Post by choltz on Feb 10, 2014 9:59:10 GMT -8
Attachment Deleted
Here is the file after running your script in OTL. When I started the scan I got an error message that "Windows has experienced a problem and will shut down in 1 minute". The scan continued and automatically restarted Windows. Everything seems to be running ok. I opened Google Chrome and clicked in the search field....and no rzr pop up! So far so good! I'll play around today and see if I get any pop ups, but so far it looks good!
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Feb 10, 2014 13:40:59 GMT -8
That is not the full log only the bottom piece.
Quads
Post by choltz on Feb 10, 2014 17:25:56 GMT -8
Hmmm....not sure what happened. This is the file the program opened after it finished executing the commands you sent. I copied and pasted it to the desktop and attached it to my reply. I just went back into the 'moved' folder and the file is the same. Is there a way I can re-run the custom scan and get the full file?
Post by Quads on Feb 10, 2014 17:49:58 GMT -8
Hopefully the extensions get ripped out; one extension, it has been found, does not allow user accounts to disable it, something about enterprise rights. So I hope to have successfully moved it with brute force.
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Download the attached script; it needs to keep the same file name (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST64 that is on the desktop. When the tool opens, click Yes to the disclaimer (if it still does). Press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt); please post it in your reply (attach or paste).
Quads
Post by choltz on Feb 11, 2014 6:43:10 GMT -8
Attachment Deleted
Here is the Fixlog file from running FRST. When I first opened FRST it updated and put the old version in its own folder. This is the log file from the 'new' updated version....don't think it makes any difference...just info.
Post by Quads on Feb 11, 2014 13:15:01 GMT -8
2014-02-10 10:48 - 2014-02-10 10:48 - 0000000 ____D () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp
2014-02-03 06:48 - 2014-02-10 10:48 - 0000000 ____D () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0
2014-02-03 06:48 - 2014-02-03 06:48 - 0000000 ____D () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\images
2014-02-03 06:48 - 2014-02-03 06:48 - 0000718 _____ () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\ffMediaPlayerV1alpha448chaction.js
2014-02-03 06:48 - 2014-02-03 06:48 - 0000588 _____ () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\icon.ico
2014-02-03 06:48 - 2014-02-03 06:48 - 0000975 _____ () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\manifest.json
2014-02-03 06:48 - 2014-02-03 06:48 - 0007366 _____ () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\images\MediaPlayerV1alpha448_128.png
2014-02-03 06:48 - 2014-02-03 06:48 - 0007366 _____ () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\images\MediaPlayerV1alpha448_16.png
2014-02-03 06:48 - 2014-02-03 06:48 - 0007366 _____ () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\images\MediaPlayerV1alpha448_48.png
2014-02-03 06:48 - 2014-02-03 06:48 - 0008547 _____ () C:\_OTL\MovedFiles\02102014_104822\C_Users\Cheryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\images\MediaPlayerV1alpha448_64.png
Quads
Post by choltz on Feb 12, 2014 7:03:31 GMT -8
Hi, your last post was a text log but no instruction. I do remember the path of this video player (naaaefjdlbejbglenfklnkfdhapdfohp) and I made a couple of attempts to remove it because I had a feeling this was the 'culprit'. (This was one of the things I did trying to find and remove the rzr virus before I joined this forum.) I remember seeing this video player in the 'extensions' list of all 3 browsers; now they are gone. However, there is still one video player extension in the Google Chrome extensions list. I cannot disable this extension and it was installed by "enterprise policy" (not sure what that means). Anyway, I clicked on the "Permissions" link and here is what it says (see attached Word file). I don't know if this has anything to do with the video player path you posted last time, or if this is of no concern....just info.
Attachment Deleted
Post by Quads on Feb 12, 2014 14:37:05 GMT -8
When ticking the box to enable Developer mode (red arrow in the pic below), does the media player extension give an ID? I think what has happened is that I have ripped out the extension files, so you no longer have the web address / popup problem, but the listing is still in Chrome due to the registry key(s). We will find out.
Quads
Post by choltz on Feb 13, 2014 6:01:35 GMT -8
Attachment Deleted
Yes....see attached. This is where I noticed the path before (forgot to send the last attachment in developer mode). Still no pop ups from this virus....nice work!
Post by Quads on Feb 13, 2014 9:14:22 GMT -8
Ok so the files have been moved, so no popups etc. BUT still registry key(s), and it could have the ability to reinstall itself.
Type or copy and paste into the Chrome address bar chrome://policy/ then click on the Show value seen below in the picture. What is the folder location??? Example: C:\Program files\media player shown in the data at the bottom.
Quads
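For anyone following this thread on their own machine, the "installed by enterprise policy" label comes from Chrome's ExtensionInstallForcelist policy, and chrome://policy/ shows the same entries this script reads from the registry. This is an added PowerShell example, not a script from Quads or from the FRST/OTL tools; it assumes the standard policy key paths under HKLM and HKCU, uses the extension ID from the FRST log above as a constructed watchlist, and only reports, it changes nothing.

```powershell
# Added example (not from this thread): list Chrome extensions that are
# force-installed by policy, i.e. the ones Chrome labels "installed by
# enterprise policy" and will not let a user disable. Report only.

# Assumption: standard policy key locations for Chrome on Windows.
$ForcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

# Constructed watchlist: the extension ID seen in the FRST log in this thread.
$KnownBadIds = @('naaaefjdlbejbglenfklnkfdhapdfohp')

function Get-ChromeForcelist {
    foreach ($key in $ForcelistKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Each policy entry is a string value named "1", "2", ... whose data is
        # "<32-char extension id>;<update url the CRX is re-fetched from>".
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -notmatch '^\d+$') { continue }
            $id, $updateUrl = [string]$prop.Value -split ';', 2
            [pscustomobject]@{
                Hive        = $key.Split(':')[0]
                ValueName   = $prop.Name
                ExtensionId = $id
                UpdateUrl   = $updateUrl
                Flagged     = $KnownBadIds -contains $id
            }
        }
    }
}

$entries = @(Get-ChromeForcelist)
if ($entries.Count -eq 0) {
    Write-Host 'No ExtensionInstallForcelist entries found in HKLM or HKCU.'
} else {
    $entries | Format-Table -AutoSize
    $entries | Where-Object Flagged | ForEach-Object {
        Write-Host ('Forced install of watchlisted extension {0} at {1}\{2}' -f `
            $_.ExtensionId, $_.Hive, $_.ValueName)
    }
}
```

An entry whose update URL is not Google's own update service is the one to look at, because that policy value is what lets a removed extension come back after its files are moved.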