• Hi there and welcome to PC Help Forum (PCHF), a more effective way to get the Tech Support you need!
    We have Experts in all areas of Tech, including Malware Removal, Crash Fixing and BSOD's , Microsoft Windows, Computer DIY and PC Hardware, Networking, Gaming, Tablets and iPads, General and Specific Software Support and so much more.

    Why not Click Here To Sign Up and start enjoying great FREE Tech Support.

    This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Solved steered here from the Windows 10 sub

Status
Not open for further replies.
4

40meghd

PCHF Member
Nov 3, 2023
7
0
63
#1
Hi I was told to seek help here. This is the the post I made on the Windows 10 sub...

Hi everyone, first time poster. I was logging into my bank account and noticed Chrome was autofilling my login information. I'm trying to clear this information in my Google account and was looking at my Third-party apps & services. One of the apps is RFD Prod Internal. When I do a Google search of the app it doesn't sound like something I want / could be malicious. Any insights regarding this app or action I should take would be appreciated. Attached is a screenshot of my Google 3rd party apps.

Screenshot 2023-11-03 155103.png
 
#3
Please download the FRST 32 bit or FRST 64bit version to suit your operating system. It is important FRST is downloaded to your desktop.
If you are unsure if your operating system is 32 or 64 Bit please go HERE.
Once downloaded right click the FRST desktop icon and select "Run as administrator" from the menu"
If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST you can safely allow FRST to proceed.
FRST will open with two dialogue boxes, accept the disclaimer.
Then select Scan
Frst will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt, and Addition.txt. They will display immediately on the desktop, but can be reopened later as a notepad file.
Please Attach the contents of these logs in your next post
 
#5
okay I got this message after downloading the file -

FRST64.exe
This file is not commonly downloaded and may be dangerous.

any need for concern? just trust the process and launch?!?! lol
 
Last edited by a moderator:
#6
Go ahead and remove RFD Prod Internal. app with Geek Uninstaller, use force mode if needed. If you are unable to remove it or can not find, then skip and move onto FRST scans.


Everything is fine, this tool is widely used in many forums. It's the diagnostic tool used to provide information for me to help you.

Here are alternate links for the tool.... Download the FRST 32 bit or FRST 64bit version to suit your operating system.

You can see in the threads below it is used, and also many many others.

Solved - Windows Security Stopped working

when i want to open windows security it stays like this until it closes eventually . this happedn when i tried to download a program any help is appreciated thanks.
pchelpforum.net pchelpforum.net

Solved - A virus disguising as RAR

I have virus that is disguising itself as winRAR, and it can be viewed in Task Manager. If show in details, it will show up as this (properties included) Ending the task does nothing. It will simply run again on its own. Access to the file's location is also inaccessible, even with...
pchelpforum.net pchelpforum.net

Solved - I can't seem to remove a trojan, should I reset my pc ?

Hello everyone, (excuse my rusty english, I'm french). I finally regret not having invested in an antivirus earlier, because I am now infected, but it is indeed my fault. After I realized that my data was being stolen and that my accounts were being logged in, I did a scan with Windows...
pchelpforum.net pchelpforum.net
 
Last edited:
#7
I was unable to find anything with Geek Uninstaller so ran FRST, here are the requested logs
 

Attachments

  • Addition.txt
    35.6 KB · Views: 0
  • FRST.txt
    28.9 KB · Views: 1
#8
A couple quick questions.

What is this on your desktop? C:\Users\a440j\Desktop\RFD Prod Internal
Also, are you only able to see RFD Prod Internal. from within your google account? Not on your computer?
Have you tried to remove it via this method? Or any other way you have attempted to remove it?


Download Malwarebytes v.4 . Install and run.

  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and include that log on your next reply.


Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.

Code: 
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
HKLM-x32\...\Run: [] => [X]
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
C:\WINDOWS\system32\drivers\etc\hosts.ics
C:\Windows\system32\drivers\etc\hosts
Hosts:
cmd: net stop bits
Move: C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db C:\ProgramData\Microsoft\Network\Downloader\qmgr*.db.old
cmd: net start bits
cmd:  bitsadmin /list /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state On
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data\*.*"
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32
ExportKey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
ExportKey: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions
Folder: C:\Windows\System32\Tasks
Reboot:
End::

 
#9
C:\Users\a440j\Desktop\RFD Prod Internal is a folder I made to put screenshots of my Google account.

I ran O&O AppBuster and can't see RFD Prod Internal in the list of apps.

So I guess it is only used by my Google account? I watched the youtube vid. Navigating through my Google account I found the following options-

how Google helps you sign in with RFD.png

Whatever it is it looks it looks like I gave it access on April 11th

I also have these options -

stop using sign in with Google.png


delete connections.png
Google account sign in prompts.png


 
#10
Eliminate every option you have,then follow up with the instructions provided. We will still continue to check the machine for any infiltration.
 
#12
OK, now please post the malwarebytes log along with this please.

Download ZHP Suite to your desktop.
Right Click Run as admin.
Hit the scanner button.
Once it is complete a file name ZHPdiag.txt will be on your desktop.
Attach it.
 
#15
Copy the content of the code box below.
Do not copy the word code!!!
Right Click FRST and run as Administrator.
Click Fix once (!) and wait. The program will create a log file (Fixlog.txt).
Attach it to your next message.

Code: 
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
RemoveProxy:
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|FileOpenBroker
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run}Logitech Download Assistant  
DeleteValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|HP Software Update  
C:\Users\a440j\AppData\Local\00F19BBA-6E5C-46DB-8B94-577037865070.aplzod
C:\Users\a440j\AppData\Local\Backup
C:\Users\a440j\AppData\Local\LogMeIn Rescue Applet
C:\Program Files (x86)\LogMeIn Rescue Applet
Reboot:
End::
Make sure and disable your antivirus/defender prior to the scan.


  • Download ESET Online Scanner from herea nd save it to your Desktop.
  • Right click the esetonlinescanner.exe file you downloaded and select Run as administrator.
  • Click Get started.
  • In the Terms of use screen, click Accept if you agree to the Terms of use.
  • Click Get started in the welcome screen.
  • Select your preference for the Customer Experience Improvement Program and the Detection feedback system.Click Continue.
  • Click Computer scan, in the Welcome back screen.
  • Choose Full scan on the next screen.
  • Select Enable ESET to detect and quarantine potentially unwanted applications.Then click Start scan
  • When the scan is finished click Save scan log and save it to your Desktop as ESETScan.txt. Click Continue.
  • ESET Online Scanner will now ask if you wish to turn on the Periodic Scan feature.Click Continue
  • You will now be offered a trial version of ESET Internet Security.Click continue
  • On the next screen, you can leave feedback about the program if you wish.
  • Select Delete application's data on closing, if you are short of disk space or do not wish to retain the program for future use.
  • If you left feedback, click Submit and continue. If not, Close without feedback.
  • Copy and paste the contents of the ESETScan.txt file in your next reply.
 
#17
Here is the log from FRST

I ran ESET but I couldn't seem to save the log file, it did tell me that nothing was detected.

I appreciate all the time you spent helping me Malnutrition!
 

Attachments

  • Addition2.txt
    28.1 KB · Views: 0
Status
Not open for further replies.
Top Bottom
Back
Forums
Resources
Menu