Trekerj Posted October 5, 2017

Several changes were made automatically to my PC and appeared after updating my Emsisoft Anti-Malware. First, my licence for Internet guard switched to Anti-Malware only (the last update to my Internet Security files was 9/29/2017, and I cannot run the application); second, when this happened the Emsisoft firewall software changed to the Windows 10 native firewall and it does not seem to be functioning correctly; third, a new network device showed up, RalinkLinuxClient, with the MAC address of cc:95:d7:3a:82:18 with no IP address. A quick search of the MAC address reported it to be from malware, which I think created a new process called c:\windows\system32\taskkill.exe. The emergency kit run does not show any suspicious files, nor did my nightly scan. Thoughts on what is going on, and how do I get the Emsisoft firewall back? Thanks.

Attachments: logs.db3, Addition.txt, FRST.txt

ShadowPuterDude Posted October 5, 2017

The automatic downgrade of EIS to EAM was published a couple of months ago, when we announced that we had decided to discontinue EIS and place it in an accelerated End-of-Life cycle. EIS licenses were converted to EAM licenses and the remaining time on the EIS license was extended to compensate for the higher cost of EIS. EIS was downgraded with the 2017.9 update.

logs.db3 is not a scan report; it is an SQLite database file. You can find the EEK scan reports under Logs -> Scan logs. Just export the latest scan log and attach it to your reply.

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-3536669321-2452747631-4105606700-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-3536669321-2452747631-4105606700-1001\...\Policies\Explorer: []
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
CHR HKLM-x32\...\Chrome\Extension: [nfengeggddojhakldhlpjdlddgkkjkdd] - <no Path/update_url>
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxlctlfudivq`qsp`28hfm [0]
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Trekerj (Author) Posted October 6, 2017

Hi Kevin, not sure how I missed the software downgrade messages, but clearly my bad. Ran the fixlist, which seemed to clear up a few of the issues I was having. Chrome now gets through the Windows Firewall. I still have the device Ralink Wireless Linux Client showing up on my home network. With some continued research, it looks like this may be some 'plug and play' device showing up on my network. Is this something you think I should be concerned with?

Attachments: Fixlog.txt, scan_171004-205502.txt

ShadowPuterDude Posted October 6, 2017

4 hours ago, Trekerj said: "Ralink Wireless Linux Client"

It could be your router. Run a fresh scan with FRST, attach the new FRST logs to your reply.

Trekerj (Author) Posted October 8, 2017

Thanks Kevin, here are the post-fix logs.

Attachments: Addition.txt, FRST.txt

ShadowPuterDude Posted October 9, 2017

Your logs look fine. The system does not appear to be infected.