Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

echt.exe virus


  • Please log in to reply
5 replies to this topic

#1 kshukla87

kshukla87

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:22 PM

Posted 10 March 2018 - 07:07 AM

Some type of malware runs in the background of my computer which I have traced to this application "echt.exe".  Despite repeated attempts to delete this (manually, malwarebytes scan, and Zemana) it keeps coming back.  Ads randomly start running in the background (even if I do not have a browser open).  All I hear is the sound, no visual.  And the only way to make them stop is to go to Task Manager and end the echt.exe process.  This only works for a short amount of time and then it starts up again.  Please help.

 

Tried to attach a screenshot but I'm not having any luck at the moment.  Will try to add it if I can.



BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,399 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:22 PM

Posted 10 March 2018 - 07:59 AM

Use the programs below to clean, remove adware and remove malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 kshukla87

kshukla87
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:22 PM

Posted 11 March 2018 - 02:35 AM

Here are the log files:

 

mbar-log-2018-03-10 (22-38-48)

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2018.03.11.02
  rootkit: v2018.03.08.03

Windows 10 x64 NTFS
Internet Explorer 11.248.16299.0
kshuk :: DESKTOP-8HHSNIT [administrator]

3/10/2018 10:38:48 PM
mbar-log-2018-03-10 (22-38-48).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 195578
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EW5SBZRSNBQN UPDATER (Adware.DNSUnlocker.ACMB2) -> Delete on reboot. [a559c6449523bf7730fce2ab44bc8779]

Registry Values Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Ew5SBZrsNbqn Updater|ImagePath (Adware.DNSUnlocker.ACMB2) -> Data: C:\Program Files (x86)\Ew5SBZrsNbqn Updater\Ew5SBZrsNbqn Updater.exe -> Delete on reboot. [a559c6449523bf7730fce2ab44bc8779]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 12
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (162.222.193.86       aoaomo.tremorhub.com) Good: () -> Replace on reboot. [d82617f36d4bd4626f67db0f1ee47e82]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: ( file used by Microsoft TCP/IP for W) Good: () -> Replace on reboot. [a45a51b9ccecfa3c2caafcee000249b7]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (9 Microsoft Corp.
#
# This is ) Good: () -> Replace on reboot. [ae509971dddb1b1ba33311d9649e4fb1]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (-2009 Microsoft Corp.
#
# This is) Good: () -> Replace on reboot. [18e6b45677419c9a429441a916ec54ac]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (09 Microsoft Corp.
#
# This i) Good: () -> Replace on reboot. [9d6124e691272b0b36a09456b052857b]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (3-2009 Microsoft Corp.
#
# This is a ) Good: () -> Replace on reboot. [847aea20a31582b46a6c707a966c6898]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (icrosoft Corp.
#
# This is a samp) Good: () -> Replace on reboot. [56a8ec1e27919c9aede95a903fc3e21e]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (09 Microsoft Corp.
#
# This is a sampl) Good: () -> Replace on reboot. [a25c41c9d9df1e184591bb2f2fd331cf]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (crosoft Corp.
#
# This is a sample) Good: () -> Replace on reboot. [1ae4e822249495a1f0e6d119b74be31d]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (188.95.50.62       bobomo.tremorhub.com) Good: () -> Replace on reboot. [d42a27e307b1979f98e0a4477b879868]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (5.149.252.98 www.gstatic.com) Good: () -> Replace on reboot. [d628a664bdfb40f6e6a247a5699913ed]
C:\Windows\System32\drivers\etc\hosts (Hijack.Host) -> Bad: (93-2009 Microsoft Corp.
#
# This is) Good: () -> Replace on reboot. [5ea0000a07b16cca7711ce1e4bb708f8]

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 

# AdwCleaner 7.0.8.0 - Logfile created on Sun Mar 11 06:51:08 2018
# Updated on 2018/08/02 by Malwarebytes
# Database: 2018-03-08.1
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [3405 B] - [2018/3/10 11:7:0]
C:/AdwCleaner/AdwCleaner[S0].txt - [3833 B] - [2018/3/10 11:6:0]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########

 

 

 

C:\AdwCleaner\Quarantine\RYwTiizs2t\0236b7b4a600f300e3850747745aba02.exe    Win32/Adware.Zdengo.VD application    cleaned by deleting
C:\AdwCleaner\Quarantine\RYwTiizs2t\76f40666ff45f0989512dd713160b32e.exe    a variant of Win32/Adware.Zdengo.VE application    cleaned by deleting
C:\AdwCleaner\Quarantine\RYwTiizs2t\cddf7a46f07fcd80aace91fea10a5681.exe    a variant of Win32/Adware.Zdengo.VE application    cleaned by deleting
C:\Program Files (x86)\bizarreness\bizarreness.exe    a variant of MSIL/TrojanClicker.Agent.NTD trojan    cleaned by deleting
C:\Program Files (x86)\bizarreness\sacraments.dll    a variant of MSIL/TrojanClicker.Agent.NTD trojan    cleaned by deleting
C:\Program Files (x86)\kowtowing\pacemaker.exe    Win32/Adware.Dotdo.R application    cleaned by deleting
C:\Program Files (x86)\Vapors\echt.dll    a variant of MSIL/TrojanClicker.Agent.NTD trojan    cleaned by deleting
C:\Program Files (x86)\Vapors\Vapors.exe    a variant of MSIL/TrojanClicker.Agent.NTD trojan    cleaned by deleting
C:\Users\kshuk\AppData\Local\echt.exe    a variant of MSIL/TrojanClicker.Agent.NTD trojan    cleaned by deleting (after the next restart)
C:\Users\kshuk\AppData\Local\Temp\nsz75D4.tmp\ip086arl1.exe    a variant of MSIL/Adware.Dotdo.DK application    cleaned by deleting
C:\Users\kshuk\Downloads\ccsetup540.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting
C:\Users\kshuk\Downloads\Install JDownloader.rar    Win32/Downloader.Agent.BX potentially unwanted application    deleted
C:\Users\kshuk\Downloads\uTorrent.exe    a variant of MSIL/WebCompanion.A potentially unwanted application,a variant of Win32/WebCompanion.B potentially unwanted application    cleaned by deleting
C:\Users\kshuk\Downloads\Install JDownloader\Install JDownloader.exe    Win32/Downloader.Agent.BX potentially unwanted application    cleaned by deleting
C:\Windows\hasegawa.exe    a variant of MSIL/TrojanClicker.Agent.NTD trojan    cleaned by deleting
C:\Windows\Temp\~wsB82C.tmp    a variant of Win64/Adware.RunBooster.E application    cleaned by deleting
 



#4 buddy215

buddy215

  • Moderator
  • 13,399 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:22 PM

Posted 11 March 2018 - 06:27 AM

Are you still seeing/ hearing ads?


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 kshukla87

kshukla87
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:06:22 PM

Posted 11 March 2018 - 11:20 AM

Yes.  I actually heard the ads while Eset virus scan was running.  And the echt.exe program was running and I had to manually kill it from Task Manager.  Additionally when I use Chrome, i keep getting redirected via "extensions.citypage"



#6 buddy215

buddy215

  • Moderator
  • 13,399 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:22 PM

Posted 11 March 2018 - 11:43 AM

I think you may be infected with smart. You need to start a new topic in the malware removal forum by following the directions below.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users