pc-paul Posted July 4, 2022 ID:1523294
I have a Windows 10 PC with Malwarebytes Premium installed with Windows Defender. I also have WD external hard drives, one of which is controlled by Acronis software. Over the last couple of days, just after my PC starts up, Acronis comes up with a brief message saying injection process with node.ex, do you want to recover lost files. Is this a virus or malware? I immediately stop the process and start to recover the files.
1PW Posted July 4, 2022 ID:1523313
Hello @pc-paul: While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following: I'm infected - What do I do now? Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic. Thank you.
MKDB Posted July 4, 2022 ID:1523345
Hello @pc-paul. My name is MKDB and I will assist you.

Some ground rules:
- Please follow the steps in the given order and post back the log files.
- Please attach all log files into your post.
- Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
- Searching, detecting and removing malware isn't instantaneous and there is no guarantee to repair every system.
- Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
- Please be patient and stick with me until I give you the "all clear".
- Only run the tools I guide you to.
- Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
- Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
- As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
- If you do not respond within 4 days, your topic will be closed.

Step 1
- If you already have Malwarebytes Anti-Malware installed, then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
- If you don't have Malwarebytes installed or if you don't run the newest version yet, please download it from here and install it.
- Once the MBAM dashboard opens, click on Settings (gear icon).
- Click on Security tab and make sure that all four Scan options are enabled.
- Close Settings and click on the Scan button on the dashboard.
- Once the scan is completed make sure you have it quarantine any detections it finds.
- If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
- If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
- If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and paste that log on your next reply.
- If Malwarebytes won't run, then please skip to the next step and let me know in your next reply that the scanner would not run.

Step 2
- Please download AdwCleaner and save it to your desktop.
- Double-click to run it.
- Accept the End User License Agreement.
- Click Scan Now.
- When finished, if items are found please click Next / Quarantine.
- Maybe your PC will be rebooted, AdwCleaner will be opened automatically.
- Click View Log File.
- AdwCleaner will open one log (AdwCleaner[Cxx].txt). Please paste the log to your next reply.

Step 3
- Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit
- Double-click to run it. When the tool opens, click Yes to disclaimer.
- Check the box in front of Shortcut.txt.
- Press the Scan button.
- FRST will create three logs (FRST.txt + Addition.txt + Shortcut.txt) in the same directory the tool is run.
- Please attach these logfiles to your next reply.
pc-paul Posted July 5, 2022 Author ID:1523436
Thank you for your reply. Your list of instructions seems to be very complicated to me, a person that doesn't understand the complexities of computers. However, I looked at my list of programs in the Control Panel and I noticed that Google Chrome had updated or downloaded at about the time the issue with node.exe started, so I uninstalled Google Chrome and started to use Microsoft Edge and so far the issue has not happened again. I will keep my fingers crossed and hope that by uninstalling Google Chrome I have uninstalled nodus.exe. One thing that has surprised me is that Malwarebytes did not pick up this issue but Acronis did. I will check back in with you in a couple of days and give you an update.
MKDB Posted July 5, 2022 ID:1523484
Following those steps is not complicated. 😉
pc-paul Posted July 5, 2022 Author ID:1523490
MKDB, I could probably work my way through them but I hope by uninstalling Google Chrome I won't have to. Keeping my fingers crossed.
MKDB Posted July 5, 2022 ID:1523573
Keep me updated in 2-3 days, please. Thank you @pc-paul.
pc-paul Posted July 5, 2022 Author ID:1523590
Will do.
pc-paul Posted July 8, 2022 Author ID:1523992
Hi, my PC has been behaving since I last contacted you until today when the Acronis software alerted me to files being transferred. I stopped the process immediately. There are several hard drive backups on my PC, will I have to disconnect them all? Will they have been affected? I am still nervous about going through the steps you have suggested but I will give it a go. Will I have to disable Malwarebytes, Windows Defender and Windows Firewall? It will be early next week before I can attempt this process. Thanks, Paul
MKDB Posted July 8, 2022 ID:1524010
Hi @pc-paul, currently, I can't say if your system is infected. I need those logfiles that I've requested to get an overview of your system. Take care!
pc-paul Posted July 8, 2022 Author ID:1524025
OK, leave it with me. Would you mind answering the questions in my previous reply, please?
MKDB Posted July 9, 2022 ID:1524097
Oh, it seems that I've forgotten some of your questions. There is no need to disable Malwarebytes, Windows Defender and Firewall. Those programs usually do not interfere.
pc-paul Posted July 9, 2022 Author ID:1524121
Will I have to disconnect all of my backup drives?
MKDB Posted July 9, 2022 ID:1524139
Backup drives should only be connected to the operating system as long as you run a backup. The rest of the time, the backups are in a safe place, not connected, of course. During the analysis here, you should disconnect all of them. Thank you!
pc-paul Posted July 11, 2022 Author ID:1524310
Hi, my PC has been behaving since I last contacted you until today when the Acronis software alerted me to files being transferred. I stopped the process immediately. There are several hard drive backups on my PC, will I have to disconnect them all? Will they have been affected? I am still nervous about going through the steps you have suggested but I will give it a go. Will I have to disable Malwarebytes, Windows Defender and Windows Firewall?
pc-paul Posted July 11, 2022 Author ID:1524311
Hi, I think I have followed the steps you outlined and I have attached the log files as requested. Thanks for your help so far.
Attachments: Addition.txt, AdwCleaner[C00].txt, FRST.txt, Malwarebytes log file 11072022.txt
MKDB Posted July 11, 2022 ID:1524315
Well done @pc-paul. Your logfiles look good, there is no malware visible in your logfiles. If you like, we could remove some leftovers and check Windows system files with FRST.
pc-paul Posted July 11, 2022 Author ID:1524321
Hi, good to know that there are no 'nasties' on my PC. I have attached a photo of the screen that pops up sometimes with Acronis. Do you know what is happening during this process? How do I clean up 'leftovers'? Thanks for your help so far.
MKDB Posted July 11, 2022 ID:1524323
As far as I know, NVIDIA uses node.exe, but that would be legit. Let's search for that file @pc-paul.

Step 1
- Run FRST again.
- Copy and paste the following whole green content into the search field: node.exe
- Press the Search files button. Please be patient, this scan may take some time.
- FRST will create one log now (Search.txt) in the same directory the tool is run.
- Please attach this logfile to your next reply.
pc-paul Posted July 11, 2022 Author ID:1524352
I will try this tomorrow, not sure I understand your instructions but hopefully, it will become clearer when I start.
MKDB Posted July 11, 2022 ID:1524379
Don't hesitate to ask if you are not sure @pc-paul. Waiting to hear from you tomorrow.
pc-paul Posted July 12, 2022 Author ID:1524528
Hi, I have done the search, hopefully correctly. (whole green content node.exe)
Attachment: Search.txt
MKDB Posted July 12, 2022 ID:1524555
Ok, please run the scan again, but paste only the following string into the search field and run the file search: node.exe
Thank you!
pc-paul Posted July 12, 2022 Author ID:1524559
Sorry, incredibly stupid of me, try this report.
Attachment: Search.txt
MKDB Posted July 13, 2022 ID:1524739
You can choose "Ignore" in the Acronis Active Protection window. These files are legit, no need to worry @pc-paul. Is there anything else I can do for you? I've some tips at the end for you.