
Malware registry entries come back after reboot


This topic is locked. 9 replies to this topic.

#1 GrilledYo (Members)

Posted 15 December 2017 - 12:48 AM

I've run Malwarebytes and Malwarebytes AdwCleaner. Both of which return two and four hits, respectively, of malware and PUP registry entries after a clean and reboot. I've tried to install the Sophos Malware Remover Tool, but the exe won't do anything after clicking and accepting that it'll make changes to my computer. Not sure what to try next, as most posts differ in the actions needed at this point.





#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 15 December 2017 - 09:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

It's a Syncing issue.
To remove it you will have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

Let me know if you have any other issues with this computer.

#3 GrilledYo (Topic Starter)

Posted 17 December 2017 - 01:58 PM

I'm currently not logged into chrome to allow syncing. The problem also doesn't originate in the chrome search engine folder. They're registry values and keys.


Edited by GrilledYo, 17 December 2017 - 02:01 PM.


#4 nasdaq (Malware Response Team)

Posted 18 December 2017 - 07:18 AM

Please post a copy of the Malwarebytes log for my review.

#5 GrilledYo (Topic Starter)

Posted 20 December 2017 - 09:34 PM

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/17/17
Scan Time: 10:52 AM
Log File: 7d94c1ae-e35b-11e7-8985-bc5ff44e877b.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3508
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Alex-PC\Alex

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 376824
Threats Detected: 2
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 11 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Rootkit.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UDISKMGR, Removal Failed, [1245], [466343],1.0.3508

Registry Value: 1
Rootkit.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UDISKMGR|IMAGEPATH, Removal Failed, [1245], [466343],1.0.3508

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)



#6 GrilledYo (Topic Starter)

Posted 20 December 2017 - 09:36 PM

And here is AdwCleaner:

# AdwCleaner 7.0.5.0 - Logfile created on Fri Dec 15 05:22:52 2017
# Updated on 2017/29/11 by Malwarebytes
# Database: 12-13-2017.2
# Running on Windows 7 Professional (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{FCE3FA8B-BA81-467C-81D8-E43C00D1BC71}
PUP.Optional.Legacy, [Key] - HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
PUP.Optional.Legacy, [Key] - HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [4659 B] - [2017/12/15 5:15:33]
C:/AdwCleaner/AdwCleaner[S0].txt - [5113 B] - [2017/12/15 5:11:40]


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########
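The two logs above flag one service key whose removal failed and four keys that simply reappear. Before deleting anything, the checks a responder would run against those exact paths are shown below as an added example; it is not part of the thread and not code from Malwarebytes or AdwCleaner. For each key it reports whether the key is visible through the normal registry API, who owns it and which identities hold the Delete right (a restrictive DACL is one ordinary reason a scanner reports "Removal Failed"), and, for the service key, what file its ImagePath resolves to and whether that file exists and carries a valid Authenticode signature. It assumes an elevated PowerShell 3.0 or later (Windows 7 ships 2.0, so WMF 3 or newer must be installed). Nothing about what UDISKMGR is or whether the GUID keys are benign is known from the thread, and the script does not assume either way.

```powershell
# Added triage script, not from the thread. Run in an elevated PowerShell 3.0+.
# The paths are the five keys flagged in the Malwarebytes and AdwCleaner logs.
$flagged = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\UDISKMGR',
    'HKLM:\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}',
    'HKLM:\SOFTWARE\Classes\CLSID\{FCE3FA8B-BA81-467C-81D8-E43C00D1BC71}',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}'
)

function Resolve-ImagePath {
    # Service ImagePath values use NT-style prefixes (\??\, \SystemRoot\, bare
    # system32\...). Map the common forms to a Win32 path and drop any arguments.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches[1]
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^%SystemRoot%\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KeyReport {
    param([string]$Path)
    $report = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path) }
    if (-not $report.Exists) { return [pscustomobject]$report }

    # Owner, Delete-holders and Deny ACEs show whether "Removal Failed" is an
    # access problem rather than something re-creating the key.
    $acl = Get-Acl -LiteralPath $Path
    $deleteBit = [int][System.Security.AccessControl.RegistryRights]::Delete
    $report.Owner = $acl.Owner
    $report.CanDelete = ($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band $deleteBit) -ne 0)
    } | ForEach-Object { $_.IdentityReference }) -join ', '
    $report.DenyEntries = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { "$($_.IdentityReference):$($_.RegistryRights)" }) -join ', '

    $props = Get-ItemProperty -LiteralPath $Path
    switch -Regex ($Path) {
        '\\Services\\' {
            # Type 1/2 = kernel/file-system driver, 16/32 = user-mode service.
            # Start 0/1 = boot/system start, 2 = auto, 3 = demand, 4 = disabled.
            $report.ServiceType  = $props.Type
            $report.StartType    = $props.Start
            $report.ImagePath    = $props.ImagePath
            $file = Resolve-ImagePath $props.ImagePath
            $report.ResolvedFile = $file
            $report.FileExists   = [bool]($file -and (Test-Path -LiteralPath $file))
            if ($report.FileExists) {
                $sig = Get-AuthenticodeSignature -FilePath $file
                $report.Signature = "$($sig.Status) $($sig.SignerCertificate.Subject)"
            }
        }
        '\\Classes\\CLSID\\' {
            # A COM class: InprocServer32 names the DLL loaded whenever something
            # instantiates this CLSID (browser helper objects live here).
            $report.Name   = $props.'(default)'
            $report.Server = (Get-ItemProperty -LiteralPath "$Path\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
        }
        '\\Classes\\Interface\\' {
            $report.Name = $props.'(default)'
        }
        '\\Control\\Class\\' {
            # A device setup class. The numbered subkeys (0000, 0001, ...) are the
            # driver instances still attached to the class.
            $report.Class     = $props.Class
            $report.Name      = $props.'(default)'
            $report.Instances = @(Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -match '^\d{4}$' }).Count
        }
    }
    return [pscustomobject]$report
}

$flagged | ForEach-Object { Get-KeyReport $_ } | Format-List
```

Two things to read from the output. If the report says a key does not exist while the Malwarebytes rootkit scan keeps finding it, the live registry API and the scanner are not seeing the same data, and that discrepancy is itself the finding: trust an offline or boot-time scan over anything run from the infected Windows. And a Control\Class key with a non-zero Instances count is typically recreated by Plug and Play as long as a device or driver that references the class is still installed, so deleting it with a .reg file is unlikely to stick until the driver package behind it is removed.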



#7 nasdaq (Malware Response Team)

Posted 21 December 2017 - 08:14 AM

This should remove them.

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

; A leading "-" inside the brackets deletes that key and everything beneath it.
; Service key reported by Malwarebytes as Rootkit.Agent (Removal Failed)
[-HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\UDISKMGR]
; COM interface and class registrations reported by AdwCleaner as PUP.Optional.Legacy
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FCE3FA8B-BA81-467C-81D8-E43C00D1BC71}]
; Device setup class keys reported by AdwCleaner as PUP.Optional.Legacy
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}]


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#8 GrilledYo (Topic Starter)

Posted 21 December 2017 - 03:00 PM

This came back in AdwCleaner after making the Notepad file and running the registry editor.

# AdwCleaner 7.0.5.0 - Logfile created on Thu Dec 21 19:58:44 2017
# Updated on 2017/29/11 by Malwarebytes
# Database: 12-21-2017.1
# Running on Windows 7 Professional (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
PUP.Optional.Legacy, [Key] - HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [4659 B] - [2017/12/15 5:15:33]
C:/AdwCleaner/AdwCleaner[C1].txt - [1613 B] - [2017/12/15 5:53:14]
C:/AdwCleaner/AdwCleaner[S0].txt - [5113 B] - [2017/12/15 5:11:40]
C:/AdwCleaner/AdwCleaner[S1].txt - [1476 B] - [2017/12/15 5:22:52]
C:/AdwCleaner/AdwCleaner[S2].txt - [1414 B] - [2017/12/21 2:37:45]


########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt ##########


Edited by GrilledYo, 21 December 2017 - 03:03 PM.


#9 GrilledYo (Topic Starter)

Posted 21 December 2017 - 03:05 PM

Much, much more came back on Malwarebytes.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/21/17
Scan Time: 11:54 AM
Log File: b4e0bd22-e688-11e7-b1b5-bc5ff44e877b.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3538
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Alex-PC\Alex

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 377003
Threats Detected: 10
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 10 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Adware.DotDo.Generic, C:\PROGRAM FILES (X86)\AEONS\EMULATE.EXE, No Action By User, [1053], [471311],1.0.3538

Module: 1
Adware.DotDo.Generic, C:\PROGRAM FILES (X86)\AEONS\EMULATE.EXE, No Action By User, [1053], [471311],1.0.3538

Registry Key: 1
Rootkit.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UDISKMGR, No Action By User, [1244], [466343],1.0.3538

Registry Value: 3
Rootkit.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\UDISKMGR|IMAGEPATH, No Action By User, [1244], [466343],1.0.3538
PUP.Optional.WinResSync, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|WINRESSYNC, No Action By User, [2697], [471359],1.0.3538
Adware.DotDo.Generic, HKU\S-1-5-21-807839814-2025956155-2868067111-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|emulate, No Action By User, [1053], [471311],1.0.3538

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
PUP.Optional.WinResSync, C:\USERS\ALEX\APPDATA\ROAMING\MICROSOFT\PROTECT\WINRESCHECK.WRC, No Action By User, [2697], [471379],1.0.3538
Adware.DotDo.Generic, C:\PROGRAM FILES (X86)\AEONS\EMULATE.EXE, No Action By User, [1053], [471311],1.0.3538
Trojan.Yelloader, C:\USERS\ALEX\APPDATA\LOCAL\TEMP\1512935268\SETUP0904.ZIP, No Action By User, [1316], [470698],1.0.3538
Trojan.Yelloader, C:\USERS\ALEX\APPDATA\LOCAL\TEMP\1512935268\SETUP0904.EXE, No Action By User, [1316], [470698],1.0.3538

Physical Sector: 0
(No malicious items detected)


(end)
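The second Malwarebytes log adds user-mode persistence to the picture: a Run value in the user's own hive, a RunOnce value under HKU\S-1-5-18 (the LocalSystem account's hive), and installer files in a numbered folder under the user's Temp. Rather than chasing each value by name, the added example below (not from the thread, and not Malwarebytes' logic) enumerates every Run and RunOnce value in HKLM, in the 32-bit Wow6432Node view, and in every hive currently loaded under HKEY_USERS, resolves each command line to the executable it would launch, and flags entries whose target is missing, is not validly signed, or lives under a Temp or AppData path. The flagging rules are this example's own heuristics; it assumes an elevated PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 3.0+.
# Map HKEY_USERS so loaded per-user and per-service-account hives can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-CommandExecutable {
    # Turn an autorun command line into the path of the program it starts.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $c = [System.Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted: grow the candidate one word at a time until it names a real file,
    # which handles "C:\Program Files\x\y.exe /arg" as well as "y.exe".
    $words = $c -split ' '
    for ($i = 1; $i -le $words.Count; $i++) {
        $candidate = ($words[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $words[0]
}

function Get-AutorunReport {
    # Machine-wide keys, the 32-bit view on x64, then every loaded hive under HKU
    # (the *_Classes hives hold no Run keys and are skipped).
    $bases = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') +
        @(Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notmatch '_Classes$' } |
          ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE" })

    foreach ($base in $bases) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$base\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                $cmd    = [string]$item.GetValue($name)
                $exe    = Get-CommandExecutable $cmd
                $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
                $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

                # Heuristics of this example, not the scanner's rules.
                $reasons = @()
                if (-not $exists)                     { $reasons += 'target missing' }
                elseif ($sig -ne 'Valid')             { $reasons += "signature $sig" }
                if ($exe -match '\\(Temp|AppData)\\') { $reasons += 'runs from Temp/AppData' }

                [pscustomobject]@{
                    Key        = "$key|$name"
                    Command    = $cmd
                    Executable = $exe
                    Suspicious = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-AutorunReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Entries with an empty Suspicious column still deserve a glance, but the ones that sort to the top are where a log like the one above comes from: a Run value pointing at a program under Program Files (x86) that no vendor signed, or a RunOnce value whose target has already been deleted, is exactly the shape of what the scanner reported. Only the hives that are loaded at the time are walked; a user who is not logged on has no hive under HKEY_USERS, so run this once per account or load the NTUSER.DAT files offline.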



#10 nasdaq (Malware Response Team)

Posted 22 December 2017 - 08:05 AM



Hi,

It's a Syncing issue as I have suggested in post No. 2.

You can check with the Malwarebytes's forum. Boot tools are their responsibility.

https://forums.malwarebytes.com/forum/7-malware-removal-for-windows/



