USB key virus - "photo 018"
Solved
Hello,
I am a student and I use a USB stick to transfer my courses. For the past few weeks, a file named "photo 018," an application, has slipped into my USB files... After some research, I realized it was probably a virus. That's why I'm asking for help on the forum.
I scanned my main PC with FRST, here are the files:
FRST: https://www.cjoint.com/c/NJktNljs6lO
Addition: https://www.cjoint.com/c/NJktMvcmEIO
Thank you in advance to anyone who would be willing to help me :)
3 answers
Hello.
Procedure to follow in the indicated order:
1- Open FRST as an administrator by right-clicking on FRST and choosing run as administrator
2 - Copy the entire script that is in the following box:
Start::
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [AirBackupHelper] => C:\Program Files (x86)\iMobie\AnyTrans\AirBackupHelper.exe (No file)
HKU\S-1-5-21-2578958701-3296982357-2529178961-1001\...\Run: [Universal Control] => [X]
Task: {6CBEF361-EE00-46F9-B3B8-D803788F07C8} - \Microsoft\Windows\Management\Provisioning\PostResetBoot -> No file
Task: {8ACB53D9-7A3B-41B2-8448-52A927F42C4E} - \Microsoft\Windows\Setup\SetupCleanupTask -> No file
Task: {A74F1BC2-B811-4919-B349-5173BD407625} - \HPAudioSwitch -> No file
Task: {E718D044-8F6E-48E7-953D-85D8F0FF19E2} - \OneDrive Standalone Update Task-S-1-5-21-2292549785-2426566057-1901073597-500 -> No file
U3 aspnet_state; no ImagePath
S3 HWiNFO_174; \??\C:\Users\nilsc\AppData\Local\Temp\HWiNFO64A_174.SYS [X]
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{1108FD1C-492F-4251-B9DB-77F0274267B2}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.187.37\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{2EF7E390-2F7C-4F9A-9B7D-4A87B56B711D}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.173.51\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{38971E90-14FD-44F6-AA45-1447B653F873}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.173.45\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{5FC44EBC-3A1F-4FBB-85E5-34405788C8D7}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.187.41\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{608D599A-DCA6-4A7C-BED7-AFCD8465345A}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.175.29\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{64C6EFB9-8F79-4106-B975-067448DC768F}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{6DD6748E-7DAE-47EF-B4D5-03AA1B06D697}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.187.39\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{72726D01-426C-4B35-8266-B4496CAA889E}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.183.29\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{78C1ADF4-6DAE-4164-AEFA-4E3EAD9E750A}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{7C9A348D-C321-47AC-904F-150312A5430F}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.175.27\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{83F21C4B-8643-4A08-A29A-822AFD835037}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.193.5\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{89b2b650-c4dd-d68b-46e7-3176f1973c8b}\localserver32 -> "C:\Program Files\Voicemod Desktop\VoicemodDesktop.exe" -ToastActivated => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{997809F3-33FD-4FD6-A2ED-CEF50F3263B1}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.169.31\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{ABF66F82-B04C-4FE4-8272-661539463FE1}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.171.37\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{AE1542A7-3989-481B-93A9-1500C5F56B14}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.185.27\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{B258532D-3529-4BEB-BF38-F08F98B3968C}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{B29F5F83-90DF-479A-BDE7-8A9F4412E394}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{CAE1760A-CB07-481B-8F9A-BC65510AF5D5}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.185.21\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{DAA7499A-B3AC-4419-A89B-124318504051}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.185.29\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{E3D57E77-FE71-4D06-BD34-D48820074909}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{E76F97B1-1AE9-497C-9FA4-F57BBABAD54A}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.185.17\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{E8791438-3525-48BF-A600-C577AD1674C2}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.173.49\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{F1658933-2997-4DDB-869C-061D53A9718E}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.195.21\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2578958701-3296982357-2529178961-1001_Classes\CLSID\{F1CBF5EB-347F-4E4C-90AC-E43339FC34EC}\InprocServer32 -> C:\Users\nilsc\AppData\Local\Microsoft\EdgeUpdate\1.3.173.55\psuser_64.dll => No file
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [7696]
cmd: netsh advfirewall reset
EmptyTemp:
End::

3- Once the script has been copied, click on Fix; FRST will automatically take the script from the clipboard.

Let the fix complete; once it is finished you will be asked to restart your PC. Do it as soon as requested, see below.

Then once your computer is restarted:
4- You will have a Fixlog file on your desktop, then send this fixlog report to https://www.cjoint.com/ or https://pixeldrain.com/
Then provide the link generated by https://www.cjoint.com/ or https://pixeldrain.com/ in your response.
5- To disinfect the USB device(s).
To disinfect your infected USB device(s) (USB flash drive or external hard drive), connect them to your PC but do not open them, then download KVRT. To find out how to use it, see this page, paragraph Kaspersky Virus Removal Tool (KVRT); make sure to tick the letters of the infected USB flash drives and external hard drives in all volumes.
6- CHECK AND LET ME KNOW IF YOUR PROBLEM STILL EXISTS.
bazfile
Moderator/Security Contributor.
A hello, a response, a thank you are always appreciated.
Your PC is not infected by the USB stick.
Is it possible that I could contaminate my main PC by sending myself my class notes via email? Because for now, using an external device seems complicated T-T
Let me explain the principle of this infection.
When you connect an infected USB stick to a PC and open it, the infectious executable it contains - in your case it's photo 018.exe - infects the PC by creating a registry entry that launches at startup. In your type of infection, the infectious executable is called systeme.exe. Then, as soon as a USB stick or external hard drive is connected to the infected PC, it too becomes infected; as you can see, it goes on endlessly.
So it must be the PC I use to take my class notes that is contaminated. I will try to install KVRT on it to clean all this up.
You can either run a FRST analysis on this PC and give me the links, or you can use KVRT without forgetting to connect your infected USB stick to the PC so that it is disinfected at the same time as the PC.
To disinfect USB sticks, there's also this:
Download Remediate VBS WORM, open Remediate VBS WORM, select option B like this:
Then press the Enter key; a window will appear where you enter the letter of the USB stick to disinfect. Be careful: never enter drive C:.
Press the Enter key; when the disinfection is complete, open drive C and you will find a file named Rem-VBS.log. Send it to https://pjjoint.malekal.com/ and include the generated link in your response.
bazfile
Moderator/Security Contributor.
A hello, a response, a thank you are always appreciated.
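The mechanism bazfile describes above (a lure executable on the stick, a Run-key entry that relaunches the dropped copy at logon, and re-infection of every drive plugged into the host) can be checked for by hand before or after running the FRST fix. The following read-only triage script is an added example written for this page, not code from the thread, from FRST or from KVRT. It assumes an elevated PowerShell 5.1 or later session; the drive letter passed to Get-RemovableDriveFindings is an example value, and the "user-writable" path pattern is my own heuristic modelled on the thread's C:\ProgramData\Systeme\Systeme.exe entry.

```powershell
# Added example (not from the thread, FRST or KVRT): read-only triage for the two
# places this thread's infection shows up: a Run-key entry that launches an
# executable from a user-writable folder, and the root of a removable drive.
# Assumptions: elevated PowerShell 5.1+; the drive letter is an example value.

# Run-key locations: HKLM, its 32-bit view, and every currently loaded user hive
# (FRST reports the latter as HKU\<SID>\...\Run).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

# Heuristic (my own): a Run command that resolves into a user-writable tree is
# worth a look. The thread's entry was [Poisson18] => C:\ProgramData\Systeme\Systeme.exe.
$userWritable = '^"?(?:C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\|C:\\Users\\Public\\|.*\\Temp\\)'

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -notmatch $userWritable) { continue }
            # Recover the executable path from a quoted or unquoted command line
            # so we can report whether the file is still on disk (FRST's "No file").
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^(\S+\.exe)') { $Matches[1] }
                   else { $cmd }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                OnDisk  = Test-Path -LiteralPath $exe
            }
        }
    }
}

# The two Defender values FRST flagged as "Restriction" on the second PC. A
# non-zero DisableAntiSpyware/DisableAntiVirus here turns protection off through
# policy, which is why the fix script removes them rather than re-enabling in the UI.
function Get-DefenderPolicyTamper {
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
             'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        foreach ($v in 'DisableAntiSpyware', 'DisableAntiVirus') {
            $data = (Get-ItemProperty -Path $p -Name $v -ErrorAction SilentlyContinue).$v
            if ($null -ne $data -and $data -ne 0) {
                [pscustomobject]@{ Path = $p; Value = $v; Data = $data }
            }
        }
    }
}

# Hallmarks on the stick itself: an executable or shortcut in the root next to the
# user's files (the thread's "photo 018.exe"), an autorun.inf, or real folders
# flipped to Hidden+System so only the lure is visible. Listing only; nothing is
# opened or executed, which matches bazfile's "connect but do not open" advice.
function Get-RemovableDriveFindings {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E' (example value)
    $root = "${DriveLetter}:\"
    $vol = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    if ($vol.DriveType -ne 'Removable') { throw "$root is not a removable volume; refusing to scan it." }
    foreach ($entry in Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue) {
        $attrs = $entry.Attributes
        $hiddenSystem = ([int]($attrs -band [IO.FileAttributes]::Hidden) -ne 0) -and
                        ([int]($attrs -band [IO.FileAttributes]::System) -ne 0)
        $lureExt = $entry.Extension -in '.exe', '.scr', '.lnk', '.vbs', '.cmd', '.bat', '.pif'
        $isAutorun = $entry.Name -ieq 'autorun.inf'
        if (-not ($lureExt -or $hiddenSystem -or $isAutorun)) { continue }
        $reason = if ($isAutorun) { 'autorun.inf' }
                  elseif ($lureExt) { 'executable/shortcut in root' }
                  else { 'hidden+system item' }
        [pscustomobject]@{
            Name         = $entry.Name
            Length       = $entry.Length
            HiddenSystem = $hiddenSystem
            Reason       = $reason
        }
    }
}

# Usage: run the host checks first, then point the drive check at the stick.
Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-DefenderPolicyTamper | Format-Table -AutoSize
# Get-RemovableDriveFindings -DriveLetter 'E' | Format-Table -AutoSize
```

An empty result from all three functions is not proof of a clean machine (a hit on the heuristic is a lead, not a verdict, and a worm that hooks a different autostart location will not show here), which is why bazfile still asks for the Fixlog and a re-check afterwards.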
Alright, I'll send a new message on this topic with the links to the FRST analysis from the other PC.
I had a few questions, but I don't want to bother you either. I think you already have a lot on your plate, so if you don't want to answer, that's fine, I’ll understand.
If the virus infects PCs through the key, why hasn’t my main PC been infected by the key?
How did you acquire all these skills in viruses/computing?
Are your responses on the forums kind of like "volunteering"?
Sorry, this feels a bit like a job interview, but I'm just curious!
Have a good evening.
Here are the FRST links for the second PC:
FRST : https://www.cjoint.com/c/NJlv0OPul4O
Addition : https://www.cjoint.com/c/NJlv2RI5XMO
Your second PC is indeed infected; it's the culprit.
Procedure to follow in the order indicated:
1- Open FRST as an administrator by right-clicking on FRST and selecting run as administrator
2 - Copy the entire script that is in the box below:
Start::
CreateRestorePoint:
CloseProcesses:
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck]
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2133728 2017-09-12] (Wondershare Technology Co.,Ltd -> Wondershare)
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKU\S-1-5-21-2130748778-3176679208-1135441190-1003\...\Run: [Poisson18] => C:\ProgramData\Systeme\Systeme.exe
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction
HKLM\SOFTWARE\Policies\Google: Restriction
Task: {E3B8B5C3-315F-4D12-8F77-3AF12BDC0A50} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe /DeviceScanR6 (No file)
Task: {7066F9F8-4874-4F0C-8C1D-9D455EEDFBC7} - System32\Tasks\HP\HP Hotkey Support\Start QLBController Process => "C:\Program Files (x86)\HP\HP Hotkey Support\QLBController.exe" (No file)
Task: {DF3DF9BD-565D-468D-A2C4-A145B43FDAD5} - System32\Tasks\Microsoft\Windows\termsrv\RemoteFX\RemoteFXvGPUDisableTask => %windir%\System32\RemoteFXvGPUDisablement.exe Disable (No file)
Task: {E14EDC5E-D632-4B6C-88E5-D245EAB0882E} - System32\Tasks\Microsoft\Windows\termsrv\RemoteFX\RemoteFXWarningTask => %windir%\System32\RemoteFXvGPUDisablement.exe Warning (No file)
S2 UIUService; %SystemRoot%\system32\UIUSrv.exe [X]
S3 AppleKmdfFilter; \SystemRoot\System32\drivers\AppleKmdfFilter.sys [X]
S3 AppleLowerFilter; \SystemRoot\System32\drivers\AppleLowerFilter.sys [X]
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{2EF7E390-2F7C-4F9A-9B7D-4A87B56B711D}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.173.51\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{38971E90-14FD-44F6-AA45-1447B653F873}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.173.45\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{64C6EFB9-8F79-4106-B975-067448DC768F}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.177.11\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{72726D01-426C-4B35-8266-B4496CAA889E}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.183.29\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{78C1ADF4-6DAE-4164-AEFA-4E3EAD9E750A}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.195.19\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{AE1542A7-3989-481B-93A9-1500C5F56B14}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.185.27\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{B258532D-3529-4BEB-BF38-F08F98B3968C}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{B29F5F83-90DF-479A-BDE7-8A9F4412E394}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.171.39\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{CAE1760A-CB07-481B-8F9A-BC65510AF5D5}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.185.21\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{DAA7499A-B3AC-4419-A89B-124318504051}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.185.29\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{E3D57E77-FE71-4D06-BD34-D48820074909}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.181.5\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{E76F97B1-1AE9-497C-9FA4-F57BBABAD54A}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.185.17\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{E8791438-3525-48BF-A600-C577AD1674C2}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.173.49\psuser_64.dll => No file
CustomCLSID: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003_Classes\CLSID\{F1CBF5EB-347F-4E4C-90AC-E43339FC34EC}\InprocServer32 -> C:\Users\Nils\AppData\Local\Microsoft\EdgeUpdate\1.3.173.55\psuser_64.dll => No file
SearchScopes: HKU\S-1-5-21-2130748778-3176679208-1135441190-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\ProgramData\Systeme
cmd: netsh advfirewall reset
EmptyTemp:
End::

3- Once the script is copied, click on Fix; FRST will automatically take the script from the clipboard.

Let the repair process take place; once it is finished, you will be asked to restart your PC, do it as soon as prompted, see below.

Then once your computer has restarted:
4- You will have a Fixlog file on your desktop; then upload this fixlog report to https://www.cjoint.com/ or https://pixeldrain.com/
Then give the link generated by https://www.cjoint.com/ or https://pixeldrain.com/ in your response.
5- To disinfect the USB device(s).
As before, to disinfect your infected USB device(s) (USB stick or external hard drive), connect them to your PC but do not open them, then download KVRT. For instructions on how to use it, see this page, paragraph Kaspersky Virus Removal Tool (KVRT); be sure to tick the letters of the infected USB sticks and external hard drives in all volumes.
This second PC is a low-end, very low-power PC, so the KVRT scan may take some time.
6- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT.
Hello,
Here is the fixlog report: https://www.cjoint.com/c/NJmiLEIIhSO
Thank you for everything and have a great weekend!
Hello Bazfile,
First of all, thank you for your response. I followed the steps you mentioned up to step 4.
However, I was unable to disinfect the USB devices with KVRT; I got a blue screen on the first test, and the second took so long that I fell asleep and the PC went into sleep mode... That's why I have 2 questions:
Thanks again for your help,
Have a good day!
There was no trace of the infection on the PC, just a few obsolete processes that I deleted. You told me that your USB drive was infected with the file photo18.exe; normally, KVRT removes this kind of infection, but FRST cannot do anything with USB drives since it doesn't analyze their content.
In your response, include a screenshot of the content of your infected USB drive so that I can see.
You need to disable autoplay; it is normally disabled by default on PCs, and autoplay is the best way to get reinfected by a USB infection.
Perform a new FRST scan and provide the report links.
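The autoplay advice in the post above is the one setting that decides whether merely plugging in the stick can relaunch the lure. What follows is an added example for this page, not code from the thread or from any of the tools it names: it applies the relevant registry settings and reads them back so the result can be verified rather than assumed. It assumes an elevated PowerShell 5.1 or later session and Windows 10 or 11; the policy values used (NoDriveTypeAutoRun, NoAutorun, DisableAutoplay) are the documented Windows ones, and the Explorer view settings are included because the thread's lure "photo 018" only passes for a photo while file extensions are hidden.

```powershell
# Added example (not from the thread or its tools): turn AutoRun/AutoPlay off for
# every drive type and make Explorer show extensions and hidden items, then verify.
# Assumptions: elevated PowerShell 5.1+, Windows 10/11.

# Desired state. Values are DWORDs; 0xFF in NoDriveTypeAutoRun covers all drive
# types, NoAutorun = 1 is the "do not execute any autorun commands" policy, and
# DisableAutoplay = 1 is the per-user AutoPlay toggle from Settings.
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'NoAutorun';          Value = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'; Name = 'DisableAutoplay'; Value = 1 },
    # Explorer view: show extensions, hidden files and protected OS files, so a
    # file called "photo 018.exe" is never shown as just "photo 018".
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Value = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Value = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Value = 1 }
)

function Set-UsbHardening {
    foreach ($s in $desired) {
        # Policy keys may not exist on a home edition that has never seen Group Policy.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

# Read every setting back and report it, so a typo or a value re-flipped by
# malware shows up as a FAIL line instead of silently passing.
function Test-UsbHardening {
    $allOk = $true
    foreach ($s in $desired) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        $ok = ($null -ne $actual) -and ([int]$actual -eq [int]$s.Value)
        if (-not $ok) { $allOk = $false }
        [pscustomobject]@{
            Status   = if ($ok) { 'OK' } else { 'FAIL' }
            Setting  = "$($s.Path)\$($s.Name)"
            Expected = $s.Value
            Actual   = $actual
        }
    }
    # Explorer only rereads its Advanced settings when restarted; tell the caller.
    if ($allOk) { Write-Verbose 'All values set; restart Explorer or log off for the view settings to apply.' -Verbose }
}

Set-UsbHardening
Test-UsbHardening | Format-Table -AutoSize
```

The HKCU entries only cover the account the script runs under; repeat Test-UsbHardening from each account that uses the stick, since a worm copied under one profile is not stopped by the other profile's AutoPlay setting.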
Alright. For your information, I don't think I ran the "photo 018" program on this PC, so it must be the PC I use to take my notes that is infected. I will try to install KVRT on that one to clean everything up.
Also, is it possible that I could infect my main PC by sending myself my notes via email? Because for now, using an external device seems complicated T-T
I have disabled autorun, thanks for the advice.
Here are the links to the new FRST analyses of the main PC:
Addition: https://www.cjoint.com/c/NJlsuq5trzO
FRST: https://www.cjoint.com/c/NJlsuPnO4xO
Thanks again for the time you spent helping me :)