Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Have I been hacked? Accounts & passwords found in plain txt files

  • Please log in to reply
4 replies to this topic

#1 ts1520


  • Members
  • 5 posts
  • Gender:Male
  • Local time:08:41 PM

Posted 28 February 2016 - 11:04 AM

I was trolling thru directories and came across plain text files in the Program Data directory that had account logins and URLs with my user name and passwords in them. 

The files 1, 218930EM, 218390P, 27323, 955942P, and weerrretm.exe did not have read /write permissions enabled, only execute. 


I'm really worried now - Is deleting and changing passwords enough or do I need to do something more? Maybe it's to late. 


    Directory: C:\ProgramData\218390
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         1/9/2016   2:16 PM            388 01-09-2016.txt
-a----        1/10/2016   8:24 PM           6276 01-10-2016.txt
-a----        1/11/2016   7:57 PM           1702 01-11-2016.txt
-a----        1/12/2016   9:19 PM            738 01-12-2016.txt
-a----        1/13/2016   9:04 PM           2942 01-13-2016.txt
-a----        1/14/2016   8:45 PM            457 01-14-2016.txt
-a----        1/15/2016   7:44 PM            978 01-15-2016.txt
-a----         1/9/2016  11:54 AM              0 1
-a----         1/9/2016   2:22 PM          99328 218390EM
-a----         1/9/2016   2:17 PM         348160 218390P
-a----        1/16/2016   5:37 AM        1814016 27323
-a----        1/16/2016   4:05 AM         348160 955942P
-a----        1/13/2016   8:43 PM            582 Account.log.txt
-a----        1/13/2016   8:44 PM            447 Amazon.log.txt
-a----        1/15/2016   7:35 PM           1406 bank.log.txt
-a----        1/16/2016   4:38 AM        1622334 weerrretm.exe
File content example -- real info masked.
[My Verizon Online Sign In - Verizon Wireless - Google Chrome]
<login name>
[Login Page ‎- Microsoft Edge]
<login name>
[Sign in to xxx Online Banking - Google Chrome]
<login name>
[Amazon.com Sign In - Google Chrome]
<login name>
<old password>

<old password>


Thanks for the help.

Edited by ts1520, 28 February 2016 - 11:05 AM.

BC AdBot (Login to Remove)


#2 RolandJS


  • Members
  • 4,539 posts
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:08:41 PM

Posted 28 February 2016 - 12:21 PM


My search for "weerrretm.exe" led me to the above URL.  I have no idea whether weWhateverEXE is really a pup or not.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.


Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)

#3 buddy215


  • Moderator
  • 13,396 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 29 February 2016 - 03:41 PM

According to Driver Information Technology Co., Ltd. Analysis - Reason Core Security Labs

weerrretm.exe (Driver Genius)  (da538dbdd2858cc8be9707ffee2620c8)
PUP...Potential unwanted program
Scan for malware and adware using the programs below.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download


Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.



Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
  • download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 ts1520

  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Local time:08:41 PM

Posted 04 March 2016 - 11:03 PM

Malwarebytes Anti-Malware
Scan Date: 2/28/2016
Scan Time: 11:25 AM
Administrator: Yes
Malware Database: v2016.02.28.04
Rootkit Database: v2016.02.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: trs1
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 364053
Time Elapsed: 5 min, 8 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 1
PUP.Optional.DownLoadAdmin, C:\Users\trs1\Downloads\isotousb-setup.exe, Quarantined, [e72d5511d3c674c2b7e234bc0ff247b9], 
Physical Sectors: 0
(No malicious items detected)
# AdwCleaner v5.037 - Logfile created 04/03/2016 at 19:45:35
# Updated 28/02/2016 by Xplode
# Database : 2016-03-02.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : trs1 - DESKTOP-OU0GMOA
# Running from : C:\Users\trs1\Downloads\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Folders ] *****
Folder Found : C:\Users\trs1\Documents\Updater
***** [ Files ] *****
***** [ DLL ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\winamp.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.winamp.com
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mplayer.en.softonic.com
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mplayer.en.softonic.com
Key Found : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
***** [ Web browsers ] *****
C:\AdwCleaner\AdwCleaner[S1].txt - [1657 bytes] - [04/03/2016 19:45:35]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1730 bytes] ##########
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 10 Home x64 
Ran by trs1 (Administrator) on Fri 03/04/2016 at 19:48:42.78
File System: 0 
Registry: 2 
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\0078361456951432mcinstcleanup (Registry Key) 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0E15506B-F0BB-499F-B3E0-FDA774655187} (Registry Key)
Scan was completed on Fri 03/04/2016 at 19:51:00.17
End of JRT log
C:\tmp\whatfund2buy\218390\weerrretm.exe MSIL/Agent.ABP trojan cleaned by deleting
C:\Users\trs1\Downloads\Intuit TurboTax Home and Business 2012.exe a variant of MSIL/Injector.AVU trojan cleaned by deleting
C:\Users\trs1\Downloads\isobuster_all_lang.exe a variant of Win32/Toolbar.Conduit.AR potentially unwanted application deleted
C:\Users\trs1\Downloads\WinZip180.exe a variant of Win32/OpenInstall potentially unwanted application cleaned by deleting

#5 buddy215


  • Moderator
  • 13,396 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 05 March 2016 - 04:50 AM

It looks like you didn't allow MBAM and AdwCleaner to remove what they found. Please rerun both and follow the directions

to choose clean when AdwCleaner finishes scanning and click the Remove Selected button when MBAM finishes scanning.


Once completing the above, start a new topic in the Malware Removal forum.


Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.


DO NOT bump your new topic. Wait for a response from one of the Team Members.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users