Contenu republié avec la permission de Malwarebytes (https://forums.malwarebytes.org/index.php?showforum=39)
Weather Forecast Alerts est un Browser Hijacker (pirate de navigateur) qui modifie les paramètres du navigateur (page d’accueil , page de recherche, ....) afin de forcer la consultation du site ciblé et affiche aussi des publicités.
Weather Forecast Alerts appartient à la famille Spigot (Spigot browser hijackers (https://blog.malwarebytes.com/puppum/2017/02/spigot-browser-hijackers/))
- S'installe en tant que programme, soit à l'insu de l'utilisateur ou parce qu'il n'a pas décoché les sponsors proposés lors de l'installation d'un logiciel gratuit légitime, soit depuis le site de l'éditeur
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/warning4.png&key=f310562eb1221b7e5c5aebe5d57974448e2188c4b643f97476376f06d81bb677)
- Affiche ces alertes pendant l'installation
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/warning1.png&key=f2f50d15242ade6c0c98f247aeb64d7c8c84ca00acd3f8f5313a786992684ee0)
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/warning8.png&key=b43288d11a1e4b602cbaccb64a9293e7551c255d83f82f4b2245d6d97f716efc)
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/warning2.png&key=6d6e440e73151948f3b4124ba57d3d0d6628124d34f1e4f8c3bcf8ae66c0b529)
- S'installe en tant qu'extension/add-on du navigateur
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/warning5.png&key=9fb49dcbddea0114055309ceb6651b3fffc065510eaaacb8d887fabb8e31a6c5)
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/warning9.png&key=b8fd6953cff180d75ca3c5b268a0183a4ce15ab0b4ed9d136ce1d14604938022)
- Affiche cette page de démarrage dans le navigateur
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/startpage.png&key=cf2044e332c14051fb4bfdb73e73741da06bd0bf51c13abd1defb88baf610068)
- Paramètre un nouveau moteur de recherche par défaut
(https://forums.malwarebytes.com/applications/core/interface/imageproxy/imageproxy.php?img=https://static-cdn.malwarebytes.org/pub_images/WeatherForecastAlerts/warning7.png&key=d1744746f687470366062696813ebd1864f1d0e28e0efc29249b0bff18e2d19b)
**********
Détection de Weather Forecast Alerts dans des rapports FRST :
Weather Forecast Alerts (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 3.1.0.2 - Cloud Installer)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.searchwfa.com/?source=unknown-bb8&uid=4fd16a1b-cc85-4510-8a6a-868ac384fd31&uc=20170831&ap=appfocus5&i_id=weather__1.30
SearchScopes: HKCU -> DefaultScope {9351B432-8D1E-42E1-A839-C2CDE60408A6} URL = hxxp://search.searchwfa.com/s?source=unknown-bb8&uid=4fd16a1b-cc85-4510-8a6a-868ac384fd31&uc=20170831&ap=appfocus5&i_id=weather__1.30&query={searchTerms}
SearchScopes: HKCU -> {9351B432-8D1E-42E1-A839-C2CDE60408A6} URL = hxxp://search.searchwfa.com/s?source=unknown-bb8&uid=4fd16a1b-cc85-4510-8a6a-868ac384fd31&uc=20170831&ap=appfocus5&i_id=weather__1.30&query={searchTerms}
FF Homepage: hxxp://search.searchwfa.com?uid=c67e3171-e3cc-444f-a692-ceaa1910bbd6&uc=20170831&ap=appfocus5&source=unknown&page=homepage&implementation_id=weather_0.0.9
FF Extension: Weather - C:\Users\{Nom_Utilisateur}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\Extensions\@Weather.xpi [2017-08-31]
CHR Extension: (Weather Forecast Alerts) - C:\Users\{Nom_Utilisateur}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced [2017-08-31]
C:\Users\{Nom_Utilisateur}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
**********
Détecté et traité par Malwarebytes en tant que PUP/LPI (Programme potentiellement Indésirable)
Sous la version Premium, Malwarebytes bloque le domaine weatherforecastalerts.com et l'IP 54.185.205.158
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 2
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [633], [373879],1.0.2694
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9351B432-8D1E-42E1-A839-C2CDE60408A6}, Delete-on-Reboot, [1921], [368913],1.0.2694
Registry Value: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9351B432-8D1E-42E1-A839-C2CDE60408A6}|URL, Delete-on-Reboot, [1921], [368913],1.0.2694
Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [1921], [373048],1.0.2694
Data Stream: 0
(No malicious items detected)
Folder: 14
PUP.Optional.LocalWeatherPro, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\jetpack\@Weather\simple-storage, Delete-on-Reboot, [2680], [351474],1.0.2694
PUP.Optional.LocalWeatherPro, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\JETPACK\@WEATHER, Delete-on-Reboot, [2680], [351474],1.0.2694
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Delete-on-Reboot, [633], [373878],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\_locales\en, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\html\popup, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\_metadata, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\js\popup, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\_locales, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\newtab, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\html, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\css, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\js, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HOOKKLGBMGFFGEEFBNHHNBMCOBHCGCED, Delete-on-Reboot, [1921], [362981],1.0.2694
File: 21
Trojan.TechSupportScam, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\EXTENSIONS\@WEATHER.XPI, Delete-on-Reboot, [77], [351507],1.0.2694
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_weatherforecastalerts.com_0.localstorage, Delete-on-Reboot, [633], [376102],1.0.2694
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\http_weatherforecastalerts.com_0.localstorage-journal, Delete-on-Reboot, [633], [376102],1.0.2694
PUP.Optional.LocalWeatherPro, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\jetpack\@Weather\simple-storage\store.json, Delete-on-Reboot, [2680], [351474],1.0.2694
PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [633], [373878],1.0.2694
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\HOOKKLGBMGFFGEEFBNHHNBMCOBHCGCED\2.0_0\BACKGROUND.JS, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\css\description.css, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\css\popup.css, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\html\popup\description.html, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\html\popup\popup.html, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\js\popup\popup.js, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\js\userNewTab.js, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\newtab\newtab.html, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\_locales\en\messages.json, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\contentscript.js, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\icon.png, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\hookklgbmgffgeefbnhhnbmcobhcgced\2.0_0\manifest.json, Delete-on-Reboot, [1921], [362981],1.0.2694
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\PREFS.JS, Replaced, [1921], [361537],1.0.2694
Adware.Agent, C:\USERS\{username}\DESKTOP\WEATHERFORECASTALERTS.EXE, Delete-on-Reboot, [227], [421878],1.0.2694
Physical Sector: 0
(No malicious items detected)
Tutoriel d'utilisation Malwarebytes en images (https://forum.security-x.fr/tutoriels-317/tutoriel-malwarebytes-anti-malware-22723/)
Source : Removal instructions for Weather Forecast Alerts de Metallica - Malwarebytes Forums (https://forums.malwarebytes.com/topic/209406-removal-instructions-for-weather-forecast-alerts/)
Toujours infecté ? Une question avant de faire des manipulations ?
Venez poster un nouveau sujet dans ce forum : http://forum.security-x.fr/desinfections/ en prenant soin de suivre la procédure http://forum.security-x.fr/desinfections/procedure-preliminaire/