Am I infected?


10 replies to this topic

#1 confoosedguy
Posted 25 May 2015 - 10:14 PM

Hello. This is a text file just created from running CCleaner. I was hoping someone could take a look and let me know what it might be. Much gratitude, Michael:

 

Invalid or empty file class opdownload_auto_file HKCR\opdownload_auto_file
ActiveX/COM Issue InProcServer32\C:\Program Files\Google\Update\1.3.26.9\psmachine.dll HKCR\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}
ActiveX/COM Issue InProcServer32\C:\windows\system32\wuaucpl.cpl HKCR\CLSID\{5F327514-6C5E-4d60-8F16-D07FA08A78ED}
Missing TypeLib Reference ISearch - {47A7A4B0-2723-41BA-865E-EBBB7081A602} HKCR\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Application Paths Issue C:\Windows\AP\ENG\MSWorks\MSWorks\Setup.exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Application Paths Issue C:\Windows\AP\Audio\5948\Setup.exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Application Paths Issue C:\Users\MP\Downloads\ChromeSetup.exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Application Paths Issue C:\Users\MP\Downloads\GoogleVoiceAndVideoSetup.exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Application Paths Issue C:\Users\MP\Downloads\tweaking.com_windows_repair_aio_setup (1).exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Application Paths Issue C:\Users\MP\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Installer Reference Issue C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders
Uninstaller Reference Issue "C:\Program Files\FreeFixer\uninstall.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\FreeFixer1.12
Invalid firewall rule NetPres-In-TCP-NoScope - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-Out-TCP-NoScope - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-WSD-In-UDP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-WSD-Out-UDP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-In-TCP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-Out-TCP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-In-TCP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-Out-TCP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-In-UDP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-Out-UDP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-Prov-Out-TCP - %SystemRoot%\ehome\mcx2prov.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-McrMgr-Out-TCP - %SystemRoot%\ehome\mcrmgr.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-In-TCP-NoScope - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-Out-TCP-NoScope - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-WSD-In-UDP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-WSD-Out-UDP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-In-TCP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule NetPres-Out-TCP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-In-TCP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-Out-TCP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-In-UDP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-Out-UDP - %SystemRoot%\ehome\ehshell.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-Prov-Out-TCP - %SystemRoot%\ehome\mcx2prov.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Invalid firewall rule MCX-McrMgr-Out-TCP - %SystemRoot%\ehome\mcrmgr.exe HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
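
An added example (editor's, not code from the post above or from CCleaner) that shows how a security reviewer would triage a CCleaner Registry Cleaner listing like the one above. CCleaner reports an entry when the file it points at is gone, so each line is a dangling reference rather than a detection; the useful questions are whether the referenced file still exists on disk and whether it was run from a user-writable location. The AppCompatFlags\Compatibility Assistant\Persisted key named in several lines is a Program Compatibility Assistant record of programs the user executed, which makes those entries an execution-history artifact. The four sample lines are constructed from the post; the "user-writable" classification is a heuristic chosen for this example, and the Exists column is only meaningful when the script runs on the affected machine.

```powershell
# Added example (editor's, not from the forum post or CCleaner): triage of
# CCleaner "Registry Cleaner" findings. Each line names a registry entry whose
# target file is missing. We pull the path out, expand %SystemRoot%, check
# whether the file is still present, and flag references into user-writable
# locations (profile folders, Temp), which is where execution traces of
# downloaded installers show up.

# Sample input: four lines constructed from the post above.
$ccleanerLog = @'
ActiveX/COM Issue InProcServer32\C:\Program Files\Google\Update\1.3.26.9\psmachine.dll HKCR\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}
Application Paths Issue C:\Users\MP\Downloads\tweaking.com_windows_repair_aio_setup (1).exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Application Paths Issue C:\Users\MP\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Invalid firewall rule NetPres-In-TCP - %SystemRoot%\system32\netproj.exe HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
'@

function Get-CCleanerFinding {
    param([Parameter(Mandatory)][string[]]$Lines)

    # First Windows path on the line, ending at a known binary extension so that
    # paths containing spaces ("Program Files", "setup (1).exe") are captured whole.
    $pathRegex = '(?i)(?:[A-Z]:|%SystemRoot%)\\.+?\.(?:exe|dll|cpl|ocx|sys)(?=["\s]|$)'
    # The registry key is everything from the first HK* token to the end of the line.
    $keyRegex  = '\bHK(?:CR|CU|LM|U)\\.+$'

    foreach ($line in $Lines) {
        if ($line -notmatch $pathRegex) { continue }   # no file reference on this line
        $rawPath = $Matches[0]
        $key     = if ($line -match $keyRegex) { $Matches[0] } else { '' }
        # Issue label is whatever precedes the path, minus trailing separators.
        $label   = $line.Substring(0, $line.IndexOf($rawPath)) -replace '[\s\\-]+$', ''

        # Expand %SystemRoot% so Test-Path checks the real location.
        $path = [Environment]::ExpandEnvironmentVariables($rawPath)

        [pscustomobject]@{
            Label        = $label
            Path         = $path
            # Only meaningful when run on the affected machine.
            Exists       = Test-Path -LiteralPath $path
            # Heuristic (assumption of this example): under a user profile or a Temp folder.
            UserWritable = $path -match '(?i)\\Users\\[^\\]+\\|\\Temp\\'
            Key          = $key
        }
    }
}

$findings = Get-CCleanerFinding -Lines ($ccleanerLog -split "`r?`n")
$findings | Format-Table Label, Exists, UserWritable, Path -AutoSize

# The entries worth a second look are execution traces from user-writable paths,
# not the "invalid" firewall rules or COM registrations for missing system files.
$findings | Where-Object UserWritable | ForEach-Object {
    "Review: $($_.Path) (from $($_.Key))"
}
```

Run it on the machine that produced the log, replacing the sample here-string with the full CCleaner output. Entries whose Exists column is False are exactly what CCleaner means by "issue": a leftover pointer to something already uninstalled or deleted. The Persisted entries are the only ones that tell you anything about past activity, and even then they record that an installer was run, not that it was malicious.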




#2 ransomwolf

Posted 26 May 2015 - 01:43 PM

CCleaner is short for "crap cleaner", and that's exactly what it does: it cleans crap, like temporary files and registry errors. It rarely deletes any malware, as it's not supposed to be a security tool. You can't really tell if the machine is infected or not by having a look at its logs.

There's a chance your PC is completely clean, and there's a chance it's not. Since your thread's name is "Am I infected?", I suppose you want to make sure you're clean, so let's run a few tools. Click the "spoiler" button for instructions.
 

Spoiler


Edited by ransomwolf, 26 May 2015 - 02:13 PM.


#3 Sintharius

Posted 26 May 2015 - 01:45 PM

Hi there,

Did you use CCleaner's Registry Cleaner function?

Regards,
Alex

#4 confoosedguy

Posted 26 May 2015 - 04:34 PM

OK, thank you. I will run the Spoiler later and post the results.

 

Yes, I ran the Registry tool within CCleaner.



#5 Sintharius

Posted 27 May 2015 - 01:14 AM

Using Registry Cleaners (in this case, CCleaner's Registry Cleaner option) is a bad idea.

The following warning is quoted from Moderator Budapest.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:
  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

You can still use CCleaner, but don't use the Registry Cleaner option.

I would do what ransomwolf has posted for you, but I would run AdwCleaner and Junkware Removal Tool before Malwarebytes and Emsisoft.

Regards,
Alex

#6 confoosedguy

Posted 11 June 2015 - 10:39 PM

AdwCleaner Results:

 

# AdwCleaner v4.206 - Logfile created 11/06/2015 at 23:31:06
# Updated 01/06/2015 by Xplode
# Database : 2015-06-09.1 [Server]
# Operating system : Windows 7 Starter Service Pack 1 (x86)
# Username : MP - MP-PC
# Running from : C:\Users\MP\Downloads\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\MP\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Google Chrome v43.0.2357.124
 
 
-\\ Opera v0.0.0.0
 
 
*************************
 
AdwCleaner[R0].txt - [2810 bytes] - [03/01/2015 18:05:54]
AdwCleaner[R1].txt - [1299 bytes] - [14/01/2015 10:38:47]
AdwCleaner[R2].txt - [1586 bytes] - [25/05/2015 22:17:06]
AdwCleaner[R3].txt - [1230 bytes] - [11/06/2015 23:26:56]
AdwCleaner[S0].txt - [2905 bytes] - [03/01/2015 18:11:28]
AdwCleaner[S1].txt - [1793 bytes] - [14/01/2015 22:08:39]
AdwCleaner[S2].txt - [1666 bytes] - [25/05/2015 22:20:34]
AdwCleaner[S3].txt - [1158 bytes] - [11/06/2015 23:31:06]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1217  bytes] ##########


#7 confoosedguy

Posted 11 June 2015 - 10:48 PM

JunkwareRemovalTool Results:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Starter x86
Ran by MP on Thu 06/11/2015 at 23:41:58.28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
 
[C:\Users\MP\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\MP\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\MP\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\MP\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 06/11/2015 at 23:46:33.01
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#8 confoosedguy

Posted 11 June 2015 - 11:30 PM

Emsisoft Results:

 

Emsisoft Emergency Kit - Version 9.0
Last update: 6/11/2015 11:58:10 PM
User account: MP-PC\MP
 
Scan settings:
 
Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\windows\, C:\Program Files\
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 6/11/2015 11:59:22 PM
Value: HKEY_USERS\S-1-5-21-691718447-235585631-1268440559-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-691718447-235585631-1268440559-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
 
Scanned 124815
Found 2
 
Scan end: 6/12/2015 12:28:44 AM
Scan time: 0:29:22
 
Value: HKEY_USERS\S-1-5-21-691718447-235585631-1268440559-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-691718447-235585631-1268440559-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Quarantined Setting.DisableTaskMgr (A)
 
Quarantined 2
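
An added example (editor's, not part of any post in this thread) that covers two things raised above: the warning in post #5 that a registry backup is essential before any registry change, and the two Emsisoft detections in post #8. DisableTaskMgr and DisableRegistryTools under HKU\<SID>\...\Policies\System are Windows policy values that stop the user from opening Task Manager and Registry Editor; malware sets them to hinder cleanup, though an administrator's Group Policy can set them legitimately, so in a managed environment check with whoever owns the machine before removing them. The script audits the current user's, every loaded user's and the machine-wide copy of the key, exports each affected key with reg.exe before touching it, and only then removes the values. It assumes an elevated PowerShell session on the affected machine and a backup folder on the Desktop (both assumptions of this example). On the machine in this thread Emsisoft has already quarantined the values, so a run there should report nothing.

```powershell
# Added example (editor's, not from the forum posts or Emsisoft). Audits the two
# user-policy values flagged above and removes them, exporting the key first so
# the change can be undone. Run from an elevated PowerShell on the affected host.
# Note: DisableRegistryTools blocks regedit.exe, not reg.exe or the PowerShell
# registry provider, which is why this script still works while the lock is set.

$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

# Policies\System under HKLM applies machine-wide; the same key under each loaded
# HKU\<SID> hive covers every signed-in user (HKCU is just the caller's alias).
function Get-PolicySystemKey {
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    # HKU is not mounted as a drive by default; map it once so Get-ChildItem can walk it.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $keys += "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        }
    $keys
}

function Find-ToolRestriction {
    foreach ($key in Get-PolicySystemKey) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $policyValues) {
            $value = $props.PSObject.Properties[$name]
            # A value of 0 is "not restricted"; anything else is a live lock.
            if ($null -ne $value -and $value.Value -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value.Value }
            }
        }
    }
}

function Backup-RegistryKey {
    param([string]$Key, [string]$Destination)
    # reg.exe wants the native key form (HKEY_USERS\S-1-5-21-...), not the PSDrive form.
    $native = $Key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\' -replace '^HKU:\\', 'HKEY_USERS\'
    & reg.exe export $native $Destination /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $native" }
}

$restrictions = @(Find-ToolRestriction)
if (-not $restrictions) { 'No DisableTaskMgr / DisableRegistryTools restrictions set.'; return }

$restrictions | Format-Table Key, Name, Value -AutoSize

# Export each affected key exactly once before removing anything from it
# (the backup-before-you-edit rule from post #5). Backup folder is an assumption.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\RegBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($key in ($restrictions.Key | Sort-Object -Unique)) {
    $file = Join-Path $backupDir (($key -replace '[:\\]', '_') + '.reg')
    Backup-RegistryKey -Key $key -Destination $file
    "Backed up $key to $file"
}

foreach ($r in $restrictions) {
    Remove-ItemProperty -LiteralPath $r.Key -Name $r.Name
    "Removed $($r.Name) from $($r.Key)"
}
```

To undo a removal, double-click the exported .reg file or run reg.exe import on it; it restores the whole key as it was before the script ran. If the values come back after a reboot, something still running is re-applying them, and that process, not the registry value, is what needs to be found.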


#9 confoosedguy

Posted 12 June 2015 - 12:02 AM

Malwarebytes Anti-Malware Results:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6/12/2015
Scan Time: 12:33:26 AM
Logfile: MWB_06_12_15.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.06.11.05
Rootkit Database: v2015.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: MP
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 297596
Time Elapsed: 24 min, 59 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.ReImageRepair.A, HKU\S-1-5-21-691718447-235585631-1268440559-1000\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\Reimage - Windows Problem Relief., Quarantined, [8ee30bae04865ed827b0f891a5603fc1], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#10 confoosedguy

Posted 24 June 2015 - 10:46 PM

Hello, do you think someone might get back to this one? This would be greatly appreciated, Michael



#11 Sintharius

Posted 25 June 2015 - 01:18 AM

Your logs did not show anything - I would say that you are clean. Those entries in CCleaner are nothing to worry about - and you should not use the registry cleaner anyway.

Okay... now we just need to clean things up and you are good to go.

Download DelFix from here and save it to your Desktop.
  • Close all running programs and start DelFix.
  • Make sure all available options are checked.
  • Click Run.
  • DelFix will remove most of the tools used during the cleaning process.

Some useful security utilities

Note: Only use ONE anti-exploit application at a time! Using more than one at a time will lower your protection due to conflicts between exploit protection modules.

===

Safe computing practices

Best Practices for Safe Computing - Prevention of Malware Infection
How Malware Spreads - How did I get infected
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

Regards,
Alex



