How safe is running Zoek 5.0.0.0

marysilver

A few months ago I used Zoek 5.0.0.0 to get rid of a virus taking over the computer. It worked but ever since the computer hasn't been the same. Here is a list of problems

1) I primarily use firefox. Internet Explorer opened by itself which was only visible in the Windows task manager. I could view the websites that it was going to on its own...they were mostly stores like walmart.com. So I blocked Internet Explorer from going through my firewall. Ended that...

2) Right now the computer has problems with highlighting.... when left clicking on the mouse and scrolling over a paragraph. It is very difficult for it to stay highlighted so I can copy and paste.

3) Just scrolling with the mouse it will pause on me once in a while and I'm unable to move the cursor until I hear a sound from the computer that sounds like "uhht ahh". Sometimes it will "uhht ahh" 5 times in a row with the computer frozen.

4) Trying to move folders from one part of the computer to another is very difficult now too. When trying to drag and drop into another folder, before I get to the location to drop the file, the file isn't dragging any longer and I have to do it multiple times before it works.

5) The mouse is shaky and doesn't feel normal.

6) Quite often when restarting the computer says it "highly recommends" to do a scan to fix corrupted files etc.

7) Firefox memory seems very high even when I'm not active on it....like 500,000 to 1,400,000 k

8) One day I found out that all these programs I never heard of had permission to get through my firewall.

9) Under windows task manager there are a ton of services and I'm not sure what they do


So I'm wondering if I can run Zoek again without it deleting any files I don't want deleted. How safe is it to use Zoek as a spyware scan? I already have malwarebytes, superanti-spyware and Microsoft security essentials which I've run and no problems or viruses show up.

I ran Zoek a month ago but didn't know what I was doing and it showed that it was deleting all these files so I unplugged the computer to stop it because I couldn't stop Zoek any other way. Now I'm afraid of using Zoek because I'm worried it might delete things that I want saved. But the computer problems have been getting worse every month for the past 5 months so that's why I'm here.

Thank you
 

My Computer

At a glance

Windows 7 Ultimate x64
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell
OS
Windows 7 Ultimate x64
Antivirus
Malwarebytes
marysilver,

Zoek.exe by Smeenk is a comprehensive command-line tool that executes instructions through various commands and scripts to scan, identify, and remove malware.

If Zoek is used without having knowledge of the purpose of its commands and scripts, the order in which to use them, etc., files may be deleted and unexpected results may occur. It is best to use Zoek under the guidance of a malware removal advisor familiar with the program.

Zoek is not an Antivirus program, like Microsoft Security Essentials, and it is not an Anti-Malware program such as Malwarebytes or SuperAntiSpyware.

If a virus was taking over the computer, it appears it is either still there, or, the virus may have caused some irreparable damage to the system. IMO, Zoek is not the tool of choice for these issues.
 

My Computer

At a glance

Windows 7 Home Premium
Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!

To find out if the virus is still in your system, see if you can do the following...

Please use the Farbar Recovery Scan Tool.
Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system: 64 bit

Save it to your Desktop.
Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.
Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.

The first time the tool is run, it also creates another log: Addition.txt
Also post the Addition.txt in your reply.


marysilver,

My apology for the delay. I'm only here evenings...

FRST is: Running from C:\Users\13\Downloads
Please have the FRST program on the Desktop, as in the previous instructions!!

Next, please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below to Notepad. (Do not copy the word Code:, at the top!)
Save it to the Desktop, and name it: fixlist.txt

Code:
start
CloseProcesses:
HKLM-x32\...\Run: [Salus] => C:\Program Files (x86)\f552dd4c52e3\b786bdb3c67d.exe
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [SSync] => C:\Users\13\AppData\Roaming\SSync\SSync.exe [36864 2013-04-09] ()
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Sixth] => C:\Users\13\AppData\Roaming\Sixth\Sixth.exe [74470 2014-11-24] ()
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Seventh] => "C:\Users\13\AppData\Roaming\Seventh\Seventh.exe"
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [SCheck] => C:\Users\13\AppData\Roaming\SCheck\SCheck.exe [37376 2013-12-09] ()
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Snoozer] => C:\Users\13\AppData\Roaming\Snz\Snz.exe [1626622 2014-11-30] ()
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Intermediate] => C:\Users\13\AppData\Roaming\Intermediate\Intermediate.exe [37376 2013-12-09] ()
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [bfsvc.exe] => C:\Users\13\AppData\Roaming\13-PC\bfsvc.exe
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Run: [Windows] => "C:\ProgramData\Windows\ntibcpsaq.exe"
C:\Program Files (x86)\f552dd4c52e3\b786bdb3c67d.exe
HKLM\...\Policies\Explorer: [NoControlPanel] 0
C:\Users\13\AppData\Roaming\SSync\SSync.exe [36864 2013-04-09] ()
C:\Users\13\AppData\Roaming\Sixth\Sixth.exe [74470 2014-11-24] ()
C:\Users\13\AppData\Roaming\SCheck\SCheck.exe [37376 2013-12-09] ()
C:\Users\13\AppData\Roaming\Snz\Snz.exe [1626622 2014-11-30] ()
C:\Users\13\AppData\Roaming\Intermediate\Intermediate.exe [37376 2013-12-09] ()
C:\Users\13\AppData\Roaming\13-PC\bfsvc.exe
C:\ProgramData\Windows\ntibcpsaq.exe
HKU\S-1-5-21-343010218-970677843-29762225-1001\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x00000000
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-343010218-970677843-29762225-1001 -> {D9526E5B-4BBD-4D39-8B6A-9F48266482FE} URL = 
Toolbar: HKU\S-1-5-21-343010218-970677843-29762225-1001 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
C:\Users\13\AppData\Local\Temp\_is308B.exe
C:\Users\13\AppData\Local\Temp\_is3FD7.exe
C:\Users\13\AppData\Local\Temp\_is6080.exe
C:\Users\13\AppData\Local\Temp\_is62B2.exe
C:\Users\13\AppData\Local\Temp\_is7026.exe
C:\Users\13\AppData\Local\Temp\_is833A.exe
C:\Users\13\AppData\Local\Temp\_is9333.exe
C:\Users\13\AppData\Local\Temp\_isB03D.exe
C:\Users\13\AppData\Local\Temp\_isB6E6.exe
C:\Users\13\AppData\Local\Temp\_isB966.exe
C:\Users\13\AppData\Local\Temp\_isC881.exe
C:\Users\13\AppData\Local\Temp\_isCED.exe
C:\Users\13\AppData\Local\Temp\_isE447.exe
C:\Users\13\AppData\Local\Temp\_isEBC7.exe
C:\Users\13\AppData\Local\Temp\_isFE74.exe
Catalina Savings Printer (HKLM-x32\...\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}) (Version: 1.0.0 - Catalina Marketing Corp) 
DealBulldog Toolbar Toolbar (HKLM-x32\...\DealBulldog Toolbar Toolbar) (Version: - ) 
Salus (HKLM-x32\...\Salus) (Version: 1.0.14.28 - Salus) 
YTD Video Downloader 4.8.9 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.8.9 - GreenTree Applications SRL) 
CustomCLSID: HKU\S-1-5-21-343010218-970677843-29762225-1001_Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InprocServer32 -> C:\Users\13\AppData\Roaming\itesing\procol.dll () 
Task: {5424C983-F629-417A-A73E-E1154B4849EB} - \Windows Update Check - 0x6C49084E No Task File
Task: {A3347A7D-829C-4A26-AE56-7AC2B2FEBEE6} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro 3.11\OptProLauncher.exe 
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879
AlternateDataStreams: C:\ProgramData\TEMP:6387AA6C
AlternateDataStreams: C:\ProgramData\TEMP:85AA7074
Emptytemp:
CMD: ipconfig /flushdns
reboot:
end

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST or FRST64, and press the Fix button, just once, and wait.
If for some reason the tool needs a restart, please let the system restart normally. After that let the tool complete its run.
When done, the tool creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.


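The fixlist above is FRST's own removal script, written for this one machine. As an added example that is not from the thread, from FRST or from Zoek, the following PowerShell script does the read-only part of the same work: it walks the Run/RunOnce keys the fixlist touched, flags entries whose program sits under AppData or ProgramData, is missing, or is unsigned, and reports the two Explorer policy values the fixlist reset. It deletes and changes nothing, which was the concern in the original question. It assumes Windows 7-era PowerShell (2.0 or later) run elevated from the affected user's account, so that HKCU: corresponds to the HKU\S-1-5-21-... hive in the log; the folder list, the flags and the function names are my choices.

```powershell
# Added example, not part of the thread and not FRST or Zoek code.
# Read-only audit of the autostart locations the fixlist touched. Nothing is deleted.
# Assumptions: Windows 7-era PowerShell 2.0+, run elevated from the affected user's
# account (HKCU: is that user's HKU\S-1-5-21-... hive).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',      # FRST's "HKLM-x32"
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a normal installer rarely uses for an autostart binary, but where every
# Run entry in the fixlist (SSync, Sixth, Snz, Intermediate, ntibcpsaq.exe) lived.
# Heuristic only: a hit means "look closer", not "malicious".
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) |
    ForEach-Object { [regex]::Escape($_) }
$suspectPattern = '^(' + ($suspectRoots -join '|') + ')'

# Property names Get-ItemProperty adds that are not registry values
$metaNames = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath([string]$command) {
    # Pull the program path out of a Run value such as
    #   "C:\ProgramData\Windows\ntibcpsaq.exe"   or   C:\Program Files (x86)\x\y.exe /silent
    $cmd = $command.Trim()
    if ($cmd -eq '') { return '' }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path that may contain spaces: grow it one token at a time until it
    # names an existing file; fall back to the first token if nothing matches.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutorunFindings {
    $findings = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaNames -contains $p.Name) { continue }
            $exe = Get-ExePath ([string]$p.Value)
            $flags = @()
            if ($exe -eq '') {
                $flags += 'empty value'
            } else {
                if ($exe -match $suspectPattern) { $flags += 'user-writable location' }
                if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                    $flags += 'file missing'   # FRST lists these as "No File"
                } else {
                    $sig = Get-AuthenticodeSignature -FilePath $exe
                    if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
                }
            }
            if ($flags.Count -gt 0) {
                $findings += New-Object PSObject -Property @{
                    Key = $key; Name = $p.Name; Command = [string]$p.Value; Flags = ($flags -join '; ')
                }
            }
        }
    }
    $findings
}

function Get-ExplorerPolicyFindings {
    # The fixlist reset NoControlPanel (HKLM) and NoDriveTypeAutoRun (HKU); report them if present.
    $results = @()
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'NoControlPanel', 'NoDriveTypeAutoRun') {
            $value = $props.$name
            if ($value -ne $null) { $results += "$key\$name = $value" }
        }
    }
    $results
}

Get-AutorunFindings | Format-Table Name, Flags, Command -AutoSize
Get-ExplorerPolicyFindings
```

A flagged entry is a reason to look at it beside the FRST listing, not a verdict: legitimate but unsigned software, and programs that install themselves under AppData, will show up too.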
Thank you cottonball.
 
The problem doesn't seem to have gone away. I just heard the sound and the mouse froze. It might actually be worse.

And I have another problem. On the bottom right of the computer is a flag and I clicked on it. It says:

1 important message

I click on it and it takes me to the system and security action center. There it says Network Access Protection is OFF.

And insert removable media (Important)

The "restore and recovery" seems to be not working either.

Looking around I found an archived message that says:
"Win32/Fareit was found on your computer" from December 2014
 

marysilver,

Can you look in the folder C:\FRST\LOGS\ and see if you can find the previous Fixlog.txt? The one on the Desktop was: Ran by 13 at 2015-03-24 02:59:47 Run:2

The folder C:\FRST\LOGS\ will have all the logs with dates like Fixlog_dd-mm-yyyy_hh-mm-ss.txt


Please download Malwarebytes Anti-Rootkit:
Download > Malwarebytes Anti-Rootkit Download
•Save to your Desktop.
•Double-click the icon to start the tool.
(Warning! Malwarebytes Anti-Rootkit needs to be run from an account with Administrator rights.)
•In the Introduction screen, click: Next
•On the Update Database screen, click Update to download the latest definitions, and then click: Next
•Once the update is complete select Next, and click: Scan
•When the scan is finished, if no malware is found select: Exit
•If malware is detected, check all items and click: Cleanup
•Reboot your computer.

Please open the MBAR folder and provide the content of the following reports in your reply:
mbar-log-{date} (xx-xx-xx).txt
system-log.txt


Also, do you recall what programs, in addition to Zoek.exe, you used to remove the virus taking over the computer a few months ago? If so, please list what the programs were.

Do you recall what program provided the archived message "Win32/Fareit was found on your computer"?


The sound you hear might be a sign of a hardware problem...
 
Thank you!

I'll do the Malwarebytes Anti-Rootkit scan tomorrow when I get a chance.


The 02:59:47 is a "ct" file that when opened just says "2"


Do you recall what program provided the archived message "Win32/Fareit was found on your computer"?

No


Also, do you recall what programs, in addition to Zoek.exe, you used to remove the virus taking over the computer a few months ago? If so, please list what the programs were.

I think I used Malwarebytes too.

One thing I remember is the restore points were deleted. On my old computer I never had a problem because when problems arose, I'd just go back to the previous restore points. This new computer doesn't save restore points when infected with a virus or a PUP for some reason. Even doing the Farbar Recovery Tool deleted the old restore points. If I could just get the restore points to always work no matter what, I wouldn't need help in the future. Just a side rant.

I've gone to websites and Malwarebytes pops up multiple times afterward and says "thiswebsite.com malicious website has been blocked". Do you know where I can go on the computer to delete that problem website's virus if it ever happens again? I looked in the cookies, it wasn't even there.

Thank you for your time
 


It may take a while. I scanned with Malwarebytes Anti-Rootkit two times today. Both times the scanning froze after a couple hours. It usually takes more than 24 hours to scan my computer since it has so many files. Physical memory is eaten up quick on my computer, which doesn't help either.

I'm doing a scan now.

Is it safe showing the Farbar Recovery Scan Tool results on a public forum? Can hackers use that info to get into my computer? Should I go back and delete the old scan results?

Found this: ACA Utilities - All software for you in today's market.Scan and download now for free!!
Is it any good?
 
If MBAR is freezing up, don't use it.

Let's go to something more simple...

Use the Farbar Service Scanner
Download: Downloading Farbar Service Scanner

Let's get a view of all services and dependencies scoped by the tool...
Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center
Windows Update
Windows Defender

Press: Scan

When done, FSS creates a log, FSS.txt, on the Desktop.

Please provide the FSS.txt in your reply. (No personal info there.)


If you wish, remove the FRST.txt and the Addition.txt results from this thread (Posts 5 thru 10).
 

After doing the above (Post #18), please check your current DNS server settings using the DNSCHECK tool from F-Secure:
https://www.ismydnshijacked.com/

Press: Start test

What is the Verdict?
Any DNS hijacking detected?
 

Hi Cottonball,

Thanks. Sorry for the delay.

Farbar Service Scanner Version: 17-01-2015
Ran by 13 (administrator) on 27-03-2015 at 01:16:14
Running from "C:\Users\13\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



MBAR never did complete a scan without freezing...
 

For the DNSCHECK tool it says:

"All is well.
No DNS hijacking detected."


I'm wondering if "Orbit downloader" is part of the problem. I went to open up Orbit the other day and the computer began acting up right away....started to freeze and make that sound maybe like 20 times within 20 seconds.

At one point right clicking on a download and clicking "Save As" disappeared as an option. And I had to download firefox extensions just to be able to download from blogtalk radio. Unless you know how I can get my right click "save as" option back, I'm not willing to delete orbit just yet though.
 

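The FSS log above reports WinDefend set to Demand with DisableAntiSpyware=1, and the DNSCHECK page returned a clean verdict. As an added example that is not from the thread, from Farbar or from F-Secure, this PowerShell script checks the same things locally and read-only: the WinDefend start type and state, the DisableAntiSpyware value under both the product key FSS reported and the Group Policy key, and the DNS servers each adapter is actually using, with a note when a machine sitting behind a private-address gateway points at a public resolver. One caveat the log does not state: on Windows 7 with Microsoft Security Essentials installed, as on this machine, Windows Defender is turned off by design, so those two FSS findings are expected there. It assumes PowerShell 2.0 or later run as Administrator; the function names and the private-LAN heuristic are mine.

```powershell
# Added example, not part of the thread and not Farbar's FSS or F-Secure's DNSCHECK.
# Read-only checks for what those tools reported. Assumptions: Windows 7-era
# PowerShell 2.0+, run as Administrator; the "public resolver" note is a heuristic
# for a machine behind a home router.

function Get-DefenderFindings {
    $findings = @()

    # FSS: "The start type of WinDefend service is set to Demand. The default start type is Auto."
    # WMI reports the "Demand" start type as StartMode 'Manual'.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
    if ($svc -eq $null) {
        $findings += 'WinDefend service is not installed'
    } else {
        if ($svc.StartMode -ne 'Auto') { $findings += "WinDefend start type is $($svc.StartMode), default is Auto" }
        if ($svc.State -ne 'Running') { $findings += "WinDefend is $($svc.State)" }
    }

    # FSS: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender] "DisableAntiSpyware"=DWORD:1
    # The same value under the Policies key (where Group Policy writes it) has the same effect.
    # Note: Microsoft Security Essentials sets this on Windows 7 by design.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key).DisableAntiSpyware
            if ($value -eq 1) { $findings += "$key\DisableAntiSpyware = 1 (Defender disabled by registry value)" }
        }
    }
    $findings
}

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 ranges plus loopback; anything else is an Internet-reachable address
    return (
        ($ip -match '^10\.') -or
        ($ip -match '^192\.168\.') -or
        ($ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.') -or
        ($ip -match '^127\.')
    )
}

function Get-DnsServerFindings {
    # Win32_NetworkAdapterConfiguration works on Windows 7; Get-DnsClientServerAddress needs Windows 8+.
    $results = @()
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
    foreach ($a in $adapters) {
        $servers = @(@($a.DNSServerSearchOrder) | Where-Object { $_ })   # $null when none configured
        $gateway = @($a.DefaultIPGateway) | Select-Object -First 1
        $note = ''
        if ($servers.Count -eq 0) {
            $note = 'no DNS server configured'
        } elseif ($gateway -and (Test-PrivateIPv4 $gateway)) {
            # Behind a home router the resolver is usually the router itself (private address).
            # A public resolver here is fine if you chose it; if unexpected, compare it with the
            # router's own DHCP/DNS settings and with the DNSCHECK verdict.
            $public = @($servers | Where-Object { -not (Test-PrivateIPv4 $_) })
            if ($public.Count -gt 0) { $note = 'public resolver on a private LAN: ' + ($public -join ', ') }
        }
        $results += New-Object PSObject -Property @{
            Adapter    = $a.Description
            DHCP       = $a.DHCPEnabled
            Gateway    = $gateway
            DnsServers = ($servers -join ', ')
            Note       = $note
        }
    }
    $results
}

$defender = @(Get-DefenderFindings)
if ($defender.Count -eq 0) { 'Windows Defender: start type and policy look as expected' } else { $defender }
Get-DnsServerFindings | Format-Table Adapter, DHCP, Gateway, DnsServers, Note -AutoSize
```

The DNS part complements rather than replaces the external DNSCHECK test: the web page sees which resolver your queries actually arrive from, while this script shows what the adapter is configured to use, so a mismatch between the two is itself worth noting.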
Let's see if you have better luck with this program...

TDSSKiller Download

Select the .exe version
  • Double-click on TDSSKiller.exe to run the program.
  • At the Kaspersky TDSSKiller interface, click: Change parameters
  • Check: Detect TDLFS file system
  • Click: OK
  • Now, click Start Scan and allow the scan to run
  • If any threats are found, select: Skip (Do not select: Delete!!)
  • Click: Continue
  • Click: Reboot computer
When done, please provide the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\)
 

marysilver,

On your Save as and perhaps other issues, try the following, using Option 2 to Scan and Repair System files:
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html
If there are files that SFC cannot fix automatically, follow Option 3.


At this point, my personal assessment of your situation is the following:

Whatever virus or malware was taking over the computer, IMO, it caused irreparable damage to the system.
Just the possibility of having Win32.Fareit seriously compromises your computer, and a variant of this trojan steals passwords.


If this computer is a Dell, and has a Dell Recovery Partition, I would consider pursuing the following:
https://neosmart.net/wiki/dell-recovery-partition/

Follow the instructions to: Access the recovery partition in Windows 7
It will reformat the hard drive and restore system software to factory condition.
 

Code:
C:\Program Files\iPod\bin\iPodService.exe
01:11
 