
File may have affected edited registry and other things



#1 AlbertCam

AlbertCam

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 08 May 2017 - 05:46 PM

Hello everyone, I would like to request some help regarding an issue. I do apologize for the coming wall of text.

 

My system is currently, and was at the time of infection, protected by Kaspersky Internet Security with settings set so that any activity or attempt by a program gives me a prompt.

 

I used an executable file for a video game. It was a game trainer, which is supposed to inject code into the game to basically add 'cheats'. This is the culprit of my issue and I can point you to the file if needed, although the file itself was cleared by Kaspersky.

 

The issue is that upon allowing it to do a couple of actions, I noticed that it was asking me for permission to edit the registry in the location of ../internetsettings/zonemap/domains, and those areas.

I stopped and deleted it, but unfortunately due to my carelessness I allowed it to perform around 3-5 actions. In the Domains registry key I saw 4 entries which seem to be adware.

 

  1. I have run a Kaspersky full system scan and rootkit scan and it found nothing.
  2. Full scan with Malwarebytes and it found nothing.
  3. Scan with Malwarebytes Anti-Rootkit found nothing to fix.
  4. "HiJack This" produced a log file of registry issues which included the 4 entries for "Domains" mentioned above.
  5. Spybot normal scan found 86 fixable issues, but they're all green and minor (I will not fix the issues until instructed further here).
  6. Spybot Rootkit scan found nothing to fix.

While the above scans show no major issues, I am not 100% comfortable with the results and do not feel safe. Not to mention the 4 registry entries and the fact that I am aware that the executable did something.

 

I would greatly appreciate help in fixing this issue and any advice or ways to clean out areas that are less likely to be detected, such as the registry. Please let me know how you prefer I approach this, many thanks.

 




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:55 PM

Posted 09 May 2017 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer:
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know if you have any issues with this computer.
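The fix above deletes the whole ZoneMap\Domains key without showing what was in it. As an added example, not part of this thread or of any tool mentioned in it, here is a Python script that parses the text of a `reg export` of the Internet Settings\ZoneMap key and lists each per-domain zone assignment, so the entries can be reviewed (and kept as evidence) before the key is wiped. Zone numbers are the standard Internet Explorer ones (1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites); entries that place a host in the Intranet or Trusted zones loosen security for that host and are the ones worth a second look. The sample .reg text, the domain names in it and all function names are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Zone numbers as stored in the DWORD values under ZoneMap\Domains.
ZONE_NAMES: Dict[int, str] = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Zones that relax browser security for a host; these are the entries to review.
LOOSENING_ZONES = {1, 2}

# Matches "[HIVE\...\ZoneMap\Domains\example.test]" and "...\Domains\example.test\www]".
# Deletion lines "[-HKEY...]" deliberately do not match (no hive right after "[").
_KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\ZoneMap\\(?P<map>Domains|EscDomains)\\(?P<path>[^\]]+)\]$",
    re.IGNORECASE,
)
# Matches value lines such as "*"=dword:00000002 or "https"=dword:00000002.
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed sample of `reg export` output (hypothetical domains, not the poster's data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-intranet.local]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adware-example.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adware-example.test\www]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-example.test]
"*"=dword:00000004
'''


class ZoneMapEntry(NamedTuple):
    hive: str
    zonemap: str  # "Domains" or "EscDomains"
    host: str     # "example.test" (domain and subdomains) or "www.example.test"
    scheme: str   # "*", "http", "https", ...
    zone: int


def parse_zonemap(reg_text: str) -> List[ZoneMapEntry]:
    """Return every (host, scheme, zone) assignment found in .reg text."""
    entries: List[ZoneMapEntry] = []
    current = None  # (hive, zonemap, host) of the key whose values are being read
    for raw in reg_text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a BOM on the first line
        if line.startswith("["):
            m = _KEY_RE.match(line)
            if m:
                parts = m.group("path").split("\\")      # [domain] or [domain, host]
                host = ".".join(reversed(parts))         # "example.test\www" -> "www.example.test"
                current = (m.group("hive"), m.group("map"), host)
            else:
                current = None  # some other key, or a [-KEY] deletion line
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            hive, zonemap, host = current
            entries.append(ZoneMapEntry(hive, zonemap, host, m.group("name"), int(m.group("hex"), 16)))
    return entries


def loosening_entries(entries: List[ZoneMapEntry]) -> List[ZoneMapEntry]:
    """Entries that put a host into the Intranet or Trusted zone."""
    return [e for e in entries if e.zone in LOOSENING_ZONES]


def summarize(entries: List[ZoneMapEntry]) -> Dict[str, int]:
    """Count of entries per zone name."""
    return dict(Counter(ZONE_NAMES.get(e.zone, f"Unknown zone {e.zone}") for e in entries))


def report(reg_text: str) -> str:
    """Human-readable review of a ZoneMap export."""
    entries = parse_zonemap(reg_text)
    lines = [f"{len(entries)} ZoneMap entries found"]
    for name, count in sorted(summarize(entries).items()):
        lines.append(f"  {name}: {count}")
    for e in loosening_entries(entries):
        lines.append(f"REVIEW {e.hive} {e.zonemap}: {e.scheme}://{e.host} -> {ZONE_NAMES[e.zone]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_REG))
```

On a live system the input would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg` (and the same under HKLM); `reg export` writes UTF-16 by default, so read the file with `encoding="utf-16"` before passing its text to `report`. Keeping that export alongside the fix gives you a record of exactly which hosts the program added.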

#3 AlbertCam

AlbertCam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 09 May 2017 - 01:59 PM

Thank you Nasdaq for your quick help

 

I have followed instructions and can confirm that the registry commands you provided have cleared the entries I saw.

 

FRST.txt has been attached.

Attached Files

  • Attached File: FRST.txt (80.07KB, 4 downloads)


#4 AlbertCam

AlbertCam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 10 May 2017 - 03:50 PM

Hi nasdaq, sorry to repost in this thread, but I am very worried there could be something hidden or some residual malware that I would not be able to detect normally by myself.
Short of formatting and reinstalling the OS, is it possible to ensure that my PC is 100% clean, or can that never be known?

 

Edit: Apologies, I just saw the rule as to not allow bumping of threads. I would delete it but not sure how. I understand the consequences.


Edited by AlbertCam, 10 May 2017 - 04:01 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:55 PM

Posted 11 May 2017 - 07:08 AM

The bumping message is for those waiting for help.
You can add as many posts to this topic as you like.


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicy: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
FF user.js: detected! => C:\Users\Albert\AppData\Roaming\Mozilla\Firefox\Profiles\g1lvyc7r.default\user.js [2015-05-03]
FF Homepage: Mozilla\Firefox\Profiles\g1lvyc7r.default -> hxxps://www.google.com/?gws_rd=cr&ei=4S9gVb_SKabgywP6jIKIBg&fg=1
CHR HKLM\...\Chrome\Extension: [lpeeaghdjmhlakojjcgfdhgcejdaefmi] - hxxps://chrome.google.com/webstore/detail/lpeeaghdjmhlakojjcgfdhgcejdaefmi
CHR HKLM-x32\...\Chrome\Extension: [lpeeaghdjmhlakojjcgfdhgcejdaefmi] - hxxps://chrome.google.com/webstore/detail/lpeeaghdjmhlakojjcgfdhgcejdaefmi
S3 cpuz137; \??\C:\Users\Albert\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Windows\TEMP\cpuz138\cpuz138_x64.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>


Please post the Fixlog.txt and let me know what problem persists.

Post also the Addition.txt file that was created by the Farbar program.

===

p.s.
While I check your logs run this Sophos Scan.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log

#6 AlbertCam

AlbertCam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 12 May 2017 - 09:12 AM

Instructions performed and files attached as requested.

 

Sophos ran as instructed, no threats have been found.

 

There were no initial symptoms and currently there are no symptoms as well.

 

I have a Windows system restore point from before the registry incident; it is not advisable to do anything with that, correct?

Attached Files


Edited by AlbertCam, 12 May 2017 - 10:57 AM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:55 PM

Posted 12 May 2017 - 12:51 PM

Looking good.

Look at the restore points available on the Addition.txt log.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#8 AlbertCam

AlbertCam
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 12 May 2017 - 04:38 PM

Thank you nasdaq! I really appreciate all the help you have given me!





