Hidden objects found and some strange things happening?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Hidden objects found and some strange things happening?

Post by MESA » March 26th, 2015, 7:59 am

Hi mAL.
That folder is my MVPS hosts file. That's ok.
The imagXpress doesn't show in programs and features. It also doesn't show in Revo uninstaller.
mAL, regarding the fix, could you please tell me what it's for and what it will do, because I know what some of the things are.
The C:\Users\Comet\Full Registry back up.reg is just a back up I made of the registry that I no longer need so can delete it.
The C:\Users\Comet\avast_clear.exe is an uninstall tool for avast which again I can just delete.
2015-02-27 21:34 - 2015-02-27 21:34 - 00000000 ____D () C:\ProgramData\InstallMate this is the install folder that belongs to Winpatrol.
Could you please tell me what the other items are and why they need to be removed?

Here are the results of the fixlog. Thank you.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Comet at 2015-03-26 12:06:08 Run:1
Running from C:\Users\Comet\Desktop
Loaded Profiles: Comet (Available profiles: Comet & Paul)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Winlogon\Notify\igfxcui: [X]
HKU\S-1-5-21-298761936-1198288888-1608458099-1000\...\MountPoints2: {710d8cd7-502d-11e2-bf2d-806e6f6e6963} - "E:\WD SmartWare.exe" autoplay=true
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-298761936-1198288888-1608458099-1000 -> {3BFBD858-86F7-4B01-9AC5-B551B693A5CA} URL =
SearchScopes: HKU\S-1-5-21-298761936-1198288888-1608458099-1000 -> {7B2F92D7-BFDA-4BDC-B046-AD0CA985F42E} URL =
SearchScopes: HKU\S-1-5-21-298761936-1198288888-1608458099-1000 -> {8B009F2B-FBEF-4378-AB25-346230683C49} URL =
BHO-x32: No Name -> -{9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
BHO-x32: No Name -> -{B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 MWAC; \??\C:\Windows\system32\drivers\ [0 ] () <==== ATTENTION (zero size file/folder)
S3 MWAC; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero size file/folder)
C:\Users\Comet\avast_clear.exe
C:\Users\Comet\Full Registry back up.reg
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
2015-02-27 21:34 - 2015-02-27 21:34 - 00000000 ____D () C:\ProgramData\InstallMate
C:\ProgramData\Partner
Reg: reg.exe delete "HKLM\SOFTWARE\PIP" /f
Reg: reg.exe delete "HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}" /f
Reg: reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP" /f
Reg: reg.exe delete "HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}" /f
Reg: reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5" /f
Reg: reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375" /f
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden

*****************

"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => Key deleted successfully.
"HKU\S-1-5-21-298761936-1198288888-1608458099-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{710d8cd7-502d-11e2-bf2d-806e6f6e6963}" => Key deleted successfully.
HKCR\CLSID\{710d8cd7-502d-11e2-bf2d-806e6f6e6963} => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKU\S-1-5-21-298761936-1198288888-1608458099-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3BFBD858-86F7-4B01-9AC5-B551B693A5CA}" => Key deleted successfully.
HKCR\CLSID\{3BFBD858-86F7-4B01-9AC5-B551B693A5CA} => Key not found.
"HKU\S-1-5-21-298761936-1198288888-1608458099-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7B2F92D7-BFDA-4BDC-B046-AD0CA985F42E}" => Key deleted successfully.
HKCR\CLSID\{7B2F92D7-BFDA-4BDC-B046-AD0CA985F42E} => Key not found.
"HKU\S-1-5-21-298761936-1198288888-1608458099-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8B009F2B-FBEF-4378-AB25-346230683C49}" => Key deleted successfully.
HKCR\CLSID\{8B009F2B-FBEF-4378-AB25-346230683C49} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\-{9030D464-4C02-4ABF-8ECC-5164760863C6}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\-{9030D464-4C02-4ABF-8ECC-5164760863C6} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\-{B4F3A835-0E21-4959-BA22-42B3008E02FF}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\-{B4F3A835-0E21-4959-BA22-42B3008E02FF} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
MWAC => Service deleted successfully.
MWAC => Service not found.
C:\Users\Comet\avast_clear.exe => Moved successfully.
C:\Users\Comet\Full Registry back up.reg => Moved successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
C:\ProgramData\InstallMate => Moved successfully.
C:\ProgramData\Partner => Moved successfully.

========= reg.exe delete "HKLM\SOFTWARE\PIP" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe delete "HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe delete "HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375" /f =========

The operation completed successfully.



========= End of Reg: =========
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by MESA » March 26th, 2015, 8:14 am

imagXpress will not uninstall.
When clicking on it it doesn't bring up the uninstall box?
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by MESA » March 26th, 2015, 10:05 am

Hi mAL
Here is the result of the MSERT scan.
Microsoft Safety Scanner v1.0, (build 1.195.362.0)
Started On Thu Mar 26 13:56:41 2015
->Scan ERROR: resource process://pid:1352,ProcessStart:130718456968428182 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5000,ProcessStart:130718517219442941 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:2612,ProcessStart:130718517222773132 (code 0x0000012B (299))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Thu Mar 26 14:02:55 2015


Return code: 0 (0x0)
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by mAL_rEm018 » March 26th, 2015, 2:39 pm

Hello MESA,

MESA wrote: The C:\Users\Comet\Full Registry back up.reg is just a back up I made of the registry that I no longer need so can delete it.
The C:\Users\Comet\avast_clear.exe is an uninstall tool for avast which again I can just delete.
2015-02-27 21:34 - 2015-02-27 21:34 - 00000000 ____D () C:\ProgramData\InstallMate this is the install folder that belongs to Winpatrol.
Could you please tell me what the other items are and why they need to be removed?


Files to move or delete:


Files listed in this section are those that either are bad or are files in a bad location.
Examples of legitimate files are the files that users have downloaded and saved to the User's directory. Another example is when a legitimate third party software keeps one of its files in User's directory. That is a bad practice by any software vendor and those files should be moved or deleted even if they are legitimate. We have seen many infections hiding their fabricated files (seemingly legitimate but malware files) in that directory and running them from there.



Please download Add Remove Program Cleaner to your desktop.

  • Right-click on addremovecleaner and select " Run as administrator " to run it.
  • Locate ImagXpress in the menu and click once on it to highlight.
  • Now click on Remove from add/remove programs list.
  • At the prompt click on Yes then Exit.
  • Now delete addremovecleaner from the desktop, empty the Recycle Bin and reboot the computer.



-----------------------------------------
In your next reply, I would like to see..
  • Were you able to remove ImagXpress?
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Hidden objects found and some strange things happening?

Post by MESA » March 26th, 2015, 4:19 pm

Hi mAL.
No, imagXpress still hasn't been removed.
It removed from the list but the recycle bin is empty and it is still showing in ccleaner uninstall list but won't uninstall.
There is also an entry for nero xml in addremovecleaner that isn't in windows add/remove programs list?
I noticed in the fix list there were a few items not found including this one ========= reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP" /f =========
Is this bad?
Also there are quite a few errors showing.
Could you please let me know what the errors and missing files mean?
Are they left over from malware?
Thank you for your continued help. I appreciate it.
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by mAL_rEm018 » March 27th, 2015, 9:27 am

Hello MESA,


MESA wrote: I noticed in the fix list there were a few items not found including this one ========= reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP" /f =========
Is this bad?
Also there are quite a few errors showing.
Could you please let me know what the errors and missing files mean?

The errors and missing files are nothing to worry about; it just means that FRST does not find them in the registry.


MESA wrote: No, imagXpress still hasn't been removed.
It removed from the list but the recycle bin is empty and it is still showing in ccleaner uninstall list but won't uninstall.
There is also an entry for nero xml in addremovecleaner that isn't in windows add/remove programs list?

Let's try something else..


Please download SystemLook from the link below and save it to your Desktop.

For 64 bit Systems

  • Right-click SystemLook.exe and select " Run as administrator " to run it.
  • Copy and paste the content of the following codebox into the main textfield: Do not include the words Code: select all
  • (Click the select all button next to the codebox to select the entire script).
    Code: Select all
    :filefind
    *ImagXpress*
    
    :folderfind
    *ImagXpress*
    
    :Regfind
    ImagXpress
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

-----------------------------------------
In your next reply, I would like to see..
  • SystemLook.txt
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Hidden objects found and some strange things happening?

Post by MESA » March 27th, 2015, 10:46 am

Hi mAL
Here it is. Thank you.
SystemLook 04.09.10 by jpshortstuff
Log created at 14:41 on 27/03/2015 by Comet
Administrator - Elevation successful

========== filefind ==========

Searching for "*ImagXpress*"
C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0\imagXpress.msi --a---- 35840 bytes [13:24 11/04/2012] [10:15 14/06/2010] BF2FA75A48744E500D5347174590A86D
C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0\imagXpress.wixpdb --a---- 94584 bytes [13:24 11/04/2012] [10:15 14/06/2010] A0F1A63E20F959A0BBE0A6E7AFCC0461

========== folderfind ==========

Searching for "*ImagXpress*"
C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0 d------ [13:24 11/04/2012]

========== Regfind ==========

Searching for "ImagXpress"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress]
@="Pegasus ImagXpress Control v7.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress\CurVer]
@="ImagXpr7.ImagXpress.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress.1]
@="Pegasus ImagXpress Control v7.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\B9802F8A97F16FB43B582A2C0B9B7AD4]
"imagxpress_feat"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4]
"ProductName"="ImagXpress"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4\SourceList]
"PackageName"="imagXpress.msi"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4\SourceList]
"LastUsedSource"="n;1;C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4\SourceList\Net]
"1"="C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}\1.0]
@="Pegasus ImagXpress Control v7.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}\1.0\HELPDIR]
@="D:\Perforce\source\Dev\deployment\pb_deployment\TPI\ImagXPress\x86\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}]
@="Pegasus ImagXpress Control v7.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}\ProgID]
@="ImagXpr7.ImagXpress.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}\VersionIndependentProgID]
@="ImagXpr7.ImagXpress"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897}]
@="IImagXpress"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB}]
@="_IImagXpressEvents"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}\1.0]
@="Pegasus ImagXpress Control v7.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}\1.0\HELPDIR]
@="D:\Perforce\source\Dev\deployment\pb_deployment\TPI\ImagXPress\x86\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9802F8A97F16FB43B582A2C0B9B7AD4\Features]
"imagxpress_feat"="+ZmERNkpd9~QLlxAa&.E"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9802F8A97F16FB43B582A2C0B9B7AD4\InstallProperties]
"InstallSource"="C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9802F8A97F16FB43B582A2C0B9B7AD4\InstallProperties]
"DisplayName"="ImagXpress"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}]
@="Pegasus ImagXpress Control v7.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}\ProgID]
@="ImagXpr7.ImagXpress.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}\VersionIndependentProgID]
@="ImagXpr7.ImagXpress"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897}]
@="IImagXpress"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB}]
@="_IImagXpressEvents"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}\1.0]
@="Pegasus ImagXpress Control v7.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}\1.0\HELPDIR]
@="D:\Perforce\source\Dev\deployment\pb_deployment\TPI\ImagXPress\x86\"

-= EOF =-

P.s what about that entry for nero xml in addremovecleaner?
Is there any malware or altered settings on my computer at all?
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by mAL_rEm018 » March 27th, 2015, 2:55 pm

Hello MESA,

MESA wrote: P.s what about that entry for nero xml in addremovecleaner?

If you are using any other program by Nero (for example: burning CDs/DVDs), then I would advise you against removing this program.

MESA wrote: Is there any malware or altered settings on my computer at all?

Your computer seems to be free from malware at this point, however we still have a few things left to do.


Now let's remove the registry entries related to ImagXpress that SystemLook found..
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code: Select all
C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9802F8A97F16FB43B582A2C0B9B7AD4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\B9802F8A97F16FB43B582A2C0B9B7AD4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4]

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log



-----------------------------------------
In your next reply, I would like to see..
  • fixlog.txt
  • Is ImagXpress still installed on your computer?
    Please post everything in the order given.
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Hidden objects found and some strange things happening?

Post by MESA » March 27th, 2015, 3:23 pm

Hi mAL. I use Ashampoo and dvd flick for burning discs. A limited version of Nero 9 came pre-installed with my computer and I uninstalled it. Somehow these remnants of ImagXpress and nero have remained.
Here is the log. Thank you

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Comet at 2015-03-27 19:15:40 Run:2
Running from C:\Users\Comet\Desktop
Loaded Profiles: Comet (Available profiles: Comet & Paul)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9802F8A97F16FB43B582A2C0B9B7AD4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\B9802F8A97F16FB43B582A2C0B9B7AD4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4]

*****************

C:\Fujitsu\Programs\Nero\Nero 9 Essentials\unit_tpi_imagxpress-7.0.74.0 => Moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress.1 => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress.1 => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163} => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897} => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB} => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6D3CF4F3-C2F3-46E7-A126-3E53102A6B91} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{59003139-A19E-4E1F-9596-BC7A9F810897} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{5DB92D0F-D75D-4AC0-8C04-C735E587E0DB} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9802F8A97F16FB43B582A2C0B9B7AD4 => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B9802F8A97F16FB43B582A2C0B9B7AD4 => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\B9802F8A97F16FB43B582A2C0B9B7AD4 => Key Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4 => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B9802F8A97F16FB43B582A2C0B9B7AD4 => Key Deleted Successfully.

==== End of Fixlog 19:16:07 ====
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm
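
An added example, not part of the original thread and not FRST's own code: a small Python parser for the result lines of the two fixlogs posted above. It counts "Key not found" and reg.exe "unable to find" results (the entries mAL describes as nothing to worry about) separately from deletions, and pairs each "Failed to delete key at first attempt" line with the retry result on the line after it. The sample input is a constructed subset of lines copied from this thread, and the status labels and function names are chosen for this example.

```python
import re
from collections import Counter

# Constructed sample: result lines copied from the two fixlogs in this thread.
SAMPLE_FIXLOG = r'''
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui" => Key deleted successfully.
HKCR\CLSID\{710d8cd7-502d-11e2-bf2d-806e6f6e6963} => Key not found.
MWAC => Service deleted successfully.
MWAC => Service not found.
C:\Users\Comet\avast_clear.exe => Moved successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

========= reg.exe delete "HKLM\SOFTWARE\PIP" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe delete "HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}" /f =========

The operation completed successfully.



========= End of Reg: =========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ImagXpr7.ImagXpress => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{ED512BE6-6629-4FB4-953D-D0C353847163} => Key not found.
'''

RESULT_RE = re.compile(r'^(?P<target>.+?) => (?P<result>.+)$')
REG_HEADER_RE = re.compile(r'^=+ (?P<cmd>reg\.exe .+?) =+$')


def classify(result):
    """Map one result message to a status label (labels are this example's own)."""
    text = result.lower()
    if "failed" in text:
        # C0000121 is the NTSTATUS value STATUS_CANNOT_DELETE.
        return "failed"
    if "not found" in text or "unable to find" in text:
        return "not_found"      # target was already absent; nothing was changed
    if "successfully" in text:
        return "done"
    return "other"


def parse_fixlog(text):
    """Return (target, status) pairs in log order."""
    entries = []
    pending_cmd = None          # reg.exe command whose output line is still expected
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = REG_HEADER_RE.match(line)
        if header:
            pending_cmd = header.group("cmd")
            continue
        if line.startswith("="):            # "End of Reg:" and other separator lines
            pending_cmd = None
            continue
        if pending_cmd is not None:         # first output line of a reg.exe block
            entries.append((pending_cmd, classify(line)))
            pending_cmd = None
            continue
        match = RESULT_RE.match(line)
        if match:
            target = match.group("target").strip('"')
            entries.append((target, classify(match.group("result"))))
    return entries


def resolve(entries):
    """Fold each first-attempt failure into the retry result that follows it."""
    final, i = [], 0
    while i < len(entries):
        target, status = entries[i]
        if status == "failed":
            nxt = entries[i + 1] if i + 1 < len(entries) else None
            if nxt and nxt[0] == target:
                status = "done_after_retry" if nxt[1] == "done" else "unresolved"
                i += 1                      # consume the retry line
            else:
                status = "unresolved"       # no retry line for this target
        final.append((target, status))
        i += 1
    return final


def summarize(text):
    """Return (Counter of statuses, targets that still need a second look)."""
    final = resolve(parse_fixlog(text))
    counts = Counter(status for _, status in final)
    follow_up = [t for t, s in final if s in ("unresolved", "other")]
    return counts, follow_up


if __name__ == "__main__":
    counts, follow_up = summarize(SAMPLE_FIXLOG)
    print(dict(counts))
    print("needs follow-up:", follow_up)
```
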

Re: Hidden objects found and some strange things happening?

Post by mAL_rEm018 » March 27th, 2015, 3:26 pm

Hello MESA,

Does ImagXpress appear to still be installed on your computer?
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Hidden objects found and some strange things happening?

Post by MESA » March 27th, 2015, 3:43 pm

Hi mAL
I can't see it in ccleaner add/remove programs anymore but there is a fujitsu folder (which is the make of my computer) on my C drive which has a few folders in it and one folder called programs has a nero folder with a lot of other folders but I can't see it in the programs list. It wasn't showing normally anyway, that was the problem.
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by MESA » March 27th, 2015, 8:22 pm

Hi mAL,
I was reading up on adwcleaner and how to get round problems with it running. I tried it again and this time it ran successfully.
Last time you told me to uncheck any entries you don't want to remove, then click on Clean.
There were a couple of entries that I left unchecked because I didn't know what they were. One registry item was left over from imminent so I let it clean this.
Here are the results.
# AdwCleaner v4.113 - Logfile created 28/03/2015 at 00:09:39
# Updated 22/03/2015 by Xplode
# Database : 2015-03-27.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Comet - WINDOWS
# Running from : C:\Users\Comet\Desktop\adwcleaner_4.113.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Comet\Documents\hosts

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
[x] Not Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Mozilla Firefox v36.0.4 (x86 en-GB)


*************************

AdwCleaner[R0].txt - [1407 bytes] - [23/03/2015 17:14:07]
AdwCleaner[R1].txt - [1466 bytes] - [23/03/2015 17:19:59]
AdwCleaner[R2].txt - [1525 bytes] - [25/03/2015 10:02:04]
AdwCleaner[R3].txt - [1584 bytes] - [25/03/2015 18:52:51]
AdwCleaner[R4].txt - [1238 bytes] - [27/03/2015 23:58:34]
AdwCleaner[R5].txt - [1297 bytes] - [28/03/2015 00:08:07]
AdwCleaner[S0].txt - [1240 bytes] - [28/03/2015 00:09:39]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1299 bytes] ##########
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by mAL_rEm018 » March 28th, 2015, 12:09 pm

Hello MESA,


In the following step, we will check your (C:) drive for errors.


Check Hard Disk For Errors:

Click on Start > All programs > Accessories > Run, then copy/paste the following command into the box and press OK:
cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
A blank command window will open on your desktop, then close in a few minutes. This is normal.
A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

Please answer the following question..
  • How is your computer performing?

-----------------------------------------
In your next reply, I would like to see..
  • Answer to my question.
  • checkhd.txt
    Please post everything in the order given.
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia

Re: Hidden objects found and some strange things happening?

Post by MESA » March 28th, 2015, 4:38 pm

Hi mAL,
My computer is performing fine thanks. Can I remove the two registry items that I left unchecked in adwcleaner?
I unchecked them because I never knew what they were?
What are they and should I remove them?
Here is the chkhd.txt
The type of the file system is NTFS.
Volume label is System.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
781 large file records processed.

0 bad file records processed.

0 EA records processed.

60 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
24033 data files processed.

CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Windows has checked the file system and found no problems.

958235647 KB total disk space.
120910140 KB in 93140 files.
95032 KB in 24034 indexes.
0 KB in bad sectors.
295039 KB in use by the system.
65536 KB occupied by the log file.
836935436 KB available on disk.

4096 bytes in each allocation unit.
239558911 total allocation units on disk.
209233859 allocation units available on disk.
MESA
Regular Member
 
Posts: 41
Joined: January 17th, 2013, 3:11 pm

Re: Hidden objects found and some strange things happening?

Post by mAL_rEm018 » March 29th, 2015, 9:29 am

Hello MESA,

MESA wrote: My computer is performing fine thanks. Can I remove the two registry items that I left unchecked in adwcleaner?
I unchecked them because I never knew what they were?

You can safely remove them, there is no need to post a log.

I have good news.. there are no more signs of active malware on your computer :)


Please download delfix and save it to your desktop.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Check the following boxes then click on Run.

    • Remove disinfection tools

    • All tools we used to clean your computer should be gone now.
    • You can now delete any tools/logs we used if they remain on your computer.


When you first posted, you mentioned that your computer was "lagging a bit". If this is still the case you should read the following topic, What to do if your Computer is running slowly, which deals with such issues.

You should also read and get acquainted with the following topic, COMPUTER SECURITY - a short guide to staying safer online, which goes into depth on how to keep your computer secure.


I would really appreciate it if you could respond to this post to let me know that it's ok for me to request for it to be closed.
mAL_rEm018
Admin/Teacher
 
Posts: 2689
Joined: November 11th, 2013, 6:26 pm
Location: Saint-Petersburg, Russia