Facemoods is a program that usually installs itself without the user's knowledge, bundled with free-software downloads.
– It collects your browsing habits and reports them to a remote server (tracking).
Characteristics:
– It belongs to the PUP.Optional family (Potentially Unwanted Program).
– Vendor: listed as Secure Digital Services in the installed-software entry (O42 below); detection engines classify it as PUP.Optional.
Main actions:
– It installs itself as a process launched at system startup (RP),
– It changes the Internet Explorer search page (R1),
– It installs a Mozilla Firefox browser plugin (M3),
– It replaces the Google Chrome search page (G1),
– It installs itself as a browser Browser Helper Object (BHO) (O2),
– It installs itself as a browser toolbar (O3),
– It installs itself as an application started from the registry (O4),
– It installs itself as a program (O42),
– It creates "Software" registry keys,
– It creates a StartupReg key under Shared Tools\MSConfig (O53),
– It changes the Internet search provider (O69),
– It pollutes the registry with numerous keys (O88).
ZHPDiag overview:
---\\ Internet Explorer, Startup, Search, URLSearchHook, Phishing (R0,R1,R3,R4)
R1 – HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search,SearchAssistant = https://start.facemoods.com
R1 – HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs,Tabs = https://start.facemoods.com
---\\ Mozilla Firefox, Plugins, Startup, Search, Extensions (P2,M0,M1,M2,M3)
M3 – MFPP: Plugins – [Coolman] — C:\Program Files (x86)\Mozilla FireFox\searchplugins\fcmdSrch.xml
M3 – MFPP: Plugins – [Coolman] — C:\Program Files\Mozilla FireFox\searchplugins\fcmdSrchddr.xml
M3 – MFPP: Plugins – [Coolman] — C:\Program Files\Mozilla FireFox\searchplugins\fcmdSrchtweak.xml
---\\ Google Chrome, Startup, Search, Extensions (G0,G1,G2)
G1 – GCS: Preference [User Data\Default] https://start.facemoods.com
---\\ Browser Helper Objects (O2)
O2 – BHO: facemoods Helper [64Bits] – {64182481-4F71-486b-A045-B233BD0DA8FC} . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
---\\ Internet Explorer Toolbars (O3)
O3 – Toolbar: facemoods Toolbar – {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\bh\facemoodsTlbr.dll
O3 – Toolbar: facemoods Toolbar – {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.12\bh\escorTlbr.dll
---\\ Installed software (O42)
O42 – Logiciel: Facemoods – (.Secure Digital Services.) [HKLM] — {D0198889-7766-424B-AB81-F16F8EDDFEF4}
---\\ Contents of the Programs/ProgramFiles/ProgramData/AppData folders (O43)
O43 – CFD: 19/12/2011 – 21:26:10 – [0,034] —-D- C:\Program Files (x86)\facemoods.com
---\\ HKCU & HKLM Software Keys
[HKCU\Software\facemoods.com]
[HKLM\Software\facemoods.com]
---\\ ShareTools MSconfig StartupReg (O53)
O53 – SMSR:HKLM\…\startupreg\facemoods [Key] . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
---\\ Search Browser Infection (SBI) (O69)
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods._xpiupdate", true);
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.aflt", "_#wbst");
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.fcmdVrsn", "1.2.7.5.4");
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.firstRun", false);
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.first_time", false);
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.id", "_#cbbf8df580d74b0b8f071093911d59d3");
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.instlDay", "_#15345");
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.prtnrId", "_#facemoods.com");
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.sid", "_#cbbf8df580d74b0b8f071093911d59d3");
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.update", "_#v1.4.0");
O69 – SBI: prefs.js [Coolman – e8whg3vx.default] user_pref("extensions.facemoods.vrsn", "_#1.4.17.5");
O69 – SBI: SearchScopes [HKCU] {0D7562AE-8EF6-416d-A838-AB665251703A} – (Facemoods Search) – https://start.facemoods.com
---\\ Additional scan (O88)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:facemoods
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\facemoods]
[HKCU\Software\Microsoft\Internet Explorer\Main]:https://start.facemoods.com/?a=w7th
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}]
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]:facemoodssrv
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]:SearchAssistant
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]:facemoods Toolbar
[HKLM\Software\Classes\esrv.escrtSrvc]
[HKLM\Software\Wow6432Node\Classes\esrv.escrtSrvc]
[HKCR\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}]
[HKLM\Software\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}]
[HKCR\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}]
[HKLM\Software\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}]
[HKCR\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}]
[HKLM\Software\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKCR\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKLM\Software\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKCR\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}]
[HKLM\Software\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}]
[HKCR\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}]
[HKLM\Software\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}]
[HKCR\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}]
[HKLM\Software\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}]
[HKCR\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}]
[HKLM\Software\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}]
[HKCR\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}]
[HKLM\Software\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}]
[HKCR\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}]
[HKLM\Software\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}]
[HKCR\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}]
[HKLM\Software\Classes\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}]
[HKCR\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}]
[HKLM\Software\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}]
[HKCR\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}]
[HKLM\Software\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}]
[HKLM\Software\Google\Chrome\Extensions\ihflimipbcaljfnojhhknppphnnciiif]
[HKCU\Software\facemoods.com]
[HKLM\Software\facemoods.com]
[HKLM\Software\Wow6432Node\facemoods.com]
[HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg\Facemoods]
[HKLM\Software\Wow6432Node\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}]
[HKLM\Software\Wow6432Node\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}]
[HKLM\Software\Wow6432Node\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}]
[HKLM\Software\Wow6432Node\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}]
[HKLM\Software\Wow6432Node\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}]
[HKLM\Software\Wow6432Node\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}]
[HKLM\Software\Wow6432Node\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}]
[HKLM\Software\Wow6432Node\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}]
[HKLM\Software\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}]
[HKLM\Software\Wow6432Node\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}]
[HKLM\Software\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}]
[HKLM\Software\Wow6432Node\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}]
[HKLM\Software\Wow6432Node\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}]
C:\Program Files\facemoods.com
C:\Program Files (x86)\facemoods.com
---\\ Product Upgrade Codes (O90)
O90 – PUC: « 9888910D6677B424BA181FF6E8DDEF4F » . (.Facemoods.) — C:\WINDOWS\Installer\{D0198889-7766-424B-AB81-F16F8EDDFEF4}\ARPPRODUCTICON.exe
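As an added example (not part of the original listing, and not ZHPDiag's or ZHPFix's own code), the Python script below parses a report excerpt like the one above into de-duplicated indicators (CLSIDs, URLs, file paths, registry keys, Run entries) and then cross-checks each O2/O3 CLSID against the registration keys the O88 section shows for such a CLSID, which is the list a cleanup has to cover. The sample report is constructed from the lines on this page; the toolbar's Classes\CLSID and Ext\Stats/Settings keys are deliberately left out so the check has something to report. The English section headers, the `<G>` placeholder and the function names are this example's own assumptions.

```python
import re

# Constructed excerpt of a ZHPDiag report, copied from the Facemoods listing
# above with WordPress' typographic dashes ("–", "—") left in on purpose,
# since that is how such reports arrive when pasted from a web page.
SAMPLE_REPORT = r"""
---\\ Internet Explorer, Startup, Search, URLSearchHook, Phishing (R0,R1,R3,R4)
R1 – HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search,SearchAssistant = https://start.facemoods.com
—\\ Browser Helper Objects (O2)
O2 – BHO: facemoods Helper [64Bits] – {64182481-4F71-486b-A045-B233BD0DA8FC} . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
—\\ Internet Explorer Toolbars (O3)
O3 – Toolbar: facemoods Toolbar – {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\bh\facemoodsTlbr.dll
—\\ ShareTools MSconfig StartupReg (O53)
O53 – SMSR:HKLM\…\startupreg\facemoods [Key] . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
—\\ Search Browser Infection (SBI) (O69)
O69 – SBI: SearchScopes [HKCU] {0D7562AE-8EF6-416d-A838-AB665251703A} – (Facemoods Search) – https://start.facemoods.com
—\\ Additional scan (O88)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:facemoods
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKCR\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKLM\Software\Classes\CLSID\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486b-A045-B233BD0DA8FC}]
[HKCR\CLSID\{DB4E9724-F518-4dfd-9C7C-78B52103CAB9}]
[HKLM\Software\Google\Chrome\Extensions\ihflimipbcaljfnojhhknppphnnciiif]
C:\Program Files (x86)\facemoods.com
"""

HEADER_RE = re.compile(r"^-{2,}\\\\\s*(?P<name>.*?)\s*\((?P<codes>[^)]*)\)\s*$")
CODED_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\](?::(?P<value>.*))?$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def normalize(line):
    """Undo WordPress smart dashes: ' -- ' became ' — ' and ' - ' became ' – '."""
    return line.replace("\u2014", "--").replace("\u2013", "-").strip()


def parse_report(text):
    """Turn report lines into findings: coded lines (R1, O2, ...), bare
    registry keys from the O88 section, and bare folder paths."""
    findings, section = [], None
    for raw in text.splitlines():
        line = normalize(raw)
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            section = m.group("name")
            continue
        f = {"section": section, "code": None, "kind": "other", "text": line,
             "guids": [g.upper() for g in GUID_RE.findall(line)],
             "urls": URL_RE.findall(line), "path": None, "regkey": None, "value": None}
        if (m := CODED_RE.match(line)):
            f["kind"], f["code"] = "coded", m.group("code")
            tail = m.group("body").rsplit(" -- ", 1)[-1].strip()  # file after ' -- '
            if DRIVE_RE.match(tail):
                f["path"] = tail
        elif (m := KEY_RE.match(line)):
            f["kind"], f["regkey"], f["value"] = "regkey", m.group("key"), m.group("value")
        elif DRIVE_RE.match(line):
            f["kind"], f["path"] = "path", line
        findings.append(f)
    return findings


def iocs(findings):
    """Collapse the findings into de-duplicated indicators for a cleanup script."""
    out = {"clsids": set(), "urls": set(), "paths": set(), "regkeys": set(), "run_entries": set()}
    for f in findings:
        out["clsids"].update(f["guids"])
        out["urls"].update(f["urls"])
        if f["path"]:
            out["paths"].add(f["path"])
        if f["regkey"]:
            out["regkeys"].add(f["regkey"])
            if f["regkey"].upper().endswith(r"\CURRENTVERSION\RUN") and f["value"]:
                out["run_entries"].add(f["value"])
    return out


# Registry locations in which a BHO / toolbar CLSID is registered, taken from
# the O88 section of the report above ("<G>" stands for the CLSID with braces).
COM_KEYS = [
    r"HKCR\CLSID\<G>",
    r"HKLM\Software\Classes\CLSID\<G>",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\<G>",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\<G>",
]
BHO_KEYS = COM_KEYS + [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<G>"]


def missing_companion_keys(findings):
    """For every O2 (BHO) and O3 (toolbar) CLSID, list the registration keys
    the report does not show, i.e. what a cleanup still has to check by hand."""
    present = {f["regkey"].upper() for f in findings if f["regkey"]}
    missing = {}
    for f in findings:
        if f["code"] in ("O2", "O3"):
            templates = BHO_KEYS if f["code"] == "O2" else COM_KEYS
            for g in f["guids"]:
                missing[g] = [k for k in (t.replace("<G>", g) for t in templates)
                              if k.upper() not in present]
    return missing


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for name, values in iocs(parsed).items():
        print(f"{name}: {sorted(values)}")
    for clsid, keys in missing_companion_keys(parsed).items():
        print(clsid, f"{len(keys)} registration key(s) not in report", *keys, sep="\n  ")
```

Run against the sample, the BHO CLSID comes back with no missing keys while the toolbar CLSID reports three (Classes\CLSID, Ext\Stats, Ext\Settings). The dash normalisation matters in practice: a report copied from a web page no longer contains the ASCII " -- " separator, so a naive split on it silently loses every file path.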
Links:
deletemalware.blogspot.com
www.systemlookup.com
Aliases:
PUP.Optional.FaceMoods.A [Malwarebytes]
Win32/SweetIM.B [ESET NOD32]
Adware.Facemoods.1 [Dr.Web]
Removal:
– Remove the "Facemoods" extension from every installed browser,
– Remove the "Facemoods" plugin (the fcmdSrch*.xml search plugins) from every installed browser,
– Uninstall the "Facemoods" program via the Windows Control Panel,
– Reset the search and start pages of every installed browser,
– Clear the browser caches,
– Apply a ZHPFix cleanup script to the lines identified in the ZHPDiag & NCDiag reports; on 64-bit Windows the CLSID, Interface and TypeLib keys exist both under HKLM\Software\Classes and under Wow6432Node, as the O88 listing shows, so both must be cleaned,
– Re-run ZHPDiag afterwards and confirm that no R1, O2, O3, O53, O69 or O88 line referring to facemoods remains.
Cleaners:
Malwarebytes Anti-Malware [Malwarebytes], AdwCleaner [Xplode], or clean with ZHPCleaner