I NEED HELP TO REMOVE CLOUDNET VIRUS THAT KEEP COMING BACK


Hello,

 

I need help removing a cloudnet virus from my computer, which I have been trying to remove for weeks, but it keeps coming back. I have been using Malwarebytes to remove the virus, but after I reboot my computer and scan it again, it is still there.

Recently I saw a thread where somebody used an FRST fixlist and it worked. Please help, what do I have to do to remove this virus? Thanks

Scan result.txt


  • Root Admin

Thank you for the log. It looks like there was a rootkit located and removed. Let me have you run the following to double-check @siskaprif

 

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If an infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you


Hello, I have scanned with TDSSKiller, and here is the log.

07:26:39.0750 0x2910  TDSS rootkit removing tool 3.1.0.28 Apr  9 2019 21:11:46
07:26:43.0962 0x2910  ============================================================
07:26:43.0962 0x2910  Current date / time: 2021/09/01 07:26:43.0962
07:26:43.0962 0x2910  SystemInfo:
07:26:43.0965 0x2910  
07:26:43.0965 0x2910  OS Version: 10.0.19042 ServicePack: 0.0
07:26:43.0965 0x2910  Product type: Workstation
07:26:43.0965 0x2910  ComputerName: PC-HOME
07:26:43.0965 0x2910  UserName: user
07:26:43.0965 0x2910  Windows directory: C:\WINDOWS
07:26:43.0965 0x2910  System windows directory: C:\WINDOWS
07:26:43.0965 0x2910  Running under WOW64
07:26:43.0965 0x2910  Processor architecture: Intel x64
07:26:43.0965 0x2910  Number of processors: 8
07:26:43.0965 0x2910  Page size: 0x1000
07:26:43.0965 0x2910  Boot type: Normal boot
07:26:43.0965 0x2910  CodeIntegrityOptions = 0x00000001
07:26:43.0965 0x2910  ============================================================
07:26:43.0966 0x2910  KLMD ARK init status: drvProperties = 0xEF0F02, osBuild = 19041.0, osProperties = 0x1D
07:26:43.0966 0x2910  KLMD BG init status: drvProperties = 0xEF0F02, osBuild = 19041.0, osProperties = 0x1D
07:26:43.0966 0x2910  BG loaded
07:26:44.0117 0x2910  System UUID: {66E929B6-F7DE-7713-B135-A3359BC56DCD}
07:26:44.0326 0x2910  !crdlk
07:26:44.0329 0x2910  Drive \Device\Harddisk0\DR0 - Size: 0x1D1C0EE0E00 ( 1863.01 Gb ), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
07:26:44.0334 0x2910  ============================================================
07:26:44.0334 0x2910  \Device\Harddisk0\DR0:
07:26:44.0335 0x2910  MBR partitions:
07:26:44.0335 0x2910  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0xFA000
07:26:44.0335 0x2910  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xFA800, BlocksNum 0x3CE8E33B
07:26:44.0335 0x2910  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x3D090800, BlocksNum 0xABD76000
07:26:44.0336 0x2910  ============================================================
07:26:44.0339 0x2910  C: <-> \Device\Harddisk0\DR0\Partition2
07:26:44.0340 0x2910  E: <-> \Device\Harddisk0\DR0\Partition3
07:26:44.0340 0x2910  ============================================================
07:26:44.0340 0x2910  Initialize success
07:26:44.0340 0x2910  ============================================================
07:26:50.0290 0x0ed0  ============================================================
07:26:50.0290 0x0ed0  Scan started
07:26:50.0290 0x0ed0  Mode: Manual; SigCheck; TDLFS; 
07:26:50.0290 0x0ed0  ============================================================
07:26:50.0290 0x0ed0  KSN ping started
07:26:50.0579 0x0ed0  KSN ping finished: true
07:26:57.0155 0x0ed0  ================ Scan BIOS =================================
07:26:57.0156 0x0ed0  BIOS info: vendor = Dell Inc., version = 1.0.4, releaseDate = 02/23/2017
07:26:57.0156 0x0ed0  Base board info: manufacturer = Dell Inc., product = 0VHXCD, version = A00
07:27:05.0152 0x0ed0  [ 8D873E54CD78B56655564E507920FB41, 506E01E3B795FBF33D148C0AEBA7B096D629C40AFDD007484E363436654F2D5C ] BIOS
07:27:05.0152 0x0ed0  BIOS - ok
07:27:05.0154 0x0ed0  ================ Scan system memory ========================
07:27:05.0158 0x0ed0  System memory - ok
07:27:05.0160 0x0ed0  ================ Scan services =============================
07:27:05.0160 0x0ed0  ================ Scan global ===============================
07:27:05.0235 0x0ed0  [ Global ] - ok
07:27:05.0236 0x0ed0  ================ Scan MBR ==================================
07:27:05.0239 0x0ed0  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
07:27:05.0401 0x0ed0  \Device\Harddisk0\DR0 - ok
07:27:05.0402 0x0ed0  ================ Scan VBR ==================================
07:27:05.0403 0x0ed0  [ 13B060CD5B9EDD2B53E0BC7AF0BC9544 ] \Device\Harddisk0\DR0\Partition1
07:27:05.0405 0x0ed0  \Device\Harddisk0\DR0\Partition1 - ok
07:27:05.0410 0x0ed0  [ FD34584398594408CA850D46679E7A6C ] \Device\Harddisk0\DR0\Partition2
07:27:05.0412 0x0ed0  \Device\Harddisk0\DR0\Partition2 - ok
07:27:05.0415 0x0ed0  [ 40C0555165C00E1F306F3D60047A6BE4 ] \Device\Harddisk0\DR0\Partition3
07:27:05.0417 0x0ed0  \Device\Harddisk0\DR0\Partition3 - ok
07:27:05.0417 0x0ed0  ================ Scan generic autorun ======================
07:27:05.0419 0x0ed0  SecurityHealth - ok
07:27:05.0593 0x0ed0  [ 2D11CF68F390BA0768EEFD6EA5D691EC, 46C2640A7B1D9BF07DACE82FA78802ECEC97F81FE2C0D2EDBBCCD5E9890C7013 ] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
07:27:05.0726 0x0ed0  RTHDVCPL - ok
07:27:05.0767 0x0ed0  [ 9E47F14EFABBE4145F95BC1114217FAB, 1655CAA99E56E410F6D17C3618A9A3650899059B2B20594B95B0ECDD4A090A73 ] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
07:27:05.0790 0x0ed0  RtHDVBg_PushButton - ok
07:27:05.0797 0x0ed0  [ 6055DE5C4980310E0988DB68B3BCC9E0, E0C73AA5D63971B0EF483A57CFDD3F27CEC15F87E0006110890E880B9790293E ] C:\Program Files\Intel\ConnectCenter\bin\ICCLauncher.exe
07:27:05.0802 0x0ed0  IntelConnectCenter - detected UnsignedFile.Multi.Generic ( 1 )
07:27:06.0149 0x0ed0  Detect skipped due to KSN trusted
07:27:06.0149 0x0ed0  IntelConnectCenter - ok
07:27:06.0166 0x0ed0  [ 5447AF432CDA61159ADDE218C468FFD9, 63BD74521F679F195C24C1818267ECCBD8A7F5C2B4CEF3E60EC46B5AE0AC72A8 ] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
07:27:06.0176 0x0ed0  AdobeAAMUpdater-1.0 - ok
07:27:06.0188 0x0ed0  [ 5AAF8EADC1642B3C4D200F4FFF8FEEB7, D0475540DB7DABE8918E6A0D153BEA94AE4D4C984F8581DD28037D5E66CE492E ] C:\Program Files\ESET\ESET Security\ecmds.exe
07:27:06.0195 0x0ed0  egui - ok
07:27:06.0211 0x0ed0  [ D5B783DACE1BBDD382A63C894BAB8E1E, 20BA7479B3BE8AC7771AA91DB9C4F3B46DADDFF9C48627A5C7C460546DD20AF3 ] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
07:27:06.0219 0x0ed0  AdobeCS5ServiceManager - ok
07:27:06.0241 0x0ed0  [ F577910A133A592234EBAAD3F3AFA258, 36F514740EE2D2B2F7ABFFFA13D575233EC4CE774EB58BF889C09930FEF1F443 ] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
07:27:06.0256 0x0ed0  SwitchBoard - detected UnsignedFile.Multi.Generic ( 1 )
07:27:06.0440 0x0ed0  Detect skipped due to KSN trusted
07:27:06.0440 0x0ed0  SwitchBoard - ok
07:27:06.0507 0x0ed0  [ F3848AC6A985488A981EFA12E6568E09, B7BDD99CD0BEF80600BF02A0FEC60B4BEAC317D69C4755319604413A255FFA71 ] C:\Program Files (x86)\Smadav\SMΔRTP.exe
07:27:06.0556 0x0ed0  SMΔRT-Protection - ok
07:27:06.0634 0x0ed0  [ 4DAB66CBEDBBC8D166A9E22C3E549402, E8EDE96D0AB4FC17C2B7A2C37D063007E68B59DC5F384198C1ACA5009669A010 ] C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\phantom_sl.exe
07:27:06.0686 0x0ed0  Phantom_Sl - ok
07:27:06.0718 0x0ed0  OneDriveSetup - ok
07:27:06.0721 0x0ed0  OneDriveSetup - ok
07:27:06.0724 0x0ed0  OneDrive - ok
07:27:06.0741 0x0ed0  [ 50EE900910FEF2DD0228FE9C397FCA18, EEB99343DB5166F0394709808894E1A54B492E0A64B634AE1BC41DB203A06CF4 ] C:\Users\user\AppData\Local\Google\Update\1.3.36.102\GoogleUpdateCore.exe
07:27:06.0754 0x0ed0  Google Update - ok
07:27:06.0820 0x0ed0  [ 25C58EE88883710AFF8D4B029AB053FF, F93BB50BC65153D529166DB445E2952B04DADAB6226ABF30296EB0B4FAE2109F ] C:\Users\user\AppData\Local\Microsoft\Teams\Update.exe
07:27:06.0897 0x0ed0  com.squirrel.Teams.Teams - ok
07:27:06.0912 0x0ed0  Spotify - ok
07:27:06.0993 0x0ed0  [ CEDC492FA7879BD5073A255E3B36E373, 4AB07CEA0D5543F3A955EC1EDDE511BF1C0D770748FDB84A8C5750A122808EED ] C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
07:27:07.0065 0x0ed0  GoogleChromeAutoLaunch_4E874A737D5662A34EBBEADB3A9C4A09 - ok
07:27:07.0073 0x0ed0  CCleaner Smart Cleaning - ok
07:27:07.0079 0x0ed0  CCleaner - ok
07:27:07.0082 0x0ed0  Waiting for KSN requests completion. In queue: 10
07:27:08.0098 0x0ed0  AV detected via SS2: Windows Defender, windowsdefender:// (  ), 0x61100 ( enabled : updated )
07:27:08.0102 0x0ed0  Win FW state via NFP2: enabled ( trusted )
07:27:08.0625 0x0ed0  ============================================================
07:27:08.0625 0x0ed0  Scan finished
07:27:08.0625 0x0ed0  ============================================================
07:27:08.0641 0x2160  Detected object count: 0
07:27:08.0641 0x2160  Actual detected object count: 0
07:27:19.0075 0x177c  Deinitialize success


  • Root Admin

We're not done here. We'll get you fixed up, it just takes a bit of time. Try to relax and keep calm.

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.


Thank you for your help. Here is the FSS.txt

 

Farbar Service Scanner Version: 23-12-2020
Ran by user (administrator) on 01-09-2021 at 09:20:46
Running from "C:\Users\user\Documents\EGDownloads"
Microsoft Windows 10 Pro  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Policy: 
========================


Windows Security:
============

SecurityHealthService Service is not running. Checking service configuration:
Checking Start type of SecurityHealthService: ATTENTION!=====> Unable to open SecurityHealthService registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SecurityHealthService registry key. The service key does not exist.

wscsvc Service is not running. Checking service configuration:
Checking Start type of wscsvc: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll of wscsvc: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type of wuauserv: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll of wuauserv: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.


Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend: "%SystemRoot%\System32\svchost.exe -k secsvcs".


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

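The FSS.txt log above reports that the SecurityHealthService, wscsvc and wuauserv service keys are missing, that WinDefend is set to Disabled, and that the DisableAntiSpyware policy is set to 1. The following read-only PowerShell audit is an added example, not part of this thread or of Farbar's tools; it queries the same registry locations the log names so a helper can confirm the findings on the affected machine (run from an elevated prompt; it changes nothing).

```powershell
# Added example: read-only audit of the service keys and the Defender policy
# that Farbar Service Scanner reports on. Nothing here modifies the system.
$services   = @('SecurityHealthService', 'wscsvc', 'wuauserv', 'WinDefend')
$startTypes = @{ 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) {
        # Matches the "service key does not exist" finding in FSS.txt
        Write-Output "$svc : ATTENTION - service registry key does not exist"
        continue
    }
    $props = Get-ItemProperty -Path $key
    $start = $startTypes[[int]$props.Start]
    if (-not $start) { $start = "Unknown ($($props.Start))" }
    $status = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
    Write-Output "$svc : Start=$start Status=$status ImagePath=$($props.ImagePath)"
    if ([int]$props.Start -eq 4) {
        Write-Output "$svc : ATTENTION - start type is Disabled (default for this service is Auto)"
    }
}

# Policy value the log shows as DWORD:1; while it is set, Defender stays off
# even if the WinDefend service itself is present and enabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableAntiSpyware -eq 1) {
    Write-Output "Windows Defender Disabled Policy: DisableAntiSpyware=1 is set"
} else {
    Write-Output "Windows Defender Disabled Policy: not set"
}
```

On a clean Windows 10 machine every listed service key exists and the policy value is absent, so any ATTENTION line or a set policy is what the helper should look at next.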

Oh, by the way, I found a topic here with the same situation as mine. Then I followed the instructions using the software Everything: search for cloudnet and epicnet, then delete them. And it worked. After I rebooted my computer and scanned it again with Malwarebytes, it did not find anything. Zero threats.

But I'm not sure if it really deleted the virus. However, my Windows Security, Defender, and Update are still missing. I need help to recover them.

Thank you so much

Here is the link to the topic


  • Root Admin

Each system is different. Please do not make fixes on your own. Just be patient and I will assist you in fixing your computer. Running the wrong fix can cause even more problems.

Okay, if the computer is working better now, please try again to run the Farbar FRST program from Windows Normal Mode and ATTACH back both new logs again.

It's quite late for me so I'll check back on you again in the morning.

Thanks @siskaprif


  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
