Virus mostly blocked, but made registry changes

Jeffesmi

New member
Member
Local time
10:09 PM
Messages
32
Hi,
At my office, someone opened a .jar attachment from an e-mail that seems to have used JAVA to make some registry change and it attempted to put in some type of Trojan, but Symantec stopped that. Here is the event viewer info for the block:

Log Name: Application
Source: Symantec AntiVirus
Date: 6/21/2017 12:46:06 PM
Event ID: 51
Task Category: None
Level: Error
Keywords: Classic
User: A02-2014\A02
Computer: A02-2014
Description:

Security Risk Found!SONAR.IFEO!gen2 in File: c:\windows\syswow64\regedit.exe by: SONAR scan. Action: . Action Description: Access Denied

Log Name: Application
Source: Symantec AntiVirus
Date: 6/21/2017 9:34:52 AM
Event ID: 51
Task Category: None
Level: Error
Keywords: Classic
User: A02-2014\A02
Computer: A02-2014
Description:

Security Risk Found!SONAR.Adwind!gen1 in File: c:\program files (x86)\java\jre1.8.0_111\bin\javaw.exe by: SONAR scan. Action: . Action Description: Access Denied

What it does seem to have succeeded in doing is running the registry files that I've attached. To me, it looks like it was just trying to weaken security, but I'm curious to have some other eyes look at it and tell me what they think. I undid most of the changes, but I couldn't roll it back as it turned off the system restore and when I put it back on, I had no restore points. Both Symantec and MalwareBytes are showing a clean system, but I'm curious if anyone has additional insight into the registry changes. I did the following:

- Removed the weakening of the .exe .com etc files in outlook
- Removed all the SVCHOST entries that were stamped in
- Re-enabled System Restore

Any thoughts will be appreciated. (i.e. Did I miss something? Is there still risk to computer? How did the registry info get stamped if Symantec blocked it? etc.)

Thanks,
Jeff
 

Attachments

My Computer

Computer Manufacturer/Model Number
Acer
OS
Windows 7 64-bit
CPU
i5
Motherboard
Intel
Memory
4GB
Graphics Card(s)
Intel
Sound Card
unknown
Monitor(s) Displays
HP
Hard Drives
500GB
PSU
unknown
Case
Acer
Cooling
Acer
Doh, forgot to post the Malwarebytes log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 6/21/17
Scan Time: 12:39 PM
Log File:
Administrator: Yes
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.141
Update Package Version: 1.0.2200
License: Trial
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: A02-2014\A02
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350660
Threats Detected: 115
Threats Quarantined: 115
Time Elapsed: 5 min, 16 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 56
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [701], [250068],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [701], [250030],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE, Quarantined, [701], [250068],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE, Quarantined, [701], [250030],1.0.2200
Registry Value: 57
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|DEBUGGER, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|DEBUGGER, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|DEBUGGER, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|DEBUGGER, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|DEBUGGER, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|DEBUGGER, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|DEBUGGER, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|DEBUGGER, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|DEBUGGER, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|DEBUGGER, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|DEBUGGER, Quarantined, [701], [250068],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|DEBUGGER, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|DEBUGGER, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|DEBUGGER, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|DEBUGGER, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|DEBUGGER, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|DEBUGGER, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|DEBUGGER, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|DEBUGGER, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|DEBUGGER, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|DEBUGGER, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|DEBUGGER, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|DEBUGGER, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|DEBUGGER, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|DEBUGGER, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|DEBUGGER, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|DEBUGGER, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|DEBUGGER, Quarantined, [701], [250030],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVK.EXE|DEBUGGER, Quarantined, [701], [248936],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CAVWP.EXE|DEBUGGER, Quarantined, [701], [249032],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CIS.EXE|DEBUGGER, Quarantined, [701], [249057],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMWIN.EXE|DEBUGGER, Quarantined, [701], [249063],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPWIN.EXE|DEBUGGER, Quarantined, [701], [249188],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FRESHCLAM.EXE|DEBUGGER, Quarantined, [701], [249191],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPCMDRUN.EXE|DEBUGGER, Quarantined, [701], [249436],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MPUXSRV.EXE|DEBUGGER, Quarantined, [701], [249446],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NVCOD.EXE|DEBUGGER, Quarantined, [701], [249554],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZANDA.EXE|DEBUGGER, Quarantined, [701], [250059],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ZLH.EXE|DEBUGGER, Quarantined, [701], [250068],1.0.2200
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-1315600182-686938134-444850205-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, Quarantined, [15564], [251589],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKTRAY.EXE|DEBUGGER, Quarantined, [701], [248938],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE|DEBUGGER, Quarantined, [701], [249022],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMTRAY.EXE|DEBUGGER, Quarantined, [701], [249062],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CMDAGENT.EXE|DEBUGGER, Quarantined, [701], [249076],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE|DEBUGGER, Quarantined, [701], [249184],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPROTTRAY.EXE|DEBUGGER, Quarantined, [701], [249187],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FSSM32.EXE|DEBUGGER, Quarantined, [701], [249200],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE|DEBUGGER, Quarantined, [701], [249452],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NBROWSER.EXE|DEBUGGER, Quarantined, [701], [249508],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVKPROXY.EXE|DEBUGGER, Quarantined, [701], [248937],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CISTRAY.EXE|DEBUGGER, Quarantined, [701], [249058],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMSCAN.EXE|DEBUGGER, Quarantined, [701], [249061],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSCHEDULER.EXE|DEBUGGER, Quarantined, [701], [249399],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSMPENG.EXE|DEBUGGER, Quarantined, [701], [249471],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NPROSEC.EXE|DEBUGGER, Quarantined, [701], [249540],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\VIRUSUTILITIES.EXE|DEBUGGER, Quarantined, [701], [249959],1.0.2200
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIRESHARK.EXE|DEBUGGER, Quarantined, [701], [250030],1.0.2200
Registry Data: 2
PUM.Optional.WindowsToolDisabled, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DISABLECONFIG, Replaced, [16611], [293254],1.0.2200
PUM.Optional.WindowsToolDisabled, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DISABLECONFIG, Replaced, [16611], [293254],1.0.2200
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)

(end)
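The Malwarebytes log above lists three kinds of change: IFEO "Debugger" redirections on security-tool executables, a per-user LowRiskFileTypes policy, and a SystemRestore policy. The following is an added, read-only PowerShell audit of exactly those locations (example code, not from this thread or from Malwarebytes); it assumes an elevated prompt on the affected Windows 7 x64 host and changes nothing.

```powershell
# Added example, not from the thread. Read-only audit of the registry locations
# the Malwarebytes log reports as quarantined. Run elevated; nothing is modified.

function Get-IfeoDebugger {
    # Any IFEO subkey with a Debugger value makes Windows launch that value
    # instead of the named program. Entries for AV / forensic tools
    # (MsMpEng.exe, wireshark.exe, ...) are a classic way to neuter them.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Check = 'IFEO Debugger'; Location = $sub.Name; Value = $dbg }
            }
        }
    }
}

function Get-LowRiskFileTypes {
    # Attachment Manager policy: extensions listed here open without the
    # "this file could harm your computer" prompt in Outlook / Explorer.
    # The policy is per-user, so every loaded user hive under HKEY_USERS is checked.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $key = "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations"
        $val = (Get-ItemProperty -Path $key -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
        if ($val) {
            [pscustomobject]@{ Check = 'LowRiskFileTypes'; Location = $key; Value = $val }
        }
    }
}

function Get-SystemRestorePolicy {
    # DisableConfig (the value seen in the log) locks the System Restore
    # configuration UI; DisableSR turns the feature off. A clean machine has neither.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
        'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'DisableConfig', 'DisableSR') {
            if ($props.PSObject.Properties[$name] -and $props.$name -ne 0) {
                [pscustomobject]@{ Check = 'SystemRestore policy'; Location = "$key\$name"; Value = $props.$name }
            }
        }
    }
}

$findings = @(Get-IfeoDebugger) + @(Get-LowRiskFileTypes) + @(Get-SystemRestorePolicy)
if ($findings.Count -eq 0) {
    Write-Output 'No IFEO Debugger, LowRiskFileTypes or SystemRestore policy entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    Write-Output "$($findings.Count) entries to review."
}
```

Only hives currently loaded appear under HKEY_USERS, so run it while the affected user is logged on (or load that user's NTUSER.DAT) to cover the per-user LowRiskFileTypes check.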
 

First thoughts after a quick look:

Re-run Malwarebytes

ENABLE rootkit detection.

Roy
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
medionl/Aspire 6930G/acer x55a
OS
W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
CPU
E5300 dual core
Motherboard
medion MS7366
Memory
3gb
Graphics Card(s)
Nvidia Geforce 7100 Nforce 630i
Monitor(s) Displays
avixc
Internet Speed
n (ISP restricted to 72)
Antivirus
mse/pands
Browser
palemoon
Other Info
Belkin Fd7050 N USB using Ralink RT2870 drivers, more up to date

Thanks for the idea. I'm curious, though. Did you see anything in the reg file, Malwarebytes log, or Symantec messages that indicated an issue, or do you just prefer to run Malwarebytes with rootkit detection on? I usually don't unless I have indications, due to the added scan time. I might call over to that area and have one of the nearby users start a scan w/ rootkit detection, as the user who had problems is away from the office today.

Thanks,
Jeff
 
