Susan Peach, posted January 24, 2019
Upon attempting to quarantine 4 suspicious files found during a scan, I got a message stating: "Removing these items bears an unusually high risk of crashing your operating system during automatic cleaning, as these threats are embedded deeply. The malware removal experts at the Emsisoft Support will guide you through a safe removal of these threats." Accordingly, I am attaching the requested log files as per the forum posting instructions, and await your instructions.
Attachments: scan_190124-135355.txt, Addition_24-01-2019 14.11.35.txt, FRST_24-01-2019 14.11.35.txt
Kevin Zoll, posted January 25, 2019
Hello Susan,
Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
ShellServiceObjects-x32: No Name -> {E6FB5E20-DE35-11CF-9C87-00AA005127ED} =>
SSODL-x32: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - No File
ShellExecuteHooks-x32: No Name - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - -> No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
2019-01-19 15:38 - 2015-12-17 16:43 - 000678944 _____ (WildTangent, Inc.) C:\ProgramData\uninstall2338968.exe
2019-01-19 15:35 - 2019-01-19 15:38 - 000000000 ____D C:\Users\Gerald\AppData\Roaming\WildTangent
2019-01-19 15:38 - 2015-12-17 16:43 - 000678944 _____ (WildTangent, Inc.) C:\ProgramData\uninstall2338968.exe
2009-02-05 10:16 - 2009-02-04 09:42 - 000000062 ___SH () C:\Users\Gerald\AppData\Roaming\desktop (1).ini
2009-02-05 10:16 - 2016-11-23 20:42 - 000000062 ___SH () C:\Users\Gerald\AppData\Local\desktop (1).ini
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers-x32: [Offline Files] -> {750fdf0e-2a26-11d1-a3ea-080036587f03} => -> No File
ContextMenuHandlers1-x32: [!NetFax0] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32: [!NetFax1] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32: [!NetFax2] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32: [!NetFax3] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32: [!NetFax4] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32-x32: [!NetFax5] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32-x32-x32: [!NetFax6] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers1-x32-x32-x32-x32-x32-x32-x32-x32: [!NetFax7] -> {35308360-D4A6-436D-B701-1FEC7E96BA48} => C:\windows\System32\spool\drivers\w32x86\3\NetFaxShell.dll -> No File
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Task: {0C2E1A1E-2F5A-40B8-BB7E-F9CDFE3BCE67} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {E013D9EF-8BBD-4E2A-B494-A36BFABC6476} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant printer driver installation => C:\WINDOWS\TEMP\sp77849.exe <==== ATTENTION
C:\WINDOWS\TEMP\sp77849.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\W3I" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3064643449-3981555495-736014380-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3064643449-3981555495-736014380-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}" /f
End::
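As an added illustration, not part of the thread and not an Emsisoft or FRST tool: a small Python script that checks a FRST fixlist has its Start:: and End:: markers and summarizes which files, registry keys and orphaned entries the fix would touch, so a reader can review a fixlist before clicking Fix. The sample fixlist is constructed to mirror the entry types used in the fix above.

```python
import re

# Constructed sample in FRST's Start::/End:: fixlist format, mirroring the entry
# shapes seen in this thread: a BHO CLSID with no backing file, a dated file entry,
# a flagged scheduled task, a bare file path and a "reg delete" line.
SAMPLE_FIXLIST = r"""Start::
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
2019-01-19 15:38 - 2015-12-17 16:43 - 000678944 _____ (WildTangent, Inc.) C:\ProgramData\uninstall2338968.exe
Task: {0C2E1A1E-2F5A-40B8-BB7E-F9CDFE3BCE67} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
C:\WINDOWS\TEMP\sp77849.exe
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\W3I" /f
End::
"""

# "<created> - <modified> - <size> <attrs> [(company)] <path>" entries from the FRST log
DATED_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - ")
# First Windows drive path on the line, up to end of line or a "<====" marker
WIN_PATH = re.compile(r"([A-Za-z]:\\[^\"<]*?)\s*(?:<====|$)")
REG_KEY = re.compile(r'^Reg: reg delete "([^"]+)"')


def summarize_fixlist(text):
    """Validate the Start::/End:: frame and bucket each directive by what it affects."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "Start::" or lines[-1] != "End::":
        raise ValueError("fixlist must begin with Start:: and end with End::")
    summary = {"files": [], "registry_keys": [], "orphaned": [], "attention": [], "other": []}
    for line in lines[1:-1]:
        # FRST marks entries it considers suspicious; collect them regardless of type
        if "<==== ATTENTION" in line:
            summary["attention"].append(line.split(" <====")[0])
        m = REG_KEY.match(line)
        if m:
            summary["registry_keys"].append(m.group(1))
        elif DATED_ENTRY.match(line) or re.match(r"^[A-Za-z]:\\", line):
            # Dated log entries and bare paths both mean "delete this file/folder"
            summary["files"].append(WIN_PATH.search(line).group(1).rstrip())
        elif line.endswith("-> No File") or "-> No File <====" in line:
            # Registry entries whose target file no longer exists (orphaned CLSIDs, tasks)
            summary["orphaned"].append(line.split(":", 1)[0])
        else:
            summary["other"].append(line)
    return summary


if __name__ == "__main__":
    for bucket, items in summarize_fixlist(SAMPLE_FIXLIST).items():
        print(f"{bucket}: {items}")
```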
Susan Peach (author), posted January 25, 2019
Attaching fixlog.txt file as requested. Note that FRST did not read from the clipboard, so I created a new .txt document with that name and saved it in Unicode format. Hopefully this is correct. I currently have a message on my computer screen that I need to restart. I will wait to do that until I receive further instructions from you.
Attachment: Fixlog.txt
Kevin Zoll, posted January 26, 2019
Susan,
Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
Susan Peach (author), posted January 26, 2019
Shut down and restarted the computer as prompted by FRST after running the fix provided. Ran new EEK and FRST scans (attached). Prior to restarting the computer we did have one instance of a hijack/redirect while viewing cnn.com, but have not had one yet since restarting. We do sometimes get a message on a yellow background at the top of a web page that "a web page is slowing down your browser" and have seen this once since restarting, but I am not sure if this is related to the hijack issue or something else.
Attachments: scan_190125-182548.txt, FRST.txt
Kevin Zoll, posted January 27, 2019
The "a web page is slowing down your browser" message is displayed when a page is slow loading web resources. It usually happens on pages that have lots of graphics or videos. Your FRST log is empty. Please do a fresh scan with FRST again.
Susan Peach (author), posted January 27, 2019
New FRST scan attached; sorry, not sure why the other was empty.
Attachment: FRST_26-01-2019 18.20.12.txt
Kevin Zoll, posted January 29, 2019
Susan,
Your FRST log looks fine. How are things running?
Susan Peach (author), posted January 29, 2019
So far so good, no more hijacks since running the fix, so I think we're good. Thanks very much for your help.
Kevin Zoll, posted January 30, 2019
Susan,
Now to remove most of the tools that we have used in fixing your machine:
Download Delfix from here and save it to your Desktop.
Ensure Remove disinfection tools is checked. Also place a checkmark next to:
Create registry backup
Purge system restore
Click the Run button. When the tool is finished, a log will open in Notepad. I do not need the log. You can close Notepad.
Empty the Recycle Bin.
You can delete and uninstall any programs I had you download that you do not wish to keep on the system. To remove EEK, simply delete the EEK folder in the root of your system drive, normally C:\EEK.
Run Windows Update and update your Windows operating system.
Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?
That should take care of everything. Safe Surfing!
Susan Peach (author), posted January 31, 2019
All done as instructed. Thanks again for your help, much appreciated!
Kevin Zoll, posted February 1, 2019
Susan,
You are welcome.
Thread Closed. Reason: Resolved. PM either Kevin, Elise, or Arthur to have this thread reopened.
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the operating system beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.