
Program typing without my consent (unknown origin)


  • This topic is locked
9 replies to this topic

#1 torsvped (Members, 9 posts)

Posted 29 June 2017 - 02:17 PM

Hello, I was redirected to post here from this thread after some scans. I scanned using MiniToolBox, AdwCleaner, Junkware Removal Tool and ESET. Their logs are on the previous thread, as well as the details on various files they removed and restored.

 

Essentially a program is typing without my consent in any program I have open. This is the only symptom I have noticed. The text that is typed is "EXCUSEME EXUSEME" "IM U". I have no way to check its presence apart from this and it takes hours to occur o: It can happen in a browser, inside of a game, and inside a Word document. Anywhere my keyboard is. My mouse is under my control however and it only writes in spaces available to type or which require an Enter key to type in (for instance, it requires an Enter key to bring up the chat inside the game).

 

Before posting on the site, I had performed a DBAN wipe on my hard drive, but the problem persisted. OS reinstallation (Windows 8.1) was done through disk. The issue initially occurred on Windows 10.

 

 

 

 

Farbar .txt files

 

FRST.txt

addition.txt

 

 

Attached Files


Edited by torsvped, 29 June 2017 - 02:30 PM.



#2 nasdaq (Malware Response Team, 39,877 posts, Montreal, QC, Canada)

Posted 30 June 2017 - 09:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-243237723-1963058242-3342647689-1001\Software\Microsoft\Internet Explorer\Main,Start Page =
CHR Extension: (Chrome Web Store Payments) - C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-06-26]
CHR Extension: (Chrome Media Router) - C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-26]

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Let me know if the problem persists.

#3 torsvped (Topic Starter, Members, 9 posts)

Posted 05 July 2017 - 06:07 PM

Sorry for the time away. My son has been using the computer while I was away and said it's still happening. I asked him not to download anything new but he has anyway...

 

Fixit.txt log before I left:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2017
Ran by Aris (30-06-2017 20:02:55) Run:1
Running from C:\Users\Aris\Desktop
Loaded Profiles: Aris (Available Profiles: Aris)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-21-243237723-1963058242-3342647689-1001\Software\Microsoft\Internet Explorer\Main,Start Page =
CHR Extension: (Chrome Web Store Payments) - C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-06-26]
CHR Extension: (Chrome Media Router) - C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-26]
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-243237723-1963058242-3342647689-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= IPCONFIG /release =========
 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection* 2 while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.
 
Wireless LAN adapter Local Area Connection* 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter WiFi:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::e912:1d3c:cf48:b150%3
   Default Gateway . . . . . . . . . : 
 
Tunnel adapter isatap.home:
 
   Media State . . . . . . . . . . . : Media unoperational
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1c93:c27:3f57:fe9d
   Link-local IPv6 Address . . . . . : fe80::1c93:c27:3f57:fe9d%7
   Default Gateway . . . . . . . . . : ::
 
========= End of CMD: =========
 
 
========= IPCONFIG /renew =========
 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection* 2 while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.
 
Wireless LAN adapter Local Area Connection* 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter WiFi:
 
   Connection-specific DNS Suffix  . : home
   Link-local IPv6 Address . . . . . : fe80::e912:1d3c:cf48:b150%3
   IPv4 Address. . . . . . . . . . . : 192.168.1.98
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
 
Tunnel adapter isatap.home:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : home
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1c93:c27:3f57:fe9d
   Link-local IPv6 Address . . . . . : fe80::1c93:c27:3f57:fe9d%7
   Default Gateway . . . . . . . . . : ::
 
========= End of CMD: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset c:\resetlog.txt =========
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv4 reset =========
 
Resetting , failed.
Access is denied.
 
There's no user specified settings to be reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv6 reset =========
 
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5360107 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 5871860 B
Edge => 0 B
Chrome => 726883868 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 245879 B
systemprofile32 => 128 B
LocalService => 130278 B
NetworkService => 1644 B
Aris => 149085392 B
 
RecycleBin => 0 B
EmptyTemp: => 854.5 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 20:03:11 ====
 
 
I can run new ones if needed. Sorry for the unnecessary complication. Couldn't avoid being away from home.


#4 nasdaq (Malware Response Team, 39,877 posts, Montreal, QC, Canada)

Posted 06 July 2017 - 07:25 AM

Hi,

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click and choose Run as Admin.
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#5 torsvped (Topic Starter, Members, 9 posts)

Posted 09 July 2017 - 08:56 AM

My son pointed out to me today it seemed to type /s before the rest, which is a thing you type in Guild Wars 2 to access a certain type of chat. No idea if this indicates its relation to the issue.

 

rkill.exe worked fine;

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/09/2017 02:23:30 PM in x64 mode.
Windows Version: Windows 8.1 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * Cannot edit the HOSTS file.
 * Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/
 
Program finished at: 07/09/2017 02:23:39 PM
Execution time: 0 hours(s), 0 minute(s), and 9 seconds(s)
 
 
 
 
 
RogueKiller
(detected nothing)
 
 
RogueKiller V12.11.5.0 (x64) [Jul  3 2017] (Free) by Adlice Software
 
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Aris [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 07/09/2017 14:39:28 (Duration : 00:07:10)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 120GB +++++
--- User ---
[MBR] 6fb270a2c4af1ee40369d4d19fcbe77a
[BSP] 1af7d5c5ddf015a1d7be9b809fd1c3d7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 114121 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: ST1000DM003-1ER162 +++++
--- User ---
[MBR] 42f4bc091b4e64d118dbfa6deb9669ee
[BSP] ead1311bb4009435be14faa7ea6491d8 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x6) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
User = LL1 ... OK
User = LL2 ... OK
 


#6 nasdaq (Malware Response Team, 39,877 posts, Montreal, QC, Canada)

Posted 09 July 2017 - 10:39 AM

My son pointed out to me today it seemed to type /s before the rest, which is a thing you type in Guild Wars 2 to access a certain type of chat. No idea if this indicates it's relation to the issue.

Can you give me an example where the /s is added?
===

 

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/


Before I suggest you download and run Hosts-perm.bat as suggested in the Rkill log, let's have a look at the contents.

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • List content of Hosts
How is the computer running?

#7 torsvped (Topic Starter, Members, 9 posts)

Posted 09 July 2017 - 11:49 AM

"/s EXCUSEME EXCUSE ME"

"I'M U"

 

The /s means the writing will go into "say" chat, and close-by players will be able to read it. Seems pointless but it does seem to insinuate it's related to the game somehow. And I have reinstalled said game on every startup, so there's a chance it's related there perhaps? I'm happy to test it.

 

Minitoolbox result:

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Aris (administrator) on 09-07-2017 at 17:40:11
Running from "C:\Users\Aris\Desktop"
Microsoft Windows 8.1  (X64)
Model: All Series Manufacturer: ASUS
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================
 
**** End of log ****
 
 
Computer seems to be running fine. CPU usage is normal, everything is still very fast. Only my internet has been prone to some pretty serious lags lately but they don't coincide with the typing and I can't say for sure it's not just the recent broadband provider switch. Genuinely the only symptom I have that is noticeably malicious is that ghost typing. 


#8 nasdaq (Malware Response Team, 39,877 posts, Montreal, QC, Canada)

Posted 09 July 2017 - 12:59 PM


Let's reset the HOSTS file.
It may help with your internet. Not sure.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:

Hosts:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Try this,
Disable JavaScript in Google Chrome
https://www.technipages.com/google-chrome-enable-or-disable-javascript

Restart the computer and see if the problem persists.

===

If your problem is not solved, let's turn off these options.
Navigate to this page.
https://support.microsoft.com/en-us/help/308260/how-to-troubleshoot-script-errors-in-internet-explorer

Do only these fixes.
Method 3: Turn off Smooth Scrolling
Method 4: Turn off hardware acceleration
and possibly Method 5.
Method 5: Install the current version of Microsoft DirectX

===

If the problem persists run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

===

Keep me posted.

#9 torsvped (Topic Starter, Members, 9 posts)

Posted 10 July 2017 - 02:31 PM

fixlist.txt

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 08-07-2017

Ran by Aris (10-07-2017 19:41:37) Run:2
Running from C:\Users\Aris\Desktop
Loaded Profiles: Aris (Available Profiles: Aris)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
 
Hosts:
 
End
*****************
 
Restore point was successfully created.
Could not move "C:\Windows\System32\Drivers\etc\hosts" => Scheduled to move on reboot.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 10-07-2017 19:42:21)
 
"C:\Windows\System32\Drivers\etc\hosts" => Could not move
Could not restore Hosts.
 
==== End of Fixlog 19:42:21 ====
 
 
 
zoek-results.txt
 
 
oek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Aris on 10/07/2017 at 20:14:13.45.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Aris\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
10/07/2017 20:15:11 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Users\Aris\AppData\Local\EmieSiteList deleted successfully
C:\Users\Aris\AppData\Local\EmieUserList deleted successfully
C:\Users\Aris\AppData\Local\ESET deleted successfully
C:\Users\Aris\AppData\Local\PackageStaging deleted successfully
C:\Users\Aris\AppData\Local\VirtualStore deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\Users\Aris\AppData\Roaming\discord deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
"C:\Windows\Installer\10e0a.msi" deleted
 
==== Chromium Look ======================
 
 
Share on Rabbit - Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\dplabnbcafdgpcjmibgkekpaejlfhnkl
Chrome Media Router - Aris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Chromium Fix ======================
 
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_phonefinderuk.com_0.localstorage deleted successfully
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_phonefinderuk.com_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
 
==== Reset Google Chrome ======================
 
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A2D9FD4A59BA03F4C94AF29466B23AD9 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4DF9D2A-AB95-4F30-9CA4-2F49662BA39D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A2D9FD4A59BA03F4C94AF29466B23AD9 deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Aris\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Aris\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Aris\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Aris\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Aris\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=855 folders=45 211748769 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Aris\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Aris\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 10/07/2017 at 20:22:29.40 ======================
 
 
Will get back to you on how the computer is running ^^


#10 nasdaq (Malware Response Team, 39,877 posts, Montreal, QC, Canada)

Posted 11 July 2017 - 06:49 AM


I suggest you download and run the Hosts-perm.bat file.

Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

Restart the computer normally and let me know if the problem persists.
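As an added triage example (not from this thread and not one of the tools used in it), the PowerShell below, run elevated on the affected Windows 8.1 machine, checks the two findings Rkill reported in post #5 (Windows Defender turned off by the DisableAntiSpyware value, and a hosts file that cannot be edited, which FRST also failed to replace in post #9), enumerates keyboard-class devices because the DBAN wipe and reinstall described in post #1 did not stop the typing, lists running executables without a valid Authenticode signature along the lines of Rkill's own "Missing Digital Signatures" check, and provides a Repair-HostsFile function that performs the ownership and ACL fix that Hosts-perm.bat is recommended for in post #10. The registry keys and file paths are the standard Windows locations the logs name; the function names are my own.

```powershell
# Added example, not from the thread or from BleepingComputer's tools.
# Run in an elevated PowerShell (4.0+, as shipped with Windows 8.1).
#Requires -RunAsAdministrator

$defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'           # key Rkill reported
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'  # Group Policy equivalent
$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-DefenderDisableState {
    # DisableAntiSpyware = 1 in either key switches Defender off. Rkill found it in the
    # non-policy key, which is where installers (and malware) typically set it.
    foreach ($key in $defenderKey, $policyKey) {
        $p = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key      = $key
            Present  = [bool]$p
            Disabled = [bool]($p -and $p.DisableAntiSpyware -eq 1)
        }
    }
}

function Get-HostsFileState {
    # Read-only/system/hidden attributes or an ACL without write access for
    # Administrators are the usual reasons Rkill and FRST cannot replace the file.
    $item = Get-Item -Path $hostsPath -Force
    $acl  = Get-Acl -Path $hostsPath
    [pscustomobject]@{
        Path       = $hostsPath
        Attributes = $item.Attributes.ToString()
        Owner      = $acl.Owner
        Access     = ($acl.Access | ForEach-Object {
                         "$($_.IdentityReference):$($_.FileSystemRights):$($_.AccessControlType)"
                     }) -join '; '
        # Live (non-comment) entries; anything other than localhost deserves a look.
        Entries    = @(Get-Content -Path $hostsPath |
                       Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
    }
}

function Get-KeyboardDevices {
    # The disk wipe and reinstall did not stop the typing, so list every keyboard-class
    # device; an extra HID keyboard nobody plugged in is worth removing and re-testing.
    Get-CimInstance -ClassName Win32_Keyboard | Select-Object Name, Description, PNPDeviceID
}

function Get-UnsignedRunningExecutables {
    # Same idea as Rkill's signature check, applied to what is running right now.
    Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_ } |
        Where-Object { $_.Status -ne 'Valid' } | Select-Object Status, Path
}

function Repair-HostsFile {
    # Equivalent of what Hosts-perm.bat is for: take ownership, grant full control,
    # clear blocking attributes, then restore default content. Review
    # Get-HostsFileState output first; the old file is kept as hosts.bak.
    & takeown.exe /F $hostsPath | Out-Null
    # Well-known SIDs (BUILTIN\Administrators, SYSTEM) so this also works on non-English Windows.
    & icacls.exe $hostsPath /grant '*S-1-5-32-544:F' /grant '*S-1-5-18:F' | Out-Null
    & attrib.exe -R -S -H $hostsPath
    Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force
    $defaultHosts = @(
        '# Copyright (c) 1993-2009 Microsoft Corp.'
        '#'
        '# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.'
        '#'
        '#       127.0.0.1       localhost'
        '#       ::1             localhost'
    ) -join "`r`n"
    Set-Content -Path $hostsPath -Value $defaultHosts -Encoding Ascii
    & ipconfig.exe /flushdns | Out-Null
    Get-HostsFileState
}

# Triage run. Call Repair-HostsFile separately once the output has been reviewed.
Get-DefenderDisableState        | Format-Table -AutoSize
Get-HostsFileState              | Format-List
Get-KeyboardDevices             | Format-Table -AutoSize
Get-UnsignedRunningExecutables  | Format-Table -AutoSize
```

Two caveats when reading the output. MiniToolBox in post #7 showed an empty hosts content section, so the file itself is not what is typing; the point of the hosts and Defender checks is that something on the machine (or a tool run on it) has been changing protection settings, and that should be accounted for. Likewise, `Get-UnsignedRunningExecutables` will list some legitimate unsigned binaries, so treat its output as a list to review against the FRST logs rather than as a verdict.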



