Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

zed.exe & alpha.exe infection

8 replies to this topic

#1 tknt009

tknt009

• Members
• 7 posts
• OFFLINE
•
• Local time:08:25 PM

Posted 24 March 2018 - 05:51 PM

Hello,

I've actually had this problem for a while, but had to put it and the affected computer aside for several months. I'm back now and finally hoping to resolve it, however.

As other users infected with zed.exe and alpha.exe have mentioned in the past, these two files appear in folders named /ATI and /NVD (with both folders appearing in /temp) after about 10 - 15 minutes of idle time, forcing my computer fans to kick on under the load of their bitcoin number crunching. I've only been able to notice this thanks to the sound of my fans and watching the Task Manager during these idle moments.

Attached are my FRST.txt and addition.txt logs. Thank you in advance for the help!

EDIT: And apparently, I've been infected with msaips.exe as well, which AVG seems to have quarantined as soon as it was written to disk.

Attached Files

Edited by tknt009, 24 March 2018 - 06:15 PM.

#2 nasdaq

nasdaq

• Malware Response Team
• 39,202 posts
• OFFLINE
•
• Gender:Male
• Local time:11:25 PM

Posted 25 March 2018 - 08:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This version of CCleaner was compromised.
Remove this program in bold via the Control Panel > Programs > Programs and Features.
CCleaner (HKLM\...\CCleaner) (Version: 5.33 - Piriform) <==== ATTENTION

---

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Yukon Extension) - C:\Users\Anton\AppData\Local\Google\Chrome\User Data\Default\Extensions\belncckcaakhmonmcfmegbglccbjlebc [2018-03-24]
S3 dbx; system32\DRIVERS\dbx.sys [X]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
C:\windows\system32\msaips.exe

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

---

Please update malwarebytes and run the program.

Remove everthing that will be found.
===

Please let me know what problem persists with this computer.

#3 tknt009

tknt009
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:08:25 PM

Posted 25 March 2018 - 11:31 AM

Hi nasdaq. Thank you for your help!

MalwareBytes quarantined Trojan.floxif, which looks like the trojan associated with the compromised version of CCleaner.

Attached is my fixlog.txt. A cursory glance at it seems to indicate that some things weren't removed because "access [was] denied." I'm wondering if this might be because Windows 10 updated while I was away from my computer for a bit, yesterday?

In any cash, thank you again, nasdaq!

#4 nasdaq

nasdaq

• Malware Response Team
• 39,202 posts
• OFFLINE
•
• Gender:Male
• Local time:11:25 PM

Posted 25 March 2018 - 12:27 PM

Hi,

Please run the Farbar program one more time.

To recreate an Addition.txt log make sure the box is checked.

Post the logs for my review.

Let me know if you have any problems with this computer.

#5 tknt009

tknt009
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:08:25 PM

Posted 25 March 2018 - 01:38 PM

Understood. Files are attached to this post.

That said, there hasn't been much in the way of problems with the PC that I've noticed so far. However, one of the files that I think we were aiming to remove, update.cab, is still hanging around in /system32. It contains an instance of msaips.exe, or so I'm led to believe when I view it in WinRAR (I haven't extracted it though, of course).

Thank you again!

#6 nasdaq

nasdaq

• Malware Response Team
• 39,202 posts
• OFFLINE
•
• Gender:Male
• Local time:11:25 PM

Posted 26 March 2018 - 07:16 AM

Hi,

The file msaips.exe is not present in your last logs.

Clean these items.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
CloseProcesses:

FirewallRules: [{A423E9A9-B68A-4563-936F-97C7CC4ABFAE}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
FirewallRules: [{54556857-70FA-4D1C-B4AB-5CEA94C9A459}] => (Allow) C:\Users\Anton\AppData\Local\Temp\nvd\zed.exe
FirewallRules: [{98D46E02-E6E2-444F-AE70-9F0E039F3DBB}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
FirewallRules: [{0B4914AF-E34E-4FB2-8F84-CB6CDC694ECA}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
FirewallRules: [{E8A49EEC-AF69-4EDC-837C-D2CF81912941}] => (Allow) C:\Users\Anton\AppData\Local\Temp\nvd\zed.exe
FirewallRules: [{0FFDED0A-18B3-4F7B-B848-2BA1F24C1B38}] => (Allow) C:\Users\Anton\AppData\Local\Temp\nvd\zed.exe
FirewallRules: [{52DB65EF-F163-49E5-9B1E-7A262FA934A6}] => (Allow) C:\Users\Anton\AppData\Local\Temp\ati\alpha.exe
C:\windows\system32\msaips.exe

Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

===

If the file C:\windows\system32\msaips.exe Is not deleted by the fix boot to Safe Mode and delete.

Keep me posted.

#7 tknt009

tknt009
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:08:25 PM

Posted 26 March 2018 - 10:13 AM

Fixlog appears to indicate that the firewall rules were removed successfully.

I was also able to successfully delete update.cab from /system32, which is a compressed file containing msaips.exe.

#8 nasdaq

nasdaq

• Malware Response Team
• 39,202 posts
• OFFLINE
•
• Gender:Male
• Local time:11:25 PM

Posted 26 March 2018 - 10:32 AM

Hi,

Good work.

If all is well.

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#9 tknt009

tknt009
• Topic Starter

• Members
• 7 posts
• OFFLINE
•
• Local time:08:25 PM

Posted 26 March 2018 - 11:15 AM

Thank you for your help, Nasdaq! It is very much appreciated.

I'll keep an eye on it and will let you know if anything else pops up in the next day or two. It's been surprisingly OK these past 2 days, so hopefully, it will stay that way.

Thanks again!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users