The Cloudnet virus keeps coming back after restart

[LordJohn]

In Reference to https://forums.malwarebytes.com/topic/262651-cloudnet-virus-keeps-coming-back/
 

[Maurice Naggar]

Hello.   

That link cited above is someone else's old case.  Are you having issues on your Windows pc ?  Have you scanned with Malwarebytes for Windows ?

What is going on on your machine?

If you need help, please do as outlined on the pinned topic  https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/?do=getLastComment

Just only attach report files.  Dont paste them.

Edited December 25, 2020 by Maurice Naggar

[LordJohn]

Yes, i used to scan malware bytes but every time i restart that virus keeps showing up 
As to reason why i cited that case as iam having similar issues 

 

Result.txt

[Maurice Naggar]

I got your report.  Question:  Did you see these remaraks on your report   

No Action By User

Here's what needs doing.

In Malwarebytes for Windows program, we want to do a special scan.
Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then click the Security tab.   

Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON        👈
Click it to get it ON  if it does not show a blue-color
.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.
 

Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
You can actually click  ( tick )   the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).    👈

🔻

 

 

Then click on Quarantine selected.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

[LordJohn]

Hi i have did that but still same issue, it is cleared now but when i restart my computer that virus is still showing in malware bytes 

[Maurice Naggar]

I have to have real / fresh reports from your machine !!

By the way, this additional information on the trojan

Trojan.Glupteba is Malwarebytes’ detection name for a backdoor Trojan that enables the threat actor to perform several actions on the affected Windows system.
Trojan.Glupteba is usually dropped by exploit kits. It can download and install further malware and add the affected system to a botnet. It has the tendency to pretend to be an updater for legitimate software.

cf.   https://blog.malwarebytes.com/detections/trojan-glupteba/

Here is what I need from you:

I would appreciate  getting  additional / fuller  important details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.80.848.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one. 

Sincerely,

Maurice

[LordJohn]

Hi Maurice,
This is the Grab result zip file 

Thank you !

mbst-grab-results.zip

[Maurice Naggar]

Thanks for this support-tool report.  It looks to me like perhaps, you had first done a "clean" operation using the tool, which would have removed & re-installed Malwarebytes.  I had only requested a "Gather logs" only.  I do have the log reports.  But it is always important to only do what I specify.

If there are questions, or something not clear, then Stop & ask me first and wait for my clarification .

I am not able to see the last scans with Malwarebytes.  However, I see another "booger" on this system.  It is SMADAV "Smart protection".  A allegation of protection.  But it is a trojan, too.

So we have a compound infections.

Sidenote for later on.  You have to Uninstall 

Java 8 Update 45 

It is a way old version.

.

[    1     ]

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[      2     ]

The system will be rebooted after the script has run.

This custom script is for  LordJohn  only / for this machine only.

 

 

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRSTENGLISH.exe   tool   which you have on your Downloads folder.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Start the Windows Explorer and then, to the Downloads   folder.

RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

 

Fixlist.txt

[LordJohn]

Hi Maurice,

This is the Fixlog.txt 
And followed your procedure above.

Should i uninstall smartdav as well ?,and should i do a scan now ? and check again.


Thank you ! 
Lord John
 

Fixlog.txt

[LordJohn]

Hi Maurice,
I did a scan now and it is showing no detection, should i try to restart my computer now ? and check if the issue will persist again.

Thank you ! 
Lord John

[Maurice Naggar]

Good morning.  I hope your holiday weekend is going well.  Thanks for the Fixlog.  The custom script run is very much worthwhile.  A good run.

IF in Windows Control Panel you see the "smadav" listed as a installed program, in that event, then Uninstall it   ( if you can).

 

Lets do this next one time special scan.  Do this in any event, at this point.

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

[LordJohn]

Hi Maurice,

Good morning to you to as well.

This is the MBAR log file

It said No malwares found 


Thank you ! 
Lord John

mbar-log-2020-12-27 (01-43-02).txt

[LordJohn]

Should i proceed to restart my computer now ?
 

[Maurice Naggar]

Yes, indeed, you can Restart the system.

[LordJohn]

Hi Maurice,

Good day ! 

After the restart, i did a scan again and now the virus is totally gone now !



By the way i wanna ask how did i got this virus to begin with incase on those logs when and where and how i got infected by that virus.

Thank you so much Maurice! 

Lord John

result after restart.txt

[Maurice Naggar]

Good morning. Thanks for the latest scan report from Malwarebytes for Windows.  I am very pleased to see the scan result.

As to how the trojan got on this machine, it is difficult to know exactly. Most likely means would have been when accepting the install of some "free" thing off the web. Had this pc had the Premium Malwarebytes it would have been stopped at the very start. Let me suggest 2 next steps.

[    1    ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

[    2    ]

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.
• This tool is safe.   Smartscreen is overly sensitive.   This tool is safe to run.
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
• Wait for the scan to finish.
• It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Edited December 27, 2020 by Maurice Naggar

[LordJohn]

Hi Maurice,
This is the Scan result and Clean Result.

And the Security Check, i checked on the text file it says i need to update my office, but when i checked on office app it is automatically downloading and update the app 


Thank you Again Maurice for fixing lots of my issue !

 

AdwCleaner[C02].txt AdwCleaner[S02].txt SecurityCheck.txt

[Maurice Naggar]

Hello.   Thanks for the reports.  The Adwcleaner scan result is fine.  Glad to see the good results & readout from the SecurityCheck.

Your system is good to go.  I would suggest that you consider adding the Malwarebytes Browser Guard to both the Chrome browser & this EDGE browser too.  They will help guard each browser.

To get & install the Malwarebytes Browser Guard extension for Chrome,

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

Then, do the same for this EDGE browser.   Open Edge browser & go to 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

.

To remove the FRST  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

 

Delete mbst-grab-results.zip   on the Desktop

Delete mb-support-1.80.848.exe

Delete MBAR.exe

Delete SecurityCheck.exe

Any other download file I had you download, you may delete.

I wish you all the best.  Stay safe.

Sincerely,

Maurice

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you