
Thread: Suspected Malware

  1. #11
    Junior Member (Join Date: Nov 2014, Posts: 10)

    Thanks - that adware blocker has been great.

    The logs you asked for are below.

    FSS

    Farbar Service Scanner Version: 21-07-2014
    Ran by Liz (administrator) on 25-11-2014 at 18:29:23
    Running from "C:\Users\Liz\Desktop"
    Microsoft Windows 8.1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuaueng.dll".


    Windows Autoupdate Disabled Policy:
    ============================


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\dhcpcore.dll => File is digitally signed
    C:\Windows\System32\drivers\afd.sys => File is digitally signed
    C:\Windows\System32\drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****

    ESET

    C:\AdwCleaner\Quarantine\C\Program Files\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Liz\AppData\LocalLow\Expat_Shield\ldrtbExpa.dll.vir a variant of Win32/Toolbar.Conduit.P potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Liz\AppData\LocalLow\Expat_Shield\tbExpa.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Liz\AppData\LocalLow\Expat_Shield\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.5.3\bin\PriceGongIE.dll.vir a variant of Win32/PriceGong.A potentially unwanted application
    C:\CCE_Quarantine\{8E4FD266-B92D-4B64-8277-888C0CD70006} a variant of Win32/Keygen.HA potentially unsafe application
    C:\CCE_Quarantine\{F6E6E534-F46A-4F9F-AA04-707492D0630B} Win32/PrcView potentially unsafe application
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe a variant of Win32/Techsnab.C potentially unwanted application
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe a variant of Win32/Techsnab.C potentially unwanted application
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll a variant of Win32/Techsnab.C potentially unwanted application
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll a variant of Win32/Techsnab.C potentially unwanted application
    C:\Program Files (x86)\Jelbrus Secure Web\jswff.exe a variant of Win32/Techsnab.C potentially unwanted application
    C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe a variant of Win32/Techsnab.C potentially unwanted application
    C:\Users\Liz\AppData\Local\Anvisoft\Anvi Slim Toolbar\IEToobar\BHO\{D3C24E2B-C820-4492-9B69-11BF7163F998}\SecureWeb.dll a variant of Win32/Techsnab.C potentially unwanted application
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000098a\CS4 codes.zip BAT/HostsChanger.A potentially unsafe application
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000099b\CS4 codes.zip BAT/HostsChanger.A potentially unsafe application
    C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso a variant of Win32/Keygen.HA potentially unsafe application
    C:\Users\Liz\Downloads\ccsetup416.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

  2. #12
    Junior Member (Join Date: Nov 2014, Posts: 10)

    Sorry, forgot this one.

    Code:
    HitmanPro 3.7.9.232
    www.hitmanpro.com
    
       Computer name . . . . : LIZ_LAPTOP
       Windows . . . . . . . : 6.3.0.9600.X64/8
       User name . . . . . . : Liz_Laptop\Liz
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Trial (23 days left)
    
       Scan date . . . . . . : 2014-11-21 16:56:09
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 9m 30s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 20
    
       Objects scanned . . . : 3,053,191
       Files scanned . . . . : 160,465
       Remnants scanned  . . : 1,189,594 files / 1,703,132 keys
    
    Suspicious files ____________________________________________________________
    
       C:\Users\Liz\Desktop\FRST64.exe
          Size . . . . . . . : 2,117,120 bytes
          Age  . . . . . . . : 3.2 days (2014-11-18 12:30:08)
          Entropy  . . . . . : 7.5
          SHA-256  . . . . . : 7D55B30D8568092310909B5B8E0630C67AB498D4A9ABA88B730301C0E91F39D4
          Needs elevation  . : Yes
          Fuzzy  . . . . . . : 24.0
             Program has no publisher information but prompts the user for permission elevation.
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
          Forensic Cluster
              0.0s C:\Users\Liz\Desktop\FRST64.exe
              0.1s C:\Windows\AppCompat\Programs\Install\INSTALL_ffff_ec5e0e8b-80d8-4daf-bcfb-639778f446aa.xml
              0.1s C:\Windows\AppCompat\Programs\Install\INSTALL_ffff_ec5e0e8b-80d8-4daf-bcfb-639778f446aa.xml
    
       C:\Users\Liz\Desktop\FSS.exe
          Size . . . . . . . : 415,232 bytes
          Age  . . . . . . . : 0.0 days (2014-11-21 16:52:09)
          Entropy  . . . . . : 7.9
          SHA-256  . . . . . : 149759CADFDF8C19A4104C7DB08BA490D33CFBD29785640385239087B79E1FD2
          Needs elevation  . : Yes
          Fuzzy  . . . . . . : 24.0
             Program has no publisher information but prompts the user for permission elevation.
             Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
             Authors name is missing in version info. This is not common to most programs.
             Version control is missing. This file is probably created by an individual. This is not typical for most programs.
             Time indicates that the file appeared recently on this computer.
          Forensic Cluster
              0.0s C:\Users\Liz\Desktop\FSS.exe
    
    
    Cookies _____________________________________________________________________
    
       C:\Users\Liz\AppData\Local\Google\Chrome\User Data\Default\Cookies:clickbank.net
       C:\Users\Liz\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:ad.360yield.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:ad.mlnadvertising.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:ads.mediade.sk
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:ads.p161.net
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:ads.smartstream.tv
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:adtech.de
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:adtechus.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:bs.serving-sys.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:collective-media.net
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:googleadservices.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:media6degrees.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:revsci.net
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:ru4.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:serving-sys.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:smartadserver.com
       C:\Users\Liz\AppData\Roaming\Mozilla\Firefox\Profiles\il3venst.default-1416440981933\cookies.sqlite:track.adform.net

  3. #13
    Security Expert-emeritus Juliet (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Thanks - that adware blocker has been great.



    *****
    Delete cache and other browser data in Chrome
    • Click the Chrome menu on the browser toolbar.
    • Select Tools.
    • Select Clear browsing data.
    • In the dialogue that appears, select the highlighted check-boxes for the types of information that you want to remove.
      • Clear browsing history
      • Clear download history
      • Empty the cache
      • Delete cookies and other site and plug-in data
      • Clear saved passwords
      • Clear saved Autofill form data
      • Clear data from hosted apps
      • Deauthorize content licenses
    • Use the menu at the top to select the amount of data that you want to delete. Select beginning of time to delete everything.
    • Click Clear browsing data.



    *******

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CloseProcesses:
    C:\CCE_Quarantine\{8E4FD266-B92D-4B64-8277-888C0CD70006}
    C:\CCE_Quarantine\{F6E6E534-F46A-4F9F-AA04-707492D0630B}
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll
    C:\Program Files (x86)\Jelbrus Secure Web\jswff.exe
    C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe
    C:\Users\Liz\AppData\Local\Anvisoft\Anvi Slim Toolbar\IEToobar\BHO\{D3C24E2B-C820-4492-9B69-11BF7163F998}\SecureWeb.dll
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000098a\CS4 codes.zip
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000099b\CS4 codes.zip
    C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso
    C:\Users\Liz\Downloads\ccsetup416.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.


    *************
    Is Malwarebytes still on the computer?

    Open Malwarebytes

    • On the Dashboard click on Update Now
    • Go to the Settings tab
    • Under Settings, go to Detection and Protection
    • Under PUP and PUM, make sure both are set to Treat Detections as Malware
    • Go to Advanced Settings and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • When the scan is finished and the log pops up, select Copy to Clipboard
    • Please paste the log back into this thread for review
    • Exit Malwarebytes


    ***************************************

    Please post
    Fixlog.txt
    Malwarebytes log

    How's the computer now?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
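    As an added example (not from the thread and not part of the FRST or ESET tools), the Python below does in code what the post above does by hand: it turns ESET detection lines into an FRST fixlist and then reads the Fixlog to confirm every listed path was actually moved, including the file that was only moved after the reboot. The two line formats and the rule of skipping AdwCleaner's own quarantine folder are assumptions read off the samples in this thread.

```python
import re

# ESET Online Scanner log, one detection per line:
#   <path> [a variant of ]<detection name> potentially (unwanted|unsafe) application
ESET_LINE = re.compile(
    r"^(?P<path>[A-Z]:\\.+?) "
    r"(?P<name>(?:a variant of )?\S+) "
    r"(?P<category>potentially (?:unwanted|unsafe) application)$"
)

# FRST Fixlog result lines, in the shapes seen in the thread's Fixlog.txt
MOVED = re.compile(r"^(?P<path>[A-Z]:\\.+) => (?:Is m|M)oved successfully\.$")
SCHEDULED = re.compile(r'^Could not move "(?P<path>[A-Z]:\\.+)" => Scheduled to move on reboot\.$')

# Assumption: a file already sitting in another cleaner's quarantine is neutralised and
# disappears when that tool is uninstalled, so it is left out of the fixlist. The fixlist
# in the thread omits the AdwCleaner quarantine entries in exactly this way.
ALREADY_QUARANTINED = ("C:\\AdwCleaner\\Quarantine\\",)


def parse_eset(text):
    """Return (path, detection name, category) for every ESET detection line."""
    hits = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            hits.append((m["path"], m["name"], m["category"]))
    return hits


def build_fixlist(hits, skip_prefixes=ALREADY_QUARANTINED):
    """Emit an FRST fixlist: start / CloseProcesses: / one path per line / EmptyTemp: / End."""
    body = []
    for path, _name, _category in hits:
        if path.startswith(skip_prefixes) or path in body:
            continue  # already quarantined elsewhere, or the same file detected twice
        body.append(path)
    return "\n".join(["start", "CloseProcesses:", *body, "EmptyTemp:", "End"])


def reconcile(fixlist, fixlog):
    """Map each path in the fixlist to its final Fixlog status: moved, scheduled or missing."""
    status = {}
    for line in fixlog.splitlines():
        line = line.strip()
        if (m := MOVED.match(line)):
            status[m["path"]] = "moved"        # "Is moved successfully" after reboot wins
        elif (m := SCHEDULED.match(line)):
            status[m["path"]] = "scheduled"    # deferred to reboot, not yet confirmed
    paths = [l for l in fixlist.splitlines() if re.match(r"^[A-Z]:\\", l)]
    return {p: status.get(p, "missing") for p in paths}


# Sample input copied from the thread: a subset of the ESET detections and of Fixlog.txt.
ESET_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\CCE_Quarantine\{8E4FD266-B92D-4B64-8277-888C0CD70006} a variant of Win32/Keygen.HA potentially unsafe application
C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe a variant of Win32/Techsnab.C potentially unwanted application
C:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll a variant of Win32/Techsnab.C potentially unwanted application
C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso a variant of Win32/Keygen.HA potentially unsafe application
C:\Users\Liz\Downloads\ccsetup416.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
"""

FIXLOG = r"""
Processes closed successfully.
C:\CCE_Quarantine\{8E4FD266-B92D-4B64-8277-888C0CD70006} => Moved successfully.
C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe => Moved successfully.
C:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll => Moved successfully.
Could not move "C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso" => Scheduled to move on reboot.
C:\Users\Liz\Downloads\ccsetup416.exe => Moved successfully.
EmptyTemp: => Removed 519.9 MB temporary data.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-11-26 00:10:09)<=
C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso => Is moved successfully.
"""

if __name__ == "__main__":
    fixlist = build_fixlist(parse_eset(ESET_LOG))
    print(fixlist)
    for path, state in reconcile(fixlist, FIXLOG).items():
        print(f"{state:9s} {path}")
```

    Run against a Fixlog captured before the reboot, the ISO shows as "scheduled" rather than "moved", which is the case a helper would want to chase up in the next reply.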

  4. #14
    Junior Member (Join Date: Nov 2014, Posts: 10)

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2014 01
    Ran by Liz at 2014-11-26 00:08:46 Run:1
    Running from C:\Users\Liz\Desktop
    Loaded Profiles: UpdatusUser & Liz (Available profiles: UpdatusUser & Liz)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    C:\CCE_Quarantine\{8E4FD266-B92D-4B64-8277-888C0CD70006}
    C:\CCE_Quarantine\{F6E6E534-F46A-4F9F-AA04-707492D0630B}
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll
    C:\Program Files (x86)\Jelbrus Secure Web\jswff.exe
    C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe
    C:\Users\Liz\AppData\Local\Anvisoft\Anvi Slim Toolbar\IEToobar\BHO\{D3C24E2B-C820-4492-9B69-11BF7163F998}\SecureWeb.dll
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000098a\CS4 codes.zip
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000099b\CS4 codes.zip
    C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso
    C:\Users\Liz\Downloads\ccsetup416.exe
    EmptyTemp:
    End
    *****************

    Processes closed successfully.
    C:\CCE_Quarantine\{8E4FD266-B92D-4B64-8277-888C0CD70006} => Moved successfully.
    C:\CCE_Quarantine\{F6E6E534-F46A-4F9F-AA04-707492D0630B} => Moved successfully.
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe => Moved successfully.
    C:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe => Moved successfully.
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll => Moved successfully.
    C:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll => Moved successfully.
    C:\Program Files (x86)\Jelbrus Secure Web\jswff.exe => Moved successfully.
    C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe => Moved successfully.
    C:\Users\Liz\AppData\Local\Anvisoft\Anvi Slim Toolbar\IEToobar\BHO\{D3C24E2B-C820-4492-9B69-11BF7163F998}\SecureWeb.dll => Moved successfully.
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000098a\CS4 codes.zip => Moved successfully.
    C:\Users\Liz\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\53f57bdbdb0c9508\120712-0049\Att\2000099b\CS4 codes.zip => Moved successfully.
    Could not move "C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso" => Scheduled to move on reboot.
    C:\Users\Liz\Downloads\ccsetup416.exe => Moved successfully.
    EmptyTemp: => Removed 519.9 MB temporary data.

    => Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-11-26 00:10:09)<=

    C:\Users\Liz\Desktop\Autodesk AutoCAD 2013 x64\Autodesk AutoCAD 2013 x64.iso => Is moved successfully.

    ==== End of Fixlog ====

  5. #15
    Junior Member (Join Date: Nov 2014, Posts: 10)

    Everything seems to be running ok - I still can't run Windows Defender, but I don't mind getting another antivirus anyway.
    I reinstalled Firefox and the ads had started reappearing there when I turned the ad blocker off, but I've just reset it and things seem to be ok so far.

    The log from Malwarebytes is below

    Thank you so much for your help!!

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 26/11/2014
    Scan Time: 00:17:38
    Logfile: Malwarebytes log.txt
    Administrator: Yes

    Version: 2.00.3.1025
    Malware Database: v2014.11.25.16
    Rootkit Database: v2014.11.22.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 8.1
    CPU: x64
    File System: NTFS
    User: Liz

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 406656
    Time Elapsed: 34 min, 35 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

  6. #16
    Security Expert-emeritus Juliet (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    As far as cleaning out the malware, I believe you're clean now, but for the issues with Windows Defender, please read this article, where people describe issues with it being turned off due to a downloaded or pre-installed antivirus.
    http://answers.microsoft.com/en-us/p...0-db801d8be97a
    You could try http://windows.microsoft.com/en-us/w...tials-download

    Let me know how it goes.

    I think we're ready to remove tools and quarantine folders and I'll post preventive tips.

    • Download Delfix from here
    • Ensure Remove disinfection tools is ticked
      Also tick:
    • Create registry backup
    • Click Run
    • Purge system restore



    Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.

    ~~~~~~~~~~~~~~~~


    The following programmes come highly recommended in the security community.
    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoPrevent), preventing your files from being encrypted.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

  7. #17
    Junior Member (Join Date: Nov 2014, Posts: 10)

    Thank you so much for all your help - you're an absolute superhero!
    I removed all the diagnostic stuff, and now Defender is up and running fine.
    I'll definitely be installing some of those other anti malware programs too.

    I'm off to donate now, thanks again! Merry Christmas!

  8. #18
    Security Expert-emeritus Juliet (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    We're glad to help

  9. #19
    Security Expert-emeritus Juliet (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Glad we could help.

    Since this issue appears resolved ... this Topic is closed.