
Information of log file


6 replies to this topic

#1 Onvme484


Posted 23 September 2016 - 09:43 AM

Hi, I've just done a Combofix scan; everything is fine, no registry keys deleted etc., but then I saw a key:

--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

It's the only locked key I saw on the list. I would just like to know some information about it. Is this harmful, what is it, what does this mean, why does it show this, is it locked by Combofix or was it already locked?

Thank you in advance.


Edited by hamluis, 23 September 2016 - 11:32 AM.
Moved from AII to MRL - Hamluis.
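A way to look at the same ACL information yourself, as an added example that is not code from the thread, from ComboFix or from any of the posters: it assumes an elevated Windows PowerShell session and uses Get-Acl to list any Deny entries on the two keys quoted in this thread, reading them without changing anything (Get-RegistryDenyReport is a name chosen here).

```powershell
# Added example for this thread: not ComboFix's code and not posted by anyone
# in the topic. It reads the DACL of the keys ComboFix listed as locked and
# reports any Deny entries, which is what its "@Denied: (Full) (Everyone)"
# line summarises. Assumes Windows PowerShell 5.1+ in an elevated session.
#Requires -RunAsAdministrator

$lockedKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Control\PCW\Security',
    'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings'
)

function Get-RegistryDenyReport {
    param([Parameter(Mandatory)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Distinguish a key that does not exist from one we are not allowed to read.
        # A Deny of Full Control to Everyone also denies READ_CONTROL, so even an
        # administrator may be refused; that refusal itself shows the key is locked.
        $status = if ($_.CategoryInfo.Category -eq 'ObjectNotFound') { 'Missing' } else { "Unreadable ($($_.Exception.GetType().Name))" }
        return [pscustomobject]@{ Path = $Path; Status = $status; Owner = $null; Deny = @() }
    }

    # Collect only the Deny ACEs; Allow entries are the normal case and not of interest here.
    $deny = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value   # e.g. "Everyone"
                Rights    = $ace.RegistryRights.ToString()  # e.g. "FullControl"
                Inherited = $ace.IsInherited
            }
        }
    }
    [pscustomobject]@{ Path = $Path; Status = 'Readable'; Owner = $acl.Owner; Deny = @($deny) }
}

foreach ($key in $lockedKeys) {
    $r = Get-RegistryDenyReport -Path $key
    Write-Host "$($r.Path)"
    Write-Host "  Status: $($r.Status)   Owner: $($r.Owner)"
    if ($r.Deny.Count -eq 0) { Write-Host '  No Deny entries in the DACL' }
    foreach ($d in $r.Deny) {
        $tag = if ($d.Inherited) { ' (inherited)' } else { '' }
        Write-Host "  Denied: $($d.Identity) -> $($d.Rights)$tag"
    }
}
```

An "Unreadable" status on the PCW\Security key is expected when a Deny for Everyone is in place, since that Deny applies to the account running the script too.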




#2 hamluis

Moderator

Posted 23 September 2016 - 11:30 AM

Since you have run ComboFix...please post the entire log for review.

 

Louis


Edited by hamluis, 23 September 2016 - 11:31 AM.


#3 Onvme484

Topic Starter

Posted 23 September 2016 - 12:07 PM

Hi, thank you for your reply. I'm sorry, I've already deleted the logfile. However, there were no viruses/harmful files or registry keys found; I have nothing installed other than superfluous software (firefox, etc.). May I know just this:

Is this harmful, what is it, what does this mean, why does it show this, is it locked by Combofix or was it already locked?

I really don't want to harass you. Does ComboFix write somewhere if it found harmful registry keys/software?


Edited by Onvme484, 23 September 2016 - 12:07 PM.


#4 Onvme484

Topic Starter

Posted 23 September 2016 - 12:25 PM

@hamluis I've found someone who, like me, asked somewhere if that registry key is harmful.

http://www.computerforum.com/threads/a-question-about-the-combofix-report.214639/

I would like to ask something about what the guy said, to help others. Quoting him:

> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
> Those 2 entries usually appear when you have had a decent infection.

In my case, Combofix wrote just:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

as a locked registry key. What does he mean by "decent infection"?


Edited by Onvme484, 23 September 2016 - 12:26 PM.


#5 nasdaq

Malware Response Team

Posted 24 September 2016 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

These locked keys can be unlocked as seen in this topic.
http://www.computerforum.com/threads/a-question-about-the-combofix-report.214639/

In order to give you good advice I need to see a fresh Combofix log.

Please download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

===

While I have your attention, you should run this scanning tool.
Nothing will be removed until I give you a Fix, if required.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===

Please post the logs for my review.

#6 Onvme484

Topic Starter

Posted 26 September 2016 - 11:25 AM

Ok, I will. Can you please reply to my question first:

> @hamluis I've found someone who, like me, asked somewhere if that registry key is harmful.
>
> http://www.computerforum.com/threads/a-question-about-the-combofix-report.214639/
>
> I would like to ask something about what the guy said, to help others. Quoting him:
>
> > [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
> > [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
> > Those 2 entries usually appear when you have had a decent infection.
>
> In my case, Combofix wrote just:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
>
> as a locked registry key. What does he mean by "decent infection"?

I've blocked many IPs on my firewall using route -p add; may this be the problem (which Combofix thinks it is)? Indeed, when I explored the Quarantine folder in C:\Qoobox (I don't remember the name, I may be wrong), in that folder (Quarantine) there was just a registry file of my blocked IPs.


Edited by Onvme484, 26 September 2016 - 11:29 AM.


#7 nasdaq

Malware Response Team

Posted 26 September 2016 - 01:09 PM

I think he/she meant that it was a previous infection.

Just run the Farbar tool for now.

Ensure that you submit both logs.



