CelticCoder

CLOSED AutoHotKey not removed for your own safety


Hi Emsisoft Support,

I use an Asus laptop (Windows 7 x64 SP1) and a recent Emsisoft Anti-Malware alert as given in the attached screen shot shows the following message:
Quote:

The following objects were not removed for your own safety:

C:\PatchMyPCUpdates\AutoHotKey.exe

I use PatchMyPC (https://patchmypc.net/supported-products-free-updater) for updating selected applications on my laptop when new versions become available. However, the "C:\PatchMyPCUpdates\" folder does not seem to exist. Did Emsisoft remove this folder or is this a false positive?

I have attached the screen shot and the Emsisoft Emergency Kit log (scan_170518-154302.txt) from the "C:\EEK\Reports" folder. Also attached are the FRST.txt and Addition.txt.

The FRST.txt shows a number of things that I find strange:

(1) There are two users created yesterday on the laptop that I do not recognise (Akdzxqpv and Zuyel). Note: The "new" user is myself - I was too lazy to change the default user when I first got this second-hand laptop. In addition, the "Yer Woman" account was created by my wife.
(2) Other folders created yesterday ("C:\Xorganized212" and "C:\arconfig139") I also do not recognise.

Regards,
Liam.

Addition.txt

FRST.txt

scan_170518-154302.txt

Emsisoft Anti-Malware AutoHotKey non removal.png

Note: At the beginning of the START HERE thread, it mentions that the scans should be done with all browsers closed. However, this instruction is not repeated later in the thread when the details are given about running the scans. Should this instruction be included again at that point to alert users to the requirement?


Hello,

Your logs look fine.  This appears to be a false positive triggered by the BitDefender definitions.

6 hours ago, CelticCoder said:

Note: At the beginning of the START HERE thread, it mentions that the scans should be done with all browsers closed. However, this instruction is not repeated later in the thread when the details are given about running the scans. Should this instruction be included again at that point to alert users to the requirement?

I try not to repeat things in the instructions.


Hi Kevin,

You mentioned that the logs look OK.

On 19/05/2017 at 0:40 AM, Kevin Zoll said:

Hello,

Your logs look fine.  This appears to be a false positive triggered by the BitDefender definitions.

However, is there any cause for concern about the new users and folders / files created on "2017-05-17 18:05" as noted in the FRST.txt file?

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-18 15:50 - 2017-05-18 15:51 - 00000000 ____D C:\FRST
2017-05-18 15:39 - 2017-05-18 15:49 - 00000000 ____D C:\EEK
2017-05-18 15:14 - 2017-05-18 15:51 - 00000000 ____D C:\Users\new\Downloads\Emsisoft Support
2017-05-18 09:15 - 2017-05-18 09:15 - 00000832 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-05-17 18:05 - 2017-05-17 18:05 - 00514406 _____ C:\Users\Zuyel\fare_talents_republican_meals.xlsx
2017-05-17 18:05 - 2017-05-17 18:05 - 00512350 _____ C:\Users\Akdzxqpv\action fighting.xlsx
2017-05-17 18:05 - 2017-05-17 18:05 - 00228938 _____ C:\Users\Akdzxqpv\luxury_run_burst.mdb
2017-05-17 18:05 - 2017-05-17 18:05 - 00215647 _____ C:\Users\Zuyel\contain incessant.mdb
2017-05-17 18:05 - 2017-05-17 18:05 - 00074442 _____ C:\Users\Zuyel\landscape conduct.xls
2017-05-17 18:05 - 2017-05-17 18:05 - 00066825 _____ C:\Users\Akdzxqpv\orange.francisco.her.xls
2017-05-17 18:05 - 2017-05-17 18:05 - 00059654 _____ C:\Users\Zuyel\dissatisfy publications imagine.pem
2017-05-17 18:05 - 2017-05-17 18:05 - 00054685 _____ C:\Users\Akdzxqpv\swell practice.pem
2017-05-17 18:05 - 2017-05-17 18:05 - 00034927 _____ C:\Users\Akdzxqpv\5fxt.txt
2017-05-17 18:05 - 2017-05-17 18:05 - 00033649 _____ C:\Users\Zuyel\texture-consequent-actress.txt
2017-05-17 18:05 - 2017-05-17 18:05 - 00025838 _____ C:\Users\Zuyel\horror_place.sql
2017-05-17 18:05 - 2017-05-17 18:05 - 00012203 _____ C:\Users\Akdzxqpv\HoTaC0k.sql
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware. Just leave it here
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Zuyel
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Xlogs0
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\new\Documents\Aimages193
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Akdzxqpv
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\Xorganized212
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ____D C:\arconfig139

Might these be part of the honeypot files created by the Cybereason RansomFree application?

Thanks!

Liam.


If you did not create those Users then we can remove them.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

2017-05-17 18:05 - 2017-05-17 18:05 - 00514406 _____ C:\Users\Zuyel\fare_talents_republican_meals.xlsx
2017-05-17 18:05 - 2017-05-17 18:05 - 00512350 _____ C:\Users\Akdzxqpv\action fighting.xlsx
2017-05-17 18:05 - 2017-05-17 18:05 - 00228938 _____ C:\Users\Akdzxqpv\luxury_run_burst.mdb
2017-05-17 18:05 - 2017-05-17 18:05 - 00215647 _____ C:\Users\Zuyel\contain incessant.mdb
2017-05-17 18:05 - 2017-05-17 18:05 - 00074442 _____ C:\Users\Zuyel\landscape conduct.xls
2017-05-17 18:05 - 2017-05-17 18:05 - 00066825 _____ C:\Users\Akdzxqpv\orange.francisco.her.xls
2017-05-17 18:05 - 2017-05-17 18:05 - 00059654 _____ C:\Users\Zuyel\dissatisfy publications imagine.pem
2017-05-17 18:05 - 2017-05-17 18:05 - 00054685 _____ C:\Users\Akdzxqpv\swell practice.pem
2017-05-17 18:05 - 2017-05-17 18:05 - 00034927 _____ C:\Users\Akdzxqpv\5fxt.txt
2017-05-17 18:05 - 2017-05-17 18:05 - 00033649 _____ C:\Users\Zuyel\texture-consequent-actress.txt
2017-05-17 18:05 - 2017-05-17 18:05 - 00025838 _____ C:\Users\Zuyel\horror_place.sql
2017-05-17 18:05 - 2017-05-17 18:05 - 00012203 _____ C:\Users\Akdzxqpv\HoTaC0k.sql
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Zuyel
2017-05-17 18:05 - 2017-05-17 18:05 - 00000000 ___HD C:\Users\Akdzxqpv

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Hi Kevin,

Thanks for creating the fixlist! I have attached the output. However, it seems that these users / files have already been deleted and new ones have been created. I am going to uninstall Cybereason Ransomfree as it seems to be the culprit for these "random" users / files (see attached).

As noted by Fabian on the Bleeping Computer site (https://www.bleepingcomputer.com/news/security/ransomfree-is-the-latest-app-that-tries-to-stop-ransomware-infections-on-windows/), the methodology used by Cybereason is flawed. Another reason to uninstall.

Thanks!
Liam.

Fixlog.txt

Random_Users.png

Liam,

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.


Hi Kevin,

Apologies for the delay in responding to your last post!

I have attached two scans from EEK. The first (scan_170529-113754.txt) is the standard scan and the second (scan_170529-114608) is a direct access rootkit scan. Also attached is the FRST.txt and the Addition.txt.

Interestingly, there are an "A" and "Z" users created yesterday:

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-28 23:24 - 2017-05-28 23:24 - 00522681 _____ C:\Users\Akwnl\debate-phenomena-civilization.xlsx
2017-05-28 23:24 - 2017-05-28 23:24 - 00515898 _____ C:\Users\Zjvm\2zLYtQRu1.xlsx
2017-05-28 23:24 - 2017-05-28 23:24 - 00218806 _____ C:\Users\Zjvm\plates-succeed-cultural-find.mdb
2017-05-28 23:24 - 2017-05-28 23:24 - 00207208 _____ C:\Users\Akwnl\joe-tent-lately.mdb
2017-05-28 23:24 - 2017-05-28 23:24 - 00068614 _____ C:\Users\Akwnl\exists.correction.rival.hydrogen.xls
2017-05-28 23:24 - 2017-05-28 23:24 - 00068304 _____ C:\Users\Zjvm\intensity.could.origin.xls
2017-05-28 23:24 - 2017-05-28 23:24 - 00056748 _____ C:\Users\Akwnl\WdOJocCN.pem
2017-05-28 23:24 - 2017-05-28 23:24 - 00054772 _____ C:\Users\Zjvm\diffusion-crush-valid.pem
2017-05-28 23:24 - 2017-05-28 23:24 - 00021050 _____ C:\Users\Zjvm\northmoist.txt
2017-05-28 23:24 - 2017-05-28 23:24 - 00015596 _____ C:\Users\Zjvm\refute-difficulty-core-plant.sql
2017-05-28 23:24 - 2017-05-28 23:24 - 00014948 _____ C:\Users\Akwnl\hesitation rate fault scientists.txt
2017-05-28 23:24 - 2017-05-28 23:24 - 00011277 _____ C:\Users\Akwnl\navy talents mess.sql
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware. Just leave it here
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Zjvm
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Ximages222
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Alog81
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Akwnl
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\Xvalue111
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\arversions220

It would appear that Cybereason RansomFree is creating random "A" and "Z" users at regular intervals and removing the previously created users. Should I uninstall this application?

Thanks!
Liam.

scan_170529-113754.txt

scan_170529-114608.txt

FRST.txt

Addition.txt

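Reading a listing like the two quoted above (the 2017-05-17 and 2017-05-28 scans) by hand is error-prone, and the same question comes up with any decoy-based anti-ransomware product. The Python below is an added example, not code from this thread, from Emsisoft, or from Cybereason: it parses FRST "One Month Created files and folders" lines and flags the pattern visible in the post, namely two or more new hidden profile directories under C:\Users created in the same minute, document-like files written into them, and the "This folder protects against Ransomware" Desktop folder. The sample input is the second listing copied from the post plus two constructed benign C:\FRST and C:\EEK entries; the known-user list is an assumption taken from the names mentioned in this thread. The heuristic is inferred from this listing alone, not from any vendor documentation, so a hit means "investigate which product seeded these", not "confirmed RansomFree".

```python
"""Flag bursts of hidden profile directories and decoy files in an FRST
"One Month Created files and folders" listing (added example, not FRST code)."""
import re
from collections import defaultdict

# Constructed sample input: the 2017-05-28 listing quoted in the post above,
# plus two made-up benign entries for the FRST and EEK tool folders.
FRST_SAMPLE = r"""
2017-05-29 11:37 - 2017-05-29 11:38 - 00000000 ____D C:\FRST
2017-05-29 11:30 - 2017-05-29 11:46 - 00000000 ____D C:\EEK
2017-05-28 23:24 - 2017-05-28 23:24 - 00522681 _____ C:\Users\Akwnl\debate-phenomena-civilization.xlsx
2017-05-28 23:24 - 2017-05-28 23:24 - 00515898 _____ C:\Users\Zjvm\2zLYtQRu1.xlsx
2017-05-28 23:24 - 2017-05-28 23:24 - 00218806 _____ C:\Users\Zjvm\plates-succeed-cultural-find.mdb
2017-05-28 23:24 - 2017-05-28 23:24 - 00207208 _____ C:\Users\Akwnl\joe-tent-lately.mdb
2017-05-28 23:24 - 2017-05-28 23:24 - 00068614 _____ C:\Users\Akwnl\exists.correction.rival.hydrogen.xls
2017-05-28 23:24 - 2017-05-28 23:24 - 00068304 _____ C:\Users\Zjvm\intensity.could.origin.xls
2017-05-28 23:24 - 2017-05-28 23:24 - 00056748 _____ C:\Users\Akwnl\WdOJocCN.pem
2017-05-28 23:24 - 2017-05-28 23:24 - 00054772 _____ C:\Users\Zjvm\diffusion-crush-valid.pem
2017-05-28 23:24 - 2017-05-28 23:24 - 00021050 _____ C:\Users\Zjvm\northmoist.txt
2017-05-28 23:24 - 2017-05-28 23:24 - 00015596 _____ C:\Users\Zjvm\refute-difficulty-core-plant.sql
2017-05-28 23:24 - 2017-05-28 23:24 - 00014948 _____ C:\Users\Akwnl\hesitation rate fault scientists.txt
2017-05-28 23:24 - 2017-05-28 23:24 - 00011277 _____ C:\Users\Akwnl\navy talents mess.sql
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 __SHD C:\Users\new\Desktop\ This folder protects against Ransomware. Just leave it here
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Zjvm
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Ximages222
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\new\Documents\Alog81
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ___HD C:\Users\Akwnl
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\Xvalue111
2017-05-28 23:24 - 2017-05-28 23:24 - 00000000 ____D C:\arversions220
"""

# FRST line: "<created> - <modified> - <size> <attrs> <path>", attrs are the
# five-character R/A/S/H/D column ("___HD" = hidden directory).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_RASHD]{5}) (?P<path>.+)$"
)
PROFILE_RE = re.compile(r"^C:\\Users\\([^\\]+)$", re.IGNORECASE)
DECOY_MARKER = "This folder protects against Ransomware"


def parse_frst_created(text):
    """Parse FRST 'created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def find_decoy_bursts(entries, known_users):
    """Group entries by creation minute and report clusters that look like
    honeypot seeding: two or more unknown hidden profile directories created
    in the same minute, with files written into them."""
    known = {u.lower() for u in known_users}
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e["created"]].append(e)

    findings = []
    for stamp, group in sorted(by_minute.items()):
        new_profiles = set()
        for e in group:
            m = PROFILE_RE.match(e["path"])
            if m and "D" in e["attrs"] and "H" in e["attrs"] \
                    and m.group(1).lower() not in known:
                new_profiles.add(m.group(1))
        if len(new_profiles) < 2:
            continue  # a single new profile is normal (new account, new user)

        # Non-directory entries created inside the suspect profiles in that minute.
        inside = [
            e for e in group
            if "D" not in e["attrs"]
            and any(e["path"].lower().startswith(f"c:\\users\\{p.lower()}\\")
                    for p in new_profiles)
        ]
        findings.append({
            "created": stamp,
            "new_profiles": sorted(new_profiles),
            "decoy_files": len(inside),
            "extensions": sorted({e["path"].rsplit(".", 1)[-1].lower() for e in inside}),
            "desktop_marker": any(DECOY_MARKER in e["path"] for e in group),
            # Directories dropped directly under C:\ in the same minute.
            "root_dirs": sorted(
                e["path"] for e in group
                if "D" in e["attrs"] and re.fullmatch(r"C:\\[^\\]+", e["path"], re.IGNORECASE)
            ),
        })
    return findings


def triage(text, known_users=("new", "Yer Woman", "Public", "Default")):
    """Parse then scan. The default known-user list is an assumption taken
    from the account names mentioned in this thread."""
    return find_decoy_bursts(parse_frst_created(text), known_users)


if __name__ == "__main__":
    for f in triage(FRST_SAMPLE):
        print(f"{f['created']}: profiles {f['new_profiles']}, "
              f"{f['decoy_files']} files {f['extensions']}, "
              f"desktop marker={f['desktop_marker']}, root dirs {f['root_dirs']}")
```

To use it on a real log, paste the "One Month Created files and folders" section of FRST.txt into `FRST_SAMPLE` (or read the file and pass its text to `triage`) and put every account you actually created in `known_users`; anything left over with a matching timestamp and decoy files is what to correlate against installed security products before touching it with a fixlist.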

Yes, uninstall RansomFree.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
HKU\S-1-5-21-2860326244-2907990433-3158645314-1000\...\Policies\Explorer: [NoDrives] 2
Startup: C:\Users\new\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RescueTime.lnk [2017-04-28]
ShortcutTarget: RescueTime.lnk -> C:\Program Files (x86)\RescueTime\RescueTime.exe (No File)
2017-05-19 19:21 - 2017-05-19 19:22 - 1382032 _____ (RescueTime, Inc.                                            ) C:\Users\new\AppData\Local\Temp\RescueTimeInstaller.exe
AlternateDataStreams: C:\ProgramData\TEMP:84098FD3 [133]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


That should take care of everything.  AutoHotKey is not malicious, if it is still being detected you can whitelist the detection.


Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore

  • Click the Run button.


When the tool is finished, a log will open in notepad. I do not need the log.  You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner


Run CCleaner

  • Open the CCleaner Folder on your Desktop and double-click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • Click "Options" and choose "Advanced"
  • Uncheck "Only delete files in Windows Temp folders older than 24 hours"
  • Then go back to "Cleaner" and click the "Run Cleaner" button.
  • Exit CCleaner.


You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your system drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.
