Posts posted by CelticCoder

  1. Hi Arthur,

    I ran EmsiClean and then after the first reboot I ran it again to see what it might show. I have attached the log.

    However, I think that the message is a false positive as it came up again when I checked after the next reboot. At that stage I reinstalled Emsisoft successfully.

    Thanks for your help! You can close this ticket.

    Kind Regards,

    Liam

    EmsiClean_2020.12.10_11.37.01.txt

  2. Hi Support,

    This issue started with the uninstall of a problematic Windows Update (KB4586878). I resolved the problem with the DNS, but then Emsisoft started giving problems. I uninstalled the software but an attempted reinstall gave the "A version of this software is already installed" error.

    As per this article: https://help.emsisoft.com/en/1787/how-do-i-completely-uninstall-an-emsisoft-product/ I ran EmsiClean and attached the log.

    Emsisoft version: 2020.12.1.10579.
    Device details: Name: DESKTOP-SNF8BOK OS: Microsoft Windows 10 Pro 10.0.18363 (64-bit)
    Laptop: Acer NC-E1-571G-32348

    In the cloud console, the device is showing as offline. As a temporary measure, might it be possible to install a 30-day trial of Emsisoft as I only have Windows Defender installed at the moment?

    Many thanks for your help!


    Kind Regards,

    Liam

    EmsiClean_2020.12.09_17.42.42.txt


  3. Hi Emsisoft Support,

    Event viewer has the following entry for each day for the past several months. Since it is an "Information" error, I had missed it previously.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          08/02/2019 10:19:23
    Event ID:      6281
    Task Category: System Integrity
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      new-PC
    Description:
    Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
    
    File Name:    \Device\HarddiskVolume1\Program Files\Emsisoft Anti-Malware\a2hooks64.dll    
    

    Is this an issue with the Emsisoft Anti-Malware Home installation or a possible disk error as noted in the Description?

    Regards,

    Liam
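Event ID 6281 reads as a single line in Event Viewer, but the useful signal in the post is that the same file trips the check every day. The parser below, added here as an example and not part of the poster's material or Emsisoft's software, takes Security-log entries in the "Copy > Details as text" layout, keeps only Event ID 6281, groups them by the image file named in the description, and labels a file "recurring" when the failure repeats across days (a transient disk read error would not keep hitting the same file at the same hash offsets; a persistent failure points at the image itself, so the next check is the file's Authenticode signature against the vendor's published copy). The sample entries are constructed (one extra day and one unrelated logon event), the dd/mm/yyyy date order is assumed from the post, and the NT-device-to-drive-letter table is a placeholder for what QueryDosDevice would return on the live machine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Event Viewer "Details as text" layout: two daily 6281
# events for the same DLL and one unrelated 4624 logon so the filter has something
# to skip. Not real log data.
SAMPLE_EVENTS = r"""
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          07/02/2019 10:18:55
Event ID:      6281
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      new-PC
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume1\Program Files\Emsisoft Anti-Malware\a2hooks64.dll

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          07/02/2019 12:01:07
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      new-PC
Description:
An account was successfully logged on.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          08/02/2019 10:19:23
Event ID:      6281
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      new-PC
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume1\Program Files\Emsisoft Anti-Malware\a2hooks64.dll
"""

HEADER_RE = re.compile(
    r"^(Log Name|Source|Date|Event ID|Task Category|Level|Keywords|User|Computer):\s+(.*)$"
)
FILE_RE = re.compile(r"^File Name:\s+(.*?)\s*$", re.MULTILINE)

# Assumed mapping; on a live system it comes from QueryDosDevice / mountvol.
DEVICE_MAP = {"\\Device\\HarddiskVolume1": "C:"}


def parse_events(text: str) -> list:
    """Split an Event Viewer text export into one dict per 'Log Name:' record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Log Name:)", text):
        if not chunk.strip():
            continue
        ev = {}
        for line in chunk.splitlines():
            m = HEADER_RE.match(line)
            if m:
                ev[m.group(1)] = m.group(2).strip()
        parts = chunk.split("Description:", 1)
        ev["Description"] = parts[1].strip() if len(parts) > 1 else ""
        m = FILE_RE.search(ev["Description"])
        ev["File Name"] = m.group(1) if m else None
        events.append(ev)
    return events


def code_integrity_failures(events: list) -> dict:
    """Event ID 6281 records grouped by the offending image, as sorted datetimes."""
    by_file = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") != "6281":
            continue
        # Day-first date order, as in the post (assumed locale).
        when = datetime.strptime(ev["Date"], "%d/%m/%Y %H:%M:%S")
        by_file[ev["File Name"]].append(when)
    return {f: sorted(d) for f, d in by_file.items()}


def triage(by_file: dict) -> dict:
    """'recurring' when the same image fails on more than one day, else 'single'."""
    return {f: ("recurring" if len({d.date() for d in ds}) > 1 else "single")
            for f, ds in by_file.items()}


def to_drive_path(nt_path: str) -> str:
    """Translate \\Device\\HarddiskVolumeN\\... to a drive-letter path using DEVICE_MAP."""
    for dev, drive in DEVICE_MAP.items():
        if nt_path.startswith(dev + "\\"):
            return drive + nt_path[len(dev):]
    return nt_path


if __name__ == "__main__":
    failures = code_integrity_failures(parse_events(SAMPLE_EVENTS))
    for path, verdict in triage(failures).items():
        print(verdict, to_drive_path(path), [d.date().isoformat() for d in failures[path]])
```

A recurring verdict on a vendor DLL is exactly the case the poster asks about: it is worth comparing the file's signature and hash with a fresh copy from the vendor before deciding between a damaged install and a disk problem.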

  4. Hi Kevin,

    Apologies for the delay in responding to your last post!

    I have attached two scans from EEK. The first (scan_170529-113754.txt) is the standard scan and the second (scan_170529-114608) is a direct access rootkit scan. Also attached is the FRST.txt and the Addition.txt.

    Interestingly, there are an "A" and "Z" users created yesterday:

    ==================== One Month Created files and folders ========
    
    (If an entry is included in the fixlist, the file/folder will be moved.)
    
    2017-05-28 23:24 - 2017-05-28 23:24 - 00522681 _____ C:\Users\Akwnl\debate-phenomena-civilization.xlsx
    2017-05-28 23:24 - 2017-05-28 23:24 - 00515898 _____ C:\Users\Zjvm\2zLYtQRu1.xlsx
    2017-05-28 23:24 - 2017-05-28 23:24 - 00218806 _____ C:\Users\Zjvm\plates-succeed-cultural-find.mdb
    2017-05-28 23:24 - 2017-05-28 23:24 - 00207208 _____ C:\Users\Akwnl\joe-tent-lately.mdb
    2017-05-28 23:24 - 2017-05-28 23:24 - 00068614 _____ C:\Users\Akwnl\exists.correction.rival.hydrogen.xls
    2017-05-28 23:24 - 2017-05-28 23:24 - 00068304 _____ C:\Users\Zjvm\intensity.could.origin.xls
    2017-05-28 23:24 - 2017-05-28 23:24 - 00056748 _____ C:\Users\Akwnl\WdOJocCN.pem
    2017-05-28 23:24 - 2017-05-28 23:24 - 00054772 _____ C:\Users\Zjvm\diffusion-crush-valid.pem
    2017-05-28 23:24 - 2017-05-28 23:24 - 00021050 _____ C:\Users\Zjvm\northmoist.txt
    2017-05-28 23:24 - 2017-05-28 23:24 - 00015596 _____ C:\Users\Zjvm\refute-difficulty-core-plant.sql
    2017-05-28 23:24 - 2017-05-28 23:24 - 00014948 _____ C:\Users\Akwnl\hesitation rate fault scientists.txt
    2017-05-28 23:24 - 2017-05-28 23:24 - 00011277 _____ C:\Users\Akwnl\navy talents mess.sql
    2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware. Just leave it here
    2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Zjvm
    2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Ximages222
    2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Alog81
    2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Akwnl
    2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\Xvalue111
    2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\arversions220

    It would appear that Cybereason RansomFree is creating random "A" and "Z" users at regular intervals and removing the previously created users. Should I uninstall this application?

    Thanks!
    Liam.

    scan_170529-113754.txt

    scan_170529-114608.txt

    FRST.txt

    Addition.txt

  5. Hi Kevin,

    Thanks for creating the fixlist! I have attached the output. However, it seems that these users / files have already been deleted and new ones have been created. I am going to uninstall Cybereason Ransomfree as it seems to be the culprit for these "random" users / files (see attached).

    As noted by Fabian on the Bleeping Computer site (https://www.bleepingcomputer.com/news/security/ransomfree-is-the-latest-app-that-tries-to-stop-ransomware-infections-on-windows/), the methodology used by Cybereason is flawed. Another reason to uninstall.

    Thanks!
    Liam.

    Fixlog.txt

    Random_Users.png

  6. Hi Kevin,

    You mentioned that the logs look OK.

    On 19/05/2017 at 0:40 AM, Kevin Zoll said:

    Hello,

    Your logs look fine.  This appears to be a false positive triggered by the BitDefender definitions.

    However, is there any cause for concern about the new users and folders / files created on "2017-05-17 18:05" as noted in the FRST.txt file?

    ==================== One Month Created files and folders ========
    
    (If an entry is included in the fixlist, the file/folder will be moved.)
    
    2017-05-18 15:50 - 2017-05-18 15:51 - 00000000 ____D C:\FRST
    2017-05-18 15:39 - 2017-05-18 15:49 - 00000000 ____D C:\EEK
    2017-05-18 15:14 - 2017-05-18 15:51 - 00000000 ____D C:\Users\new\Downloads\Emsisoft Support
    2017-05-18 09:15 - 2017-05-18 09:15 - 00000832 _____ C:\Users\Public\Desktop\CCleaner.lnk
    2017-05-17 18:05 - 2017-05-17 18:05 - 00514406 _____ C:\Users\Zuyel\fare_talents_republican_meals.xlsx
    2017-05-17 18:05 - 2017-05-17 18:05 - 00512350 _____ C:\Users\Akdzxqpv\action fighting.xlsx
    2017-05-17 18:05 - 2017-05-17 18:05 - 00228938 _____ C:\Users\Akdzxqpv\luxury_run_burst.mdb
    2017-05-17 18:05 - 2017-05-17 18:05 - 00215647 _____ C:\Users\Zuyel\contain incessant.mdb
    2017-05-17 18:05 - 2017-05-17 18:05 - 00074442 _____ C:\Users\Zuyel\landscape conduct.xls
    2017-05-17 18:05 - 2017-05-17 18:05 - 00066825 _____ C:\Users\Akdzxqpv\orange.francisco.her.xls
    2017-05-17 18:05 - 2017-05-17 18:05 - 00059654 _____ C:\Users\Zuyel\dissatisfy publications imagine.pem
    2017-05-17 18:05 - 2017-05-17 18:05 - 00054685 _____ C:\Users\Akdzxqpv\swell practice.pem
    2017-05-17 18:05 - 2017-05-17 18:05 - 00034927 _____ C:\Users\Akdzxqpv\5fxt.txt
    2017-05-17 18:05 - 2017-05-17 18:05 - 00033649 _____ C:\Users\Zuyel\texture-consequent-actress.txt
    2017-05-17 18:05 - 2017-05-17 18:05 - 00025838 _____ C:\Users\Zuyel\horror_place.sql
    2017-05-17 18:05 - 2017-05-17 18:05 - 00012203 _____ C:\Users\Akdzxqpv\HoTaC0k.sql
    2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware. Just leave it here
    2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Zuyel
    2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Xlogs0
    2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Aimages193
    2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Akdzxqpv
    2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\Xorganized212
    2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\arconfig139

    Might these be part of the honeypot files created by the Cybereason RansomFree application?

    Thanks!

    Liam.
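The FRST excerpts in this post and in the later one (the "Akwnl"/"Zjvm" pair) show the same shape: two hidden profile directories under C:\Users created in the same minute and immediately filled with documents, next to a "This folder protects against Ransomware" folder. The script below is an added example, not part of the poster's logs or of FRST, that parses the "One Month Created files and folders" section, groups entries by creation minute, and reports the minutes in which new profile directories appear together with files written into them. The sample is the excerpt from this post; the decision rule (two or more hidden profiles pre-populated in one minute) is a triage heuristic assumed here to separate decoy bursts from ordinary profile creation, not a verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# FRST "One Month Created files and folders" line layout:
#   <created> - <modified> - <size> <attrs> <path>
# attrs is five characters; letters mark attributes (S=system, H=hidden, D=directory).
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) (?P<path>.+)$"
)
# A bare profile directory such as C:\Users\Zuyel (no deeper component).
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)$")

# The excerpt from the post, used as sample input.
SAMPLE = r"""
==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-18 15:50 - 2017-05-18 15:51 - 00000000 ____D C:\FRST
2017-05-18 15:39 - 2017-05-18 15:49 - 00000000 ____D C:\EEK
2017-05-18 15:14 - 2017-05-18 15:51 - 00000000 ____D C:\Users\new\Downloads\Emsisoft Support
2017-05-18 09:15 - 2017-05-18 09:15 - 00000832 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-05-17 18:05 - 2017-05-17 18:05 - 00514406 _____ C:\Users\Zuyel\fare_talents_republican_meals.xlsx
2017-05-17 18:05 - 2017-05-17 18:05 - 00512350 _____ C:\Users\Akdzxqpv\action fighting.xlsx
2017-05-17 18:05 - 2017-05-17 18:05 - 00228938 _____ C:\Users\Akdzxqpv\luxury_run_burst.mdb
2017-05-17 18:05 - 2017-05-17 18:05 - 00215647 _____ C:\Users\Zuyel\contain incessant.mdb
2017-05-17 18:05 - 2017-05-17 18:05 - 00074442 _____ C:\Users\Zuyel\landscape conduct.xls
2017-05-17 18:05 - 2017-05-17 18:05 - 00066825 _____ C:\Users\Akdzxqpv\orange.francisco.her.xls
2017-05-17 18:05 - 2017-05-17 18:05 - 00059654 _____ C:\Users\Zuyel\dissatisfy publications imagine.pem
2017-05-17 18:05 - 2017-05-17 18:05 - 00054685 _____ C:\Users\Akdzxqpv\swell practice.pem
2017-05-17 18:05 - 2017-05-17 18:05 - 00034927 _____ C:\Users\Akdzxqpv\5fxt.txt
2017-05-17 18:05 - 2017-05-17 18:05 - 00033649 _____ C:\Users\Zuyel\texture-consequent-actress.txt
2017-05-17 18:05 - 2017-05-17 18:05 - 00025838 _____ C:\Users\Zuyel\horror_place.sql
2017-05-17 18:05 - 2017-05-17 18:05 - 00012203 _____ C:\Users\Akdzxqpv\HoTaC0k.sql
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware. Just leave it here
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Zuyel
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Xlogs0
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Aimages193
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Akdzxqpv
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\Xorganized212
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\arconfig139
"""


@dataclass
class Entry:
    created: str  # "YYYY-MM-DD HH:MM" as FRST prints it
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def is_hidden(self) -> bool:
        return "H" in self.attrs


def parse_frst_created(text: str) -> list:
    """Parse the created-files section; header and note lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def profile_bursts(entries: list) -> dict:
    """Minutes in which a new profile directory appears, with the profile names,
    whether every new profile is hidden, and how many files landed inside them."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e.created].append(e)
    report = {}
    for minute, group in sorted(by_minute.items()):
        profile_dirs = [e for e in group if e.is_dir and PROFILE_RE.match(e.path)]
        if not profile_dirs:
            continue
        files_inside = [f for f in group if not f.is_dir
                        and any(f.path.startswith(d.path + "\\") for d in profile_dirs)]
        report[minute] = {
            "profiles": sorted(PROFILE_RE.match(d.path)[1] for d in profile_dirs),
            "all_hidden": all(d.is_hidden for d in profile_dirs),
            "files_inside": len(files_inside),
        }
    return report


def likely_decoy_burst(report: dict) -> list:
    """Heuristic (assumed): two or more hidden profiles created in the same minute,
    each pre-populated with documents. Ordinary profile creation is one visible
    directory filled over time. Treat a hit as a prompt to find which installed
    product created the directories, not as evidence of compromise."""
    return [m for m, r in report.items()
            if len(r["profiles"]) >= 2 and r["all_hidden"] and r["files_inside"] > 0]


if __name__ == "__main__":
    report = profile_bursts(parse_frst_created(SAMPLE))
    for minute in likely_decoy_burst(report):
        print(minute, report[minute])
```

Run against the second excerpt on this page (the 2017-05-28 23:24 block), the same code flags that minute with the "Akwnl" and "Zjvm" profiles, which is what makes the periodic-recreation pattern visible across reports.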

  7. Hi Emsisoft Support,

    I use an Asus laptop (Windows 7 x64 SP1) and a recent Emsisoft Anti-Malware alert as given in the attached screenshot shows the following message:

    Quote:

    The following objects were not removed for your own safety:

    C:\PatchMyPCUpdates\AutoHotKey.exe


    I use PatchMyPC (https://patchmypc.net/supported-products-free-updater) for updating selected applications on my laptop when new versions become available. However, the "C:\PatchMyPCUpdates\" folder does not seem to exist. Did Emsisoft remove this folder or is this a false positive?

    I have attached the screen shot and the Emsisoft Emergency Kit log (scan_170518-154302.txt) from the "C:\EEK\Reports" folder. Also attached are the FRST.txt and Addition.txt.

    The FRST.txt shows a number of things that I find strange:

    (1) There are two users created yesterday on the laptop that I do not recognise (Akdzxqpv and Zuyel). Note: The "new" user is myself - I was too lazy to change the default user when I first got this second-hand laptop. In addition, the "Yer Woman" account was created by my wife.
    (2) Other folders created yesterday ("C:\Xorganized212" and "C:\arconfig139") I also do not recognise.

    Regards,
    Liam.

    Addition.txt

    FRST.txt

    scan_170518-154302.txt

    Emsisoft Anti-Malware AutoHotKey non removal.png

  8. Hi Kevin,


    Thanks again for your help, much appreciated! :D

    I have a few final questions:

    - The "Delfix" program above removes all restore points and creates a new one called "End of disinfection". Is there any point then in doing a disable/enable of System Restore?

    - Emsisoft Anti-Malware had initially flagged that "newdev.dll" was infected. Was the DLL actually infected or was it just indicating another problem with the system?

    Thanks!

    Liam.

  9. Hi Kevin,


    Thanks again for your help! The PC seems to be using less memory, but this is based on not having browser windows open during scans. Once the scans were finished, it still seems to be improved.

    I ran the EEK twice. The first time yesterday without rootkit checking and then today with rootkit checking using direct disk access. Both logs and the other requested logs are attached. EEK stated that no suspicious files were found during the scan.

    Thanks!

    Liam.

    FRST.txt

    Addition.txt

    scan_160318-214741.txt

    scan_160319-091856.txt

  10. My Emsisoft Anti-Malware alert says that the following Windows kernel files have been detected as infected:
    c:\Windows\System32\newdev.dll

    The "Behaviour Blocker" log shows that the "newdev.dll" had an "Undefined event (0)" and the detection was "Behavior.CodeInjector".

    The "C:\EEK\Logs" folder only had a "logs.db3" SQLite database. The "C:\EEK\Reports" folder had the attached "scan_160317-174816.txt" file. There does not appear to be any infections flagged.

    I have also uploaded the "FRST.txt" file. There was no "Addition.txt" file created.

    Note: In your START HERE forum post, the download link for the Emsisoft Emergency Kit should be updated to:
    http://dl.emsisoft.com/EmsisoftEmergencyKit.exe

    Thanks!

    Liam

    scan_160317-174816.txt

    FRST.txt
