cpctech, posted October 10, 2018:

Emsisoft and other tools have cleaned this machine up, but because there are so many things out there that could hide, I thought I would run these logs by you to see if I missed anything. This computer's accounts were hacked about the same time Facebook was recently hacked.

Attachments: FRST-2018-10-10-1205.txt, Addition-2018-10-10-1205.txt, scan_181010-115115.txt
Kevin Zoll, posted October 10, 2018:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
BHO-x32: No Name -> {DCC39ACE-709B-44EA-B062-5F6BE2774644} -> No File
FF Plugin HKU\S-1-5-21-2767729402-2400587653-1126618633-1001: www.exent.com/GameTreatWidget -> C:\Program Files (x86)\Free Ride Games\npGameTreatWidget.dll [No File]
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
Task: {F8634D62-E919-401B-910E-774FF44A357E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
AlternateDataStreams: C:\1940 United States Federal Census - Lawrence William Lathrop(1).jpg:com.dropbox.attributes [424]
AlternateDataStreams: C:\ProgramData\TEMP:036B81D9 [167]
AlternateDataStreams: C:\ProgramData\TEMP:0492851D [380]
AlternateDataStreams: C:\ProgramData\TEMP:05670151 [137]
AlternateDataStreams: C:\ProgramData\TEMP:12F3508C [112]
AlternateDataStreams: C:\ProgramData\TEMP:18FE55C1 [286]
AlternateDataStreams: C:\ProgramData\TEMP:1A14B3AF [234]
AlternateDataStreams: C:\ProgramData\TEMP:1D476AA6 [498]
AlternateDataStreams: C:\ProgramData\TEMP:24C072FF [426]
AlternateDataStreams: C:\ProgramData\TEMP:24FECE50 [105]
AlternateDataStreams: C:\ProgramData\TEMP:260575F1 [400]
AlternateDataStreams: C:\ProgramData\TEMP:2AE74FF9 [237]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2DAD076E [392]
AlternateDataStreams: C:\ProgramData\TEMP:31C9BA96 [229]
AlternateDataStreams: C:\ProgramData\TEMP:39CB2031 [177]
AlternateDataStreams: C:\ProgramData\TEMP:3A0C7C36 [132]
AlternateDataStreams: C:\ProgramData\TEMP:413177C4 [239]
AlternateDataStreams: C:\ProgramData\TEMP:49E5C2C5 [426]
AlternateDataStreams: C:\ProgramData\TEMP:4C71A42B [252]
AlternateDataStreams: C:\ProgramData\TEMP:50E2DC97 [308]
AlternateDataStreams: C:\ProgramData\TEMP:566B9179 [129]
AlternateDataStreams: C:\ProgramData\TEMP:5A0DD071 [394]
AlternateDataStreams: C:\ProgramData\TEMP:5BF440AD [145]
AlternateDataStreams: C:\ProgramData\TEMP:5C934C5D [244]
AlternateDataStreams: C:\ProgramData\TEMP:5F423DFF [248]
AlternateDataStreams: C:\ProgramData\TEMP:63931674 [237]
AlternateDataStreams: C:\ProgramData\TEMP:65FE83E4 [128]
AlternateDataStreams: C:\ProgramData\TEMP:6E03926D [169]
AlternateDataStreams: C:\ProgramData\TEMP:70E897B5 [466]
AlternateDataStreams: C:\ProgramData\TEMP:726BAC68 [178]
AlternateDataStreams: C:\ProgramData\TEMP:73502E2B [143]
AlternateDataStreams: C:\ProgramData\TEMP:7687A3E3 [168]
AlternateDataStreams: C:\ProgramData\TEMP:7AE124EF [137]
AlternateDataStreams: C:\ProgramData\TEMP:7B212553 [128]
AlternateDataStreams: C:\ProgramData\TEMP:7C76EAF6 [191]
AlternateDataStreams: C:\ProgramData\TEMP:7DC5D762 [448]
AlternateDataStreams: C:\ProgramData\TEMP:90CCECEC [177]
AlternateDataStreams: C:\ProgramData\TEMP:9195103F [458]
AlternateDataStreams: C:\ProgramData\TEMP:91D94DDC [245]
AlternateDataStreams: C:\ProgramData\TEMP:99A29126 [408]
AlternateDataStreams: C:\ProgramData\TEMP:9C435C94 [251]
AlternateDataStreams: C:\ProgramData\TEMP:9D0A16E4 [184]
AlternateDataStreams: C:\ProgramData\TEMP:A3B8F70C [456]
AlternateDataStreams: C:\ProgramData\TEMP:A441D13F [466]
AlternateDataStreams: C:\ProgramData\TEMP:A4CDE823 [492]
AlternateDataStreams: C:\ProgramData\TEMP:AE0B1F48 [177]
AlternateDataStreams: C:\ProgramData\TEMP:B17A4A83 [168]
AlternateDataStreams: C:\ProgramData\TEMP:B8791731 [233]
AlternateDataStreams: C:\ProgramData\TEMP:C22674B6 [402]
AlternateDataStreams: C:\ProgramData\TEMP:C6F9F83E [259]
AlternateDataStreams: C:\ProgramData\TEMP:C7A2F0B9 [118]
AlternateDataStreams: C:\ProgramData\TEMP:CAE2C3A5 [432]
AlternateDataStreams: C:\ProgramData\TEMP:D8A1AC56 [482]
AlternateDataStreams: C:\ProgramData\TEMP:E32966C0 [400]
AlternateDataStreams: C:\ProgramData\TEMP:E80802C7 [434]
AlternateDataStreams: C:\ProgramData\TEMP:F072AFAF [416]
AlternateDataStreams: C:\ProgramData\TEMP:F41F8101 [442]
AlternateDataStreams: C:\ProgramData\TEMP:FAFEC4B9 [484]
AlternateDataStreams: C:\Users\Birdie\Documents\2016-02-09 Khoday v. Symantec Corp (Bert).pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\2016-02-09 Khoday v. Symantec Corp (Wil).pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\baby bib..docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\from Vicki.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Genealogy.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\In case of emergency.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Irwin Drug account audit.xlsx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Payment Confirmation-Avista 2016-03-16.pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Prayer.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Rheumatoid Arthritis Health Center.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\This yellow spice has more to it than a delicious flavor, etc. quilting.docx:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\TrueCrypt User Guide.pdf:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Birdie\Documents\Woodland Cenetery.jpg:com.dropbox.attributes [426]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
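The fixlist above removes a long run of "AlternateDataStreams:" entries that FRST reported (numeric streams on C:\ProgramData\TEMP and com.dropbox.attributes streams on documents). The script below is an added example, not part of the thread and not FRST's or Emsisoft's code: it enumerates alternate data streams on every file under a folder and previews their contents so a reviewer can tell sync-client metadata from something that deserves a closer look before anything is deleted. It assumes Windows PowerShell 3.0 or later (or PowerShell 7) on an NTFS volume; the default folder and the "known metadata" stream names are assumptions chosen to match the entries in this thread.

```powershell
# Added example (not from the thread, FRST or Emsisoft): list alternate data
# streams (ADS) under a folder, with a short printable preview of each stream.
# Assumes Windows PowerShell 3.0+ / PowerShell 7 and an NTFS volume.
param(
    [string]$Root     = "$env:ProgramData\TEMP",  # assumed default; pass any folder
    [int]   $MaxChars = 120                       # preview length per stream
)

# Stream names commonly written by Windows and sync clients as metadata
# (assumed list; Zone.Identifier is the mark-of-the-web, com.dropbox.attributes
# appears on the files in this thread). Anything else is flagged for review.
$knownMetadata = @('Zone.Identifier', 'com.dropbox.attributes')

$findings = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has the unnamed ':$DATA' stream; any other stream is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $text = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                if ($null -eq $text) { $text = '' }
                # Replace non-printable characters so binary blobs show up as dots.
                $preview = $text.Substring(0, [Math]::Min($text.Length, $MaxChars)) -replace '[^\x20-\x7E]', '.'
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Length  = $_.Length
                    Review  = if ($knownMetadata -contains $_.Stream) { 'metadata' } else { 'REVIEW' }
                    Preview = $preview
                }
            }
    }

# Largest and unrecognised streams first: those are the ones worth a closer look.
$findings | Sort-Object @{Expression = 'Review'; Descending = $true}, @{Expression = 'Length'; Descending = $true} |
    Format-Table -AutoSize -Wrap
```

Run it as a saved .ps1 with the folder to inspect as `-Root`; the output lists one row per stream. A stream whose preview is readable JSON or a short tag is almost always sync or browser metadata, while an unnamed hex stream with an opaque preview on a file under ProgramData\TEMP is the kind of entry worth confirming against the scanner's findings before removal.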
cpctech, posted October 10, 2018:

Here is the fixlog.

Attachment: Fixlog-2018-10-10-1639.txt
Kevin Zoll, posted October 10, 2018:

That should take care of the issues I saw in the logs.
cpctech, posted October 11, 2018:

So everything should be good to go now?
Kevin Zoll, posted October 11, 2018:

Should be. If you want, you can run a fresh scan with FRST and send the new FRST logs.
cpctech, posted October 12, 2018:

I am not sure what is causing it, but something keeps writing a file named Program (no extension) to the root of C:\. It seems as though something is still trying to infect this machine. I'll run new EEK and FRST again and post in a little while (probably tomorrow).
cpctech, posted October 12, 2018:

So I had this problem show up on another computer I am working on. I looked at the file C:\Program (that is supposed to be C and : and \) with Notepad and found it to be an Emsisoft log file.
Kevin Zoll, posted October 12, 2018:

That's interesting. Emsisoft does not save logs to the root of the system drive, or at least it should not. What date was the log created?
cpctech, posted October 13, 2018 (edited):

On both machines, on the day that I ran Emsisoft. When I get to the office where one of the machines is, I'll attach the log. I will have to remote into the machine that this thread is about. I'll get its log as well, and I will title them accordingly.

(Edited October 13, 2018 by cpctech: More information provided w/o starting a new reply.)
cpctech, posted October 13, 2018:

OK, here are the files.

Attachments: Program1, Program_from_other_pc
Kevin Zoll, posted October 13, 2018:

Both of those are Emsisoft Commandline Scanner logs. The only way they could have been saved to the root folder of the system drive was for the scanner to be told to save them there.
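The extensionless C:\Program file that looked like a reinfection turned out to be a scanner log. The script below is an added example, not from the thread or from Emsisoft, for triaging that situation without opening unknown files in an editor: it lists every extensionless file in the root of the system drive and reports size, timestamps, a SHA-256 hash, a text-or-binary guess from the first 512 bytes, and the first line of text, which is enough to recognise a plain-text log. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and read access to the files. As a general observation not established in this thread, a file literally named C:\Program is also what you get when a path such as C:\Program Files\... is passed to a command-line tool without quotes and the tool treats the text up to the first space as its output path, which is consistent with the log having been written where the scanner was told to write it.

```powershell
# Added example (not from the thread or Emsisoft): triage extensionless files in the
# root of the system drive, such as the C:\Program file discussed above.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and read access to the files.
param([string]$Drive = $env:SystemDrive)   # e.g. "C:"

function Test-LooksLikeText {
    # Crude text/binary check: plain-text logs contain no NUL bytes in their first 512 bytes.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 512
        $n   = $fs.Read($buf, 0, $buf.Length)
    } finally {
        $fs.Dispose()
    }
    return ($n -eq 0) -or (-not ($buf[0..($n - 1)] -contains 0))
}

Get-ChildItem -LiteralPath "$Drive\" -File -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Extension } |          # extensionless files only
    ForEach-Object {
        $firstLine = Get-Content -LiteralPath $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue
        if ($null -eq $firstLine) { $firstLine = '' }
        [pscustomobject]@{
            Name      = $_.Name
            Bytes     = $_.Length
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LooksText = Test-LooksLikeText -Path $_.FullName
            FirstLine = $firstLine.Substring(0, [Math]::Min($firstLine.Length, 80))
        }
    } | Format-List
```

The creation timestamp answers the question Kevin asked (when the log was created) and can be matched against the time the scanner was run; a LooksText of True together with a recognisable first line is the quick confirmation that the file is a log rather than a dropped executable, while a binary file in that location is the case that warrants a proper scan and a new FRST log.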
Kevin Zoll, posted October 18, 2018:

Thread Closed. Reason: Lack of Response.

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.