Solved Help Removing a Service and Registry Key

  • Hi there and welcome to PC Help Forum (PCHF), a more effective way to get the Tech Support you need!
    We have Experts in all areas of Tech, including Malware Removal, Crash Fixing and BSOD's , Microsoft Windows, Computer DIY and PC Hardware, Networking, Gaming, Tablets and iPads, General and Specific Software Support and so much more.

    Why not Click Here To Sign Up and start enjoying great FREE Tech Support.

    This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Welcome to our Community
Wanting to join the rest of our members? Feel free to sign up today.
Sign up
Status
Not open for further replies.

JawniHawni

PCHF Member
PCHF Member
Feb 23, 2019
10
3
31
Greetings,

I had recently gotten an adware that installed some software that created a service that made everything on my computer Yahoo search based. And also kept pinning IE with a Yahoo start page into my taskbar. Well, I managed to get the software out from my system and all the infected files in Safe Mode, but I'm still stuck with the service it created as well as an empty registry key for it.

The software that was on my box is called EasyMedianB. I cannot delete the service as Windows doesn't want me to and same for the regustry key. I cannot even change permissions for the registry key entry to force removal.

Below are the FRST logs. I tried running aswmbr as well, but I got a BSoD thanks to aswMBR.sys.

Thank ye in advance,
~Jawni
 

Attachments

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
Uninstall Avast Secure Browser With Geek Uninstaller


A couple of questions before we begin.

Did you set these policies? I need to know this before I create a FRST fix for your machine.

Disable System restore Etc?


HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <==== ATTENTION
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [NoPreviewPane] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [NoWinkeys] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [HideSCANetwork] 0
HKU\S-1-5-21-1601658347-1384394231-484781949-1000\...\Policies\Explorer: [HideSCAVolume] 0






Adware Cleaner Scan.

Please download AdwCleaner by Xplode onto your desktop.





  • Close all open programs and internet browsers.
  • Right Click on adwcleaner.exe and run as admin to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Rogue Killer Scan.

Download RogueKiller -- (Portable) -- from one of the following links and save it to your Desktop:

Link 1
Link 2



  • Close all other the running programs
  • Disable ALL Antivirus -- Antimalware -- Applications.
  • Right Click Rogue Killer and Run as Administrator.
  • Click the Start Scan button.
  • Allow the scan to run -- it can take ten minutes or more.
  • Once the scan is complete check All items for removal.



  • After All items are checked then press Remove Selected.
  • Wait until the Status box shows Deleting Finished.
  • Click on open report -- then open txt
  • Copy the content of the report and paste it here in your next reply.
 
Last edited:

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
Right Click FRST64 on your desktop and copy paste SearchAll: EasyMedianB0 into the text window of FRST.

4875


In the search box, you have to type

SearchAll: EasyMedianB0

Make sure to include the "SearchAll:" part as well, then click Search Files.

Copy and paste the contents of the Search.txt log which will open in Notepad after the scan.

Thanks.
 

JawniHawni

PCHF Member
PCHF Member
Feb 23, 2019
10
3
31
I may have disabled system restore as well as backups as I only had so much harddrive space. More over, I ended up deleting the whole system restore partition not too long ago as i cloned my OS drive onto a nice shiny m.2 drive.

As for the other policies, I do not believe I set those. If you're planning on changing the system restore policy, you might as well do that as well.

I'll be downloading and running the cleaning software now.
 

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
Ok, I will remove those settings from the machine, everything will be back to default as far as those settings go. I will be awaiting the logs, and the search results from FRST. That will go into the fix. :)
 

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
You need to push the search files button when you copy paste SearchAll: EasyMedianB0

4882


You pushed the scan button.
 
Last edited:

JawniHawni

PCHF Member
PCHF Member
Feb 23, 2019
10
3
31
Oh. Whoopsie. Proper file attached now.

I'm doing another search for just "EasyMedianB". I think I added the "0" into the registry entry when I was trying to get rid of it. If anything pops I'll let you know.
 

Attachments

JawniHawni

PCHF Member
PCHF Member
Feb 23, 2019
10
3
31
Okay. "EasyMedianB" added a few extra things into the report and includes the stuff from the above file.
 

Attachments

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
Alright, I've got to run to the store I'll be back in a couple hours to complete this. For now....

Scan with ESET:

Please download ESET Online Scanner and save it to your desktop.


  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • Click on Get Started.
  • Another window will appear - select Get Started. Select whether you would like to send anonymous data to ESET.
  • Click on the Full Scan option.
  • Click on the option to Enable ESET to detect and remove potentially unwanted applications, and select Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop with a name like ESETlog.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • On your desktop, a file will be created called ESETlog.txt. Open it, then copy and paste its contents into your next reply.
 

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
Download attached fixlist.txt file and save it to the Desktop. NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

Attachments

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
After the ESET Scan, I want you to tell me how things are going with the machine. What issues remain?
 

JawniHawni

PCHF Member
PCHF Member
Feb 23, 2019
10
3
31
Phew. Finally done. Here's the ESET log.

Everything seems to be going smoothly again. I dont see any EasyMedian stuff anymore and my searches aren't being changed to Yahoo. Nice.
 

Attachments

  • Like
Reactions: Malnutrition

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
Ok, lets just run a final couple checks then get you on your way. :)

Step 1:

Security Check Scan.




  • Download Security Check to your desktop.
  • Right click it run as administrator.
  • When the program completes, the tool will automatically open a log file.
  • Please post that log here in your next post.
Step 2:

HijackThis.




1- Please click HERE to download HijackThis.
2- Run the program.
3- Click on the Main Menu button if not already there.
4- Select Do a system scan and save a logfile.
5- Copy paste the log here.



Step 3:

Adware Removal Tool Scan.




Download Adware removal tool to your desktop, right click the icon and select Run as Administrator.















Hit Ok.













Hit next make sure to leave all items checked, for removal.















The Program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, thenOK again to finish up. Post log generated by tool.
 

JawniHawni

PCHF Member
PCHF Member
Feb 23, 2019
10
3
31
Aaaand here are these three.

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 19.06.2019 19:57:45
Path starting: C:\Users\Big Brother\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Big Brother
VersionXML: 6.57is-18.06.2019
___________________________________________________________________________

Windows 10(6.3.17763) (x64) Core Release: 1809 Lang: English(0409)
Installation date OS: 21.02.2019 03:42:09
LicenseStatus: Office 16, Office16O365ProPlusR_Subscription1 edition Windows is in Notification mode
LicenseStatus: Windows(R), Core edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [894.3 Gb] Used: [237.1 Gb] Free: [657.2 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.557.17763.0
User Account Control enabled
Automatically download and schedule installation
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Defender Firewall (mpssvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (enabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 3.7.1.2839 v.3.7.1.2839
--------------------------- [ OtherUtilities ] ----------------------------
Microsoft Office 365 ProPlus - en-us v.16.0.10730.20348 Warning! Download Update
How Install Office updates?
Microsoft .NET Framework 4.5.2 v.4.5.51209 Warning! Download Update
Microsoft Silverlight v.5.1.50918.0
NVIDIA GeForce Experience 3.19.0.94 v.3.19.0.94
VLC media player v.2.2.1 Warning! Download Update
Steam v.1.0.0.0 Warning! Download Update
-------------------------------- [ Arch ] ---------------------------------
WinRAR 5.30 (32-bit) v.5.30.0 Warning! Download Update
--------------------------------- [ IM ] ----------------------------------
Discord v.0.0.305
Skype™ 7.40 v.7.40.151 Warning! Download Update
---------------------------- [ ProxyAndVPNs ] -----------------------------
NordVPN v.6.20.12
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 211 (64-bit) v.8.0.2110.12
Java 8 Update 211 v.8.0.2110.12
--------------------------- [ AppleProduction ] ---------------------------
QuickTime v.7.73.80.64 Warning! This software is no longer supported. Please uninstall it and use another software.
--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.32.0.0.89 Warning! Download Update
Adobe Acrobat Reader DC v.15.009.20069 Warning! Download Update
^Please run Acrobat Reader DC and go Help - Check for updates...^
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 67.0.3 (x64 en-US) v.67.0.3
Google Chrome v.74.0.3729.169 Warning! Download Update
----------------------------- [ EmailClient ] -----------------------------
Windows Live Essentials v.16.4.3528.0331 Warning! This software is no longer supported.
Windows Live Sync v.14.0.8117.416 Warning! This software is no longer supported.
Windows Live Mail v.16.4.3528.0331 Warning! This software is no longer supported.
------------------ [ AntivirusFirewallProcessServices ] -------------------
Malwarebytes Service (MBAMService) - The service has stopped
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\MsMpEng.exe v.4.18.1905.4
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1905.4-0\NisSrv.exe v.4.18.1905.4
Windows Defender Antivirus Service (WinDefend) - The service is running
Windows Defender Antivirus Network Inspection Service (WdNisSvc) - The service is running
---------------------------- [ UnwantedApps ] -----------------------------
Unity Web Player (x64) (All users) v.4.6.6f2 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------
 

Attachments

Malnutrition

Malnurished Mod
Moderator
Security Team
Jul 22, 2016
3,394
551
Everything looks ok now. I'd update all of the out of date programs with Patch My PC.

If you do not know what this is, I'd remove it.

C:\Users\Big Brother\AppData\Local\ValidSimple.Updater\RKHelper.exe =>
https://www.virustotal.com/file/1a75c5de8b25d6b2c61a7e779899ff489c30ee3147b574bc9316761a31a25aa7/analysis/1560980491/

Now Lets Clean up the tools we used and remove old restore points.


Download DelFix by "Xplode" to your Desktop.

Right Click the tool and Run as Admin ( Xp Users Double Click)
Put a check mark next the items below:


Remove disinfection tools
Create registry backup
Purge System Restore




Now click on "Run" button.
allow the program to complete its work.
all the tools we used will be removed.
Tool will create and open a log report (DelFix.txt)
Note: The report can be located at the following location C:\DelFix.txt
 
Status
Not open for further replies.