Security-X

Security-X Forum => General Security => Malware => Discussion started by: chantal11 on September 13, 2017, 15:30:14

Title: YunPanSer
Posted by: chantal11 on September 13, 2017, 15:30:14
Content republished with permission from Malwarebytes (https://forums.malwarebytes.org/index.php?showforum=39)

YunPanSer is a browser hijacker: it modifies the browser settings (home page, search page, etc.) to force visits to the targeted site, and it also displays advertisements.
YunPanSer also hijacks the browser shortcuts (.lnk files), so that launching a browser from one of them opens the targeted site.

[Screenshots from the original post: four YunPanSer windows (warning1.png to warning4.png) and the program icons (icons.png), hosted on static-cdn.malwarebytes.org]

**********

Detection of YunPanSer in FRST reports:

Quote
百度网盘种子综合搜索器版本V2.0.0 (HKLM-x32\...\{0E684690-1A6F-4E5B-AB49-9992958E460E}_is1) (Version: V2.0.0 - )
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Opera Browser.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://hao549.com/?r=y&m=8

() C:\Program Files (x86)\YunPanSer\YunPanSer.exe
C:\Users\Public\Desktop\百度网盘种子综合搜索器.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\百度网盘种子综合搜索器
C:\Program Files (x86)\YunPanSer
C:\Users\{Nom_Utilisateur}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk
C:\Users\Public\Desktop\Opera Browser.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
C:\Users\Public\Desktop\Mozilla Firefox.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
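The ShortcutWithArgument lines above are the fingerprint of the shortcut hijack. As an added triage helper (not part of the original post or of FRST), the script below parses that line format out of an FRST log, flags shortcuts that pass a URL to a browser or to explorer.exe, and counts the distinct planted URLs; the sample log lines are constructed in the format shown above.

```python
"""Triage helper: list hijacked browser shortcuts from an FRST log.

FRST reports a .lnk that carries a command-line argument as
  ShortcutWithArgument: <lnk> -> <target> (<publisher>) -> <argument>
A URL passed that way to a browser (or explorer.exe) is the hijack above.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

LINE_RE = re.compile(
    r"^ShortcutWithArgument: (?P<lnk>.+?) -> (?P<target>.+?) "
    r"\((?P<publisher>[^)]*)\) -> (?P<arg>.+)$"
)
URL_RE = re.compile(r"^h(?:tt|xx)ps?://", re.IGNORECASE)  # FRST defangs http as hxxp
# Executables whose shortcuts never need a URL argument by default
# (launcher.exe is Opera's launcher, as in the log above).
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
            "launcher.exe", "explorer.exe"}

# Constructed sample in the FRST format shown in the post, not a real log.
SAMPLE_FRST = r"""
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> hxxp://hao549.com/?r=y&m=8
ShortcutWithArgument: C:\Users\Public\Desktop\Editor.lnk -> C:\Tools\editor.exe (Example Corp) -> --profile default
Shortcut: C:\Users\Public\Desktop\Opera Browser.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software)
"""

def parse_shortcuts(log_text):
    """One dict per ShortcutWithArgument line; every other line is ignored."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def hijacked_shortcuts(log_text):
    """Shortcuts that hand a URL to a browser or to explorer.exe."""
    hits = []
    for row in parse_shortcuts(log_text):
        exe = PureWindowsPath(row["target"]).name.lower()
        if exe in BROWSERS and URL_RE.match(row["arg"]):
            hits.append(row)
    return hits

def injected_urls(log_text):
    """Count distinct planted URLs; a single URL everywhere means one hijacker."""
    return Counter(h["arg"] for h in hijacked_shortcuts(log_text))
```

The `lnk` paths of the hits are the shortcuts to remove or recreate, which is what the FRST fix list above does for the real infection.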



**********

Detected and handled by Malwarebytes as Adware


Quote
-Scan Details-
Process: 1
Adware.ChinAd.ShrtCln, C:\PROGRAM FILES (X86)\YUNPANSER\YUNPANSER.EXE, Quarantined, [9714], [419783],1.0.2433

Module: 2
Adware.HomeGuard, C:\PROGRAM FILES (X86)\YUNPANSER\SETHOMEPAGE.DLL, Quarantined, [3222], [387871],1.0.2433
Adware.ChinAd.ShrtCln, C:\PROGRAM FILES (X86)\YUNPANSER\YUNPANSER.EXE, Quarantined, [9714], [419783],1.0.2433

Registry Key: 3
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0E684690-1A6F-4E5B-AB49-9992958E460E}_is1, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\YunPanSer_RASAPI32, Delete-on-Reboot, [9714], [419784],1.0.2433
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\YunPanSer_RASMANCS, Delete-on-Reboot, [9714], [419784],1.0.2433

Registry Value: 1
Adware.ChinAd.ShrtCln, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{0E684690-1A6F-4E5B-AB49-9992958E460E}_is1|INSTALLLOCATION, Delete-on-Reboot, [9714], [419785],1.0.2433

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin, Delete-on-Reboot, [9714], [419783],1.0.2433

File: 33
Adware.HomeGuard, C:\PROGRAM FILES (X86)\YUNPANSER\SETHOMEPAGE.DLL, Delete-on-Reboot, [3222], [387871],1.0.2433
Adware.Agent, C:\USERS\{username}\DESKTOP\BDWPZZSSSQ.EXE, Delete-on-Reboot, [259], [419664],1.0.2433
Adware.ChinAd.ShrtCln, C:\PROGRAM FILES (X86)\YUNPANSER\YUNPANSER.EXE, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\b1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\b2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\bb1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\bb2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\bj.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\logo.ico, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\logo.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\sx1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\sx2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\xx1.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\xx2.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\分割线.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\箭头初始状态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\箭头点击状态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\类型选择常态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\类型选择悬停状态.png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\skin\背景图(无文字).png, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\bannerdown.gif, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\bj.gif, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\HtmlAgilityPack.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\HtmlAgilityPack.XML, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\Interop.ThunderAgentLib.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\Newtonsoft.Json.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\ThunderAgent.dll, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\unins000.dat, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\unins000.exe, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.exe.config, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.pdb, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.vshost.exe.config, Delete-on-Reboot, [9714], [419783],1.0.2433
Adware.ChinAd.ShrtCln, C:\Program Files (x86)\YunPanSer\YunPanSer.vshost.exe.manifest, Delete-on-Reboot, [9714], [419783],1.0.2433

Physical Sector: 0
(No malicious items detected)


Illustrated Malwarebytes tutorial (https://forum.security-x.fr/tutoriels-317/tutoriel-malwarebytes-anti-malware-22723/)


Source: Removal instructions for YunPanSer by Metallica - Malwarebytes Forums (https://forums.malwarebytes.com/topic/205760-removal-instructions-for-yunpanser/)



Still infected? Have a question before making any changes?

Post a new topic in this forum: http://forum.security-x.fr/desinfections/ , taking care to follow the procedure at http://forum.security-x.fr/desinfections/procedure-preliminaire/