Need help removing a virus "Photo 018.exe"
Hello everyone,
I am experiencing a persistent problem with a malicious file named "Photo 018.exe", which seems to propagate via USB drives and external hard drives.
I have consulted the articles and discussions on this topic, particularly the contributions from the user "bazfile", who seems particularly knowledgeable in this area. I followed the instructions from similar cases that have already been resolved to facilitate your analysis as much as possible.
Attached documents:
Here are the reports generated by FRST:
- FRST Report: https://www.cjoint.com/c/NLnpPiL7rMs
- Addition Report: https://www.cjoint.com/c/NLnpPW7QUKs
Equipment used / potentially infected:
- Desktop computer (custom configuration).
- ASUS Zenbook laptop.
- Philips 64 GB USB drive.
- Seagate 1 TB external hard drive.
Chronology of events:
- Two months ago: first detection of the file "Photo 018.exe" on a USB drive connected to the desktop computer (autorun enabled).
- Action:
  - Manual deletion of the file.
  - Formatting of external drives.
  - Scans with Avast Premium and Windows Defender → No threats detected.
  - Problem supposedly resolved.
- Recently: after a business trip, connecting the external hard drive to the desktop computer (autorun still enabled).
- Symptom: "Photo 018.exe" reappears immediately, with an installation date corresponding to the moment of opening.
- Action: immediate formatting of the hard drive, without manual interaction with the file.
Steps taken:
- Installation of Kaspersky Virus Removal Tool:
  - On the desktop PC:
    - Detection and deletion of a file named "Agent".
    - Second thorough scan post-deletion → No files detected.
  - On the ASUS laptop: No threats detected.
- On the desktop PC:
  - Disabling autorun of external drives.
  - Individual scan of storage devices (hard drive and USB drive) after formatting and without opening them → No files detected.
My questions:
- Is my main computer still infected?
- Are the steps taken sufficient to eradicate this virus?
- Are there any additional tools or steps you recommend, knowing that the infection seems to have lasted for a while?
Thank you in advance for the time you will spend helping me. I remain available to provide other information if necessary.
Sincerely,
Hugo
4 replies
Hello.
You did well to follow my instructions in the other posts; Kaspersky Virus Removal Tool successfully removed the infection.
There are only a few inactive remnants of the infection and some orphaned/obsolete processes left; if you want to remove them, do the following:
For your information: uninstall Wondershare Helper Compact, it's adware.
Then:
Procedure to follow in the indicated order:
1- Open FRST as administrator; to do this, right-click on FRST and select "Run as administrator".
2 - Copy the entire script that is in the box below:
Start::
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2133728 2017-09-12] (Wondershare Technology Co.,Ltd -> Wondershare)
HKLM\...\RunOnce: [e323ed41-70f1-4565-8001-2cf08176f2e2] => "C:\Users\hugov\AppData\Local\Temp\{89b84009-b3c5-433d-bdf8-787def80d4de}\e323ed41-70f1-4565-8001-2cf08176f2e2.cmd" (File not found)
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction
S3 EasyAntiCheat; "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" [X]
S3 EpicOnlineServices; "C:\Program Files (x86)\Epic Games\Epic Online Services\service\EpicOnlineServicesHost.exe" [X]
S3 UElevationService; "C:\Program Files\Ultra\Application\8.0.1.18\elevation_service.exe" [X]
U4 AppMgmt; no ImagePath
U3 aswArDisk; no ImagePath
U4 CscService; no ImagePath
U4 napagent; no ImagePath
U4 PeerDistSvc; no ImagePath
CustomCLSID: HKU\S-1-5-21-3636227605-4139202428-2108584352-1001_Classes\CLSID\{2F81B25E-7507-4844-BFF2-77D2CC24CED4}\localserver32 -> "C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" -ToastActivated => File not found
CustomCLSID: HKU\S-1-5-21-3636227605-4139202428-2108584352-1001_Classes\CLSID\{d1b22d3d-8585-53a6-acb3-0e803c7e8d2a}\localserver32 -> "C:\Users\hugov\AppData\Local\Microsoft\Teams\current\Teams.exe" --toast => File not found
AlternateDataStreams: C:\ProgramData\DP45977C.lfl:677104FCAA [5170]
AlternateDataStreams: C:\ProgramData\mntemp:8EAD8B3507 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini:B1DA6C571C [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk:A1B76439FE [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop 2022.lnk:638138415C [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AdsPower Browser.lnk:E9BD082F00 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk:09A0A90EF3 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast One.lnk:BA4BA832A4 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epic Games Launcher.lnk:BE32D07BC5 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk:B96E9B8455 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass 2.lnk:CF2917E869 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote.lnk:60EC9648C0 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook (classic).lnk:5465085A2F [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook (classic).lnk:BE800952D3 [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Health Check.lnk:F20EF51E1F [5170]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk:1DC1525F34 [4314]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher.lnk:104946E0EA [4314]
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype Entreprise.lnk:127DED20AD [4314]
cmd: netsh advfirewall reset
End::
3- Once the script is copied, click on Repair; FRST will automatically take the script from the clipboard.
Let the repair process run; once it has finished, you will be prompted to restart your PC. Do so as soon as you are asked, then see below.
Then once your computer has restarted:
4- You will have a Fixlog file on your desktop, then send this fixlog report to https://www.cjoint.com/ or https://pixeldrain.com/
Then provide the generated link from https://www.cjoint.com/ or https://pixeldrain.com/ in your reply.
Moderator/Security Contributor.
A hello, a response, a thank you are always appreciated.
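The two things this thread keeps coming back to are AutoRun on removable drives (how "Photo 018.exe" kept reappearing) and the Defender DisableAntiSpyware / DisableAntiVirus values that the FRST script above lists as "Restriction". The following PowerShell script is an added example for readers of this thread; it is not part of the thread, not bazfile's procedure and not an FRST feature. It audits those three surfaces on a Windows machine (AutoRun policy, Defender kill-switch values, root of each removable drive) and only changes anything when the hypothetical -Remediate switch is given. It assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): post-cleanup audit of the persistence surfaces this
# thread touches. Read-only unless -Remediate is passed. Run as administrator.
[CmdletBinding()]
param([switch]$Remediate)

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$defenderKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# 1. AutoRun: a value of 0xFF in NoDriveTypeAutoRun disables AutoRun for every drive type.
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -eq 0xFF) {
    Write-Output "AutoRun: disabled for all drive types (NoDriveTypeAutoRun=0xFF)"
} else {
    $shown = if ($null -eq $autorun) { 'unset' } else { '0x{0:X}' -f $autorun }
    Write-Output "AutoRun: NOT fully disabled (NoDriveTypeAutoRun=$shown)"
    if ($Remediate) {
        New-Item -Path $explorerPolicy -Force | Out-Null
        Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Write-Output "  -> set NoDriveTypeAutoRun=0xFF"
    }
}

# 2. Defender kill-switch values. FRST flagged DisableAntiSpyware / DisableAntiVirus under the
#    Windows Defender key; a non-zero value here, or under the policy key, keeps Defender off.
foreach ($key in @($defenderKey, $defenderPolicy)) {
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v -and $v -ne 0) {
            Write-Output "Defender: $key\$name = $v (Defender is disabled by this value)"
            if ($Remediate) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "  -> removed"
            }
        }
    }
}

# 3. Removable drives (Win32_LogicalDisk DriveType 2): list autorun.inf and executables or
#    shortcuts sitting in the drive root, which is where a USB-borne file such as the
#    "Photo 018.exe" from this thread shows up. Nothing is opened or executed here.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    $suspect = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq 'autorun.inf' -or $_.Extension -in '.exe', '.scr', '.vbs', '.lnk' }
    if ($suspect) {
        Write-Output "Removable drive $($disk.DeviceID): review these root entries before opening anything"
        $suspect | ForEach-Object {
            Write-Output ("  {0}  {1} bytes  modified {2}" -f $_.Name, $_.Length, $_.LastWriteTime)
        }
    } else {
        Write-Output "Removable drive $($disk.DeviceID): no autorun.inf or root-level executables"
    }
}
```

Two caveats on the design: the script reports first and only writes with -Remediate, so it can be run on a machine that is still suspect without changing evidence; and on a current Windows build Defender's tamper protection may refuse the Remove-ItemProperty under the Windows Defender key, in which case the values have to be cleared through the Windows Security settings or, as in this thread, by FRST's repair.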
Good evening,
Thank you very much for your response and your promptness!
After multiple analyses of my external drives and computers, it seems that everything is back to normal. I also manually uninstalled the adware, thank you for pointing that out! I hope the malicious folder doesn't reappear when I connect to my hard drives again.
You will find access to the fixlog file here: https://www.cjoint.com/c/NLnuqNz4fTs
Another question, if I may: is this type of attack likely to have leaked my documents? Would it be wiser to change all of my access credentials and conduct a more thorough analysis, or would simply deleting the malicious file be enough to secure myself again?
Waiting for your reply, I thank you once again for your time and assistance.
Have a good evening,
Hugo
The fixlog is OK.
As for the infection, your PC was infected by it; as a result, change your sensitive and important online passwords.
No need for further analysis, FRST is sufficient as it is very comprehensive and there is nothing infectious left on your pc.
To uninstall FRST, rename the FRST file you downloaded to "uninstall"; once the file is renamed, open it, and the uninstallation will occur automatically via a restart of the PC.
bazfile
Moderator/Security Contributor.
a hello, a response, a thank you are always appreciated.



