How to remove cloudnet epicnet virus that keeps returning


Solved by kevinf80


Hello commegalife,

Well that action rules out 3rd party programs as the source. Try this:

Check Malwarebytes for current updates > Disconnect your PC from the internet > Run a Malwarebytes scan and quarantine any found entries > Reboot your system with the internet still disconnected > Run another scan to see if the problem returns. Please ensure that the internet connection is off during that process...

Let me know the outcome.

Thanks,

Kevin...


Hi Kevin, when I ran the clean boot, and rebooted while still in clean boot mode, I didn't connect to the internet at all.

This morning, after I turned on my laptop, I scanned it immediately before opening any program. The virus was moved to quarantine.

Then, after lunch, I randomly checked again using Malwarebytes and ttaraaaaa! Malwarebytes found them again even though I didn't turn off or restart my laptop 😭

And I don't know which 3rd party program is causing this damned virus 😭

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

RogueKiller Anti-Malware V14.7.4.0 (x64) [Oct 22 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19041) 64 bits
Started in : Normal mode
User : ASUS [Administrator]
Started from : C:\Users\ASUS\Desktop\RogueKiller64.exe
Signatures : 20201109_140442, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2020/11/11 13:11:37 (Duration : 00:23:56)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> XX - System Policies
  [PUM.Policies (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- 0 -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Chapak (Malicious)] (folder) rss -- C:\Windows\rss -> Found
[Tr.Gen (Malicious)] (folder) csrss -- C:\Users\ASUS\AppData\Local\Temp\csrss -> Found
[Miner.Gen (Malicious)] (folder) wup -- C:\Users\ASUS\AppData\Local\Temp\wup -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> Firefox Config
  [PUM.SearchEngine (Potentially Malicious)] browser.search.defaultenginename (C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\2jiyeosw.default-release\prefs.js) -- Default Search Engine -> Found
  [PUM.SearchEngine (Potentially Malicious)] browser.search.selectedEngine (C:\Users\ASUS\AppData\Roaming\Mozilla\Firefox\Profiles\2jiyeosw.default-release\prefs.js) -- Default Search Engine -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 


Hiya commegalife,

I totally understand what you are saying, life can get real busy at times....

Now, let's re-run RogueKiller and remove all the items it found.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, make sure every item listed is checkmarked.
  • Then click the Removal button and wait until the removal process is complete.
  • When complete, click on Results.
  • Click Report.
  • Click Export and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Let me see that log in your reply; also tell me if there are any remaining issues or concerns...

Thank you,

Kevin

 

 


RogueKiller Anti-Malware V14.7.4.0 (x64) [Oct 22 2020] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19041) 64 bits
Started in : Normal mode
User : ASUS [Administrator]
Started from : C:\Users\ASUS\Desktop\RogueKiller64.exe
Signatures : 20201109_140442, Driver : Loaded
Mode : Standard Scan, Delete -- Date : 2020/11/11 17:04:24 (Duration : 00:21:59)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUM.Policies (Potentially Malicious)] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin --  -> Replaced (2)
[Tr.Chapak (Malicious)] rss -- %SystemRoot%\rss -> Deleted
  => Protection Dir -- C:\Windows\rss\csrss.exe\PROTEC~1 -> Deleted
  => csrss.exe -- C:\Windows\rss\csrss.exe -> Deleted
[Tr.Gen (Malicious)] csrss -- %localappdata%\Temp\csrss -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\al.exe\PROTEC~1 -> Deleted
  => al.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\al.exe -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\cloudnet.exe\PROTEC~1 -> Deleted
  => cloudnet.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\cloudnet.exe -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\i2pd\i2pd.exe\PROTEC~1 -> Deleted
  => i2pd.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\i2pd\i2pd.exe -> Deleted
  => i2pd -- C:\Users\ASUS\AppData\Local\Temp\csrss\i2pd -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\lsa64.exe\PROTEC~1 -> Deleted
  => lsa64.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\lsa64.exe -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\LSA64I~1.EXE\PROTEC~1 -> Deleted
  => lsa64install_in.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\LSA64I~1.EXE -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\mrt.exe\PROTEC~1 -> Deleted
  => mrt.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\mrt.exe -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE\PROTEC~1 -> Deleted
  => obfs4proxy.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy\OBFS4P~1.EXE -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy\Tor\tor.exe\PROTEC~1 -> Deleted
  => tor.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy\Tor\tor.exe -> Deleted
  => Tor -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy\Tor -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy\tor.exe\PROTEC~1 -> Deleted
  => tor.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy\tor.exe -> Deleted
  => proxy -- C:\Users\ASUS\AppData\Local\Temp\csrss\proxy -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\SCHEDU~1.EXE\PROTEC~1 -> Deleted
  => scheduled.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\SCHEDU~1.EXE -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\smb\e7.exe\PROTEC~1 -> Deleted
  => e7.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\smb\e7.exe -> Deleted
  => smb -- C:\Users\ASUS\AppData\Local\Temp\csrss\smb -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\vc.exe\PROTEC~1 -> Deleted
  => vc.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\vc.exe -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\WINBOX~1.EXE\PROTEC~1 -> Deleted
  => winboxls-1008-2.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\WINBOX~1.EXE -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\csrss\WINBOX~2.EXE\PROTEC~1 -> Deleted
  => winboxscan-1003-2.exe -- C:\Users\ASUS\AppData\Local\Temp\csrss\WINBOX~2.EXE -> Deleted
[Miner.Gen (Malicious)] wup -- %localappdata%\Temp\wup -> Deleted
  => Protection Dir -- C:\Users\ASUS\AppData\Local\Temp\wup\wup.exe\PROTEC~1 -> Deleted
  => wup.exe -- C:\Users\ASUS\AppData\Local\Temp\wup\wup.exe -> Deleted
[PUM.SearchEngine (Potentially Malicious)] browser.search.defaultenginename -- Default Search Engine -> Deleted
[PUM.SearchEngine (Potentially Malicious)] browser.search.selectedEngine -- Default Search Engine -> Deleted
 


Yep, still there :')

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/11/20
Scan Time: 8:18 PM
Log File: 6a20f4fe-2420-11eb-bb19-2cfda17fd2c7.json

-Software Information-
Version: 4.2.2.95
Components Version: 1.0.1096
Update Package Version: 1.0.32750
License: Trial

-System Information-
OS: Windows 10 (Build 19041.508)
CPU: x64
File System: NTFS
User: 5HINEE\ASUS

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 291441
Threats Detected: 8
Threats Quarantined: 0
Time Elapsed: 10 min, 18 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 8
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, No Action By User, 1167, 781247, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe, No Action By User, 1167, 781247, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Roaming\EpicNet Inc\CloudNet, No Action By User, 1167, 781247, , , , , , 
Trojan.Glupteba.BITSRST, C:\USERS\ASUS\APPDATA\ROAMING\EPICNET INC, No Action By User, 1167, 781247, 1.0.32750, , ame, , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, No Action By User, 1167, 781248, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe, No Action By User, 1167, 781248, , , , , , 
Trojan.Glupteba.BITSRST, C:\Users\ASUS\AppData\Local\EpicNet Inc\CloudNet, No Action By User, 1167, 781248, , , , , , 
Trojan.Glupteba.BITSRST, C:\USERS\ASUS\APPDATA\LOCAL\EPICNET INC, No Action By User, 1167, 781248, 1.0.32750, , ame, , , 

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

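The two logs above give a concrete set of artifacts: folders under C:\Windows\rss, %LOCALAPPDATA%\Temp\csrss and %LOCALAPPDATA%\Temp\wup (RogueKiller), the "EpicNet Inc\CloudNet" folders in both AppData\Roaming and AppData\Local (Malwarebytes), and the UAC value ConsentPromptBehaviorAdmin that RogueKiller found set to 0. The script below is an added, read-only audit written for this thread; it is not code from the thread, from Malwarebytes or from Adlice. It only reports what it finds and deletes nothing. It assumes Windows 10 with PowerShell 5.1 or later, run elevated as the affected user; the scheduled-task check is a general persistence check that goes beyond the logs (the RogueKiller Tasks section was empty), and the function names are my own.

```powershell
# Added example, not from the thread: read-only audit of the artifacts named in
# the RogueKiller and Malwarebytes logs. Reports only; nothing is deleted.
# Folder names and the UAC value come from those logs; the scheduled-task check
# is a general persistence check added here (the log's Tasks section was empty).
# Run in an elevated PowerShell session as the affected user.

$SuspectDirs = @(
    (Join-Path $env:SystemRoot   'rss')                   # Tr.Chapak in the RogueKiller log
    (Join-Path $env:LOCALAPPDATA 'Temp\csrss')            # Tr.Gen: cloudnet.exe, tor.exe, i2pd.exe ...
    (Join-Path $env:LOCALAPPDATA 'Temp\wup')              # Miner.Gen: wup.exe
    (Join-Path $env:APPDATA      'EpicNet Inc\CloudNet')  # Trojan.Glupteba.BITSRST in the Malwarebytes log
    (Join-Path $env:LOCALAPPDATA 'EpicNet Inc\CloudNet')
)

# True when $Path sits inside one of the suspect folders (case-insensitive).
function Test-UnderSuspectDir {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($dir in $SuspectDirs) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-GluptebaFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Folders listed in the logs. "Protection Dir" in the logs is a folder
    #    nested under a name that looks like an .exe, so list recursively with -Force.
    foreach ($dir in $SuspectDirs) {
        if (Test-Path -LiteralPath $dir) {
            $items = Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
            $findings.Add([pscustomobject]@{
                Check  = 'Folder present'
                Detail = "$dir ($(@($items).Count) items inside)"
            })
        }
    }

    # 2. A process still running from one of those folders is the usual reason a
    #    scan keeps finding the same files: the running copy recreates them.
    foreach ($p in Get-Process) {
        try { $exe = $p.Path } catch { $exe = $null }
        if (Test-UnderSuspectDir $exe) {
            $findings.Add([pscustomobject]@{
                Check  = 'Process running from suspect folder'
                Detail = "$($p.ProcessName) (PID $($p.Id)) -> $exe"
            })
        }
    }

    # 3. UAC. RogueKiller flagged ConsentPromptBehaviorAdmin = 0 (administrators
    #    elevate without any prompt) and logged 'Replaced (2)'. The Windows 10 default is 5.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = (Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue).ConsentPromptBehaviorAdmin
    if ($uac -eq 0) {
        $findings.Add([pscustomobject]@{
            Check  = 'UAC elevation prompt disabled for admins'
            Detail = 'ConsentPromptBehaviorAdmin = 0 (Windows default is 5)'
        })
    }

    # 4. Scheduled tasks whose action launches something from a suspect folder.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute            # $null for non-exec (COM handler) actions
            if (-not $exe) { continue }
            $resolved = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            if (Test-UnderSuspectDir $resolved) {
                $findings.Add([pscustomobject]@{
                    Check  = 'Scheduled task launches from suspect folder'
                    Detail = "$($task.TaskPath)$($task.TaskName) -> $exe $($action.Arguments)"
                })
            }
        }
    }

    return $findings
}

$result = @(Get-GluptebaFindings)
if ($result.Count -eq 0) {
    Write-Host 'No artifacts from the logs found.'
} else {
    $result | Format-Table -AutoSize -Wrap
}
```

Running this before and after each removal pass shows whether the folders are gone, whether a copy is still executing (which would explain why Malwarebytes keeps finding the same eight items), and whether the UAC setting has stayed at its restored value rather than dropping back to 0.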
  • Solution

Hiya commegalife,

Been doing Google searches and found a thread similar to yours at another site; the program in question had been suggested as a possible cause. Problem was the initiator of the thread did not reply to the question and the thread was locked and closed out. Let's remove it first and see what happens... Continue:

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool, the main GUI will populate with installed programs list,

Left click on Smadav to highlight that entry.

Select Action from the Menu bar, then Uninstall from there follow the prompts.

If Uninstall fails open the "Action" menu one more time and use "Force Removal" option...

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".


Thank you,
 
Kevin

Hiya commegalife,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

FRST will also create a zip file Date_Time.zip; it should save to the same place FRST was run from, can you attach that please. If not in the downloads folder please check your desktop..

Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply

  • Please use "Copy to Clipboard", then Right click in your reply > select "Paste"; that will copy the log to your reply…

Thank you,

Kevin..

fixlist.txt
