PHOTO 018.exe Removal Protocol

Solved
fatcookie - Membre

Hello,

My Galaxy Book2 (NP750XED-KB3FR) is corrupting every USB drive or external hard drive by irreversibly adding the dreaded folder "Photo 018.exe".

I see that this issue was resolved last April by the talented "bazfile", and I would like to know if it would be possible to generate a disinfecting script for this specific case, if possible of course.

I have attached the analysis folders obtained by FRST:

- FRST: https://www.cjoint.com/c/NIbwzm6lZx7

- Addition: https://www.cjoint.com/c/NIbwAsLvYw7

Thank you in advance to anyone who can spare a few moments to read my request,

Respectfully,

4 replies

bazfile - Modérateur

Hello @fatcookie.

Your problem dates back over a year; the infectious file has been on your PC since January 9, 2023.

Procedure to follow in the order indicated:

1- Run FRST as an administrator; to do this, right-click on FRST and choose "Run as administrator".
2- Copy the entire script found in the box below:

Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-2281274065-122363012-1904882405-1001\...\Run: [Poisson18] => C:\ProgramData\Systeme\Systeme.exe [742871 2012-08-02] () [Unsigned file] [File in use]
HKU\S-1-5-21-2281274065-122363012-1904882405-1001\...\Run: [Avast Browser] => C:\Users\cloti\AppData\Local\AVAST Software\Browser\Update\1.8.1653.5\AvastBrowserUpdateCore.exe (No file)
Task: {A6EA333C-85AF-42A0-99DE-804C33FB25E5} - System32\Tasks\Meta\Messenger-WSP-Helper-S-1-5-21-2281274065-122363012-1904882405-1001 => MessengerHelper.exe --lassie (No file)
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No file)
Task: {80680206-2FA2-4BD4-B9C4-C9618C1BE677} - System32\Tasks\Samsung\SamsungUpdate\UserModeWorker => C:\Program Files\Samsung\SamsungUpdate\SUUserModeWorker.exe (No file)
FF Plugin HKU\S-1-5-21-2281274065-122363012-1904882405-1001: @update.avastbrowser.com/Avast Browser;version=3 -> C:\Users\cloti\AppData\Local\AVAST Software\Browser\Update\1.8.1653.5\npAvastBrowserUpdate3.dll [No file]
FF Plugin HKU\S-1-5-21-2281274065-122363012-1904882405-1001: @update.avastbrowser.com/Avast Browser;version=9 -> C:\Users\cloti\AppData\Local\AVAST Software\Browser\Update\1.8.1653.5\npAvastBrowserUpdate3.dll [No file]
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
CustomCLSID: HKU\S-1-5-21-2281274065-122363012-1904882405-1001_Classes\CLSID\{10564456-C142-4E56-9531-06CCCA12F812}\InprocServer32 -> C:\Users\cloti\AppData\Local\AVAST Software\Browser\Update\1.8.1653.5\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2281274065-122363012-1904882405-1001_Classes\CLSID\{167FD956-39C3-374C-927A-1D3C47CB6663}\InprocServer32 -> C:\Users\cloti\AppData\Local\AVAST Software\Browser\Update\1.8.1653.5\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2281274065-122363012-1904882405-1001_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 -> C:\Users\cloti\AppData\Local\Kingsoft\WPS Office\11.2.0.11417\office6\kwpsmenushellext64.dll => No file
CustomCLSID: HKU\S-1-5-21-2281274065-122363012-1904882405-1001_Classes\CLSID\{f9458f9f-5ee9-d43c-187e-8cc1f751cd69}\localserver32 -> "C:\Users\cloti\AppData\Local\OneLaunch\5.22.2\onelaunch.exe" -ToastActivated => No file
ContextMenuHandlers1_S-1-5-21-2281274065-122363012-1904882405-1001: [ kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\cloti\AppData\Local\Kingsoft\WPS Office\11.2.0.11417\office6\kwpsmenushellext64.dll -> No file
ContextMenuHandlers4_S-1-5-21-2281274065-122363012-1904882405-1001: [ kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\cloti\AppData\Local\Kingsoft\WPS Office\11.2.0.11417\office6\kwpsmenushellext64.dll -> No file
FirewallRules: [{001C3D5F-C45F-474D-87D6-AB173A942A20}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe => No file
FirewallRules: [{D3C3DC96-2202-41E3-B0E8-A813086E8CEE}] => (Allow) C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe => No file
FirewallRules: [{DB627038-8152-42C3-95B0-CE7693A10302}] => (Allow) C:\Program Files (x86)\Tenorshare\Tenorshare 4DDiG\Tenorshare 4DDiG.exe => No file
FirewallRules: [{15F3FAA4-2C2E-42C6-89C5-AB16AA8855B3}] => (Allow) C:\Program Files (x86)\Tenorshare\TenonsShare 4DDiG\NetFrameCheck.exe => No file
FirewallRules: [{0690ABDE-3355-495C-82A9-ED5E3868F112}] => (Allow) C:\Program Files (x86)\Tenorshare\TenonsShare 4DDiG\NetFrameCheck.exe => No file
FirewallRules: [{A892B005-86EF-411A-BCEB-BE6BF2D8BD6D}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\Monitor\Monitor.exe => No file
FirewallRules: [{27356081-F1FE-4982-8928-7AD57D665D01}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\Monitor\Monitor.exe => No file
FirewallRules: [{4C5C390C-0387-4230-A8A8-3E597D42581B}] => (Allow) C:\Program Files (x86)\Tenorshare\TenonsShare 4DDiG\ParseRecord.exe => No file
FirewallRules: [{FEC5EF23-77A4-43E3-9E25-78B0D512CE34}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\ParseRecord.exe => No file
FirewallRules: [{3E328E19-F7E9-47C7-8ADD-19E3F04A9547}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\UpdateService.exe => No file
FirewallRules: [{4AE5998D-0640-4BFD-8C60-06C21A3B4CB4}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\UpdateService.exe => No file
FirewallRules: [{85743DD4-7E85-496E-9A8B-561E0C9E9B06}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\preuninstall.exe => No file
FirewallRules: [{A6106F05-B5D1-4050-A1B8-40B4582FD16E}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\preuninstall.exe => No file
FirewallRules: [{33BA05E9-17F5-425D-BF04-59437D8C1666}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\DeviceViewerService.exe => No file
FirewallRules: [{2F81F692-A53A-47D5-80DB-8C4AAC3B72F3}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\DeviceViewerService.exe => No file
FirewallRules: [{8CA35349-9B5C-463A-8681-7880EFD4FDFF}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\NASConnecter.exe => No file
FirewallRules: [{EEC44952-6A2E-4C2C-8A81-6355A1BCD848}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\NASConnecter.exe => No file
FirewallRules: [{6088DAFD-F5E1-44BF-A9DB-F14841BA8AAF}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\DataScanService.exe => No file
FirewallRules: [{F9CB5522-F77F-429C-9E47-68F19763BC3B}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\DataScanService.exe => No file
FirewallRules: [{EC4ADA9F-AE20-4FD9-9A8A-079C53BF7626}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\DataRecoveryService.exe => No file
FirewallRules: [{C5212E72-C812-40D1-9FD6-04E594718E6F}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\DataRecoveryService.exe => No file
FirewallRules: [{9CFC8526-E83B-4286-8D9B-19CFF9F31A37}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\MsgSupport\MsgSupportService.exe => No file
FirewallRules: [{47B11B7D-F272-4CEE-9BAD-FAD685B8B6F6}] => (Allow) C:\Program Files (x86)\TenonsShare 4DDiG\MsgSupport\MsgSupportService.exe => No file
C:\ProgramData\Systeme
EmptyTemp:
End::

3- Once the script is copied, click on Fix; FRST will automatically take the script from the clipboard.

Let the correction run; once it is finished, you will be asked to restart your PC. Do it as soon as you are prompted, see below.

Then, once your computer has restarted:
4- You will have a Fixlog file on your desktop; send this Fixlog report to https://www.cjoint.com/ or https://pixeldrain.com/

Then give the generated link from https://www.cjoint.com/ or https://pixeldrain.com/ in your reply.

5- Warning, do not open infected USB keys and external hard drives, otherwise your PC will be instantly reinfected.

6- To disinfect infected USB keys and external hard drives.

TWO SOLUTIONS:

- Either you use KVRT; to find out how to use it, see this page, paragraph Kaspersky Virus Removal Tool (KVRT). Make sure to check the letters of the infected USB keys and external hard drives in all volumes.

- Or you can download Remediate VBS WORM, open Remediate VBS WORM and select option B, like this:


Then press the Enter key; a window will appear asking you to enter the letter of the USB key or external hard drive to disinfect. Be careful: never use drive C:

Press the Enter key; when the disinfection is complete, open drive C, where you will find a file named Rem-VBS.log. Send it to https://www.cjoint.com/ and provide the generated link in your reply.

Repeat for each infected USB device.

7- CHECK AND LET ME KNOW IF YOUR PROBLEM IS STILL PRESENT.


bazfile
Moderator/Security Contributor.
A hello, a reply, a thank you are always appreciated.

fatcookie - Membre

Hello @bazfile,

First of all, thank you so much for the time you're dedicating to my issue, and for your quick response.

Here is the cjoint of the fixlog: https://www.cjoint.com/c/NIctEWBQ4sl

As for the infected keys and disks, I'm using your solution #1, KVRT; the scan is not yet complete but the analysis is going perfectly.

Thanks again for your time,

bazfile - Modérateur

@fatcookie.

The fixlog is okay, the infection is no longer present on your PC.

I await the next steps.

fatcookie - Membre

@bazfile Awesome! A huge thank you for your time!

Meanwhile, the KVRT scan is complete and was able to destroy the virus on the hard drives and USB drive, everything is fine on that front too!

I must admit I'm extremely curious, and I would also like to be able to repair all the infected computers in my circle due to this same virus. Therefore, I would like to ask you how you went about writing this disinfection script from the FRST report?

If you do not wish/cannot share your protocol with me for your own reasons, how would you like me to proceed to bring all the infected people to you without having to create a thousand duplicates of this discussion? Perhaps by private message?

Thank you again for your work,

bazfile - Modérateur

@fatcookie.

If it's the same infection, for the infected USB drives and external hard disks in your vicinity, I think a scan with KVRT will be enough; it will disinfect everything (PC and USB) because this infection is in its database. Not all antivirus programs are effective against this infection, which is something I checked before suggesting it to you.

If that doesn't work, do FRST analyses on the PCs and continue in this post.

For your information:

KVRT has the advantage of being a portable software (no installation required), so it doesn't interfere with the resident antivirus, as you should never have two antivirus programs running resident protection on a PC; it causes significant slowdowns and bugs that can lead to the PC being locked up.

Note that you can also vaccinate your USB devices; see this page.


As for FRST, it allows you to see what is wrong on the PC, particularly infections, but not only that; it also allows for PC optimization and can remove things that antivirus programs may not necessarily remove.

Using FRST is not possible without training because you need to understand the system very well to avoid making mistakes, as FRST deletes everything you tell it to delete, and it can easily crash a PC.

Regarding your infection, it was triggered at PC startup via the executable file Systeme.exe located in C:\ProgramData\Systeme\Systeme.exe. As soon as a USB device is connected to an infected PC, the USB device is automatically infected, and as soon as this infected USB device is connected to a PC and opened, the PC is automatically infected; it's endless.

On the other infected PCs, I think this file and folder must be present.


Important:

Uninstall FRST: rename the FRST file you downloaded to "uninstall"; then, once the file is renamed, open it. The uninstallation will occur automatically via a PC restart.

fatcookie - Membre
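As an added illustration for this thread (not bazfile's FRST fix, and not a feature of FRST or KVRT), the following read-only PowerShell check looks for the indicators the posts above name: the Poisson18 Run value, the payload C:\ProgramData\Systeme\Systeme.exe (reported "in use" in the FRST log), and a "Photo 018.exe" file at the root of non-system drives. The function names and the hidden-folder heuristic are my own assumptions; the script deletes nothing, so it can be run on another PC in fatcookie's circle before the KVRT step, or afterwards to confirm the cleanup took.

```powershell
# Added example for this thread; not bazfile's FRST script and not part of FRST or KVRT.
# Read-only triage: reports whether the indicators named in the thread are present.
# Indicators (all from the posts above, none invented):
#   - Run value "Poisson18" in a user's Run key
#   - payload C:\ProgramData\Systeme\Systeme.exe
#   - file "Photo 018.exe" at the root of removable/external drives
# Nothing is modified or deleted. Run from an elevated PowerShell for full registry visibility.

$RunValueName = 'Poisson18'
$PayloadPath  = 'C:\ProgramData\Systeme\Systeme.exe'
$UsbFileName  = 'Photo 018.exe'

function Get-RunKeyHits {
    # Check the current user's Run key and every loaded user hive under HKEY_USERS
    # (the FRST line referred to the user's SID under HKU).
    $hits = @()
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') +
        @(Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
            ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Match either the value name or any command pointing into the payload folder.
            if ($p.Name -eq $RunValueName -or "$($p.Value)" -like '*\ProgramData\Systeme\*') {
                $hits += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    return $hits
}

function Test-Payload {
    # The FRST log showed the file "in use", so also report a running process from that path.
    $present = Test-Path -LiteralPath $PayloadPath
    $running = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { try { $_.Path -ieq $PayloadPath } catch { $false } }
    [pscustomobject]@{ Path = $PayloadPath; OnDisk = $present; Running = [bool]$running }
}

function Get-DriveHits {
    # DriveType 2 = removable, 3 = fixed (external USB hard disks usually show as 3).
    # Only the root of each non-system drive is inspected: quick triage, not a full scan.
    $system = $env:SystemDrive
    Get-CimInstance Win32_LogicalDisk |
        Where-Object { ($_.DriveType -in 2,3) -and $_.DeviceID -ne $system } |
        ForEach-Object {
            $root  = "$($_.DeviceID)\"
            # -Force lists hidden entries; USB worms of this kind hide the real folders
            # next to the executable that mimics them (heuristic, my assumption).
            $items = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)
            $worm  = $items | Where-Object { -not $_.PSIsContainer -and $_.Name -ieq $UsbFileName }
            $hidden = $items | Where-Object {
                $_.PSIsContainer -and ((([int]$_.Attributes) -band [int][IO.FileAttributes]::Hidden) -ne 0)
            }
            [pscustomobject]@{ Drive = $_.DeviceID; WormFile = [bool]$worm; HiddenFolders = @($hidden).Count }
        }
}

$runHits = @(Get-RunKeyHits)
$payload = Test-Payload
$drives  = @(Get-DriveHits)

Write-Host 'Run key hits:';  $runHits | Format-Table -AutoSize
Write-Host 'Payload:';       $payload | Format-List
Write-Host 'Drives:';        $drives  | Format-Table -AutoSize

$infected = ($runHits.Count -gt 0) -or $payload.OnDisk -or $payload.Running -or
            [bool]($drives | Where-Object WormFile)
if ($infected) {
    Write-Host 'Indicators present: do not open removable drives; follow the KVRT/FRST steps in this thread.'
} else {
    Write-Host 'None of the indicators from this thread were found.'
}
```

A drive that reports WormFile = False but a high HiddenFolders count still deserves a KVRT pass: the hidden-folder count is only a hint, and a clean drive with user-hidden folders will show a non-zero count too.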

@bazfile It's extremely clear, thank you very much for all this advice, these clarifications, and these explanations. I will share KVRT with all the infected people in my circle.

Thanks again!

bazfile - Modérateur > fatcookie - Membre

You're welcome.

See you on CCM.
