Author Topic: System Healer (Read 1257 times)

Posted by chantal11 (Windows 10 - Windows 8 - Windows 7 - Windows Vista)

System Healer
« on: October 19, 2017, 16:29:20 »
Content republished with permission from Malwarebytes

System Healer is a fake cleaner/optimizer: it deliberately displays false positives to convince users that their system has problems and push them into buying the software.
More info: Registry Cleaners: Digital Snake Oil | Malwarebytes Labs



  • Installs itself as a program, either without the user's knowledge, because the user did not untick the sponsored offers bundled with a legitimate free program's installer, or directly from the publisher's website

  • Displays these alerts during installation

  • Displays these screens while it runs



  • Creates this icon in the taskbar, on the desktop and in the Start menu

  • Creates these scheduled tasks








**********

Detection of System Healer in FRST reports:

Quote
System Healer (HKLM-x32\...\SystemHealer_is1) (Version: 4.4.0.3 - SystemHealer)
Task: {380B6879-EC7D-43F3-ABAF-3E445AE73FE1} - System32\Tasks\{797E7947-080C-7D79-7E11-790C0C791179} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAOwA7ACAAOwA7ACAAOwA7ADsAIAA7ACAAOwAgACAAIAAgADsAOwAgADsAIAA7ACAAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA (the data entry has 10112 more characters).
Task: {64630517-7171-4191-851F-CB0FD50AEDD4} - System32\Tasks\SystemHealer Task => C:\Program Files (x86)\SystemHealer\RescueMonitor.exe [2017-09-12] ()
Task: {92F7FABC-FAAB-434B-9BF3-302E5C4C7195} - System32\Tasks\SystemHealer Run Delay => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2017-09-12] ()
Task: {99A76278-74FF-462F-9D05-232DD1F1C3C6} - System32\Tasks\SystemHealer Monitor => C:\Program Files (x86)\SystemHealer\HealerConsole.exe [2017-09-12] ()
Task: {B544A224-833D-4E79-A01E-55F82594FF32} - System32\Tasks\System HealerPeriod => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2017-09-12] ()
Task: {E941C75D-D6B7-4742-8FFE-8630DF08C36E} - System32\Tasks\System HealerStartUp => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2017-09-12] ()
Task: C:\Windows\Tasks\System HealerPeriod.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe
Task: C:\Windows\Tasks\System HealerStartUp.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe

() C:\Program Files (x86)\SystemHealer\SystemHealer.exe
() C:\Program Files (x86)\SystemHealer\RescueMonitor.exe
C:\ProgramData\65502caa-4b67-0
C:\ProgramData\65502caa-2ca3-1
C:\Windows\System32\Tasks\System HealerPeriod
C:\Windows\System32\Tasks\System HealerStartUp
C:\Windows\Tasks\System HealerStartUp.job
C:\Windows\Tasks\System HealerPeriod.job
C:\Users\{Nom_Utilisateur}\AppData\Roaming\System Healer
C:\Program Files (x86)\SystemHealer
C:\Windows\System32\Tasks\{797E7947-080C-7D79-7E11-790C0C791179}
C:\Windows\System32\Tasks\SystemHealer Task
C:\Windows\System32\Tasks\SystemHealer Monitor
C:\Windows\System32\Tasks\SystemHealer Run Delay
C:\Users\{Nom_Utilisateur}\Desktop\Launch System Healer.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer
C:\ProgramData\65502caa-60f3-1
C:\ProgramData\65502caa-1aa1-0

**********

Detected and handled by Malwarebytes as a PUP (Potentially Unwanted Program)
With the Premium version, Malwarebytes blocks access to the domain ukhealer.net and the IP 81.171.14.67

Quote
-Scan Details-
Process: 3
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\RescueMonitor.exe, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.exe, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE, Quarantined, [980], [116850],1.0.2811

Module: 1
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.exe, Quarantined, [980], [182463],1.0.2811

Registry Key: 18
PUP.Optional.SystemHealer, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{797E7947-080C-7D79-7E11-790C0C791179}, Quarantined, [980], [-1],0.0.0
PUP.Optional.SystemHealer, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{380B6879-EC7D-43F3-ABAF-3E445AE73FE1}, Quarantined, [980], [-1],0.0.0
PUP.Optional.SystemHealer, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{380B6879-EC7D-43F3-ABAF-3E445AE73FE1}, Quarantined, [980], [-1],0.0.0
PUP.Optional.SystemHealer, HKCU\SOFTWARE\SYSTEM HEALER, Quarantined, [980], [261796],1.0.2811
Adware.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564, Quarantined, [1728], [424293],1.0.2811
PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\TASKENG.EXE, Quarantined, [5380], [425125],1.0.2811
PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE, Quarantined, [5380], [425124],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{64630517-7171-4191-851F-CB0FD50AEDD4}, Quarantined, [980], [258707],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{92F7FABC-FAAB-434B-9BF3-302E5C4C7195}, Quarantined, [980], [258707],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\System HealerPeriod, Quarantined, [980], [252787],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{99A76278-74FF-462F-9D05-232DD1F1C3C6}, Quarantined, [980], [258707],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B544A224-833D-4E79-A01E-55F82594FF32}, Quarantined, [980], [258706],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E941C75D-D6B7-4742-8FFE-8630DF08C36E}, Quarantined, [980], [258706],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\System HealerStartUp, Quarantined, [980], [252787],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SystemHealer Monitor, Quarantined, [980], [252788],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SystemHealer Run Delay, Quarantined, [980], [252788],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SystemHealer_is1, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SystemHealer Task, Quarantined, [980], [252788],1.0.2811

Registry Value: 9
PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\%SYSTEMROOT%_SYSTEM32_WINDOWSPOWERSHELL_V1.0_POWERSHELL.EXE|WINDOWPOSITION, Quarantined, [5380], [425126],1.0.2811
PUP.Optional.SystemHealer, HKCU\SOFTWARE\SYSTEM HEALER|CARTURL, Quarantined, [980], [261796],1.0.2811
PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\TASKENG.EXE|WINDOWPOSITION, Quarantined, [5380], [425125],1.0.2811
PUP.Optional.PSScriptLoad.ACMB3, HKCU\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE|WINDOWPOSITION, Quarantined, [5380], [425124],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{64630517-7171-4191-851F-CB0FD50AEDD4}|PATH, Quarantined, [980], [258707],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{92F7FABC-FAAB-434B-9BF3-302E5C4C7195}|PATH, Quarantined, [980], [258707],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{99A76278-74FF-462F-9D05-232DD1F1C3C6}|PATH, Quarantined, [980], [258707],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B544A224-833D-4E79-A01E-55F82594FF32}|PATH, Quarantined, [980], [258706],1.0.2811
PUP.Optional.SystemHealer, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E941C75D-D6B7-4742-8FFE-8630DF08C36E}|PATH, Quarantined, [980], [258706],1.0.2811

Registry Data: 4
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [1728], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, Replaced, [1728], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{EDB0D6D8-B1F7-496F-A023-44DF7155F1CD}|NameServer, Replaced, [1728], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{EDB0D6D8-B1F7-496F-A023-44DF7155F1CD}|DhcpNameServer, Replaced, [1728], [-1],0.0.0

Data Stream: 0
(No malicious items detected)

Folder: 9
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\WL, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\USERS\{username}\APPDATA\ROAMING\SYSTEM HEALER, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SYSTEM HEALER, Quarantined, [980], [181295],1.0.2811
PUP.Optional.SystemHealer, C:\PROGRAM FILES (X86)\SYSTEMHEALER, Quarantined, [980], [182463],1.0.2811
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-1aa1-0, Quarantined, [8358], [407181],1.0.2811
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-2ca3-1, Quarantined, [8358], [407181],1.0.2811
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-4b67-0, Quarantined, [8358], [407181],1.0.2811
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\65502caa-60f3-1, Quarantined, [8358], [407181],1.0.2811

File: 44
PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\System HealerPeriod, Quarantined, [980], [252783],1.0.2811
PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\{797E7947-080C-7D79-7E11-790C0C791179}, Quarantined, [980], [-1],0.0.0
PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\System HealerStartUp, Quarantined, [980], [252783],1.0.2811
PUP.Optional.SystemHealer, C:\USERS\{username}\DESKTOP\LAUNCH SYSTEM HEALER.LNK, Quarantined, [980], [252782],1.0.2811
PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\SystemHealer Monitor, Quarantined, [980], [252784],1.0.2811
PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\SystemHealer Run Delay, Quarantined, [980], [252784],1.0.2811
PUP.Optional.SystemHealer, C:\WINDOWS\SYSTEM32\TASKS\SystemHealer Task, Quarantined, [980], [252784],1.0.2811
PUP.Optional.Amonetize.Gen, C:\PROGRAMDATA\65502caa-2ca3-1\BITD931.tmp, Quarantined, [14727], [257931],1.0.2811
PUP.Optional.Amonetize.Gen, C:\PROGRAMDATA\65502caa-4b67-0\BITD961.tmp, Quarantined, [14727], [257931],1.0.2811
PUP.Optional.SystemHealer, C:\WINDOWS\TASKS\System HealerPeriod.job, Quarantined, [980], [252785],1.0.2811
PUP.Optional.SystemHealer, C:\WINDOWS\TASKS\System HealerStartUp.job, Quarantined, [980], [252785],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Danish.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Dutch.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\English.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\EnglishPC.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\French.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\German.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Italian.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Norwegian.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Parameters.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Portuguese.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Spanish.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\Swedish.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\Languages\tmpLang.json, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\CallBanner.png, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\Users\{username}\AppData\Roaming\System Healer\FinishedScan.png, Quarantined, [980], [181294],1.0.2811
PUP.Optional.SystemHealer, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer\Launch System Healer.lnk, Quarantined, [980], [181295],1.0.2811
PUP.Optional.SystemHealer, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer\System Healer on the Web.url, Quarantined, [980], [181295],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\HealerConsole.exe, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\RescueMonitor.exe, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.exe, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\SystemHealer.ini, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\unins000.dat, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\unins000.exe, Quarantined, [980], [182463],1.0.2811
PUP.Optional.SystemHealer, C:\Program Files (x86)\SystemHealer\unins000.msg, Quarantined, [980], [182463],1.0.2811
PUP.Optional.BitsInstall.BITSRST, C:\ProgramData\65502caa-1aa1-0\65502caa-1aa1-0.d, Quarantined, [8358], [407181],1.0.2811
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Delete-on-Reboot, [8358], [-1],0.0.0
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Delete-on-Reboot, [8358], [-1],0.0.0
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT, Quarantined, [8358], [-1],0.0.0
PUP.Optional.BitsInstall.BITSRST, C:\PROGRAMDATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT, Quarantined, [8358], [-1],0.0.0
PUP.Optional.BitsInstall.BITSRST, C:\ProgramData\65502caa-60f3-1\65502caa-60f3-1.d, Quarantined, [8358], [407181],1.0.2811
PUP.Optional.SystemHealer, C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE, Quarantined, [980], [116850],1.0.2811
PUP.Optional.SystemHealer, C:\USERS\{username}\DESKTOP\SYSTEMHEALER.EXE, Quarantined, [980], [434913],1.0.2811
PUP.Optional.SystemHealer, C:\USERS\{username}\DESKTOP\SYSTEMHEALERSETUP.EXE, Quarantined, [980], [424479],1.0.2811

Physical Sector: 0
(No malicious items detected)



Illustrated Malwarebytes usage tutorial


Source: Removal instructions for System Healer by Metallica - Malwarebytes Forums



Still infected? Have a question before carrying out any steps?

Post a new topic in this forum: http://forum.security-x.fr/desinfections/ , making sure to follow the procedure at http://forum.security-x.fr/desinfections/procedure-preliminaire/
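As an added example (not part of this post, FRST or Malwarebytes' own tooling), the following Python script triages FRST "Task:" lines like the ones quoted above and reports the persistence traits visible in this report: a task named by a bare GUID, powershell.exe launched with -executionpolicy bypass and a hidden window, an -EncodedCommand blob (base64 over UTF-16LE, decoded even though FRST truncates long entries), and a target inside the SystemHealer directory. The sample lines are copied from the report, except the ExampleVendor task, which is an invented benign entry; the PUP_DIRS list is an assumption seeded only with the directory this report names.

```python
import base64
import re

# Constructed sample: the first three lines are copied from the FRST report
# quoted in this post; the ExampleVendor task is an invented benign entry.
SAMPLE_FRST = r"""
Task: {380B6879-EC7D-43F3-ABAF-3E445AE73FE1} - System32\Tasks\{797E7947-080C-7D79-7E11-790C0C791179} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAOwA7ACAAOwA7ACAAOwA7ADsAIAA7ACAAOwAgACAAIAAgADsAOwAgADsAIAA7ACAAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA (the data entry has 10112 more characters).
Task: {64630517-7171-4191-851F-CB0FD50AEDD4} - System32\Tasks\SystemHealer Task => C:\Program Files (x86)\SystemHealer\RescueMonitor.exe [2017-09-12] ()
Task: C:\Windows\Tasks\System HealerPeriod.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\ExampleVendor Update => C:\Program Files\ExampleVendor\Updater.exe [2017-01-01] (Example Vendor Ltd)
"""

# FRST prints "Task: {id} - <name> => <command>" for cached tasks and "Task: <path>.job => <command>" for legacy jobs.
TASK_RE = re.compile(r"^Task: (?:\{[0-9A-F-]+\} - )?(?P<name>.+?) => (?P<cmd>.+)$", re.I)
GUID_NAME_RE = re.compile(r"\\\{[0-9A-F-]{36}\}$", re.I)
ENCODED_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.I)
PUP_DIRS = ("\\systemhealer\\",)  # assumption: install directory named in this report

def decode_encoded_command(blob: str) -> str:
    """Decode an -EncodedCommand blob (base64 over UTF-16LE), dropping partial trailing units left by truncation."""
    blob = blob[: len(blob) - len(blob) % 4]
    raw = base64.b64decode(blob)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")

def triage_task(line: str):
    """Return (task name, findings) for one FRST 'Task:' line, or None if it is not one."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    low = cmd.lower()
    checks = [
        (GUID_NAME_RE.search(name), "task named by bare GUID"),
        ("powershell" in low and "-executionpolicy bypass" in low, "powershell with execution policy bypass"),
        ("-windowstyle hidden" in low, "hidden window"),
        (any(d in low for d in PUP_DIRS), "target in known PUP directory"),
    ]
    findings = [label for hit, label in checks if hit]
    enc = ENCODED_RE.search(cmd)
    if enc:  # show the start of the real script, past the padding of spaces and semicolons
        preview = decode_encoded_command(enc.group(1)).lstrip(" ;")
        findings.append("encoded command: " + preview[:40])
    return name, findings

def triage_report(text: str) -> dict:
    """Map each suspicious task name to its findings; tasks with no findings are omitted."""
    hits = filter(None, map(triage_task, text.splitlines()))
    return {name: findings for name, findings in hits if findings}
```

On the quoted report, the GUID-named task collects four findings while the two SystemHealer tasks are flagged only for their target directory and the invented benign task is dropped.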