Avira Antivirus Lab

PUA/SecurityReviver.EL.2

Short description
  • Name
    PUA/SecurityReviver.EL.2
  • Date of discovery
    11 Sep 2017
  • VDF version
    7.14.27.34 (2017-09-11 13:08)
Full description

This class of detection indicators, potentially unwanted applications (PUA), can harm the user's privacy and the security of the local system. These are legitimate applications that often use social engineering to entice the user into installing additional offers during the installation of the software the user originally intended to install. Software, advertisements or websites exhibiting any of these objectionable behaviours and/or properties are classified as PUA. A complete list of PUA is available at http://www.avira.com/en/potentially-unwanted-applications. This detection does not mean that the file is malicious. However, if the file was installed on the system without the user being informed, the user's privacy or the security of the system may be at risk. Disabling this detection is recommended only for advanced users who understand the risks and know how to use these applications.

  • VDF
    7.14.27.34 (2017-09-11 13:08)
  • Screenshots
  • Network activity
    • s2.s****.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
    • sv.s****.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEEPKAhTPicpg8HWaxIzI43E%3D
  • Processes
    • %executed_sample_name%.exe
  • Files
    The following files are created:
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_38998BEE68CAF8DF5533DF24A6ADB2B2
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_38998BEE68CAF8DF5533DF24A6ADB2B2
    • %TEMPDIR%\Cab9CC7.tmp
    • %TEMPDIR%\Tar9CC8.tmp
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    • %TEMPDIR%\Cab9C4F.tmp
    • %TEMPDIR%\Tar9C50.tmp
    The following files are modified:
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_38998BEE68CAF8DF5533DF24A6ADB2B2
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_38998BEE68CAF8DF5533DF24A6ADB2B2
    • %TEMPDIR%\Cab9C4F.tmp
    • %TEMPDIR%\Tar9C50.tmp
    The following files are deleted:
    • %TEMPDIR%\Cab9CC7.tmp
    • %TEMPDIR%\Tar9CC8.tmp
    • %TEMPDIR%\Cab9C4F.tmp
    • %TEMPDIR%\Tar9C50.tmp
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2336.27628968
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2336.27628968
    • %APPDATA%\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2336.27628968
    The following drivers are loaded:
    • \Device\KsecDD
    • %APPDATA%\LocalLow
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content
    • %WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll
    • %WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
    • %WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll
    • %WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
    • %WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll
    • %TEMPDIR%\%executed_sample%.config
    • %TEMPDIR%\%executed_sample%
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
    • %APPDATA%\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
    • %APPDATA%\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
    • %WINDIR%\assembly\NativeImages_v2.0.50727_32\index18f.dat
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_DF4CA81DC775CDA9B3214BDB5B55900E
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
    • %SYSDIR%\en-US\WINHTTP.dll.mui
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_38998BEE68CAF8DF5533DF24A6ADB2B2
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_CC22B1AB635D142AB5956AF90DD3E252
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    • %TEMPDIR%\Cab9C4F.tmp
    • %TEMPDIR%\Tar9C50.tmp
    • %SYSDIR%\l_intl.nls
    • %WINDIR%\assembly\pubpol17.dat
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
    • %WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    • %WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    • %WINDIR%\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
    The following files are executed:
    • \Device\KsecDD
    • %APPDATA%\LocalLow
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content
    • %WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll
    • %WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
    • %WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll
    • %WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
    • %WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll
    • %TEMPDIR%\%executed_sample%.config
    • %TEMPDIR%\%executed_sample%
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
    • %APPDATA%\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
    • %APPDATA%\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
    • %WINDIR%\assembly\NativeImages_v2.0.50727_32\index18f.dat
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_DF4CA81DC775CDA9B3214BDB5B55900E
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
    • %SYSDIR%\en-US\WINHTTP.dll.mui
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_38998BEE68CAF8DF5533DF24A6ADB2B2
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_CC22B1AB635D142AB5956AF90DD3E252
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    • %APPDATA%\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    • %TEMPDIR%\Cab9C4F.tmp
    • %TEMPDIR%\Tar9C50.tmp
    • %SYSDIR%\l_intl.nls
    • %WINDIR%\assembly\pubpol17.dat
    • %WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
    • %WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    • %WINDIR%\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    • %WINDIR%\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
  • Registry
    The following registry entries are added:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    • HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\8c\52C64B7E
    • HKEY_CLASSES_ROOT\Local Settings\MuiCache\8C\52C64B7E ("LanguageList": "en-USen") ("@%SystemRoot%\system32\p2pcollab.dll,-8042": "Peer to Peer Trust") ("@%SystemRoot%\system32\qagentrt.dll,-10": "System Health Authentication") ("@%SystemRoot%\system32\dnsapi.dll,-103": "Domain Name System (DNS) Server Trust") ("@%SystemRoot%\System32\fveui.dll,-843": "BitLocker Drive Encryption") ("@%SystemRoot%\System32\fveui.dll,-844": "BitLocker Data Recovery Agent") ("@%SystemRoot%\System32\wuaueng.dll,-400": "Windows Update")
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
    • HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application ("AutoBackupLogFiles": "0x00000000")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Security Reviver ("EventMessageFile": "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("mscorlib,2.0.0.0,,b77a5c561934e089,x86": "D½?+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "´ê°Ž+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System,2.0.0.0,,b77a5c561934e089,MSIL": "t>…+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Xml,2.0.0.0,,b77a5c561934e089,MSIL": "!.ƒ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "àÒ;+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Data,2.0.0.0,,b77a5c561934e089,x86": "w¸ÈŽ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Design,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "¬G/˜+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "]B+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86": "êû_Ž+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86": "€îõ™+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL": "ûȃ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "DÁ™“+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "ܼ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "<,Þ¬êÉ")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "זêÉ")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "¯U¡+‰Ë")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application ("AutoBackupLogFiles": "0")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Security Reviver ("EventMessageFile": "")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Security Reviver ("EventMessageFile": "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Security Reviver
    • HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\29\52C64B7E ("LanguageList": "en-USen")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ("State": "146432")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE ("Blob": "")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE ("Blob": " 'œÖRÄâR¿¾R¬r"×r›¤ Œúžmž[¹N¯ñ TMicrosoft Root Certificate Authority 2011b „}ö§„—”?'ürë“ù¦72 µaЩ èzxí|ar-:1C¹Náê§Ç1Ñ#‰4î¶(Ö¥™HيMÝhaÀi0  +‚7<C(ŠÒró;o±B„…ê0À¼þ ñ0‚í0‚Õ ?‹ÈµüŸ²–CµiÖlBáD0  *†H†÷  0ˆ1 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20110 110322220528Z 360322221304Z0ˆ1 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20110‚"0  *†H†÷ ‚0‚ ‚²€Aª58Mr2h"M¸²ñÿÕR¼lÇõÒJŒ6îÑÂ\~ŒŠ®¯(oÀsã:ÎÐ%¨Z:m器Y«#hÍ )‡Ño€\D]RX¬QÅ_*‡ÜÜØ Á¹{°Vè£Þdažøó|¹ì µTþL¶eOˆðœH™ B |1Yyx(‰:L%¾qj\ ç„`¤™"ãÒ¯„¤§ûÑ˜í ©Þ”‰á ÜÀΙ=êR»Vy䄺¸´ÄI\O1K‡ÝÝg&™€àq£¸¥Aâ¤S¹÷2)ƒ ¿6^³KCG/kâ‘ӘOÝBÈèü™©k>’~ÈÖi:üd½¶ Êý ¢›w`K”¤0iÖB-ÁALÊܪý[ƒFšÙü±Ñã³ÉHzÍ$ðA\tЬ° I·Ç-!ÈWãІóhûÐÎqÁ‰™Jdlýì0‘ÏA<’Ç庆a„Ç_ƒ9b®´’/Gó øUë Yлt›Ðvæòé×èúdÞiÆ5–ˆðF¸?'™oËq‰)5÷H5Õy|MÏ_늃OEqˆù© NréœÏINcQŒ^ØÁU,¶ÆàÂeNÉ49õœ³Ä~èan_Ä_Ù~íÎîDìË.†±ì8öpí«\ÁÙ ǀ²Uí4÷¬›äÃÚçG<¦µ1ßÅK¯ëñ£Q0O0 U†0Uÿ0ÿ0Ur-:1C¹Náê§Ç1Ñ#‰40 +‚70  *†H†÷  ‚rÏ·ÅۛÀIÊ&[þžæÓðÒۗ_òK?M³®®íח ¬ï©:£ÂA°å¸‘ž$æ ý[email protected]!$VÑ/[email protected]©6†K´SWšûñ~‰þlQªèí •µåqÉ¡é‡u¦É~7T^t“ÅÃgÌ Ok¨ m’~‹Ýª-p!Ã=»¿$^§„×?!"½KۗØ^ÔÅ \‡nP¤èÃ8¤ûË,Œf›…^Ëzl“|€)X[Wµ@iºy¦db‡–Eµf# ‹s Ó¢y3àPY†Û/å%ês*ŸÈ6ǒ;éNìØV ¹3IÒT «¬G¶‘)}L´u€RèʂöŸÌ¬œê/&°«r¬ þžQÇCUgOQ³WÖ¶ìîR·:éNáׁˆ¼OŽu»K¨ð5ª&ÔggI²pL;“Üßx†r²8¤ÑܒMÉXë+\Ô;®Œk°ƒå?ø 2ö“54"¯Ý7 w €+ÍHñŒ™GéÑ¿ÑNÐæ(C7™¤ JٚqsÒªÍ1cv¡7o’8}<f2çËmáüR‰ÝÊÖfš–a¾¢(Ç£§6P<:¤ßJnæ‡;Îëðà7<RŽ½¹4ÆÕ j=˜)pŒ‰*Ñ«‚HÜôï¥Å»U8c„N·l­•Tìe"I¸ÀǬTG")
    The following registry entries are modified:
    • HKEY_CLASSES_ROOT\Local Settings\MuiCache\8C\52C64B7E ("LanguageList": "en-USen") ("@%SystemRoot%\system32\p2pcollab.dll,-8042": "Peer to Peer Trust") ("@%SystemRoot%\system32\qagentrt.dll,-10": "System Health Authentication") ("@%SystemRoot%\system32\dnsapi.dll,-103": "Domain Name System (DNS) Server Trust") ("@%SystemRoot%\System32\fveui.dll,-843": "BitLocker Drive Encryption") ("@%SystemRoot%\System32\fveui.dll,-844": "BitLocker Data Recovery Agent") ("@%SystemRoot%\System32\wuaueng.dll,-400": "Windows Update")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application ("AutoBackupLogFiles": "0x00000000")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Security Reviver ("EventMessageFile": "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("mscorlib,2.0.0.0,,b77a5c561934e089,x86": "D½?+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Web.Services,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "´ê°Ž+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System,2.0.0.0,,b77a5c561934e089,MSIL": "t>…+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Xml,2.0.0.0,,b77a5c561934e089,MSIL": "!.ƒ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "àÒ;+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Data,2.0.0.0,,b77a5c561934e089,x86": "w¸ÈŽ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Design,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "¬G/˜+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.DirectoryServices,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "]B+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.EnterpriseServices,2.0.0.0,,b03f5f7f11d50a3a,x86": "êû_Ž+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86": "€îõ™+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL": "ûȃ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "DÁ™“+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "ܼ+‰Ë")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "<,Þ¬êÉ")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "זêÉ")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default ("System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL": "¯U¡+‰Ë")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application ("AutoBackupLogFiles": "0")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Security Reviver ("EventMessageFile": "")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Security Reviver ("EventMessageFile": "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll")
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Security Reviver
    • HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\29\52C64B7E ("LanguageList": "en-USen")
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing ("State": "146432")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE ("Blob": "")
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE ("Blob": " 'œÖRÄâR¿¾R¬r"×r›¤ Œúžmž[¹N¯ñ TMicrosoft Root Certificate Authority 2011b „}ö§„—”?'ürë“ù¦72 µaЩ èzxí|ar-:1C¹Náê§Ç1Ñ#‰4î¶(Ö¥™HيMÝhaÀi0  +‚7<C(ŠÒró;o±B„…ê0À¼þ ñ0‚í0‚Õ ?‹ÈµüŸ²–CµiÖlBáD0  *†H†÷  0ˆ1 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20110 110322220528Z 360322221304Z0ˆ1 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20110‚"0  *†H†÷ ‚0‚ ‚²€Aª58Mr2h"M¸²ñÿÕR¼lÇõÒJŒ6îÑÂ\~ŒŠ®¯(oÀsã:ÎÐ%¨Z:m器Y«#hÍ )‡Ño€\D]RX¬QÅ_*‡ÜÜØ Á¹{°Vè£Þdažøó|¹ì µTþL¶eOˆðœH™ B |1Yyx(‰:L%¾qj\ ç„`¤™"ãÒ¯„¤§ûÑ˜í ©Þ”‰á ÜÀΙ=êR»Vy䄺¸´ÄI\O1K‡ÝÝg&™€àq£¸¥Aâ¤S¹÷2)ƒ ¿6^³KCG/kâ‘ӘOÝBÈèü™©k>’~ÈÖi:üd½¶ Êý ¢›w`K”¤0iÖB-ÁALÊܪý[ƒFšÙü±Ñã³ÉHzÍ$ðA\tЬ° I·Ç-!ÈWãІóhûÐÎqÁ‰™Jdlýì0‘ÏA<’Ç庆a„Ç_ƒ9b®´’/Gó øUë Yлt›Ðvæòé×èúdÞiÆ5–ˆðF¸?'™oËq‰)5÷H5Õy|MÏ_늃OEqˆù© NréœÏINcQŒ^ØÁU,¶ÆàÂeNÉ49õœ³Ä~èan_Ä_Ù~íÎîDìË.†±ì8öpí«\ÁÙ ǀ²Uí4÷¬›äÃÚçG<¦µ1ßÅK¯ëñ£Q0O0 U†0Uÿ0ÿ0Ur-:1C¹Náê§Ç1Ñ#‰40 +‚70  *†H†÷  ‚rÏ·ÅۛÀIÊ&[þžæÓðÒۗ_òK?M³®®íח ¬ï©:£ÂA°å¸‘ž$æ ý[email protected]!$VÑ/[email protected]©6†K´SWšûñ~‰þlQªèí •µåqÉ¡é‡u¦É~7T^t“ÅÃgÌ Ok¨ m’~‹Ýª-p!Ã=»¿$^§„×?!"½KۗØ^ÔÅ \‡nP¤èÃ8¤ûË,Œf›…^Ëzl“|€)X[Wµ@iºy¦db‡–Eµf# ‹s Ó¢y3àPY†Û/å%ês*ŸÈ6ǒ;éNìØV ¹3IÒT «¬G¶‘)}L´u€RèʂöŸÌ¬œê/&°«r¬ þžQÇCUgOQ³WÖ¶ìîR·:éNáׁˆ¼OŽu»K¨ð5ª&ÔggI²pL;“Üßx†r²8¤ÑܒMÉXë+\Ô;®Œk°ƒå?ø 2ö“54"¯Ý7 w €+ÍHñŒ™GéÑ¿ÑNÐæ(C7™¤ JٚqsÒªÍ1cv¡7o’8}<f2çËmáüR‰ÝÊÖfš–a¾¢(Ç£§6P<:¤ßJnæ‡;Îëðà7<RŽ½¹4ÆÕ j=˜)pŒ‰*Ñ«‚HÜôï¥Å»U8c„N·l­•Tìe"I¸ÀǬTG")
    The values of the following registry keys are deleted:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
  • Aliases
    Avast: Win32:SecurityReviver-A
    ESET: MSIL/UwS.SecurityReviver.A application
    G Data: Adware.GenericKD.5523396