Raphaels

About Raphaels
  1. Ok great. I'll definitely plan to format in the coming days and this should be ok. A big big thank you for your quick replies, support & patience, it has been of great help. I wish you a nice end of week and a great weekend.
  2. Hi Aura, ok, thanks for the additional details. Then I will probably consider formatting the system to ensure I don't leave any door open to it. From your point of view, is this infection gone now?
  3. Ok, thanks for your confirmation (unfortunately). Could we assume that it's removable from the computer? Or would you highly recommend formatting it because the risk is too high?
  4. Thank you very much for this new step. Regarding AdwCleaner: no item found! I had run a scan & deleted the items this morning. I attached the 2 logs then (morning & now) if you want to see what had been identified earlier today. Here are then the 3 files. AdwCleaner[C00]_morning.txt AdwCleaner[S01].txt rk_E494.tmp.txt
  5. In case it can be helpful, here is the total file (except the ones listed in the error message) with a WeTransfer link: https://we.tl/Q5oVP1FJ4P
  6. I tried to deactivate all I could (Win Defender, MBAM), even trying to create the zip in Safe Mode, but I keep getting the following error message: C:\FRST\Quarantine.zip: Impossible d'ouvrir C:\FRST\Quarantine\C\WINDOWS\system32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}.xBAD ! Accès refusé. C:\FRST\Quarantine.zip: Impossible d'ouvrir C:\FRST\Quarantine\C\WINDOWS\system32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}.xBAD ! Accès refusé. So the archive is probably incomplete. Its total size is more than 220Mo, so I tried creating it in separate files of 50Mo. Can I still post it, or won't it help?
  7. Here's the log file: Fixlog.txt
  8. Thank you for all these details. Although I understand the risks, I would prefer trying the clean-up solution first and seeing how it goes, and would be glad to get your support there. Many thanks
  9. Hi Aura, thanks a lot for your quick reply. All clear to me, and I'll do my best to follow your recommendations. Regarding the presence of the dclogs folder: it's true that in the MBAM report and detection, this folder doesn't appear anymore. It was in some of the previous scans. I don't know whether it will appear again in another scan or after a computer restart. At the moment I haven't selected any action on MBAM or Farbar yet, so I can still cancel or put all threats in Quarantine, for example. Thanks, Raphael
  10. Hi, I'm contacting you as I'm facing some difficulties in removing malware on a PC I've just received. I've tried several analyses with MBAM and AdwCleaner, and cleaning the Temp folders, even in Safe Mode. Unfortunately, every time I restart the computer, the threats (or different ones) are present again. As described in the pinned post, I'm attaching the reports to this message. Thanks a lot in advance for your help. Raphael MBAM.txt Addition.txt FRST.txt