
Exe Virus Keeps Coming Back in Temp Folder



Hello,

I have a virus in my temp folder that I've removed 3-4 times, yet it continues to come back time and time again. It's an .exe virus. Both Malwarebytes and Windows Defender have stated they removed it, yet the virus returns after every restart of my computer. I'd like some help on how to get rid of this thing for good.

Thanks!


Hi.

My name is Maurice. I will be guiding you. Let me know what name you prefer to be addressed by. As we go along, always attach any reports / files I request from you.

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press the Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually
  • Please attach both logs to your reply if possible. 
  • To upload attachments, please click "choose files" at the bottom left of the Reply box. Then browse to where your file is located, select it and click the Open button. Then review the main body of your reply. When ready and all set, click on the "Submit Reply" button.


Thanks.  Let us start out with the following.

What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one, two or three.

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html


Then next,

On the Windows taskbar, in the Windows search box, type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

Once the Command prompt window is up, copy > paste the line in the codebox below into the command window.

It is best to use COPY & Paste for the following. All of each line as-is.

del /s /q C:\Users\lobby\AppData\Local\Temp\PE5FBA.exe

Tap Enter. This should finish super quick. Let me know when this is done.

Just so you know, any file in the temporary folder C:\Users\lobby\AppData\Local\Temp is fair game for deletion.


  • Solution

Let me suggest what follows.

On the Windows taskbar, in the Windows search box, type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

Once the Command prompt window is up, copy > paste the line in the codebox below into the command window.

It is best to use COPY & Paste for the following. All of each line as-is.

del /s /q C:\Users\lobby\AppData\Local\Temp\*.*

Tap Enter. This should finish super quick. Let me know when this is done.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you


  • Root Admin

Hello @madiemmy

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


  • Root Admin

The logs show that the system is running one or more P2P torrenting programs.

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is very much illegal, and there is always a chance of getting caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. We have seen an increase in malware being bundled with software downloads over P2P.
Please keep in mind that when sharing files you're increasing the risk that your system might get infected. Scan all files prior to running them.

If you really don't need µTorrent I would recommend that you uninstall it.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


  • Root Admin

Great, that log looks pretty good.

So there are a few issues left we need to look at.

You have this entry which is the one responsible for creating the EXE file in the temp folder. I'm not saying the file is bad but if you're not aware of the program, you did not install it yourself, or know what it's doing, then I would remove it. (I can help you do that)

 

This process is running and making that file:

(AutoIt Consulting Ltd -> AutoIt Team) C:\Users\lobby\AppData\Roaming\rmDsKDsTuM\BevgArUsMm.com

That seems to be from this company which does consulting work to create software using AutoIT scripting language.
https://www.autoitconsulting.com/site/

 

Windows Defender sees the file being created and believes it is an infection. Again, it might be a valid program, but without knowing more about it yourself I would remove it.

 

Windows Defender:
===============
Date: 2021-02-17 14:41:31
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.DF!ml&threatid=2147757794&enterprise=0
Name: Trojan:Win32/Wacatac.DF!ml
ID: 2147757794
Severity: Severe
Category: Trojan
Path: file:_C:\Users\lobby\AppData\Local\Temp\PE3B6F.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\lobby\AppData\Roaming\rmDsKDsTuM\BevgArUsMm.com
Security intelligence Version: AV: 1.331.1232.0, AS: 1.331.1232.0, NIS: 1.331.1232.0
Engine Version: AM: 1.1.17800.5, NIS: 1.1.17800.5

 

 

You also have an older version of Java running on the computer. If possible, it's best to try and run your computer without Java. If you really have to have it, then make sure you remove old versions and keep it up to date at all times.

Java 8 Update 271
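As an added example (not from the thread, FRST or Defender), this Python parses a Defender entry in the layout FRST printed above and points at the parent process in AppData\Roaming, the thing that keeps recreating the Temp file. The sample event is constructed from the values quoted in the thread; the "random-looking name" check is a rough heuristic and an assumption of this example.

```python
import ntpath
import re

# Constructed sample in the layout FRST uses for Defender events; the values are
# the ones quoted in this thread (Trojan:Win32/Wacatac.DF!ml, PE3B6F.exe).
SAMPLE_EVENT = """Windows Defender:
===============
Date: 2021-02-17 14:41:31
Name: Trojan:Win32/Wacatac.DF!ml
ID: 2147757794
Severity: Severe
Category: Trojan
Path: file:_C:\\Users\\lobby\\AppData\\Local\\Temp\\PE3B6F.exe
Detection Source: Real-Time Protection
Process Name: C:\\Users\\lobby\\AppData\\Roaming\\rmDsKDsTuM\\BevgArUsMm.com
"""
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8,}$")  # heuristic: rmDsKDsTuM, BevgArUsMm

def parse_defender_event(text):
    """Turn the 'Key: value' lines of an FRST Defender entry into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:  # the banner and '===' lines have no ': ' and are skipped
            fields[key] = value.strip()
    path = fields.get("Path", "")
    # FRST prefixes the detected file path with 'file:_'; strip it
    fields["Path"] = path[len("file:_"):] if path.startswith("file:_") else path
    return fields

def assess_event(fields):
    """Explain why the writing process, not the Temp file, is the thing to remove."""
    dropped = fields.get("Path", "")
    parent = fields.get("Process Name", "")
    folder = ntpath.basename(ntpath.dirname(parent))
    stem, ext = ntpath.splitext(ntpath.basename(parent))
    reasons = []
    if TEMP_DIR_RE.search(dropped):
        reasons.append("detected file is in a Temp folder: a dropped payload")
    if APPDATA_RE.search(parent):
        reasons.append("writing process runs from user-writable AppData")
    if RANDOM_NAME_RE.match(folder) and RANDOM_NAME_RE.match(stem):
        reasons.append("parent folder and file names look randomly generated")
    if ext.lower() != ".exe":
        reasons.append(f"parent executable uses an unusual extension ({ext})")
    # Deleting only the Temp file lets the parent recreate it at the next boot,
    # which is exactly what the thread describes; the parent folder has to go.
    return {"dropped_file": dropped, "parent_process": parent,
            "parent_folder": ntpath.dirname(parent), "reasons": reasons}
```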

 

 


Yeah, I didn't install that program, not voluntarily at least. I went in and removed the entire folder, and the program was actually run as I tried deleting it, so I ended the process in task manager and tried to delete it - success!

Thanks so much for your help! I also updated my Java.


  • Root Admin

Please run the following @madiemmy

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications.

  • Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message window, then
  • click on the MORE INFO spot and override that and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 


  • Root Admin

Please review and address the following.


--------------------------- [ OtherUtilities ] ----------------------------
calibre 64bit v.5.0.1 Warning! Download Update

 

------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update

 


-------------------------- [ IMAndCollaborate ] ---------------------------

Zoom v.5.2.1 (44052.0816) Warning! Download Update

 

--------------------------------- [ P2P ] ---------------------------------
µTorrent v.3.5.5.45852 Warning! Ad-supported P2P-client.

 

-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.11 Warning! Download Update

QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.

 

 

Then once those are done, please download and run the following software which will check on other software on your computer.

 

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

I'll check back on you again some time tomorrow

Thank you

 


  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
