Infected by the "zed.exe" malware/virus


12 replies to this topic

#1 Julienx54

Posted 12 September 2017 - 07:59 AM

Hello. I recently found out that my PC has been infected by the malware "zed.exe", which consumes all the performance of my processor when I'm playing, for example. It looks like Malwarebytes keeps it in quarantine for now, but every time I try to remove it, it keeps coming back. I attached the logs from FRST, but they are in French, though.


#2 Jo* (Malware Response Team)

Posted 12 September 2017 - 09:18 AM

Welcome to BleepingComputer.

Hi there,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the "all clean" post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


:step1: Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please copy and paste the contents of that log in this topic.
  • Note:
If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.
 

***


:step2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Julienx54

Posted 12 September 2017 - 12:15 PM

Here is the RGSA log:

Result of Security Analysis by Rocket Grannie (x86) Updated: 28th August, 2017
Running from:C:\Users\Julien Barré\Downloads (17:13:01 - 09/12/2017)
***---------------------------------------------------------***
Microsoft Windows 10 Famille X64
UAC is Enabled
Internet Explorer 11
Default Browser: Microsoft Edge
***------------Antivirus - Antispyware - Firewall-----------***
Windows Defender (Enabled - up to Date)
Windows Defender (Enabled - up to Date)
Windows Firewall (Enabled)
No other Firewall Installed
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player NPAPI is not installed
CCleaner (5.32)
Defraggler (2.21)
Google Chrome (60.0.3112.113)
Java (8.0.1110.14)
Malwarebytes (3.2.2.2018)
 
***----------------Analysis Complete-------------------------***

 

 

Here is the MBAR log (it seems that it also found a trojan, "alpha.exe"):

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2017.09.12.07
  rootkit: v2017.08.02.01
 
Windows 10 x64 NTFS
Internet Explorer 11.540.15063.0
Julien-PC :: JULIENBARRÉ-PC [administrator]
 
12/09/2017 18:19:06
mbar-log-2017-09-12 (18-19-06).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 481621
Time elapsed: 43 minute(s), 30 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 2
C:\Users\Julien Barré\AppData\Local\Temp\ati\alpha.exe (Trojan.BitCoinMiner) -> No action taken. [4e39dfd4377223137a687a747090ed13]
C:\Users\Julien Barré\AppData\Local\Temp\nvd\zed.exe (RiskWare.BitCoinMiner) -> No action taken. [f5929d16b4f5af873270455698693ac6]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)

 

 
 
Here is the AdwCleaner log:

# AdwCleaner 7.0.2.1 - Logfile created on Tue Sep 12 17:11:06 2017
# Updated on 2017/29/08 by Malwarebytes 
# Database: 09-12-2017.1
# Running on Windows 10 Home (X64)
# Mode: scan
 
***** [ Services ] *****
 
PUP.Optional.Legacy, Update service
 
 
***** [ Folders ] *****
 
PUP.Optional.Legacy, C:\Program Files\Hola
PUP.Optional.Legacy, C:\Users\Julien Barré\AppData\Local\Hola
PUP.Optional.Legacy, C:\Users\Julien Barré\AppData\Roaming\Hola
PUP.Optional.Legacy, C:\Users\Julien Barré\AppData\Local\AdvinstAnalytics
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Application Data\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\Program Files (x86)\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\Users\All Users\Auslogics
 
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Hola
PUP.Optional.Legacy, [Key] - HKU\.DEFAULT\Software\Hola
PUP.Optional.Legacy, [Key] - HKU\S-1-5-18\Software\Hola
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
PUP.Optional.Legacy, [Key] - HKCU\Software\MozillaPlugins\@hola.org\vlc
PUP.Optional.Legacy, [Key] - HKCU\Software\MozillaPlugins\@hola.org\FlashPlayer
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org
PUP.Optional.AuslogicsDriverUpdater, [Key] - HKLM\SOFTWARE\Auslogics
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########

#4 Jo* (Malware Response Team)

Posted 12 September 2017 - 12:19 PM

Hello,

:step1: Run Malwarebytes Anti-Rootkit again: Double click mbar.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


:step3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


:step4: How is the computer running now?


***




#5 Julienx54

Posted 12 September 2017 - 02:20 PM

Ok, I did all the steps and for now I don't see the exe of the malware in its files. They are gone for the moment and I hope they will not come back, like for other users that I have seen on the forum. Thanks :)

Here are the logs:

MBAR log:

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.09.12.07
  rootkit: v2017.08.02.01
 
Windows 10 x64 NTFS
Internet Explorer 11.540.15063.0
Julien-PC :: JULIENBARRÉ-PC [administrator]
 
12/09/2017 19:22:12
mbar-log-2017-09-12 (19-22-12).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 481615
Time elapsed: 52 minute(s), 48 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 2
C:\Users\Julien Barré\AppData\Local\Temp\ati\alpha.exe (Trojan.BitCoinMiner) -> Delete on reboot. [4f381e953d6ca39336acee00ce3212ee]
C:\Users\Julien Barré\AppData\Local\Temp\nvd\zed.exe (RiskWare.BitCoinMiner) -> Delete on reboot. [1671d8db4168bb7b742ee3b8f40df10f]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)

 

 
 
AdwCleaner log:

# AdwCleaner 7.0.2.1 - Logfile created on Tue Sep 12 18:49:06 2017
# Updated on 2017/29/08 by Malwarebytes 
# Database: 09-12-2017.1
# Running on Windows 10 Home (X64)
# Mode: scan
 
***** [ Services ] *****
 
PUP.Optional.Legacy, Update service
 
 
***** [ Folders ] *****
 
PUP.Optional.Legacy, C:\Program Files\Hola
PUP.Optional.Legacy, C:\Users\Julien Barré\AppData\Local\Hola
PUP.Optional.Legacy, C:\Users\Julien Barré\AppData\Roaming\Hola
PUP.Optional.Legacy, C:\Users\Julien Barré\AppData\Local\AdvinstAnalytics
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\ProgramData\Application Data\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\Program Files (x86)\Auslogics
PUP.Optional.AuslogicsDriverUpdater, C:\Users\All Users\Auslogics
 
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Hola
PUP.Optional.Legacy, [Key] - HKU\.DEFAULT\Software\Hola
PUP.Optional.Legacy, [Key] - HKU\S-1-5-18\Software\Hola
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
PUP.Optional.Legacy, [Key] - HKCU\Software\MozillaPlugins\@hola.org\vlc
PUP.Optional.Legacy, [Key] - HKCU\Software\MozillaPlugins\@hola.org\FlashPlayer
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org
PUP.Optional.AuslogicsDriverUpdater, [Key] - HKLM\SOFTWARE\Auslogics
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [2245 B] - [2017/9/12 17:11:6]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Home x64 
Ran by Julien-PC (Administrator) on 12/09/2017 at 21:00:22,86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 3 
 
Successfully deleted: C:\ProgramData\mntemp (File) 
Successfully deleted: C:\ProgramData\thunder network (Folder) 
Successfully deleted: C:\Users\Public\thunder network (Folder) 
 
 
 
Registry: 2 
 
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 12/09/2017 at 21:06:09,99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#6 Jo* (Malware Response Team)

Posted 12 September 2017 - 02:38 PM

I noticed that you have Potentially Unwanted Programs (PUPs) installed on your system.
I'll ask you to uninstall them since uninstalling such programs before running more malware removal tools will ensure a better clean-up.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista / Windows 7/8/10 and remove:

Popcorn-Time

---

Copy FRST / FRST64.exe to your desktop!

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt
 
Start
CreateRestorePoint:
CloseProcesses:
CHR StartupUrls: Default -> "hxxp://www.google.fr/","hxxp://www.google.fr/webhp?source=search_app","hxxp://search.babylon.com/?affID=111020&tt=3612_8&babsrc=HP_ss&mntrId=9ee1a543000000000000c86000702c04","hxxp://mystart.incredibar.com/mb187?a=6OyJ6lxWdN&i=26","hxxp://www.google.com","hxxp://websearch.good-results.info/?pid=719&r=2013/02/14&hid=491920902&lg=EN&cc=FR","hxxp://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=hp&from=smt&uid=SAMSUNGXHD103SJ_S246J90Z421078&ts=1381581684"
S4 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2016-08-03] (Popcorn Time) [Fichier non signé]
2017-09-01 03:08 - 2017-09-01 03:08 - 014151168 _____ (Microsoft Corporation) C:\WINDOWS\system32\msaips.exe
2017-09-01 03:08 - 2017-09-01 03:08 - 009626476 _____ C:\WINDOWS\update.cab
2017-09-01 03:08 - 2017-09-01 03:08 - 000003706 _____ C:\WINDOWS\System32\Tasks\Microsoft Advanced Identity Protection Service
2017-09-01 03:08 - 2017-09-01 03:08 - 000003144 _____ C:\WINDOWS\splash.cab
C:\Users\Julien Barré\AppData\Local\Temp\ati
C:\Users\Julien Barré\AppData\Local\Temp\nvd
C:\Windows\Tasks\{980F1477-45EF-4D46-9066-F6129E027418}.job
Task: {A26F6187-07D8-43C3-A0C2-2AAEA897F176} - System32\Tasks\Microsoft Advanced Identity Protection Service => C:\WINDOWS\system32\wusa.exe [2017-03-18] (Microsoft Corporation)
FirewallRules: [{54B1F5A0-29DA-47C0-8389-DA56F5807088}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{7FB8F2F0-6F76-4538-A1C1-82DF1F4D7051}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt); please post it in your reply.


How is the computer running now?

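As an added, read-only triage check (not part of this thread and not from FRST or Malwarebytes), the PowerShell script below looks on a Windows 10 machine for the artifacts the fixlist above removed: the dropped files under C:\WINDOWS, the miner folders under the user's Temp, the root-level scheduled task with a Microsoft-like name pointing at wusa.exe, and the leftover Popcorn Time "Update service" with its firewall rules. It assumes it is run elevated in the affected user's session (so $env:LOCALAPPDATA is that user's profile) and only reports; nothing is deleted.

```powershell
# Added triage script, not part of this thread and not from FRST or Malwarebytes.
# Read-only: it reports the artifacts named in the fixlist above and deletes
# nothing. Run from an elevated PowerShell in the affected user's session
# (assumption: $env:LOCALAPPDATA is that user's profile).
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail })
}

# 1. Dropped files and miner binaries; paths are the ones in the MBAR and FRST logs.
$paths = @(
    "$env:SystemRoot\System32\msaips.exe",
    "$env:SystemRoot\update.cab",
    "$env:SystemRoot\splash.cab",
    "$env:SystemRoot\System32\Tasks\Microsoft Advanced Identity Protection Service",
    "$env:SystemRoot\Tasks\{980F1477-45EF-4D46-9066-F6129E027418}.job",
    "$env:LOCALAPPDATA\Temp\ati\alpha.exe",
    "$env:LOCALAPPDATA\Temp\nvd\zed.exe"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Add-Finding 'File' $p "SHA256=$hash"
    }
}

# 2. Scheduled tasks registered at the task root (\) under a Microsoft-sounding
#    name. Microsoft's own tasks normally sit under \Microsoft\...; the task in
#    this thread sat at the root and launched wusa.exe.
Get-ScheduledTask | Where-Object { $_.TaskPath -eq '\' -and $_.TaskName -like 'Microsoft*' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $actions
    }

# 3. Anything currently executing out of the user's Temp folder, where zed.exe
#    and alpha.exe lived. Legitimate installers can appear here briefly, so a
#    hit is something to inspect, not proof of infection.
Get-Process | Where-Object { $_.Path -and $_.Path -like "$env:LOCALAPPDATA\Temp\*" } |
    ForEach-Object {
        Add-Finding 'Process' "$($_.Name) (PID $($_.Id))" "$($_.Path) CPU=$([math]::Round($_.CPU, 1))s"
    }

# 4. The leftover Popcorn Time updater service and its firewall allow rules.
Get-CimInstance Win32_Service -Filter "Name='Update service'" |
    ForEach-Object { Add-Finding 'Service' $_.Name "$($_.State): $($_.PathName)" }
Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like '*\Popcorn Time\Updater.exe' } |
    ForEach-Object {
        $program = $_.Program
        $_ | Get-NetFirewallRule | ForEach-Object {
            Add-Finding 'FirewallRule' $_.Name "$($_.Action) $($_.Direction) -> $program"
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'None of the artifacts from this thread were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A SHA256 in the File rows can be compared against the hashes shown in brackets in the MBAR logs above, which Malwarebytes prints per detection.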


#7 Julienx54

Posted 12 September 2017 - 06:05 PM

Here is the fixlog:

 

Résultats de correction de Farbar Recovery Scan Tool (x64) Version: 12-09-2017
Exécuté par Julien-PC (13-09-2017 00:26:51) Run:1
Exécuté depuis C:\Users\Julien Barré\Desktop
Profils chargés: Julien-PC (Profils disponibles: Julien-PC & DefaultAppPool)
Mode d'amorçage: Normal
==============================================
 
fixlist contenu:
*****************
Start
CreateRestorePoint:
CloseProcesses:
CHR StartupUrls: Default -> "hxxp://www.google.fr/","hxxp://www.google.fr/webhp?source=search_app","hxxp://search.babylon.com/?affID=111020&tt=3612_8&babsrc=HP_ss&mntrId=9ee1a543000000000000c86000702c04","hxxp://mystart.incredibar.com/mb187?a=6OyJ6lxWdN&i=26","hxxp://www.google.com","hxxp://websearch.good-results.info/?pid=719&r=2013/02/14&hid=491920902&lg=EN&cc=FR","hxxp://www.dosearches.com/?utm_source=b&utm_medium=smt&utm_campaign=eXQ&utm_content=hp&from=smt&uid=SAMSUNGXHD103SJ_S246J90Z421078&ts=1381581684"
S4 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2016-08-03] (Popcorn Time) [Fichier non signé]
2017-09-01 03:08 - 2017-09-01 03:08 - 014151168 _____ (Microsoft Corporation) C:\WINDOWS\system32\msaips.exe
2017-09-01 03:08 - 2017-09-01 03:08 - 009626476 _____ C:\WINDOWS\update.cab
2017-09-01 03:08 - 2017-09-01 03:08 - 000003706 _____ C:\WINDOWS\System32\Tasks\Microsoft Advanced Identity Protection Service
2017-09-01 03:08 - 2017-09-01 03:08 - 000003144 _____ C:\WINDOWS\splash.cab
C:\Users\Julien Barré\AppData\Local\Temp\ati
C:\Users\Julien Barré\AppData\Local\Temp\nvd
C:\Windows\Tasks\{980F1477-45EF-4D46-9066-F6129E027418}.job
Task: {A26F6187-07D8-43C3-A0C2-2AAEA897F176} - System32\Tasks\Microsoft Advanced Identity Protection Service => C:\WINDOWS\system32\wusa.exe [2017-03-18] (Microsoft Corporation)
FirewallRules: [{54B1F5A0-29DA-47C0-8389-DA56F5807088}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{7FB8F2F0-6F76-4538-A1C1-82DF1F4D7051}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
EmptyTemp:
End
*****************
 
Le Point de restauration a été créé avec succès.
Processus fermé avec succès.
Chrome StartupUrls => supprimé(es) avec succès
Update service => service non trouvé(e).
C:\WINDOWS\system32\msaips.exe => déplacé(es) avec succès
C:\WINDOWS\update.cab => déplacé(es) avec succès
C:\WINDOWS\System32\Tasks\Microsoft Advanced Identity Protection Service => déplacé(es) avec succès
C:\WINDOWS\splash.cab => déplacé(es) avec succès
"C:\Users\Julien Barré\AppData\Local\Temp\ati" => non trouvé(e).
"C:\Users\Julien Barré\AppData\Local\Temp\nvd" => non trouvé(e).
C:\Windows\Tasks\{980F1477-45EF-4D46-9066-F6129E027418}.job => déplacé(es) avec succès
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A26F6187-07D8-43C3-A0C2-2AAEA897F176} => clé supprimé(es) avec succès
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A26F6187-07D8-43C3-A0C2-2AAEA897F176} => clé supprimé(es) avec succès
C:\WINDOWS\System32\Tasks\Microsoft Advanced Identity Protection Service => non trouvé(e).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft Advanced Identity Protection Service => clé supprimé(es) avec succès
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{54B1F5A0-29DA-47C0-8389-DA56F5807088} => valeur supprimé(es) avec succès
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7FB8F2F0-6F76-4538-A1C1-82DF1F4D7051} => valeur supprimé(es) avec succès
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 116480120 B
Java, Flash, Steam htmlcache => 410954320 B
Windows/system/drivers => 17648515 B
Edge => 224833 B
Chrome => 785593783 B
Firefox => 5519466 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 2502 B
NetworkService => 315932 B
Julien Barré => 1456394635 B
DefaultAppPool => 0 B
 
RecycleBin => 2397308 B
EmptyTemp: => 2.6 GB données temporaires supprimées.
 
================================
 
 
Le système a dû redémarrer.
 
==== Fin de Fixlog 00:29:48 ====

 

 
 
I see no difference for the moment, maybe later. I thought that I had uninstalled this software like a month ago (I installed it first just to give it a try), so it's weird to see that some parts of it were still present. Thanks again :thumbsup:


#8 Jo* (Malware Response Team)

Posted 12 September 2017 - 06:20 PM


We should wait for 24 hours to be sure that the virus does not come back.



#9 Julienx54

Posted 12 September 2017 - 06:26 PM

Ok, I will post tomorrow if the virus is back or not.



#10 Jo* (Malware Response Team)

Posted 13 September 2017 - 05:11 PM

Is the virus back or not?



#11 Julienx54

Posted 13 September 2017 - 06:33 PM

No, the virus didn't come back. Again, thanks :wink:




#12 Jo* (Malware Response Team)

Posted 14 September 2017 - 01:17 AM

***


It Appears That Your Pc Is Clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

===================================

Here are some Preventive tips to reduce the potential for spyware infection in the future

:step1: Make sure you keep your Windows OS current.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
:step2: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important channel to spread their wares.
:step3: Use only one anti-virus software and keep it up-to-date.

:step4: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

:step5: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step6: Use Strong passwords!

:step7: Email attachments
Do not open any unknown email attachments, which you received without asking for it!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.


***




#13 Jo* (Malware Response Team)

Posted 15 September 2017 - 03:56 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
