DC3_FEXEC is back


  • This topic is locked This topic is locked
17 replies to this topic

#1 sergio23 (Members, 10 posts)

Posted 26 September 2017 - 02:02 AM

Please find attached FRST.txt and Addition.txt.


#2 nasdaq (Malware Response Team, 39,936 posts, Montreal, QC. Canada)

Posted 26 September 2017 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Java 8 Update 141 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180141F0}) (Version: 8.0.1410.15 - Oracle Corporation)
You already have the latest version which is Java 8 Update 144
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(@ByELDI) C:\Program Files\KMSpico\Service_KMS.exe
(Microsoft Corporation) C:\Users\serge\wnxvnt.exe
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
FF user.js: detected! => C:\Users\serge\AppData\Roaming\Mozilla\Firefox\Profiles\ab1lkcv3.default\user.js [2017-09-24]
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [737984 2015-08-30] (@ByELDI) [Fichier non signé]
C:\Program Files\KMSpico
C:\Users\serge\wnxvnt.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
---

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/

====

Let me know what problem persists.

#3 sergio23 (Topic Starter, Members, 10 posts)

Posted 26 September 2017 - 10:10 AM

Thanks a lot, my friend, for your help.

Now it's wonderful.

Best regards



#4 nasdaq (Malware Response Team, 39,936 posts, Montreal, QC. Canada)

Posted 26 September 2017 - 12:13 PM

Hi,

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#5 sergio23 (Topic Starter, Members, 10 posts)

Posted 29 September 2017 - 01:19 AM

Hello,

 

I am sorry, but DC3_FEXEC is back!

3 new attached files.

Thanks a lot


#6 nasdaq (Malware Response Team, 39,936 posts, Montreal, QC. Canada)

Posted 29 September 2017 - 10:21 AM

Hi again.

If still present, remove this program in bold via the Control Panel > Programs > Programs and Features.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )


Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Microsoft Corporation) C:\Users\serge\wnxvnt.exe
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
C:\Users\serge\wnxvnt.exe

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

I need to see the Fixlog.txt. Please post it for my review.

#7 sergio23 (Topic Starter, Members, 10 posts)

Posted 29 September 2017 - 11:34 AM

Hello nasdaq

Thanks a lot for your help.

From "Programs and Features" I deleted the entry "KMSpico", then ran your script.

Attached: "fixlist.txt"

Best regards and thanks again

Sergio


#8 nasdaq (Malware Response Team, 39,936 posts, Montreal, QC. Canada)

Posted 29 September 2017 - 12:33 PM

Hi,

I need to see the Fixlog.txt.

Please attach it.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file". <-- Do not forget this 2nd step.
Click the "Add Reply" button.
===

#9 sergio23 (Topic Starter, Members, 10 posts)

Posted 29 September 2017 - 05:09 PM

Here is the file: Fixlog.txt

Sorry for the delay, nasdaq

Best regards


#10 nasdaq (Malware Response Team, 39,936 posts, Montreal, QC. Canada)

Posted 30 September 2017 - 07:59 AM

Hi,

Let me know if the problem returns.

#11 nasdaq (Malware Response Team, 39,936 posts, Montreal, QC. Canada)

Posted 30 September 2017 - 09:51 AM

Hi,

After a review of your Addition.txt log, I suggest you remove these entries.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {3CEC7596-A036-4915-BBD7-B4B5A1CFDA86} - System32\Tasks\zpow => C:\Users\serge\zpow\wnxvnt.exe [2016-10-09] (AutoIt Team)
C:\Windows\System32\Tasks\zpow
C:\Users\serge\zpow

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===
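The fixlists in this thread remove a scheduled task that launched an executable from the user profile (zpow => C:\Users\serge\zpow\wnxvnt.exe), a Windows Defender policy restriction and a group-policy software restriction on mrt.exe. As an added example, not part of the thread and not an FRST feature, the following PowerShell (run elevated) lists scheduled tasks whose action runs from a user profile directory and reports the contents of the Defender policy key; the Software Restriction Policy path location it checks is an assumption about where such restrictions are usually stored, not something the thread confirms.

```powershell
# Added example (not from the thread): defender-side checks for the kinds of
# persistence artefacts the FRST fixlists above removed. Run in an elevated
# PowerShell session (5.1 or later).

# 1. Scheduled tasks whose action executes a program from a user profile folder,
#    like the "zpow" task that ran C:\Users\serge\zpow\wnxvnt.exe.
function Get-UserProfileTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Actions without an Execute member (e.g. COM handler actions) are skipped.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute)
            if ($exe -match '^[A-Za-z]:\\Users\\') {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $action.Arguments
                    State     = $task.State
                }
            }
        }
    }
}

# 2. Policy keys of the kind FRST flagged with "<==== ATTENTION".
function Get-PolicyRestrictions {
    $findings = @()
    # Any value set here changes Windows Defender behaviour by policy; on a home
    # machine this key normally does not exist at all.
    $defender = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if (Test-Path $defender) {
        $props = Get-ItemProperty -Path $defender
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip PowerShell provider metadata
                $findings += [pscustomobject]@{ Key = $defender; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    # ASSUMPTION: Software Restriction Policy "disallowed" path rules live here; each
    # subkey's ItemData is the blocked path (e.g. %systemroot%\system32\mrt.exe).
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (Test-Path $srp) {
        Get-ChildItem -Path $srp | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            $findings += [pscustomobject]@{ Key = $_.PSPath; Name = 'ItemData'; Value = $rule.ItemData }
        }
    }
    $findings
}

Get-UserProfileTasks | Format-Table -AutoSize
Get-PolicyRestrictions | Format-Table -AutoSize
```

Empty output from both functions on a clean machine is expected; any hit is a lead to review, not proof of infection, since legitimate software also creates per-user tasks.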

#12 sergio23 (Topic Starter, Members, 10 posts)

Posted 30 September 2017 - 10:16 AM

Hello nasdaq

Thanks again for your last email.

The next Fixlog is attached.

Best regards

S.V.


#13 sergio23 (Topic Starter, Members, 10 posts)

Posted 01 October 2017 - 02:23 AM

Hello nasdaq

How are you?

I am very sorry, but DC3_FEXEC is back again, but I don't know what...

Attached files:

• FRST.txt,

• Addition.txt,

• Shortcut.txt

Best regards

S.V


#14 nasdaq (Malware Response Team, 39,936 posts, Montreal, QC. Canada)

Posted 01 October 2017 - 09:27 AM

Hi,

Please keep all messages in this topic. No need to create a new one.

I suspect that this is caused by some remnant registry entries.

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
DC3_FEXEC
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#15 sergio23 (Topic Starter, Members, 10 posts)

Posted 01 October 2017 - 11:06 AM

Hi,

Thank you for your answer.

When I open FRST as an administrator, I am not asked to accept the disclaimer... The attached file "SearchReg.txt" is from this morning's FRST report.

Then I did a search directly in the registry (Windows + R on the keyboard and select "regedit") and searched for the entry "DC3_FEXEC"... Result: no DC3_FEXEC entry!!!

I will reset the Windows and Firefox browsers, and then run an analysis with the "iObit Advanced SystemCare 10" software. What do you think about it?
