How safe is running Zoek 5.0.0.0


  1. Posts : 44
    Windows 7 Ultimate x64
       #1

    How safe is running Zoek 5.0.0.0


    A few months ago I used Zoek 5.0.0.0 to get rid of a virus taking over the computer. It worked, but ever since the computer hasn't been the same. Here is a list of problems:

    1) I primarily use Firefox. Internet Explorer opened by itself, which was only visible in the Windows Task Manager. I could view the websites that it was going to on its own...they were mostly stores like walmart.com. So I blocked Internet Explorer from going through my firewall. Ended that...

    2) Right now the computer has problems with highlighting.... when left clicking on the mouse and scrolling over a paragraph. It is very difficult for it to stay highlighted so I can copy and paste.

    3) Just scrolling with the mouse it will pause on me once in a while and I'm unable to move the cursor until I hear a sound from the computer that sounds like "uhht ahh". Sometimes it will "uhht ahh" 5 times in a row with the computer frozen.

    4) Trying to move folders from one part of the computer to another is very difficult now too. When trying to drag and drop into another folder, before I get to the location to drop the file, the file isn't dragging any longer and I have to do it multiple times before it works.

    5) The mouse is shaky and doesn't feel normal.

    6) Quite often when restarting the computer says it "highly recommends" to do a scan to fix corrupted files etc.

    7) Firefox memory seems very high even when I'm not active on it....like 500,000 to 1,400,000 k

    8) One day I found out that all these programs I never heard of had permission to get through my firewall.

    9) Under windows task manager there are a ton of services which I'm not sure what they do


    So I'm wondering if I can run Zoek again without it deleting any files I don't want deleted. How safe is it to use Zoek as a spyware scan? I already have Malwarebytes, SUPERAntiSpyware and Microsoft Security Essentials, which I've run, and no problems or viruses show up.

    I ran Zoek a month ago but didn't know what I was doing, and it showed that it was deleting all these files, so I unplugged the computer to stop it because I couldn't stop Zoek any other way. Now I'm afraid of using Zoek because I'm worried it might delete things that I want saved. But the computer problems have been getting worse every month for the past 5 months, so that's why I'm here.

    Thank you


  2. Posts : 2,470
    Windows 7 Home Premium
       #2

    marysilver,

    Zoek.exe by Smeenk is a comprehensive command-line tool that executes instructions through various commands and scripts to scan, identify, and remove malware.

    If Zoek is used without having knowledge of the purpose of its commands and scripts, the order in which to use them, etc., files may be deleted and unexpected results may occur. It is best to use Zoek under the guidance of a malware removal advisor familiar with the program.

    Zoek is not an Antivirus program, like Microsoft Security Essentials, and it is not an Anti-Malware program such as Malwarebytes or SuperAntiSpyware.

    If a virus was taking over the computer, it appears it is either still there, or, the virus may have caused some irreparable damage to the system. IMO, Zoek is not the tool of choice for these issues.


  3. Posts : 44
    Windows 7 Ultimate x64
    Thread Starter
       #3

    Thank you cottonball. That was very helpful!

    Do you have any suggestions how to go about fixing the issues I listed?


  4. Posts : 2,470
    Windows 7 Home Premium
       #4

    To find out if the virus is still in your system, see if you can do the following...

    Please use the Farbar Recovery Scan Tool.
    Download: Farbar Recovery Scan Tool Download
    Select the version that applies to your system: 64 bit

    Save it to your Desktop.
    Double-click the downloaded file to run it.
    When the tool opens, click Yes to the disclaimer.
    Press the Scan button.

    When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).
    Please provide the FRST.txt in your reply.

    The first time the tool is run, it also creates another log: Addition.txt
    Also post the Addition.txt in your reply.




  5. Posts : 2,470
    Windows 7 Home Premium
       #5

    marysilver,

    My apology for the delay. I'm only here evenings...

    FRST is: Running from C:\Users\13\Downloads
    Please have the FRST program on the Desktop, as per the previous instructions!!

    Next, please open Notepad (Start > All Programs > Accessories > Notepad)
    Copy the entire contents of the code box below to Notepad. (Do not copy the word Code:, at the top!)
    Save it to the Desktop, and name it: fixlist.txt

    Code:
    start
    CloseProcesses:
    HKLM-x32\...\Run: [Salus] => C:\Program Files (x86)\f552dd4c52e3\b786bdb3c67d.exe
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [SSync] => C:\Users\13\AppData\Roaming\SSync\SSync.exe [36864 2013-04-09] ()
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Sixth] => C:\Users\13\AppData\Roaming\Sixth\Sixth.exe [74470 2014-11-24] ()
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Seventh] => "C:\Users\13\AppData\Roaming\Seventh\Seventh.exe"
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [SCheck] => C:\Users\13\AppData\Roaming\SCheck\SCheck.exe [37376 2013-12-09] ()
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Snoozer] => C:\Users\13\AppData\Roaming\Snz\Snz.exe [1626622 2014-11-30] ()
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Intermediate] => C:\Users\13\AppData\Roaming\Intermediate\Intermediate.exe [37376 2013-12-09] ()
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [bfsvc.exe] => C:\Users\13\AppData\Roaming\13-PC\bfsvc.exe
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Windows] => "C:\ProgramData\Windows\ntibcpsaq.exe"
    C:\Program Files (x86)\f552dd4c52e3\b786bdb3c67d.exe
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    C:\Users\13\AppData\Roaming\SSync\SSync.exe [36864 2013-04-09] ()
    C:\Users\13\AppData\Roaming\Sixth\Sixth.exe [74470 2014-11-24] ()
    C:\Users\13\AppData\Roaming\SCheck\SCheck.exe [37376 2013-12-09] ()
    C:\Users\13\AppData\Roaming\Snz\Snz.exe [1626622 2014-11-30] ()
    C:\Users\13\AppData\Roaming\Intermediate\Intermediate.exe [37376 2013-12-09] ()
    C:\Users\13\AppData\Roaming\13-PC\bfsvc.exe
    C:\ProgramData\Windows\ntibcpsaq.exe
    HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x00000000
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction 
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-21-343010218-970677843-29762225-1001 -> {D9526E5B-4BBD-4D39-8B6A-9F48266482FE} URL = 
    Toolbar: HKU\S-1-5-21-343010218-970677843-29762225-1001 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    C:\Users\13\AppData\Local\Temp\_is308B.exe
    C:\Users\13\AppData\Local\Temp\_is3FD7.exe
    C:\Users\13\AppData\Local\Temp\_is6080.exe
    C:\Users\13\AppData\Local\Temp\_is62B2.exe
    C:\Users\13\AppData\Local\Temp\_is7026.exe
    C:\Users\13\AppData\Local\Temp\_is833A.exe
    C:\Users\13\AppData\Local\Temp\_is9333.exe
    C:\Users\13\AppData\Local\Temp\_isB03D.exe
    C:\Users\13\AppData\Local\Temp\_isB6E6.exe
    C:\Users\13\AppData\Local\Temp\_isB966.exe
    C:\Users\13\AppData\Local\Temp\_isC881.exe
    C:\Users\13\AppData\Local\Temp\_isCED.exe
    C:\Users\13\AppData\Local\Temp\_isE447.exe
    C:\Users\13\AppData\Local\Temp\_isEBC7.exe
    C:\Users\13\AppData\Local\Temp\_isFE74.exe
    Catalina Savings Printer (HKLM-x32\...\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}) (Version: 1.0.0 - Catalina Marketing Corp) 
    DealBulldog Toolbar Toolbar (HKLM-x32\...\DealBulldog Toolbar Toolbar) (Version: - ) 
    Salus (HKLM-x32\...\Salus) (Version: 1.0.14.28 - Salus) 
    YTD Video Downloader 4.8.9 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.8.9 - GreenTree Applications SRL) 
    CustomCLSID: HKU\S-1-5-21-343010218-970677843-29762225-1001_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 -> C:\Users\13\AppData\Roaming\itesing\procol.dll () 
    Task: {5424C983-F629-417A-A73E-E1154B4849EB} - \Windows Update Check - 0x6C49084E No Task File
    Task: {A3347A7D-829C-4A26-AE56-7AC2B2FEBEE6} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro 3.11\OptProLauncher.exe 
    AlternateDataStreams: C:\ProgramData\TEMP:56E2E879
    AlternateDataStreams: C:\ProgramData\TEMP:6387AA6C
    AlternateDataStreams: C:\ProgramData\TEMP:85AA7074
    Emptytemp:
    CMD: ipconfig /flushdns
    reboot:
    end

    NOTICE: This script is written specifically for this computer!!!
    Running this on another computer may cause damage to the Operating System.

    Now, please run FRST or FRST64, and press the Fix button, just once, and wait.
    If for some reason the tool needs a restart, please let the system restart normally. After that let the tool complete its run.
    When done, the tool creates a report on the Desktop called: Fixlog.txt

    Please post the Fixlog.txt in your reply.


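Added example, not part of the original thread and not FRST's own code: a small Python reviewer that groups the lines of a fixlist like the one in post #5 by what they refer to and lists the Run entries whose target sits under AppData, ProgramData or Temp, so the script can be read before Fix is pressed. The categories, the regexes and the "user-writable" heuristic are assumptions of this example; the sample lines are copied from the fixlist above.

```python
import re

# Excerpt of the fixlist posted in #5 (lines copied from the thread).
SAMPLE = r"""start
CloseProcesses:
HKLM-x32\...\Run: [Salus] => C:\Program Files (x86)\f552dd4c52e3\b786bdb3c67d.exe
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [SSync] => C:\Users\13\AppData\Roaming\SSync\SSync.exe [36864 2013-04-09] ()
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Windows] => "C:\ProgramData\Windows\ntibcpsaq.exe"
C:\Users\13\AppData\Local\Temp\_is308B.exe
Task: {5424C983-F629-417A-A73E-E1154B4849EB} - \Windows Update Check - 0x6C49084E No Task File
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879
Emptytemp:
CMD: ipconfig /flushdns
reboot:
end"""

# Assumed line shape: <hive>\...\Run: [<value name>] => <path to .exe>
RUN_RE = re.compile(r'^(HK\w+(?:-x32)?)\\.*\\Run: \[(.+?)\] => "?([A-Za-z]:\\.+?\.exe)', re.I)
# Heuristic: locations a standard user can write to, where autoruns deserve a second look.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)

def classify(line):
    """Return (category, detail) for one fixlist line (heuristic, not FRST's parser)."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return "autorun", {"hive": m.group(1), "name": m.group(2), "target": m.group(3)}
    if re.match(r"^[A-Za-z]:\\", line):
        return "file", {"target": line.split(" [")[0]}
    if line.startswith("Task:"):
        return "task", {"raw": line}
    if line.startswith("AlternateDataStreams:"):
        return "ads", {"raw": line}
    if line.startswith("CMD:"):
        return "command", {"raw": line[4:].strip()}
    if line.lower() in ("start", "end") or re.fullmatch(r"\w+:", line):
        return "directive", {"raw": line}
    return "other", {"raw": line}

def review(fixlist):
    """Group lines by category and name autoruns that launch from user-writable paths."""
    groups, flagged = {}, []
    for line in filter(str.strip, fixlist.splitlines()):
        cat, detail = classify(line)
        groups.setdefault(cat, []).append(detail)
        if cat == "autorun" and USER_WRITABLE.search(detail["target"]):
            flagged.append(detail["name"])
    return groups, flagged

if __name__ == "__main__":
    print(review(SAMPLE))
```

Anything that lands in the `other` group is a line this example does not recognise and is worth asking the helper about before running the fix.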


  6. Posts : 44
    Windows 7 Ultimate x64
    Thread Starter
       #6

    Thank you cottonball.
    Last edited by marysilver; 02 Apr 2015 at 18:48. Reason: deleted info


  7. Posts : 44
    Windows 7 Ultimate x64
    Thread Starter
       #7

    The problem doesn't seem to have gone away. I just heard the sound and the mouse froze. It might actually be worse.

    And I have another problem. On the bottom right of the computer is a flag and I clicked on it. It says:

    1 important message

    I click on it and it takes me to the system and security action center. There it says Network Access Protection is OFF.

    And insert removable media (Important)

    The "restore and recovery" seems to be not working either.

    Looking around I found an archived message that says:
    "Win32/Fareit was found on your computer" from December 2014


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    marysilver,

    Can you look in the folder C:\FRST\LOGS\ and see if you can find the previous Fixlog.txt? The one on the Desktop was: Ran by 13 at 2015-03-24 02:59:47 Run:2

    The folder C:\FRST\LOGS\ will have all the logs with dates like Fixlog_dd-mm-yyyy_hh-mm-ss.txt


    Please download Malwarebytes Anti-Rootkit:
    Download > Malwarebytes Anti-Rootkit Download
    •Save to your Desktop.
    •Double-click the icon to start the tool.
    (Warning! Malwarebytes Anti-Rootkit needs to be run from an account with Administrator rights.)
    •In the Introduction screen, click: Next
    •On the Update Database screen, click Update to download the latest definitions, and then click: Next
    •Once the update is complete select Next, and click: Scan
    •When the scan is finished, if no malware is found select: Exit
    •If malware is detected, check all items and click: Cleanup
    •Reboot your computer.

    Please open the MBAR folder and provide the content of the following reports in your reply:
    mbar-log-{date} (xx-xx-xx).txt
    system-log.txt


    Also, do you recall what programs, in addition to Zoek.exe, you used to remove the virus taking over the computer a few months ago? If so, please list what the programs were.

    Do you recall what program provided the archived message "Win32/Fareit was found on your computer"?


    The sound you hear might be a sign of a hardware problem...
    Last edited by cottonball; 24 Mar 2015 at 15:33.


  9. Posts : 44
    Windows 7 Ultimate x64
    Thread Starter
       #9

    cottonball said:
    marysilver,

    Can you look in the folder C:\FRST\LOGS\ and see if you can find the previous Fixlog.txt? The one on the Desktop was: Ran by 13 at 2015-03-24 02:59:47 Run:2

    The folder C:\FRST\LOGS\ will have all the logs with dates like Fixlog_dd-mm-yyyy_hh-mm-ss.txt


    Please download Malwarebytes Anti-Rootkit:
    Download > Malwarebytes Anti-Rootkit Download
    •Save to your Desktop.
    •Double-click the icon to start the tool.
    (Warning! Malwarebytes Anti-Rootkit needs to be run from an account with Administrator rights.)
    •In the Introduction screen, click: Next
    •On the Update Database screen, click Update to download the latest definitions, and then click: Next
    •Once the update is complete select Next, and click: Scan
    •When the scan is finished, if no malware is found select: Exit
    •If malware is detected, check all items and click: Cleanup
    •Reboot your computer.

    Please open the MBAR folder and provide the content of the following reports in your reply:
    mbar-log-{date} (xx-xx-xx).txt
    system-log.txt


    Also, do you recall what programs, in addition to Zoek.exe, you used to remove the virus taking over the computer a few months ago? If so, please list what the programs were.

    Do you recall what program provided the archived message "Win32/Fareit was found on your computer"?


    The sound you hear might be a sign of a hardware problem...

    Thank you!

    I'll do the Malwarebytes Anti-Rootkit scan tomorrow when I get a chance.


    The 02:59:47 is a "ct" file that when opened just says "2"


    Do you recall what program provided the archived message "Win32/Fareit was found on your computer"?

    No


    Also, do you recall what programs, in addition to Zoek.exe, you used to remove the virus taking over the computer a few months ago? If so, please list what the programs were.

    I think I used Malwarebytes too.

    One thing I remember is the restore points were deleted. On my old computer I never had a problem because when problems arose, I'd just go back to the previous restore points. This new computer doesn't save restore points when infected with a virus or a PUP for some reason. Even doing the Farbar Recovery Tool deleted the old restore points. If I could just get the restore points to always work no matter what, I wouldn't need help in the future. Just a side rant.

    I've gone to websites and Malwarebytes pops up multiple times afterward and says "thiswebsite.com malicious website has been blocked". Do you know where I can go on the computer to delete that problem website's virus if it ever happens again? I looked in the cookies, it wasn't even there.

    Thank you for your time


  10. Posts : 44
    Windows 7 Ultimate x64
    Thread Starter
       #10

    cottonball said:
    marysilver,
    Please download Malwarebytes Anti-Rootkit:
    Download > Malwarebytes Anti-Rootkit Download
    •Save to your Desktop.
    •Double-click the icon to start the tool.
    (Warning! Malwarebytes Anti-Rootkit needs to be run from an account with Administrator rights.)
    •In the Introduction screen, click: Next
    •On the Update Database screen, click Update to download the latest definitions, and then click: Next
    •Once the update is complete select Next, and click: Scan
    •When the scan is finished, if no malware is found select: Exit
    •If malware is detected, check all items and click: Cleanup
    •Reboot your computer.

    Please open the MBAR folder and provide the content of the following reports in your reply:
    mbar-log-{date} (xx-xx-xx).txt
    system-log.txt

    It may take a while. I scanned with Malwarebytes Anti-Rootkit two times today. Both times the scanning froze after a couple of hours. It usually takes more than 24 hours to scan my computer since it has so many files. Physical memory is eaten up quickly on my computer, which doesn't help either.

    I'm doing a scan now.

    Is it safe showing the Farbar Recovery Scan Tool results on a public forum? Can hackers use that info to get into my computer? Should I go back and delete the old scan results?

    Found this: ACA Utilities - All software for you in today's market.Scan and download now for free!!
    Is it any good?
    Last edited by marysilver; 25 Apr 2015 at 23:09.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

All times are GMT -5.