CelticCoder

Member

  • Content Count: 17
  • Community Reputation: 0 Neutral

About CelticCoder

  • Rank: Member
  • Birthday: July 3

Profile Information

  • Gender: Male
  • Location: Dublin, Ireland

  1. Hi Arthur, That's a very clear explanation! Thanks very much! Regards, Liam
  2. Yes, the issue is addressed. My only question is why this is logged on a daily basis? Is Emsisoft attempting this code injection into a system process each time that it runs? Thanks, by the way, for the prompt response!
  3. I see that the following comment addresses the issue: https://support.emsisoft.com/topic/29131-code-integrity-determined-that-the-page-hashes-of-an-image-file-are-not-valid-a2hooks64dll/?do=findComment&comment=181892
  4. Hi Emsisoft Support, Event viewer has the following entry for each day for the past several months. Since it is an "Information" error, I had missed it previously.

     Log Name: Security
     Source: Microsoft-Windows-Security-Auditing
     Date: 08/02/2019 10:19:23
     Event ID: 6281
     Task Category: System Integrity
     Level: Information
     Keywords: Audit Failure
     User: N/A
     Computer: new-PC
     Description: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
     File Name: \Device\HarddiskVolume1\Program Files\Emsisoft Anti-Malware\a2hooks64.dll

     Is this an issue with the Emsisoft Anti-Malware Home installation or a possible disk error as noted in the Description? Regards, Liam
  5. Hi Kevin, Thanks for the help, much appreciated! Regards, Liam.
  6. Hi Kevin, I have attached the "Fixlog.txt" file. Thanks! Liam. (Attachment: Fixlog.txt)
  7. Hi Kevin, Apologies for the delay in responding to your last post! I have attached two scans from EEK. The first (scan_170529-113754.txt) is the standard scan and the second (scan_170529-114608) is a direct access rootkit scan. Also attached are the FRST.txt and the Addition.txt. Interestingly, there are "A" and "Z" users created yesterday:

     ==================== One Month Created files and folders ========
     (If an entry is included in the fixlist, the file/folder will be moved.)
     2017-05-28 23:24 - 2017-05-28 23:24 - 00522681 _____ C:\Users\Akwnl\debate-phenomena-civilization.xlsx
     2017-05-28 23:24 - 2017-05-28 23:24 - 00515898 _____ C:\Users\Zjvm\2zLYtQRu1.xlsx
     2017-05-28 23:24 - 2017-05-28 23:24 - 00218806 _____ C:\Users\Zjvm\plates-succeed-cultural-find.mdb
     2017-05-28 23:24 - 2017-05-28 23:24 - 00207208 _____ C:\Users\Akwnl\joe-tent-lately.mdb
     2017-05-28 23:24 - 2017-05-28 23:24 - 00068614 _____ C:\Users\Akwnl\exists.correction.rival.hydrogen.xls
     2017-05-28 23:24 - 2017-05-28 23:24 - 00068304 _____ C:\Users\Zjvm\intensity.could.origin.xls
     2017-05-28 23:24 - 2017-05-28 23:24 - 00056748 _____ C:\Users\Akwnl\WdOJocCN.pem
     2017-05-28 23:24 - 2017-05-28 23:24 - 00054772 _____ C:\Users\Zjvm\diffusion-crush-valid.pem
     2017-05-28 23:24 - 2017-05-28 23:24 - 00021050 _____ C:\Users\Zjvm\northmoist.txt
     2017-05-28 23:24 - 2017-05-28 23:24 - 00015596 _____ C:\Users\Zjvm\refute-difficulty-core-plant.sql
     2017-05-28 23:24 - 2017-05-28 23:24 - 00014948 _____ C:\Users\Akwnl\hesitation rate fault scientists.txt
     2017-05-28 23:24 - 2017-05-28 23:24 - 00011277 _____ C:\Users\Akwnl\navy talents mess.sql
     2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware.
     Just leave it here
     2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Zjvm
     2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Ximages222
     2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Alog81
     2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Akwnl
     2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\Xvalue111
     2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\arversions220

     It would appear that Cybereason RansomFree is creating random "A" and "Z" users at regular intervals and removing the previously created users. Should I uninstall this application? Thanks! Liam.

     Attachments: scan_170529-113754.txt, scan_170529-114608.txt, FRST.txt, Addition.txt
  8. Hi Kevin, Thanks for creating the fixlist! I have attached the output. However, it seems that these users / files have already been deleted and new ones have been created. I am going to uninstall Cybereason RansomFree as it seems to be the culprit for these "random" users / files (see attached). As noted by Fabian on the Bleeping Computer site (https://www.bleepingcomputer.com/news/security/ransomfree-is-the-latest-app-that-tries-to-stop-ransomware-infections-on-windows/), the methodology used by Cybereason is flawed. Another reason to uninstall. Thanks! Liam. (Attachment: Fixlog.txt)
  9. Hi Kevin, You mentioned that the logs look OK. However, is there any cause for concern about the new users and folders / files created on "2017-05-17 18:05" as noted in the FRST.txt file?

     ==================== One Month Created files and folders ========
     (If an entry is included in the fixlist, the file/folder will be moved.)
     2017-05-18 15:50 - 2017-05-18 15:51 - 00000000 ____D C:\FRST
     2017-05-18 15:39 - 2017-05-18 15:49 - 00000000 ____D C:\EEK
     2017-05-18 15:14 - 2017-05-18 15:51 - 00000000 ____D C:\Users\new\Downloads\Emsisoft Support
     2017-05-18 09:15 - 2017-05-18 09:15 - 00000832 _____ C:\Users\Public\Desktop\CCleaner.lnk
     2017-05-17 18:05 - 2017-05-17 18:05 - 00514406 _____ C:\Users\Zuyel\fare_talents_republican_meals.xlsx
     2017-05-17 18:05 - 2017-05-17 18:05 - 00512350 _____ C:\Users\Akdzxqpv\action fighting.xlsx
     2017-05-17 18:05 - 2017-05-17 18:05 - 00228938 _____ C:\Users\Akdzxqpv\luxury_run_burst.mdb
     2017-05-17 18:05 - 2017-05-17 18:05 - 00215647 _____ C:\Users\Zuyel\contain incessant.mdb
     2017-05-17 18:05 - 2017-05-17 18:05 - 00074442 _____ C:\Users\Zuyel\landscape conduct.xls
     2017-05-17 18:05 - 2017-05-17 18:05 - 00066825 _____ C:\Users\Akdzxqpv\orange.francisco.her.xls
     2017-05-17 18:05 - 2017-05-17 18:05 - 00059654 _____ C:\Users\Zuyel\dissatisfy publications imagine.pem
     2017-05-17 18:05 - 2017-05-17 18:05 - 00054685 _____ C:\Users\Akdzxqpv\swell practice.pem
     2017-05-17 18:05 - 2017-05-17 18:05 - 00034927 _____ C:\Users\Akdzxqpv\5fxt.txt
     2017-05-17 18:05 - 2017-05-17 18:05 - 00033649 _____ C:\Users\Zuyel\texture-consequent-actress.txt
     2017-05-17 18:05 - 2017-05-17 18:05 - 00025838 _____ C:\Users\Zuyel\horror_place.sql
     2017-05-17 18:05 - 2017-05-17 18:05 - 00012203 _____ C:\Users\Akdzxqpv\HoTaC0k.sql
     2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware.
     Just leave it here
     2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Zuyel
     2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Xlogs0
     2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Aimages193
     2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Akdzxqpv
     2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\Xorganized212
     2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\arconfig139

     Might these be part of the honeypot files created by the Cybereason RansomFree application? Thanks! Liam.
  10. Note: At the beginning of the START HERE thread, it mentions that the scans should be done with all browsers closed. However, this instruction is not repeated later in the thread when the details are given about running the scans. Should this instruction be included again at that point to alert users to the requirement?
  11. Hi Emsisoft Support, I use an Asus laptop (Windows 7 x64 SP1) and a recent Emsisoft Anti-Malware alert as given in the attached screen shot shows the following message: I use PatchMyPC (https://patchmypc.net/supported-products-free-updater) for updating selected applications on my laptop when new versions become available. However, the "C:\PatchMyPCUpdates\" folder does not seem to exist. Did Emsisoft remove this folder or is this a false positive?

      I have attached the screen shot and the Emsisoft Emergency Kit log (scan_170518-154302.txt) from the "C:\EEK\Reports" folder. Also attached are the FRST.txt and Addition.txt. The FRST.txt shows a number of things that I find strange:
      (1) There are two users created yesterday on the laptop that I do not recognise (Akdzxqpv and Zuyel). Note: The "new" user is myself - I was too lazy to change the default user when I first got this second-hand laptop. In addition, the "Yer Woman" account was created by my wife.
      (2) Other folders created yesterday ("C:\Xorganized212" and "C:\arconfig139") I also do not recognise.
      Regards, Liam.

      Attachments: Addition.txt, FRST.txt, scan_170518-154302.txt
  12. Hi Kevin, Thanks again for all your help and the explanation! Thanks! Liam.
  13. Hi Kevin, Thanks again for your help, much appreciated! I have a few final questions:
      - The "Delfix" program above removes all restore points and creates a new one called "End of disinfection". Is there any point then in doing a disable/enable of System Restore?
      - Emsisoft Anti-Malware had initially flagged that "newdev.dll" was infected. Was the DLL actually infected or was it just indicating another problem with the system?
      Thanks! Liam.
  14. Hi Kevin, I have attached the fixlog.txt. Thanks! Liam (Attachment: Fixlog.txt)
  15. Hi Kevin, Thanks again for your help! The PC seems to be using less memory, but this is based on not having browser windows open during scans. Once the scans were finished, it still seems to be improved. I ran the EEK twice. The first time yesterday without rootkit checking and then today with rootkit checking using direct disk access. Both logs and the other requested logs are attached. EEK stated that no suspicious files were found during the scan. Thanks! Liam.

      Attachments: FRST.txt, Addition.txt, scan_160318-214741.txt, scan_160319-091856.txt
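Post 4 above quotes a single Security-log Event ID 6281 record and asks why it recurs daily. The Python below is an added example, not code from this thread and not Emsisoft's, that reads an Event Viewer text export, keeps only the 6281 records and reports, per flagged image file, on which days it was logged. The sample export is constructed: its first record repeats the fields quoted in the post, the second is a made-up repeat of the same event on the following day, and the "Copy details as text" layout it follows is an assumption. The point of the summary is triage: one file reported once a day is the steady pattern the post describes, whereas a growing set of files, or repeats within a day, is the disk-error reading that the event text itself raises.

```python
"""Summarise Event ID 6281 (Code Integrity page-hash failure) records from an
Event Viewer text export: which image files are reported and on which days."""
import re
from collections import defaultdict

# Constructed sample export (assumption: the 'Copy details as text' layout of
# Event Viewer). Record 1 reproduces the fields quoted in the post above;
# record 2 is a made-up repeat of the same event on the following day.
EVENT_EXPORT = r"""
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          08/02/2019 10:19:23
Event ID:      6281
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      new-PC
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Program Files\Emsisoft Anti-Malware\a2hooks64.dll

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          09/02/2019 10:21:05
Event ID:      6281
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      new-PC
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Program Files\Emsisoft Anti-Malware\a2hooks64.dll
"""

# "Key: value" header lines; the free-text description sentence has no colon,
# so it is left alone and only the labelled fields are collected.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_event_export(text):
    """Split the export into records; a record starts at each 'Log Name:' line."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Log Name:"):
            current = {}
            records.append(current)
        if current is None:
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
    return records


def summarize_code_integrity(text, event_id="6281"):
    """Per reported image file: sorted distinct report days and record count.
    The day is the date part of the Date field, kept as locale text (the post's
    dates are day/month/year)."""
    per_file = defaultdict(lambda: {"days": set(), "count": 0})
    for rec in parse_event_export(text):
        if rec.get("Event ID") != event_id:
            continue
        day = rec.get("Date", "").split(" ")[0]
        entry = per_file[rec.get("File Name", "<no File Name field>")]
        entry["days"].add(day)
        entry["count"] += 1
    return {f: {"days": sorted(v["days"]), "count": v["count"]}
            for f, v in per_file.items()}


def single_file_once_per_day(summary):
    """True when exactly one image file is involved and it was reported at most
    once per day, the steady pattern described in the post. Several files, or
    repeats within a day, would fit the disk-error reading instead."""
    if len(summary) != 1:
        return False
    (info,) = summary.values()
    return info["count"] == len(info["days"])


if __name__ == "__main__":
    summary = summarize_code_integrity(EVENT_EXPORT)
    for path, info in summary.items():
        print(f"{path}: {info['count']} record(s) on {', '.join(info['days'])}")
    print("single file, once per day:", single_file_once_per_day(summary))
```

The file name is a kernel device path (`\Device\HarddiskVolumeN\...`), which the script keeps as text; mapping it to a drive letter needs the volume layout of the machine the log came from.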
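The FRST "One Month Created files and folders" excerpts in posts 7 and 9 above show the pattern the poster reads as RansomFree decoys: a burst of files and hidden folders all created in the same minute, including hidden directories directly under C:\Users and new top-level folders on C:\. The Python below is an added example, not part of the thread and not FRST's, Emsisoft's or Cybereason's code, that parses entries in that format and reports such bursts. Its input is a subset of the lines quoted in post 7 plus the C:\FRST entry from post 9 as a non-burst control; the reading of the attribute column as S = system, H = hidden, D = directory is an assumption about FRST's legend, and the burst threshold of six entries is arbitrary.

```python
"""Parse FRST 'One Month Created files and folders' entries and flag bursts of
items created in the same minute, including hidden folders directly under
C:\\Users, the pattern the RansomFree decoy users show in the posts above."""
import re
from collections import defaultdict

# Sample input: a subset of the FRST.txt lines quoted in the thread (the decoy
# folder name is printed by FRST across two lines), plus the C:\FRST entry from
# the other excerpt as a non-burst control.
FRST_SAMPLE = r"""
2017-05-28 23:24 - 2017-05-28 23:24 - 00522681 _____ C:\Users\Akwnl\debate-phenomena-civilization.xlsx
2017-05-28 23:24 - 2017-05-28 23:24 - 00515898 _____ C:\Users\Zjvm\2zLYtQRu1.xlsx
2017-05-28 23:24 - 2017-05-28 23:24 - 00056748 _____ C:\Users\Akwnl\WdOJocCN.pem
2017-05-28 23:24 - 2017-05-28 23:24 - 00054772 _____ C:\Users\Zjvm\diffusion-crush-valid.pem
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware.
Just leave it here
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Zjvm
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Ximages222
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Alog81
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Akwnl
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\Xvalue111
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\arversions220
2017-05-18 15:50 - 2017-05-18 15:51 - 00000000 ____D C:\FRST
"""

# created - modified - size attributes path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) (.+)$"
)


def parse_created_entries(text):
    """One dict per entry; a line that does not look like an entry is treated
    as the continuation of the previous entry's (multi-line) name."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            if entries:
                entries[-1]["path"] += " " + line
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "size": int(size),
            "attrs": attrs,
            "path": path,
            # Attribute letters as they appear in the posts; assumption:
            # S = system, H = hidden, D = directory.
            "is_dir": "D" in attrs,
            "hidden": "H" in attrs,
            "system": "S" in attrs,
        })
    return entries


def hidden_user_dirs(entries):
    """Hidden directories directly under the Users folder, i.e. profile-like
    folders that Explorer would not show with default settings."""
    found = []
    for e in entries:
        if e["is_dir"] and e["hidden"]:
            parts = e["path"].split("\\")
            if len(parts) == 3 and parts[0].lower() == "c:" and parts[1].lower() == "users":
                found.append(e["path"])
    return found


def creation_bursts(entries, min_count=6):
    """Group entries by creation minute and keep groups of min_count or more."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["created"]].append(e)
    return {ts: es for ts, es in by_minute.items() if len(es) >= min_count}


def summarize_bursts(entries, min_count=6):
    """Per burst: entry count, hidden profile-like folders, and new directories
    created directly on the drive root (two path components, e.g. C: + name)."""
    report = {}
    for ts, es in creation_bursts(entries, min_count).items():
        report[ts] = {
            "count": len(es),
            "hidden_user_dirs": hidden_user_dirs(es),
            "root_dirs": [e["path"] for e in es
                          if e["is_dir"] and len(e["path"].split("\\")) == 2],
        }
    return report


if __name__ == "__main__":
    for ts, info in summarize_bursts(parse_created_entries(FRST_SAMPLE)).items():
        print(ts, info)
```

Run against a full FRST.txt, the same functions give a per-minute view of what appeared together; a group that repeats at a fixed interval with fresh random names each time, as the poster observed, is what to compare against the installed software's documented behaviour before treating the folders as an intrusion.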