Clean PC after fake infection scam
Solved
PlentyCoups
Hello,
I just picked up my father's PC to clean it after he was scammed by one of those companies that make people believe their computer is infected in order to charge them for a cleanup.
Personally, I have little sympathy for those who fall for this kind of thing despite all the warnings to be cautious, but my father is 75 years old and in poor health, so honestly, how can I criticize him? However, if I had those people in front of me...
For now, I have retrieved his PC and haven't turned it on at all before knowing the best procedure to follow.
Below is some partial information that may help you:
This Saturday, January 14, apparently through Facebook, a pop-up window alerts him about the PC being infected by a Trojan. Trying to close it by clicking the corner on the right opens more windows. He calls the number 04 81 68 10 14. Unfortunately, he ends up calling.
A lady tells him that his PC is highly infected and asks him to enter "www.ordi247.fr".
She sends him two files and asks him to click on them. One of them is an .exe file, so probably the software for remote control. She says a technician needs to intervene and it will cost €199. My father pays through an online form, thus providing his credit card number and the three-digit number on the back.
He then speaks with a man, the technician. After a while, the technician tells him not to touch the PC until the black screen disappears and everything is back to normal.
End of call.
Later, my father notices he has a "normal" screen again except for a bar at the top. He turns off the PC and restarts it in the afternoon to use it.
Around 6:30 PM, the "technician" calls him back and asks him to turn on the PC.
My father replies that you don't call people at 6:30 PM on a Saturday. Nonetheless, the same man calls back around 8:00 PM. I don't know exactly what was said except that they agreed the man could call back on Monday, January 16, at 9:30 AM.
In the meantime, on Sunday, January 15, my father, still intrigued, confided this episode to me, and I quickly realized he had been scammed.
I advised him not to answer or to answer and immediately hang up without a word as soon as he understood that it was those people calling again. In short, no contact.
So I took the PC with me, and it remains off until I have instructions on how to clean it.
Thank you in advance, and of course, I will follow up with any requests for scan reports, etc.
9 replies
Re,
I ran Malwarebytes again and it still finds traces. Below is the copied report.
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 01/18/2017
Scan Time: 13:03
Log File: resultat_scan_malwarebytes.txt
Administrator: Yes
-Software Information-
Version: 3.0.5.1299
Component Version: 1.0.43
Update Pack Version: 1.0.1045
License: Free
-System Information-
Operating System: Windows 10
Processor: x64
File System: NTFS
User: PC-PORTABLE\Enderlé
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 446339
Elapsed Time: 4 min, 4 s
-Scan Options-
Memory: Enabled
Startup: Enabled
File System: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristic: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Key: 3
PUP.Optional.InstallCore, HKU\S-1-5-21-2654685568-423182402-509720106-1002\SOFTWARE\csastats, No user action, [8], [260986],1.0.1045
PUP.Optional.APNToolBar.Gen, HKLM\SOFTWARE\WOW6432NODE\AskPartnerNetwork, No user action, [10967], [186877],1.0.1045
PUP.Optional.APNToolBar.Gen, HKU\S-1-5-18\SOFTWARE\AskPartnerNetwork, No user action, [10967], [186876],1.0.1045
Registry Value: 0
(No malicious items detected)
Data Streams: 0
(No malicious items detected)
Folder: 1
PUP.Optional.APNToolBar.Gen, C:\PROGRAMDATA\APN\APN-Stub, No user action, [10967], [175062],1.0.1045
File: 1
PUP.Optional.ASK, C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\AskToolbarInstaller-AVIRA-V7C[1].7z, No user action, [647], [358503],1.0.1045
Physical Sector: 0
(No malicious items detected)
(end)
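To read a report like the one above without going line by line, here is an added example (my own code, not part of this thread and not a Malwarebytes tool) that parses the "-Scan Details-" section into structured detections, checks the per-category counts the report declares against what it actually lists, and tells PUP/PUM entries apart from real malware families. The sample text is the scan-details section copied from the report above; the set of "malware" family prefixes and the reading of "No user action" as "reported but not quarantined" are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# "-Scan Details-" section copied from the Malwarebytes report above (page data,
# not constructed); the summary lines in front show the parser skipping other sections.
SAMPLE_REPORT = r"""
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 446339
-Scan Details-
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Key: 3
PUP.Optional.InstallCore, HKU\S-1-5-21-2654685568-423182402-509720106-1002\SOFTWARE\csastats, No user action, [8], [260986],1.0.1045
PUP.Optional.APNToolBar.Gen, HKLM\SOFTWARE\WOW6432NODE\AskPartnerNetwork, No user action, [10967], [186877],1.0.1045
PUP.Optional.APNToolBar.Gen, HKU\S-1-5-18\SOFTWARE\AskPartnerNetwork, No user action, [10967], [186876],1.0.1045
Registry Value: 0
(No malicious items detected)
Data Streams: 0
(No malicious items detected)
Folder: 1
PUP.Optional.APNToolBar.Gen, C:\PROGRAMDATA\APN\APN-Stub, No user action, [10967], [175062],1.0.1045
File: 1
PUP.Optional.ASK, C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\INETCACHE\IE\AskToolbarInstaller-AVIRA-V7C[1].7z, No user action, [647], [358503],1.0.1045
Physical Sector: 0
(No malicious items detected)
(end)
"""

SECTION_RE = re.compile(r'^-([A-Za-z ]+)-$')          # e.g. "-Scan Details-"
CATEGORY_RE = re.compile(r'^([A-Za-z ]+):\s*(\d+)$')   # e.g. "Registry Key: 3"
# Assumed list of threat-name prefixes that denote real malware rather than PUP/PUM.
MALWARE_FAMILIES = {"Trojan", "Backdoor", "Ransom", "Rootkit", "Spyware", "Worm", "Exploit", "Malware"}


@dataclass
class Detection:
    category: str   # Registry Key, Folder, File, ...
    threat: str     # e.g. PUP.Optional.APNToolBar.Gen
    location: str   # registry path or file path
    action: str     # e.g. "No user action"

    @property
    def family(self):
        # First component of the threat name: PUP, PUM, Trojan, ...
        return self.threat.split(".", 1)[0]


def parse_scan_details(report):
    """Return (declared counts per category, list of Detection) from a report."""
    declared, detections = {}, []
    in_details, category = False, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            in_details = sec.group(1).strip() == "Scan Details"
            continue
        if not in_details:
            continue
        cat = CATEGORY_RE.match(line)
        if cat:
            category = cat.group(1)
            declared[category] = int(cat.group(2))
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        # Detection line: threat, location, action, [id], [id],signature-version
        fields = [f.strip() for f in line.split(", ")]
        if len(fields) < 3 or category is None:
            raise ValueError("unexpected line in scan details: " + line)
        detections.append(Detection(category, fields[0], fields[1], fields[2]))
    return declared, detections


def check_counts(declared, detections):
    """Categories whose declared count differs from the number of lines parsed."""
    found = Counter(d.category for d in detections)
    return {c: (n, found.get(c, 0)) for c, n in declared.items() if found.get(c, 0) != n}


def summarize(detections):
    return {
        "total": len(detections),
        "families": dict(Counter(d.family for d in detections)),
        "malware": sum(1 for d in detections if d.family in MALWARE_FAMILIES),
        "pup_or_pum": sum(1 for d in detections if d.family in ("PUP", "PUM")),
        # "No user action": the item was only reported, nothing was quarantined (assumed reading)
        "unresolved": sum(1 for d in detections if d.action == "No user action"),
    }


if __name__ == "__main__":
    declared, dets = parse_scan_details(SAMPLE_REPORT)
    print("count mismatches:", check_counts(declared, dets))
    print(summarize(dets))
    for d in dets:
        print(f"{d.category:13} {d.threat:30} {d.location}")
```

On this report the summary comes out as five PUP entries, no malware family and five unresolved items, which is what the later replies say in prose: the leftovers are the Ask toolbar, not the remote-support software, and they are still on the disk until something removes them.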
Hello,
This is a message about a telephone support scam aiming to make you believe that your PC is infected to get you to call a support number.
The goal of this support is to convince you that your computer is infected, which will lead you to buy software at high prices, often totaling up to 200 euros.
These messages attempting to block the web browser and indicating that the PC is infected come from ads on illegal streaming/torrent sites.
This can also occur through phone campaigns, where you receive a call from a technician posing as Microsoft.
Your computer is not infected.
Facebook can also send these ads: zeus virus on facebook.
--
Please press any key to continue the disinfection...
Indeed, according to my father, it was while he was on Facebook that the alert window opened. I couldn't find out if he clicked on something specific (advertisement, etc.). However, I am providing above the phone number of the so-called technical support for reference.
I understood that the PC is not infected at the time this fake alert manifests, but in my case, we are already at the next stage. My father has paid, executed at least one exe file that these people sent him, and has indeed noticed that they were intervening remotely on his PC. I think there is definitely some cleaning to do now, and that's why I'm here. Thank you.
I preferred to make sure =)
As for the launched exe, it's probably a legitimate setup program, not malicious.
Have you checked in Control Panel > Programs and Features? Sort the list by installation date.
If you want to check the computer:
Follow the FRST tutorial (take the time to read carefully; everything is well explained).
Download and run the FRST scan; 3 FRST reports will be generated:
- FRST.txt
- Shortcut.txt
- Addition.txt
Send these 3 reports to http://pjjoint.malekal.com/ and reply with the 3 pjjoint links that lead to the reports here in a new response so that we can consult them.
Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.
Open Notepad: Press Windows + R,
In the "Run" field, type notepad and click OK.
Copy/Paste the following into it:
CreateRestorePoint:
CloseProcesses:
2016-12-25 15:08 - 2016-12-25 15:08 - 00000000 ____D C:\Users\Enderlé\AppData\Local\chromium
2016-12-25 15:07 - 2017-01-13 18:31 - 00000000 ____D C:\ProgramData\{DA791F1A-503B-95DC-D6FD-0B9E4CBF8050}
2016-12-25 15:07 - 2016-12-26 15:50 - 00000296 _____ C:\WINDOWS\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C}.job
2016-12-25 15:07 - 2016-12-25 15:07 - 00004468 _____ C:\WINDOWS\System32\Tasks\Yahoo! Powered secad
2016-12-25 15:07 - 2016-12-25 15:07 - 00002836 _____ C:\WINDOWS\System32\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C}
2016-12-25 15:06 - 2016-12-25 15:07 - 00000000 ____D C:\Users\Enderlé\AppData\Local\{4102775E-65AA-1BE6-0832-3E0E2C5AC296}
2017-01-14 12:18 - 2017-01-14 12:41 - 00000649 _____ C:\Users\Enderlé\Desktop\Assistance Technique.url
2017-01-14 12:17 - 2017-01-14 12:17 - 00009241 _____ C:\Users\Enderlé\Desktop\Transaction réussie.html
2017-01-14 12:17 - 2017-01-14 12:17 - 00000000 ____D C:\Users\Enderlé\Desktop\Transaction réussie_files
2017-01-14 12:07 - 2017-01-17 12:18 - 00000000 ____D C:\Program Files (x86)\supportdotcom
2017-01-14 12:07 - 2017-01-14 12:42 - 00000054 _____ C:\END
2017-01-14 12:07 - 2017-01-14 12:41 - 00000000 ____D C:\Users\Enderlé\AppData\Roaming\supportdotcom
2017-01-14 12:07 - 2017-01-14 12:07 - 00000000 ____D C:\Users\Enderlé\AppData\Local\SPRT
2017-01-14 12:05 - 2017-01-14 12:07 - 02949760 _____ C:\Users\Enderlé\Downloads\connect_477378 (1).exe
2017-01-14 12:04 - 2017-01-14 12:05 - 02949760 _____ C:\Users\Enderlé\Downloads\connect_477378.exe
Task: {E4FCA49D-E896-4C43-BE4C-8BA862A3E0E7} - System32\Tasks\Yahoo! Powered secad => Wscript.exe "C:\ProgramData\{DA791F1A-503B-95DC-D6FD-0B9E4CBF8050}\nesi.txt" "687474703a2f2f74646670612e636f6d" "433a5c50726f6772616d446174615c7b44413739314631412d353033422d393544432d443646442d3042394534434246383035307d5c746164616461" "433a5c50726f6772616d446174615c7b44413739314631412d353033422d393544432d443646 (the data element has 78 extra characters).
Task: {B991DBD2-4BAF-4A6C-8241-08B4FAE964CA} - System32\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C} => C:\Users\ENDERL~1\AppData\Local\FUBUDO~1\Sync.exe <==== WARNING
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:
Once the text is pasted into Notepad,
Menu "File" then "Save As",
On the left, navigate to Desktop,
In the field below, file name type: fixlist.txt
Click "Save", this will create fixlist.txt on the Desktop.
Restart FRST and click the "Fix" button
A restart may be required (not mandatory)
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
--
Please press a key to continue the disinfection...
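The two "Task:" lines in the fixlist are the interesting part of that fix: the first one starts Wscript.exe on a .txt file in a GUID-named ProgramData folder and passes it hex-encoded arguments, the second runs an executable out of the user's AppData. Below is an added example (my own code, not from this thread and not part of FRST) that parses such lines, decodes the hex arguments so you can see what the persistence pointed at, and handles the case where FRST truncated an argument (opening quote with no closing one). The input is the two task lines quoted above; the flag names and the heuristics behind them are my own assumptions, not FRST's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The two "Task:" lines from the fixlist above (page data, not constructed). FRST cuts
# very long arguments, which is why the last argument of the first line has no closing quote.
SAMPLE_TASK_LINES = [
    r'Task: {E4FCA49D-E896-4C43-BE4C-8BA862A3E0E7} - System32\Tasks\Yahoo! Powered secad => Wscript.exe '
    r'"C:\ProgramData\{DA791F1A-503B-95DC-D6FD-0B9E4CBF8050}\nesi.txt" "687474703a2f2f74646670612e636f6d" '
    r'"433a5c50726f6772616d446174615c7b44413739314631412d353033422d393544432d443646442d3042394534434246383035307d5c746164616461" '
    r'"433a5c50726f6772616d446174615c7b44413739314631412d353033422d393544432d443646 (the data element has 78 extra characters).',
    r'Task: {B991DBD2-4BAF-4A6C-8241-08B4FAE964CA} - System32\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C} => '
    r'C:\Users\ENDERL~1\AppData\Local\FUBUDO~1\Sync.exe <==== WARNING',
]

TASK_RE = re.compile(r'^Task:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.+?)\s*=>\s*(.*)$')
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
PROGRAMDATA_GUID_RE = re.compile(r'programdata\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}   # assumed list
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta")            # assumed list


@dataclass
class Arg:
    raw: str
    decoded: Optional[str]   # printable ASCII if raw was an even-length hex string, else None
    truncated: bool          # FRST cut the value off: opening quote without a closing one


@dataclass
class TaskLine:
    task_id: str
    task_path: str
    executable: str
    args: List[Arg]
    flags: List[str] = field(default_factory=list)


def decode_hex_arg(raw):
    """Decode an even-length hex string to printable ASCII, or return None."""
    if not HEX_RE.match(raw) or len(raw) % 2:
        return None
    data = bytes.fromhex(raw)
    if not all(32 <= b < 127 for b in data):
        return None
    return data.decode("ascii")


def split_args(argstr):
    """Extract quoted arguments; a final unmatched quote marks an FRST-truncated value."""
    args, pos = [], 0
    while True:
        start = argstr.find('"', pos)
        if start < 0:
            break
        end = argstr.find('"', start + 1)
        if end < 0:
            tail = argstr[start + 1:]
            m = re.match(r'[0-9a-fA-F]+', tail)     # keep only the hex run before FRST's note
            raw = m.group(0) if m else tail.strip()
            args.append(Arg(raw, decode_hex_arg(raw), True))
            break
        raw = argstr[start + 1:end]
        args.append(Arg(raw, decode_hex_arg(raw), False))
        pos = end + 1
    return args


def suspicious_flags(task, frst_warning):
    """Defender-side heuristics (my own assumptions) over a parsed task line."""
    flags = []
    exe_name = task.executable.rsplit("\\", 1)[-1].lower()
    if frst_warning:
        flags.append("frst-warning")
    if GUID_RE.match(task.task_path.rsplit("\\", 1)[-1]):
        flags.append("guid-named-task")
    if "\\appdata\\" in task.executable.lower():
        flags.append("executable-in-user-appdata")
    if exe_name in SCRIPT_HOSTS and task.args and not task.args[0].raw.lower().endswith(SCRIPT_EXTS):
        flags.append("script-host-on-non-script-file")
    if any(a.decoded for a in task.args):
        flags.append("hex-encoded-arguments")
    for a in task.args:
        value = a.decoded or a.raw
        if value.lower().startswith(("http://", "https://")):
            flags.append("hex-encoded-url" if a.decoded else "url-argument")
        if PROGRAMDATA_GUID_RE.search(value):
            flags.append("guid-dir-in-programdata")
    return sorted(set(flags))


def parse_task_line(line):
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    task_id, task_path, command = m.groups()
    frst_warning = "<==== WARNING" in command
    command = command.replace("<==== WARNING", "").strip()
    if command.startswith('"'):                         # quoted executable path
        end = command.find('"', 1)
        end = len(command) if end < 0 else end
        executable, argstr = command[1:end], command[end + 1:]
    else:
        parts = command.split(None, 1)
        executable, argstr = parts[0], (parts[1] if len(parts) > 1 else "")
    task = TaskLine(task_id, task_path, executable, split_args(argstr))
    task.flags = suspicious_flags(task, frst_warning)
    return task


if __name__ == "__main__":
    for line in SAMPLE_TASK_LINES:
        t = parse_task_line(line)
        print(t.task_path, "->", t.executable, t.flags)
        for a in t.args:
            print("   ", "[truncated]" if a.truncated else "           ", a.decoded or a.raw)
```

Decoding shows that the script host was handed a URL and a path inside the same GUID-named ProgramData directory that the fixlist removes, which is why the fix deletes the task, the .job file and that directory together; the truncated third path is reported as such rather than silently mis-decoded.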
Hello,
Below is the copied message:
Farbar Recovery Scan Tool (x64) Correction Results Version: 15-01-2017
Executed by Enderlé (18-01-2017 12:40:22) Run:1
Executed from C:\Users\Enderlé\Desktop
Loaded profiles: Enderlé & (Available profiles: Enderlé)
Boot mode: Normal
==============================================
fixlist content:
CreateRestorePoint:
CloseProcesses:
2016-12-25 15:08 - 2016-12-25 15:08 - 00000000 ____D C:\Users\Enderlé\AppData\Local\chromium
2016-12-25 15:07 - 2017-01-13 18:31 - 00000000 ____D C:\ProgramData\{DA791F1A-503B-95DC-D6FD-0B9E4CBF8050}
2016-12-25 15:07 - 2016-12-26 15:50 - 00000296 _____ C:\WINDOWS\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C}.job
2016-12-25 15:07 - 2016-12-25 15:07 - 00004468 _____ C:\WINDOWS\System32\Tasks\Yahoo! Powered secad
2016-12-25 15:07 - 2016-12-25 15:07 - 00002836 _____ C:\WINDOWS\System32\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C}
2016-12-25 15:06 - 2016-12-25 15:07 - 00000000 ____D C:\Users\Enderlé\AppData\Local\{4102775E-65AA-1BE6-0832-3E0E2C5AC296}
2017-01-14 12:18 - 2017-01-14 12:41 - 00000649 _____ C:\Users\Enderlé\Desktop\Technical Assistance.url
2017-01-14 12:17 - 2017-01-14 12:17 - 00009241 _____ C:\Users\Enderlé\Desktop\Successful Transaction.html
2017-01-14 12:17 - 2017-01-14 12:17 - 00000000 ____D C:\Users\Enderlé\Desktop\Successful Transaction_files
2017-01-14 12:07 - 2017-01-17 12:18 - 00000000 ____D C:\Program Files (x86)\supportdotcom
2017-01-14 12:07 - 2017-01-14 12:42 - 00000054 _____ C:\END
2017-01-14 12:07 - 2017-01-14 12:41 - 00000000 ____D C:\Users\Enderlé\AppData\Roaming\supportdotcom
2017-01-14 12:07 - 2017-01-14 12:07 - 00000000 ____D C:\Users\Enderlé\AppData\Local\SPRT
2017-01-14 12:05 - 2017-01-14 12:07 - 02949760 _____ C:\Users\Enderlé\Downloads\connect_477378 (1).exe
2017-01-14 12:04 - 2017-01-14 12:05 - 02949760 _____ C:\Users\Enderlé\Downloads\connect_477378.exe
Task: {E4FCA49D-E896-4C43-BE4C-8BA862A3E0E7} - System32\Tasks\Yahoo! Powered secad => Wscript.exe "C:\ProgramData\{DA791F1A-503B-95DC-D6FD-0B9E4CBF8050}\nesi.txt" "687474703a2f2f74646670612e636f6d" "433a5c50726f6772616d446174615c7b44413739314631412d353033422d393544432d443646442d3042394534434246383035307d5c746164616461" "433a5c50726f6772616d446174615c7b44413739314631412d353033422d393544432d443646 (the data element has 78 characters extra).
Task: {B991DBD2-4BAF-4A6C-8241-08B4FAE964CA} - System32\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C} => C:\Users\ENDERL~1\AppData\Local\FUBUDO~1\Sync.exe <==== WARNING
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:
The Restore Point was created successfully.
Processes closed successfully.
C:\Users\Enderlé\AppData\Local\chromium => moved successfully
C:\ProgramData\{DA791F1A-503B-95DC-D6FD-0B9E4CBF8050} => moved successfully
C:\WINDOWS\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C}.job => moved successfully
C:\WINDOWS\System32\Tasks\Yahoo! Powered secad => moved successfully
C:\WINDOWS\System32\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C} => moved successfully
C:\Users\Enderlé\AppData\Local\{4102775E-65AA-1BE6-0832-3E0E2C5AC296} => moved successfully
C:\Users\Enderlé\Desktop\Technical Assistance.url => moved successfully
C:\Users\Enderlé\Desktop\Successful Transaction.html => moved successfully
C:\Users\Enderlé\Desktop\Successful Transaction_files => moved successfully
C:\Program Files (x86)\supportdotcom => moved successfully
C:\END => moved successfully
C:\Users\Enderlé\AppData\Roaming\supportdotcom => moved successfully
C:\Users\Enderlé\AppData\Local\SPRT => moved successfully
C:\Users\Enderlé\Downloads\connect_477378 (1).exe => moved successfully
C:\Users\Enderlé\Downloads\connect_477378.exe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E4FCA49D-E896-4C43-BE4C-8BA862A3E0E7} => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4FCA49D-E896-4C43-BE4C-8BA862A3E0E7} => key deleted successfully
C:\WINDOWS\System32\Tasks\Yahoo! Powered secad => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Yahoo! Powered secad => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B991DBD2-4BAF-4A6C-8241-08B4FAE964CA} => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B991DBD2-4BAF-4A6C-8241-08B4FAE964CA} => key deleted successfully
C:\WINDOWS\System32\Tasks\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C} => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{44811B53-CE81-4676-2AD9-4BAB0D99DC5C} => key deleted successfully
Unable to move "C:\Windows\System32\Drivers\etc\hosts" => Scheduled for moving on restart.
========= RemoveProxy: =========
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01172017141336283\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01172017141336283\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01172017141340898\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01172017141340898\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01172017213806390\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
HKU\S-1-5-21-2654685568-423182402-509720106-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-01172017213806390\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
========= End of RemoveProxy: =========
=========== EmptyTemp: ==========
BITS transfer queue => 299093 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 65953388 B
Java, Flash, Steam htmlcache => 697 B
Windows/system/drivers => 26713014 B
Edge => 6749640 B
Chrome => 458525599 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 8605368 B
NetworkService => 2282 B
UpdatusUser => 0 B
Enderlé => 741145759 B
RecycleBin => 2581931804 B
EmptyTemp: => 3.6 GB of temporary data deleted.
================================
Results of planned file moves (Boot mode: Normal) (Date&Time: 18-01-2017 12:44:50)
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
End of Fixlog 12:44:50
It was no longer related to the initial problem, but the few lines in the Malwarebytes report were about the ASK search bar.
Better get rid of it on the PC. I ran a scan and then cleaned up with ZHPCleaner.
I think everything is back to normal.
I must sincerely thank you for your valuable help.
I can return the PC to my father.
Ask is easy to remove; it's an extension that you install on web browsers.
A reset is enough.
Okay if everything is back to normal.
A few tips:
To avoid being caught again.
To read - Potentially Unwanted Programs / PUPs: Adware/PUPs file: unwanted and parasitic programs
(Especially enable PUP/LPI detections to catch parasitic and adware programs)
--
Please press a key to continue the disinfection...