steered here from the Windows 10 sub

  • 40meghd
    PCHF Member
    • Nov 2023
    • 7

    #1


    Hi, I was told to seek help here. This is the post I made on the Windows 10 sub…

    Hi everyone, first time poster. I was logging into my bank account and noticed Chrome was autofilling my login information. I’m trying to clear this information in my Google account and was looking at my Third-party apps & services. One of the apps is RFD Prod Internal. When I do a Google search of the app it doesn’t sound like something I want / could be malicious. Any insights regarding this app or action I should take would be appreciated. Attached is a screenshot of my Google 3rd party apps.

    [Attachment 12903: screenshot of Google third-party apps]
  • veeg
    PCHF Director
    • Jul 2016
    • 8982

    #2
    Let me tag our expert.

    @Malnutrition


    • Malnutrition
      PCHF Moderator
      • Jul 2016
      • 7045

      #3
      Please download the FRST 32-bit or FRST 64-bit version to suit your operating system. It is important FRST is downloaded to your desktop.
      If you are unsure whether your operating system is 32- or 64-bit, please go HERE.
      Once downloaded, right click the FRST desktop icon and select "Run as administrator" from the menu.
      If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST, you can safely allow FRST to proceed.
      FRST will open with two dialogue boxes; accept the disclaimer.
      Then select Scan.
      FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a notepad file.
      Please attach the contents of these logs in your next post.


      • Malnutrition
        PCHF Moderator
        • Jul 2016
        • 7045

        #4
        @40meghd


        • 40meghd
          PCHF Member
          • Nov 2023
          • 7

          #5
          okay I got this message after downloading the file -

          FRST64.exe
          This file is not commonly downloaded and may be dangerous.

          any need for concern? just trust the process and launch?!?! lol


          • Malnutrition
            PCHF Moderator
            • Jul 2016
            • 7045

            #6
            Go ahead and remove the RFD Prod Internal app with Geek Uninstaller; use force mode if needed. If you are unable to remove it or cannot find it, then skip it and move on to the FRST scans.

            Everything is fine, this tool is widely used in many forums. It’s the diagnostic tool used to provide information for me to help you.

            Here are alternate links for the tool… Download the FRST 32-bit or FRST 64-bit version to suit your operating system.

            You can see in the thread below that it is used, and also in many, many others.

            https://pchelpforum.net/t/i-cant-see...t-my-pc.81367/


            • 40meghd
              PCHF Member
              • Nov 2023
              • 7

              #7
              I was unable to find anything with Geek Uninstaller so ran FRST, here are the requested logs


              • Malnutrition
                PCHF Moderator
                • Jul 2016
                • 7045

                #8
                A couple of quick questions.

                What is this on your desktop? C:\Users\a440j\Desktop\RFD Prod Internal
                Also, are you only able to see RFD Prod Internal from within your Google account? Not on your computer?
                Have you tried to remove it via this method? Or any other way you have attempted to remove it?

                Download Malwarebytes v.4. Install and run.

                • Once the MBAM dashboard opens, click on Settings (gear icon).
                • Click on the Security tab and make sure that all four Scan options are enabled.
                • Close Settings and click on the Scan button on the dashboard.
                • Once the scan is completed, make sure you have it quarantine any detections it finds.
                • If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a text file to your desktop.
                • If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or other location you can find, and attach that log in your next reply.
                • If the computer restarted to quarantine, you can access the logs from Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or other location you can find, and include that log in your next reply.

                Copy the content of the code box below.
                Do not copy the word Code!!!
                Right click FRST and run as Administrator.
                Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
                Attach it to your next message.
                Code:
                Start::
                CloseProcesses:
                SystemRestore: On
                CreateRestorePoint:
                RemoveProxy:
                HKLM-x32\...\Run: [] => [X]
                Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
                Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
                Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
                Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
                ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
                ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
                ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
                ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
                ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
                ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
                ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
                ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
                ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
                ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
                ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
                ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
                ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
                ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
                C:\WINDOWS\system32\drivers\etc\hosts.ics
                C:\Windows\system32\drivers\etc\hosts
                Hosts:
                cmd: net stop bits
                Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
                cmd: net start bits
                cmd: bitsadmin /list /allusers
                CMD: netsh advfirewall reset
                CMD: netsh advfirewall set allprofiles state On
                CMD: del /f /s /q %windir%\prefetch\*.*
                CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
                CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
                cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
                cmd: del /s /q "%userprofile%\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data\*.*"
                CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
                CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
                CMD: ipconfig /flushdns
                C:\Windows\Temp\*.*
                C:\WINDOWS\system32\*.tmp
                C:\WINDOWS\syswow64\*.tmp
                emptytemp:
                ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
                ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
                ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
                ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
                ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
                ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
                Folder: C:\Windows\System32\Tasks
                Reboot:
                End::

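The FRST fix in post #8 exports the user's Run/RunOnce and StartupApproved keys, the Defender exclusion list and the Tasks folder, wipes the hosts file, resets the BITS job queue and removes any proxy. The PowerShell below is an added example by the editor, not part of the thread and not FRST code: it reads the same locations without changing anything, so you can see what a machine has in those places before deciding what a fixlist should delete. It assumes a Windows 10/11 host with the Defender and BitsTransfer modules available and an elevated shell; the "enabled/disabled" byte interpretation for StartupApproved is an assumption noted in the comments.

```powershell
# Added example (editor's own, not from the thread or FRST): read-only triage of the
# persistence and network settings that the FRST fix above exports or resets.
# Run from an elevated PowerShell. Nothing on the machine is modified.
# Assumptions: Windows 10/11; Defender (Get-MpPreference) and BitsTransfer modules present.

$ErrorActionPreference = 'SilentlyContinue'

function Get-RunValues {
    # Run/RunOnce for the current user and the machine (native and WOW6432Node views)
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

function Get-StartupApproved {
    # Each StartupApproved value is a 12-byte blob. Assumption: first byte 0x02 or 0x06
    # means the autorun is enabled in Task Manager > Startup, 0x03 means disabled.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [byte[]] } |
            ForEach-Object {
                $state = if ($_.Value[0] -in 2, 6) { 'enabled' } else { 'disabled' }
                [pscustomobject]@{ Key = $k; Name = $_.Name; State = $state }
            }
    }
}

function Get-NonMicrosoftTasks {
    # Scheduled tasks outside the \Microsoft\ tree, one row per action
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $t = $_
            foreach ($a in $t.Actions) {
                [pscustomobject]@{
                    Task      = $t.TaskPath + $t.TaskName
                    State     = $t.State
                    Execute   = $a.Execute
                    Arguments = $a.Arguments
                }
            }
        }
}

function Get-HostsOverrides {
    # A clean hosts file has only comments; any other line is an override worth reading
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '^\s*[^#\s]' }
}

function Get-ProxySettings {
    # The user-level WinINet proxy that FRST's RemoveProxy: directive clears
    Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
        Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-AllBitsJobs {
    # BITS jobs of every user with the remote URLs they pull (bitsadmin /list /allusers equivalent)
    Import-Module BitsTransfer
    Get-BitsTransfer -AllUsers | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.DisplayName
            Owner  = $_.OwnerAccount
            State  = $_.JobState
            Remote = ($_.FileList.RemoteName -join '; ')
        }
    }
}

'== Run / RunOnce =='
Get-RunValues | Format-Table -AutoSize
'== StartupApproved =='
Get-StartupApproved | Format-Table -AutoSize
'== Defender exclusions =='
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List
'== Non-Microsoft scheduled tasks =='
Get-NonMicrosoftTasks | Format-Table -AutoSize
'== hosts overrides =='
Get-HostsOverrides
'== Proxy =='
Get-ProxySettings | Format-List
'== BITS jobs (all users) =='
Get-AllBitsJobs | Format-Table -AutoSize
```

Read the report against what you know you installed: an enabled Run value or a non-Microsoft task pointing into AppData\Local or a temp folder, a Defender exclusion you did not add, a hosts override for a bank or update domain, an unexpected proxy, or a BITS job owned by a user that downloads from a host you do not recognise are the findings that justify a deletion in a fixlist. Entries such as the disabled Logitech and HP StartupApproved values the moderator later removes in post #15 will show up here as `disabled`, which is why an export-first, delete-second workflow is the safe order.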

                • 40meghd
                  PCHF Member
                  • Nov 2023
                  • 7

                  #9
                  C:\Users\a440j\Desktop\RFD Prod Internal is a folder I made to put screenshots of my Google account.

                  I ran O&O AppBuster and can’t see RFD Prod Internal in the list of apps.

                  So I guess it is only used by my Google account? I watched the youtube vid. Navigating through my Google account I found the following options-

                  [Attachment 12909: Google account third-party access screenshot]
                  Whatever it is, it looks like I gave it access on April 11th.

                  I also have these options -

                  [Attachment 12910: screenshot]

                  [Attachment 12911: screenshot] [Attachment 12912: screenshot]


                  • Malnutrition
                    PCHF Moderator
                    • Jul 2016
                    • 7045

                    #10
                    Eliminate every option you have, then follow up with the instructions provided. We will still continue to check the machine for any infiltration.


                    • 40meghd
                      PCHF Member
                      • Nov 2023
                      • 7

                      #11
                      I deleted the connection to RFD and turned off sign in prompts. Attached is the logfile generated by FRST


                      • Malnutrition
                        PCHF Moderator
                        • Jul 2016
                        • 7045

                        #12
                        OK, now please post the Malwarebytes log along with this.

                        Download ZHP Suite to your desktop.
                        Right click, Run as admin.
                        Hit the scanner button.
                        Once it is complete, a file named ZHPdiag.txt will be on your desktop.
                        Attach it.


                        • 40meghd
                          PCHF Member
                          • Nov 2023
                          • 7

                          #13
                          Here are the two files


                          • Malnutrition
                            PCHF Moderator
                            • Jul 2016
                            • 7045

                            #14
                            Ok, I’ll take a look at this when I get home from work today.


                            • Malnutrition
                              PCHF Moderator
                              • Jul 2016
                              • 7045

                              #15
                              Copy the content of the code box below.
                              Do not copy the word Code!!!
                              Right click FRST and run as Administrator.
                              Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
                              Attach it to your next message.
                              Code:
                              Start::
                              CloseProcesses:
                              SystemRestore: On
                              CreateRestorePoint:
                              RemoveProxy:
                              DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|FileOpenBroker
                              DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Logitech Download Assistant
                              DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|HP Software Update
                              C:\Users\a440j\AppData\Local\00F19BBA-6E5C-46DB-8B94-577037865070.aplzod
                              C:\Users\a440j\AppData\Local\Backup
                              C:\Users\a440j\AppData\Local\LogMeIn Rescue Applet
                              C:\Program Files (x86)\LogMeIn Rescue Applet
                              Reboot:
                              End::

                              Make sure to disable your antivirus/Defender prior to the scan.

                              • Download ESET Online Scanner from here and save it to your Desktop.
                              • Right click the esetonlinescanner.exe file you downloaded and select Run as administrator.
                              • Click Get started.
                              • In the Terms of use screen, click Accept if you agree to the Terms of use.
                              • Click Get started in the welcome screen.
                              • Select your preference for the Customer Experience Improvement Program and the Detection feedback system. Click Continue.
                              • Click Computer scan in the Welcome back screen.
                              • Choose Full scan on the next screen.
                              • Select Enable ESET to detect and quarantine potentially unwanted applications. Then click Start scan.
                              • When the scan is finished, click Save scan log and save it to your Desktop as ESETScan.txt. Click Continue.
                              • ESET Online Scanner will now ask if you wish to turn on the Periodic Scan feature. Click Continue.
                              • You will now be offered a trial version of ESET Internet Security. Click Continue.
                              • On the next screen, you can leave feedback about the program if you wish.
                              • Select Delete application’s data on closing if you are short of disk space or do not wish to retain the program for future use.
                              • If you left feedback, click Submit and continue. If not, Close without feedback.
                              • Copy and paste the contents of the ESETScan.txt file in your next reply.
