Infected with JS/Kryptik.BDX trojan from flashplayer.hta from internet explorer


  • This topic is locked
40 replies to this topic

#1 Skillful

  • Members
  • 92 posts

Posted 18 May 2017 - 05:12 AM

I was using Internet Explorer to browse autosport forums. Took a screenshot: https://www.facebook.com/photo.php?fbid=1796781010638581&set=pb.100009200976180.-2207520000.1494319905.&type=3&theater I then 'ended Internet Explorer' through Task Manager, and also noticed that there was an Adobe Flash Player running in Task Manager, so I ended that as well. It had, I think, a black or dark-coloured icon? Unsure if that's normal. I started Internet Explorer again just to Google and did not get redirected again.

Also, when making topics here, they have spaces, but when I press Post, all the spaces are gone. I have to then edit the topic for the spaces/paragraphs to appear. I also just 'allowed all scripts' while editing this post, and it asked me if I wanted to download FRST again, which I had already run.


Don't know if this is related to the start of this thread here, or just a coincidence:
https://www.bleepingcomputer.com/forums/t/644806/website-loading-oddly-in-firefox-and-ie-attached-screen-and-one-redirect/




FRST log
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-05-2017
Ran by Bq (administrator) on NW (18-05-2017 20:03:16)
Running from C:\Users\Bq\Downloads
Loaded Profiles: Bq (Available Profiles: Bq)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Start WingMan Profiler] => C:\Program Files\Logitech\Gaming Software\LWEMon.exe [190536 2010-06-14] (Logitech Inc.)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13614832 2016-05-31] (Zemana Ltd.)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2014-04-11] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3019552 2017-04-26] (Valve Corporation)
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {21306ffa-b2f6-11e6-beac-94de807d20b6} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {d24438ef-83cf-11e6-bea8-94de807d20b6} - "D:\LaunchU3.exe" -a

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{7730C283-7265-4607-948E-1DB0CA1C6BCA}: [DhcpNameServer] 10.0.0.138

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing

FireFox:
========
FF DefaultProfile: g8f8uubc.default
FF ProfilePath: C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default [2017-05-18]
FF Extension: (NoScript) - C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-05-13]
FF Extension: (Adblock Plus) - C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-28]
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ESRV_SVC_WILLAMETTE; C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe [416408 2016-03-09] ()
S2 IAStorDataMgrsvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-04-11] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
R2 SystemUsageReportSvc_WILLAMETTE; C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe [118424 2016-03-09] ()
S3 USER_ESRV_SVC_WILLAMETTE; C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe [416408 2016-03-09] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2016-02-06] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2016-02-06] (Microsoft Corporation)
S2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13614832 2016-05-31] (Zemana Ltd.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 LGJoyXlCore; C:\WINDOWS\system32\drivers\LGJoyXlCore.sys [68384 2015-06-11] (Logitech Inc.)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
S3 semav6msr64; C:\WINDOWS\system32\drivers\semav6msr64.sys [21984 2016-03-09] ()
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [51320 2016-06-01] (Synaptics Incorporated)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44560 2016-02-06] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [270168 2016-02-06] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [114520 2016-02-06] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2016-06-08] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2016-06-08] (Zemana Ltd.)
U0 Compbatt; no ImagePath
U2 ERSvc; no ImagePath
R1 MpKsla877c0cb; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8EF565F4-8AF1-45B1-98E2-B393D8444D54}\MpKsla877c0cb.sys [X]
U2 NIHardwareService; no ImagePath
U2 NVSvc; no ImagePath
U2 Parvdm; no ImagePath
U2 srService; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-18 20:03 - 2017-05-18 20:03 - 00007748 _____ C:\Users\Bq\Downloads\FRST.txt
2017-05-18 20:03 - 2017-05-18 20:03 - 00000000 ____D C:\FRST
2017-05-18 20:00 - 2017-05-18 20:00 - 02429952 _____ (Farbar) C:\Users\Bq\Downloads\FRST64.exe
2017-05-15 07:20 - 2017-05-15 07:20 - 00000266 _____ C:\Users\Bq\Downloads\eset14-5-17.txt
2017-05-14 08:33 - 2017-05-14 08:33 - 02870984 _____ (ESET) C:\Users\Bq\Downloads\esetsmartinstaller_enu(1).exe
2017-05-14 08:25 - 2017-05-14 08:25 - 01663672 _____ (Malwarebytes) C:\Users\Bq\Downloads\JRT(1).exe
2017-05-14 08:23 - 2017-05-14 08:23 - 00001712 _____ C:\Users\Bq\Downloads\AdwCleaner[S6].txt
2017-05-14 08:20 - 2017-05-14 08:20 - 04102600 _____ C:\Users\Bq\Downloads\AdwCleaner(1).exe
2017-05-14 08:18 - 2017-05-14 08:18 - 00027385 _____ C:\Users\Bq\Downloads\MTB14-5-17b.txt
2017-05-14 08:17 - 2017-05-14 08:17 - 00027389 _____ C:\Users\Bq\Downloads\MTB14-5-17.txt
2017-05-14 08:16 - 2017-05-14 08:16 - 00892416 _____ (Farbar) C:\Users\Bq\Downloads\MiniToolBox.exe
2017-05-07 19:32 - 2017-05-07 19:32 - 00000686 _____ C:\Users\Bq\Desktop\SimRacingTools.lnk
2017-05-07 19:32 - 2017-05-07 19:32 - 00000000 ____D C:\SimRacingTools
2017-05-07 19:31 - 2017-05-07 19:31 - 15670194 _____ C:\Users\Bq\Downloads\SimRacingTools_installer(2).zip
2017-05-03 06:35 - 2017-05-08 01:57 - 00014636 _____ C:\Users\Bq\Desktop\Australia grand prix.xlsx
2017-05-03 06:29 - 2016-05-02 07:49 - 00258560 _____ C:\Users\Bq\Desktop\DAMPlugin.dll
2017-04-21 09:01 - 2017-04-21 09:01 - 00000242 _____ C:\Users\Bq\Downloads\eset.txt
2017-04-21 08:33 - 2017-04-21 08:33 - 00000000 ____D C:\Program Files (x86)\ESET
2017-04-21 08:31 - 2017-05-14 08:39 - 00000552 _____ C:\Users\Bq\Downloads\JRT.txt
2017-04-21 07:50 - 2017-04-21 07:50 - 02870984 _____ (ESET) C:\Users\Bq\Downloads\esetsmartinstaller_enu.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-05-18 20:03 - 2017-02-02 15:14 - 02485237 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-05-18 20:03 - 2017-02-02 15:14 - 02411414 _____ C:\WINDOWS\ZAM.krnl.trace
2017-05-18 19:51 - 2016-02-06 07:23 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-251241379-2071700029-1508196371-1001
2017-05-18 19:40 - 2017-02-03 10:13 - 00000000 ____D C:\Users\Bq\Desktop\2017
2017-05-18 19:33 - 2016-12-31 22:05 - 00000000 ____D C:\Program Files (x86)\Steam
2017-05-18 19:22 - 2016-11-27 00:07 - 00000000 ____D C:\Users\Bq\AppData\LocalLow\Mozilla
2017-05-18 19:22 - 2016-02-06 08:31 - 00000000 __SHD C:\Users\Bq\IntelGraphicsProfiles
2017-05-17 23:12 - 2016-02-06 07:17 - 00000000 ____D C:\Users\Bq\AppData\Local\Packages
2017-05-17 23:12 - 2013-08-23 01:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-05-17 23:12 - 2013-08-23 01:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-05-16 11:30 - 2016-02-20 19:54 - 00000000 ____D C:\ProgramData\MoTeC
2017-05-16 11:23 - 2017-02-28 18:49 - 10136624 _____ C:\Users\Bq\Downloads\koko2.rar
2017-05-14 08:38 - 2016-06-08 15:38 - 00000552 _____ C:\Users\Bq\Desktop\JRT.txt
2017-05-14 08:23 - 2016-06-08 14:59 - 00000000 ____D C:\AdwCleaner
2017-05-14 08:18 - 2016-06-09 14:59 - 00027385 _____ C:\Users\Bq\Downloads\MTB.txt
2017-05-11 20:48 - 2016-02-07 02:48 - 00000000 ____D C:\Users\Bq\Desktop\2016
2017-05-08 11:00 - 2016-02-06 09:41 - 00000000 ____D C:\Users\Bq
2017-05-04 03:46 - 2017-03-12 22:17 - 15703517 _____ (SimRacingTools.com) C:\Users\Bq\Downloads\SimRacingTools_installer.exe
2017-05-01 01:57 - 2014-11-22 11:00 - 00771630 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-05-01 01:57 - 2013-08-22 23:36 - 00000000 ____D C:\WINDOWS\Inf
2017-05-01 01:53 - 2013-08-23 00:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-24 01:57 - 2017-04-14 03:28 - 00014434 _____ C:\Users\Bq\Desktop\Canada Grand prix.xlsx
2017-04-18 01:06 - 2016-09-28 12:25 - 00000000 ____D C:\Users\Bq\Desktop\Photos good bad notes

==================== Files in the root of some directories =======

2016-03-11 01:19 - 2016-03-11 01:19 - 0000017 _____ () C:\Users\Bq\AppData\Local\resmon.resmoncfg

Some files in TEMP:
====================
2017-01-28 11:29 - 2017-02-27 22:34 - 44048864 _____ (Skype Technologies S.A.) C:\Users\Bq\AppData\Local\Temp\SkypeSetup.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-05-10 19:56

==================== End of FRST.txt ============================

Edited by Skillful, 18 May 2017 - 05:16 AM.
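The first post describes the chain this thread is named for: an Internet Explorer session left a file called flashplayer.hta behind, and something presenting itself as Adobe Flash Player was running in Task Manager. Windows executes .hta files with mshta.exe, so the process-creation pattern to hunt for is a browser spawning mshta.exe with a .hta path in a download or temp directory. The script below is an added example, not code from the thread or from any tool used in it; the event records are constructed to mirror Sysmon's process-creation fields (Image, ParentImage, CommandLine) and are not captured from the poster's machine, and the browser and script-host lists are my own assumptions.

```python
"""Triage process-creation events for the browser -> mshta.exe .hta pattern.

Added example for this thread; event shape follows Sysmon event 1 fields and
every sample event is constructed for illustration.
"""
import ntpath
import re

# Parents that should never need to start a script host on a home PC (assumption).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "microsoftedge.exe"}
# Hosts that turn a downloaded text file into arbitrary code execution (assumption).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
HTA_ARG = re.compile(r"\.hta\b", re.IGNORECASE)
# Directories a drive-by download lands in; a packaged tool would not run .hta from here.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|INetCache|Temp)\\", re.IGNORECASE)


def reasons_for(event):
    """Return the independent indicators present in one process-creation event."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image in SCRIPT_HOSTS and parent in BROWSERS:
        reasons.append(f"{image} started by browser {parent}")
    if image == "mshta.exe" and HTA_ARG.search(cmd):
        reasons.append("mshta.exe launched with an .hta argument")
        if USER_WRITABLE.search(cmd):
            reasons.append(".hta sits in a user-writable download/temp path")
    return reasons


def verdict(event):
    """'alert' when two or more indicators stack, 'info' for one, 'clean' for none."""
    n = len(reasons_for(event))
    return "alert" if n >= 2 else ("info" if n == 1 else "clean")


def triage(events):
    """Map each event to (verdict, reasons) so a responder sees why it fired."""
    return [(verdict(e), reasons_for(e)) for e in events]


# Constructed sample events (not real telemetry from the thread's machine).
SAMPLE_EVENTS = [
    {   # the drive-by chain this thread is about
        "Image": r"C:\Windows\SysWOW64\mshta.exe",
        "ParentImage": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
        "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Bq\Downloads\flashplayer.hta"',
    },
    {   # a user double-clicking a vendor .hta from Explorer: worth logging, not paging
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
    },
    {   # ordinary service host start
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    {   # Firefox content process: browser parent, but not a script host
        "Image": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
        "ParentImage": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc',
    },
]

if __name__ == "__main__":
    for v, why in triage(SAMPLE_EVENTS):
        print(v, "|", "; ".join(why) or "-")
```

The first event is the only one that pages: the browser parent alone is suspicious, and combined with an .hta in Downloads it is the exact delivery the thread describes. The second event shows why the rule scores indicators instead of matching on mshta.exe alone; an .hta launched from Explorer out of Program Files is worth a log line, not an incident.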


#2 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 May 2017 - 09:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {21306ffa-b2f6-11e6-beac-94de807d20b6} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {d24438ef-83cf-11e6-bea8-94de807d20b6} - "D:\LaunchU3.exe" -a
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
U0 Compbatt; no ImagePath
U2 ERSvc; no ImagePath
R1 MpKsla877c0cb; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8EF565F4-8AF1-45B1-98E2-B393D8444D54}\MpKsla877c0cb.sys [X]
U2 NIHardwareService; no ImagePath
U2 NVSvc; no ImagePath
U2 Parvdm; no ImagePath
U2 srService; no ImagePath

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Just to be on the safe side, run this scan. It may take one hour to complete.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
===

Please let me know what problem persists with this computer.
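The fixlist above was assembled by hand from the FRST.txt in the first post. The script below is an added example for this thread, not code from the poster, from nasdaq or from Farbar's tool. It parses an FRST log and drafts the same fixlist by rule: MountPoints2 autorun entries, "DefaultScope value is missing" lines, and services or drivers with "no ImagePath" or a dangling "[X]" image go into the fixlist; lines FRST marks "<======= ATTENTION" are set aside for review, because an Internet Explorer Policies restriction can be a deliberate setting and the fixlist in this thread leaves those three lines alone. The regexes and the section handling are my assumptions about FRST's output format, inferred from this one log; SAMPLE is an excerpt of the log posted above.

```python
"""Draft a fixlist.txt from an FRST.txt log (added example; see the lead-in)."""
import re

ATTENTION = "<======= ATTENTION"
# Section banners look like "==================== Drivers (Whitelisted) ======".
SECTION_RE = re.compile(r"^=+\s+([^=]+?)\s+=+$")
MOUNTPOINT_RE = re.compile(r"\\MountPoints2:\s+\{[0-9a-fA-F-]+\}\s+-\s+")
SEARCHSCOPE_RE = re.compile(r"^SearchScopes: .* -> DefaultScope value is missing$")
NO_IMAGE_RE = re.compile(r"^[RSU]\d\s+\S+;\s+no ImagePath$")
DANGLING_RE = re.compile(r"^[RSU]\d\s+\S+;\s+.*\[X\]$")


def parse_sections(text):
    """Split FRST output into {section name: [content lines]}, dropping its hint lines."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        # Skip blanks, bare "====" rules and FRST's "(If an entry is included ...)" hints.
        if not line or set(line) == {"="} or line.startswith("(If "):
            continue
        sections[current].append(line)
    return sections


def propose_fixlist(text):
    """Return {"fix": lines to paste into fixlist.txt, "review": lines a human must judge}."""
    fix, review = [], []
    for name, lines in parse_sections(text).items():
        in_services = name.startswith(("Services", "Drivers"))
        for line in lines:
            if ATTENTION in line:
                review.append(line)  # policy restrictions may be intentional
            elif MOUNTPOINT_RE.search(line) or SEARCHSCOPE_RE.match(line):
                fix.append(line)
            elif in_services and (NO_IMAGE_RE.match(line) or DANGLING_RE.match(line)):
                fix.append(line)
    return {"fix": fix, "review": review}


def render_fixlist(fix_lines):
    """Frame the lines the way the fixlist in this thread is framed (Start ... End)."""
    body = ["Start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    body += fix_lines
    body += ["", "End"]
    return "\n".join(body) + "\n"


# Excerpt of the FRST.txt posted in this thread (abridged to the relevant sections).
SAMPLE = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-05-2017
Ran by Bq (administrator) on NW (18-05-2017 20:03:16)

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13614832 2016-05-31] (Zemana Ltd.)
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {21306ffa-b2f6-11e6-beac-94de807d20b6} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {d24438ef-83cf-11e6-bea8-94de807d20b6} - "D:\LaunchU3.exe" -a

==================== Internet (Whitelisted) ====================

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing

===================== Drivers (Whitelisted) ======================

S3 LGJoyXlCore; C:\WINDOWS\system32\drivers\LGJoyXlCore.sys [68384 2015-06-11] (Logitech Inc.)
U0 Compbatt; no ImagePath
U2 ERSvc; no ImagePath
R1 MpKsla877c0cb; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8EF565F4-8AF1-45B1-98E2-B393D8444D54}\MpKsla877c0cb.sys [X]
U2 NIHardwareService; no ImagePath
U2 NVSvc; no ImagePath
U2 Parvdm; no ImagePath
U2 srService; no ImagePath

==================== End of FRST.txt ============================
"""

if __name__ == "__main__":
    result = propose_fixlist(SAMPLE)
    print(render_fixlist(result["fix"]))
    print("Needs a human:", *result["review"], sep="\n  ")
```

Run against the excerpt, the draft contains the same eleven entries as the fixlist nasdaq posted, in the same order, which is the point of writing the rule down rather than copying entries by eye. The three Restriction lines land in the review bucket; only someone who knows whether that policy was set on purpose should decide what to do with them.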

#3 Skillful

  • Topic Starter

  • Members
  • 92 posts

Posted 20 May 2017 - 08:30 PM

Thanks for the help. I downloaded and installed the Sophos Virus Removal Tool. I then copied and pasted the text into Notepad. I then ran FRST; it auto-updated? A folder was created with the old version; I ran the new version and clicked Fix. After reboot, it had already turned off Windows Defender, and I disabled 'zem' in the process list [I think this is Zemana AntiMalware?]. Sophos did not find any threats; it only took roughly 10 minutes to scan.

Here is the fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-05-2017
Ran by Bq (21-05-2017 10:56:15) Run:1
Running from C:\Users\Bq\Downloads
Loaded Profiles: Bq (Available Profiles: Bq)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {21306ffa-b2f6-11e6-beac-94de807d20b6} - "D:\LaunchU3.exe" -a
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\...\MountPoints2: {d24438ef-83cf-11e6-bea8-94de807d20b6} - "D:\LaunchU3.exe" -a
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
U0 Compbatt; no ImagePath
U2 ERSvc; no ImagePath
R1 MpKsla877c0cb; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8EF565F4-8AF1-45B1-98E2-B393D8444D54}\MpKsla877c0cb.sys [X]
U2 NIHardwareService; no ImagePath
U2 NVSvc; no ImagePath
U2 Parvdm; no ImagePath
U2 srService; no ImagePath

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{21306ffa-b2f6-11e6-beac-94de807d20b6} => key removed successfully
HKCR\CLSID\{21306ffa-b2f6-11e6-beac-94de807d20b6} => key not found.
HKU\S-1-5-21-251241379-2071700029-1508196371-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d24438ef-83cf-11e6-bea8-94de807d20b6} => key removed successfully
HKCR\CLSID\{d24438ef-83cf-11e6-bea8-94de807d20b6} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SearchScopes: HKLM -> DefaultScope value is missing => value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\SearchScopes: HKLM-x32 -> DefaultScope value is missing => value not found.
HKLM\System\CurrentControlSet\Services\Compbatt => key removed successfully
Compbatt => service removed successfully
HKLM\System\CurrentControlSet\Services\ERSvc => key removed successfully
ERSvc => service removed successfully
MpKsla877c0cb => Unable to stop service.
HKLM\System\CurrentControlSet\Services\MpKsla877c0cb => key removed successfully
MpKsla877c0cb => service removed successfully
HKLM\System\CurrentControlSet\Services\NIHardwareService => key removed successfully
NIHardwareService => service removed successfully
HKLM\System\CurrentControlSet\Services\NVSvc => key removed successfully
NVSvc => service removed successfully
HKLM\System\CurrentControlSet\Services\Parvdm => key removed successfully
Parvdm => service removed successfully
HKLM\System\CurrentControlSet\Services\srService => key removed successfully
srService => service removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 59545410 B
Java, Flash, Steam htmlcache => 25176291 B
Windows/system/drivers => 2199308 B
Edge => 0 B
Chrome => 0 B
Firefox => 378801946 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 206390 B
Bq => 351217172 B

RecycleBin => 0 B
EmptyTemp: => 787.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:56:31 ====


Sophos Virus Removal Tool did not find any threats.

I haven't had any other problems, so was that .hta (or whatever it was that I saw being downloaded) technically a trojan that didn't cause any harm, or do I need to run more stuff? [I think some websites' advertisements are not checked for these things, which is a shame.] I have not tried playing games or logging into anything where I need to type passwords in, because I try to avoid those things in case of risk while it's infected: e.g. games would use ports, and in case of a keylogger I have not typed any passwords.

#4 nasdaq

  • Malware Response Team
  • 39,543 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 May 2017 - 07:40 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#5 Skillful

  • Topic Starter

  • Members
  • 92 posts

Posted 21 May 2017 - 08:23 AM

Hi again. I turned off Windows Defender, then ran Zoek, then uninstalled Zemana AntiMalware, rebooted and ran Zoek again. I have put both logs here in order.


First zoek log


Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Bq on Sun 21/05/2017 at 22:57:35.14.
Microsoft Windows 8.1 Pro 6.3.9600 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Bq\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

21/05/2017 10:58:50 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\9-lab deleted successfully
C:\Users\Bq\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\prefs.js:

Added to C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\prefs.js:

ProfilePath: C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20172105_1104_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Users\Bq\AppData\Roaming\discord deleted
C:\PROGRA~3\Package Cache deleted
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk" not deleted

==== Firefox Extensions ======================

ProfilePath: C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE10"
{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} Google Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

==== Reset Google Chrome ======================

Nothing found to reset

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Bq\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Bq\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Bq\AppData\Local\Mozilla\Firefox\Profiles\g8f8uubc.default\cache2 emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++twitter.com\cache emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++www.dropbox.com\cache emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++www.gothamclub.com\cache emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++www.youtube.com\cache emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=834 folders=57 226442438 bytes)

==== Empty Temp Folders ======================

C:\Users\Bq\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Bq\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk" not found

==== EOF on Sun 21/05/2017 at 23:05:41.49 ======================




Second zoek log

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Bq on Sun 21/05/2017 at 23:11:25.22.
Microsoft Windows 8.1 Pro 6.3.9600 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Bq\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2017-05-21-130541.log 5432 bytes

==== System Restore Info ======================

21/05/2017 11:12:17 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Zemana AntiMalware deleted successfully
C:\Users\Bq\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\prefs.js:

Added to C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\Zemana AntiMalware not found

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions ======================

ProfilePath: C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE10"
{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} Google Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

==== Reset Google Chrome ======================

Nothing found to reset

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Bq\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Bq\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Bq\AppData\Local\Mozilla\Firefox\Profiles\g8f8uubc.default\cache2 emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++twitter.com\cache emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++www.dropbox.com\cache emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++www.gothamclub.com\cache emptied successfully
C:\Users\Bq\AppData\Roaming\Mozilla\Firefox\Profiles\g8f8uubc.default\storage\default\https+++www.youtube.com\cache emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=834 folders=57 226442438 bytes)

==== Empty Temp Folders ======================

C:\Users\Bq\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Bq\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sun 21/05/2017 at 23:18:51.18 ======================




When I ran zoek, both times, after a few seconds I got "Das21 has stopped responding. Search for application online or close program." I said close, and then zoek did the scans.

Edited by Skillful, 21 May 2017 - 08:24 AM.


#6 Skillful (Topic Starter, Members, 92 posts)

Posted 21 May 2017 - 08:24 AM

See why is that 1 paragraph? I had spaces in there, but when I click "post" it goes to one paragraph.

Edit: After I edit the post and put one space in and go 'preview post', all the original paragraphs are there again? Dunno if that's something wrong on my end.

Edited by Skillful, 21 May 2017 - 08:25 AM.


#7 nasdaq (Malware Response Team, 39,543 posts, Gender: Male, Location: Montreal, QC. Canada)

Posted 22 May 2017 - 06:44 AM

See why is that 1 paragraph? I had spaces in there, but when I click "post" it goes to one paragraph.

Edit: After I edit the post and put one space in and go 'preview post', all the original paragraphs are there again? Dunno if that's something wrong on my end.

Strange, but the browser is rendering it well.

===

Has your problem been solved?

#8 Skillful (Topic Starter, Members, 92 posts)

Posted 22 May 2017 - 07:22 AM

Yeah, strange, because after I put a few spaces in (well, 2 more), all the original spaces are there; perhaps putting it into preview post and then posting somehow changes the bbcode or whatever code is used for the forum, and then the original spaces show up in the post after editing! Okay, I typed all of this and below out, clicked preview, and no spaces in the preview. Very odd. Just put 'double spaces' between some of the paragraphs, and now all spaces are in there [both single and double] correctly in the preview. How very odd. Is this a sign of any malware etc., or not really? Hard to say?


My problem, basically: I was using Internet Explorer and got redirected, etc. etc. as per my first post, then closed that and ran ESET. ESET "quarantined" the .hta file, calling it a trojan; I don't know if that means it was deleted or not. I have not used Internet Explorer much since then. I do have an ad blocker and script blocker on Firefox, so I could try going to the same site on Firefox that infected me originally? [Autosport forums; I believe it was one of the advertisements on their site.]


It was just one redirect, and a file (.hta, I think) was downloaded automatically, and there was also a flash updater in the task list. A fake/trojan update, I think. So the problem was one redirect, and something running in Task Manager disguising itself as a flash updater [trojan, I think, according to ESET].

There is no flash updater in Task Manager. I guess it's hard to say if the problem is gone, because I'm not sure if this trojan was 'light' or 'really bad'. I was reading the trojan description here: can some trojans affect ports and keyloggers, or take control, or send stuff without you knowing, stuff like that?
http://docs.trendmicro.com/all/smb/wfbs-s/v7.0/en-us/wfbs-s_7.0_olh/wfbs/Introducing_WFBS/Understanding_Threats.htm

Edited by Skillful, 22 May 2017 - 07:24 AM.
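The mechanics described in the post above (one redirect, an .hta file downloaded without a click, and a process posing as a Flash updater) are the drive-by HTA dropper pattern: mshta.exe executes the script, and a dropper that intends to survive a reboot typically registers a Run key or a scheduled task that launches mshta.exe or a script host again. The PowerShell below is an added triage example for the affected machine; it is not from this thread, from ESET, from zoek or from any other tool mentioned here. It assumes an elevated PowerShell session on Windows 8.1 or later, a two-week look-back window and the search paths shown, all of which are illustrative choices rather than anything the thread states.

```powershell
# Added example (not from the thread or any tool in it): triage checks for a
# drive-by .hta dropper and a fake "flash updater" process.
# Assumptions: elevated PowerShell on Windows 8.1+, look-back window and paths
# below are illustrative.

$since = (Get-Date).AddDays(-14)   # assumption: look back two weeks

# 1. Recently written .hta files in the places a browser drive-by lands them.
$roots = @(
    "$env:LOCALAPPDATA\Temp",
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files",
    "$env:USERPROFILE\Downloads",
    "$env:SystemRoot\Temp"
)
Get-ChildItem -Path $roots -Filter *.hta -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object FullName -Unique |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 2. Autostart values (Run / RunOnce, both hives) that reference mshta, an .hta
#    file, a script host, or anything living under a user-writable AppData path.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath etc. are provider metadata, not values
        if ("$($p.Value)" -match 'mshta|\.hta|wscript|cscript|AppData') {
            "{0}  {1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

# 3. Scheduled tasks whose action is mshta.exe, an .hta file, or a script host.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'mshta|\.hta|wscript|cscript') {
            "{0}{1}: {2} {3}" -f $_.TaskPath, $_.TaskName, $a.Execute, $a.Arguments
        }
    }
}

# 4. Running processes calling themselves "flash" (or mshta), with image path and
#    Authenticode status. A genuine Adobe updater is signed by Adobe and lives under
#    Program Files or System32\Macromed; an unsigned image under AppData or Temp is suspect.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match 'flash|mshta' } |
    ForEach-Object {
        $path = $_.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $path; Signature = $sig }
    } | Format-Table -AutoSize
```

An empty result from all four checks is consistent with the quarantine having caught the dropper before it persisted, which is the state the ESET and zoek logs in this thread suggest; a hit in step 2 or 3 is the thing to paste into the thread, because that is what would bring the redirect back after a reboot.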


#9 nasdaq (Malware Response Team, 39,543 posts, Gender: Male, Location: Montreal, QC. Canada)

Posted 22 May 2017 - 07:48 AM

A redirect problem is not normally caused by a trojan.

If you did have a Trojan and it was not identified and removed, the problem will return.

Run this Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log

Test the system with all your browsers and let me know if you have any issues.

#10 Skillful (Topic Starter, Members, 92 posts)

Posted 22 May 2017 - 08:21 AM

Ran Sophos, no threats were found. When I ran Zoek the other day, I got "das21 has stopped responding". Is that part of the Zoek tool?

#11 nasdaq (Malware Response Team, 39,543 posts, Gender: Male, Location: Montreal, QC. Canada)

Posted 22 May 2017 - 11:57 AM

I do not know, but I do not think so.

Can you relate to this?

http://www.freefixer.com/library/file/DaS_21.exe-169694/

#12 Skillful (Topic Starter, Members, 92 posts)

Posted 23 May 2017 - 06:31 AM

I searched for 'das_21' on the C drive and could not find it; the only thing I could find was the two crash reports about it in c:\programdata\microsoft\windows\wer\reportarchive.
Tried again, this time 'das_21.exe', and there were only the two crash reports. Maybe it is part of the zoek program when it loads; I don't know.

I found this; it has similar reports when using zoek:

3rd post
https://forum.avast.com/index.php?topic=172445.0

9th post
https://forums.malwarebytes.com/topic/171952-malwarebytes-not-detecting-possible-trojan/

Edited by Skillful, 23 May 2017 - 06:35 AM.


#13 Skillful (Topic Starter, Members, 92 posts)

Posted 23 May 2017 - 06:35 AM

Also found this post; the guy had the same problem but later on did not get the error with das_21?
https://www.bleepingcomputer.com/forums/t/594570/possible-virus-or-malware-affecting-my-network-access/page-2

Edited by Skillful, 23 May 2017 - 06:35 AM.


#14 nasdaq (Malware Response Team, 39,543 posts, Gender: Male, Location: Montreal, QC. Canada)

Posted 23 May 2017 - 07:44 AM

Run the Zoek tool again. See post no. 3.

Make sure that your security software is disabled, that you run the tool in an Administrator profile, and that the Internet is ON.

#15 Skillful (Topic Starter, Members, 92 posts)

Posted 23 May 2017 - 07:59 AM

Zoek says internet off, despite it being on? I don't have any security software running at the moment. Does the firewall need to be off too? I left that on. How can I tell if I am in an Administrator profile? Is that the same as right-click and 'Run as administrator'?
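The three questions in the post above can be checked directly rather than guessed. Being in the local Administrators group is a property of the account; "Run as administrator" decides whether one particular process gets the full administrator token instead of the UAC-filtered one, and a tool launched from an elevated console inherits that full token. The Windows Firewall default policy allows outbound connections, so it does not normally need to be turned off for a tool's internet check. The PowerShell below is an added example that is not from this thread or from zoek; the probe host is an assumption, and the SID-based group test is used because Get-LocalGroupMember does not exist on Windows 8.1.

```powershell
# Added example (not from the thread or from zoek): is this account an
# administrator, is this console elevated, and can the machine reach the internet.
# Run it in the console you intend to launch the tool from.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# Elevated: this process holds the full administrator token. With UAC on, an
# admin account whose console was not started via "Run as administrator" runs
# with a filtered token, so this is $false even though the account is an admin.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Membership of the account itself, independent of elevation. whoami lists the
# Administrators group (well-known SID S-1-5-32-544) even when the filtered token
# carries it as "used for deny only", so this reflects the account, not the console.
$groupLines = whoami /groups
$isMember   = [bool]($groupLines -match 'S-1-5-32-544')

# Connectivity: name resolution plus a TCP connect on 443, roughly what a tool
# does before reporting "No Internet Access". Test-NetConnection exists on
# Windows 8.1 and later. The probe host is an assumption; any HTTPS host works.
$probe  = 'www.microsoft.com'
$online = Test-NetConnection -ComputerName $probe -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

[pscustomobject]@{
    User                   = $identity.Name
    MemberOfAdministrators = $isMember
    ProcessIsElevated      = $elevated
    InternetReachable      = $online
}

if ($isMember -and -not $elevated) {
    Write-Warning 'Admin account, but this console is not elevated: close it and start it with "Run as administrator" before running the tool.'
}
if (-not $isMember) {
    Write-Warning 'This account is not in the local Administrators group; log on to an administrator account instead.'
}
```

If InternetReachable is $true here while the tool still reports no internet access, the tool's own probe (which may use a different host or plain HTTP) is what is failing, and that is worth mentioning in the reply rather than disabling the firewall.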



