[SOLVED] Weird Chinese symbols in registry

carl a

Hello forum, it's been a long time since I posted something, but here I am again with a problem I have had before, on Nov 16 2017, and you guys guided me to the solution. I notice there are two strange Chinese symbols in my registry, in the classes string. Here is the snapshot of the registry; I hope I remember how to post a view.
 

Attachments

  • weird symbols.png
You're right, Corday. I found that post before I submitted the request; that's why I knew the date and what tools were used to accomplish the task. So the staff member that guides me through this process will have plenty of information on helping me solve this problem.
 
Hi, Carl a.

Those entries are not necessarily a bad thing, but if you would like us to check the computer for malware, please do the following:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

Note:
You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
 
Okay DR M, thanks for your response and your assistance. Now I will lean on my memory on how to post and send the required files and txt, because it's been a while since I've done these things. I hope I've done what you asked properly.
 

Thanks, carl a. However, you attached the same log (Addition) twice. Can you also please attach the FRST.txt for me to check?
 
Carl, apologies for this delay. I'm abroad for work purposes and my responses will have a bit of a delay. Just letting you know.

Right now, I'm reviewing your logs.
 
I understand. I am sure that wherever you're working, you're doing an excellent service. Take your time to complete your task. I will be here, no problem.
 
Hi, Carl!

I am back home, meaning back to normality. Again, I apologize about the delay.

The logs don't show a sign of an active infection, and the weird characters in the registry are most possibly due to an encoding error. Nothing to worry about.

However, there are some issues I would like to take care of.

First, can you please tell me if you intentionally set these settings, regarding these file type extensions?

HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\regfile: <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.reg: => <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.bat: => <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.cmd: => <==== ATTENTION

Also, there is evidence that you used a tool for resetting/troubleshooting Windows updates. It is not shown in the installed programs list, but there are items related to it. Are you using this tool? I wouldn't feel comfortable to use it if I needed help with specific updates, anyway.
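
The kind of encoding error mentioned in the post above, as an added example that is not part of the original thread: single-byte (ANSI/ASCII) text read back as UTF-16LE pairs its bytes into code points which, for letters, land in CJK blocks, and reversing the mistake recovers readable text. It assumes this is the encoding mix-up involved; the sample strings are constructed (not taken from the user's registry) and the function names are hypothetical.

```python
def misread_as_utf16le(ansi: bytes) -> str:
    """Show what single-byte text looks like when a reader treats it as UTF-16LE."""
    if len(ansi) % 2:
        ansi += b"\x00"  # an odd last byte pairs with the string's NUL terminator
    return ansi.decode("utf-16-le")


def recover_ansi_text(displayed: str):
    """Return the ASCII text hidden behind CJK-looking characters, or None.

    Assumption: the data was written as single-byte text and displayed as
    UTF-16LE, so each displayed character packs two original bytes.
    """
    if displayed.isascii():
        return None  # nothing was misread
    try:
        raw = displayed.encode("utf-16-le")
    except UnicodeEncodeError:  # lone surrogates cannot be re-encoded
        return None
    raw = raw.rstrip(b"\x00")  # drop the pad/terminator byte of odd-length text
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def classify(displayed: str) -> str:
    """Triage a registry key or value name as displayed by the registry editor."""
    if displayed.isascii():
        return "plain-ascii"
    recovered = recover_ansi_text(displayed)
    if recovered is not None:
        # A hint, not proof: a few real ideographs also split into two
        # printable ASCII bytes, so very short strings stay ambiguous.
        return f"mojibake:{recovered}"
    return "non-ascii-review"


if __name__ == "__main__":
    # Constructed samples: two misread ASCII names, real Chinese text, plain ASCII.
    samples = [misread_as_utf16le(b"open"), misread_as_utf16le(b"cmd"),
               "\u6ce8\u518c\u8868", "regfile"]
    for s in samples:
        print(repr(s), "->", classify(s))
```

A name that comes back as `mojibake:` is consistent with a program having written narrow text through a wide-character API; anything reported as `non-ascii-review` still needs a human look.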
 
Hey there DR M, no apology needed, you were just taking care of your business. Those registry settings in the classes, I don't remember doing any alterations, and I can uninstall the update reset tool if it's better for me. We can straighten the registry out if you think it's wise to do so.
 
Hi, Carl.

It's up to you if you keep it or not. If you choose to uninstall, let me know to check for remnants later.

Another question:

Have you installed Norton or Doctor Web related programs recently?

================================

For now, please do the following:


1. FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything to anywhere.
Code:
Start::
SystemRestore:On
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\regfile:  <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.reg:  =>  <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.bat:  =>  <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.cmd:  =>  <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {ABC43F7B-8370-4599-8C6E-42126A22A39B} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-3322077908-2260706495-1581740148-500 => C:\Users\acarl\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting (No File)
Task: C:\WINDOWS\Tasks\EOSv3 Scheduler onLogOn.job => C:\Users\acarl\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe
Task: C:\WINDOWS\Tasks\EOSv3 Scheduler onTime.job => C:\Users\acarl\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe
S3 WinRing0_1_2_0; \??\C:\Users\acarl\AppData\Local\Temp\tmpC141.tmp [X] <==== ATTENTION
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.


2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.


3. Run Malwarebytes (scan only)
  • Open Malwarebytes you have already installed.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.


In your next reply, please post:
  1. The fixlog.txt
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
 
DR Mc, I must have done something wrong, because when I hit the fix I keep getting "no fixlist.txt found". I did uninstall the Windows update repair tool, and I also did download Norton power tool and tried to download Dr.web.
 
Make sure to select the script I gave you, then right click and copy. No paste anywhere. Just run FRST and hit the Fix button.

As to Norton Power Tool, is it successfully installed and running? Have you checked it?

You have already Microsoft Defender and Malwarebytes. If you need something else for a second/on demand opinion, it's fine. However, you can't have two security programs running in real time. My recommendation is to uninstall it, but again, it's your decision.
 
Start::
SystemRestore:On
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\regfile: <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.reg: => <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.bat: => <==== ATTENTION
HKU\S-1-5-21-3322077908-2260706495-1581740148-1002\Software\Classes\.cmd: => <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {ABC43F7B-8370-4599-8C6E-42126A22A39B} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-3322077908-2260706495-1581740148-500 => C:\Users\acarl\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting (No File)
Task: C:\WINDOWS\Tasks\EOSv3 Scheduler onLogOn.job => C:\Users\acarl\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe
Task: C:\WINDOWS\Tasks\EOSv3 Scheduler onTime.job => C:\Users\acarl\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe
S3 WinRing0_1_2_0; \??\C:\Users\acarl\AppData\Local\Temp\tmpC141.tmp [X] <==== ATTENTION
EmptyTemp:

Malwarebytes good, nothing detected, and the Norton tool is not running because it was a one-time online scan.
 


AdwCleaner log is also clean.

Let's see fresh FRST logs now to do some tidying.

  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.
 
Thanks, Carl. I'll review them by tomorrow, since it's bed time for me now. :-)
 
Hi, Carl.

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything to anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
Task: {88EBA9EF-C985-4351-85E2-E3B630B71ACC} - System32\Tasks\CCleaner Update => C:\Users\acarl\Downloads\Downloads\Ccleaner\CCUpdate.exe (No File)
2023-02-26 17:40 - 2023-02-26 17:40 - 000000000 ____D C:\Users\acarl\Doctor Web
2023-02-26 14:58 - 2023-02-26 14:58 - 000000000 ____D C:\Users\acarl\AppData\Local\NPE
2023-02-26 14:58 - 2023-02-26 14:58 - 000000000 ____D C:\ProgramData\Norton
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
 
Good morning DR M, I'm up very early this morning, being many hours behind your time.
 
