Topic: YunPanSer
Author: chantal11
« on: September 13, 2017, 15:30:14 »
Content republished with the permission of Malwarebytes

YunPanSer is a browser hijacker: it changes the browser settings (home page, search page, ...) to force visits to the site it promotes, and it also displays advertisements.
YunPanSer also hijacks the browser shortcuts: it appends a URL to the shortcuts' command line, so the browser opens that page on every launch, whatever home page is configured.

  • Installs as a program, either without the user's knowledge, because the user did not untick the sponsored offers bundled with the installer of a legitimate free program, or from the publisher's own site

  • Displays alerts during installation (shown in the screenshots of the original post)

  • Modifies the browser shortcuts

  • Creates icons in the Start Menu and on the Desktop (shown in the screenshots of the original post)

**********

Detection of YunPanSer in FRST reports:

Quote
百度网盘种子综合搜索器版本V2.0.0 (HKLM-x32\...\{0E684690-1A6F-4E5B-AB49-9992958E460E}_is1) (Version: V2.0.0 - )
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Opera Browser.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://hao549.com/?r=y&m=8

() C:\Program Files (x86)\YunPanSer\YunPanSer.exe
C:\Users\Public\Desktop\百度网盘种子综合搜索器.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\百度网盘种子综合搜索器
C:\Program Files (x86)\YunPanSer
C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk
C:\Users\Public\Desktop\Opera Browser.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
C:\Users\Public\Desktop\Mozilla Firefox.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk

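To confirm the shortcut hijack on a live machine rather than from an FRST report, the following PowerShell script, added here as an example and not part of the original post or of Malwarebytes' tooling, walks the shortcut folders that appear in the FRST lines above and flags every .lnk whose Arguments field carries a URL, which is exactly what FRST reports as ShortcutWithArgument. The folder list, the URL regex and the function names Get-HijackedShortcut and Repair-HijackedShortcut are assumptions made for this example.

```powershell
# Added example (not from the original post or Malwarebytes): find browser
# shortcuts whose Arguments field carries a URL, the condition FRST reports as
# "ShortcutWithArgument", and optionally clear that argument.
# Assumptions: Windows PowerShell 3.0+ and the WScript.Shell COM object; the
# folder list below mirrors the locations seen in the FRST report.

$Shell = New-Object -ComObject WScript.Shell

$ShortcutRoots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"      # per-user Start Menu
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # includes User Pinned\TaskBar
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"  # all-users Start Menu
    "$env:PUBLIC\Desktop"                                     # all-users Desktop
    "$env:USERPROFILE\Desktop"                                # current user's Desktop
)

# A clean browser shortcut has an empty Arguments field; a URL there is the hijack.
$UrlPattern = 'https?://\S+'

function Get-HijackedShortcut {
    [CmdletBinding()]
    param([string[]]$Path = $ShortcutRoots)

    foreach ($Root in $Path) {
        if (-not (Test-Path -LiteralPath $Root)) { continue }
        Get-ChildItem -LiteralPath $Root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $Lnk = $Shell.CreateShortcut($_.FullName)
                if ($Lnk.Arguments -match $UrlPattern) {
                    [pscustomobject]@{
                        Shortcut  = $_.FullName
                        Target    = $Lnk.TargetPath
                        Arguments = $Lnk.Arguments
                        Url       = $Matches[0]
                    }
                }
            }
    }
}

function Repair-HijackedShortcut {
    # Clears the injected argument. Supports -WhatIf for a dry run; review the
    # Target column first, since a shortcut can also be repointed to another binary.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Finding)

    process {
        if ($PSCmdlet.ShouldProcess($Finding.Shortcut, "Clear Arguments '$($Finding.Arguments)'")) {
            $Lnk = $Shell.CreateShortcut($Finding.Shortcut)
            $Lnk.Arguments = ''
            $Lnk.Save()
        }
    }
}

# Usage: list first, then re-run the repair without -WhatIf once the output has been reviewed.
$Findings = Get-HijackedShortcut
$Findings | Format-Table Shortcut, Target, Url -AutoSize
$Findings | Repair-HijackedShortcut -WhatIf
```

Run it from an elevated PowerShell when the all-users Start Menu or Public Desktop is involved, since saving those shortcuts needs write access to C:\ProgramData and C:\Users\Public. The script only inspects the Arguments field; a shortcut whose TargetPath has been changed to a program other than the expected browser would still need a manual look, which is why the Target column is printed alongside.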


**********

Detected and handled by Malwarebytes as Adware


Quote
-Scan Details-
Process: 1
Adware.ChinAd.ShrtCln, C:\PROGRAM FILES (X86)\YUNPANSER\YUNPANSER.EXE, Quarantined, [9714], [419783],1.0.2433

Module: 2
Adware.HomeGuard, C:\PROGRAM FILES (X86)\YUNPANSER\SETHOMEPAGE.DLL, Quarantined, [3222], [387871],1.0.2433
Adware.ChinAd.ShrtCln, C:\PROGRAM FILES (X86)\YUNPANSER\YUNPANSER.EXE, Quarantined, [9714], [419783],1.0.2433

Registry Key: 3
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0E684690-1A6F-4E5B-AB49-9992958E460E}_is1, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\YunPanSer_RASAPI32, Delete-on-Reboot, [9714], [419784],1.0.2433
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\YunPanSer_RASMANCS, Delete-on-Reboot, [9714], [419784],1.0.2433

Registry Value: 1
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0E684690-1A6F-4E5B-AB49-9992958E460E}_is1|INSTALLLOCATION, Delete-on-Reboot, [9714], [419785],1.0.2433

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin, Delete-on-Reboot, [9714], [419783],1.0.2433

File: 33
Adware.HomeGuard, C:\PROGRAM FILES (X86)\YUNPANSER\SETHOMEPAGE.DLL, Delete-on-Reboot, [3222], [387871],1.0.2433
Adware.Agent, C:\USERS\{username}\DESKTOP\BDWPZZSSSQ.EXE, Delete-on-Reboot, [259], [419664],1.0.2433
Adware.ChinAd.ShrtCln, C:\PROGRAM FILES (X86)\YUNPANSER\YUNPANSER.EXE, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\b1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\b2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\bb1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\bb2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\bj.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\logo.ico, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\logo.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\sx1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\sx2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\xx1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\xx2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\分割线.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\箭头初始状态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\箭头点击状态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\类型选择常态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\类型选择悬停状态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\背景图(无文字).png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\bannerdown.gif, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\bj.gif, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\HtmlAgilityPack.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\HtmlAgilityPack.XML, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\Interop.ThunderAgentLib.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\Newtonsoft.Json.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\ThunderAgent.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\unins000.dat, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\unins000.exe, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.exe.config, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.pdb, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.vshost.exe.config, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.vshost.exe.manifest, Delete-on-Reboot, [9714], [419783],1.0.2433

Physical Sector: 0
(No malicious items detected)


Illustrated Malwarebytes usage tutorial


Source: Removal instructions for YunPanSer by Metallica - Malwarebytes Forums



Still infected? Have a question before carrying out any steps?

Come and post a new topic in this forum: http://forum.security-x.fr/desinfections/  taking care to follow the procedure at http://forum.security-x.fr/desinfections/procedure-preliminaire/


Security-X
