Cannot delete Registry entry

[VistaKing]

Run another scan with FRST

64-Bit Version OS Farbar Recovery Scan Tool x64 <===== Download Link

Drag the FRST64.exe from the Downloads folder to your Desktop

Right click on FRST64.exe and choose

When the tool opens click Yes on the disclaimer window .

Press Scan button.

FRST will let you know when the scan is complete and has written the FRST.txt to file

   Note

The first time Farbar Recovery Scan Tool is run, it makes also another log Addition.txt

Please upload both logs in your reply.(FRST.txt and Addition.txt)

:note: FRST.txt and Addition.txt will be on the Desktop :note:

Upload a File
Click on the Go Advanced button under the Message box . Scroll down to Additional Options then click on Manage Attachments in the Attach Files sections . Click the Browse button locate the file then click on the Open button . In the Upload File from your Computer section click on the Upload button . Wait until it finishes uploading then close the window . Then click Submit Reply .

 

[parhamjl]

Addition.txt and FRST.txt from Farbar included.

 

[VistaKing]

Open up Notepad . Paste the highlighted text into notepad


start
() C:\Program Files (x86)\Everything\Everything.exe
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
MountPoints2: {abcd23e1-4bf3-11df-9200-a4badbf9ed02} - H:\LaunchU3.exe -a
HKLM-x32\...\Run: [Virtual Account Numbers] - C:\PROGRA~2\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards [398336 2013-03-04] (Orbiscom Ltd. All rights reserved.)
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Guest\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\HomeGroupUser$\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Lynn Standard Accoun\...\Run: [swg] - "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-26] (Google Inc.)
Startup: C:\ProgramData\Start Menu\Programs\Startup\Constant Guard.lnk
ShortcutTarget: Constant Guard.lnk -> C:\Program Files (x86)\Constant Guard Protection Suite\IDVault.exe (No File)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
CHR DefaultSearchURL: (SecureSearch) - http://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_1&hsimp=yhs-lavasoft&ent=ch&q={searchTerms}
CHR DefaultSuggestURL: (SecureSearch) - "suggest_url": ""
C:\ec893aea03bddf72e311869621
C:\Users\Lynn\AppData\Local\{D7C4A414-607E-4795-B3D0-A01E2F0EA11D}
C:\ProgramData\Syscon
C:\Windows\Tasks\SA.DAT
C:\Windows\BRWMARK.INI
C:\Users\Lynn\AppData\Roaming\1O1L1I1PtF1F1C1N
end


Click on File .... Save As
FIle Name : Fixlist.txt
Save as type : All Files
Location : Desktop

Open FRST64.exe again and click on the [FIX] button . Once complete it will create a new file called FixLog.txt upload the log with your reply

Then run

TDSSKILLER

download link :ar: TDSSKiller

Right-click the program and select: Extract to tdsskiller\


A TDSSKiller folder is found on your Desktop.
Open the folder, and double-click the TDSSKiller application.


When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK


Press: Start Scan


If a suspicious object is detected, the default action is Skip, leave it as is, and click on: Continue
If malicious objects are found, they show in the Scan results.
Ensure Cure (the default) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)


When done, the tool outputs its log to the disk with the Windows Operating System, normally C:\


Logs have a name like:
C:\TDSSKiller.X.X.X_12.04.2013_15.31.43_log.txt


Please post the TDSSKiller log in your reply.

 

[parhamjl]

Files included. TDSSKiller apparently did not find any problem.

 

[VistaKing]

Lets see what an online scanner locates

On

Hold down Control and click on ESET Online Scanner to open ESET OnlineScan in a new window
Click the

button
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.

On

or

Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
Right click on

choose

on your desktop
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.

 

[VistaKing]

Start Google Chrome, click on 3 bar button icon in the top right corner.
Choose ‘Settings’ > ‘Search’ > ‘Manage Search Engines’.
Next select your preferred search engine and click on ‘Make Default’.


Remove any Securesearch.lavasoft.com

Do the same for extensions tab

Restart browser after completion.

 

[parhamjl]

ESETScan.txt enclosed. Took nearly 9 hours, partly because of the large Windows Backup and Computer Image files on Drive D where I keep most of my backups and non-system data. Not surprising they contained several malware files because the backups were from earlier versions of the computer. They are apparently now cleaned, but are expendable if needed for safety.

The Esetsmart scan, again almost 9 hours, did not find any problems.

Loaded Chrome and removed reference to Securesearch.lavasoft.com

 

[VistaKing]

Any issues ?

 

[parhamjl]

No issues that are apparent. My computer seems to be clean. I really appreciate your help.

 

[VistaKing]

I'd delete the old System Restore and create a new one

To delete : http://www.sevenforums.com/tutorials/336-system-protection-restore-points-delete.html

To Create a new one : http://www.sevenforums.com/tutorials/697-system-restore-point-create.html

 

[VistaKing]

You could delete the FRST folder located in C:\

 

[parhamjl]

Thanks! Do I mark this as solved? How do I make a contribution to the forum's efforts? Finally, any suggestions for programs to run or keep running to prevent infection, other than common sense in browsing, in which I had a small lapse.

 

[VistaKing]

Users here use malwarebytes and MSE

 

[VistaKing]

parhamjl

Have you deleted the RogueKiller reports and the RogueKiller Quarantine folder ? Also you could remove AdwCleaner by opening it and clicking on uninstall

AdwCleaner

To Remove AdwCleaner program from your PC

:ar: Right click on adwcleaner.exe choose Run as administrator to run the tool.

:ar: Click on Uninstall, then confirm with yes to remove this utility from your computer.

 

[parhamjl]

I have removed them.

 

[VistaKing]

How's the PC running ? No more DataMngr showing up ?

 

[parhamjl]

I don't see any trace of the malware. I think getting rid of some of the malware has speeded up my computer. I am beginning to migrate most of my computer use to a non-administrative account, and putting a lot of my volumes of archive material on an external hard drive that mostly stays turned off. Thanks again for your help. I appreciate it very much. Are donations accepted?

 

[VistaKing]

No need for that . A Thank You is all that is needed . This is a free forum .

 

[parhamjl]

Great! I was looking at a total windows re-install or even a new computer. Saved me a lot of time and effort. Again, I am most appreciative.

 

[VistaKing]

If you're gona go down that road . Gregrocker created a nice tutorial below

:ar: http://www.sevenforums.com/tutorials/219487-clean-reinstall-factory-oem-windows-7-a.html