
rKill Findings...Need assistance with results


  • This topic is locked
5 replies to this topic

#1 Jesecourt

Jesecourt

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Female
  • Location:Alabama
  • Local time:10:38 AM

Posted 18 October 2016 - 10:35 PM

Hello,

 

My name is Selena and I believe that this is my very first post here. I have just run rkill on my Windows 7 PC because it has been acting quite sluggish and just plain odd. Below are the findings:

 

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 10/18/2016 at 22:04:09.
Operating System: Windows 7 Home Premium

Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\InfDefaultInstall.exe
C:\Windows\SysWOW64\runonce.exe

Rkill completed on 10/18/2016 at 22:04:12.

 

I have heard that these items are virus/malware and need assistance as to how to clear this up.

 

Any help would be greatly appreciated.
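Before treating the two processes in the rkill log as malware, it is worth checking what they actually are. The script below is an added example, not part of this thread or of rkill: it takes the two paths from the posted log, records file existence, the publisher in the version resource, the embedded Authenticode status, a SHA-256 hash, and asks Windows Resource Protection (sfc /verifyfile) whether the file matches the protected copy. It assumes a 64-bit PowerShell run as Administrator on Windows 7 x64 (sfc needs elevation, and 32-bit sfc is not usable on x64) and an English-language Windows, since the sfc result is matched on its English message.

```powershell
# Added example (not from the thread): vet the processes rkill reported terminating
# instead of assuming they are malicious. Assumes an elevated 64-bit PowerShell on
# Windows 7 x64. SHA-256 is computed through .NET so the script also runs on the
# PowerShell 2.0 that ships with Windows 7 (Get-FileHash needs PowerShell 4+).

# The two paths are the ones listed in the rkill.log posted above.
$terminated = @(
    'C:\Windows\SysWOW64\InfDefaultInstall.exe',
    'C:\Windows\SysWOW64\runonce.exe'
)

function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Test-SystemBinary {
    param([string]$Path)

    $result = New-Object PSObject -Property @{
        Path      = $Path
        Exists    = Test-Path -LiteralPath $Path
        InWindows = $Path -like "$env:SystemRoot\*"   # outside %SystemRoot% would be suspicious
        Company   = $null
        Signature = $null
        SfcIntact = $null
        Twin      = $null
        Sha256    = $null
    }
    if (-not $result.Exists) { return $result }

    $item = Get-Item -LiteralPath $Path
    $result.Company = $item.VersionInfo.CompanyName
    $result.Sha256  = Get-Sha256 $Path

    # Embedded Authenticode signature. Most Windows binaries are catalog-signed and
    # Windows 7 does not consult catalogs for this cmdlet, so "NotSigned" on its own
    # is NOT evidence of tampering on this OS; it just means "check another way".
    $result.Signature = (Get-AuthenticodeSignature -FilePath $Path).Status

    # Windows Resource Protection compares the file with its protected copy. This is
    # the authoritative check for a catalog-signed system file. sfc writes UTF-16, so
    # strip the interleaved NUL characters before matching the (English) result line.
    $sfc = (& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$Path" 2>&1 | Out-String) -replace "`0", ''
    $result.SfcIntact = [bool]($sfc -match 'did not find any integrity violations')

    # A 32-bit binary under SysWOW64 normally has a 64-bit twin under System32;
    # a SysWOW64-only "system" file is worth a closer look.
    $twin = $Path -replace '\\SysWOW64\\', '\System32\'
    $result.Twin = Test-Path -LiteralPath $twin

    return $result
}

$terminated | ForEach-Object { Test-SystemBinary $_ } |
    Format-List Path, Exists, InWindows, Company, Signature, SfcIntact, Twin, Sha256
```

A file that exists under %SystemRoot%, reports Microsoft Corporation as the company, passes the sfc check and has its System32 twin is a stock Windows component that rkill stopped because it happened to be running, not a finding in itself. A file that fails the sfc check, or lives only under SysWOW64, is the one to hash and look up.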





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:38 PM

Posted 21 October 2016 - 10:11 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===

Please post the logs.

Wait for further instructions.

#3 Jesecourt

Jesecourt
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Female
  • Location:Alabama
  • Local time:10:38 AM

Posted 21 October 2016 - 10:02 PM

Results are attached.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:38 PM

Posted 22 October 2016 - 09:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> {a62abdee-78a2-4ddb-9355-1c334abd6e43} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=xy_9e8de677&param1=ArFaIWJoNqArQGMVHFFoNqAqBbFaISEaQGR7xTVoN9IAy7IsQGR7B7JoN9JbDSk8vFE9GqQANFdcFCk8NVE4IGYVvFI9JGYVvmk3vmIXwVJdJqYVvFE9JCIWwVU9GqYVNUI3wGYGwVM4JmoVwVM9GqUNNos3wCIYwVA9JmoUwVA3vCITwVI9GqUNNFM3wCILNFdcIaUXNEBcGqQANFdcFCk8NoM4IGYUwVQ9ISIYwVU3vqYVwVw9IWYUNVM3vmISwVM9J6k4NVI9I6oXwVM9JmoVwVxdIqYWwVVdISIWNVJdJqYVNVE4ISIYvFNbFCILNF9cI... (long line)
SearchScopes: HKLM-x32 -> {a62abdee-78a2-4ddb-9355-1c334abd6e43} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=xy_9e8de677&param1=ArFaIWJoNqArQGMVHFFoNqAqBbFaISEaQGR7xTVoN9IAy7IsQGR7B7JoN9JbDSk8vFE9GqQANFdcFCk8NVE4IGYVvFI9JGYVvmk3vmIXwVJdJqYVvFE9JCIWwVU9GqYVNUI3wGYGwVM4JmoVwVM9GqUNNos3wCIYwVA9JmoUwVA3vCITwVI9GqUNNFM3wCILNFdcIaUXNEBcGqQANFdcFCk8NoM4IGYUwVQ9ISIYwVU3vqYVwVw9IWYUNVM3vmISwVM9J6k4NVI9I6oXwVM9JmoVwVxdIqYWwVVdISIWNVJdJqYVNVE4ISIYvFNbFCILN... (long line)
SearchScopes: HKU\S-1-5-21-1767652436-1554288066-4292314943-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=xy_9e8de677&param1=ArFaIWJoNqArQGMVHFFoNqAqBbFaISEaQGR7xTVoN9IAy7IsQGR7B7JoN9JbDSk8vFE9GqQANFdcFCk8NVE4IGYVvFI9JGYVvmk3vmIXwVJdJqYVvFE9JCIWwVU9GqYVNUI3wGYGwVM4JmoVwVM9GqUNNos3wCIYwVA9JmoUwVA3vCITwVI9GqUNNFM3wCILNFdcIaUXNEBcGqQANFdcFCk8NoM4IGYUwVQ9ISIYwVU3vqYVwVw9IWYUNVM3vmISwVM9J6k4NV... (long line)
SearchScopes: HKU\S-1-5-21-1767652436-1554288066-4292314943-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=xy_9e8de677&param1=ArFaIWJoNqArQGMVHFFoNqAqBbFaISEaQGR7xTVoN9IAy7IsQGR7B7JoN9JbDSk8vFE9GqQANFdcFCk8NVE4IGYVvFI9JGYVvmk3vmIXwVJdJqYVvFE9JCIWwVU9GqYVNUI3wGYGwVM4JmoVwVM9GqUNNos3wCIYwVA9JmoUwVA3vCITwVI9GqUNNFM3wCILNFdcIaUXNEBcGqQANFdcFCk8NoM4IGYUwVQ9ISIYwVU3vqYVwVw9IWYUNVM3vmISwVM9J6k4NVI9I6oXwVM9Jmo... (long line)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
U0 aswVmm; no ImagePath
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {5D76FB80-1DE2-4181-BD0B-4CDF3082A336} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {D3E3D45C-D08F-4FA4-8284-0CFAF240C8CF} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java™ 6 Update 27 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416027FF}) (Version: 6.0.270 - Oracle)

===

Please post the Fixlog.txt file and let me know what problem persists.
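The fixlist above removes four kinds of leftovers: the hijacked Internet Explorer search scopes (the Yahoo affiliate URL under HKLM, the 32-bit HKLM view and the user's own hive), a shell icon overlay handler whose DLL is gone, a boot-start driver entry with no ImagePath, and scheduled tasks whose target file no longer exists. The script below is an added example, not part of this thread and not FRST: it enumerates those same four classes so the state can be confirmed before the fix and re-checked after the reboot. It assumes a 64-bit PowerShell run as Administrator on Windows 7; the SID and the search URL fragment are taken from the posted FRST log, and the registry locations are the standard ones for Internet Explorer search scopes, Explorer overlay handlers, services and the Task Scheduler cache.

```powershell
# Added example (not from the thread, not FRST): list the leftovers the fixlist
# targets. Assumes elevated 64-bit PowerShell on Windows 7. Nothing is modified.

$UserSid       = 'S-1-5-21-1767652436-1554288066-4292314943-1000'   # from the FRST log
$HijackPattern = 'hspart=arh&hsimp=yhs-001'                          # URL fragment seen in the log

foreach ($d in @(@('HKU', 'HKEY_USERS'), @('HKCR', 'HKEY_CLASSES_ROOT'))) {
    if (-not (Test-Path "$($d[0]):\")) { New-PSDrive -Name $d[0] -PSProvider Registry -Root $d[1] | Out-Null }
}

# 1. IE search scopes in the 64-bit, 32-bit (Wow6432Node) and per-user hives.
function Get-SearchScopeFindings {
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
               "HKU:\$UserSid\Software\Microsoft\Internet Explorer\SearchScopes")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $default = (Get-ItemProperty $root).DefaultScope
        foreach ($scope in Get-ChildItem $root) {
            $url = (Get-ItemProperty $scope.PSPath).URL
            New-Object PSObject -Property @{
                Hive = $root; Scope = $scope.PSChildName
                IsDefault = ($scope.PSChildName -eq $default)
                Hijacked  = [bool]($url -match [regex]::Escape($HijackPattern))
                URL = $url
            }
        }
    }
}

# 2. Shell icon overlay handlers whose COM server DLL is missing ("No File").
#    Only the 64-bit CLSID view is checked here; 32-bit handlers live under Wow6432Node.
function Get-OrphanOverlayHandlers {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    foreach ($h in Get-ChildItem $key) {
        $clsid  = (Get-ItemProperty $h.PSPath).'(default)'
        $server = $null
        $inproc = "HKCR:\CLSID\$clsid\InprocServer32"
        if ($clsid -and (Test-Path $inproc)) {
            $server = [Environment]::ExpandEnvironmentVariables(((Get-ItemProperty $inproc).'(default)' -replace '"', ''))
        }
        if (-not $server -or -not (Test-Path -LiteralPath $server)) {
            New-Object PSObject -Property @{ Handler = $h.PSChildName; CLSID = $clsid; Dll = $server }
        }
    }
}

# 3. Services/drivers with a Start value but no ImagePath. A driver without ImagePath
#    defaults to System32\drivers\<name>.sys, so the entry is only a dead leftover
#    (like aswVmm after an Avast uninstall) when that implied file is absent.
function Get-ServicesWithoutImagePath {
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $p = Get-ItemProperty $svc.PSPath
        if ($p.PSObject.Properties['Start'] -and -not $p.PSObject.Properties['ImagePath']) {
            $implied = "$env:SystemRoot\System32\drivers\$($svc.PSChildName).sys"
            New-Object PSObject -Property @{ Service = $svc.PSChildName; Start = $p.Start
                                             ImpliedFile = $implied; FileExists = (Test-Path -LiteralPath $implied) }
        }
    }
}

# 4. Scheduled tasks whose Exec action points at a file that no longer exists.
#    Windows 7 has no Get-ScheduledTask, so read the TaskCache and the task XML directly.
function Get-OrphanTasks {
    $cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    foreach ($t in Get-ChildItem $cache) {
        $taskPath = (Get-ItemProperty $t.PSPath).Path
        if (-not $taskPath) { continue }
        $xmlFile = "$env:SystemRoot\System32\Tasks$taskPath"
        if (-not (Test-Path -LiteralPath $xmlFile)) {
            New-Object PSObject -Property @{ Id = $t.PSChildName; Task = $taskPath; Command = '<task XML missing>' }
            continue
        }
        $xml = [xml](Get-Content -LiteralPath $xmlFile)
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if (-not $exec) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables(($exec.Command -replace '"', '').Trim())
            # Bare names such as rundll32.exe resolve through PATH, so fall back to Get-Command.
            if ($cmd -and -not (Test-Path -LiteralPath $cmd) -and -not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
                New-Object PSObject -Property @{ Id = $t.PSChildName; Task = $taskPath; Command = $cmd }
            }
        }
    }
}

'== Search scopes ==';              Get-SearchScopeFindings     | Format-Table Hive, Scope, IsDefault, Hijacked -AutoSize
'== Orphan overlay handlers ==';    Get-OrphanOverlayHandlers   | Format-Table Handler, CLSID, Dll -AutoSize
'== Services without ImagePath =='; Get-ServicesWithoutImagePath | Format-Table Service, Start, FileExists, ImpliedFile -AutoSize
'== Orphan tasks ==';               Get-OrphanTasks             | Format-Table Id, Task, Command -AutoSize
```

Run it once before applying the fixlist and once after the reboot: the search scopes with Hijacked set to True, the 00avast handler, aswVmm and the six task IDs from the fixlist should appear in the first run and be gone in the second. Anything that survives the fix, or any new entry that reappears later, points at a component that is still installed and re-creating the setting.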

#5 Jesecourt

Jesecourt
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Gender:Female
  • Location:Alabama
  • Local time:10:38 AM

Posted 22 October 2016 - 02:35 PM

Results attached.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,191 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:38 PM

Posted 23 October 2016 - 08:36 AM

How is the computer running now?
