[Recurring Trojan.Agent with dclogs folder]

Ok great.
I'll definitely plan to format in the coming days and this should be ok.

A big big thank you for your quick replies, support & patience, it has been of great help.
I wish you a nice end of week and a great weekend.

[Recurring Trojan.Agent with dclogs folder]

Hi Aura

Ok thanks for additional details. Then I will probably consider to format the system to ensure I don't leave any door open to it.
From your point of you this infection is gone now?

[Recurring Trojan.Agent with dclogs folder]

Ok thanks for your confirmation (unfortunately).

Could we assume that it's removable from the computer? Or you would highly recommend to format it because the risk is too high?

[Recurring Trojan.Agent with dclogs folder]

Thank you very much for this new step.

Regarding AdwCleaner: no item found!
I had run a scan & deleted the items this morning. I attached the 2 logs then (morning & now) if you want to see what had been identified earlier today.

Here are then the 3 files.

 

AdwCleaner[C00]_morning.txt

AdwCleaner[S01].txt

rk_E494.tmp.txt

[Recurring Trojan.Agent with dclogs folder]

In case it can be helpful, here is the total file (except the ones listed in the error message) with wetranfer link: https://we.tl/Q5oVP1FJ4P

[Recurring Trojan.Agent with dclogs folder]

I tried to deactivate all I could (Win Defender, MBAM), even trying creating the zip in Safe Mode, but I keep getting the following error message:

    C:\FRST\Quarantine.zip: Impossible d'ouvrir C:\FRST\Quarantine\C\WINDOWS\system32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}.xBAD
!   Accès refusé.
    C:\FRST\Quarantine.zip: Impossible d'ouvrir C:\FRST\Quarantine\C\WINDOWS\system32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}.xBAD
!   Accès refusé.

So archive is probably incomplete.

Its total size is more than 220Mo so I tried creating it in separated files of 50Mo.
Can I still post it or it won't help?

[Recurring Trojan.Agent with dclogs folder]

Here's the log file:

Entfernungsergebnis von Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
durchgeführt von rsabatier (13-06-2018 16:47:04) Run:1
Gestartet von C:\Users\rsabatier\OneDrive - Jobcloud\Desktop
Geladene Profile: rsabatier (Verfügbare Profile: jcdeploy & rsabatier & dafsevgili & danlang & Administrator)
Start-Modus: Normal
==============================================

fixlist Inhalt:
*****************
CloseProcesses:
CreateRestorePoint:

GroupPolicy: Beschränkung ? <==== ACHTUNG
CHR HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG

Task: {04752D44-D268-4469-B718-C3C5D5048967} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> Keine Datei <==== ACHTUNG
Task: {30736B57-47D7-4622-AD92-875B8387F688} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> Keine Datei <==== ACHTUNG
Task: {3A26B9AA-8B7D-4361-B291-2768D84B3D2A} - System32\Tasks\fhwb => C:\Users\rsabatier\fhwb\zubqjye.exe [2016-10-09] (AutoIt Team)
Task: {46EEF261-5CF2-41D3-A675-D08C967C17AE} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {5C00FEF3-1564-4C9F-951C-F5E14052AE72} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> Keine Datei <==== ACHTUNG
Task: {5ED1402F-AD81-4190-B8FC-72AA50B5A0F7} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> Keine Datei <==== ACHTUNG
Task: {9E4DB088-D5CB-478D-8CE8-D41CB7671E91} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> Keine Datei <==== ACHTUNG
Task: {D058CEBE-35F6-4705-B2BD-1CB43AC3862A} - System32\Tasks\fseczq => C:\Users\rsabatier\fseczq\wvkykon.exe [2016-10-09] (AutoIt Team)
Task: {DD538F00-A343-4A6D-9680-0DC5D5AEB086} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Task: {E207B6C1-7A6F-4894-A26E-088033CB8BC9} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> Keine Datei <==== ACHTUNG
Task: {F5A0CFDE-9C69-4EEA-BFD6-4AA87D2B9D3A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> Keine Datei <==== ACHTUNG
Task: {FF1CBC9D-40DA-44B4-AC8E-B886F3B6A503} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> Keine Datei <==== ACHTUNG

AlternateDataStreams: C:\Windows:nlsPreferences [386]

C:\Users\rsabatier\.obs32
C:\Users\rsabatier\fhwb
C:\Users\rsabatier\fseczq
C:\Users\rsabatier\wvkykon.exe
C:\Users\rsabatier\zubqjye.exe
C:\Users\rsabatier\ntuser.pol
C:\Users\rsabatier\AppData\Roaming\A6C052D5-7E37-4797-A7BC-D87D95C03BBB

Hosts:
EmptyTemp:
*****************

Prozesse erfolgreich geschlossen.
Wiederherstellungspunkt wurde erfolgreich erstellt.
C:\WINDOWS\system32\GroupPolicy\Machine => erfolgreich verschoben
C:\WINDOWS\system32\GroupPolicy\GPT.ini => erfolgreich verschoben
"HKLM\SOFTWARE\Policies\Google" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{04752D44-D268-4469-B718-C3C5D5048967}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04752D44-D268-4469-B718-C3C5D5048967}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{30736B57-47D7-4622-AD92-875B8387F688}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{30736B57-47D7-4622-AD92-875B8387F688}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3A26B9AA-8B7D-4361-B291-2768D84B3D2A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A26B9AA-8B7D-4361-B291-2768D84B3D2A}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\fhwb => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\fhwb" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{46EEF261-5CF2-41D3-A675-D08C967C17AE}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{46EEF261-5CF2-41D3-A675-D08C967C17AE}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA} => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5C00FEF3-1564-4C9F-951C-F5E14052AE72}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C00FEF3-1564-4C9F-951C-F5E14052AE72}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5ED1402F-AD81-4190-B8FC-72AA50B5A0F7}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5ED1402F-AD81-4190-B8FC-72AA50B5A0F7}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9E4DB088-D5CB-478D-8CE8-D41CB7671E91}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9E4DB088-D5CB-478D-8CE8-D41CB7671E91}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D058CEBE-35F6-4705-B2BD-1CB43AC3862A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D058CEBE-35F6-4705-B2BD-1CB43AC3862A}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\fseczq => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\fseczq" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD538F00-A343-4A6D-9680-0DC5D5AEB086}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD538F00-A343-4A6D-9680-0DC5D5AEB086}" => erfolgreich entfernt
C:\WINDOWS\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202} => erfolgreich verschoben
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E207B6C1-7A6F-4894-A26E-088033CB8BC9}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E207B6C1-7A6F-4894-A26E-088033CB8BC9}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F5A0CFDE-9C69-4EEA-BFD6-4AA87D2B9D3A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F5A0CFDE-9C69-4EEA-BFD6-4AA87D2B9D3A}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FF1CBC9D-40DA-44B4-AC8E-B886F3B6A503}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FF1CBC9D-40DA-44B4-AC8E-B886F3B6A503}" => erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => erfolgreich entfernt
C:\Windows => ":nlsPreferences" ADS erfolgreich entfernt
C:\Users\rsabatier\.obs32 => erfolgreich verschoben
C:\Users\rsabatier\fhwb => erfolgreich verschoben
C:\Users\rsabatier\fseczq => erfolgreich verschoben
C:\Users\rsabatier\wvkykon.exe => erfolgreich verschoben
C:\Users\rsabatier\zubqjye.exe => erfolgreich verschoben
C:\Users\rsabatier\ntuser.pol => erfolgreich verschoben
C:\Users\rsabatier\AppData\Roaming\A6C052D5-7E37-4797-A7BC-D87D95C03BBB => erfolgreich verschoben
C:\Windows\System32\Drivers\etc\hosts => erfolgreich verschoben
Hosts erfolgreich wiederhergestellt.

=========== EmptyTemp: ==========

BITS transfer queue => 10510336 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18011760 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 151318709 B
Edge => 645264 B
Chrome => 711755075 B
Firefox => 384132745 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 6308 B
LocalService => 0 B
NetworkService => 37792 B
NetworkService => 0 B
JCDeploy => 3440 B
rsabatier => 130048257 B
dafsevgili => 0 B
danlang => 56941 B
Administrator => 30274 B

RecycleBin => 59168 B
EmptyTemp: => 1.3 GB temporäre Dateien entfernt.

================================

Das System musste neu gestartet werden.

==== Ende von Fixlog 16:48:19 ====

Fixlog.txt

[Recurring Trojan.Agent with dclogs folder]

Thank you for all these details.

Although I understand the risks, I would prefer trying first the clean-up solution and see how it goes and would be glad to get your support there.

 

Many thanks

[Recurring Trojan.Agent with dclogs folder]

Hi Aura

Thanks a lot for your quick reply.
All clear to me and I'll do my best to follow your recommendations.

 

Regarding the presence of dclogs folder: it's true that in MBAM report and detection, this folder doesn't appear anymore. It was in some of the previous scans.
I don't know whether it will appear again in another scan or computer restart.

At the moment I haven't selected any action on MBAM or Farbar yet, so I can still cancel or put all threats in Quarantine for ex.

Thanks

 

Raphael

[Recurring Trojan.Agent with dclogs folder]

Hi

I'm contacting you as I'm facing some difficulties in removing a malware on a PC I've just received.
I've tried several analysis with MBAM and Adw cleaner, and cleaning the Temp folders, even in safe mode.
Unfortunately everytime I restart the computer, the threats (or different ones) are present again.

As described in the pinned post, I'm attaching the reports to this message.
Thanks a lot in advance for your help.

 

Raphael

 

 

MBAM.txt

Addition.txt

FRST.txt