Trojan infection pls help!



Hi M. :)

My backup is already done with Macrium reflect; so I'll delete it from my programs.

And what do you want me to do with the Registry settings?

...This Avira is really stubborn, you know, the other day I went into SERVICES.MSC from the RUN command and I saw: \Avira\AntiVir Desktop\avguard.exe; it was already "STOPPED" but when I wanted to choose the "DISABLED" option (MANUAL, AUTOMATIC, or DISABLED) it wouldn't let me!! Hey! Sorry Mister Avira but this is MY computer! :P

...But good news, if I look there today, I can't see "Avira"... there, so...

Waiting for further instructions :)


  • Root Admin

Please watch this video as it demonstrates how to take ownership of registry keys.  Don't worry about the tools and other things it's doing.  Just pay attention to how the registry permissions are reset.

 

http://kixhelp.com/wr/video-mb/0-440_and_339_errors.mp4

 

Then start REGEDIT.EXE and browse to the following key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

 

Then see if you can locate these entries.  Do a search if needed.

Then take OWNERSHIP back and set the administrators group account to have full access.

 

avgntflt
avipbb
AntiVirService

 

Then see if you can delete the main key for that service.

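The steps the video walks through by hand (take ownership of the service key, then give the Administrators group full access) can also be scripted. The following is an added example and not something posted in this thread; it uses the well-known SID S-1-5-32-544 for BUILTIN\Administrators instead of an account name so it works unchanged on a French Windows, and it assumes it is run from an elevated (Administrator) PowerShell session. The three service names are the ones listed above; the function name Restore-RegKeyAccess and the helper class TokenPriv are this example's own.

```powershell
# Added example, not from the thread: take ownership of a service's registry key
# and grant BUILTIN\Administrators full control, as the video does by hand.
# Assumes an elevated PowerShell; uses SIDs so account spelling does not matter.

# Taking ownership of a key whose DACL locks Administrators out is only
# permitted with SeTakeOwnershipPrivilege enabled in the process token,
# so enable it explicitly through AdjustTokenPrivileges.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public class TokenPriv {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, int access, ref IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TokPriv newState, int len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    public static bool Enable(string privilege) {
        IntPtr token = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, ref token)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        TokPriv tp = new TokPriv(); tp.Count = 1; tp.Attr = 0x2;                   // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return Marshal.GetLastWin32Error() == 0;   // ERROR_NOT_ALL_ASSIGNED: the account lacks the privilege
    }
}
'@

$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'   # BUILTIN\Administrators

function Restore-RegKeyAccess {
    # $SubKey is relative to HKEY_LOCAL_MACHINE, e.g. 'SYSTEM\CurrentControlSet\Services\avgntflt'
    param([string]$SubKey)
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $rights = [System.Security.AccessControl.RegistryRights]

    # 1. Open asking only for WRITE_OWNER and make Administrators the owner.
    $key = $hklm.OpenSubKey($SubKey, $check, $rights::TakeOwnership)
    if ($key -eq $null) { Write-Warning "HKLM\$SubKey not found"; return }
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($adminSid)
    $key.SetAccessControl($ownerOnly)      # only the Owner section was modified, so only it is written
    $key.Close()

    # 2. The owner implicitly holds READ_CONTROL and WRITE_DAC; add an inheritable Full Control ACE.
    $key = $hklm.OpenSubKey($SubKey, $check, $rights::ReadPermissions -bor $rights::ChangePermissions)
    $acl = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $adminSid, $rights::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()

    # 3. Subkeys may have inheritance disabled or their own owner, so repeat on each of them.
    $key = $hklm.OpenSubKey($SubKey)
    $children = $key.GetSubKeyNames()
    $key.Close()
    foreach ($child in $children) { [void](Restore-RegKeyAccess "$SubKey\$child") }
    "Restored Administrators access on HKLM\$SubKey"
}

if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'SeTakeOwnershipPrivilege could not be enabled; start PowerShell as Administrator.'
}
foreach ($svc in 'avgntflt', 'avipbb', 'AntiVirService') {
    Restore-RegKeyAccess "SYSTEM\CurrentControlSet\Services\$svc"
}
# Only once the keys are visible and writable again, and only if the helper says so:
# Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\avgntflt' -Recurse
```

Ownership is set in a separate step from the ACL because the two need different access on the handle: WRITE_OWNER is granted through the privilege, while READ_CONTROL and WRITE_DAC come with being the owner. Running it once per service key and then checking in REGEDIT.EXE that the key now shows the usual Administrators and SYSTEM entries is the same result the video reaches by hand.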

Hi M. :)

 

I'm doing as in the video, but in the first window there is no "ADMIN" or "SYSTEM"; it says "EVERYBODY"! And the 2 boxes are already checked.

 

And if I do ADVANCED, in the video the first box was checked and we need to check the second one, but for me neither of them is checked...

 

Do I need to add "ADMIN" and "SYSTEM", and if so how do we do that?

 

OK, waiting for your instructions to go on....



  • Root Admin

Now that the key is shown again with all the users please again try to take ownership as the video shows.
 
Then don't worry about deleting for the moment.  Let me have you please transcribe the names shown for all those accounts.
 
Exact French spelling & English name
 
 
Then let me have you do the following which should restart the computer and recheck and repair any issues found with the hard drive.

It should take at least 10 minutes and could take hours to complete.  Please let it complete.
 
 
You may have corrupted files on your disk.  Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

Once it's done let me know.

 


- Administrateur (IBMCAMRESEAU/Administrateurs)  =  Administrator (IBMCAMRESEAU/Administrators)
- CREATEUR PROPRIÉTAIRE  =  CREATOR OWNER
- SYSTEM  =  SYSTEM
- Tout le monde  =  Everybody
- Utilisateurs (IBMCAMRESEAU/Utilisateurs)  =  Users (IBMCAMRESEAU/Users)
- Utilisateurs avec pouvoir (IBMCAMRESEAU/Utilisateurs..)  =  Users with power (IBMCAMRESEAU/Users with power)

 

Ok, here are the account names. Hmm, I'm a little bit confused here... Do you want me to delete those accounts and keep only "ADMINISTRATOR" and "SYSTEM"... or are you talking about deleting the AV keys?


....Do you want me to try with "CREATOR OWNER"? The third box (special authorization) is already checked in fade but I can click the other 2 like in the video.

 

Cause in "SYSTEM" and "ADMINISTRATOR", the 2 boxes are already checked in fade, unlike the video. And I can't delete the keys with those accounts it seems.



  • Root Admin

No, no.. please do not touch or delete any accounts.  I'm going to look at doing some scripting to try to automate some permissions changes for you but since it's in French I needed to know the exact spelling. 

 

For now leave the Avira stuff alone.

 

Aside from this Avira stuff how is the computer running now?

Are there any other signs of an infection or any other malware related issues?

 

It will probably take me a couple of days to look into this so if I've not replied within a couple days please send me a PM and remind me.

 

Thanks


  • Root Admin

If you click on START - RUN and type in CMD.EXE then click OK that will put you back in the DOS console.

 

Then if you type the following and press the Enter key it should list all the accounts on the system and how DOS sees them.

 

 

net localgroup

 

 

If you can copy/paste that to make sure that would be good.   Here is what I think is correct.

 

The second column for NAME is the default English name.

Well-Known Security Identifiers

 

French: Administrateur (IBMCAMRESEAU/Administrateurs)  -  English: Administrator (IBMCAMRESEAU/Administrators)
French: CREATEUR PROPRIÉTAIRE  -  English: Creator Owner
French: SYSTEM  -  English: SYSTEM
French: Tout le monde  -  English: Everyone
French: Utilisateurs (IBMCAMRESEAU/Utilisateurs)  -  English: Users (IBMCAMRESEAU/Users)
French: Utilisateurs avec pouvoir (IBMCAMRESEAU/Utilisateurs..)  -  English: Power Users (IBMCAMRESEAU/Users with power)

Can you also please run the following for me .

Please create an mbam-check log:

  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post, instead please attach the log CheckResults.txt file which should now be located on your desktop to your next post

 :) That's what I was about to ask you, if I should run this disk check... OK so I'll do it and give you the feedback. Hmm, but does it make a log? Cause I dunno if it's the same check disk that I run from my C: tools, but when it's done the results are on the screen just a few seconds and I don't have the time to read them.

 

And the computer is running very well, fast, CPU very low like before. But like I said I don't like the new processes, this spoolsv loading or this morning the W....exe (disappeared with Comodo removing) was back, but it didn't stay in Task Manager. I'm afraid that something runs on my computer that I am not aware of. I caught 3 trojans and I read here that sometimes the computer never gets back to being safe. :(

 

What do you think? Am I ok? Need to run a big scan known by you? And maybe I'll need some help too to remove the tools we used.

Thanks again for your help, and I'll wait for your return :)

 

P.S. I'll probably buy your pro version in a couple of days. Does it work fine on old machines with XP? Does it take a lot of CPU?


  • Root Admin

It can use a lot of resources on an older computer. Please run the following and we'll see what your computer has.

Yes, disk check does create a log in the EVENT LOGS that we can check when done. It takes a lot more time than a few seconds.

The computer should reboot and then run the disk check if you run it as I have shown.

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
  • You can ignore the note about zipping the Attach.txt file.
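On the question of where the disk check report ends up: the scheduled "CHKDSK C: /R" from the earlier post runs at boot, and its full report is written to the Application event log as event ID 1001 (source "Winlogon" on Windows XP, "Wininit" on Vista and later). The short PowerShell below is an added example, not from this thread or from Malwarebytes, for reading that report after the reboot instead of trying to catch it on screen; the function name Get-ChkdskReport is this example's own.

```powershell
# Added example, not from the thread: read the chkdsk report that autochk
# writes to the Application event log after a scheduled "CHKDSK C: /R".
function Get-ChkdskReport {
    param([int]$Newest = 1)
    Get-EventLog -LogName Application |
        # Event 1001 from Winlogon (XP) or Wininit (Vista+) carries the full chkdsk text
        Where-Object { $_.EventID -eq 1001 -and ('Winlogon', 'Wininit') -contains $_.Source } |
        Sort-Object TimeGenerated -Descending |
        Select-Object -First $Newest TimeGenerated, Source, Message
}

# Before rebooting, the built-in "chkntfs C:" reports whether a check is pending for the next start.
# Afterwards, show the most recent report; -Newest 3 would list the last three runs.
Get-ChkdskReport | Format-List
```

The Message field is the same text chkdsk prints to the console, in the system language, so on this French XP the report will be in French; the "bad sectors" line is the one worth reading when a "/R" run was done because of suspected disk damage.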

Hi, for the DOS command, here:

 

C:/Documents and Settings/home>net localgroup

 

Alias of //IBMCAMRESEAU

 

*Administrateurs                                                      (Administrators)

*Duplicateurs                                                           (Duplicators)

*HelpServicesGroup                                                 

*Invités                                                                     (Guests)

*Opérateurs de configuration réseau                      (Network config operators)

*Opérateurs de sauvegarde                                    (Backup operators)

*Utilisateurs                                                             (Users)

*Utilisateurs avec pouvoir                                        (Power users)

*Utilisateurs du bureau à distance                           (Remote desktop users)

La commande s'est terminée correctement             (The command completed successfully)

 

It doesn't say much to me, hope it does for you. But I don't like "duplicators" or "remote desktop users".. I don't want people from outside to use my computer?! And what about the "Network config operators"? ...Looks like there are a lot of people in this computer.

 

Ok, I continue with the check disk and the other steps...

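Two things in this exchange can be checked with one script: the French-to-English account table the Root Admin wanted for scripting, and the worry about "Duplicateurs" and "Utilisateurs du bureau à distance". Every group that "net localgroup" printed (except HelpServicesGroup) is a standard built-in group that exists on every XP install, and each has a fixed well-known SID, so a script can resolve the local spelling from the SID and then look at who is actually a member; an empty "Remote Desktop Users" group lets nobody in. The PowerShell below is an added example, not posted in this thread; the function names Get-LocalizedName and Get-LocalGroupMembers are this example's own, and it runs as-is on an English or a French Windows.

```powershell
# Added example, not from the thread: resolve the well-known SIDs of the
# built-in accounts and groups to this machine's localized names, then list
# each group's members through the WinNT ADSI provider.
$principals = @{ 'S-1-5-18' = 'SYSTEM'; 'S-1-1-0' = 'Everyone'; 'S-1-3-0' = 'CREATOR OWNER' }
$builtin = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-552' = 'Replicator'                        # "Duplicateurs" in the listing above
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-556' = 'Network Configuration Operators'
}

function Get-LocalizedName {
    # Translate a SID into whatever name this Windows uses (e.g. BUILTIN\Administrateurs).
    param([string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}

function Get-LocalGroupMembers {
    # List a local group's members; takes the short localized group name without the BUILTIN\ prefix.
    param([string]$ShortName)
    $group = [ADSI]"WinNT://./$ShortName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

'--- well-known principals ---'
foreach ($sid in $principals.Keys | Sort-Object) {
    '{0,-13} {1,-16} -> {2}' -f $sid, $principals[$sid], (Get-LocalizedName $sid)
}

'--- built-in groups and their members ---'
foreach ($sid in $builtin.Keys | Sort-Object) {
    $local = Get-LocalizedName $sid
    if ($local -eq $null) { '{0,-13} {1,-32} not present on this system' -f $sid, $builtin[$sid]; continue }
    $short = $local.Split('\')[-1]
    $members = @(Get-LocalGroupMembers $short)
    $list = if ($members.Count -gt 0) { $members -join ', ' } else { '(no members)' }
    '{0,-13} {1,-32} {2,-34} members: {3}' -f $sid, $builtin[$sid], $local, $list
}
```

The output gives, per group, the English name, the local (French) name and the member list, which answers both questions at once: the spelling to use in a script is whatever the SID resolves to, and a group that exists but has no members grants nothing. Unexpected members in Administrators, Remote Desktop Users or Backup Operators would be the thing to report back here.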

This topic is now closed to further replies.