node.ex

[pc-paul]

I have a Windows 10pc with Malwarebytes Premium installed with Windows defender..

I also have WD  external hard drives, one of which is controlled by Acronis Software.

Over the last couple of days, just after my pc starts up, Acronis comes up with a brief message saying injection process with node.ex, do you want to recover lost files. Is this a virus or malware?

I immediately stop the process and start to recover the files.

[1PW]

Hello @pc-paul and :

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Thank you.

[MKDB]

Hello  @pc-paul   and 

 

My name is MKDB and I will assist you.

 

 

Some ground rules:

• Please follow the steps in the given order and post back the log files.
• Please attach all log files into your post.
• Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
• Searching, detecting and removing malware isn't instantaneous and there is no guarantee to repair every system. Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
• Please be patient and stick with me until I give you the "all clear".
• Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• As English is not my native language, please do not use slang or idoms. It may be hard for me to understand.
• If you do not respond within 4 days, your topic will be closed.

 

 

 

Step 1

• If you already have Malwarebytes Anti-Malware installed, then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
• If you don't have Malwarebytes installed or if you don't run the newest version yet, please download it from here and install it.
• Once the MBAM dashboard opens, click on Settings (gear icon).
• Click on Security tab and make sure that all four Scan options are enabled.
• Close Settings and click on the Scan button on the dashboard.
• Once the scan is completed make sure you have it quarantine any detections it finds.
• If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
• If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and paste that log on your next reply.
• If Malwarebytes won't run, then please skip to the next step and let me know in your next reply that the scanner would not run.

 

 

Step 2

Please download AdwCleaner and save it to your desktop.

• Double-click to run it.
• Accept the End User License Agreement.
• Click Scan Now.
• When finished, if items are found please click Next / Quarantine.
• Maybe your PC will be rebooted, AdwCleaner will be opened automatically.
• Click View Log File.
• AdwCleaner will open one log (AdwCleaner[Cxx].txt).
• Please paste the log to your next reply.

 

 

 

Step 3

Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Check the box in front of Shortcut.txt.
• Press the Scan button.
• FRST will create three logs (FRST.txt + Addition.txt + Shortcut.txt) in the same directory the tool is run.
• Please attach these logfiles to your next reply.

 

 

 

[pc-paul]

Thank you for your reply, your list of instructions seem to be very complicated to me, a person that doesn't understand the complexities of computers.

However, I looked at my list of programs in the Control Panel and I noticed that Gogle Chrome had updated or downloaded at about the time the issue with node.exe started, so I uninstalled Google Chrome and started to use Microsoft Edge and so far the issue has not happened again. I will keep my fingers crossed and hope that by uninstalling Google Chrome I have uninstalled nodus.exe.

One thing that has surprised me is that Malwarebytes did not pick up this issue but Acronis did.

I will check back in with you in a couple of days and give you an update.

[MKDB]

Following those steps is not complicated. 😉

 

[pc-paul]

MKDB, I could probably work my way through them but I hope by uninstalling Google Chrome I won't have to. Keeping my fingers crossed.

[MKDB]

Keep me updated in 2-3 days, please.

Thank you @pc-paul.

[pc-paul]

Will do.

[pc-paul]

HI, My PC has been behaving since I last contacted you until today when the Acronis software alerted me to files being transferred.

I stopped the process immediately.

There are several hard drives backups on my pc, will I have to disconnect them all? Will they have been affected?

 I am still nervous about going through the steps you have suggested but I will give it a go. Will I have to disable Malwarebytes, Windows defender and Windows Firewall?

It will be early next week before i can attempt this process.

Thanks,

Paul

 

[MKDB]

Hi @pc-paul,

currently, I can't say if your system is infected.

I need those logfiles that I've requested to get an overview of your system.

Take care!

[pc-paul]

OK, leave it with me, would you mind answering the questions in my previous reply please?

[MKDB]

Oh, it seems that I've forgotten some of your questions.

There is no need to disable Malwarebytes, Windows Defender and Firewall. Those programs do usually not interfere.

[pc-paul]

Will I have to disconnect all of my back up drives?

[MKDB]

Back up drives should be only connected to the operating system as long as you run a back up.

The rest of the time, the backups are in a safe place, not connected, of course.

During the analysis here, you should disconnect all of them.

Thank you!

[pc-paul]

HI, My PC has been behaving since I last contacted you until today when the Acronis software alerted me to files being transferred.

I stopped the process immediately.

There are several hard drives backups on my pc, will I have to disconnect them all? Will they have been affected?

 I am still nervous about going through the steps you have suggested but I will give it a go. Will I have to disable Malwarebytes, Windows defender and Windows Firewall?

 

[pc-paul]

HI, 

I think I have follwed the steps you outlined and I have attached the log files as requested.

Thanks for your help so far.

Addition.txt AdwCleaner[C00].txt FRST.txt Malwarebytes log file 11072022.txt

[MKDB]

Well done @pc-paul.

Your logfiles look good, there is no malware visible in your logfiles.

If you like, we could remove some leftovers and check windows system files with FRST.

[pc-paul]

HI Good to know that there are no 'nasties, on my pc. I have attached a photo of the screen that pops up sometimes with Acronis.

Do you know what is happening during this process?

How do i clean up 'leftovers'?

Thanks for your help so far.

[MKDB]

As far as I know, nvidia uses node.exe, but that would be legit.

Let's search for that file @pc-paul.

 

Step 1

• Run FRST again.
• Copy and paste the following whole green content into the search field:

node.exe

• Press the Search files button. Please be patient, this scan may take some time.
• FRST will create one log now (Search.txt) in the same directory the tool is run.
• Please attach this logfile to your next reply.

 

 

 

[pc-paul]

I will try this tomorrow, not sure I understand your instructions but hopefully, it will become clearer when I start.

[MKDB]

Don't hesitate to ask if you are not sure @pc-paul.

Waiting to hear from you tomorrow.

[pc-paul]

HI,

I have done the search, hopefully correctly. (whole green content node.exe)

Search.txt

[MKDB]

Ok, please run the scan again, but paste only the following string into the search field and run the file search:

node.exe

 

Thank you!

[pc-paul]

Sorry, incredibly stupid of me, try this report.

Search.txt

[MKDB]

You can choose "Ignore" at Acronis Active Protection - window.

These files are legit, no need to worry @pc-paul.

 

Is there anything else I can do for you? I've some tips at the end for you.