virus office central de lutte contre la cybercriminalité

[puiutz]

Hy,

i;m so sorry if my english is bad, and for the pressure and hurry of this post. I'm pressed by time, i have to finish my master degree and i have important data (programs) on my 'virused and blocked' laptop and a lot of work to do. I don't have the possibillity to work on another computer, because it will take me a lot of time to install and configure a lot of programs.
I didn't succeded running OTL, because i don't have any control in normal mode, ukash screen pops-up with or without internet connection.
I know it's my fault, that i didn't had my antivirus updated, my firewall disabled and i think also the restoration system diabled. But i also know that you could help me to unblocked and clean my system withoud reinstalling.
Please, can you help me? I'm really desperate and i need your help! I will make it up to you! I promise!

 

[Fiery]

Hi and welcome to MalwareTips!

I'n Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>

Can you specify what your window version is? You said:

Operating system: XP 7. Is it XP or is it windows 7?

 

[puiutz]

Firstly, thank you for your help. Yes it's windows 7 and the arhitecture it's 64 bits (the newest one). Sorry for this mistake and thanks because you've noticed and sorry also for this late reply, but i was very tired last night, this virus frustrated me.

 

[Fiery]

Ok, no problem. Window 7 will make things easier

Download Farbar Recovery Scan Tool from the below link:
<ul><li>For 32 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST.exe" rel="nofollow external"><>Farbar Recovery Scan Tool</></a> and save it to a USB/flash drive.
For 64 bit systems download <a title="External link" href="http://download.bleepingcomputer.com/farbar/FRST64.exe" rel="nofollow external"><>Farbar Recovery Scan Tool x64</></a> and save it to a USB/flash drive.</li>

Also download List Parts 32bit or Listparts 64 bit and save it to the USB/flash drive also.

<li>Plug the flashdrive into the infected PC.</li>

<li>Enter <>System Recovery Options</>.</li>

<>To enter System Recovery Options from the Advanced Boot Options:</>
<ul>
<li>Restart the computer.</li>
<li>As soon as the BIOS is loaded begin tapping the<> F8</> key until Advanced Boot Options appears.</li>
<li>Use the arrow keys to select the <>Repair your computer</> menu item.</li>
<li>Select <>US</> as the keyboard language settings, and then click <>Next</>.</li>
<li>Select the operating system you want to repair, and then click <>Next</>.</li>
<li>Select your user account an click <>Next</>.</li>
</ul>

<li>On the System Recovery Options menu you will get the following options:</span>
<pre>Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt</pre>
<ol>
<li>Select <>Command Prompt</></li>
<li>In the command window type in <>notepad</> and press <>Enter</>.</li>
<li>The notepad opens. Under File menu select <>Open</>.</li>
<li>Select "Computer" and find your flash drive letter and close the notepad.</li>
<li>In the command window type <><span style="color: #ff0000;">e</span>:\frst.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\frst64</>) and press <>Enter</>
<>Note:</><span style="color: #ff0000;"> Replace letter <>e</> with the drive letter of your flash drive.</span></li>
<li>The tool will start to run.</li>
<li>When the tool opens click <>Yes</> to disclaimer.</li>
<li>Press <>Scan</> button.</li>
<li><>FRST</> will let you know when the scan is complete and has written the <>FRST.txt</> to file, close the message.
<li>Back in the command prompt, type <><span style="color: #ff0000;">e</span>:\listparts.exe</> (for x64 bit version type <><span style="color: #ff0000;">e</span>:\listparts64.exe</>) and press <>Enter</>
<li>ListParts will start to run. Check the box beside List BCD and click Scan
<li>When finished scanning it will make a log Result.txt on the flash drive
<li>Type exit</li>
<li>Please copy and paste both FRST.txt and Result.txt logs in your next reply</li></li>
</ol>
</ul>

 

[puiutz]

Thank you!
I've tried, but at this step:
"In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter"
occurs an error: The subsystem needed to support the image type is not present.

i've changed "e" with h: h:\frst.exe
the cmd is case sensitive?
also the usb flash should be like an iso image with those 2 files, or like a normal usb and it should have only those 2 files? Because i used a usb with other data on it.

Thank you!

 

[Fiery]

For 64-bit, type only e:\frst64 where e is your USB drive

You don't type the .exe part

 

[puiutz]

ok. Thank you. Now it's working!

I send you the FRST & results log.

 

[Fiery]

On your other computer, open notepad and copy & paste the following:

HKU\Puiutz777\...\Winlogon: [Shell] explorer.exe,C:\Users\Puiutz777\AppData\Roaming\skype.dat [114688 2011-11-16] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$7e8569ee9e0d1dbf4cb283a5b2b67b23\n. ATTENTION! ====> ZeroAccess
C:\Users\Puiutz777\AppData\Roaming\skype.ini
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-6319201-1135886235-3007224784-1000\$7e8569ee9e0d1dbf4cb283a5b2b67b23
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$7e8569ee9e0d1dbf4cb283a5b2b67b23

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

Now, attempt to reboot normally

 

[puiutz]

ok. done with fixing.
also rebooted into normal mode. it's working no more ukash screen for now! (i didn't plug the internet wire for now).

Thank u very very much...
Now let's proceed to remove this bastard virus!

 

[Fiery]

Good

Please uninstall Anivsoft from your PC. They are somewhat sketchy.

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool(For Vista or Windows 7, right-click and select Run as Administrator to start)
• Click delete
• Please post the content of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

Please download Malwarebytes' Anti-Malware from here to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• When it prompts you to try their 30-day trail, click decline
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

 

[Fiery]

After all of that (which it shouldn't take too long)

Download OTL by Old Timer from here and save it to your Desktop.

• Double click on OTL.exe to run it.
• Click the Scan All Users checkbox.
• Change Standard Registry to All
• Check the boxes beside LOP Check and Purity Check
• Click on Run Scan at the top left hand corner.
• When done, two Notepad files will open.
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Please attach the contents of these 2 Notepad files in your next reply.

 

[puiutz]

Are you sure, it's ok if i pluged the internet cable? because i'm afraid to ukash virus won't appear again. I don't have my antivirus updated.

Thanks!

 

[Fiery]

If you are worried, you can use your other PC and transfer adwcleaner, roguekiller and OTL over to the infected PC and run those scan. Afterwards, transfer the logs onto the USB and post them here.

We will skip malwarebytes for now if you are worried. Though we have removed the heart of the virus, all that should be left are the remnants

 

[puiutz]

neither my firewall..it's disabled and it doesn't let me to enable it!

 

[Fiery]

Ok, run the OTL, adwcleaner and roguekiller scan first

 

[puiutz]

1. I uninstall Anivsoft
2. I've runed Adwcleaner -> AdwCleaner[S2].txt
3. I've runed Rogue Killer -> RKreport[2]_D_02192013_02d1751.txt
4. I've runed also Malwarebytes' Anti-Malware with internet connection like you said first -> mbam-log-2013-02-19 (18-40-13).txt
5. Runed also OTL -> OTL.Txt
-> Extras.Txt

Thank you!

 

[Fiery]

Hi,

I just want to make sure. You use www.rezel.net correct?

Open OTL. Under custom scan/fixes, copy and paste the following:

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Post the log afterwards.

---

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• Re-enable your antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

 

[puiutz]

Yes, I use rezel internet provider.
Until eset scanning it's finishing, i send you OTL log.

 

[Fiery]

Ok.

Let me know how your PC is functioning. Is your firewall still disabled? Please list any other issues you still have after the scan is completed.

 

[puiutz]

Eset Nod32 Online antivirus finished scanning (log.txt). It found a virus in my E:\ drive, that file it's an HP driver for keyboard i think. It could be infected?

The system restore is still disabled: System Protection is turned off.
And when i try to turn on the Control Panel -> system restore -> System Protection -> Configure, the "Restore system settings and previous version of files" could not be selected, only "Turn off System Protection" (now is selected) and "Only restore previous of files".

For Firewall, same problem: still disabled. Control Panel -> Windows Firewall: "Update your Firewall Settings - Windows Firewall is not using the recommended settings to protect your computer". And when i click Use Recommended settings it provides an error: "Windows Firewall can't change some of your settings. Error code 0x80070424"
And for Advanced Settings tab of Windows Firewall, the error is: "There was an error opening the Windows Firewall with Advanced Security snap-in. The Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code: 0x6D9."

And another question: An windows pop-up message keep coming up for my java update: "User Account Control" is the name of the message window, and the program it's "jucheck.exe" situated in Program Files\java\java Update. This is sure for java update, no? Cause i've seen that Ukash virus has a connection with java and flash...and i'm worried.

It's all i've noticed for now.

Thank you very much!