
unknown malicious behavior (rootkit/trojan), maybe MSCaui (windefender)


  • This topic is locked
3 replies to this topic

#1 Amos-Clovisd

Amos-Clovisd

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:45 PM

Posted 29 November 2016 - 12:48 AM

Hey! My friend already posted his log about his computer after being infected when he came home with his laptop. We tried many things to get rid of it, but it always comes back. We tried every option of the Recovery mode, including the one that proposes to delete all files from all drives. We changed our hard drive, and it seems like our USB key and external disk drive are also spreading it. Our Android phone and tablet began to act weirdly too... When we reboot, it's amazing how fast it can deploy itself the moment it can get internet... I'm not sure it's safe to link the post that my friend (masterjulzz) did, explaining with a little bit more details and examples.

And for now, this is my log. I had to reboot it yesterday because I was stuck in a boot loop, crashing a second later with a blue screen and a sad face, not having time to see anything, and then it rebooted by itself, trying to do a diagnosis, but without a chance...

We noticed that Windows Defender (windefender, Mscaui.exe, msmpeng.exe) was almost always on top of the task manager list.... even running in safe mode.

 

System Volume Information appearing on all HDs and USBs, can't destroy it, has a huge size in the volume even though we deleted all recovery points. (We all have our data saved already, we're just keeping resetting our PCs to make them workable, but too much time with internet on and there's a bunch of brand new .dll/.lnk/.exe.)

 

 

My friend had to reboot his Windows again this morning; it was loading just before getting to the page where you choose your account and got stuck there on a semi-black window for about an hour and a half..... He was looking for some information about the real name of Windows Defender (according to the Microsoft site, if we weren't redirected, is it MMpc.exe?). So there's my part of the log.... ****It might not be complete, as I opened FRST without internet the first time so I couldn't do the updates.... and when I retried, even after restarting the computer with internet, ''he'' wouldn't let me access it.

 

Résultats d'analyse de  Farbar Recovery Scan Tool (FRST) (x64) Version: 27-11-2016
Exécuté par stella (administrateur) sur DENLQPADCRACHA (28-11-2016 23:47:06)
Exécuté depuis C:\Users\stella\Desktop
Profils chargés: stella (Profils disponibles: stella)
Platform: Windows 8.1 (X64) Langue: Français (France)
Internet Explorer Version 11 (Navigateur par défaut: Chrome)
Mode d'amorçage: Normal
 
==================== Processus (Avec liste blanche) =================
 
(Si un élément est inclus dans le fichier fixlist.txt, le processus sera arrêté. Le fichier ne sera pas déplacé.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\SmartDiskMounter\sdfs.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\ielowutil.exe
 
 
==================== Registre (Avec liste blanche) ====================
 
(Si un élément est inclus dans le fichier fixlist.txt, l'élément de Registre sera restauré à la valeur par défaut ou supprimé. Le fichier ne sera pas déplacé.)
 
 
==================== Internet (Avec liste blanche) ====================
 
(Si un élément est inclus dans le fichier fixlist.txt, s'il s'agit d'un élément du Registre, il sera supprimé ou restauré à la valeur par défaut.)
 
Tcpip\Parameters: [DhcpNameServer] 24.200.243.189 24.200.241.37 24.201.245.77
Tcpip\..\Interfaces\{27DC67A3-C1A2-4B1A-89CF-2B886098E82A}: [DhcpNameServer] 24.200.243.189 24.200.241.37 24.201.245.77
 
Internet Explorer:
==================
HKU\S-1-5-21-2967857167-749118968-318433013-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.ca/
HKU\S-1-5-21-2967857167-749118968-318433013-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/fr-ca/?ocid=iehp
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [bonjour4firefox@apple.com] - C:\Program Files (x86)\Bonjour SDK\Bin\FirefoxExtension
FF Extension: (Bonjour Extension for Firefox) - C:\Program Files (x86)\Bonjour SDK\Bin\FirefoxExtension [2016-11-28] [non signé]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-11-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-11-28] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default [2016-11-28]
CHR Extension: (Google Slides) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-28]
CHR Extension: (Google Docs) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-28]
CHR Extension: (Google Drive) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-28]
CHR Extension: (YouTube) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-28]
CHR Extension: (Google Sheets) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-28]
CHR Extension: (Google Docs hors connexion) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-11-28]
CHR Extension: (Paiements via le Chrome Web Store) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-28]
CHR Extension: (Gmail) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-28]
CHR Extension: (Chrome Media Router) - C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-28]
 
==================== Services (Avec liste blanche) ====================
 
(Si un élément est inclus dans le fichier fixlist.txt, il sera supprimé du Registre. Le fichier ne sera pas déplacé, sauf s'il est inscrit séparément.)
 
R2 SmartDiskMounter; C:\Program Files (x86)\SmartDiskMounter\sdfs.exe [23152 2015-07-19] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
 
===================== Pilotes (Avec liste blanche) ======================
 
(Si un élément est inclus dans le fichier fixlist.txt, il sera supprimé du Registre. Le fichier ne sera pas déplacé, sauf s'il est inscrit séparément.)
 
R2 SmartDisk; C:\Program Files (x86)\SmartDiskMounter\sdfs.sys [55408 2015-07-19] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
U2 FWebDrv; pas de ImagePath
 
==================== NetSvcs (Avec liste blanche) ===================
 
(Si un élément est inclus dans le fichier fixlist.txt, il sera supprimé du Registre. Le fichier ne sera pas déplacé, sauf s'il est inscrit séparément.)
 
 
==================== Un mois - Créés - fichiers et dossiers ========
 
(Si un élément est inclus dans le fichier fixlist.txt, le fichier/dossier sera déplacé.)
 
2016-11-28 23:47 - 2016-11-28 23:47 - 00005720 _____ C:\Users\stella\Desktop\FRST.txt
2016-11-28 21:57 - 2016-11-28 21:57 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2016-11-28 21:31 - 2016-11-28 23:47 - 00000000 ____D C:\FRST
2016-11-28 21:24 - 2016-11-28 21:24 - 02411520 _____ (Farbar) C:\Users\stella\Desktop\FRST64.exe
2016-11-28 20:57 - 2016-11-28 20:57 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2016-11-28 16:44 - 2016-11-28 16:44 - 00000000 ____D C:\Users\stella\Documents\SmartDiskMounter
2016-11-28 16:44 - 2016-11-28 16:44 - 00000000 ____D C:\Users\stella\AppData\Local\SMARTDISK_CO._LTD
2016-11-28 16:44 - 2016-11-28 16:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Disk Mounter
2016-11-28 16:44 - 2016-11-28 16:44 - 00000000 ____D C:\Program Files (x86)\SmartDiskMounter
2016-11-28 16:43 - 2016-11-28 16:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bonjour SDK
2016-11-28 16:43 - 2016-11-28 16:43 - 00000000 ____D C:\ProgramData\Apple
2016-11-28 16:43 - 2016-11-28 16:43 - 00000000 ____D C:\Program Files\Bonjour SDK
2016-11-28 16:43 - 2016-11-28 16:43 - 00000000 ____D C:\Program Files\Bonjour
2016-11-28 16:43 - 2016-11-28 16:43 - 00000000 ____D C:\Program Files (x86)\Bonjour SDK
2016-11-28 16:43 - 2016-11-28 16:43 - 00000000 ____D C:\Program Files (x86)\Bonjour
2016-11-28 16:42 - 2016-11-28 16:43 - 07298360 _____ C:\Users\stella\Desktop\setup.exe
2016-11-28 16:41 - 2016-11-28 16:41 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2016-11-28 16:41 - 2016-11-28 16:41 - 00000000 ____D C:\Program Files\AMD
2016-11-28 16:41 - 2016-11-28 16:41 - 00000000 _____ C:\Windows\ativpsrm.bin
2016-11-28 16:40 - 2016-11-28 23:45 - 00001098 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-11-28 16:40 - 2016-11-28 23:43 - 00001094 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-11-28 16:40 - 2016-11-28 16:40 - 00004070 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-11-28 16:40 - 2016-11-28 16:40 - 00003834 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-11-28 16:40 - 2016-11-28 16:40 - 00002292 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-28 16:40 - 2016-11-28 16:40 - 00002280 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-11-28 16:40 - 2016-11-28 16:40 - 00000000 ____D C:\Users\stella\AppData\Local\Google
2016-11-28 16:40 - 2016-11-28 16:40 - 00000000 ____D C:\Program Files (x86)\Google
2016-11-28 16:39 - 2016-11-28 16:39 - 01065376 _____ (Google Inc.) C:\Users\stella\Desktop\ChromeSetup.exe
2016-11-28 16:38 - 2016-11-28 23:47 - 00003964 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{9ED80A4A-5977-42D3-A171-D5ECC2DD7E43}
2016-11-28 16:38 - 2016-11-28 16:38 - 00000000 __SHD C:\Users\stella\AppData\LocalLow\EmieUserList
2016-11-28 16:38 - 2016-11-28 16:38 - 00000000 __SHD C:\Users\stella\AppData\LocalLow\EmieSiteList
2016-11-28 16:38 - 2016-11-28 16:38 - 00000000 __SHD C:\Users\stella\AppData\Local\EmieUserList
2016-11-28 16:38 - 2016-11-28 16:38 - 00000000 __SHD C:\Users\stella\AppData\Local\EmieSiteList
2016-11-27 16:40 - 2016-11-28 16:46 - 00003594 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2967857167-749118968-318433013-1001
2016-11-27 16:34 - 2016-11-27 16:34 - 00001465 _____ C:\Users\stella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-11-27 16:34 - 2016-11-27 16:34 - 00000020 ___SH C:\Users\stella\ntuser.ini
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Voisinage réseau
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Voisinage d'impression
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Modèles
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Mes documents
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Menu Démarrer
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Documents\Mes vidéos
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Documents\Mes images
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\Documents\Ma musique
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\AppData\Roaming\Microsoft\Windows\Start Menu\Programmes
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 _SHDL C:\Users\stella\AppData\Local\Historique
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 ____D C:\Users\stella\AppData\Roaming\Adobe
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 ____D C:\Users\stella\AppData\Local\VirtualStore
2016-11-27 16:34 - 2016-11-27 16:34 - 00000000 ____D C:\Users\stella\AppData\Local\Packages
2016-11-27 16:34 - 2014-03-18 05:10 - 00000369 _____ C:\Users\stella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2016-11-27 16:34 - 2014-03-18 05:10 - 00000369 _____ C:\Users\stella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2016-11-27 16:33 - 2016-11-27 16:34 - 00000000 ____D C:\Users\stella
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Public\Documents\Mes vidéos
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Public\Documents\Mes images
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Public\Documents\Ma musique
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Voisinage réseau
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Voisinage d'impression
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Modèles
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Mes documents
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Menu Démarrer
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Documents\Mes vidéos
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Documents\Mes images
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\Documents\Ma musique
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programmes
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default\AppData\Local\Historique
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default User\Documents\Mes vidéos
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default User\Documents\Mes images
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default User\Documents\Ma musique
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programmes
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Users\Default User\AppData\Local\Historique
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\ProgramData\Modèles
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\ProgramData\Microsoft\Windows\Start Menu\Programmes
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\ProgramData\Menu Démarrer
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\ProgramData\Bureau
2016-11-27 15:42 - 2016-11-27 15:42 - 00000000 _SHDL C:\Program Files\Fichiers communs
2016-11-27 09:39 - 2016-11-27 16:34 - 00000000 ____D C:\Windows\Panther
2016-11-27 09:39 - 2016-11-27 09:39 - 00008192 __RSH C:\BOOTSECT.BAK
 
==================== Un mois - Modifiés - fichiers et dossiers ========
 
(Si un élément est inclus dans le fichier fixlist.txt, le fichier/dossier sera déplacé.)
 
2016-11-28 23:46 - 2014-03-18 05:02 - 01734474 _____ C:\Windows\system32\PerfStringBackup.INI
2016-11-28 23:46 - 2014-03-18 04:26 - 00774688 _____ C:\Windows\system32\perfh00C.dat
2016-11-28 23:46 - 2014-03-18 04:26 - 00151426 _____ C:\Windows\system32\perfc00C.dat
2016-11-28 23:46 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Inf
2016-11-28 23:42 - 2013-08-22 09:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-11-28 21:43 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-11-27 16:40 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\AppReadiness
2016-11-27 16:34 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-11-27 15:42 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\rescache
2016-11-27 15:42 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows NT
2016-11-27 09:39 - 2013-08-22 10:36 - 00262144 _____ C:\Windows\system32\config\BCD-Template
 
==================== Bamital & volsnap ======================
 
(Il n'y a pas de correction automatique pour les fichiers qui ne satisfont pas à la vérification.)
 
C:\Windows\system32\winlogon.exe => Le fichier est signé numériquement
C:\Windows\system32\wininit.exe => Le fichier est signé numériquement
C:\Windows\explorer.exe => Le fichier est signé numériquement
C:\Windows\SysWOW64\explorer.exe => Le fichier est signé numériquement
C:\Windows\system32\svchost.exe => Le fichier est signé numériquement
C:\Windows\SysWOW64\svchost.exe => Le fichier est signé numériquement
C:\Windows\system32\services.exe => Le fichier est signé numériquement
C:\Windows\system32\User32.dll => Le fichier est signé numériquement
C:\Windows\SysWOW64\User32.dll => Le fichier est signé numériquement
C:\Windows\system32\userinit.exe => Le fichier est signé numériquement
C:\Windows\SysWOW64\userinit.exe => Le fichier est signé numériquement
C:\Windows\system32\rpcss.dll => Le fichier est signé numériquement
C:\Windows\system32\dnsapi.dll => Le fichier est signé numériquement
C:\Windows\SysWOW64\dnsapi.dll => Le fichier est signé numériquement
C:\Windows\system32\Drivers\volsnap.sys => Le fichier est signé numériquement
 
 
LastRegBack: 2016-11-27 15:39
 
==================== Fin de FRST.txt ============================
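An added example for readers triaging a log like the one above; this is not code from the original post, from the poster, or from the FRST tool. It parses the Processus, Services and Pilotes sections of an FRST.txt (French or English section names), using lines copied from the log above as constructed sample input, and lists the entries a helper would normally look at first: binaries FRST prints with empty vendor parentheses (no company name in the file's version information), service or driver keys with no ImagePath, and kernel drivers loaded from outside C:\Windows. The rules, the Entry class and the function names are this example's own choices; a hit is a reason to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the FRST.txt posted above.
SAMPLE_FRST = r"""
==================== Processus (Avec liste blanche) =================

(Si un élément est inclus dans le fichier fixlist.txt, le processus sera arrêté. Le fichier ne sera pas déplacé.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\SmartDiskMounter\sdfs.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe

==================== Services (Avec liste blanche) ====================

R2 SmartDiskMounter; C:\Program Files (x86)\SmartDiskMounter\sdfs.exe [23152 2015-07-19] ()
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)

===================== Pilotes (Avec liste blanche) ======================

R2 SmartDisk; C:\Program Files (x86)\SmartDiskMounter\sdfs.sys [55408 2015-07-19] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
U2 FWebDrv; pas de ImagePath
"""

# "==== Section name ====" header; the first word selects the section kind.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SECTION_KIND = {"processus": "process", "processes": "process",
                "services": "service", "pilotes": "driver", "drivers": "driver"}
# Process line: "(Vendor) full\path\to\binary.exe"
PROCESS_RE = re.compile(r"^\((?P<vendor>[^)]*)\)\s+(?P<path>\S.*)$")
# Service/driver line: "R2 Name; <image part>"
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<rest>.+)$")
# Image part: "path [size yyyy-mm-dd] (Vendor)"
IMAGE_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<vendor>[^)]*)\)$")
NO_IMAGE = ("pas de imagepath", "no imagepath")  # French and English FRST wording


@dataclass
class Entry:
    kind: str                 # "process", "service" or "driver"
    name: str                 # service/driver key name, or the process file name
    path: Optional[str]       # None when FRST reports no ImagePath
    vendor: Optional[str]     # "" when FRST printed empty parentheses
    state: Optional[str] = None
    size: Optional[int] = None


def parse_frst(text: str) -> List[Entry]:
    """Walk the log line by line, tracking the current section header."""
    kind: Optional[str] = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            kind = SECTION_KIND.get(header.group(1).split()[0].lower())
            continue
        if kind == "process":
            m = PROCESS_RE.match(line)
            if m:  # the fixlist note line starts with "(" but never matches
                entries.append(Entry("process", m["path"].rsplit("\\", 1)[-1],
                                     m["path"], m["vendor"]))
        elif kind in ("service", "driver"):
            m = SERVICE_RE.match(line)
            if not m:
                continue
            if m["rest"].lower() in NO_IMAGE:
                entries.append(Entry(kind, m["name"], None, None, m["state"]))
                continue
            im = IMAGE_RE.match(m["rest"])
            if im:
                entries.append(Entry(kind, m["name"], im["path"], im["vendor"],
                                     m["state"], int(im["size"])))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (name, reason) pairs worth a closer look; heuristics are this example's own."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.path is None:
            findings.append((e.name, f"{e.kind} key registered without an ImagePath"))
            continue
        if not e.vendor:
            findings.append((e.name, f"{e.kind} binary carries no company name"))
        if e.kind == "driver" and not e.path.lower().startswith("c:\\windows\\"):
            findings.append((e.name, "kernel driver loaded from outside C:\\Windows"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_frst(SAMPLE_FRST)):
        print(f"{name}: {reason}")
```

On the sample above the four hits are sdfs.exe and the SmartDiskMounter service (no company name), SmartDisk (driver image under Program Files (x86)) and FWebDrv (no ImagePath); signed Microsoft, AMD and Apple entries pass through untouched.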


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,922 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:45 AM

Posted 30 November 2016 - 11:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#3 Amos-Clovisd

Amos-Clovisd
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:45 PM

Posted 30 November 2016 - 06:07 PM

It actually went well.... I guess. No lag/disconnect or crash when downloading or running the script. For now it seems to have helped, I was glad to open internet without being redirected at the first page... so here's the log

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by stella on 2016-11-30 at 17:53:38,20.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\stella\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
2016-11-30 17:53:56 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Users\stella\AppData\Local\VirtualStore deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"bonjour4firefox@apple.com"="C:\Program Files (x86)\Bonjour SDK\Bin\FirefoxExtension" [2016-11-28 16:43]
 
==== Chromium Look ======================
 
 
Chrome Media Router - stella\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Chromium Fix ======================
 
C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 
==== Reset Google Chrome ======================
 
C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\stella\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\stella\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\stella\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\stella\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\stella\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=3 folders=0 77423 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\stella\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\stella\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 2016-11-30 at 18:03:34,27 ======================


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,922 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:45 AM

Posted 01 December 2016 - 08:20 AM

Run the Farbar tool again.

Post Fresh FRST and Addition.txt file for my review.
