007.07.14 no virus found
Kaspersky 4.0.2.24 2007.07.14 no virus found
McAfee 5074 2007.07.13 potentially unwanted program Winfixer
Microsoft 1.2704 2007.07.14 Program:Win32/WinSoftware.WinAntiSpyware
NOD32v2 2399 2007.07.14 no virus found
Norman 5.80.02 2007.07.13 no virus found
Panda 9.0.0.4 2007.07.13 Generic Malware
Sophos 4.19.0 2007.07.06 no virus found
Sunbelt 2.2.907.0 2007.07.14 WinAntiSpyware
Symantec 10 2007.07.14 WinAntiSpyware
TheHacker 6.1.6.146 2007.07.13 no virus found
VBA32 3.12.0.2 2007.07.13 no virus found
VirusBuster 4.3.23:9 2007.07.13 no virus found
Webwasher-Gateway 6.0.1 2007.07.14 Win32.Malware.gen!80 (suspicious)
Aditional information
File size: 11776 bytes
MD5: c3663c9d9a3b81d6781f92ae20fd05c9
SHA1: 892d486d9c361afb9d0a4f96c0d7c0b40e613659
Sunbelt info: WinAntiSpyware is a rogue anti-spyware product which pesters users with scareware tactics to purchase the product.
File fopn.sys received on 07.14.2007 13:40:21 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.14 no virus found
AntiVir 7.4.0.39 2007.07.13 APPL/Winfixer.46592
Authentium 4.93.8 2007.07.13 no virus found
Avast 4.7.997.0 2007.07.13 no virus found
AVG 7.5.0.476 2007.07.13 Potentially harmful program WinFixer.IV
BitDefender 7.2 2007.07.14 Adware.Winantivirus.L
CAT-QuickHeal 9.00 2007.07.14 no virus found
ClamAV devel-20070416 2007.07.14 no virus found
DrWeb 4.33 2007.07.14 no virus found
eSafe 7.0.15.0 2007.07.10 no virus found
eTrust-Vet 30.8.3784 2007.07.14 no virus found
Ewido 4.0 2007.07.14 no virus found
FileAdvisor 1 2007.07.14 no virus found
Fortinet 2.91.0.0 2007.07.14 Misc/WinFixer
F-Prot 4.3.2.48 2007.07.13 no virus found
Ikarus T3.1.1.8 2007.07.14 no virus found
Kaspersky 4.0.2.24 2007.07.14 no virus found
McAfee 5074 2007.07.13 potentially unwanted program Winfixer
Microsoft 1.2704 2007.07.14 Program:Win32/Winfixer
NOD32v2 2399 2007.07.14 no virus found
Norman 5.80.02 2007.07.13 no virus found
Panda 9.0.0.4 2007.07.13 Generic Malware
Sophos 4.19.0 2007.07.06 no virus found
Sunbelt 2.2.907.0 2007.07.14 WinSoftware Corporation, Inc. (v)
Symantec 10 2007.07.14 WinFixer
TheHacker 6.1.6.146 2007.07.13 no virus found
VBA32 3.12.0.2 2007.07.13 no virus found
VirusBuster 4.3.23:9 2007.07.13 no virus found
Webwasher-Gateway 6.0.1 2007.07.14 Riskware.Winfixer.46592
Aditional information
File size: 52432 bytes
MD5: a72576b9eb1c4e950e45cae0d91c3a02
SHA1: 63178366e402e93db036dbc04f6b504263a18ae9