Virus: double circumflex accent "^^"
Solved
luc92
Hello,
I am new to this forum
For a few days now, I think I might be infected by a virus.
I get the direct display of 2 accents "^^" when I press the key "^" only once
(the key next to p). The same behavior occurs for the Umlaut: ¨¨
For example, if I try to type an (ê) with the two successive keys "^" + "e," I get "^^e" on the screen instead of the expected character "ê"
(Note: all the accented characters "ê," "û," etc., present in my message come from other documents because I can no longer generate them from my keyboard.
It's really very annoying not to be able to type these characters directly.
But more seriously, I am especially concerned that it might be spyware capable of duplicating all the characters typed on the keyboard to capture personal information during entry (password, bank codes entered during online purchases, etc.).
I took the initiative by downloading and running ZHPDiag with a ZHPDiag report v2013.docx saved in Word to keep the layout and the colored characters (there are red lines)
Thank you in advance for your help and for letting me know how to send you this report
My configuration is Windows XP Pro version 35.1 service pack 3, and my computer is a Dell D630.
I use Internet Explorer 8.0 and Mozilla Firefox
Configuration: Windows XP / Internet Explorer 8.0
17 answers
ok thx
Attention !!! : Only these links are official, do not download the tool from other links !!
Attention !!! : this tool may be falsely detected as a virus
Attention !!! : this tool is powerful, follow the instructions below closely
all "non-vital Windows processes" will be terminated, save your work. There will be a shutdown of the desktop during the scan --> don't panic.
Disable all your protections if possible, antivirus, sandbox, firewalls, etc....: https://forum.pcastuces.com/default.asp
download and save Pre_Scan on your desktop:
http://services.service-webmaster.fr/cpt-clics/clics-30453-6820.html (rename to winlogon)
or, if the link is not working:
http://www.archive-host.com (rename to winlogon)
http://www.security-helpzone.com/Tools/g3n/winlogon.exe (rename to winlogon)
if the tool is restarted several times, it will offer you a menu and since no option is required, launch the "Scan|Kill" option
if the tool is blocked by the infection, use this version with these other extensions:
http://www.security-helpzone.com/Tools/g3n/Pre_Scan.scr
http://www.security-helpzone.com/Tools/g3n/Pre_Scan.pif
http://www.security-helpzone.com/Tools/g3n/Pre_Scan.com
if the tool detects a proxy and you have not installed one, click on "remove proxy"
It may happen that black windows flicker, let it work.
the tool will send to a server the viruses it has quarantined so I can improve it and study these infections more deeply.
Let the tool restart your pc.
Post Pre_Scan_the_date_and_time.txt which will appear at the root of your system disk (usually C:\)
DO NOT POST IT ON THE FORUM !!! (it is too long)
Host the report on https://www.cjoint.com/ and then provide the obtained link in exchange on the forum where you are getting help
--
¤¤¤¤¤¤¤¤¤¤_Pre_Scan_Concept_¤¤¤¤¤¤¤¤¤¤
Good evening
Download AdwCleaner (by Xplode) to your desktop.
Run it, click on [Removal] then wait for the scan to complete.
When the message indicating that AdwCleaner has detected a specific variant of adware appears, click on [OK]
- The computer will restart by itself. Restart it in normal mode.
- AdwCleaner will normally open, with the only possible choice being [Removal]
- Click on it, then wait during the removal process.
- Once the removal is completed, AdwCleaner will prompt you to restart the computer
- Upon restart, a report will open. Post it on the forum.
Note: The report is also saved under C:\AdwCleaner[S1].txt
To read:
Toolbars are not mandatory (by Malekal): https://forum.malekal.com/viewtopic.php?t=6173&start=
Potentially unwanted programs:
https://forum.malekal.com/viewtopic.php?t=33776&start=
@+
--
--------Security Contributor---------
We have all been beginners at something at one time.
But knowledge is the reward of diligence.
# AdwCleaner v2.200 - Report created on 10/04/2013 at 20:57:10
# Updated on 02/04/2013 by Xplode
# Operating System: Microsoft Windows XP Service Pack 3 (32-bit)
# Username: lvidal - L-FR-11170
# Boot Mode: Normal
# Executed from: D:\documents and settings\lvidal\Desktop\adwcleaner.exe
# Option [Removal]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted: C:\Program Files\ICQ6Toolbar
Folder Deleted: C:\Program Files\Protected Search
Folder Deleted: C:\Program Files\Red Sky
Folder Deleted: D:\Documents and Settings\All Users\Application Data\ICQ\ICQToolbar
Folder Deleted: D:\Documents and Settings\lvidal\Local Settings\Application Data\DownTango
Folder Deleted: D:\Documents and Settings\lvidal\Local Settings\Application Data\OpenCandy
Folder Deleted: D:\Documents and Settings\lvidal\Local Settings\Application Data\simplytech
File Deleted: C:\WINDOWS\Tasks\Protected Search.job
File Deleted: D:\END
***** [Registry] *****
Key Deleted: HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted: HKCU\Software\Conduit
Key Deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6552C7DD-90A4-4387-B795-F8F96747DE19}
Key Deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{855F3B16-6D32-4FE6-8A56-BBB695989046}
Key Deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{855F3B16-6D32-4FE6-8A56-BBB695989046}
Key Deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted: HKCU\Software\ProtectedSearch
Key Deleted: HKLM\SOFTWARE\Classes\AppID\{3FC27B34-0C19-49DA-875E-1875DDD4A6B2}
Key Deleted: HKLM\SOFTWARE\Classes\CLSID\{A928E66C-F501-4E66-9953-855C712F93B2}
Key Deleted: HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{8DA8B89E-0C65-403B-8231-AB22ECFA0687}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{A928E66C-F501-4E66-9953-855C712F93B2}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{B0E28FA0-DF07-44B6-95CE-48BE26DB9266}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{E6B4EE8F-C38E-4994-BE28-229A3F92262C}
Key Deleted: HKLM\SOFTWARE\Classes\Interface\{FCA8936E-403A-4487-A966-70F80F1D5A6A}
Key Deleted: HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted: HKLM\SOFTWARE\Classes\wtb.Band
Key Deleted: HKLM\SOFTWARE\Classes\wtb.Band.1
Key Deleted: HKLM\SOFTWARE\Classes\wtb.NotificationSource
Key Deleted: HKLM\SOFTWARE\Classes\wtb.NotificationSource.1
Key Deleted: HKLM\SOFTWARE\Classes\wtb.SourceSinkImpl
Key Deleted: HKLM\SOFTWARE\Classes\wtb.SourceSinkImpl.1
Key Deleted: HKLM\SOFTWARE\Classes\wtb.ToolbarInfo
Key Deleted: HKLM\SOFTWARE\Classes\wtb.ToolbarInfo.1
Key Deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Protected Search_is1
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protected Search_is1
Key Deleted: HKLM\Software\pdfforge.org
Key Deleted: HKLM\Software\TENCENT
Value Deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
***** [Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Main - ICQ Search] = hxxp://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd --> hxxp://www.google.com
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Page] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Bar] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - Search Page] = hxxp://search.certified-toolbar.com?si=41460&tid=2938&bs=true&q= --> hxxp://www.google.com
Replaced: [HKCU\Software\Microsoft\Internet Explorer\SearchUrl - (Default)] = hxxp://search.certified-toolbar.com?si=41460&bs=true&tid=2938&q=%s --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl - (Default)] = hxxp://search.certified-toolbar.com?si=41460&bs=true&tid=2938&q=%s --> hxxp://www.google.com
Replaced: [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
-\\ Mozilla Firefox v19.0.2 (fr)
File: D:\Documents and Settings\lvidal\Application Data\Mozilla\Firefox\Profiles\j0utydbv.default\prefs.js
D:\Documents and Settings\lvidal\Application Data\Mozilla\Firefox\Profiles\j0utydbv.default\user.js ... Deleted!
[OK] The file does not contain any illegitimate entries.
*************************
AdwCleaner[S1].txt - [7297 bytes] - [10/04/2013 20:57:10]
########## EOF - D:\AdwCleaner[S1].txt - [7357 bytes] ##########
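Added example (not the helper's or AdwCleaner's own code): a small Python triage parser for the AdwCleaner v2 report format posted above, run over constructed sample lines that mirror that report. It counts deletions per kind, extracts the hosts behind the defanged `hxxp://` URLs that were replaced in the browser start/search settings, and pulls the GUIDs of removed Browser Helper Objects, so a reader can see at a glance what kind of hijack the report documents. The line patterns (`***** [Section] *****`, `Key Deleted:`, `Replaced: [...] = old --> new`, `[OK]`) are taken from the posted report; everything else is an assumption of this example.

```python
"""Triage helper for AdwCleaner v2.x removal reports (added example, not AdwCleaner code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a shortened report in the same layout as the one posted in the thread.
SAMPLE_REPORT = r"""
# AdwCleaner v2.200 - Report created on 10/04/2013 at 20:57:10
# Option [Removal]
***** [Files / Folders] *****
Folder Deleted: C:\Program Files\Protected Search
File Deleted: C:\WINDOWS\Tasks\Protected Search.job
***** [Registry] *****
Key Deleted: HKCU\Software\Conduit
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Value Deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
***** [Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Main - Start Default_Page_URL] = hxxp://search.certified-toolbar.com?si=41460&home=true&tid=2938 --> hxxp://www.google.com
Replaced: [HKCU\Software\Microsoft\Internet Explorer\Main - ICQ Search] = hxxp://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd --> hxxp://www.google.com
-\\ Mozilla Firefox v19.0.2 (fr)
[OK] The file does not contain any illegitimate entries.
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
DELETED_RE = re.compile(r"^(?P<kind>Folder|File|Key|Value) Deleted: (?P<target>.+)$")
REPLACED_RE = re.compile(r"^Replaced: \[(?P<setting>[^\]]+)\] = (?P<old>.+?) --> (?P<new>.+)$")
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
# Registry path fragment under which IE loads Browser Helper Objects (toolbar DLLs).
BHO_MARKER = "\\explorer\\browser helper objects\\"


def defanged_host(url):
    """Return the hostname of a URL AdwCleaner wrote as hxxp:// (defanged so it is not clickable)."""
    restored = url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)
    return urlsplit(restored).hostname or ""


def parse_report(text):
    """Walk the report line by line and build a small triage summary."""
    summary = {
        "deleted": Counter(),      # how many Folder/File/Key/Value entries were removed
        "replaced": [],            # (setting, old host, new host) for every rewritten browser setting
        "hijack_hosts": Counter(), # hosts the browser had been pointed at before cleanup
        "bho_guids": [],           # CLSIDs of Browser Helper Objects that were unregistered
        "clean_sections": [],      # sections AdwCleaner reported as having no illegitimate entries
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DELETED_RE.match(line)
        if m:
            summary["deleted"][m.group("kind")] += 1
            target = m.group("target")
            if BHO_MARKER in target.lower():
                guid = GUID_RE.search(target)
                if guid:
                    summary["bho_guids"].append(guid.group(0).upper())
            continue
        m = REPLACED_RE.match(line)
        if m:
            old_host = defanged_host(m.group("old"))
            summary["replaced"].append((m.group("setting"), old_host, defanged_host(m.group("new"))))
            summary["hijack_hosts"][old_host] += 1
            continue
        if line.startswith("[OK]") and section:
            summary["clean_sections"].append(section)
    return summary


def is_browser_hijack(summary):
    """True when the report shows rewritten start/search pages or a removed BHO."""
    return bool(summary["replaced"]) or bool(summary["bho_guids"])


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    print("deleted:", dict(s["deleted"]))
    print("hijack hosts:", dict(s["hijack_hosts"]))
    print("BHO GUIDs:", s["bho_guids"])
    print("browser hijack:", is_browser_hijack(s))
```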
I rebooted and restarted ADW for the second time, and it removed something again.
Here's the second report
# AdwCleaner v2.200 - Report created on 04/10/2013 at 21:23:41
# Updated on 04/02/2013 by Xplode
# Operating system: Microsoft Windows XP Service Pack 3 (32 bits)
# Username: lvidal - L-FR-11170
# Boot mode: Normal
# Executed from: D:\documents and settings\lvidal\Desktop\adwcleaner.exe
# Option [Removal]
***** [Services] *****
***** [Files / Folders] *****
Folder Deleted: D:\Documents and Settings\lvidal\Local Settings\Application Data\simplytech
***** [Registry] *****
***** [Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[OK] The registry does not contain any illegitimate entries.
-\\ Mozilla Firefox v19.0.2 (fr)
File: D:\Documents and Settings\lvidal\Application Data\Mozilla\Firefox\Profiles\j0utydbv.default\prefs.js
[OK] The file does not contain any illegitimate entries.
*************************
AdwCleaner[S1].txt - [7426 bytes] - [04/10/2013 20:57:10]
AdwCleaner[S2].txt - [965 bytes] - [04/10/2013 21:23:41]
########## EOF - D:\AdwCleaner[S2].txt - [1024 bytes] ##########
Re
Download Malwarebytes Anti-Malware here
https://www.malwarebytes.com/
* Install it (make sure to select "French"; do not change the installation settings) and update it.
* Go through the tutorial to get familiar with the program:
https://forum.pcastuces.com/sujet.asp?f=31&s=3
(that said, it is very easy to use).
Restart Malwarebytes by strictly following these instructions:
! Disconnect and close all running applications!
* Launch Malwarebytes. Under Vista, Seven, or Windows 8 (right-click the mouse “run as administrator”)
* Proceed to an update
* Do a so-called "Full" scan
--> Let the program work (and do not do anything else with the PC during the scan).
--> At the end, click on "Show results" .
--> Check that all infected items are confirmed, then click on "remove selected" .
Note: if you need to restart your PC to complete the cleaning, do it!
Post the saved report after removing the infected items (in the "report/log" tab of Malwarebytes, the most recent one)
@+
--
--------Security Contributor---------
We have all been beginners at something at one point.
But knowledge is the reward for diligence.
Hello Guillaume
I can't connect to the site https://www.malwarebytes.com/
(I am temporarily redirected to the link http://failsafe.fp.yahoo.com/404.html
which after a few seconds redirects me to http://failsafe.fp.yahoo.com/.)
However, I found it on a link http://www.pcastuces.com/logitheque/telechargement.asp?num=1358 the version is from 04/10/2013. On this page you will find the description and several servers: Name of the downloaded software:
Malwarebytes' Anti-Malware 1.75.0.1300 9.80 MB
I will install it and run it following your instructions and then I'll post the result
thanks again
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.04.04.07
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
lvidal :: L-FR-11170 [administrator]
04/11/2013 18:29:33
mbam-log-2013-04-11 (18-29-33).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File system | Heuristic/Extra | Heuristic/Shuriken | PUP | PUM | P2P
Scan options disabled:
Item(s) scanned: 501580
Elapsed time: 1 hour(s), 20 minute(s), 28 second(s)
Detected memory processes: 0
(No harmful items detected)
Detected memory modules: 0
(No harmful items detected)
Detected Registry key(s): 0
(No harmful items detected)
Detected Registry value(s): 0
(No harmful items detected)
Detected Registry data item(s): 0
(No harmful items detected)
Detected folder(s): 0
(No harmful items detected)
Detected file(s): 1
D:\lvidal\Clé 32_ancienne\soft\ultraedit\17.00\UltraEdit v17.00.0.1035.rar (RiskWare.Tool.HCK) -> Successfully quarantined and deleted.
(end)
Good evening Guillaume
I’m adding to my post above which was approved a bit quickly (with just a copy/paste of the Malwarebytes report).
This report indicates a file containing a RiskWare.Tool.HCK that it quarantined and eliminated.
Despite this, the double accent problem persists even after rebooting the machine.
This file had been lying around on my PC for several months (coming from a USB stick), so I could have been infected while trying to use it.
However, the use of this file dates back several months while my double accent issue appeared a few days ago at the end of March, beginning of April (at least that’s when I noticed it).
This means that it roughly coincides with the date I installed Mozilla Firefox in mid-March 2013 and some add-ons that triggered an update of my Java version.....
I also suspect Adobe 9.54, of which a recent update (03/28/2013) is titled "Adobe Reader 9.5.4-CPSID_83708" ???
This update is in the list of the control panel (add/remove programs) with the status "installed" and a note "this update cannot be uninstalled" on the line just below the current version Adobe Reader 9.5.4 (which does have the modify or remove option)
Another suspect is Flash Player, for which I see 2 lines in the program list of the control panel:
- 1 line Adobe Flash Player 11 Active X
- and 1 line Adobe Flash Player 11 plug-in
While I cannot find any command in the start menu to launch Flash Player
Perhaps I need to uninstall Adobe and Flash Player?
Thank you for your help.
Hello Guillaume
I have finally resolved my issue
I was infected by Trojan.Zbot.FS.
As a result: I no longer have duplication of inert characters (like accents and umlauts), and I am no longer redirected to Yahoo when I connect to https://www.malwarebytes.com/ as was the case yesterday.
Forget my previous report filed yesterday as this one executed in normal mode did not reflect reality.
I refer you to my discussion with H@ckm@n below (April 12, 2013 at 6:33 PM) where I detailed the difficulties encountered and the method implemented based on the elements you provided me
I particularly mention the difficulty in downloading Malwarebytes (the virus redirecting all browser connection attempts to https://www.malwarebytes.com/ to a 404 message from the Yahoo engine) and the workaround used to find a valid and fairly recent version on your tutorial site.
I also had to circumvent the fact that the virus prevents any updates proposed by the software on startup (by preventing connection to the download site and returning a falsified message "you have the latest database")
In safe mode everything changes: the software updates successfully and the search launched immediately resulted in the following discovery:
Trojan.Zbot.FS,
Key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Raqybeevqo
file D:\documents and settings\......\Application Data\Iwyw\asyks.exe (Trojan.Zbot.FS)
-> Successfully quarantined and deleted
Thank you for all the 100% relevant elements that you provided me, which allowed me to get through this.
Here is the complete Malwarebytes report version BDD v2013.04.12 executed in safe mode this afternoon on my PC
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database Version: v2013.04.12.04
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Network)
Internet Explorer 8.0.6001.18702
lvidal :: L-FR-11170 [administrator]
12/04/2013 15:14:35
mbam-log-2013-04-12 (15-14-35).txt
Scan Type: Full Scan (C:\|D:\|)
Scan Options Enabled: Memory | Startup | Registry | File System | Heuristic/Extra | Heuristic/Shuriken | PUP | PUM | P2P
Scan Options Disabled:
Item(s) Scanned: 502511
Time Elapsed: 33 minute(s), 35 second(s)
Memory Processes Detected: 0
(No harmful items detected)
Memory Modules Detected: 0
(No harmful items detected)
Registry Keys Detected: 0
(No harmful items detected)
Registry Value(s) Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Raqybeevqo (Trojan.Zbot.FS) -> Data: "D:\Documents and Settings\lvidal\Application Data\Iwyw\asyks.exe" -> Successfully quarantined and deleted.
Data Items Detected in Registry: 0
(No harmful items detected)
Folder(s) Detected: 0
(No harmful items detected)
File(s) Detected: 1
D:\documents and settings\lvidal\Application Data\Iwyw\asyks.exe (Trojan.Zbot.FS) -> Successfully quarantined and deleted.
(end)
the story of the virus I'm more than doubtful that it's that :)
little keyboard issue to configure I think^^^ oops one too many!
Nothing ventured, nothing gained
this problem has been addressed in another forum but does not provide real solutions: http://forum.bepo.fr/viewtopic.php?id=159
but also take a look here: http://forum.bepo.fr/viewtopic.php?pid=6
there is a good chance that it is the software configuration
@Luc92
wait for Guillaume's return and don’t listen to anyone else please
--
¤¤¤¤¤¤¤¤¤¤_Pre_Scan_Concept_¤¤¤¤¤¤¤¤¤¤
Thank you H@ckm@n
Understood.
However, I am still interested to know if you have any idea about the nature of the threat.
Because I already made an online purchase at the beginning of April when the problem was already there.
So far, at the beginning of this week, no abnormal behavior of my credit card has been reported by my banker. But I remain worried.
Furthermore, I need to book a flight soon using my online payment methods on the secure portal of a travel agency.
I will not do it without having a solution.
Thank you
Talk to you later
still make a driver update for your keyboard, it doesn't hurt to try :)
for online purchases, if the connection is secure, you really don't have to worry. You're more likely to be defrauded at Carrefour.
it's not impossible that you were infected by a keylogger, normally your antivirus would have found it (unless you made an exception). In that case, the best thing to do is to do nothing on your PC and reformat everything. But honestly, I don't know of any undetectable keyloggers.
redo a ZHPDiag for Guillaume, but leave it in txt, host it on https://www.cjoint.com/ and give the link; he will tell you what to do
I cannot interrupt not knowing exactly what he has in mind
--
¤¤¤¤¤¤¤¤¤¤_Pre_Scan_Concept_¤¤¤¤¤¤¤¤¤¤
thank you H@ckm@n
Actually, I just solved the problem.
I was infected by Trojan.Zbot.FS, which I was able to eliminate this afternoon.
Result: I no longer have duplication of dead characters (like accents and umlauts), and I am no longer redirected to Yahoo when I connect to https://www.malwarebytes.com/ as was the case yesterday (see explanation below)
I'll summarize the history of the different issues and the solution that got me out of trouble in case it could help others
1) Guillaume asked me:
to post him the Malwarebytes analysis by first downloading this software from a link he provided https://www.malwarebytes.com/
Then to run Malwarebytes, update it, start the search for infected items, display and destroy these quarantined items, and finally post him the report on the Forum
2) my first difficulty was initially downloading Malwarebytes from the provided link: https://www.malwarebytes.com/
This link was inaccessible to me as if it were expired, automatically redirecting me first to the link http://failsafe.fp.yahoo.com/404.html and then after a few seconds to http://failsafe.fp.yahoo.com/.
3) However, thanks to the link to the tutorial https://forum.pcastuces.com/sujet.asp?f=31&s=3 that Guillaume also provided, I was able to find a valid Malwarebytes download link: https://www.pcastuces.com/logitheque/telechargement.asp?num=1358
in a very recent version: Malwarebytes V1.75.0.1300 that I was able to download, install, and run.
4) Then a new problem occurred: the software notified me upon opening that my version was already 7 days old and offered to proceed with an update, which I accepted. Immediately, a message appeared "you have the latest updated version" and no update occurred.
(In fact, I discovered that this message was caused by the Trojan and that it was also the one redirecting my browser to the Yahoo 404 each time I tried to connect to https://www.malwarebytes.com/)
5) I settled for this version and conducted the search for infected items.
Malwarebytes revealed that I had a .rar file infected with RiskWare.Tool.HCK but nothing else, no registry key for any running infected items... It quarantined it and I deleted it. I also posted the report to Guillaume.
6) I got in touch with totodu.net who suspected my keyboard configuration.
That's when you intervened to advise me to wait for Guillaume's return.
7) Today, to stay active I restarted my computer in safe mode. I immediately noticed in this mode the disappearance of the double accentuation. This was a good sign.
I relaunched Malwarebytes V1.75.0.1300, which immediately updated on the same message (your database is 7 days old) and unlike what happened yesterday in NORMAL mode, successfully completed the downloads and the update.
The search resulted in the following discovery:
I am infected by Trojan.Zbot.FS,
Key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Raqybeevqo
file D:\documents and settings\......\Application Data\Iwyw\asyks.exe (Trojan.Zbot.FS)
-> Successfully quarantined and deleted
Thank you for your good advice and the collective responsiveness on this Forum
PS I am posting the Malwarebytes report carried out in safe mode to Guillaume and the explanations I just gave you
Luc
Good evening luc92
Testing in safe mode is a good idea ;-))
Post this Malwarebytes report and then send me a new ZHPDiag report; thank you
@+
--
--------Security Contributor---------
We've all been beginners at something at some point.
But knowledge is the reward for diligence.
https://forums.commentcamarche.net/forum/affich-27564553-virus-double-accent-circonflexe#21
he he ^^ go ahead with your keyboard driver ^^
Good evening Guillaume
Do you have a reliable site to download ZHPDiag?
Because my version (which I deleted) had an abnormal icon out of 3 (the one for mbr) with just a blue Windows border square instead of the original icon
Here is the MALWAREBYTES report
M A L W A R E B Y T E S R E P O R T
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.04.12.04
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Network)
Internet Explorer 8.0.6001.18702
lvidal :: L-FR-11170 [administrator]
04/12/2013 15:14:35
mbam-log-2013-04-12 (15-14-35).txt
Scan type: Complete scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristic/Extra | Heuristic/Shuriken | PUP | PUM | P2P
Scan options disabled:
Item(s) scanned: 502511
Time elapsed: 33 minute(s), 35 second(s)
Memory processes detected: 0
(No harmful items detected)
Memory modules detected: 0
(No harmful items detected)
Registry key(s) detected: 0
(No harmful items detected)
Registry value(s) detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Raqybeevqo (Trojan.Zbot.FS) -> Data: "D:\Documents and Settings\lvidal\Application Data\Iwyw\asyks.exe" -> Successfully quarantined and deleted.
Data item(s) detected in the Registry: 0
(No harmful items detected)
Folder(s) detected: 0
(No harmful items detected)
File(s) detected: 1
D:\documents and settings\lvidal\Application Data\Iwyw\asyks.exe (Trojan.Zbot.FS) -> Successfully quarantined and deleted.
(end)
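As an added illustration (not code from the thread, from Malwarebytes or from any of the posters), here is a small Python parser for the Malwarebytes Anti-Malware 1.x report format posted above. It pulls the detections out of the "... detected: N" sections, flags the ones that are autorun values under HKCU\...\CurrentVersion\Run pointing into a user profile folder (the pattern the Zbot entry shows), and pairs each detected file with the Run value that launched it. The sample report is a constructed, trimmed copy of the posted log; the "profile-dir autorun" heuristic and the function names are this example's own.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text report and review its detections.

Added example for this thread. The sample report below is constructed from the
log lines posted above; the Run-key/profile-directory heuristic is this
example's own idea, not a Malwarebytes feature.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the report posted in the thread.
SAMPLE_REPORT = r"""
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.12.04
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Network)

Scan type: Complete scan (C:\|D:\|)
Item(s) scanned: 502511

Memory processes detected: 0
(No harmful items detected)

Registry value(s) detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Raqybeevqo (Trojan.Zbot.FS) -> Data: "D:\Documents and Settings\lvidal\Application Data\Iwyw\asyks.exe" -> Successfully quarantined and deleted.

Folder(s) detected: 0
(No harmful items detected)

File(s) detected: 1
D:\documents and settings\lvidal\Application Data\Iwyw\asyks.exe (Trojan.Zbot.FS) -> Successfully quarantined and deleted.
(end)
"""

# Section headers look like "Registry value(s) detected: 1" or
# "Data item(s) detected in the Registry: 0".
HEADER_RE = re.compile(r'^(?P<section>.+?) detected(?: in the Registry)?: (?P<count>\d+)\s*$')
# Entries: "<location> (<threat>) -> [Data: "<path>" -> ]<action>."
ENTRY_RE = re.compile(
    r'^(?P<location>.+?) \((?P<threat>[^()]+)\) -> '
    r'(?:Data: "(?P<data>[^"]*)" -> )?'
    r'(?P<action>.+?)\.?\s*$'
)
# Per-user autorun value: ...\CurrentVersion\Run|<ValueName> (also RunOnce).
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?\|', re.IGNORECASE)
# Folders a regular user can write to without admin rights (XP and later names).
PROFILE_DIR_RE = re.compile(r'\\(?:Application Data|AppData|Local Settings)\\', re.IGNORECASE)


@dataclass
class Detection:
    section: str          # e.g. "Registry value(s)" or "File(s)"
    location: str         # registry path|value, or file path
    threat: str           # e.g. "Trojan.Zbot.FS"
    action: str           # e.g. "Successfully quarantined and deleted"
    data: Optional[str] = None  # value data for registry entries (the launched file)


def parse_mbam_report(text: str) -> List[Detection]:
    """Return every detection entry, tagged with the section it was listed under."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '(end)' or line.startswith('(No harmful items'):
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group('section')
            continue
        if section is None:
            continue  # preamble: version, database, scan options
        entry = ENTRY_RE.match(line)
        if entry:
            detections.append(Detection(section, entry.group('location'), entry.group('threat'),
                                        entry.group('action'), entry.group('data')))
    return detections


def autorun_persistence(detections: List[Detection]) -> List[Dict[str, object]]:
    """Pick out Run/RunOnce values and note whether their target sits in a user profile folder."""
    hits = []
    for d in detections:
        if not RUN_KEY_RE.search(d.location):
            continue
        target = d.data or ''
        hits.append({'value': d.location.rsplit('|', 1)[-1], 'target': target,
                     'threat': d.threat, 'in_profile_dir': bool(PROFILE_DIR_RE.search(target))})
    return hits


def match_files_to_autoruns(detections: List[Detection]) -> List[Tuple[str, Optional[str]]]:
    """Pair each detected file with the registry value whose data launches it.

    Paths are compared case-insensitively, as NTFS does; the report itself mixes
    "Documents and Settings" and "documents and settings" for the same file."""
    by_path = {d.data.lower(): d for d in detections if d.data}
    pairs = []
    for d in detections:
        if d.section.lower().startswith('file'):
            reg = by_path.get(d.location.lower())
            pairs.append((d.location, reg.location if reg else None))
    return pairs


if __name__ == '__main__':
    dets = parse_mbam_report(SAMPLE_REPORT)
    for d in dets:
        print(f"[{d.section}] {d.threat}: {d.location}" + (f" -> {d.data}" if d.data else ''))
    for hit in autorun_persistence(dets):
        kind = 'profile-dir autorun' if hit['in_profile_dir'] else 'autorun'
        print(f"{kind}: {hit['value']} -> {hit['target']}")
    for path, reg in match_files_to_autoruns(dets):
        print(f"file {path} launched by {reg or 'no detected autorun value'}")
```

The pairing step is the useful one when reading such a log: a file that is quarantined while the Run value that starts it survives (or the reverse) leaves a dangling reference, which is exactly what the later ZHPDiag line in this thread shows for `startupreg\Raqybeevqo` with the `(.not file.)` marker.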
Re
One of these links:
https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
Or
https://www.commentcamarche.net/telecharger/utilitaires/24803-zhpdiag/
@+
--------Security Contributor---------
We have all been beginners at something at some point.
But knowledge is the reward of diligence.
Hello Guillaume
Here is the link to the ZHP Diag report .txt: https://www.cjoint.com/?3DnlfslRK08
For your information, here is another link: https://www.cjoint.com/?3DnlD1hT2MD
WORD version of the same ZHPDiag report (copied/pasted from the display of the report by ZHPDiag) while keeping the colors and layout of the ZHPDiag display:
For me, the Word version is easier to visually scrutinize, for example
example ADWARE opencandy in red
[HKLM\Software\Martin Prikryl\OpenCandy] =>Adware.OpenCandy
or the item "asyks.exe" in blue (which MalwareBytes did not completely eliminate)
line o53 - SMSR:HKLM\...\startupreg\Raqybeevqo [Key] . (...) -- D:\Documents and Settings\lvidal\Application Data\Iwyw\asyks.exe (.not file.)
P.S.: "asyks.exe" is also present at line o45 - LFCP:[MD5.E9304AB1FE4B086ADEA9D5E8D88488B8] - 12/04/2013 - 14:04:24 ---A- - C:\WINDOWS\Prefetch\ASYKS.EXE-39065795.pf
Thank you and see you later
Luc
Hello
I'll let you handle it then!!!
See you later
--
--------Security Contributor---------
We've all been a beginner at something at some point.
But knowledge is the reward of diligence.
Guillaume
I definitely want to continue benefiting from your insights because
- I don't know the next steps regarding the ZHPDiag tools and
- I can't tell if my ZHPDiag report is sufficient since it's run in user mode (with administrator privileges) but not strictly in administrator mode.
- In any case, I can only interpret bits and pieces and have no idea about the downstream actions from the report (Script to run ZHPFix ....)
But trust me for the few intermediate actions concerning the evolution of the situation
(Continued)
For example, since my ZHPDiag report post this morning, I have 2 important events to report to you.
1) Thanks to the (possibly temporary) eradication of Zbot.FS, my Microsoft Forefront Client Security antivirus updated this morning.
Explanation: For the past 2-3 weeks, Forefront had been stating that its virus definition database needed to be updated. When I tried to perform the operation, I immediately received a message saying "no updates available" (similar issue to what I encountered with MalwareBytes).
2) my now-updated antivirus detected 2 threats:
a) Forefront confirms (like ZHPDiag) the detection of the ADWARE opencandy that was quarantined and which it offers to remove.
Information from Forefront about this element on the Microsoft site: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Adware%3aWin32%2fOpenCandy&threatid=159633
b) Forefront has detected another Trojan (not seen I believe by ZHPDiag this morning): TrojanClicker:Win32/Yabector.gen!B which was quarantined and which it offers to remove.
Information from Forefront about this element on the Microsoft site: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanClicker%3aWin32%2fYabector.gen
I asked Forefront to remove these 2 items.
If you agree, I will do a new ZHP diag and count on your help to analyze it under your control.
1) the traces of Zbot.FS mentioned in this morning's report will surely still be there
2) we will see if opencandy (Adware) and TrojanClicker:Win32/Yabector.gen have disappeared due to Forefront's action.
And then you can proceed with the next steps for the countermeasures.
Hoping that you agree with this approach.
Thank you for all the results already achieved.
Luc
Re
I suggest you contact the administrator of this PC
See you
--
--------Security Contributor---------
We have all been beginners at something at some point.
But knowledge is the reward for diligence.
Hi Gen
You're welcome ;-)
See you soon
--
--------Security Contributor---------
We've all been a beginner at something at some point.
But knowledge is the reward for diligence.
Hello Guillaume
I can't call on the administrator because he can only reset my workstation as stated in the explanation below (and in my opinion, given the progress made on the issue at hand, I believe there's something else to try before we get to that point).
Indeed, I already contacted the administrator in February, that is to say, 2 months before I had this issue with the double accent (which dates back to early April and motivated my registration on this forum).
I informed him that I could no longer update the Forefront antivirus from the internet as I used to. He recommended that I use the Intranet (which, due to the lack of VPN configuration, forced me to travel). But it worked, and the incident was closed.
The administrator also took the opportunity to advise me to use MalwareBytes to resolve threats that Forefront might not have detected due to being outdated.
He also mentioned that in case of unresolved issues (stubborn viruses) by updated Forefront and MalwareBytes, he wouldn't be able to do better than reset my workstation due to a lack of time for in-depth investigations.
Luc
Continued
Regarding the double accent problem, I believe we are quite close to a solution and that there is something else to try before I call the administrator to reformat the PC
I am optimistic because:
1) The double accent behavior has already been resolved at least temporarily by neutralizing the runtime process of Trojan.Zbot.FS
2) We need to maintain this success as much as possible by eliminating the residual traces that the ZHPdiag report still detects.
I think things are off to a good start because neutralizing Zbot.FS has also allowed for an online update of Forefront
Once updated, Forefront is equipped with all the necessary privileges and has thus been able to eliminate the other infection TrojanClicker:Win32/Yabector.gen!B
(which ZHPDiag run in user mode may not be able to see).
The two approaches, Forefront and ZHPDiag, therefore complement each other somewhat like (MalwareByte + ZHPDiag)
After the work done by Forefront this morning, I propose to send you, if you agree, the new ZHPDiag report launched after the eradication work by Forefront
You could guide me in eliminating the elements (registry keys or others) related to Zbot.FS (asyks.exe), opencandy or any others if you see them indicated by ZHPDiag
There are also a number of blue lines (or orphan keys, not.file, ...) that may signal a possible optimization of the registry
Thank you again for your advice
Luc
Hello Homerlulu
I have no doubt about this point.
Especially since I have received particularly good advice from G3n and Guillaume.
I have more doubts about my ability to make the right decisions regarding the execution of ZHPDiag (or P-s which seems even more invasive) for certain deletions.
Furthermore, you should know that I have a Dell computer on which it could be irreversible to touch, for example, the MBR, as the ZHPdiag suite might do, preventing any return to the factory configuration.
However, it is only on this factory configuration that the master reset DVD for my system can operate.
I have a simple way to eliminate all viruses or suspicion of viruses, which is to reconfigure the system with the DVD.
Thank you for your message
@+
Luc
Thank you, I had been looking for months to remove malware without success, and it's now done!
# AdwCleaner v3.012 - Report created on 11/15/2013 at 18:16:15
# Updated on 11/11/2013 by Xplode
# Operating System: Windows 7 Home Premium Service Pack 1 (64 bits)
# Username: Marin - MARIN-TOSH
# Executed from: C:\Users\Marin\Desktop\adwcleaner.exe
# Option: Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted: C:\Program Files (x86)\Pass-Widget
Folder Deleted: C:\Users\Marin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcfopijhanoceijcfpaileppfklbeggk
File Deleted: C:\Program Files (x86)\Mozilla Firefox\browser\nsprotector.js
File Deleted: C:\Users\Marin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.delta-search.com_0.localstorage-journal
***** [ Shortcuts ] *****
***** [ Registry ] *****
***** [ Browsers ] *****
-\\ Internet Explorer v10.0.9200.16736
*************************
AdwCleaner[R0].txt - [10444 bytes] - [10/14/2013 17:13:09]
AdwCleaner[R1].txt - [1195 bytes] - [11/15/2013 18:09:46]
AdwCleaner[S0].txt - [9757 bytes] - [10/14/2013 17:14:25]
AdwCleaner[S1].txt - [1123 bytes] - [11/15/2013 18:16:15]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1183 bytes] ##########
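For anyone who has to review reports like the one posted above across several machines, the following parser turns an AdwCleaner clean report into structured data (header fields, the entries under each `***** [ Section ] *****` banner, and the list of deleted items). It is an added example written for this thread, not code from AdwCleaner or from any poster, and the embedded report is a constructed excerpt modelled on the format quoted above. Note that AdwCleaner writes `hxxp` in place of `http` so that paths copied into a forum are not clickable; the parser keeps the target text exactly as logged.

```python
"""Parse an AdwCleaner clean report into structured records.

Added example for this thread; not part of AdwCleaner or of the original
posts. SAMPLE_REPORT is a constructed excerpt modelled on the format quoted
in the thread: '#' header lines, '***** [ Name ] *****' section banners,
'Folder Deleted:' / 'File Deleted:' action lines and a '*****' footer.
"""
import re

SAMPLE_REPORT = r"""# AdwCleaner v3.012 - Report created on 11/15/2013 at 18:16:15
# Updated on 11/11/2013 by Xplode
# Operating System: Windows 7 Home Premium Service Pack 1 (64 bits)
# Option: Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted: C:\Program Files (x86)\Pass-Widget
File Deleted: C:\Program Files (x86)\Mozilla Firefox\browser\nsprotector.js
File Deleted: C:\Users\Marin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.delta-search.com_0.localstorage-journal
***** [ Registry ] *****
***** [ Browsers ] *****
-\\ Internet Explorer v10.0.9200.16736
*************************
"""

# Only the header keys seen in the quoted report; the title line is handled separately.
HEADER_RE = re.compile(
    r"^# (?P<key>Operating System|Username|Executed from|Option|Updated on): (?P<value>.*)$"
)
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
ACTION_RE = re.compile(r"^(?P<kind>Folder|File|Key|Value) (?P<verb>Deleted|Found): (?P<target>.+)$")


def parse_report(text):
    """Return (header dict, {section name: [entry lines]}) for one report."""
    header = {}
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# AdwCleaner"):
            header["title"] = line[2:]          # tool version and report timestamp
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value").strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
            continue
        if line.startswith("*****") or line.startswith("#"):
            current = None                       # footer separator, EOF marker or comment
            continue
        if current is not None:
            sections[current].append(line)
    return header, sections


def deleted_items(sections):
    """List (kind, target) pairs for every 'Deleted' action in any section."""
    out = []
    for entries in sections.values():
        for entry in entries:
            m = ACTION_RE.match(entry)
            if m and m.group("verb") == "Deleted":
                out.append((m.group("kind"), m.group("target")))
    return out


if __name__ == "__main__":
    hdr, secs = parse_report(SAMPLE_REPORT)
    print(hdr.get("title"), "|", hdr.get("Option"))
    for kind, target in deleted_items(secs):
        print(f"{kind:6} {target}")
```

Feeding each machine's `AdwCleaner[S*].txt` through `parse_report` and collecting `deleted_items` gives a quick inventory of which adware paths and browser extension folders were actually removed, which is easier to compare than scrolling through pasted reports.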
Hello,
I'm back to your forum because I indeed downloaded AdwCleaner, but contrary to what I read in the link you sent me, the software does not immediately prompt to “remove.” So, I did “scan” then “clean” and tried to post the results of this work on your forum. However, the double umlaut ^^ is still there (when I press the key once, I get 2, and furthermore, they appear before the letter)!
Thank you for your help.
I don't dare to launch such software that could alter a system configuration I don't master.
For example, if I find a proxy, I won't be able to choose knowingly whether to keep it or delete it, not being the person who installed it.
For the moment, I have only done diagnostic reports and corrections with no impact on the system using software like MalwareBytes or my antivirus Forefront once updated.
Therefore, I haven't undertaken anything risky, and the result is at least apparently excellent since I no longer have any symptoms that motivated these investigations.
The problem is resolved for me as best as possible, and I simply plan to reset my computer for 100% security.
This will also allow for an update of my software.
Thanking you for your dedication, as well as Guillaume's.
@+
Luc
it's important to know that P_s is just as dangerous as ZHPDiag or Malwarebytes....
so, it's safe.
Especially since G3n is the designer...........