What is this virus?
Posted by azerty418 (Newbie) « on: October 09, 2015, 09:34:20 pm »
Hello,

I think I installed something wrong on my computer, it is "WindowLoader2.4".

I ran RogueKiller; the software found a lot of critical malware, but I can't delete it.

Here is the scan log:

RogueKiller V10.10.9.0 [Oct  5 2015] by Adlice Software
email : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Operating system : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : Alexandre [Administrator]
Started from : C:\Users\Alexandre\Downloads\RogueKiller.exe
Mode : Removal -- Date : 10/09/2015 21:06:05

¤¤¤ Processes : 12 ¤¤¤
[PUP|VT.Unknown] Oumom.exe(4924) -- C:\Program Files\shopperz091020152027\Oumom.exe[-] -> Killed [TermProc]
[PUP|VT.Unknown] csrcc.exe(5204) -- C:\Program Files\shopperz091020152027\csrcc.exe[-] -> Killed [TermProc]
[PUP|VT.Unknown] Foopo.exe(5232) -- C:\Program Files\shopperz091020152027\Foopo.exe[-] -> Killed [TermProc]
[Suspicious.Path|VT.PUP.Optional.Nosibay] LBubble Dock.exe(4816) -- C:\Users\Alexandre\AppData\Roaming\Nosibay\Bubble Dock\LBubble Dock.exe[-] -> Killed [TermProc]
[Suspicious.Path|VT.PUP.Optional.Nosibay] Bubble Dock.exe(6924) -- C:\Users\Alexandre\AppData\Roaming\Nosibay\Bubble Dock\Bubble Dock.exe[-] -> Killed [TermProc]
[PUP|VT.PUP.Optional.PhraseProfessor] ppsvc.exe(7616) -- C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe[-] -> Killed [TermProc]
[PUP|VT.Unknown] knsuBF24.tmpfs(11564) -- C:\Program Files (x86)\DEAB50B6-1444416086-E411-B2A0-F8A9635092F6\knsuBF24.tmpfs[-] -> Killed [TermProc]
[PUP|VT.not-a-virus:AdWare.Win32.ConvertAd.azh] hnspF1EF.tmp(6340) -- C:\Program Files (x86)\DEAB50B6-1444416086-E411-B2A0-F8A9635092F6\hnspF1EF.tmp[-] -> Killed [TermProc]
[Suspicious.Path|VT.not-a-virus:AdWare.Win32.ConvertAd.azl] snsz5793.tmp(5484) -- C:\Users\Alexandre\AppData\Local\DEAB50B6-1444423330-E411-B2A0-F8A9635092F6\snsz5793.tmp[-] -> Killed [TermProc]
[Suspicious.Path|VT.a variant of Win32/Packed.Komodia.D suspicious] BoxoreService.exe(19384) -- C:\ProgramData\Boxore\LSP\BoxoreService.exe[-] -> Killed [TermProc]
[PUP|VT.Unknown] Legfo.exe(8272) -- C:\Program Files\shopperz091020152027\Legfo.exe[-] -> Killed [TermProc]
[PUP|VT.Unknown] Legfo64.exe(7740) -- C:\Program Files\shopperz091020152027\Legfo64.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 42 ¤¤¤
[PUP|VT.Unknown] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0B7A236-F8D2-4064-bF21-6F62535D9EA8} -> ERROR [2]
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C} -> ERROR [2]
[Suspicious.Path|VT.GrayWare[AdWare]/Win32.BrowseFox.bz] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | smallbox : C:\ProgramData\uiksdl201510918\Advanced.exe /tlaclt [-] -> ERROR
[VT.PUP.Optional.EoRezo] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | mbot_fr_014010109 : "C:\Program Files (x86)\mbot_fr_014010109\mbot_fr_014010109.exe" [-] -> ERROR
[VT.Generic.2EB] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | YYZB1 : "C:\Program Files (x86)\yyzb_201510092032\201510092032\YYZB.exe" -mini [-] -> ERROR
[VT.Generic.2EB] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | YYZB2 : "C:\Program Files (x86)\yyzb_201510092032\201510092032\YYZB.exe" -W [-] -> ERROR
[VT.Trojan.GenericKD.2766007] (X64) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | apphide : C:\Program Files (x86)\baidu\pps.exe [-] -> ERROR
[PUP] (X64) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | Bubble Dock : "C:\Users\Alexandre\AppData\Roaming\Nosibay\Bubble Dock\LBubble Dock.exe" /winstartup  -> ERROR
[PUP] (X64) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | WindApp : "C:\Users\Alexandre\AppData\Roaming\Store\WindApp\WindApp.exe" /winstartup  -> ERROR
[PUP|VT.PUP.Optional.Nosibay] (X64) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | Selection Tools : "C:\Users\Alexandre\AppData\Roaming\WTools\Selection Tools\Selection Tools.exe" /winstartup [-] -> ERROR
[VT.Trojan.GenericKD.2766007] (X86) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | apphide : C:\Program Files (x86)\baidu\pps.exe [-] -> ERROR [2]
[PUP] (X86) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | Bubble Dock : "C:\Users\Alexandre\AppData\Roaming\Nosibay\Bubble Dock\LBubble Dock.exe" /winstartup  -> ERROR [2]
[PUP] (X86) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | WindApp : "C:\Users\Alexandre\AppData\Roaming\Store\WindApp\WindApp.exe" /winstartup  -> ERROR [2]
[PUP|VT.PUP.Optional.Nosibay] (X86) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | Selection Tools : "C:\Users\Alexandre\AppData\Roaming\WTools\Selection Tools\Selection Tools.exe" /winstartup [-] -> ERROR [2]
[PUP|VT.PUP.Optional.EoRezo] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | upmbot_fr_014010109.exe : C:\Users\Alexandre\AppData\Local\mbot_fr_014010109\upmbot_fr_014010109.exe -runonce [-] -> ERROR
[Rans.Gendarm] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Update : C:\Users\Alexandre\AppData\Roaming\ASPackage\ASPackage.exe /runonce  -> ERROR
[Suspicious.Path|VT.a variant of Win32/Packed.Komodia.D suspicious] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoxoreService (C:\ProgramData\Boxore\LSP\BoxoreService.exe) -> ERROR [2]
[PUP|VT.PUP.Optional.Shopperz.BrwsrFlsh] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cherimoya (system32\drivers\cherimoya.sys) -> ERROR [2]
[Suspicious.Path|VT.not-a-virus:AdWare.Win32.ConvertAd.azl] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dipubibu (C:\Users\Alexandre\AppData\Local\DEAB50B6-1444423330-E411-B2A0-F8A9635092F6\snsz5793.tmp) -> ERROR [2]
[PUP|VT.not-a-virus:AdWare.Win32.ConvertAd.azh] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gyvixodu (C:\Program Files (x86)\DEAB50B6-1444416086-E411-B2A0-F8A9635092F6\hnspF1EF.tmp) -> ERROR [2]
[PUP|VT.PUP.Optional.PhraseProfessor] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ppsvc_1.10.0.24 ("C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe") -> ERROR [2]
[PUP|VT.PUP.Optional.SoftwareUpdate] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Software_update (C:\Program Files (x86)\Software\Update\SoftwareUpdate.exe /svc) -> ERROR [2]
[PUP|VT.PUP.Optional.SoftwareUpdate] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Software_update_m (C:\Program Files (x86)\Software\Update\SoftwareUpdate.exe /medsvc) -> ERROR [2]
[Suspicious.Path|VT.a variant of Win32/Packed.Komodia.D suspicious] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BoxoreService (C:\ProgramData\Boxore\LSP\BoxoreService.exe) -> ERROR [2]
[PUP|VT.PUP.Optional.Shopperz.BrwsrFlsh] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cherimoya (system32\drivers\cherimoya.sys) -> ERROR [2]
[Suspicious.Path|VT.not-a-virus:AdWare.Win32.ConvertAd.azl] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dipubibu (C:\Users\Alexandre\AppData\Local\DEAB50B6-1444423330-E411-B2A0-F8A9635092F6\snsz5793.tmp) -> ERROR [2]
[PUP|VT.not-a-virus:AdWare.Win32.ConvertAd.azh] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gyvixodu (C:\Program Files (x86)\DEAB50B6-1444416086-E411-B2A0-F8A9635092F6\hnspF1EF.tmp) -> ERROR [2]
[PUP|VT.PUP.Optional.PhraseProfessor] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ppsvc_1.10.0.24 ("C:\Program Files (x86)\PhraseProfessor_1.10.0.24\Service\ppsvc.exe") -> ERROR [2]
[PUP|VT.PUP.Optional.SoftwareUpdate] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Software_update (C:\Program Files (x86)\Software\Update\SoftwareUpdate.exe /svc) -> ERROR [2]
[PUP|VT.PUP.Optional.SoftwareUpdate] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Software_update_m (C:\Program Files (x86)\Software\Update\SoftwareUpdate.exe /medsvc) -> ERROR [2]
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?LinkId=255141  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?LinkId=255141  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?LinkId=255141  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?LinkId=255141  -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?LinkId=54896  -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://go.microsoft.com/fwlink/?LinkId=54896  -> Replaced (http://go.microsoft.com/fwlink/?LinkId=54896)
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch)
[PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts file : 0 ¤¤¤

¤¤¤ Antirootkit : 17 (Driver: Not loaded [0xc000036b]) ¤¤¤
[IAT:Inl(Hook.IEAT)] (chrome.exe @ NTDSAPI.dll) WS2_32.dll - GetAddrInfoW : Unknown @ 0x5b57e40 (jmp 0x902b1d4b|call 0x459d)
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32.dll - CreateNamedPipeW : Unknown @ 0xe0010

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 02f4f70c4623b8694a10198d8af856c5
[BSP] fd6e0cde042b27fafea9e5bd109f29a6 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


I don't understand what happened. Can you help me find out what this is, please?
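As an added example (not Adlice's code and not something anyone in this thread posted), the Python below parses the process and registry lines of a RogueKiller report like the one above and answers the question the post is really asking: which families were detected, where each one persists (Run key, RunOnce, service, Browser Helper Object, Internet Explorer setting), which of them launch from locations a normal user can write to (AppData, ProgramData, Temp), and which entries the removal pass reported ERROR on. The sample lines are copied from the report, with the result words as the French RogueKiller build prints them (Tué(e), Remplacé(e)); the mechanism names, the English result words Killed/Replaced and the user-writable heuristic are this example's own assumptions, not RogueKiller's.

```python
"""Triage a RogueKiller report: what was found, how it persists, and what the
removal pass could not clean. Added example, not code from Adlice or this thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Lines copied from the report above (French build: "Tué(e)" = killed, "Remplacé(e)" = replaced).
SAMPLE_LOG = r"""
[PUP|VT.Unknown] Oumom.exe(4924) -- C:\Program Files\shopperz091020152027\Oumom.exe[-] -> Tué(e) [TermProc]
[Suspicious.Path|VT.a variant of Win32/Packed.Komodia.D suspicious] BoxoreService.exe(19384) -- C:\ProgramData\Boxore\LSP\BoxoreService.exe[-] -> Tué(e) [TermProc]
[PUP] (X64) HKEY_USERS\S-1-5-21-1441641861-1517293250-1955841278-1000\Software\Microsoft\Windows\CurrentVersion\Run | Bubble Dock : "C:\Users\Alexandre\AppData\Roaming\Nosibay\Bubble Dock\LBubble Dock.exe" /winstartup  -> ERROR
[Rans.Gendarm] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | Update : C:\Users\Alexandre\AppData\Roaming\ASPackage\ASPackage.exe /runonce  -> ERROR
[PUP|VT.PUP.Optional.Shopperz.BrwsrFlsh] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\cherimoya (system32\drivers\cherimoya.sys) -> ERROR [2]
[Suspicious.Path|VT.a variant of Win32/Packed.Komodia.D suspicious] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoxoreService (C:\ProgramData\Boxore\LSP\BoxoreService.exe) -> ERROR [2]
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://go.microsoft.com/fwlink/p/?LinkId=255141  -> Remplacé(e) (http://go.microsoft.com/fwlink/p/?LinkId=255141)
"""

PROCESS_RE = re.compile(r"^\[(?P<tags>[^\]]+)\] (?P<image>.+?)\((?P<pid>\d+)\) -- (?P<path>.+?)\[-\] -> (?P<result>.+)$")
REGISTRY_RE = re.compile(r"^\[(?P<tags>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<rest>.+?)\s+-> (?P<result>.+)$")
# First executable-looking token of a command line, quoted or not; URLs and plain data yield no match.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys|tmpfs|tmp|bat|cmd))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                # "process" or "registry"
    tags: list               # RogueKiller categories, e.g. ["PUP", "VT.Unknown"]
    family: Optional[str]    # VirusTotal label RogueKiller attached, if any
    location: str            # registry key, or process image name
    name: Optional[str]      # value name for Run/RunOnce/IE entries
    path: Optional[str]      # executable the entry launches
    mechanism: str           # assumed persistence-type names, not RogueKiller's
    outcome: str             # killed / failed / replaced / other
    user_writable: bool      # launched from a location a non-admin can write (heuristic)


def image_path(command: Optional[str]) -> Optional[str]:
    m = IMAGE_RE.match(command or "")
    return m.group("path") if m else None


def is_user_writable(path: Optional[str]) -> bool:
    p = (path or "").lower()
    return "\\appdata\\" in p or "\\temp\\" in p or p.startswith(("c:\\users\\", "c:\\programdata\\"))


def mechanism_of(key: str) -> str:
    k = key.lower()
    if "\\services\\" in k: return "service"
    if k.endswith("\\runonce"): return "runonce"
    if k.endswith("\\run"): return "run key"
    if "browser helper objects" in k: return "bho"
    if "\\internet explorer\\main" in k: return "ie setting"
    return "other"


def outcome_of(result: str) -> str:
    r = result.strip()
    if r.startswith("ERROR"): return "failed"
    if r.startswith(("Tué", "Killed")): return "killed"        # "Killed"/"Replaced" assumed for the English build
    if r.startswith(("Remplacé", "Replaced")): return "replaced"
    return "other"


def family_of(tags: list) -> Optional[str]:
    for t in tags:
        if t.startswith("VT.") and t != "VT.Unknown":
            return t[3:]
    return None


def parse_line(line: str) -> Optional[Finding]:
    m = REGISTRY_RE.match(line)
    if m:
        tags = m["tags"].split("|")
        rest, name, command = m["rest"], None, None
        if " | " in rest:                              # "key | value name : data"
            rest, value = rest.split(" | ", 1)
            name, _, command = value.partition(" : ")
        elif rest.endswith(")") and " (" in rest:      # "Services\name (image path)"; first " (" is the split,
            rest, command = rest[:-1].split(" (", 1)   # since "Program Files (x86)" may follow
        path = image_path(command)
        return Finding("registry", tags, family_of(tags), rest, name, path,
                       mechanism_of(rest), outcome_of(m["result"]), is_user_writable(path))
    m = PROCESS_RE.match(line)
    if m:
        tags = m["tags"].split("|")
        return Finding("process", tags, family_of(tags), m["image"], None, m["path"],
                       "running process", outcome_of(m["result"]), is_user_writable(m["path"]))
    return None                                        # section headers, MBR lines, etc.


def parse_log(text: str) -> list:
    findings = [parse_line(l.strip()) for l in text.splitlines() if l.strip()]
    return [f for f in findings if f]


def summarize(findings: list) -> dict:
    """What a responder wants first: what survived the removal pass, and where it lives."""
    return {
        "by_outcome": Counter(f.outcome for f in findings),
        "unresolved_persistence": [(f.mechanism, f.name or f.location.rsplit("\\", 1)[-1], f.path)
                                   for f in findings if f.kind == "registry" and f.outcome == "failed"],
        "user_writable_paths": sorted({f.path for f in findings if f.user_writable}),
        "families": sorted({f.family for f in findings if f.family}),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_log(SAMPLE_LOG)).items():
        print(k, v)
```

Every entry in `unresolved_persistence` is a launch point that will bring the adware back at the next logon or boot: killing the processes (the only thing the report shows succeeding) does nothing against a Run value, a RunOnce value or a service that still points at the same file. Note also that the report's own "Driver: Not loaded [0xc000036b]" line means the antirootkit driver never loaded, which fits the moderator's remark in the reply below that the wrong build was run.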

Re: What is this virus?
Reply #1 by Curson (Global Moderator) « on: October 10, 2015, 01:41:38 am »
Hi azerty418,

Welcome to the Adlice.com Forum.
Could you please post the log that reports "WindowLoader2.4"?

The report you posted was generated with the 32-bit version of RogueKiller.
Please download RogueKiller (64-bit version), redo a full scan and post the report obtained in your next reply.

Regards.