Trojan horse - Page 2

Solved
Previous
  • 1
  • 2
  1. lilidurhone Posted messages 800 Registration date   Status Security Contributor Last intervention   3 818
     
    You are waiting for another CS :)

    --
    If there is a problem, there is always a solution
    ~~~~~~ Cs ~~~~~~
    0
  2. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    Hello idnoder,

    at Lili's request, who has a problem with her PC, I'm taking over to finish the

    disinfection of your PC

    please do this and post the report

    Download roguekiller to your desktop

    take this one, look at the image >> click here

    The link https://www.luanagames.com/index.fr.html

    The tutorial http://tigzyrk.blogspot.be/2012/10/fr-roguekiller-tutoriel-officiel.html

    Close all your running programs

    Run roguekiller (Vista-W7-W8 users run as administrator - right-click)

    Let the prescan run and accept the Eula, see the image >> click here

    Click on scan

    The report will be displayed on your desktop and in C: RKReport[#].txt

    Post the report via copy/paste

    thank you

    @+

    the radiation level is higher at the employment office than at Chernobyl
    0
  3. idnoder Posted messages 251 Status Member 5
     
    RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    email: https://www.adlice.com/contact/
    Feedback: https://forum.adlice.com/
    Website: http://www.surlatoile.org/RogueKiller/
    Blog: https://www.adlice.com/

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bit version
    Boot Mode: Normal mode
    User: Jacques [Admin Rights]
    Mode: Scan -- Date: 03/31/2014 18:11:16
    | ARK || FAK || MBR |

    ¤¤¤ Malicious Processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 13 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : C-Media Mixer (Mixer.exe /startup [7]) -> FOUND
    [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:49167;hxxps=127.0.0.1:49167; [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND
    [PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
    [HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled Tasks: 2 ¤¤¤
    [V1][ROGUE ST] Weather It Up-firefoxinstaller.job : C:\Program Files\Weather It Up\Weather It Up-firefoxinstaller.exe - /installxpi /agentregpath='Weather It Up' /extensionfilepath='C:\Program Files\Weather It Up\49136.xpi' /appid=49136 /srcid='001101' /subid='0' /zdata='0' /bic=466DAF398D184B32823696145A8F0714IE /verifier=9343920cce8629641ebab91953801463 /installerversion=1_34_3_6 /installerfullversion=1.34.3.6 /installationtime=1396248094 /statsdomain=hxxp://stats.srvstatsdata.com /errorsdomain=hxxp://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=18c3bc7a-b2aa-43c1-885a-665d2f25cf89@d6802e59-3519-4428-bef7-bce888d550bb.com /extensionversion=0.94 /prefsbranch=a18c3bc7ab2aa43c1885a665d2f25cf89d6802e5935194428bef7bce888d550bbcom49136 /updateurl=hxxps://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/49136.rdf /extensionname='Weather It Up' /extensiondesc='Weather it up is a simple browser extension that provides the latest weather information.' /publishername='Phoenix Media' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='hxxp://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /runfrom='task' /externallog='' [-][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x] -> FOUND
    [V2][ROGUE ST] Weather It Up-firefoxinstaller : C:\Program Files\Weather It Up\Weather It Up-firefoxinstaller.exe - /installxpi /agentregpath='Weather It Up' /extensionfilepath='C:\Program Files\Weather It Up\49136.xpi' /appid=49136 /srcid='001101' /subid='0' /zdata='0' /bic=466DAF398D184B32823696145A8F0714IE /verifier=9343920cce8629641ebab91953801463 /installerversion=1_34_3_6 /installerfullversion=1.34.3.6 /installationtime=1396248094 /statsdomain=hxxp://stats.srvstatsdata.com /errorsdomain=hxxp://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=18c3bc7a-b2aa-43c1-885a-665d2f25cf89@d6802e59-3519-4428-bef7-bce888d550bb.com /extensionversion=0.94 /prefsbranch=a18c3bc7ab2aa43c1885a665d2f25cf89d6802e5935194428bef7bce888d550bbcom49136 /updateurl=hxxps://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/49136.rdf /extensionname='Weather It Up' /extensiondesc='Weather it up is a simple browser extension that provides the latest weather information.' /publishername='Phoenix Media' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='hxxp://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /runfrom='task' /externallog='' [-][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x] -> FOUND

    ¤¤¤ Startup Entries: 0 ¤¤¤

    ¤¤¤ Web Browsers: 0 ¤¤¤

    ¤¤¤ Browser Addons: 0 ¤¤¤

    ¤¤¤ Specific Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOAD] ¤¤¤
    [Address] EAT @explorer.exe (DllCanUnloadNow) : wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D155F)
    [Address] EAT @explorer.exe (DllGetClassObject) : wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D4852)
    [Address] EAT @explorer.exe (DllMain) : wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D12FB)
    [Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll @ 0x021B4C50)
    [Address] IAT @iexplore.exe (LoadLibraryA) : KERNEL32.dll -> HOOKED (C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll @ 0x021B2000)
    [Address] IAT @iexplore.exe (LoadLibraryW) : KERNEL32.dll -> HOOKED (C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll @ 0x021B2030)
    [Address] IAT @iexplore.exe (LoadLibraryExW) : KERNEL32.dll -> HOOKED (C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll @ 0x021B20B0)

    ¤¤¤ External Routines: ¤¤¤

    ¤¤¤ Infection: ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    ---> %SystemRoot%\System32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721616PLA380 ATA Device +++++
    --- User ---
    [MBR] 681add1742775c3b051c7c13f50a8958
    [BSP] 855b5aaea752edba6aa8805dcb802c62 : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 157064 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished: << RKreport[0]_S_03312014_181116.txt >>

    Here is the report, I hope everything will be fine....thank you, have a good evening.
    --
    Jacques
    0
  4. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    re

    ok, relaunch roguekiller, let it do the pre-scan then click on scan

    when the scan is finished, click on delete and on proxy reset

    look at this

    delete
    proxy reset

    post the reports via 1 copy/paste

    thank you

    @+

    the radiation level is higher at the employment agency than at Chernobyl
    0
  5. idnoder Posted messages 251 Status Member 5
     
    Hello, there has been a change in my PC, I'm getting ads like (trojan horse) and double icons on my desktop, this morning it's in full form.
    Yesterday I did a scan but it's impossible to copy and paste, so I'm doing it manually, there are two lines for Explorer
    1st) status(deleted) type(PUM) key type(IE proxy) global(HKEY current user) user(none) key(software\microsoft\windows\current version\internet SE) value(proxy server) data(127.0.0.1;49167;https=127.0.0.1;49167;)
    2nd) status(replaced) type(PUM) key type(IE proxy) global(HKEY current user) key(software\microsoft\windows\current version\internetSE) value(proxy enable) data(1).
    That's the result, now this morning on my desktop I found three roguekiller reports from last night at 7 PM, they are different if that helps!!!! Have a good day, and thanks again.

    --
    jacques
    0
  6. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    Hi idnoder,

    yesterday I did the scan but it's impossible to copy and paste, so I'm doing it by hand

    try again one more time to post the 3 reports via one copy/paste please

    if it doesn't work, host them via cjoint >> https://www.cjoint.com/

    thanks

    @+

    --
    the radiation level is higher at the employment center than in Chernobyl
    0
  7. lilidurhone Posted messages 800 Registration date   Status Security Contributor Last intervention   3 818
     
    Hello

    Starting tomorrow evening, I can resume :)

    Take care

    --
    If there is a problem, there is always a solution
    ~~~~~~ Cs ~~~~~~
    0
  8. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    Hi Lili,

    Okay, no problem

    See you later

    --
    The radiation level is higher at the employment center than at Chernobyl.
    0
  9. idnoder Posted messages 251 Status Member 5
     
    here is the first of three, Jacques

    --
    jacquesRogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    email: https://www.adlice.com/contact/
    Feedback: https://forum.adlice.com/
    Website: http://www.surlatoile.org/RogueKiller/
    Blog: https://www.adlice.com/

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 32-bit version
    Boot: Normal mode
    User: Jacques [Admin rights]
    Mode: Scan -- Date: 03/31/2014 19:54:36
    | ARK || FAK || MBR |

    ¤¤¤ Malicious Processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 2 ¤¤¤
    [PROXY IE][PUM] HKCU\[...]\Internet Settings: ProxyServer (hxxp=127.0.0.1:49167;hxxps=127.0.0.1:49167; [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND
    [PROXY IE][PUM] HKCU\[...]\Internet Settings: ProxyEnable (1) -> FOUND

    ¤¤¤ Scheduled Tasks: 0 ¤¤¤

    ¤¤¤ Startup Entries: 0 ¤¤¤

    ¤¤¤ Web Browsers: 0 ¤¤¤

    ¤¤¤ Browser Addons: 0 ¤¤¤

    ¤¤¤ Specific Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤
    [Address] EAT @explorer.exe (DllCanUnloadNow): wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D155F)
    [Address] EAT @explorer.exe (DllGetClassObject): wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D4852)
    [Address] EAT @explorer.exe (DllMain): wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D12FB)

    ¤¤¤ External Traffic: ¤¤¤

    ¤¤¤ Infection: ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721616PLA380 ATA Device +++++
    --- User ---
    [MBR] 681add1742775c3b051c7c13f50a8958
    [BSP] 855b5aaea752edba6aa8805dcb802c62: Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 157064 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished: << RKreport[0]_S_03312014_195436.txt >>
    RKreport[0]_D_03312014_182539.txt;RKreport[0]_S_03312014_181116.txt
    0
  10. idnoder Posted messages 251 Status Member 5
     
    here is the second one, Jacques

    --
    jacquesRogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    email : https://www.adlice.com/contact/
    Feedback: https://forum.adlice.com/
    Website: http://www.surlatoile.org/RogueKiller/
    Blog: https://www.adlice.com/

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 32-bit version
    Boot: Normal Mode
    User: Jacques [Admin Rights]
    Mode: Removal -- Date: 03/31/2014 19:54:57
    | ARK || FAK || MBR |

    ¤¤¤ Malicious Processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 0 ¤¤¤

    ¤¤¤ Scheduled Tasks: 0 ¤¤¤

    ¤¤¤ Startup Entries: 0 ¤¤¤

    ¤¤¤ Web Browsers: 0 ¤¤¤

    ¤¤¤ Browser Addons: 0 ¤¤¤

    ¤¤¤ Specific Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤
    [Address] EAT @explorer.exe (DllCanUnloadNow): wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D155F)
    [Address] EAT @explorer.exe (DllGetClassObject): wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D4852)
    [Address] EAT @explorer.exe (DllMain): wlanutil.dll -> HOOKED (C:\Windows\System32\SndVolSSO.dll @ 0x735D12FB)

    ¤¤¤ External Routines: ¤¤¤

    ¤¤¤ Infection: ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts

    127.0.0.1 localhost
    ::1 localhost

    ¤¤¤ MBR Verification: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721616PLA380 ATA Device +++++
    --- User ---
    [MBR] 681add1742775c3b051c7c13f50a8958
    [BSP] 855b5aaea752edba6aa8805dcb802c62: Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 157064 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished: << RKreport[0]_D_03312014_195454.txt >>
    RKreport[0]_D_03312014_182539.txt;RKreport[0]_S_03312014_181116.txt;RKreport[0]_S_03312014_195436.txt
    0
  11. idnoder Posted messages 251 Status Member 5
     
    now the third one, thank you, Jacques

    --
    jacquesRogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    email: https://www.adlice.com/contact/
    Feedback: https://forum.adlice.com/
    Website: http://www.surlatoile.org/RogueKiller/
    Blog: https://www.adlice.com/

    Operating system: Windows Vista (6.0.6002 Service Pack 2) 32 bit version
    Boot mode: Normal
    User: Jacques [Admin rights]
    Mode: Proxy RAZ -- Date: 03/31/2014 19:55:02
    | ARK || FAK || MBR |

    ¤¤¤ Malicious processes: 0 ¤¤¤

    ¤¤¤ Registry entries: 2 ¤¤¤
    [PROXY IE][PUM] HKCU\[...]\Internet Settings: ProxyServer (hxxp=127.0.0.1:49167;hxxps=127.0.0.1:49167; [Country: (Private Address) (XX), City: (Private Address)]) -> DELETED
    [PROXY IE][PUM] HKCU\[...]\Internet Settings: ProxyEnable (1) -> REPLACED (0)

    ¤¤¤ Web browsers: 0 ¤¤¤

    ¤¤¤ Driver: [LOAD] ¤¤¤

    ¤¤¤ External hives: ¤¤¤

    ¤¤¤ Infection: ¤¤¤

    Finished: << RKreport[0]_PR_03312014_195500.txt >>
    RKreport[0]_D_03312014_182539.txt;RKreport[0]_D_03312014_195454.txt;RKreport[0]_S_03312014_181116.txt
    RKreport[0]_S_03312014_195436.txt
    0
  12. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    Hi Jacques,

    let me know how the PC is doing

    thanks

    @+

    --
    the radiation level is higher at the job center than at Chernobyl
    0
  13. idnoder Posted messages 251 Status Member 5
     
    Hello, I waited this morning to see how it worked. So, one minute to access the Orange portal, then it is a bit faster but still slow. I have new ads appearing right now (Groupon which I don't know!!) and Bubble Dock at startup. For the rest, I'll see today. I can no longer access Facebook even through YouTube. I removed Chrome to see if it worked better but with no results, I’ll be able to put it back. That's where I stand for now. This morning I have work to do in the workshop so I’ll check around noon how it’s working. Thank you, have a good day. Jacques

    --
    jacques
    0
  14. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    Hi Jacques,

    please do this and post the report

    the link to host/post the report >> https://www.cjoint.com/

    the software to run on your PC >> http://www.sosvirus.net/canned-speech-shortcut-module-t613.html

    thank you

    see you

    --
    the radiation level is higher at the employment agency than at Chernobyl
    0
  15. idnoder Posted messages 251 Status Member 5
     
    Good evening, I think the (Trojans have landed) my computer is no longer working, I have ads continuously, the more I clean it, the less it works, I contacted sosvirus and I'm waiting, but since it's a forum I don't see what they're going to do better!! Can you tell me if it's possible to fix this problem (a month ago my computer doctor told me it was dead) thank you for your reply, Jacques

    --
    jacques
    0
  16. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    Hi Jacques,

    I contacted sosvirus and I'm waiting

    Let me know if you're registered on the site, as I don't see the username you use on CCM

    WARNING, you must not follow two disinfections simultaneously (risk of crashing the PC)

    If you haven't followed any instructions on sosvirus yet, try running

    Shortcut_Module in safe mode with network support

    http://www.sosvirus.net/mode-sans-echec-canned-speech-mode-sans-echec-t1391.html

    Awaiting your response

    Thank you

    @+

    --
    The radiation level is higher at the employment agency than at Chernobyl.
    0
  17. idnoder Posted messages 251 Status Member 5
     
    Hi, I didn't use sosvirus for disinfection, I'm waiting for a response, but I just went into (safe mode without results) I found a screen with my icons but nothing worked so I went back to normal mode and everything went back to normal, so for now no disinfection, well I’m not working on my computer, you know! At 77 years old it's retirement, but the computer passes the time, have a good evening, Jacques

    --
    jacques
    0
  18. billmaxime Posted messages 50523 Registration date   Status Contributor Last intervention   6 150
     
    Hi Jacques,

    let me know if you managed to execute Shortcut_Module on your PC

    thanks

    @+

    --
    the radiation level is higher at the unemployment office than in Chernobyl
    0
  19. idnoder
     
    Good evening, no, I wasn't able to succeed, and as on sosvirus, el desaparecido asked me to download OTL from Old Timer (which I couldn't place on my desktop, but I did the analysis that I sent) (I will try once again to put it on the desktop). It's not easy because when I'm on a page, ads pop up on their own, which is very annoying. My identification on sosvirus is (lenuleninformatique) and that's true. Have a good evening, Jacques.
    0
    1. lilidurhone Posted messages 800 Registration date   Status Security Contributor Last intervention   3 818
       
      :)

      I’m marking this as resolved here :)

      See you there
      0
  20. idnoder Posted messages 251 Status Member 5
     
    Hello lilidurhone, for me it's not resolved at all, on the contrary I have two additional viruses, and there (sosvirus) they don't do much or I don't know how to get it to work!! I don't know what to do anymore because I switch pages and I get an ad, if I try to access a site IE does not respond, how can I do a complete cleanup once and for all? Have a nice day Jacques

    --
    jacques
    0
Previous
  • 1
  • 2