
zed.exe & alpha.exe infection


8 replies to this topic

#1 tknt009

tknt009

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:50 AM

Posted 24 March 2018 - 05:51 PM

Hello,

 

I've actually had this problem for a while, but had to put it and the affected computer aside for several months. I'm back now and finally hoping to resolve it, however.

 

As other users infected with zed.exe and alpha.exe have mentioned in the past, these two files appear in folders named /ATI and /NVD (with both folders appearing in /temp) after about 10 - 15 minutes of idle time, forcing my computer fans to kick on under the load of their bitcoin number crunching. I've only been able to notice this thanks to the sound of my fans and watching the Task Manager during these idle moments.

 

Attached are my FRST.txt and addition.txt logs. Thank you in advance for the help!

 

EDIT: And apparently, I've been infected with msaips.exe as well, which AVG seems to have quarantined as soon as it was written to disk.

Attached Files


Edited by tknt009, 24 March 2018 - 06:15 PM.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:50 AM

Posted 25 March 2018 - 08:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This version of CCleaner was compromised.
Remove this program in bold via the Control Panel > Programs > Programs and Features.
CCleaner (HKLM\...\CCleaner) (Version: 5.33 - Piriform) <==== ATTENTION

Read about it.
https://www.ccleaner.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
Get the latest version.
https://www.ccleaner.com/ccleaner/download
---

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Extension: (Flash Video Downloader - YouTube HD Download [4K]) - C:\Users\Anton\AppData\Roaming\Mozilla\Firefox\Profiles\563o9uqq.default\Extensions\artur.dubovoy@gmail.com [2017-08-15] [Legacy]
CHR Extension: (Yukon Extension) - C:\Users\Anton\AppData\Local\Google\Chrome\User Data\Default\Extensions\belncckcaakhmonmcfmegbglccbjlebc [2018-03-24]
S3 dbx; system32\DRIVERS\dbx.sys [X]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {BE6B8295-9815-4C17-AEA0-B669BA320660} - System32\Tasks\Microsoft Advanced Identity Protection Service => Command(1): wusa.exe -> C:\windows\update.cab /extract:C:\windows\system32\ <==== ATTENTION
Task: {BE6B8295-9815-4C17-AEA0-B669BA320660} - System32\Tasks\Microsoft Advanced Identity Protection Service => Command(2): C:\windows\system32\msaips.exe [2017-09-07] (Microsoft Corporation)
C:\Windows\System32\Tasks\Microsoft Advanced Identity Protection Service
C:\windows\system32\msaips.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
---

Please update malwarebytes and run the program.

Remove everything that will be found.
===

Please let me know what problem persists with this computer.

#3 tknt009

tknt009
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:50 AM

Posted 25 March 2018 - 11:31 AM

Hi nasdaq. Thank you for your help!

 

MalwareBytes quarantined Trojan.floxif, which looks like the trojan associated with the compromised version of CCleaner.

 

Attached is my fixlog.txt. A cursory glance at it seems to indicate that some things weren't removed because "access [was] denied." I'm wondering if this might be because Windows 10 updated while I was away from my computer for a bit, yesterday?

 

In any case, thank you again, nasdaq!

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:50 AM

Posted 25 March 2018 - 12:27 PM



Hi,

Please run the Farbar program one more time.

To recreate an Addition.txt log make sure the box is checked.


Post the logs for my review.


Let me know if you have any problems with this computer.

#5 tknt009

tknt009
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:50 AM

Posted 25 March 2018 - 01:38 PM

Understood. Files are attached to this post.

 

That said, there hasn't been much in the way of problems with the PC that I've noticed so far. However, one of the files that I think we were aiming to remove, update.cab, is still hanging around in /system32. It contains an instance of msaips.exe, or so I'm led to believe when I view it in WinRAR (I haven't extracted it though, of course).

 

Thank you again!

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:50 AM

Posted 26 March 2018 - 07:16 AM

Hi,

The file msaips.exe is not present in your last logs.

Clean these items.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
CloseProcesses:

FirewallRules: [{A423E9A9-B68A-4563-936F-97C7CC4ABFAE}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
FirewallRules: [{C67BD166-A17F-4655-AD4A-A343551DF4B4}] => (Allow) C:\Users\Anton\AppData\Local\Temp\nvd\zed.exe
FirewallRules: [{54556857-70FA-4D1C-B4AB-5CEA94C9A459}] => (Allow) C:\Users\Anton\AppData\Local\Temp\nvd\zed.exe
FirewallRules: [{98D46E02-E6E2-444F-AE70-9F0E039F3DBB}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
FirewallRules: [{0B4914AF-E34E-4FB2-8F84-CB6CDC694ECA}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
FirewallRules: [{E8A49EEC-AF69-4EDC-837C-D2CF81912941}] => (Allow) C:\Users\Anton\AppData\Local\Temp\nvd\zed.exe
FirewallRules: [{0FFDED0A-18B3-4F7B-B848-2BA1F24C1B38}] => (Allow) C:\Users\Anton\AppData\Local\Temp\nvd\zed.exe
FirewallRules: [{52DB65EF-F163-49E5-9B1E-7A262FA934A6}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
C:\windows\system32\msaips.exe

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

If the file C:\windows\system32\msaips.exe is not deleted by the fix, boot to Safe Mode and delete it.

Keep me posted.
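As an added example (not code from this thread, from Farbar or from BleepingComputer), the following read-only PowerShell audit checks a Windows machine for the indicators named in posts #2 and #6: the fake "Microsoft Advanced Identity Protection Service" scheduled task, msaips.exe and update.cab under the Windows directory, the miner binaries under Temp\ati and Temp\nvd, and firewall allow rules pointing at programs in a user's Temp folder. It reports only and deletes nothing; substituting %LOCALAPPDATA% for C:\Users\Anton\AppData\Local is an assumption so that it runs for whichever user is logged on.

```powershell
# Added audit script (not from the thread). Run from an elevated PowerShell prompt.
# It only reports findings; remediation stays with the FRST fixlists above.
$findings = @()

# 1. Scheduled task masquerading as a Microsoft service (post #2).
$taskName = 'Microsoft Advanced Identity Protection Service'
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task '$taskName' present. Actions: $actions"
}

# 2. Dropped files from the thread (posts #1, #2, #5). The task in post #2 extracts
#    C:\windows\update.cab into System32; post #5 reports update.cab in System32 too.
$paths = @(
    "$env:SystemRoot\System32\msaips.exe",
    "$env:SystemRoot\update.cab",
    "$env:SystemRoot\System32\update.cab",
    "$env:LOCALAPPDATA\Temp\ati\alpha.exe",   # assumption: %LOCALAPPDATA% = C:\Users\<user>\AppData\Local
    "$env:LOCALAPPDATA\Temp\nvd\zed.exe"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $sig  = (Get-AuthenticodeSignature -FilePath $p).Status   # a genuine Microsoft binary is 'Valid'
        $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash    # record for later comparison
        $findings += "File present: $p (signature: $sig, SHA256: $hash)"
    }
}

# 3. Firewall allow rules for executables living under a user's Temp folder (post #6).
Get-NetFirewallRule -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $app = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($app -and $app -match '\\AppData\\Local\\Temp\\') {
        $findings += "Firewall allow rule '$($_.Name)' for program in Temp: $app"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this thread were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A miner that recreates its files only after 10-15 minutes of idle time, as post #1 describes, may not be on disk when the script runs, so repeat the check while the fans are spinning up.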

#7 tknt009

tknt009
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:50 AM

Posted 26 March 2018 - 10:13 AM

Fixlog appears to indicate that the firewall rules were removed successfully.

 

I was also able to successfully delete update.cab from /system32, which is a compressed file containing msaips.exe.

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:50 AM

Posted 26 March 2018 - 10:32 AM

Hi,

Good work.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#9 tknt009

tknt009
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:50 AM

Posted 26 March 2018 - 11:15 AM

Thank you for your help, Nasdaq! It is very much appreciated.

 

I'll keep an eye on it and will let you know if anything else pops up in the next day or two. It's been surprisingly OK these past 2 days, so hopefully, it will stay that way.

 

Thanks again!





