Chinese Virus

Solved
Otoneko Posted messages 11 Status Member -
 Matthieu -
Hello, I am reaching out to you to resolve this virus issue. Having followed Malekal's tutorial, I am attaching the three necessary files:

Addition:
- http://pjjoint.malekal.com/files.php?id=20170116_g9c15q914d13
FRST:
- http://pjjoint.malekal.com/files.php?id=FRST_20170116_q13i15p7z11t8
Shortcut:
- http://pjjoint.malekal.com/files.php?id=20170116_o5x5m7o14g10

Thank you for your help.

Configuration: Windows / Firefox 50.0

7 replies

Malekal_morte- Posted messages 178136 Status Moderator, Security contributor
 
Good evening,

Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.

Open Notepad: Windows Key + R,
In the "Run" field, type notepad and hit OK.
Copy/Paste the following into it:

CreateRestorePoint:
CloseProcesses:
Task: {DBABBBE2-2C44-4BC4-84C2-2B8A4BBADA26} - System32\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-7 => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-7.exe <==== WARNING
Task: {DE359478-DC9E-44D1-A30E-988AFB75B9F9} - System32\Tasks\superbuy4u_helper_service => C:\Program Files\SuperBuy4U\superbuy4u_helper_service.exe <==== WARNING
Task: {E1F3B432-41F0-46F7-96ED-C4B1C127CA13} - System32\Tasks\Download Touch => Rundll32.exe "C:\Users\Neko\AppData\Local\Download Touch\Bin\DownloadTouch.dll",#3 <==== WARNING
Task: {E54F9EDC-F575-4270-9A81-F79587767737} - System32\Tasks\globalUpdateUpdateTaskMachineUA => C:\Program Files\globalUpdate\Update\GoogleUpdate.exe [2014-11-29] (globalUpdate) <==== WARNING
Task: {E659B1D7-FE53-46D5-A37D-768382376DA3} - \AutoKMS -> No file <==== WARNING
Task: {E8B44FD9-D25B-4149-8011-3A5AE8A7EDEE} - System32\Tasks\GyazoUpdateTaskMachineDaily => C:\Program Files\Gyazo\GyazoUpdate.exe [2016-08-03] ()
Task: {EABEE9BD-0708-43FF-BA42-C1D565964A7E} - System32\Tasks\GyazoUpdateTaskMachine => C:\Program Files\Gyazo\GyazoUpdate.exe [2016-08-03] ()
Task: {EB0D712C-798A-4115-A0C4-160D70C6C503} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-1.job => C:\Program Files\CinemaP-1.3c\CinemaP-1.3c-codedownloader.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-11.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-11.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-2.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-2.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-3.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-3.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-4.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-4.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5_user.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-6.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-6.exe <==== WARNING
Task: C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-7.job => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-7.exe <==== WARNING
Task: C:\Windows\Tasks\2bae45c8-f1bf-4423-ad45-95f868db37e5.job => C:\Program Files\CinemaP-1.3c\2bae45c8-f1bf-4423-ad45-95f868db37e5.exe /agentregpath='CinemaP-1.3c' /appid=65779 /srcid='002414' /subid='0' /zdata='0' /bic=2838E9F37D28452FA5AFE614F285AC50IE /verifier=35ae90abfdce147ab7e8998490f2c1e7 /installerversion=1_35_09_29 /installationtime=1417273995 /statsdomain=hxxp:/stats.newonlinedemoserv.com /errorsdomain=hxxp:/errors.newonlinedemoserv.com /extensionname='Information' /torpedoiesleeps=1000 /torpedoieplugins=93-0,102-0,104-0,178-288,179-288,180-288,223-288,263-24 /monetizationdomain=hxxp:/logs.newonlinedemoserv.com <==== WARNING
Task: C:\Windows\Tasks\5d909425-e66f-4cd1-8d63-5aa067548a9b.job => C:\Program Files\CinemaP-1.3c\5d909425-e66f-4cd1-8d63-5aa067548a9b.exe <==== WARNING
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job => C:\Program Files\globalUpdate\Update\GoogleUpdate.exe <==== WARNING
Task: C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job => C:\Program Files\globalUpdate\Update\GoogleUpdate.exe <==== WARNING
Task: C:\Windows\Tasks\sun_king_notification_service.job => C:\Program Files\sun king\sun_king_notification_service.exe /url='hxxp:/cdn.selectbestopt.com/notf_sys/index.html' /crregname='sun king' /appid='73143' /srcid='2913' /bic='e694a66a0fb8bb07e3e8628ec861b692' /verifier='f795cd78c0c28b1f1fb96d04a5eec0ea' /installerversion='1.50.3.10' /statsdomain='hxxp:/stats.buildomserv.com/data.gif?' /errorsdomain='hxxp:/stats.buildomserv.com/data.gif?' /monetizationdomain='hxxp:/logs.buildomserv.com/monetization.gif <==== WARNING
Task: C:\Windows\Tasks\sun_king_updating_service.job => C:\Program Files\sun king\sun_king_updating_service.exe /campid=2913 /verid=1 /url=hxxp:/cdn.buildomserv.com/txt/@CAMPID@/@VER@/file.txt /appid=73143 /taskname=sun_king_updating_service /funurl=hxxp:/stats.buildomserv.com <==== WARNING
Task: C:\Windows\Tasks\superbuy4u_helper_service.job => C:\Program Files\SuperBuy4U\superbuy4u_helper_service.exe <==== WARNING
2017-01-16 16:33 - 2015-04-01 19:33 - 00000650 _____ C:\Windows\Tasks\sun_king_updating_service.job
2017-01-16 16:16 - 2014-11-29 16:16 - 00003080 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-1.job
2017-01-16 16:16 - 2014-11-29 16:16 - 00002414 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5_user.job
2017-01-16 16:16 - 2014-11-29 16:16 - 00002414 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5.job
2017-01-16 16:16 - 2014-11-29 16:16 - 00002078 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-2.job
2017-01-16 16:16 - 2014-11-29 16:16 - 00001402 _____ C:\Windows\Tasks\2bae45c8-f1bf-4423-ad45-95f868db37e5.job
2017-01-16 16:15 - 2014-11-29 16:15 - 00005150 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-7.job
2017-01-16 16:15 - 2014-11-29 16:15 - 00004126 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-4.job
2017-01-16 16:15 - 2014-11-29 16:15 - 00000598 _____ C:\Windows\Tasks\5d909425-e66f-4cd1-8d63-5aa067548a9b.job
2017-01-16 16:14 - 2014-11-29 16:14 - 00005152 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-11.job
2017-01-16 16:13 - 2014-11-29 16:13 - 00004126 _____ C:\Windows\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-3.job
2017-01-09 19:04 - 2016-12-13 17:50 - 00000000 ____D C:\Program Files\Arewsycotele
2017-01-09 14:17 - 2016-12-13 22:29 - 00000000 ____D C:\Program Files\PaintToolSAI
2017-01-09 13:39 - 2016-12-15 12:26 - 00000000 ____D C:\Program Files\95a4q9ug
2016-12-27 12:03 - 2017-01-16 18:07 - 00000000 ____D C:\Program Files\Gubed
2016-12-26 13:04 - 2017-01-09 13:52 - 00000000 ____D C:\Users\Neko\AppData\Roaming\WinSnare
2016-12-26 13:04 - 2016-12-26 13:04 - 00000000 ____D C:\Users\Neko\AppData\Roaming\dgadg
2016-12-26 13:04 - 2016-12-26 13:04 - 00000000 ____D C:\ProgramData\QQBrowser
2016-12-26 13:04 - 2016-12-26 13:04 - 00000000 ____D C:\ProgramData\haeha
2016-12-26 13:04 - 2016-12-26 13:04 - 00000000 ____D C:\ProgramData\aehae
2016-12-23 16:00 - 2017-01-16 17:13 - 00002343 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-12-23 16:00 - 2017-01-05 14:25 - 00002267 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-12-23 16:00 - 2016-12-23 16:00 - 00000000 ____D C:\Program Files\Firefox
2016-12-22 12:58 - 2017-01-16 18:06 - 00000000 ____D C:\Program Files\amuleC1
2016-12-22 12:57 - 2017-01-10 13:58 - 00000000 ____D C:\Program Files\WinArcher
2016-12-19 12:19 - 2017-01-16 18:17 - 00000000 _____ C:\Users\Public\Documents\report.dat
2016-12-19 12:19 - 2017-01-12 14:55 - 00000000 ____D C:\ProgramData\gjdgj
2016-12-19 12:19 - 2017-01-12 14:11 - 00000000 ____D C:\ProgramData\wintools
2016-12-19 12:19 - 2017-01-11 15:20 - 00000000 _____ C:\Users\Public\Documents\temp.dat
2016-12-19 12:19 - 2016-12-26 13:04 - 00000000 ____D C:\ProgramData\ttff
2016-12-18 13:02 - 2016-12-18 13:02 - 00000000 ____D C:\Users\Neko\AppData\Local\Chromium
2016-12-18 01:44 - 2016-12-20 00:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\aaa
ShellExecuteHooks: No name - {39708236-AA9E-11E6-8BD7-64006A5CFC23} - C:\Users\Neko\AppData\Roaming\Rsoghtjonry\Thafry.dll -> No file
S4 globalUpdate; C:\Program Files\globalUpdate\Update\GoogleUpdate.exe [68608 2014-11-29] (globalUpdate) [Unsigned file] <==== WARNING
S4 globalUpdatem; C:\Program Files\globalUpdate\Update\GoogleUpdate.exe [68608 2014-11-29] (globalUpdate) [Unsigned file] <==== WARNING
R2 GubedZL; C:\Program Files\Gubed\GubedZL.dll [125952 2017-01-16] () [Unsigned file]
R3 iThemes5; C:\Program Files\Common Files\Services\iThemes.dll [519680 2017-01-09] () [Unsigned file] <==== WARNING
R2 Archer; C:\Program Files\WinArcher\Archer.dll [434176 2017-01-16] () [Unsigned file]
R2 Convxxxx; C:\Users\Neko\AppData\Roaming\dgadg\UvConverter.exe [396800 2016-12-26] (Copyright (C) 2016) [Unsigned file]
R2 Murudomdanry; C:\Program Files\Arewsycotele\PlsClient.dll [274432 2016-12-13] () [Unsigned file]
S1 p1482146318am; \??\C:\Users\Neko\AppData\Local\Temp\bkAF14.tmp\p1482146318am.sys [X]
S1 p1484053048am; \??\C:\Users\Neko\AppData\Local\Temp\bk709E.tmp\p1484053048am.sys [X]
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:


Once you have pasted the text into Notepad,
Go to the "File" menu and then "Save As",
On the left, navigate to the Desktop,
In the field at the bottom, for the file name enter: fixlist.txt
Click "Save", this will create fixlist.txt on the Desktop.

Restart FRST and click the "Fix" button
A reboot may be necessary (not mandatory)
A text file will appear, copy/paste the content here in a new message.

Restart the computer.

2) Reset/repair the web browsers:

--
Please press any key to continue the disinfection...
Otoneko Posted messages 11 Status Member
 
Here is the Fixlog;

- http://pjjoint.malekal.com/files.php?id=20170116_11f8u12g5w9

I will reboot and take care of the internet browser.
Malekal_morte- Posted messages 178136 Status Moderator, Security contributor
 
Malwarebytes (duration: about 40 minutes of scanning):
==================================================
Download and install MBAM. The free version allows you to clean (make sure to uncheck the trial offer for the Premium version at the end of the installation):

Update MBAM and then start a scan.
At the end of the scan, click "Quarantine" at the bottom right.
Restart the computer if necessary and then relaunch Malwarebytes.

Look for the report in the "Reports" tab.
On the left "Scan Reports", double-click on the scan in the list.
Then at the bottom "Export text file", save it to the desktop.
Go to http://pjjoint.malekal.com/, click on Browse, find the saved Malwarebytes report.
Click on "Send". In a new message here in reply, provide the pjjoint link so that we can review the report.

Then redo a FRST scan and provide the reports via pjjoint.

--
Please press any key to continue the disinfection...
Otoneko Posted messages 11 Status Member
 
I have obtained different reports that I will post below:

- http://pjjoint.malekal.com/files.php?id=20170118_w14i13f5l7t14
- http://pjjoint.malekal.com/files.php?id=20170118_f12j11p14d12i10
- http://pjjoint.malekal.com/files.php?id=20170118_j14v15q55b11
- http://pjjoint.malekal.com/files.php?id=20170118_e6g10r15z14r10

Addition;
- http://pjjoint.malekal.com/files.php?id=20170118_r8d6e7s9v14
FRST;
- http://pjjoint.malekal.com/files.php?id=FRST_20170118_e8f5g9v15t7
Shortcut;
- http://pjjoint.malekal.com/files.php?id=20170118_n13e6s10p7n7

Thank you very much for the help.
Malekal_morte- Posted messages 178136 Status Moderator, Security contributor
 
Have you reset the web browsers?

Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.

Open Notepad: Press Windows + R,
In the "Run" field, type notepad and hit OK.
Copy/Paste the following into it:

CreateRestorePoint:
CloseProcesses:
S2 Gubed_WMI; C:\Program Files\Gubed_WMI\Gubed_WMI.exe -s [X]
S2 WinSAPSvc; C:\ProgramData\WinSAPSvc\WinSAP.dll [X]
S2 WinSnare; C:\Users\Neko\AppData\Roaming\WinSnare\WinSnare.dll [X]
S2 ed2kidle; C:\Program Files\amuleC1\ed2k.exe -downloadwhenidle [X]
2017-01-12 14:58 - 2016-12-15 12:29 - 00000000 ____D C:\ProgramData\WinSAPSvc
2017-01-12 01:39 - 2016-04-20 22:10 - 00001027 _____ C:\Users\Neko\Desktop\Eusing Free Registry Cleaner.lnk
ShortcutWithArgument: C:\Users\Neko\AppData\Local\Google\Chrome\User Data\Google Chrome Application Launcher.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --show-app-list
ShortcutWithArgument: C:\Users\Neko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Applications\アイドルマスター シンデレラガールズ[ChromeApps版].lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.amisites.com/?type=sc&ts=1481883627&z=21311976c3724dd66b8d9b5gcz3bbgab9b3c4q5c1c&from=che0812&uid=HitachiXHDS721616PLA380_PVE301Z5UMKR9UUMKR9UX
ShortcutWithArgument: C:\Users\Neko\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.amisites.com/?type=sc&ts=1481883627&z=21311976c3724dd66b8d9b5gcz3bbgab9b3c4q5c1c&from=che0812&uid=HitachiXHDS721616PLA380_PVE301Z5UMKR9UUMKR9UX
Task: {F73993E1-B2C2-4E05-9B61-D1CB2A029DD4} - System32\Tasks\5d909425-e66f-4cd1-8d63-5aa067548a9b => C:\Program Files\CinemaP-1.3c\5d909425-e66f-4cd1-8d63-5aa067548a9b.exe <==== ATTENTION
Task: {ABE6A215-DE7A-4FEB-8CEE-EEDF27849FC3} - System32\Tasks\sun_king_updating_service => C:\Program Files\sun king\sun_king_updating_service.exe <==== ATTENTION
Task: {A941DB2A-C7F8-4297-9760-89C38D275860} - System32\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-2 => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-2.exe <==== ATTENTION
Task: {8DB75599-CB98-4562-9F19-42E70B3880C9} - System32\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-1 => C:\Program Files\CinemaP-1.3c\CinemaP-1.3c-codedownloader.exe <==== ATTENTION
Task: {555551F5-A6EF-4137-AB7C-76392321078D} - System32\Tasks\Origin => C:\ProgramData\Origin\update.vbe [2015-02-07] () <==== ATTENTION
C:\ProgramData\Origin\update.vbe
Task: {955FD437-0892-4219-8D79-67C756EA32C7} - System32\Tasks\sun_king_notification_service => C:\Program Files\sun king\sun_king_notification_service.exe <==== ATTENTION
Task: {1071F8B1-B0A4-4F80-99A8-E6BEBA214A7A} - System32\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-4 => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-4.exe <==== ATTENTION
Task: {178A11BA-3D69-4003-9ADC-D48E7AF3ABB8} - System32\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-6 => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-6.exe <==== ATTENTION
Task: {18C1CE83-44B8-4743-9A50-BABC1AFD443F} - System32\Tasks\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5_user => C:\Program Files\CinemaP-1.3c\0bd2f864-89c5-4020-9b18-e2ee0c1c60e6-5.exe <==== ATTENTION
Task: {1CC3EF49-B678-4770-8F9B-917046516D43} - System32\Tasks\{B88904D7-82D5-4AC1-9FD0-173C05466BE3} => Firefox.exe hxxp://ui.skype.com/ui/0/6.14.0.104/fr/abandoninstall?page=tsProgressBar
Task: {200F20D7-FF9C-41F9-98F2-1AFF28E88AA3} - System32\Tasks\globalUpdateUpdateTaskMachineCore => C:\Program Files\globalUpdate\Update\GoogleUpdate.exe <==== ATTENTION
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:


Once the text is pasted into Notepad,
Go to the "File" menu and then "Save As",
On the left, navigate to the Desktop,
In the field below, for the file name enter: fixlist.txt
Click "Save", which will create fixlist.txt on the Desktop.

Restart FRST and click the "Fix" button
A restart may be necessary (not mandatory)
A text file will appear, copy/paste the content here in a new message.

Restart the computer.

Please press any key to continue the disinfection...
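Both fixlists in this thread (the first post's and the one just above) were assembled by hand from the FRST and Addition logs using the same criteria: entries FRST itself marks, services whose binary is unsigned or missing ([X]), browser shortcuts hijacked with a start URL, and orphaned shell hooks. As an added example that is not from the thread or from the FRST project, the Python below applies those criteria to constructed sample lines modelled on the ones posted here and assembles a fixlist in the same shape; the GoodSvc and Launcher.lnk entries are made-up clean controls, and the triage reasons are my assumptions, not FRST's.

```python
import re
from typing import List, Tuple

# Constructed sample FRST log lines, modelled on the entries posted in this thread.
# GUIDs and paths come from the thread; GoodSvc and Launcher.lnk are made-up clean controls.
SAMPLE_FRST = r"""
Task: {DE359478-DC9E-44D1-A30E-988AFB75B9F9} - System32\Tasks\superbuy4u_helper_service => C:\Program Files\SuperBuy4U\superbuy4u_helper_service.exe <==== WARNING
Task: {EABEE9BD-0708-43FF-BA42-C1D565964A7E} - System32\Tasks\GyazoUpdateTaskMachine => C:\Program Files\Gyazo\GyazoUpdate.exe [2016-08-03] ()
S4 globalUpdate; C:\Program Files\globalUpdate\Update\GoogleUpdate.exe [68608 2014-11-29] (globalUpdate) [Unsigned file] <==== WARNING
R2 GubedZL; C:\Program Files\Gubed\GubedZL.dll [125952 2017-01-16] () [Unsigned file]
S2 WinSnare; C:\Users\Neko\AppData\Roaming\WinSnare\WinSnare.dll [X]
R2 GoodSvc; C:\Program Files\Vendor\good.exe [1024 2016-01-01] (Vendor Inc.)
ShortcutWithArgument: C:\Users\Neko\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.amisites.com/?type=sc
ShortcutWithArgument: C:\Users\Neko\Desktop\Launcher.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --show-app-list
ShellExecuteHooks: No name - {39708236-AA9E-11E6-8BD7-64006A5CFC23} - C:\Users\Neko\AppData\Roaming\Rsoghtjonry\Thafry.dll -> No file
"""

SERVICE_RE = re.compile(r"^[SR]\d+ ")                     # service/driver entries such as "S2 WinSnare; ..."
URL_RE = re.compile(r"\bh(?:xx|tt)ps?:/", re.IGNORECASE)  # FRST defangs URLs as hxxp://


def triage(line: str) -> Tuple[bool, str]:
    """Decide whether one FRST log line belongs in the fixlist, and why (assumed criteria)."""
    if "<==== WARNING" in line or "<==== ATTENTION" in line:
        return True, "flagged by FRST itself"
    if SERVICE_RE.match(line):
        if "[X]" in line:                                  # FRST's marker for a missing binary
            return True, "service whose binary is missing"
        if "[Unsigned file]" in line:
            return True, "unsigned service/driver binary"
        return False, ""
    # Only the last "->" segment of a shortcut line is the argument; a URL there is a hijack.
    if line.startswith("ShortcutWithArgument:") and URL_RE.search(line.rsplit("->", 1)[-1]):
        return True, "browser shortcut hijacked with a start URL"
    if line.startswith("ShellExecuteHooks:") and line.rstrip().endswith("No file"):
        return True, "orphaned shell execute hook"
    return False, ""


def build_fixlist(log: str) -> List[str]:
    """Assemble fixlist.txt in the shape used in the thread: restore point and process
    shutdown first, the flagged entries copied verbatim, then the cleanup directives."""
    flagged = [l for l in log.splitlines() if l.strip() and triage(l)[0]]
    return (["CreateRestorePoint:", "CloseProcesses:"] + flagged
            + ["Hosts:", "EmptyTemp:", "RemoveProxy:", "Reboot:"])


if __name__ == "__main__":
    for entry in build_fixlist(SAMPLE_FRST):
        print(entry)
```

The generated list still has to be read entry by entry before it is run through FRST, exactly as the moderator did above: an unsigned or missing binary is a reason to look, not proof of infection.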
Otoneko Posted messages 11 Status Member
 
I have successfully reset the browsers.

Here is the file:

- http://pjjoint.malekal.com/files.php?id=20170118_f8d11v9m11g5
Malekal_morte- Posted messages 178136 Status Moderator, Security contributor
 
ok, what problem remains?

--
Please press a key to continue the disinfection...
Otoneko Posted messages 11 Status Member
 
Normally, there shouldn’t be any problems left, so I’m marking it as resolved. Thank you for the help.
Malekal_morte- Posted messages 178136 Status Moderator, Security contributor
 
ok do Malwarebytes scans in the coming days :)

To avoid getting caught again.
To read - Potentially Unwanted Programs / PUPs: File on Adwares/PUPs: unwanted and parasitic programs
(Especially enable PUP (LPI) detections to identify parasitic and advertising programs)

--
Please press a key to continue the disinfection...
Matthieu
 
Hello everyone,

I followed a tutorial to get this link and obtain the correction file because I caught a virus called the "Chinese virus".
Here is the link: http://pjjoint.malekal.com/files.php?id=FRST_20170222_d7x5d5n8j7

Thank you all for your help.