Malware keeps returning after restarting computer

samak37

Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so back up your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts; attachments make my work easier. There is a More reply options button, which gives you an Upload Files option below that you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in your topic being closed and any assistance withdrawn.

You need to run all tools and programs from an Administrator account.


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:

    createsrpoint;autoclean;emptyclsid;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b

  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in Notepad.
  • If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).
Post its content into your next reply.

Here you go. I don't know if it is important but (i) the log-file didn't open automatically and (ii) I selected "10 minutes" in Avast shield control and it took much longer than that. I have also attached the file.

Thanks for all your help.

Zoek.exe v5.0.0.1 Updated 22-December-2015
Tool run by Enot on Thu 24/12/2015 at 18:17:10.75.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Enot\Desktop\zoek.exe [scan all users] [script inserted]

==== System Restore Info ======================

24/12/2015 6:19:26 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~3\Logitech deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\PlotSoft deleted successfully
C:\Users\Cobaka takaya\AppData\Roaming\EncryptStick deleted successfully
C:\Users\Cobaka takaya\AppData\Roaming\Macromedia deleted successfully
C:\Users\Enot\AppData\Roaming\HpUpdate deleted successfully
C:\Users\Enot\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Enot standard\AppData\Roaming\EncryptStick deleted successfully
C:\Users\Cobaka takaya\AppData\Local\EmieSiteList deleted successfully
C:\Users\Cobaka takaya\AppData\Local\EmieUserList deleted successfully
C:\Users\Cobaka takaya\AppData\Local\VirtualStore deleted successfully
C:\Users\Cobaka takaya\AppData\Local\{21F858B3-87B4-48B9-A5C2-CA63134DDF2A} deleted successfully
C:\Users\Cobaka takaya\AppData\Local\{D5CF053C-21C3-4661-BDE4-8A6983947A2F} deleted successfully
C:\Users\Cobaka takaya\AppData\Local\{F8B5D52E-050D-4FE5-8D7E-0AA4ABD4A44A} deleted successfully
C:\Users\Enot\AppData\Local\MigWiz deleted successfully
C:\Users\Enot standard\AppData\Local\EmieSiteList deleted successfully
C:\Users\Enot standard\AppData\Local\EmieUserList deleted successfully
C:\Users\Enot standard\AppData\Local\{37D82C29-5C1E-4311-9D74-48C3E2D60733} deleted successfully
C:\Users\Enot standard\AppData\Local\{6B49A0F8-027D-434F-9DC6-5E34ADB89169} deleted successfully
C:\Users\Enot standard\AppData\Local\{8BC93B6A-C86F-4A0A-8124-286AE4083838} deleted successfully
C:\Users\Enot standard\AppData\Local\{BE68615F-0C1B-42CB-A7E4-24260FFBF477} deleted successfully
C:\Users\Enot standard\AppData\Local\{DEEC859A-7D5E-441F-807F-4B44DFC8C2B5} deleted successfully
C:\Users\Enot standard\AppData\Local\{F1C89D26-9BA9-4B9D-A589-F6441B03E365} deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2975197864-4186856469-2627874181-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} deleted successfully
HKEY_USERS\S-1-5-21-2975197864-4186856469-2627874181-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} deleted successfully
HKEY_USERS\S-1-5-21-2975197864-4186856469-2627874181-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5} deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\{F003DA68-8256-4b37-A6C4-350FA04494DF} deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\ocr@babylon.com deleted successfully

==== Deleting Services ======================


I still have a window which won't close:

Zoek.exe is running now.
Do not start any browser windows, they may get closed automatically.
Please wait! This window will close when finished.
A logfile will open afterwards and can also be found on your systemdrive as zoek-results.log

I cannot restart Zoek.

This time I selected "1 hour" in Avast shield control and it seemed to run OK.

Zoek.exe v5.0.0.1 Updated 22-December-2015
Tool run by Enot on Thu 24/12/2015 at 19:58:28.43.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Enot\Desktop\zoek.exe [scan all users] [script inserted]

==== Older Logs ======================

C:\zoek-results2015-12-24-084133.log    3381 bytes

==== System Restore Info ======================

24/12/2015 8:01:08 PM Zoek.exe System Restore Point Created Successfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\COBAKA~1\AppData\Roaming\Mozilla\Firefox\Profiles\4zpsqgno.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20152412_0641_.backup
prefs_20152412_0815_.backup

ProfilePath: C:\Users\Enot\AppData\Roaming\Mozilla\Firefox\Profiles\68fq0wcu.default

user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("browser.search.param.yahoo-fr", "chr-greentree_ff&ilc=12&type=407453");
user_pref("capability.policy.maonoscript.sites", "addons.mozilla.org adobe.com afx.ms ajax.googleapis.com akamaihd.net aspnetcdn.com australia.gov.au
user_pref("extensions.wrc.SearchRules.yahoo.com.style", ".WRCN {display:none} .sm-hd .WRCN, .sm-links .WRCN, .res h3 > .WRCN {display:inline  url(\"IM
user_pref("extensions.wrc.SearchRules.yahoo.com.url", "^http(s)?\\:\\/\\/((.)+\\.)?search\\.yahoo\\.com\\/(.)*");
---- Lines Search  removed from prefs.js ----
user_pref("extensions.xpiState", "{\"app-profile\":{\"{73a6fe31-595d-460b-a920-fcc0f8843232}\":{\"d\":\"C:\\\\Users\\\\Enot\\\\AppData\\\\Roaming\\\\M
---- Lines ask.com removed from prefs.js ----
user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WR
user_pref("extensions.wrc.SearchRules.ask.com.url", "^http(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
---- FireFox user.js and prefs.js backups ----

prefs_20152412_0641_.backup
prefs_20152412_0815_.backup

ProfilePath: C:\Users\ENOTST~1\AppData\Roaming\Mozilla\Firefox\Profiles\t7rxbfxk.default-1412317766762

user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("capability.policy.maonoscript.sites", "28degreescard.com.au 9jumpin.com.au 9msn.com.au aami.com.au abc.net.au abctv.net.au acpo.police.uk a
---- Lines Search  removed from prefs.js ----
user_pref("extensions.xpiState", "{\"app-profile\":{\"firefox@ghostery.com\":{\"d\":\"C:\\\\Users\\\\Enot standard\\\\AppData\\\\Roaming\\\\Mozilla\\\
---- Lines babylon removed from prefs.js ----
user_pref("extensions.ocr@babylon.com.install-event-fired", true);
---- Lines search.com removed from prefs.js ----
user_pref("noscript.untrusted", "acint.net ad-center.com addthis.com adfox.ru adplxmd.com atdmt.com aus99.com.au blogger.com criteo.com d16s8pqtk4uodx
---- FireFox user.js and prefs.js backups ----

prefs_20152412_0641_.backup
prefs_20152412_0815_.backup

==== Batch Command(s) Run By Tool======================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
C:\Windows\system32\appdata deleted

==== Deleting Files \ Folders ======================

C:\Windows\syswow64\appdata deleted
C:\PROGRA~3\DivX deleted
C:\PROGRA~2\GreenTree Applications deleted
C:\PROGRA~3\YTD Video Downloader deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader deleted
C:\windows\SysNative\Tasks\avastBCLRestartS-1-5-21-2975197864-4186856469-2627874181-1000 deleted
C:\windows\SysNative\Tasks\avastBCLRestartS-1-5-21-2975197864-4186856469-2627874181-1004 deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow\Search Settings deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow\Application Updater deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\GroupPolicy\gpt.ini deleted
C:\Users\COBAKA~1\AppData\Roaming\Mozilla\Firefox\Profiles\4zpsqgno.default\extensions\firefox@ghostery.com.xpi deleted
C:\Users\COBAKA~1\AppData\Roaming\Mozilla\Firefox\Profiles\4zpsqgno.default\.autoreg deleted
C:\Users\COBAKA~1\AppData\Roaming\Mozilla\Firefox\Profiles\4zpsqgno.default\jetpack deleted
C:\Users\Enot\AppData\Roaming\Mozilla\Firefox\Profiles\68fq0wcu.default\jetpack deleted
C:\Users\ENOTST~1\AppData\Roaming\Mozilla\Firefox\Profiles\t7rxbfxk.default-1412317766762\extensions\firefox@ghostery.com.xpi deleted
C:\Users\ENOTST~1\AppData\Roaming\Mozilla\Firefox\Profiles\t7rxbfxk.default-1412317766762\jetpack deleted
C:\Users\Public\Desktop\YTD Video Downloader.lnk deleted
"C:\Users\Enot\AppData\Roaming\Mozilla\Firefox\Profiles\68fq0wcu.default\searchplugins\yahoo.xml" deleted
"C:\Users\Enot\AppData\Roaming\Mozilla\Firefox\Profiles\68fq0wcu.default\searchplugins\yahoo.xml" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Enot\AppData\Roaming\Mozilla\Firefox\Profiles\68fq0wcu.default
user_pref("browser.startup.homepage", "https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1296801505&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1");

ProfilePath: C:\Users\ENOTST~1\AppData\Roaming\Mozilla\Firefox\Profiles\t7rxbfxk.default-1412317766762
user_pref("browser.startup.homepage", "https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=12&ct=1412318051&rver=6.4.6456.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx%3Frru%3Dinbox&lc=1033&id=64855&mkt=en-us&cbcxt=mai");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\Alwil Software\Avast5\SafePrice\FF" [02/12/2015 04:48 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\COBAKA~1\AppData\Roaming\Mozilla\Firefox\Profiles\4zpsqgno.default
- ReminderFox - C:\Users\Cobaka takaya\AppData\Roaming\Mozilla\Firefox\Profiles\4zpsqgno.default\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
- ReminderFox - %ProfilePath%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
- TinEye Reverse Image Search - %ProfilePath%\extensions\tineye@ideeinc.com.xpi
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- BetterPrivacy em:version1.69 em:type2 em:creatorGreg Yardley version 0.2 www.yardley.ca em:descriptionquot - %ProfilePath%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi

ProfilePath: C:\Users\Enot\AppData\Roaming\Mozilla\Firefox\Profiles\68fq0wcu.default
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

ProfilePath: C:\Users\ENOTST~1\AppData\Roaming\Mozilla\Firefox\Profiles\t7rxbfxk.default-1412317766762
- ReminderFox - C:\Users\Enot standard\AppData\Roaming\Mozilla\Firefox\Profiles\t7rxbfxk.default-1412317766762\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
- ReminderFox - %ProfilePath%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
- TinEye Reverse Image Search - %ProfilePath%\extensions\tineye@ideeinc.com.xpi
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- BetterPrivacy em:version1.69 em:type2 em:creatorGreg Yardley version 0.2 www.yardley.ca em:descriptionquot - %ProfilePath%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
- Skype Click to Call - %AppDir%\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Enot\AppData\Roaming\Mozilla\Firefox\Profiles\68fq0wcu.default
5DF56521E8985BFD8F21A3D97A4D4574    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll -    Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
dkinklhnkmkhkhofcnapakaoehijaoih - C:\Program Files (x86)\OnlineHD.TV\onhd11.crx[]
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChromeSp.crx[17/11/2015 02:29 PM]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx[17/11/2015 02:29 PM]
jfmjfhklogoienhpfnppmbcbjfjnkonk - No path found[]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{C9061F70-D3B1-4EC1-A00D-B37D4B7F5B0D}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C9061F70-D3B1-4EC1-A00D-B37D4B7F5B0D}] not found

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\dkinklhnkmkhkhofcnapakaoehijaoih deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Cobaka takaya\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Cobaka takaya\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Enot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Enot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Enot standard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Enot standard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Cobaka takaya\AppData\Local\Mozilla\Firefox\Profiles\4zpsqgno.default\cache2 emptied successfully
C:\Users\Enot\AppData\Local\Mozilla\Firefox\Profiles\68fq0wcu.default\cache2 emptied successfully
C:\Users\Enot standard\AppData\Local\Mozilla\Firefox\Profiles\t7rxbfxk.default-1412317766762\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=146 folders=93 47510096 bytes)

==== Empty Temp Folders ======================

C:\Users\Cobaka takaya\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Enot\AppData\Local\Temp will be emptied at reboot
C:\Users\Enot standard\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Enot\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Cobaka takaya\AppData\Local\Temp\avastBCLTMP" deleted
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp10_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp11_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp12_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp13_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp14_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp15_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp16_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp17_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp18_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp19_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp1_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp20_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp21_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp22_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp23_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp24_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp2_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp3_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp4_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp6_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp7_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp8_1tmp00.zip" not found
"C:\Users\Cobaka takaya\AppData\Local\Temp\Temp9_1tmp00.zip" not found
"C:\Users\Enot standard\AppData\Local\Temp\acrord32_super_sbx" not found
"C:\Users\Enot standard\AppData\Local\Temp\avastBCLTMP" deleted
"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\Low" not deleted

==== EOF on Thu 24/12/2015 at 20:22:19.24 ======================
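The FireFox Fix section of the log above lists NoScript's capability.policy.maonoscript.sites entry under "Lines yahoo removed" and the extensions.xpiState entry under "Lines Search removed", so the match is apparently made against the whole prefs.js line and benign preferences go with it. As an added example that is not part of this thread or of ZOEK, here is a small Python audit that parses user_pref lines and matches rules against the preference name, reports suspicious entries for review instead of deleting anything, and shows which benign prefs a bare substring match would sweep up; the prefs.js fragment is constructed and the rule set is an assumption, not ZOEK's logic.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample prefs.js fragment, modelled on (and shortened from) the lines
# the ZOEK log above reports as removed; it is not copied from the user's machine.
SAMPLE_PREFS = r'''
user_pref("browser.search.param.yahoo-fr", "chr-greentree_ff&ilc=12&type=407453");
user_pref("capability.policy.maonoscript.sites", "addons.mozilla.org adobe.com search.yahoo.com");
user_pref("extensions.wrc.SearchRules.yahoo.com.url", "^http(s)?\\:\\/\\/((.)+\\.)?search\\.yahoo\\.com\\/(.)*");
user_pref("extensions.ocr@babylon.com.install-event-fired", true);
user_pref("browser.startup.homepage", "https://login.live.com/login.srf?wa=wsignin1.0");
user_pref("noscript.untrusted", "acint.net ad-center.com");
user_pref("browser.cache.disk.capacity", 358400);
'''

# One user_pref("name", value); per line. The value is a JS string, bool or integer.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

PrefValue = Union[str, bool, int]


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref(...) lines into a name -> decoded value mapping."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # blank lines, comments, anything that is not a user_pref
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value: PrefValue = re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo JS escaping
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as-is rather than guess
        prefs[name] = value
    return prefs


# Rules are matched against the pref NAME, so a benign pref whose VALUE merely
# mentions a search engine (NoScript's site list) is not swept up.
RULES = [
    (re.compile(r'^browser\.search\.param\.'), "flag",
     "search partner parameter; review the value for a third-party bundler tag"),
    (re.compile(r'^extensions\.wrc\.SearchRules\.'), "flag",
     "extension-injected rules that rewrite search result pages"),
    (re.compile(r'babylon\.com'), "flag", "Babylon toolbar remnant"),
    (re.compile(r'^(browser\.startup\.homepage|browser\.search\.defaultenginename|'
                r'browser\.newtab\.url|keyword\.URL)$'), "review",
     "user-visible start/search setting; confirm the user actually chose this value"),
]


def audit_prefs(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, pref_name, reason) for every pref matching a name rule."""
    findings: List[Tuple[str, str, str]] = []
    for name in parse_prefs(text):
        for pattern, severity, reason in RULES:
            if pattern.search(name):
                findings.append((severity, name, reason))
                break
    return findings


def naive_keyword_hits(text: str, keyword: str) -> List[str]:
    """Prefs a whole-line substring match would catch: the name OR the value
    mentions the keyword, which is how benign prefs get removed as collateral."""
    kw = keyword.lower()
    return [name for name, value in parse_prefs(text).items()
            if kw in name.lower() or kw in str(value).lower()]


if __name__ == "__main__":
    flagged = {name for _, name, _ in audit_prefs(SAMPLE_PREFS)}
    for severity, name, reason in audit_prefs(SAMPLE_PREFS):
        print(f"[{severity}] {name}: {reason}")
    collateral = sorted(set(naive_keyword_hits(SAMPLE_PREFS, "yahoo")) - flagged)
    print("benign prefs a bare 'yahoo' substring match would also remove:", collateral)
```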

Scan with Malwarebytes' Anti-Malware

Please re-run Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and upload it with your next reply.

Uninstall outdated Malwarebytes' Anti-Malware

Please download MBAM-clean and save it to your desktop.

  • Right-click on the mbam-clean.exe icon and select Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.
After that follow my next instructions to download & install the latest MBAM version.

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

Since there are no more problems, we can declare this PC clean.

Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point while deleting the old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.

Security tips - highly recommended reading:

Maintenance tips:

Additional software that I personally use and install on all my clients' devices:
  • Malwarebytes' Anti-Malware (paid version highly recommended) - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to protect against many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent the installation of additional foistware bundled with legitimate installers.
  • Adblock - to surf the web without annoying ads!
  • Qualys BrowserCheck - a cloud service that scans your browsers and plugins to see if they're all up-to-date.

My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation.

Thank you!

Stay safe,

TwinHeadedEagle :)

Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
