
malicious folder? Found in C 6749525315573233238


This topic is locked
7 replies to this topic

#1 axuy09 (Members, 83 posts)

Posted 03 June 2018 - 03:22 AM

Hi, yesterday after a BSOD I noticed this folder in my C drive: "C:\6749525315573233238"

I was redirected to start a new thread by Buddy215. After posting, I decided to be proactive & followed this guide (step by step).

Used Revo Uninstaller to uninstall “super antispyware”. Is this still a good program, or are there better alternatives?

I followed this & updated programs. Unsure how to update drivers or BIOS.

I have scanned using AdwCleaner, Malwarebytes, HitmanPro & RogueKiller, but I do not think that the malware/virus or trojan has been removed; I logged on to find the time had changed.

Not sure if this is noteworthy, but some features of Adobe (like reading aloud speech & restoring) do not work.

It is not allowing me to post with logs; I keep getting an error message that the post is too long. Logs attached.

Thanks for your help.


#2 nasdaq (Malware Response Team, 40,461 posts, Montreal, QC, Canada)

Posted 03 June 2018 - 07:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 

Used Revo uninstaller to uninstall super antispyware. Is this still a good program or are there better alternatives?

Malwarebytes is more than adequate as a replacement.
---

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-471338810-843470785-2729124550-1001\...\Run: [59D18B5FB184D47E41287162A748A18EFEC32ACD._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1588568 2018-05-26] (Google Inc.)
HKU\S-1-5-21-471338810-843470785-2729124550-1001\...\Run: [GoogleChromeAutoLaunch_D105180118C0E9C7DF8303153917726A] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1588568 2018-05-26] (Google Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]

ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ContextMenuHandlers1: [MagicISO] -> [CC]{DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File
ContextMenuHandlers4: [MagicISO] -> [CC]{DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File
ContextMenuHandlers4: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers6: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File

Task: {19D73376-8E68-4CA6-9DD6-901AA5F05B1F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {250D7717-A980-49E9-9928-26041AB20F53} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {36DA82E3-F4F4-4755-9045-B7F01D26F10D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {559F541C-BB35-4C24-AD15-8D93D3B3DC7B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {57D729F8-7722-40D7-A952-9F562455E6A6} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {6151EAEB-1FF7-4508-8F07-7D7C03CD1F6B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {6BA32F10-F07C-4506-8836-3CA4E7131D46} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {72A4AAD3-CC01-4629-98E9-912B3F0B812B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {7970D7D0-CE80-4425-BA7D-0A10A689A971} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {B94FCE85-870A-46BD-9BA7-1704CC65C9B6} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E1752A92-BDA2-4080-8CCA-8DF609E1805A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {E9463DF4-3B6C-4C74-BA16-E1C72C4A263B} - \CCleanerSkipUAC -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
C:\6749525315573233238

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon (the 3 vertical dots) located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
<<<>>>

Please post the Fixlog.txt and let me know what problem persists.

#3 axuy09 (Topic Starter, Members, 83 posts)

Posted 03 June 2018 - 10:45 PM

Hi nasdaq

Thank you for your help.

Apologies, I meant "Revo Uninstaller". Is Revo still considered good, or are there better alternatives?

Followed instructions, didn’t realise my history would be erased. Is there a way of getting my history back?

Not sure if it is resolved. Should I delete the malicious folder "6749525315573233238"?

Also, should I attach some of the logs from the guide that I followed? One said that the MBR was corrupted, which sounds serious.

I am also concerned that my drivers and/or BIOS may not be up to date.

Please find the log below.

Thanks again for all your help.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 03.06.2018
Ran by Elia (04-06-2018 11:05:49) Run:1
Running from E:\Desktop
Loaded Profiles: Elia (Available Profiles: Elia & amz_8)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-471338810-843470785-2729124550-1001\...\Run: [59D18B5FB184D47E41287162A748A18EFEC32ACD._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1588568 2018-05-26] (Google Inc.)
HKU\S-1-5-21-471338810-843470785-2729124550-1001\...\Run: [GoogleChromeAutoLaunch_D105180118C0E9C7DF8303153917726A] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1588568 2018-05-26] (Google Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]

ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ContextMenuHandlers1: [MagicISO] -> [CC]{DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File
ContextMenuHandlers4: [MagicISO] -> [CC]{DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File
ContextMenuHandlers4: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers6: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} =>  -> No File

Task: {19D73376-8E68-4CA6-9DD6-901AA5F05B1F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {250D7717-A980-49E9-9928-26041AB20F53} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {36DA82E3-F4F4-4755-9045-B7F01D26F10D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {559F541C-BB35-4C24-AD15-8D93D3B3DC7B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {57D729F8-7722-40D7-A952-9F562455E6A6} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {6151EAEB-1FF7-4508-8F07-7D7C03CD1F6B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {6BA32F10-F07C-4506-8836-3CA4E7131D46} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {72A4AAD3-CC01-4629-98E9-912B3F0B812B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {7970D7D0-CE80-4425-BA7D-0A10A689A971} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {B94FCE85-870A-46BD-9BA7-1704CC65C9B6} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E1752A92-BDA2-4080-8CCA-8DF609E1805A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {E9463DF4-3B6C-4C74-BA16-E1C72C4A263B} - \CCleanerSkipUAC -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
C:\6749525315573233238

*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-471338810-843470785-2729124550-1001\Software\Microsoft\Windows\CurrentVersion\Run\\59D18B5FB184D47E41287162A748A18EFEC32ACD._service_run" => removed successfully
"HKU\S-1-5-21-471338810-843470785-2729124550-1001\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_D105180118C0E9C7DF8303153917726A" => removed successfully
"HKLM\SOFTWARE\Policies\Google" => removed successfully
"HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{F003DA68-8256-4b37-A6C4-350FA04494DF}" => removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.1.5" => removed successfully
"HKLM\System\CurrentControlSet\Services\AdobeARMservice" => removed successfully
AdobeARMservice => service removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8"" => removed successfully
HKLM\Software\Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => not found
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\MagicISO" => removed successfully
HKLM\Software\Classes\CLSID\[CC]{DB85C504-C730-49DD-BEC1-7B39C6103B7A} => not found
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\MagicISO" => removed successfully
HKLM\Software\Classes\CLSID\[CC]{DB85C504-C730-49DD-BEC1-7B39C6103B7A} => not found
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\MSSE" => removed successfully
HKLM\Software\Classes\CLSID\{0365FE2C-F183-4091-AC82-BFC39FB75C49} => not found
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets" => removed successfully
HKLM\Software\Classes\CLSID\{6B9228DA-9C15-419e-856C-19E768A13BDC} => not found
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\MagicISO" => removed successfully
HKLM\Software\Classes\CLSID\{DB85C504-C730-49DD-BEC1-7B39C6103B7A} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{19D73376-8E68-4CA6-9DD6-901AA5F05B1F}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19D73376-8E68-4CA6-9DD6-901AA5F05B1F}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{250D7717-A980-49E9-9928-26041AB20F53}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{250D7717-A980-49E9-9928-26041AB20F53}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{36DA82E3-F4F4-4755-9045-B7F01D26F10D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{36DA82E3-F4F4-4755-9045-B7F01D26F10D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{559F541C-BB35-4C24-AD15-8D93D3B3DC7B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{559F541C-BB35-4C24-AD15-8D93D3B3DC7B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{57D729F8-7722-40D7-A952-9F562455E6A6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{57D729F8-7722-40D7-A952-9F562455E6A6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6151EAEB-1FF7-4508-8F07-7D7C03CD1F6B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6151EAEB-1FF7-4508-8F07-7D7C03CD1F6B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6BA32F10-F07C-4506-8836-3CA4E7131D46}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6BA32F10-F07C-4506-8836-3CA4E7131D46}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{72A4AAD3-CC01-4629-98E9-912B3F0B812B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72A4AAD3-CC01-4629-98E9-912B3F0B812B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7970D7D0-CE80-4425-BA7D-0A10A689A971}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7970D7D0-CE80-4425-BA7D-0A10A689A971}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B94FCE85-870A-46BD-9BA7-1704CC65C9B6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B94FCE85-870A-46BD-9BA7-1704CC65C9B6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E1752A92-BDA2-4080-8CCA-8DF609E1805A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1752A92-BDA2-4080-8CCA-8DF609E1805A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E9463DF4-3B6C-4C74-BA16-E1C72C4A263B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9463DF4-3B6C-4C74-BA16-E1C72C4A263B}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC => not found
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`27hfm" ADS removed successfully
C:\6749525315573233238 => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 10772480 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 166746236 B
Java, Flash, Steam htmlcache => 22163 B
Windows/system/drivers => 9772196 B
Edge => 1383718 B
Chrome => 222872179 B
Firefox => 537216755 B
Opera => 500110261 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 693098 B
Elia => 739472732 B
amz_8 => 27430 B

RecycleBin => 18630385403 B
EmptyTemp: => 19.4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:10:44 ====


Edited by axuy09, 03 June 2018 - 10:48 PM.
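
The fixlist nasdaq assembled in #2 from FRST scan entries and the Fixlog axuy09 posted in #3 both follow a regular line format. The script below is an added example (not code from this thread or from FRST itself) that picks fixlist candidates out of scan lines by the markers visible in those posts (orphaned entries whose target is gone, "<==== ATTENTION" flags, alternate data streams) and checks a Fixlog for actions that did not end in success; the sample lines are constructed from posts #2 and #3.

```python
"""FRST triage helpers: pick fixlist candidates from scan lines, then check the Fixlog.
Added example, not from the thread or FRST; uses only line formats seen in posts #2 and #3."""

ATTENTION = "<==== ATTENTION"  # FRST's own flag on suspicious entries
ORPHAN_MARKERS = ("-> No File", "[No File]", "=> not found", "[X]")  # target file is gone
ADS_PREFIX = "AlternateDataStreams:"  # NTFS alternate data streams


def triage_scan_lines(lines):
    """Return (line, reason) pairs for entries that usually belong in a fixlist.
    Entries whose target still exists (e.g. the Chrome Run keys in #2) are left to the analyst."""
    findings = []
    for line in map(str.rstrip, lines):
        if ATTENTION in line:
            findings.append((line, "flagged by FRST"))
        elif line.startswith(ADS_PREFIX):
            findings.append((line, "alternate data stream"))
        elif any(marker in line for marker in ORPHAN_MARKERS):
            findings.append((line, "orphaned entry, target missing"))
    return findings


def build_fixlist(findings, extra_lines=()):
    """Assemble a fixlist.txt body in the layout used in post #2; extra_lines carries
    analyst additions, such as a bare path for FRST to move into its quarantine."""
    body = ["start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    body += [line for line, _ in findings] + list(extra_lines) + ["", "End"]
    return "\n".join(body)


def summarize_fixlog(lines):
    """Count '<item> => <result>' outcomes; anything that is not a success lands in 'review'.
    Skips the echoed fixlist (between ***** delimiters) and the EmptyTemp byte counts."""
    summary = {"removed": 0, "moved": 0, "not_found": 0, "review": []}
    in_echo = False
    for line in map(str.strip, lines):
        if line == "*****************":
            in_echo = not in_echo
            continue
        if in_echo:
            continue
        if line.startswith("=========== EmptyTemp:"):
            break
        if "=>" not in line:
            continue
        if "removed successfully" in line:
            summary["removed"] += 1
        elif "moved successfully" in line:
            summary["moved"] += 1
        elif line.endswith("=> not found"):  # e.g. the CLSID probed after each handler
            summary["not_found"] += 1
        else:
            summary["review"].append(line)
    return summary


# Constructed sample: scan entries copied from the fixlist in post #2.
SAMPLE_SCAN = r"""
HKU\S-1-5-21-471338810-843470785-2729124550-1001\...\Run: [GoogleChromeAutoLaunch_D105180118C0E9C7DF8303153917726A] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1588568 2018-05-26] (Google Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
Task: {E9463DF4-3B6C-4C74-BA16-E1C72C4A263B} - \CCleanerSkipUAC -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
""".splitlines()

# Constructed sample: Fixlog excerpt from post #3.
SAMPLE_FIXLOG = r"""
*****************
HKU\S-1-5-21-471338810-843470785-2729124550-1001\...\Run: [GoogleChromeAutoLaunch_D105180118C0E9C7DF8303153917726A] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1588568 2018-05-26] (Google Inc.)
*****************
"HKLM\SOFTWARE\Policies\Google" => removed successfully
HKLM\Software\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => not found
AdobeARMservice => service removed successfully
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`27hfm" ADS removed successfully
C:\6749525315573233238 => moved successfully
=========== EmptyTemp: ==========
BITS transfer queue => 10772480 B
""".splitlines()
```

The heuristics deliberately leave out entries whose target file still exists, such as the Chrome Run keys in #2; those call for an analyst's judgement, which a pattern match does not replace.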


#4 nasdaq (Malware Response Team, 40,461 posts, Montreal, QC, Canada)

Posted 04 June 2018 - 07:04 AM

Hi,

Apologies, I meant "Revo Uninstaller". Is Revo still considered good, or are there better alternatives?

It's good.
Should be used when the program is not in the Add/Remove program list.
===

Followed instructions, didn’t realise my history would be erased. Is there a way of getting my history back?

Unfortunately no. Malware is often parked in the History.

The folder was sent to the Farbar quarantine folder. When all is well you can clean this quarantine folder.
C:\6749525315573233238 => moved successfully

Run this program to check your MBR.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Before running this tool check this out.

If you use a CD emulator disable it.

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

HOW TO: Enable the CD Emulators... < restore only when we are finished.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
===

I am also concerned that my drivers

If you have no issues with this computer, let it be.

#5 axuy09 (Topic Starter, Members, 83 posts)

Posted 04 June 2018 - 07:45 AM

Hi

Yes, sorry, I later noticed that the script removed the folder. Thanks!

Do we know how it ended up there and what it was doing?

The DeFogger link didn't work; I used this link instead: https://www.bleepingcomputer.com/download/defogger/

I don’t think that I use a CD emulator (although I googled CD emulator & found that MagicISO was one; this file/thing was removed by FRST).

DeFogger “finished” instantly (it said it would take a few minutes).

aswMBR.exe did not work or did not open.

?

Is that really bad?

 


#6 nasdaq (Malware Response Team, 40,461 posts, Montreal, QC, Canada)

Posted 05 June 2018 - 07:24 AM

Hi,

Do we know how it ended up there and what it was doing?


I found another log where this was found.
2018-05-10 19:26 - 2018-05-27 16:18 - 000000000 ____D C:\Users\Josh\AppData\LocalLow\AMD
2018-05-10 19:26 - 2018-05-10 19:26 - 000000000 ____D C:\6749525315573233238


It is from Advanced Micro Devices, Inc. - http://www.amd.com/.
Possibly a new driver was installed on that date.
===

Your computer is clean.
I would not worry about the BIOS.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

p.s.
Thank you for the new Defogger link.

Edited by nasdaq, 05 June 2018 - 07:25 AM.


#7 axuy09 (Topic Starter, Members, 83 posts)

Posted 05 June 2018 - 08:27 AM

Oh ok, thank you.

I am confused; there are no users "josh" on this PC, or at least there shouldn't be!!

Isn't the fact that the program "aswMBR.exe" did not open concerning? Actually, never mind, I see from the Addition log that the partition is GPT.

Query: why did the code in the "code box" target Chrome? Was something malicious found in there?

I ask as my default browser is Firefox.

Also, is there a recommended alternative for the "aswMBR.exe" program & for "Super Antispyware"?

Thanks again for everything, Nasdaq & the Malware Response Team!!!

 

 


#8 nasdaq (Malware Response Team, 40,461 posts, Montreal, QC, Canada)

Posted 05 June 2018 - 12:51 PM

Hi,

Josh came from another log I found, not yours.

I found another log where this was found.
2018-05-10 19:26 - 2018-05-27 16:18 - 000000000 ____D C:\Users\Josh\AppData\LocalLow\AMD
2018-05-10 19:26 - 2018-05-10 19:26 - 000000000 ____D C:\6749525315573233238



Query: why did the code in the "code box" target Chrome? Was something malicious found in there?

They were removed. Unknown malware.

Also, is there a recommended alternative for the "aswMBR.exe" program & for "Super Antispyware"?

No for aswMBR.

As for SuperAntiSpyware, you do not need it.
Today use Malwarebytes and also AdwCleaner from MBAM.

---



