Author Topic: HKCU and HKEY infections  (Read 3704 times)


Offline Maxwell5

  • Jr. Member
  • **
  • Posts: 41
HKCU and HKEY infections
« on: July 15, 2015, 09:11:37 PM »
I keep getting the following infection identified by ADWCleaner but I cannot seem to get rid of it and Avast seems unable to catch it:

HKCU\Software\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh

Concurrent with this Emsisoft Emergency Tool continually finds the following infections:

Value: HKEY_USERS\S-1-5-21-1422163307-3788927115-2030255185-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-1422163307-3788927115-2030255185-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    detected: Setting.DisableRegistryTools (A)

Avast also seems not to be capturing these.

Can you please tell me how to get rid of these infections?

Thank you
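The two findings in the post above, as an added read-only audit script (not code from the thread or from any of the tools named in it): it checks the per-user Task Manager / Registry Tools policy values and lists every extension registered under Chrome's per-user Extensions key, flagging the id reported above. It assumes Windows PowerShell 3 or later; the value names update_url and path are the ones Chrome reads for externally registered extensions, and the SID lookup is there because HKCU is the logged-on user's hive under HKEY_USERS.

```powershell
# Added example, not code from the thread. Read-only audit of the two
# persistence spots reported above; it reports and removes nothing.
# Assumes Windows PowerShell 3+ run as the affected user.

$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'
$extRoot      = 'HKCU:\Software\Google\Chrome\Extensions'
$reportedId   = 'lmjegmlicamnimmfhcmpkclmigmmcbeh'   # extension id from the post above

# HKCU is the logged-on user's hive, i.e. HKEY_USERS\<SID>; print the SID so the
# output can be matched against scanner reports that use the HKEY_USERS form.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Output "Auditing HKCU (= HKEY_USERS\$sid)"

# 1. Policy values that lock the user out of Task Manager and regedit.
#    Any non-zero DWORD means the restriction is in force.
if (Test-Path -Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey
    foreach ($name in $policyValues) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            Write-Output "FLAG  $name = $value  (restriction active under $policyKey)"
        } else {
            Write-Output "ok    $name not set"
        }
    }
} else {
    Write-Output "ok    $policyKey does not exist"
}

# 2. Per-user externally registered Chrome extensions. Each subkey is an
#    extension id; 'update_url' (remote) or 'path' (local CRX) is where Chrome
#    is told to load it from, which is the lead for whatever keeps re-creating it.
if (Test-Path -Path $extRoot) {
    foreach ($key in Get-ChildItem -Path $extRoot) {
        $id     = $key.PSChildName
        $props  = Get-ItemProperty -Path $key.PSPath
        $source = '(no update_url or path value)'
        if ($props.path)       { $source = $props.path }
        if ($props.update_url) { $source = $props.update_url }
        $tag = if ($id -eq $reportedId) { 'FLAG ' } else { 'info ' }
        Write-Output "$tag $id -> $source"
    }
} else {
    Write-Output "ok    $extRoot does not exist (no per-user external extensions)"
}
```

Running it right after each recurrence shows the source value the key was recreated with, which is the thing to trace rather than the key itself.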

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: HKCU and HKEY infections
« Reply #1 on: July 15, 2015, 09:15:42 PM »
Hello,


Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

Offline Maxwell5

Re: HKCU and HKEY infections
« Reply #2 on: July 15, 2015, 09:26:10 PM »
I shall do as you have instructed, but I should like you to know in advance that in the past, when I have reached the point where I need to use FRST and click "Fix", upon performing the subsequent reboot I lose my connection with the internet and am forced to do a System Restore.

Perhaps that will not be the case this time but I wanted to make you aware that this has been an issue in the past.

I will run FRST as directed and get back to you once it is done.

Thank you.

Offline Maxwell5

Re: HKCU and HKEY infections
« Reply #3 on: July 15, 2015, 09:36:15 PM »
Attached find FRST reports.

Thank you

Offline TwinHeadedEagle

Re: HKCU and HKEY infections
« Reply #4 on: July 15, 2015, 10:40:19 PM »
Uninstall MalwareBytes



Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

Offline Maxwell5

Re: HKCU and HKEY infections
« Reply #5 on: July 15, 2015, 11:34:50 PM »
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/15/2015
Scan Time: 5:04 PM
Logfile: malware.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.15.06
Rootkit Database: v2015.07.15.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Lewis

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 372894
Time Elapsed: 28 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Offline TwinHeadedEagle

Re: HKCU and HKEY infections
« Reply #6 on: July 16, 2015, 07:21:20 AM »
PC seems clean.

Offline Maxwell5

Re: HKCU and HKEY infections
« Reply #7 on: July 16, 2015, 02:42:54 PM »
Thank you, TWE.

It has been rearing its ugly head every 2-3 days.

Hopefully it will not do so again but if so I shall contact you.

Best regards.

Offline Maxwell5

Re: HKCU and HKEY infections
« Reply #8 on: July 17, 2015, 12:13:54 PM »
Please note that the pesky infection has once again reared its ugly head. I "cleaned" it with AdwCleaner but it keeps returning.

# AdwCleaner v4.208 - Logfile created 17/07/2015 at 06:06:18
# Updated 09/07/2015 by Xplode
# Database : 2015-07-15.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Lewis - LEWIS-PC
# Running from : C:\Users\Lewis\Desktop\zAdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17909


-\\ Google Chrome v43.0.2357.134


*************************

AdwCleaner[R0].txt - [748 bytes] - [13/07/2015 07:00:45]
AdwCleaner[R10].txt - [1979 bytes] - [14/07/2015 21:43:00]
AdwCleaner[R11].txt - [1692 bytes] - [14/07/2015 21:48:08]
AdwCleaner[R12].txt - [1752 bytes] - [15/07/2015 05:30:38]
AdwCleaner[R13].txt - [1897 bytes] - [15/07/2015 10:45:58]
AdwCleaner[R14].txt - [1957 bytes] - [15/07/2015 11:34:59]
AdwCleaner[R15].txt - [2018 bytes] - [15/07/2015 14:21:01]
AdwCleaner[R16].txt - [2052 bytes] - [15/07/2015 22:41:50]
AdwCleaner[R17].txt - [2112 bytes] - [16/07/2015 02:57:26]
AdwCleaner[R18].txt - [2172 bytes] - [16/07/2015 04:45:07]
AdwCleaner[R19].txt - [2232 bytes] - [16/07/2015 06:02:25]
AdwCleaner[R1].txt - [889 bytes] - [13/07/2015 09:56:51]
AdwCleaner[R20].txt - [2292 bytes] - [16/07/2015 09:13:34]
AdwCleaner[R21].txt - [2352 bytes] - [16/07/2015 11:24:44]
AdwCleaner[R22].txt - [2412 bytes] - [16/07/2015 13:46:24]
AdwCleaner[R23].txt - [2472 bytes] - [16/07/2015 16:23:31]
AdwCleaner[R24].txt - [2617 bytes] - [17/07/2015 06:02:49]
AdwCleaner[R2].txt - [1005 bytes] - [13/07/2015 14:48:43]
AdwCleaner[R3].txt - [1186 bytes] - [13/07/2015 18:23:41]
AdwCleaner[R4].txt - [1184 bytes] - [14/07/2015 06:33:53]
AdwCleaner[R5].txt - [1302 bytes] - [14/07/2015 12:13:31]
AdwCleaner[R6].txt - [1362 bytes] - [14/07/2015 18:01:37]
AdwCleaner[R7].txt - [1480 bytes] - [14/07/2015 19:39:33]
AdwCleaner[R8].txt - [1539 bytes] - [14/07/2015 20:01:55]
AdwCleaner[R9].txt - [1598 bytes] - [14/07/2015 20:10:40]
AdwCleaner[S0].txt - [954 bytes] - [13/07/2015 10:03:05]
AdwCleaner[S1].txt - [1255 bytes] - [13/07/2015 18:31:30]
AdwCleaner[S2].txt - [1251 bytes] - [14/07/2015 06:43:45]
AdwCleaner[S3].txt - [1428 bytes] - [14/07/2015 18:02:58]
AdwCleaner[S4].txt - [1836 bytes] - [14/07/2015 21:45:02]
AdwCleaner[S5].txt - [2083 bytes] - [15/07/2015 14:23:24]
AdwCleaner[S6].txt - [2543 bytes] - [17/07/2015 06:06:18]

########## EOF - C:\AdwCleaner\AdwCleaner[S6].txt - [2602  bytes] ##########



Offline TwinHeadedEagle

Re: HKCU and HKEY infections
« Reply #9 on: July 17, 2015, 01:00:01 PM »
Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the icon and select Run as Administrator to start the tool.
  • Follow the prompts and let this process run uninterrupted.
  • This scan can take a while, depending on your System specs.
  • Upon completion, a log (JRT.txt) will open on your desktop.
Please include the contents of that file in your reply.

Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.




Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.

Offline Maxwell5

Re: HKCU and HKEY infections
« Reply #10 on: July 17, 2015, 02:29:17 PM »
Below find the JRT report. I tried to paste the FRST reports but got a message that it made the post too large, so I have attached them instead.

Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.1 (07.16.2015:1)
OS: Windows 7 Home Premium x64
Ran by Lewis on Fri 07/17/2015 at  7:59:57.65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Chrome


[C:\Users\Lewis\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Lewis\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Lewis\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Lewis\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 07/17/2015 at  8:08:33.35
End of JRT log