Virus Trojan Win32

Solved
Lou0909 (member)
Hello,
I have a Trojan Win32 virus on my PC. When I start my system, a message is generated telling me that the PC will shut down in 10 minutes because of the Trojan Win32 virus. I ran Microsoft Security Essentials, which detected this virus in several locations, but it didn't change anything. I can't run Malwarebytes Anti-Malware because the PC shuts down before the scan is finished. I ran Avast, which detected 3 infected files and quarantined them. Currently, I am running a more thorough scan with Avast.
Can you help me? I don't know what else to do.
Thank you

5 replies

Saraapop (member)
Good evening

Try downloading AdwCleaner.

--
Posted from CCM Live forum for iPhone/iPad

Lou0909
Hello
Thank you for wanting to help me. I have to wait to try to load AdwCleaner because Avast is currently running a scan and quarantining everything it finds infected (believe me, it finds a lot). As soon as it finishes, I will load AdwCleaner. I already ran CCleaner and it didn’t help at all. I will keep you updated. Thank you.

Saraapop (member) > Lou0909
Hello

As I recommended, AdwCleaner is a program that a computer-savvy friend recommended to me for my little viruses, so I hope it works for you.


Lou0909 > Saraapop
I tried it, but it didn't work.
Thank you.

Saraapop > Lou0909
Oh, okay, but what did you download to get that virus? (I've had a lot of viruses, so I want to know if you got the same one as me.)


Malekal_morte- (moderator, security contributor)
Hello,

Follow the FRST tutorial.
(And be sure to read carefully to apply everything correctly; everything is explained.)
Download and run the FRST scan, which will generate three FRST reports:
  • FRST.txt
  • Shortcut.txt
  • Addition.txt


Send, as explained, these three reports to the website http://pjjoint.malekal.com and in return provide the three pjjoint links that lead to these reports here in a new response so that we can consult them.

--
Like the angel you are, you laugh creating a lightness in my chest,
Your eyes they penetrate me,
(Your answer's always 'maybe')
That's when I got up and left

Lou0909
Hi,
Is it safe? Should I run AdwCleaner before executing the tutorial?
Thank you

Malekal_morte-
As you wish, we will see what there is with FRST anyway.

Lou0909 > Malekal_morte-
Hello
I ran AdwCleaner and it didn't help. I tried to load FRST and it won't load. The internet is very slow and it's not always working.

Malekal_morte-
Run FRST.

Lou0909 > Malekal_morte-
Hello
I finally managed to run FRST and the reports are on my desktop. I tried to send them, and indeed the system gives me a link, but when I right-click on the link, the system doesn't give me the option to copy the link. So I am unable to send the reports. What should I do?

Malekal_morte-
Send C:\ProgramData\DataFile\DV.exe to http://upload.malekal.com

then:

Here is the correction to be made with FRST.
You can refer to this explanatory note with screenshots to help you: https://www.malekal.com/tutoriel-farbar-recovery-scan-tool-frst/#fix

Open Notepad: Press Windows + R, in the run box, type notepad and OK.
Copy/paste the following into it:

HKU\S-1-5-21-1957909628-1465040256-3756267120-1000\...\Run: [DV] => C:\ProgramData\DataFile\DV.exe [275968 2015-07-23] ()
2015-07-22 11:49 - 2015-07-22 12:24 - 00003456 _____ C:\Windows\System32\Tasks\Nleuuvtral
2015-07-22 11:41 - 2015-07-22 11:41 - 00003052 _____ C:\Windows\System32\Tasks\Form Cooking
2015-07-22 11:41 - 2015-07-22 11:41 - 00000024 _____ C:\Users\Joe\AppData\Roaming\appdataFr25.bin
2015-07-22 11:41 - 2015-07-22 11:41 - 00000000 ____D C:\Users\Joe\AppData\Local\Form Cooking
2015-07-22 11:26 - 2015-07-23 10:25 - 00000000 ____D C:\ProgramData\DataFile
2015-07-22 11:15 - 2015-07-23 06:30 - 00000000 ____D C:\Program Files (x86)\3dc97409-7866-4100-9e31-b00539e69dde
2015-07-22 10:51 - 2015-07-22 10:51 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-22 10:36 - 2015-07-24 06:19 - 00000338 ____H C:\Windows\Tasks\XDRYJGURDJTTMYHO.job
2015-07-22 10:36 - 2015-07-24 06:19 - 00000326 _____ C:\Windows\Tasks\TLRHBWVKKC1.job
2015-07-22 10:36 - 2015-07-22 16:41 - 00000000 ____D C:\ProgramData\Service1291
2015-07-22 10:36 - 2015-07-22 10:36 - 00003368 _____ C:\Windows\System32\Tasks\XDRYJGURDJTTMYHO
2015-07-22 10:36 - 2015-07-22 10:36 - 00002848 _____ C:\Windows\System32\Tasks\TLRHBWVKKC1
2015-07-22 10:36 - 2015-07-22 10:36 - 00000000 ____D C:\ProgramData\28341ff220e0446c9fff27c4493d622e
Task: {E6692242-9973-40B1-AE53-E4E18D5A8F08} - \Binkiland lesa No Task File <==== ATTENTION
Task: {F56E36BF-1493-4A9B-83CA-59F1365E466A} - \SMW_UpdateTask_Time_313538323138323838332d5b2d4a326c57235a2a45552a No Task File <==== ATTENTION
Task: {11C401F2-B380-4F46-A4BF-4DE7F8D4EE40} - System32\Tasks\{BA5C1C82-3AEB-455E-B73A-395FEE0735B9} => pcalua.exe -a C:\PROGRA~2\SearchProtect\Main\bin\uninstall.exe -c /S <==== ATTENTION
Task: {1AE49383-6A93-4268-8967-D5CA7D98A7DC} - System32\Tasks\{AFFFF1EF-182B-428A-B0FD-04DB247F6ABA} => pcalua.exe -a C:\ProgramData\HealthAlert\uninstall.exe -c /kb=y /ic=1
Task: {2F3B7D55-6016-433A-8DE5-AADF08CB62DF} - System32\Tasks\XDRYJGURDJTTMYHO => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
Task: {2FF860B1-A531-49D1-9FC4-50FF9DADB5D0} - System32\Tasks\Nleuuvtral => C:\ProgramData\Nleuuvtral\1.0.4.1\iimoodlu.exe
Task: {582D0D70-43F1-4633-8835-795A7C3E465A} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: {8FDD5BEF-CE25-4F7F-8992-29D434922ED8} - \SMWUpd No Task File <==== ATTENTION
Task: {950B8780-97D0-4059-8C49-346D93DC1D2B} - System32\Tasks\TLRHBWVKKC1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION

Once the text is pasted into Notepad, open the File menu, then Save As.
On the left, go to the desktop.
In the bottom field, file name, enter: fixlist.txt
Click on Save; this will create a file fixlist.txt on the desktop.

Restart FRST and click the Fix button.
A restart may be requested (not mandatory).
A text file will appear; copy/paste its content here in a new message.

Restart the computer

then reset your browsers:
==================================
Reset your browsers and/or manually reconfigure your web browsers (homepage, search engine, etc.) but also remove/disable unnecessary/parasitic extensions:


Lou0909
Hello
There is no ProgramData in C:.
Should I still apply the requested corrections anyway?
Thank you

Malekal_morte-
yes.

Lou0909 > Malekal_morte-
I am ready to restart the computer. Here is the result of the first step
Fix result of Farbar Recovery Scan Tool (x64) Version:20-07-2015
Ran by Joe at 2015-07-24 09:07:47 Run:2
Running from C:\Users\Joe\Desktop
Loaded Profiles: Joe (Available Profiles: Joe)
Boot Mode: Normal
==============================================

fixlist content:

HKU\S-1-5-21-1957909628-1465040256-3756267120-1000\...\Run: [DV] => C:\ProgramData\DataFile\DV.exe [275968 2015-07-23] ()
2015-07-22 11:49 - 2015-07-22 12:24 - 00003456 _____ C:\Windows\System32\Tasks\Nleuuvtral
2015-07-22 11:41 - 2015-07-22 11:41 - 00003052 _____ C:\Windows\System32\Tasks\Form Cooking
2015-07-22 11:41 - 2015-07-22 11:41 - 00000024 _____ C:\Users\Joe\AppData\Roaming\appdataFr25.bin
2015-07-22 11:41 - 2015-07-22 11:41 - 00000000 ____D C:\Users\Joe\AppData\Local\Form Cooking
2015-07-22 11:26 - 2015-07-23 10:25 - 00000000 ____D C:\ProgramData\DataFile
2015-07-22 11:15 - 2015-07-23 06:30 - 00000000 ____D C:\Program Files (x86)\3dc97409-7866-4100-9e31-b00539e69dde
2015-07-22 10:51 - 2015-07-22 10:51 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-22 10:36 - 2015-07-24 06:19 - 00000338 ____H C:\Windows\Tasks\XDRYJGURDJTTMYHO.job
2015-07-22 10:36 - 2015-07-24 06:19 - 00000326 _____ C:\Windows\Tasks\TLRHBWVKKC1.job
2015-07-22 10:36 - 2015-07-22 16:41 - 00000000 ____D C:\ProgramData\Service1291
2015-07-22 10:36 - 2015-07-22 10:36 - 00003368 _____ C:\Windows\System32\Tasks\XDRYJGURDJTTMYHO
2015-07-22 10:36 - 2015-07-22 10:36 - 00002848 _____ C:\Windows\System32\Tasks\TLRHBWVKKC1
2015-07-22 10:36 - 2015-07-22 10:36 - 00000000 ____D C:\ProgramData\28341ff220e0446c9fff27c4493d622e
Task: {E6692242-9973-40B1-AE53-E4E18D5A8F08} - \Binkiland lesa No Task File <==== ATTENTION
Task: {F56E36BF-1493-4A9B-83CA-59F1365E466A} - \SMW_UpdateTask_Time_313538323138323838332d5b2d4a326c57235a2a45552a No Task File <==== ATTENTION
Task: {11C401F2-B380-4F46-A4BF-4DE7F8D4EE40} - System32\Tasks\{BA5C1C82-3AEB-455E-B73A-395FEE0735B9} => pcalua.exe -a C:\PROGRA~2\SearchProtect\Main\bin\uninstall.exe -c /S <==== ATTENTION
Task: {1AE49383-6A93-4268-8967-D5CA7D98A7DC} - System32\Tasks\{AFFFF1EF-182B-428A-B0FD-04DB247F6ABA} => pcalua.exe -a C:\ProgramData\HealthAlert\uninstall.exe -c /kb=y /ic=1
Task: {2F3B7D55-6016-433A-8DE5-AADF08CB62DF} - System32\Tasks\XDRYJGURDJTTMYHO => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
Task: {2FF860B1-A531-49D1-9FC4-50FF9DADB5D0} - System32\Tasks\Nleuuvtral => C:\ProgramData\Nleuuvtral\1.0.4.1\iimoodlu.exe
Task: {582D0D70-43F1-4633-8835-795A7C3E465A} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: {8FDD5BEF-CE25-4F7F-8992-29D434922ED8} - \SMWUpd No Task File <==== ATTENTION
Task: {950B8780-97D0-4059-8C49-346D93DC1D2B} - System32\Tasks\TLRHBWVKKC1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION


HKU\S-1-5-21-1957909628-1465040256-3756267120-1000\Software\Microsoft\Windows\CurrentVersion\Run\\DV => value not found.
"C:\Windows\System32\Tasks\Nleuuvtral" => File/Folder not found.
"C:\Windows\System32\Tasks\Form Cooking" => File/Folder not found.
"C:\Users\Joe\AppData\Roaming\appdataFr25.bin" => File/Folder not found.
"C:\Users\Joe\AppData\Local\Form Cooking" => File/Folder not found.
"C:\ProgramData\DataFile" => File/Folder not found.
"C:\Program Files (x86)\3dc97409-7866-4100-9e31-b00539e69dde" => File/Folder not found.
"C:\ProgramData\Package Cache" => File/Folder not found.
"C:\Windows\Tasks\XDRYJGURDJTTMYHO.job" => File/Folder not found.
"C:\Windows\Tasks\TLRHBWVKKC1.job" => File/Folder not found.
"C:\ProgramData\Service1291" => File/Folder not found.
"C:\Windows\System32\Tasks\XDRYJGURDJTTMYHO" => File/Folder not found.
"C:\Windows\System32\Tasks\TLRHBWVKKC1" => File/Folder not found.
"C:\ProgramData\28341ff220e0446c9fff27c4493d622e" => File/Folder not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6692242-9973-40B1-AE53-E4E18D5A8F08} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Binkiland lesa => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F56E36BF-1493-4A9B-83CA-59F1365E466A} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_UpdateTask_Time_313538323138323838332d5b2d4a326c57235a2a45552a => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{11C401F2-B380-4F46-A4BF-4DE7F8D4EE40} => key not found.
C:\Windows\System32\Tasks\{BA5C1C82-3AEB-455E-B73A-395FEE0735B9} not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{BA5C1C82-3AEB-455E-B73A-395FEE0735B9} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1AE49383-6A93-4268-8967-D5CA7D98A7DC} => key not found.
C:\Windows\System32\Tasks\{AFFFF1EF-182B-428A-B0FD-04DB247F6ABA} not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{AFFFF1EF-182B-428A-B0FD-04DB247F6ABA} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F3B7D55-6016-433A-8DE5-AADF08CB62DF} => key not found.
C:\Windows\System32\Tasks\XDRYJGURDJTTMYHO not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\XDRYJGURDJTTMYHO => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2FF860B1-A531-49D1-9FC4-50FF9DADB5D0} => key not found.
C:\Windows\System32\Tasks\Nleuuvtral not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Nleuuvtral => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{582D0D70-43F1-4633-8835-795A7C3E465A} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Start => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FDD5BEF-CE25-4F7F-8992-29D434922ED8} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMWUpd => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{950B8780-97D0-4059-8C49-346D93DC1D2B} => key not found.
C:\Windows\System32\Tasks\TLRHBWVKKC1 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TLRHBWVKKC1 => key not found.

End of Fixlog 09:07:48

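The fix above hands FRST a list of persistence points to remove (a Run value, scheduled tasks, dropped folders), and the Fixlog that comes back states per item whether anything was actually found. As an added example, not code from the thread and not part of FRST, here is a small Python triage script that parses those same line formats from the fixlist and the Fixlog posted above and applies the checks an analyst makes before approving such a list: FRST's own ATTENTION marker, tasks still registered without a task file, actions that launch through a proxy binary such as pcalua.exe, programs autostarting from ProgramData or a user profile, and hex/GUID or near-consonant-only names. The name and location heuristics and the proxy-binary list are this example's own assumptions, not FRST logic; the sample lines are a subset copied from the posts.

```python
"""Triage helper for FRST fixlist and Fixlog lines (added example, not FRST code)."""
# Heuristics, thresholds and the proxy-binary list below are this example's assumptions.
import re
from collections import Counter

# Subset of the fixlist lines posted in the thread.
FIXLIST = r"""
HKU\S-1-5-21-1957909628-1465040256-3756267120-1000\...\Run: [DV] => C:\ProgramData\DataFile\DV.exe [275968 2015-07-23] ()
2015-07-22 10:36 - 2015-07-22 10:36 - 00000000 ____D C:\ProgramData\28341ff220e0446c9fff27c4493d622e
Task: {E6692242-9973-40B1-AE53-E4E18D5A8F08} - \Binkiland lesa No Task File <==== ATTENTION
Task: {11C401F2-B380-4F46-A4BF-4DE7F8D4EE40} - System32\Tasks\{BA5C1C82-3AEB-455E-B73A-395FEE0735B9} => pcalua.exe -a C:\PROGRA~2\SearchProtect\Main\bin\uninstall.exe -c /S <==== ATTENTION
Task: {2F3B7D55-6016-433A-8DE5-AADF08CB62DF} - System32\Tasks\XDRYJGURDJTTMYHO => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
Task: {2FF860B1-A531-49D1-9FC4-50FF9DADB5D0} - System32\Tasks\Nleuuvtral => C:\ProgramData\Nleuuvtral\1.0.4.1\iimoodlu.exe
Task: {950B8780-97D0-4059-8C49-346D93DC1D2B} - System32\Tasks\TLRHBWVKKC1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
"""

# Subset of the Fixlog lines posted in the thread.
FIXLOG = r"""
HKU\S-1-5-21-1957909628-1465040256-3756267120-1000\Software\Microsoft\Windows\CurrentVersion\Run\\DV => value not found.
"C:\ProgramData\DataFile" => File/Folder not found.
C:\Windows\System32\Tasks\XDRYJGURDJTTMYHO not found.
"""

RUN_RE = re.compile(r"^(?P<key>HK\S+)\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*?)"
                    r"(?: \[(?P<size>\d+) (?P<date>[\d-]+)\])?(?: \((?P<publisher>[^)]*)\))?$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d{8} (?P<attrs>[_A-Z]{5}) (?P<path>.+)$")
TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-F-]{36})\} - (?P<rest>.+)$")
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.I)
GUID_NAME = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
ATTENTION = " <==== ATTENTION"   # FRST's own marker for entries it distrusts
NO_TASK_FILE = " No Task File"   # task still registered in the registry, but its XML is gone
# Signed Windows binaries often used to launch something else (assumed list, LOLBAS-style).
PROXY_BINARIES = {"pcalua.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def name_findings(name):
    """Flag hex/GUID names and near-consonant-only names (heuristic thresholds)."""
    if HEX_NAME.match(name) or GUID_NAME.match(name):
        return ["machine-generated name"]
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) >= 8 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2:
        return ["random-looking name"]
    return []

def path_findings(path):
    """Autostarts from ProgramData or a user profile are unusual for legitimate software."""
    low = path.lower()
    if low.startswith(r"c:\programdata") or "\\appdata\\" in low:
        return ["runs from user-writable location"]
    return []

def action_findings(action):
    """Unwrap proxy launchers so the location check sees the real target."""
    first = action.split(" ", 1)[0].lower().rsplit("\\", 1)[-1]
    if first in PROXY_BINARIES:
        m = re.search(r"-a (\S+)", action)  # pcalua.exe -a <target> runs <target>
        return [f"proxy execution via {first}"] + path_findings(m.group(1) if m else action)
    return path_findings(action)

def parse_frst(text):
    """Return one dict per non-empty line with a 'kind' and a list of 'findings'."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        flagged = line.endswith(ATTENTION)
        if flagged:
            line = line[: -len(ATTENTION)]
        if m := RUN_RE.match(line):
            e = {"kind": "run", "name": m["name"], "target": m["target"],
                 "findings": path_findings(m["target"]) + name_findings(m["name"])}
        elif m := TASK_RE.match(line):
            e = {"kind": "task", "guid": m["guid"], "action": None}
            if m["rest"].endswith(NO_TASK_FILE):
                e["name"] = m["rest"][: -len(NO_TASK_FILE)]
                e["findings"] = ["registered task without task file"]
            else:
                e["name"], _, e["action"] = m["rest"].partition(" => ")
                e["findings"] = action_findings(e["action"])
            e["findings"] += name_findings(e["name"].rsplit("\\", 1)[-1])
        elif m := FILE_RE.match(line):
            e = {"kind": "dir" if "D" in m["attrs"] else "file", "path": m["path"],
                 "findings": name_findings(m["path"].rsplit("\\", 1)[-1])}
        else:
            e = {"kind": "unknown", "raw": line, "findings": []}
        if flagged:
            e["findings"].append("flagged ATTENTION by FRST")
        entries.append(e)
    return entries

def summarize_fixlog(text):
    """Tally a Fixlog: a 'not found' line means that item changed nothing on the machine."""
    def outcome(ln):
        return "not found" if "not found" in ln else "actioned" if "successfully" in ln else "other"
    return dict(Counter(outcome(ln) for ln in map(str.strip, text.splitlines()) if ln))

if __name__ == "__main__":
    print(*(e for e in parse_frst(FIXLIST) if e["findings"]), sep="\n")
    print(summarize_fixlog(FIXLOG))
```

Run it as a script to print the flagged entries and the Fixlog tally. The tally is the check worth keeping in mind when reading a Fixlog: a run in which every item reports "not found" removed nothing on that run, so the improvement has to be attributed to an earlier fix run or to another tool, and the remaining FRST reports should be re-read before the machine is declared clean.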

Lou0909
Hello,
There has been a lot of improvement. The Trojan message no longer appears at startup. My PC doesn't shut down by itself anymore.
I have reset the advanced settings on the internet and I am at the point of removing the add-ons, but I can't find tools on the internet. I have MSN displayed.

Malekal_morte-

Open My Computer
then the C drive
Open the FRST folder.
Inside, you will find the Quarantine folder
Right-click on it and send it to a compressed folder.
Upload the zip file to http://upload.malekal.com


Lou0909
Hello

I also wanted to tell you that I managed to do everything you asked me to and there are no more viruses, the computer no longer shuts down. The internet is completely cleaned and it's doing very well and is very fast. Everything seems to be just fine. Once it's done, should I remove FRST from my PC, and the scripts that were generated? Thank you a thousand times.
I tried to do what you asked me to, and I can't because the system responds to me with, folder not found or access denied.

Malekal_morte-
You didn't send the zip.

Lou0909 > Malekal_morte-
I am unable to do it because when I click on the compressed folder, the system responds: folder not found or read access denied. What should I do?

Malekal_morte-
OK, never mind.

to finish, run a Malwarebytes cleanup: https://www.malekal.com/tutoriel-malwarebyte-anti-malware/

~~

There you go, it's done, you can delete the programs used.

Some advice:

To protect against malicious sites, you can install Blockulicious: https://forum.malekal.com/viewtopic.php?t=46656&start=

To avoid getting caught again, read Unwanted Programs / PUPs: https://www.malekal.com/adwares-pup-protection/
(In particular, enable PUP detections to catch unwanted and advertising programs.)

The rest of your security: http://forum.malekal.com/comment-securiser-son-ordinateur.html


Lou0909
Thank you very much for your help,
I will do everything you say.
Thanks again and goodbye.