Malware- Acer- 20230626

Discussion in 'Malware Help - Public (Anyone Can Post & Respond)' started by manilka835, Jun 26, 2023.

  1. manilka835

    manilka835 Specialist

    A laptop computer has been received for usage.

    I have run READ & RUN ME FIRST- Malware Removal Guide to make sure there are no Malware. The relevant logs are attached.


    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer of Health,
    Katana.
    Proud to be a Sri Lankan!
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the MajorGeeks Malware Forum.

    While I review what you have posted please do this.

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download Farbar Recover Scan Tool for 64 bit systems and save it to your Desktop. <<< Important
• If your computer language is other than English, right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
• Note: If you receive any warning about the download, it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
    • 2 Notepad documents should now be open on your desktop.
    • Please copy and paste the contents of each report in separate reply windows
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:

    • FRST.txt
    • Addition.txt
     
  3. manilka835

    manilka835 Specialist

    Greetings! Thank You!

    • FRST.txt
    • Addition.txt
    logs are attached.
     

    Attached Files:

  4. Oh My!

    Oh My! Malware Expert Staff Member

    I am pleased to report there is no evidence of malicious software on the system. However, combining Windows 7 along with a lot of outdated software makes this computer vulnerable going forward.

There is very little available memory to efficiently run the system.

    There are some things we can do to tidy up the system a bit if you'd like. Let me know if you want to do that.
     
  5. manilka835

    manilka835 Specialist

    As this laptop is to be used for Powerpoint Presentation and as it is slow on loading web pages, I would like to proceed with speeding up the system as much as possible.

    Further, I have
    • Installed SpyWare Blaster
    • Removed the existing Anti-Virus Programme and installed Microsoft Security Essentials.
    • Installed Comodo Firewall.
    • Installed Autoruneater
     
  6. Oh My!

    Oh My! Malware Expert Staff Member

    Very good.

I am assuming you uninstalled Comodo antivirus and installed Comodo Firewall. The problem is, even if you uninstall a program, especially antivirus programs, remnants remain behind that can negatively affect a system. What I propose is to uninstall Comodo Firewall temporarily, conduct a special search to locate, then remove, all Comodo remnants, then reinstall Comodo Firewall when we are done cleaning the system.

    There is quite a bit to do in this first post. Please do these things.

    ===================================================

    Uninstalling Adobe Flash Player

    --------------------

    Note: Adobe Flash Player is no longer supported and is a security risk.
    • Download Adobe Flash Player Uninstaller and save it to your Desktop
    • Right click on the icon and select Run as administrator
    • Click Uninstall then Done to reboot your computer
    ===================================================

    Java Out of Date

    --------------------

    Java is known to have ongoing security concerns. If you know you don't need it, or even if you are unsure, I would recommend uninstalling it. If it is necessary in the future you will be alerted for the need to download it.

    If you would rather have the program on your system skip the above and complete the Clean Install of Java Using JavaRa instructions here.

    ===================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------
    • Download Revo Uninstaller Free Portable from and save it to your Desktop
    • Right click on the folder and select Extract All..., then click Extract
    • Double click on the RevoUninstaller-Portable folder
    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    Code:
    Comodo Firewall
    ESET NOD32 Antivirus
    UmmyVideoDownloader
    µTorrent
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    System Update Readiness Tool for Windows Updates 7/Vista

    --------------------
    • Download System Update Readiness Tool for Windows 7 for x64-based Systems (KB947821) and save it to your desktop
    • Right click on the file and select Open with then Windows Update Standalone Installer (default) then click OK
    • Be patient as it is a large file to download
    • If you are asked for permission to install software click Yes
    • This process may take a long time and appear as if it is stalled. If the cursor is still blinking inside the window the program is working
    • Once completed click Close
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    Zip: C:\Windows\Logs\CBS
    CHR Notifications: Default -> hxxps://video.genyoutube.net; hxxps://www.facebook.com; hxxps://www.genyoutube.net
    S3 HWiNFO32; \??\C:\Users\DRC619~1.SAN\AppData\Local\Temp\HWiNFO64A.SYS [X] <==== ATTENTION 
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File] 
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File] 
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File 
    FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found 
    CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found> 
    S3 HWiNFO32; \??\C:\Users\DRC619~1.SAN\AppData\Local\Temp\HWiNFO64A.SYS [X] <==== ATTENTION 
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0] 
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_205.dll [2015-09-10] (Adobe Systems Incorporated -> ) 
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_205.dll [2015-09-10] (Adobe Systems Incorporated -> ) 
    WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate] 
    WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\":: 
    WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99] 
    WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate] 
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {3c12aada-f8ee-11e6-be4a-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {3c12ab09-f8ee-11e6-be4a-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {4f476230-f42d-11e5-97a7-b888e3a1938c} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {629ebc71-3fe7-11e9-961c-68942343bd1e} - G:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {9ae8e118-f906-11e6-9ad1-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {9fb44ab7-fdab-11e5-b53c-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {abe311f9-5cfb-11e5-9ffe-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {abe31205-5cfb-11e5-9ffe-68942343bd1d} - F:\AutoRun.exe
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    Emptytemp:
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
• The tool will create a zipped folder on your Desktop with today's date, example: 06.20.2023_13.24.50.zip. Please upload the folder to GoFile, WeTransfer, or the file hosting site of your choice. Post the download link in your reply
    • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
    • Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Right click on FRST and select Run as administrator
    • Copy/paste the following in the Search: box
    Code:
    SearchAll: Comodo
    
    • Click Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • Zip and upload the file to GoFile or the file hosting site of your choice and post the download link in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Adobe Flash removed?
    • Java removed?
    • Programs uninstalled?
    • System Update Readiness Tool run?
    • Fixlog
    • Download links for zipped CBS and Search.txt files
     
    Last edited: Jun 28, 2023
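The WMI:subscription and MountPoints2 lines in the fixlist above are two classic autostart locations (a permanent WMI event filter bound to a command-line consumer, and per-volume Shell\AutoRun\command entries left by autorun.inf-style media). The read-only audit script below is an added example, not part of the thread and not an FRST or MajorGeeks tool; it lists what is currently registered in both places so the same check can be repeated after the fix runs. It assumes an elevated PowerShell prompt on the affected user's account (HKCU corresponds to the HKU\S-1-5-21-...-1000 hive in the fixlist) and is kept PowerShell 2.0 compatible for Windows 7.

```powershell
# Added example (not from the thread): read-only audit of the WMI event
# subscription namespace and the MountPoints2 autorun commands that the
# FRST fixlist above removes. Run from an elevated PowerShell prompt.
# Uses Get-WmiObject / New-Object for Windows 7 (PowerShell 2.0) compatibility.

function Get-WmiPersistence {
    # Permanent subscriptions live in root\subscription. One autostart entry is
    # a filter (the event to watch), a consumer (the action) and a binding that
    # joins them, e.g. BVTFilter -> BVTConsumer in the fixlist above.
    $ns = 'root\subscription'

    foreach ($f in @(Get-WmiObject -Namespace $ns -Class __EventFilter)) {
        New-Object PSObject -Property @{
            Kind = 'WMI filter'; Name = $f.Name; Detail = $f.Query }
    }

    # __EventConsumer is the abstract base class, so this query returns every
    # consumer type; report the field that actually carries the action.
    foreach ($c in @(Get-WmiObject -Namespace $ns -Class __EventConsumer)) {
        switch ($c.__CLASS) {
            'CommandLineEventConsumer' {
                $action = '{0} (cwd: {1})' -f $c.CommandLineTemplate, $c.WorkingDirectory }
            'ActiveScriptEventConsumer' {
                $action = '{0} script, {1} chars' -f $c.ScriptingEngine, $c.ScriptText.Length }
            default { $action = $c.__CLASS }
        }
        New-Object PSObject -Property @{
            Kind = 'WMI consumer'; Name = $c.Name; Detail = $action }
    }

    foreach ($b in @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        New-Object PSObject -Property @{
            Kind = 'WMI binding'; Name = $b.Filter; Detail = $b.Consumer }
    }
}

function Get-MountPointAutoRun {
    # Each removable-volume GUID under MountPoints2 may carry a
    # Shell\AutoRun\command value; FRST summarises these as "{GUID} - F:\AutoRun.exe".
    # Only the current user's hive is read here (assumption: run as that user).
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $base)) { return }

    foreach ($k in @(Get-ChildItem -Path $base)) {
        $cmdKey = Join-Path $k.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmdKey) {
            # The command string is stored in the key's unnamed (default) value.
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            New-Object PSObject -Property @{
                Kind = 'MountPoints2'; Name = $k.PSChildName; Detail = $cmd }
        }
    }
}

# Collect both sources; @() keeps a single result from collapsing to a scalar.
$findings = @(Get-WmiPersistence) + @(Get-MountPointAutoRun)

if ($findings.Count -eq 0) {
    'No WMI event subscriptions or MountPoints2 autorun commands found.'
} else {
    $findings | Format-Table -Property Kind, Name, Detail -AutoSize -Wrap
}
```

Run it once before the fix to see the BVTFilter/BVTConsumer pair and the AutoRun.exe entries, and again after the reboot; an empty result in both places matches the "removed successfully" lines expected in Fixlog.txt.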
  7. manilka835

    manilka835 Specialist

    Adobe Flash Player was Uninstalled.
    Java was Uninstalled.
    Comodo Firewall was uninstalled.
    System Update Readiness Tool for Windows Updates 7/Vista: Hotfix for Windows (KB947821) update could not be installed.

    Download link for the 29.06.2023_14.18.18 zipped folder created by the Farbar Recovery Scan Tool- https://gofile.io/d/1sXZNw

    Download link for Zipped Search.txt document- https://gofile.io/d/9Qgtzn

Fixlog.txt contents

    Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2023
    Ran by Dr. Sanath (29-06-2023 14:17:14) Run:1
    Running from C:\Users\Dr. Sanath\Desktop
    Loaded Profiles: Dr. Sanath & Guest
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    Zip: C:\Windows\Logs\CBS
    CHR Notifications: Default -> hxxps://video.genyoutube.net; hxxps://www.facebook.com; hxxps://www.genyoutube.net
    S3 HWiNFO32; \??\C:\Users\DRC619~1.SAN\AppData\Local\Temp\HWiNFO64A.SYS [X] <==== ATTENTION
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
    FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
    CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
    S3 HWiNFO32; \??\C:\Users\DRC619~1.SAN\AppData\Local\Temp\HWiNFO64A.SYS [X] <==== ATTENTION
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_205.dll [2015-09-10] (Adobe Systems Incorporated -> )
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_205.dll [2015-09-10] (Adobe Systems Incorporated -> )
    WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]
    WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
    WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
    WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {3c12aada-f8ee-11e6-be4a-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {3c12ab09-f8ee-11e6-be4a-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {4f476230-f42d-11e5-97a7-b888e3a1938c} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {629ebc71-3fe7-11e9-961c-68942343bd1e} - G:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {9ae8e118-f906-11e6-9ad1-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {9fb44ab7-fdab-11e5-b53c-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {abe311f9-5cfb-11e5-9ffe-68942343bd1d} - F:\AutoRun.exe
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\...\MountPoints2: {abe31205-5cfb-11e5-9ffe-68942343bd1d} - F:\AutoRun.exe
    cmd: netsh winsock reset catalog
    cmd: netsh int ip reset resetlog.txt
    cmd: netsh advfirewall reset
    cmd: netsh advfirewall set allprofiles state ON
    cmd: bitsadmin /reset /allusers
    cmd: ipconfig /flushdns
    Removeproxy:
    hosts:
    Emptytemp:
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    ================== Zip: ===================
    C:\Windows\Logs\CBS -> copied successfully to C:\Users\Dr. Sanath\Desktop\29.06.2023_14.18.18.zip
    =========== Zip: End ===========
    "Chrome Notifications" => removed successfully
    HKLM\System\CurrentControlSet\Services\HWiNFO32 => removed successfully
    HWiNFO32 => service removed successfully
    HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => removed successfully
    HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => removed successfully
    HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
    "HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com" => removed successfully
    HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek => removed successfully
    HWiNFO32 => service not found.
    C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`27hfm" ADS removed successfully
    HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer => not found
    "C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_205.dll" => not found
    "HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_205.dll [2015-09-10] (Adobe Systems Incorporated" => not found
    "C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_205.dll" => not found
    "BVTConsumer" => removed successfully
    "CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"" => removed successfully
    "BVTFilter" => removed successfully
    "BVTConsumer" => not found
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3c12aada-f8ee-11e6-be4a-68942343bd1d} => removed successfully
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3c12ab09-f8ee-11e6-be4a-68942343bd1d} => removed successfully
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4f476230-f42d-11e5-97a7-b888e3a1938c} => removed successfully
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{629ebc71-3fe7-11e9-961c-68942343bd1e} => removed successfully
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9ae8e118-f906-11e6-9ad1-68942343bd1d} => removed successfully
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9fb44ab7-fdab-11e5-b53c-68942343bd1d} => removed successfully
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{abe311f9-5cfb-11e5-9ffe-68942343bd1d} => removed successfully
    HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{abe31205-5cfb-11e5-9ffe-68942343bd1d} => removed successfully

    ========= netsh winsock reset catalog =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.



    ========= End of CMD: =========


    ========= netsh int ip reset resetlog.txt =========

    Reseting Global, OK!
    Reseting Interface, OK!
    Reseting Unicast Address, OK!
    Reseting Route, OK!
    Restart the computer to complete this action.



    ========= End of CMD: =========


    ========= netsh advfirewall reset =========

    Ok.



    ========= End of CMD: =========


    ========= netsh advfirewall set allprofiles state ON =========

    Ok.



    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    BITSADMIN version 3.0 [ 7.5.7601 ]
    BITS administration utility.
    (C) Copyright 2000-2006 Microsoft Corp.

    BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
    Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

    0 out of 0 jobs canceled.


    ========= End of CMD: =========


    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========


    ========= RemoveProxy: =========

    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
    "HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-21-3622672852-1347154351-1572509336-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
    "HKU\S-1-5-21-3622672852-1347154351-1572509336-501\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
    "HKU\S-1-5-21-3622672852-1347154351-1572509336-501\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully


    ========= End of RemoveProxy: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    =========== EmptyTemp: ==========

    FlushDNS => completed
    BITS transfer queue => 0 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13835387 B
    Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
    Windows/system/drivers => 59921829 B
    Edge => 0 B
    Chrome => 47032655 B
    Firefox => 10371349 B
    Opera => 4973064 B

    Temp, IE cache, history, cookies, recent:
    Default => 66228 B
    Public => 66228 B
    ProgramData => 66228 B
    systemprofile => 149619 B
    systemprofile32 => 222239 B
    LocalService => 354483 B
    NetworkService => 426649 B
    Dr. Sanath => 105033909 B
    Guest => 105281990 B

    RecycleBin => 75264 B
    EmptyTemp: => 331.8 MB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 14:21:10 ====
     
  8. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you sir.

    Now this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Windows\System32\winevt\Logs\COMODO Internet Security CEF.evtx
    C:\Windows\System32\winevt\Logs\COMODO Internet Security Trace.evtx
    C:\Users\Dr. Sanath\Desktop\Programme Shortcuts\COMODO Firewall.lnk
    2023-06-29 13:59 - 2023-06-29 13:59 _____ C:\Users\Dr. Sanath\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.comodo.com_0.indexeddb.leveldb
    2023-06-27 17:06 - 2023-06-29 13:59 _____ C:\ProgramData\Comodo
    2023-06-27 17:24 - 2023-06-29 13:42 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
    2023-06-27 17:24 - 2023-06-27 17:24 _____ C:\Program Files (x86)\COMODO
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBB01528-20FE-4bc2-9D26-C70E3ABB9CD1}\LocalServer32|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders|D:\Programme Files\COMODO\COMODO Internet Security\
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders|D:\Programme Files\COMODO\
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComodoGroup\ISE|InstallPath
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|IseUI
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|UninstallString
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|Publisher
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|DisplayIcon
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|InstallLocation
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDERD\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDGUARD\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDHLP\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INSPECT\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\COMODO Internet Security CEF
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\isesrv|ImagePath
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7667228d_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts|C:\Users\Dr. Sanath\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\COMODO\Internet Security Essentials\Internet Security Essentials.lnk
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts|C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO\Internet Security Essentials\Internet Security Essentials.lnk
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted|C:\Users\Dr. Sanath\Desktop\Comodo Firewall 12.2.2.8012.exe
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Users\Dr. Sanath\Desktop\Comodo Firewall 12.2.2.8012.exe
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|D:\Programme Files\COMODO\COMODO Internet Security\cis.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\COMODO
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\COMODO
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComodoGroup
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\COMODO Internet Security CEF
    DeleteKey: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\ComodoGroup
    cmd: sfc /scannow
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
    • Fixlog
    • How is the computer running?
     
  9. manilka835

    manilka835 Specialist

    Fixlog information

    Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2023
    Ran by Dr. Sanath (30-06-2023 14:15:34) Run:2
    Running from C:\Users\Dr. Sanath\Desktop
    Loaded Profiles: Dr. Sanath
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Windows\System32\winevt\Logs\COMODO Internet Security CEF.evtx
    C:\Windows\System32\winevt\Logs\COMODO Internet Security Trace.evtx
    C:\Users\Dr. Sanath\Desktop\Programme Shortcuts\COMODO Firewall.lnk
    2023-06-29 13:59 - 2023-06-29 13:59 _____ C:\Users\Dr. Sanath\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.comodo.com_0.indexeddb.leveldb
    2023-06-27 17:06 - 2023-06-29 13:59 _____ C:\ProgramData\Comodo
    2023-06-27 17:24 - 2023-06-29 13:42 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
    2023-06-27 17:24 - 2023-06-27 17:24 _____ C:\Program Files (x86)\COMODO
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBB01528-20FE-4bc2-9D26-C70E3ABB9CD1}\LocalServer32|""
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders|D:\Programme Files\COMODO\COMODO Internet Security\
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders|D:\Programme Files\COMODO\
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComodoGroup\ISE|InstallPath
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|IseUI
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|UninstallString
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|Publisher
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|DisplayIcon
    DeleteValue: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse|InstallLocation
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDERD\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDGUARD\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDHLP\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INSPECT\0000|DeviceDesc
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\COMODO Internet Security CEF
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\isesrv|ImagePath
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7667228d_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts|C:\Users\Dr. Sanath\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\COMODO\Internet Security Essentials\Internet Security Essentials.lnk
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts|C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO\Internet Security Essentials\Internet Security Essentials.lnk
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted|C:\Users\Dr. Sanath\Desktop\Comodo Firewall 12.2.2.8012.exe
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Users\Dr. Sanath\Desktop\Comodo Firewall 12.2.2.8012.exe
    DeleteValue: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|D:\Programme Files\COMODO\COMODO Internet Security\cis.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\COMODO
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\COMODO
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComodoGroup
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\COMODO Internet Security CEF
    DeleteKey: HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\ComodoGroup
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    Could not move "C:\Windows\System32\winevt\Logs\COMODO Internet Security CEF.evtx" => Scheduled to move on reboot.
    C:\Windows\System32\winevt\Logs\COMODO Internet Security Trace.evtx => moved successfully
    C:\Users\Dr. Sanath\Desktop\Programme Shortcuts\COMODO Firewall.lnk => moved successfully
    C:\Users\Dr. Sanath\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.comodo.com_0.indexeddb.leveldb => moved successfully
    C:\ProgramData\Comodo => moved successfully
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO => moved successfully
    C:\Program Files (x86)\COMODO => moved successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBB01528-20FE-4bc2-9D26-C70E3ABB9CD1}\LocalServer32\\" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\D:\Programme Files\COMODO\COMODO Internet Security\" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\D:\Programme Files\COMODO\" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComodoGroup\ISE\\InstallPath" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\IseUI" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse\\UninstallString" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse\\Publisher" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse\\DisplayIcon" => removed successfully
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse\\InstallLocation" => removed successfully
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDERD\0000 => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDGUARD\0000 => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDHLP\0000 => Access Denied
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INSPECT\0000 => Access Denied
    DeleteValue: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\COMODO Internet Security CEF => Error = 6
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\isesrv\\ImagePath" => removed successfully
    "HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\7667228d_0\\" => removed successfully
    "HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\\C:\Users\Dr. Sanath\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\COMODO\Internet Security Essentials\Internet Security Essentials.lnk" => not found
    "HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO\Internet Security Essentials\Internet Security Essentials.lnk" => not found
    "HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\\C:\Users\Dr. Sanath\Desktop\Comodo Firewall 12.2.2.8012.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Users\Dr. Sanath\Desktop\Comodo Firewall 12.2.2.8012.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\D:\Programme Files\COMODO\COMODO Internet Security\cis.exe" => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\COMODO => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\COMODO => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ComodoGroup => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse => removed successfully
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\COMODO Internet Security CEF => removed successfully
    HKEY_USERS\S-1-5-21-3622672852-1347154351-1572509336-1000\Software\ComodoGroup => removed successfully

    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 30-06-2023 14:21:02)

    C:\Windows\System32\winevt\Logs\COMODO Internet Security CEF.evtx => Is moved successfully

    ==== End of Fixlog 14:21:02 ====


    The computer
    • Boot time: 3 minutes and 40.95 seconds
    • No Malware found
    • Windows is up to date
    Everything seems to be okay with regard to the Desktop Acer.
     
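The Fixlog above reports "Access Denied" on four Enum\Root\LEGACY_* keys and "Error = 6" on the COMODO event log key, then the scheduled .evtx move succeeds after reboot. As an added check, not part of the thread and not FRST output, this PowerShell script re-tests every Comodo leftover named in the fixlist and Fixlog after the reboot: the five driver/service names (cmderd, cmdguard, cmdhlp, inspect, isesrv), the registry keys and the IseUI Run value, and the file and log paths. All names are taken from the Fixlog; nothing else is assumed. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or from FRST): verify after the reboot
# that the Comodo remnants listed in the Fixlog are really gone.
# Every service, key and path below is copied from the fixlist/Fixlog above.
# Run elevated; the Enum\Root branch is readable but not writable by admins.

$serviceNames = 'cmderd', 'cmdguard', 'cmdhlp', 'inspect', 'isesrv'

$registryPaths = @(
    'HKLM:\SOFTWARE\COMODO'
    'HKLM:\SOFTWARE\Wow6432Node\COMODO'
    'HKLM:\SOFTWARE\Wow6432Node\ComodoGroup'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ComodoIse'
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\COMODO Internet Security CEF'
)

$filePaths = @(
    'C:\Program Files (x86)\COMODO'
    'C:\ProgramData\Comodo'
    'D:\Programme Files\COMODO'
    'C:\Windows\System32\winevt\Logs\COMODO Internet Security CEF.evtx'
    'C:\Windows\System32\winevt\Logs\COMODO Internet Security Trace.evtx'
)

# For each driver/service name: does the Services key still exist (that is
# what actually loads a driver), what ImagePath does it point to, and is the
# stale PnP record under Enum\Root\LEGACY_<NAME> still there?
$results = foreach ($name in $serviceNames) {
    $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($name.ToUpper())"
    $image = $null
    if (Test-Path -LiteralPath $svcKey) {
        $image = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    }
    [pscustomobject]@{
        Name        = $name
        ServiceKey  = Test-Path -LiteralPath $svcKey
        ImagePath   = $image
        ImageOnDisk = if ($image) { Test-Path -LiteralPath ($image -replace '^\\\?\?\\', '') } else { $false }
        LegacyEnum  = Test-Path -LiteralPath $legacyKey
    }
}
$results | Format-Table -AutoSize

# The IseUI autostart lives in a Run key shared with other programs, so test
# the value itself rather than the key.
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
'Run\IseUI value present: {0}' -f [bool]($run -and $run.PSObject.Properties.Name -contains 'IseUI')

# Remaining keys and paths from the fixlist: LEFT means the fix did not take.
foreach ($p in ($registryPaths + $filePaths)) {
    '{0,-5} {1}' -f ($(if (Test-Path -LiteralPath $p) { 'LEFT' } else { 'gone' }), $p)
}
```

Reading the output: a row with ServiceKey False means nothing can load that driver any more, so a lingering LegacyEnum True for the same name is only a stale PnP record and matches the "Access Denied" lines in the Fixlog; it is not something that needs to be forced. A row with ServiceKey True and ImageOnDisk True is a real leftover and would belong in a second fixlist.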
  10. Oh My!

    Oh My! Malware Expert Staff Member

    Very good.

    Any questions before wrapping this up?
     
  11. manilka835

    manilka835 Specialist

    No further questions. Everything seems to be okay with regard to the Desktop Acer.
     
  12. Oh My!

    Oh My! Malware Expert Staff Member

    Very good, let's close this one out.

    Here is our final step and some additional information to consider.

    ===================================================

    KpRm by Kernel-panik

    --------------
    • Download KpRm and save it to your Desktop (see here if you must use Chrome)
    • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
    • Right click on the icon and select Run as administrator
    • Click Yes on the Disclaimer
    • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
    • Click Run
    • Click OK on All operations are completed
    • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
    • You are free to remove any other tools/reports still remaining
    ===================================================

    All Clean!

    --------------

    Your computer is now clean. Please consider this going forward.

    ===================================================

    Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

     
  13. manilka835

    manilka835 Specialist

    I guess this wraps things up.

    Thank You so much for your time and effort.

    This is yours truly signing off.
     
  14. Oh My!

    Oh My! Malware Expert Staff Member

    My pleasure.
     