CLOSED I think we may have gotten everything but wanted to be sure.

[cpctech 0]

Emsi soft and other tools have cleaned this machine up, but because there are so many things out there that could hide, I thought I would run these logs by you to see if I missed anything.

This computer's accounts were hacked about the same time Facebook was recently hacked.

FRST-2018-10-10-1205.txt

Addition-2018-10-10-1205.txt

scan_181010-115115.txt

[Kevin Zoll 309]

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
BHO-x32: No Name -> {DCC39ACE-709B-44EA-B062-5F6BE2774644} -> No File
FF Plugin HKU\S-1-5-21-2767729402-2400587653-1126618633-1001: www.exent.com/GameTreatWidget -> C:\Program Files (x86)\Free Ride Games\npGameTreatWidget.dll [No File]
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
Task: {F8634D62-E919-401B-910E-774FF44A357E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
AlternateDataStreams: C:\1940 United States Federal Census - Lawrence William Lathrop(1).jpg:com.dropbox.attributes [424]
AlternateDataStreams: C:\ProgramData\TEMP:036B81D9 [167]
AlternateDataStreams: C:\ProgramData\TEMP:0492851D [380]
AlternateDataStreams: C:\ProgramData\TEMP:05670151 [137]
AlternateDataStreams: C:\ProgramData\TEMP:12F3508C [112]
AlternateDataStreams: C:\ProgramData\TEMP:18FE55C1 [286]
AlternateDataStreams: C:\ProgramData\TEMP:1A14B3AF [234]
AlternateDataStreams: C:\ProgramData\TEMP:1D476AA6 [498]
AlternateDataStreams: C:\ProgramData\TEMP:24C072FF [426]
AlternateDataStreams: C:\ProgramData\TEMP:24FECE50 [105]
AlternateDataStreams: C:\ProgramData\TEMP:260575F1 [400]
AlternateDataStreams: C:\ProgramData\TEMP:2AE74FF9 [237]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2DAD076E [392]
AlternateDataStreams: C:\ProgramData\TEMP:31C9BA96 [229]
AlternateDataStreams: C:\ProgramData\TEMP:39CB2031 [177]
AlternateDataStreams: C:\ProgramData\TEMP:3A0C7C36 [132]
AlternateDataStreams: C:\ProgramData\TEMP:413177C4 [239]
AlternateDataStreams: C:\ProgramData\TEMP:49E5C2C5 [426]
AlternateDataStreams: C:\ProgramData\TEMP:4C71A42B [252]
AlternateDataStreams: C:\ProgramData\TEMP:50E2DC97 [308]
AlternateDataStreams: C:\ProgramData\TEMP:566B9179 [129]
AlternateDataStreams: C:\ProgramData\TEMP:5A0DD071 [394]
AlternateDataStreams: C:\ProgramData\TEMP:5BF440AD [145]
AlternateDataStreams: C:\ProgramData\TEMP:5C934C5D [244]
AlternateDataStreams: C:\ProgramData\TEMP:5F423DFF [248]
AlternateDataStreams: C:\ProgramData\TEMP:63931674 [237]
AlternateDataStreams: C:\ProgramData\TEMP:65FE83E4 [128]
AlternateDataStreams: C:\ProgramData\TEMP:6E03926D [169]
AlternateDataStreams: C:\ProgramData\TEMP:70E897B5 [466]
AlternateDataStreams: C:\ProgramData\TEMP:726BAC68 [178]
AlternateDataStreams: C:\ProgramData\TEMP:73502E2B [143]
AlternateDataStreams: C:\ProgramData\TEMP:7687A3E3 [168]
AlternateDataStreams: C:\ProgramData\TEMP:7AE124EF [137]
AlternateDataStreams: C:\ProgramData\TEMP:7B212553 [128]
AlternateDataStreams: C:\ProgramData\TEMP:7C76EAF6 [191]
AlternateDataStreams: C:\ProgramData\TEMP:7DC5D762 [448]
AlternateDataStreams: C:\ProgramData\TEMP:90CCECEC [177]
AlternateDataStreams: C:\ProgramData\TEMP:9195103F [458]
AlternateDataStreams: C:\ProgramData\TEMP:91D94DDC [245]
AlternateDataStreams: C:\ProgramData\TEMP:99A29126 [408]
AlternateDataStreams: C:\ProgramData\TEMP:9C435C94 [251]
AlternateDataStreams: C:\ProgramData\TEMP:9D0A16E4 [184]
AlternateDataStreams: C:\ProgramData\TEMP:A3B8F70C [456]
AlternateDataStreams: C:\ProgramData\TEMP:A441D13F [466]
AlternateDataStreams: C:\ProgramData\TEMP:A4CDE823 [492]
AlternateDataStreams: C:\ProgramData\TEMP:AE0B1F48 [177]
AlternateDataStreams: C:\ProgramData\TEMP:B17A4A83 [168]
AlternateDataStreams: C:\ProgramData\TEMP:B8791731 [233]
AlternateDataStreams: C:\ProgramData\TEMP:C22674B6 [402]
AlternateDataStreams: C:\ProgramData\TEMP:C6F9F83E [259]
AlternateDataStreams: C:\ProgramData\TEMP:C7A2F0B9 [118]
AlternateDataStreams: C:\ProgramData\TEMP:CAE2C3A5 [432]
AlternateDataStreams: C:\ProgramData\TEMP:D8A1AC56 [482]
AlternateDataStreams: C:\ProgramData\TEMP:E32966C0 [400]
AlternateDataStreams: C:\ProgramData\TEMP:E80802C7 [434]
AlternateDataStreams: C:\ProgramData\TEMP:F072AFAF [416]
AlternateDataStreams: C:\ProgramData\TEMP:F41F8101 [442]
AlternateDataStreams: C:\ProgramData\TEMP:FAFEC4B9 [484]
AlternateDataStreams: C:\Users\Birdie\Documents\2016-02-09 Khoday v. Symantec Corp (Bert).pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\2016-02-09 Khoday v. Symantec Corp (Wil).pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\baby bib..docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\from Vicki.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Genealogy.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\In case of emergency.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Irwin Drug account audit.xlsx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Payment Confirmation-Avista 2016-03-16.pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Prayer.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Rheumatoid Arthritis Health Center.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\This yellow spice has more to it than a delicious flavor, etc. quilting.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\TrueCrypt User Guide.pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Woodland Cenetery.jpg:com.dropbox.attributes [426]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[cpctech 0]

Here is the fixlog.

 

Fixlog-2018-10-10-1639.txt

[Kevin Zoll 309]

That should take care of the issues I saw in the logs.

[cpctech 0]

So everything should be good to go now?

[Kevin Zoll 309]

Should be, if you want you can run a fresh scan with FRSTand send the new FRST logs.

[cpctech 0]

I am not sure what is causing it, but something keeps writing a file named Program (no ext) to the root of C:\  It seems as though something is still trying to infect this machine.  I'll run new EEK and FRST again and post in a little while. (probably tomorrow)

[cpctech 0]

So I had this problem show up on another computer I am working on.

I looked at the file C😕(that is supposed to be C and : and \) Program with notepad and found it to be a Emsisoft Log file.

 

[Kevin Zoll 309]

That's interesting.  Emsisoft does not save logs to the root of the system drive or at least it should not.  What date was the log created?

[cpctech 0]

On both the machines on the day that I ran emsisoft. When I get to the office where one of the machines are I'll attach the log.  I will have to remote into the machine that this thread is about. I'll get it's log as well and I will title them accordingly.

Edited October 13, 2018 by cpctech
More information provided w/o starting a new reply.

[cpctech 0]

Ok here are the files.

Program1

Program_from_other_pc

[Kevin Zoll 309]

Both of those are Emsisoft Commandline Scanner logs.  The only way they could have been saved to the Root folder of the system drive was for the scanner to be told to save them there.

[Kevin Zoll 309]

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread