Windows 7: Virus mostly blocked, but made registry changes

21 Jun 2017   #1
Jeffesmi

Windows 7 64-bit
 
 
Virus mostly blocked, but made registry changes

Hi,
At my office, someone opened a .jar attachment from an e-mail that seems to have used Java to make some registry changes, and it attempted to put in some type of Trojan, but Symantec stopped that. Here is the Event Viewer info for the block:

Log Name: Application
Source: Symantec AntiVirus
Date: 6/21/2017 12:46:06 PM
Event ID: 51
Task Category: None
Level: Error
Keywords: Classic
User: A02-2014\A02
Computer: A02-2014
Description:

Security Risk Found!SONAR.IFEO!gen2 in File: c:\windows\syswow64\regedit.exe by: SONAR scan. Action: . Action Description: Access Denied

Log Name: Application
Source: Symantec AntiVirus
Date: 6/21/2017 9:34:52 AM
Event ID: 51
Task Category: None
Level: Error
Keywords: Classic
User: A02-2014\A02
Computer: A02-2014
Description:

Security Risk Found!SONAR.Adwind!gen1 in File: c:\program files (x86)\java\jre1.8.0_111\bin\javaw.exe by: SONAR scan. Action: . Action Description: Access Denied

What it does seem to have succeeded in doing is running the registry files that I've attached. To me, it looks like it was just trying to weaken security, but I'm curious to have some other eyes look at it and tell me what they think. I undid most of the changes, but I couldn't roll it back as it turned off the system restore and when I put it back on, I had no restore points. Both Symantec and MalwareBytes are showing a clean system, but I'm curious if anyone has additional insight into the registry changes. I did the following:

- Removed the weakening of the .exe, .com, etc. file types in Outlook
- Removed all the SVCHOST entries that were stamped in
- Re-enabled System Restore

Any thoughts will be appreciated. (i.e. Did I miss something? Is there still risk to computer? How did the registry info get stamped if Symantec blocked it? etc.)

Thanks,
Jeff




Attached Files
File Type: zip tNGsRMvxPx1679783693454237022.zip (8.5 KB, 1 views)
21 Jun 2017   #2
Jeffesmi

Windows 7 64-bit
 
 

Doh, forgot to post the Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 6/21/17
Scan Time: 12:39 PM
Log File:
Administrator: Yes
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.141
Update Package Version: 1.0.2200
License: Trial
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: A02-2014\A02
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350660
Threats Detected: 115
Threats Quarantined: 115
Time Elapsed: 5 min, 16 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 56
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [701], [250068],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [701], [250030],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [701], [250068],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [701], [250030],1.0.2200
Registry Value: 57
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|DEBUGGER, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|DEBUGGER, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|DEBUGGER, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|DEBUGGER, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|DEBUGGER, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|DEBUGGER, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|DEBUGGER, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|DEBUGGER, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|DEBUGGER, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|DEBUGGER, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|DEBUGGER, Quarantined, [701], [250068],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|DEBUGGER, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|DEBUGGER, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|DEBUGGER, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|DEBUGGER, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|DEBUGGER, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|DEBUGGER, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|DEBUGGER, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|DEBUGGER, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|DEBUGGER, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|DEBUGGER, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|DEBUGGER, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|DEBUGGER, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|DEBUGGER, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|DEBUGGER, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|DEBUGGER, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|DEBUGGER, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|DEBUGGER, Quarantined, [701], [250030],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|DEBUGGER, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|DEBUGGER, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|DEBUGGER, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|DEBUGGER, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|DEBUGGER, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|DEBUGGER, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|DEBUGGER, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|DEBUGGER, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|DEBUGGER, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|DEBUGGER, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|DEBUGGER, Quarantined, [701], [250068],1.0.2200
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-1315600182-686938134-444850205-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, Quarantined, [15564], [251589],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|DEBUGGER, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|DEBUGGER, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|DEBUGGER, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|DEBUGGER, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|DEBUGGER, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|DEBUGGER, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|DEBUGGER, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|DEBUGGER, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|DEBUGGER, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|DEBUGGER, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|DEBUGGER, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|DEBUGGER, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|DEBUGGER, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|DEBUGGER, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|DEBUGGER, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|DEBUGGER, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|DEBUGGER, Quarantined, [701], [250030],1.0.2200
Registry Data: 2
PUM.Optional.WindowsToolDisabled, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DISABLECONFIG, Replaced, [16611], [293254],1.0.2200
PUM.Optional.WindowsToolDisabled, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DISABLECONFIG, Replaced, [16611], [293254],1.0.2200
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)

(end)
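The log above shows the three changes the thread is about: a Debugger value planted under Image File Execution Options for a long list of AV and scanner executables (in both the native and Wow6432Node views), the SystemRestore DisableConfig policy, and a per-user LowRiskFileTypes policy. A Debugger value makes Windows start the named path instead of the program, so a security tool with such an entry never runs. The following read-only audit script is an added example, not code from the thread or from Malwarebytes; it checks the same keys so leftovers can be found after cleanup. It assumes an elevated PowerShell prompt and only visits user hives that are currently loaded under HKEY_USERS, so the affected user must be logged on (or their hive loaded) for the LowRiskFileTypes check to see them.

```powershell
# Added audit example (not from the thread). Read-only: it reports the three
# kinds of change the Malwarebytes log shows and deletes nothing.
# Run from an elevated PowerShell prompt on the affected machine.

# Both registry views: the log shows the same IFEO keys planted twice.
$IfeoViews = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$SystemRestorePolicies = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore'
)

function Get-IfeoDebuggerEntry {
    # A Debugger value makes Windows launch that path instead of the named
    # program, so an entry for an AV/scanner executable silently disables it.
    foreach ($view in $IfeoViews) {
        if (-not (Test-Path -LiteralPath $view)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view) {
            $debugger = $key.GetValue('Debugger')
            if ($debugger) {
                [pscustomobject]@{
                    Target   = $key.PSChildName
                    Debugger = $debugger
                    Key      = $key.Name
                }
            }
        }
    }
}

function Get-SystemRestorePolicyLock {
    # DisableConfig is the value the log shows flipped; DisableSR is the
    # sibling policy value that turns System Restore itself off.
    foreach ($path in $SystemRestorePolicies) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        foreach ($name in 'DisableConfig', 'DisableSR') {
            if ($props.$name) {
                [pscustomobject]@{ Key = $path; Value = $name; Data = $props.$name }
            }
        }
    }
}

function Get-LowRiskFileTypesPolicy {
    # Per-user attachment policy; listing .exe/.com here removes the
    # Outlook/Attachment Manager warning for those file types.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -LiteralPath 'HKU:\') {
        $sid = $hive.PSChildName
        if ($sid -notmatch '^S-1-5-21-' -or $sid -match '_Classes$') { continue }
        $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
        $types = (Get-ItemProperty -LiteralPath $key -Name LowRiskFileTypes `
                  -ErrorAction SilentlyContinue).LowRiskFileTypes
        if ($types) { [pscustomobject]@{ UserSid = $sid; LowRiskFileTypes = $types } }
    }
}

Write-Host '== IFEO Debugger entries (review each; remove only the Debugger value, and only after confirming it is not a legitimate tool) =='
Get-IfeoDebuggerEntry | Format-Table -AutoSize
Write-Host '== System Restore policy locks =='
Get-SystemRestorePolicyLock | Format-Table -AutoSize
Write-Host '== LowRiskFileTypes policy per loaded user hive =='
Get-LowRiskFileTypesPolicy | Format-Table -AutoSize
```

An empty table for all three sections means the keys the log lists are gone; a Debugger entry that points at a debugger you installed on purpose is the one legitimate case, so confirm before removing.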
21 Jun 2017   #3
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

First thoughts after a quick look:

Re-run Malwarebytes.

ENABLE rootkit detection.

Roy
22 Jun 2017   #4
Jeffesmi

Windows 7 64-bit
 
 

Quote: Originally Posted by torchwood
> First thoughts after a quick look:
>
> Re-run Malwarebytes.
>
> ENABLE rootkit detection.
>
> Roy
Thanks for the idea. I'm curious though. Did you see anything in the reg file, Malwarebytes log, or Symantec messages that indicated an issue or do you just prefer to run Malwarebytes with RootKit detection on? I usually don't unless I have indications due to the added scan time. I might call over to that area and have one of the nearby users start a scan w/ rootkit detection as the user who had problems is away from the office today.

Thanks,
Jeff