Adobe.Fake.Zusy


ebb124

New member
I'm new here and don't know how to proceed. I've read the "before you post" section, downloaded my registry, the Farbar tool and have a desktop full of icons. I want to remove the zusy trojan from my registry and would welcome help.
Thanks, ebb124

I thought I had all the logs posted here but now it's blank so I will try again. Then they reject it as too long. I will try to send separately.
Run date: 2014-07-23 15:21:39
-----------------------------
15:21:39.997 OS Version: Windows x64 6.1.7601 Service Pack 1
15:21:39.997 Number of processors: 4 586 0x2A07
15:21:39.998 ComputerName: ED-PC UserName: Ed
15:21:43.010 Initialize success
15:21:43.010 VM: initialized successfully
15:21:43.015 VM: Intel CPU supported virtualizedSuspended
15:21:52.898 VM: supported disk I/O iaStor.sys
15:22:13.243 AVAST engine defs: 14072200
15:22:29.581 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:22:29.585 Disk 0 Vendor: WDC_WD10 77.0 Size: 953869MB BusType: 3
15:22:29.698 Disk 0 MBR read successfully
15:22:29.702 Disk 0 MBR scan
15:22:29.709 Disk 0 Windows 7 default MBR code
15:22:29.727 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
15:22:29.751 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
15:22:29.755 Disk 0 default boot code
15:22:29.769 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 939431 MB offset 29566976
15:22:29.794 Disk 0 scanning C:\Windows\system32\drivers
15:22:36.705 Service scanning
15:22:45.508 Service pcmaxservice C:\Program Files\pcmax\pcmax.exe **INFECTED** Win32:Dropper-gen [Drp]
15:22:47.672 Service SrvUpdater C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe **INFECTED** Win32:Rootkit-gen [Rtk]
15:22:51.566 Modules scanning
15:22:51.581 Disk 0 trace - called modules:
15:22:51.818 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
15:22:51.825 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007e07060]
15:22:51.833 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005f28050]
15:22:54.865 AVAST engine scan C:\Windows
15:22:59.270 AVAST engine scan C:\Windows\system32
15:26:17.156 AVAST engine scan C:\Windows\system32\drivers
15:26:56.530 AVAST engine scan C:\Users\Ed
15:38:44.749 AVAST engine scan C:\ProgramData
15:40:51.938 Scan finished successfully
15:42:04.554 Disk 0 MBR has been saved successfully to "C:\Users\Ed\Desktop\MBR.dat"
15:42:04.560 The log file has been saved successfully to "C:\Users\Ed\Desktop\aswMBR.txt"

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-07-2014 01
Ran by Ed (administrator) on ED-PC on 23-07-2014 15:02:26
Running from C:\Users\Ed\Downloads
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Acer Incorporated) C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Acer Incorporated) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
(Microsoft Corporation) C:\Windows\vVX6000.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
() C:\Program Files\pcmax\pcmax.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Users\Ed\AppData\LocalLow\Picasa\IE\PicasaUpdater.exe
(Google Inc.) C:\Users\Ed\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
(Google) C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler64.exe
(Dropbox, Inc.) C:\Users\Ed\AppData\Roaming\Dropbox\bin\Dropbox.exe
() C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
() C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
(Carbonite, Inc.) C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
(SAMSUNG Electornics Co., Ltd.) C:\Users\Ed\AppData\Roaming\VERIZON\UA_ar\UA.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteTray.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\Ed\Downloads\FRST64 (2).exe

I appreciate your help.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [VX6000] => C:\Windows\vVX6000.exe [764784 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11660904 2010-11-30] (Realtek Semiconductor)
HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKLM-x32\...\Run: [Hotkey Utility] => C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [627304 2011-08-10] ()
HKLM-x32\...\Run: [VMM Mode Selection] => C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe [43520 2011-02-14] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKLM-x32\...\Run: [Carbonite Backup] => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1056976 2014-06-27] (Carbonite, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [5179408 2014-06-17] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\822\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-19\...\RunOnce: [mctadmin] => C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [mctadmin] => C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [24477056 2014-06-27] (Google)
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [MusicManager] => C:\Users\Ed\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [7631872 2014-05-15] (Google Inc.)
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [1E90D213CEDA3808F5074AB93AD198C0BA35B469._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [860488 2014-07-15] (Google Inc.)
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {1e0f0aee-f61e-11e3-987e-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {4a354431-3281-11e1-babf-38607782c50d} - P:\TL-Bootstrap.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {9eb904bd-8c3f-11e3-8ddd-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {d865dce6-2a9e-11e3-b0c7-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
Startup: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Ed\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Verizon Wireless Software Utility Application for Android – Samsung.lnk
ShortcutTarget: Verizon Wireless Software Utility Application for Android – Samsung.lnk -> C:\Users\Ed\AppData\Roaming\VERIZON\UA_ar\UA.exe (SAMSUNG Electornics Co., Ltd.)
ShellIconOverlayIdentifiers: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: GDriveBlacklistedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
ShellIconOverlayIdentifiers: GDriveSharedEditOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
ShellIconOverlayIdentifiers: GDriveSharedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
ShellIconOverlayIdentifiers: GDriveSharedViewOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
ShellIconOverlayIdentifiers: GDriveSyncedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
ShellIconOverlayIdentifiers: GDriveSyncingOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
ShellIconOverlayIdentifiers-x32: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xC079459ADAEECE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM - {3939A073-D89B-4984-B23E-0DD0A7FAAC99} URL = http://local.yahoo.com/results?stx={searchTerms}&fr=yie7c
SearchScopes: HKLM - {4E90EF92-F351-4D40-A980-05032B6D7939} URL = http://images.search.yahoo.com/search/images?p={searchTerms}&fr=yie7c
SearchScopes: HKLM - {9AE508B0-FE23-405A-B274-F5FFF5DF7532} URL = http://news.search.yahoo.com/search/news?p={searchTerms}&fr=yie7c
SearchScopes: HKLM - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://search.yahoo.com/search?p={searchTerms}&fr=yie7c
SearchScopes: HKLM - {B4EC393E-AC31-454D-89EC-6164B368FA06} URL = http://video.yahoo.com/video/search?p={searchTerms}&fr=yie7c
SearchScopes: HKLM - {C187C709-DD8E-4B2C-B27E-65A5FEE0EC96} URL = http://answers.yahoo.com/search/search_result?p={searchTerms}&fr=yie7c
SearchScopes: HKLM - {DCBE26BD-B538-4FAD-8B4C-B1CF30D91E2F} URL = http://shopping.yahoo.com/search?p={searchTerms}&fr=yie7c
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKCU - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: Picasa -> {138B4B0A-923A-4981-AE90-EE90FAC91CE0} -> C:\Users\Ed\AppData\LocalLow\Picasa\IE\Picasa.dll (Google Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files (x86)\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - No File
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - No File
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF ProfilePath: C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\Ed\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @lightspark.github.com/Lightspark;version=1 - C:\Program Files (x86)\Lightspark 0.5.3-git\nplightsparkplugin.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Ed\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Ed\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Extension: RightSurf - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi [2014-01-24]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: SmartPrintButton - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2012-01-05]
FF Extension: Free Download Manager plugin - C:\ProgramData\Free Download Manager\Firefox\Extensions\1.6.0.7 [2014-05-13]

Chrome:
=======
CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=
CHR StartupUrls: "hxxp://www.chrome.com/"
CHR DefaultSearchKeyword: maxwebsearch.com_
CHR DefaultNewTabURL:
CHR Extension: (Google Drive) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-09]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (WOT) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2014-07-13]
CHR Extension: (YouTube) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-08]
CHR Extension: (Google Search) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-08]
CHR Extension: (Google News) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\dllkocilcinkggkchnjgegijklcililc [2014-07-08]
CHR Extension: (NYTimes) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecmphppfkcfflgglcokcbdkofpfegoel [2014-07-08]
CHR Extension: (Picasa) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghpfmmnfdgagepippghcmpcceacbgjn [2014-05-09]
CHR Extension: (Google Calendar) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2014-07-08]
CHR Extension: (Google Finance) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcgckldmmjdbpdejkclmfnnnehhocbfp [2014-07-08]
CHR Extension: (News Today, Major Newspapers) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\joacmnheokpeibjlgbhjhgajocokiogk [2014-07-08]
CHR Extension: (Google Maps) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2014-07-08]
CHR Extension: (Boomerang for Gmail) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdanidgdpmkimeiiojknlnekblgmpdll [2014-07-08]
CHR Extension: (Google Wallet) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-09]
CHR Extension: (Readability) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\oknpjjbmpnndlpmnhmekjpocelpnlfdi [2014-07-08]
CHR Extension: (Evernote Web Clipper) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc [2014-07-08]
CHR Extension: (Gmail) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-08]
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-05]
CHR HKLM-x32\...\Chrome\Extension: [eghpfmmnfdgagepippghcmpcceacbgjn] - C:\Users\Ed\AppData\LocalLow\Picasa\CHROME\Picasa.crx [2011-09-02]

==================== Services (Whitelisted) =================

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3241488 2014-06-27] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [289328 2014-06-17] (AVG Technologies CZ, s.r.o.)
R2 pcmaxservice; C:\Program Files\pcmax\pcmax.exe [241344 2014-05-29] ()
R2 PicasaUpdater; C:\Users\Ed\AppData\LocalLow\Picasa\IE\PicasaUpdater.exe [18432 2011-09-02] () [File not signed]
S2 SrvUpdater; C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe [56832 2014-07-12] () [File not signed]

==================== Drivers (Whitelisted) ====================

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [242968 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [235800 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [328984 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [269080 2014-06-17] (AVG Technologies CZ, s.r.o.)
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
R3 VX6000; C:\Windows\System32\DRIVERS\VX6000Xp.sys [2143600 2010-05-20] (Microsoft Corporation)
U3 aswMBR; \??\C:\Users\Ed\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\Ed\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================
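
The aswMBR log above reports the MBR as "Windows 7 default MBR code" and lists three partitions, and it saved the raw sector to C:\Users\Ed\Desktop\MBR.dat. The following is an added example (not aswMBR's code and not part of the original post) of what a practitioner does with that file: parse the 512-byte sector, check the 0x55AA signature and the partition table for the things a bootkit triage cares about (exactly one active partition, valid status bytes, no overlaps), and hash the 446 bytes of boot code so it can be compared against a baseline taken from a known-clean machine. The sample MBR is constructed to mirror the three partitions in the log; its boot code is filler, not Windows' real MBR code, and the baseline hash is something you record yourself.

```python
"""Parse and sanity-check a 512-byte MBR, the structure aswMBR summarises in its
"Disk 0 MBR scan" / "Partition N" lines and saves as MBR.dat.
Added example for this thread; it is not aswMBR's code and not from the original
post.  The sample MBR is constructed to mirror the three partitions in the log."""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446                       # partition table follows the boot code
ENTRY_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes
BOOT_SIGNATURE = b"\x55\xAA"
PART_TYPES = {0x07: "HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}   # the two types in the log


def build_entry(active, ptype, lba_start, sectors):
    """One 16-byte partition entry; CHS fields are zeroed, LBA is what matters."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr(second_active=False):
    """Constructed sample: the partitions as aswMBR listed them (MiB -> 512-byte sectors).
    The boot code is filler, not Windows' real MBR code."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (TABLE_OFFSET - 7)
    table = (build_entry(False, 0x27, 2048, 14336 * 2048)
             + build_entry(True, 0x07, 29362176, 100 * 2048)
             + build_entry(second_active, 0x07, 29566976, 939431 * 2048)
             + b"\0" * ENTRY_SIZE)
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the non-empty partition entries; raise on a malformed sector."""
    if len(mbr) != SECTOR:
        raise ValueError(f"MBR must be {SECTOR} bytes, got {len(mbr)}")
    if mbr[SECTOR - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "status": status, "active": status == 0x80,
                      "type": ptype, "type_name": PART_TYPES.get(ptype, "unknown"),
                      "offset": lba_start, "sectors": sectors,
                      "size_mb": sectors * SECTOR // (1024 * 1024)})
    return parts


def boot_code_sha256(mbr):
    """Hash of the 446 boot-code bytes: record it from a clean MBR.dat, compare later."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()


def check_partitions(parts):
    """Checks a bootkit triage cares about: exactly one active entry, only 0x00/0x80
    status bytes, and no overlapping partitions."""
    findings = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions {active}, expected 1")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte {p['status']:#x}")
    ordered = sorted(parts, key=lambda p: p["offset"])
    for a, b in zip(ordered, ordered[1:]):
        if a["offset"] + a["sectors"] > b["offset"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    return findings


if __name__ == "__main__":
    # To inspect a real capture: mbr = open(r"C:\Users\Ed\Desktop\MBR.dat", "rb").read()
    sample = build_sample_mbr()
    for p in parse_mbr(sample):
        flag = "(A)" if p["active"] else "   "
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} "
              f"{p['size_mb']} MB offset {p['offset']}")
    print("boot code sha256:", boot_code_sha256(sample))
    print("findings:", check_partitions(parse_mbr(sample)) or "none")
```

The offsets line up with the log because each partition starts exactly where the previous one ends (2048 + 14336 MiB of sectors is 29362176, and so on); a gap or overlap in a real MBR.dat is the first thing to look at, because it is where bootkits keep their own code. The hash only helps if you already have a baseline from the same Windows version, since Microsoft's MBR code changes between releases.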
 
Let's continue here.....

The script I have created below will reboot your computer; please don't be alarmed.

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

start
C:\Program Files\pcmax\pcmax.exe
HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {1e0f0aee-f61e-11e3-987e-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {4a354431-3281-11e1-babf-38607782c50d} - P:\TL-Bootstrap.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {9eb904bd-8c3f-11e3-8ddd-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {d865dce6-2a9e-11e3-b0c7-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
SearchScopes: HKCU - DefaultScope {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - No File
FF Extension: RightSurf - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi [2014-01-24]
CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=
CHR DefaultSearchKeyword: maxwebsearch.com_
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-05]
R2 pcmaxservice; C:\Program Files\pcmax\pcmax.exe [241344 2014-05-29] ()
S2 SrvUpdater; C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe [56832 2014-07-12] () [File not signed]
Reboot:
end

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
 
Also, we need this

AdwCleaner by Xplode

Click on this link to download: AdwCleaner
Click on ONE of the two blue Download Now buttons that have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top advertisement.


Close all open windows and browsers.


  • Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found, and above the progress bar you will see Pending. Please uncheck elements you don't want to remove.
  • NEXT click on CLEAN
  • Click the Report button to get the log
  • Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner.txt.
  • Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.
  • NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

*********************

Download Malwarebytes' Anti-Malware to your desktop.

  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"

  • On the Dashboard click on Update Now
  • Go to the Settings tab
  • Under Settings go to Detection and Protection
  • Under PUP and PUM make sure both are set to Treat Detections as Malware
  • Go to Advanced Settings and make sure Automatically Quarantine Detected Items is checked
  • Then on the Dashboard click on Scan
  • Make sure to select THREAT SCAN
  • Then click on Scan
  • When the scan is finished and the log pops up...select Copy to Clipboard
  • Please paste the log back into this thread for review
  • Exit Malwarebytes

***************************************

Please post these 2 logs when done.
 
Excuse my ignorance

Let's continue here.....

The script I have created below will reboot your computer, please don't be alarmed.

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).



Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
Juliet,
Thank you for jumping in. I have the fixit.txt on the desktop. I have the "shortcut" for FRST next to it on the desktop but when I click scan, it tells me they are not in the same location. Help and thanks

Sorry, when I click "fix".
 
Running from C:\Users\Ed\Downloads
FRST isn't on desktop so they are not in the same location.


Let's try this.
Go to an open spot on your desktop, right click, and a little window will open.
Move your mouse down to New and hover over that; another window will open and you'll see Folder. Click on that.
Now hit the Backspace button to clear it out so you can type in FRST, then hit Enter.

Go to your Downloads folder, locate FRST, right click and select Cut.
Now go to the newly created folder FRST, right click and select Paste. This will place the tool into its own folder.

Now go back to the script I created, take your mouse and drag it to that folder.
Open the folder and you should see both in there now. Open the FRST tool and click on the Fix button.

If this doesn't work, let me know which browser you used to download it so we can set it to place downloads on the desktop.
 
# AdwCleaner v3.216 - Report created 25/07/2014 at 13:07:17
# Updated 17/07/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ed - ED-PC
# Running from : C:\Users\Ed\Downloads\adwcleaner_3.216.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\SoftwareUpdater
Folder Deleted : C:\Program Files (x86)\WSE Rocket
Folder Deleted : C:\Users\Ed\AppData\Local\Rocket
Folder Deleted : C:\Users\Ed\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\Ed\AppData\Roaming\RocketUpdater
Folder Deleted : C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rocket
Folder Deleted : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\staged\{ecaa9181-d92a-47b9-8e14-bef9680f204b}
File Deleted : C:\Users\Ed\Desktop\Uninstall.exe
File Deleted : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\searchplugins\WSE Rocket.xml
File Deleted : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\user.js
File Deleted : C:\Windows\System32\Tasks\Rocket Updater

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKCU\Software\BrowserSafeguardInstalled
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Rocket Browser
Key Deleted : HKCU\Software\RocketUpdater
Key Deleted : HKCU\Software\WSE Rocket
Key Deleted : HKLM\Software\InstallCore
Key Deleted : HKLM\Software\SoftwareUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSE Rocket

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\prefs.js ]

Line Deleted : user_pref("browser.startup.homepage", "hxxp://rocket-find.com/?f=1&a=rckt_app_14_30_ch&cd=2XzuyEtN2Y1L1QzuyByE0D0EtB0BzyyD0A0AzztCyC0E0DtAtN0D0Tzu0SzytAyBtN1L2XzutAtFtDtFtBtFtDtN1L1CzutCyEtBzytDyD1V1S[...]

-\\ Google Chrome v36.0.1985.125

[ File : C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzuyByE0D0EtB0BzyyD0A0AzztCyC0E0DtAtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtBtDtC1N1R&cr=589237676&ir=
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN19100988751793931&ctid=CT3279414&UM=2
Deleted [Search Provider] : hxxp://search.babylon.com/?q={searchTerms}&AF=100486&babsrc=SP_ss&mntrId=9ef66ed300000000000074de2b95aa80
Deleted [Search Provider] : hxxp://dts.search-results.com/sr?src=crb&appid=362&systemid=406&sr=0&q={searchTerms}
Deleted [Search Provider] : hxxp://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
Deleted [Search Provider] : hxxp://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80197&lng=en
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=ME14FF9FD-B8FD-46E3-ACC1-6E85C174E6C8&SearchSource=58&CUI=&UM=2&UP=SPA7C31A57-F805-4C45-8B9D-68710E54C18D&q={searchTerms}&SSPV=
Deleted [Search Provider] : hxxp://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
Deleted [Homepage] : hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=

*************************

AdwCleaner[R0].txt - [13875 octets] - [26/06/2014 21:42:16]
AdwCleaner[R1].txt - [4574 octets] - [25/07/2014 13:05:15]
AdwCleaner[S0].txt - [15138 octets] - [26/06/2014 21:43:52]
AdwCleaner[S1].txt - [5275 octets] - [25/07/2014 13:07:17]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5335 octets] ##########
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-07-2014 01
Ran by Ed at 2014-07-25 12:00:12 Run:1
Running from C:\Users\Ed\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Program Files\pcmax\pcmax.exe
HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {1e0f0aee-f61e-11e3-987e-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {4a354431-3281-11e1-babf-38607782c50d} - P:\TL-Bootstrap.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {9eb904bd-8c3f-11e3-8ddd-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {d865dce6-2a9e-11e3-b0c7-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
SearchScopes: HKCU - DefaultScope {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
SearchScopes: HKCU - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - No File
FF Extension: RightSurf - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi [2014-01-24]
CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=
CHR DefaultSearchKeyword: maxwebsearch.com_
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-05]
R2 pcmaxservice; C:\Program Files\pcmax\pcmax.exe [241344 2014-05-29] ()
S2 SrvUpdater; C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe [56832 2014-07-12] () [File not signed]
Reboot:

*****************

C:\Program Files\pcmax\pcmax.exe => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
"HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-2439400091-1958991913-3167676542-1000" => Key not found.
"HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e0f0aee-f61e-11e3-987e-38607782c50d}" => Key deleted successfully.
"HKCR\CLSID\{1e0f0aee-f61e-11e3-987e-38607782c50d}" => Key not found.
"HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a354431-3281-11e1-babf-38607782c50d}" => Key deleted successfully.
"HKCR\CLSID\{4a354431-3281-11e1-babf-38607782c50d}" => Key not found.
"HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9eb904bd-8c3f-11e3-8ddd-38607782c50d}" => Key deleted successfully.
"HKCR\CLSID\{9eb904bd-8c3f-11e3-8ddd-38607782c50d}" => Key not found.
"HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d865dce6-2a9e-11e3-b0c7-38607782c50d}" => Key deleted successfully.
"HKCR\CLSID\{d865dce6-2a9e-11e3-b0c7-38607782c50d}" => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => Key deleted successfully.
"HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => Key deleted successfully.
"HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => Key deleted successfully.
"HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => Key deleted successfully.
"HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2ECA7E60-EA21-4D1E-B3A5-3C888283B599}" => Key deleted successfully.
"HKCR\CLSID\{2ECA7E60-EA21-4D1E-B3A5-3C888283B599}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0}" => Key deleted successfully.
"HKCR\CLSID\{A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} => value deleted successfully.
"HKCR\CLSID\{25E2E5C9-C43C-4EE8-B23E-4383915F2BCE}" => Key not found.
C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi => Moved successfully.
CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV= ==> The Chrome "Settings" can be used to fix the entry.
CHR DefaultSearchKeyword: maxwebsearch.com_ ==> The Chrome "Settings" can be used to fix the entry.
"HKCU\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf" => Key deleted successfully.
C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx => Moved successfully.
pcmaxservice => Service stopped successfully.
pcmaxservice => Service deleted successfully.
SrvUpdater => Service deleted successfully.


The system needed a reboot.

==== End of Fixlog ====

Malwarebytes downloaded fine but when I try to open it, I get a message "Malwarebytes has stopped working". I was getting this before which suggested to me I had an infection.
 
MBAM is just too testy!
Sometimes it's your onboard antivirus interfering.



We need to reset your browsers to completely remove some of the infection.

Reset browsers


Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed, you may want to consider uninstalling it, as older versions of some software can increase the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome
Chrome - Reset browser settings


************************
Please Run TFC by OldTimer to clear temporary files:

Download TFC from here http://oldtimer.geekstogo.com/TFC.exe
and save it to your desktop.

Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7, right click and choose "Run as administrator") and once it opens, click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

*****

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please post this log when done.

How is your computer now?
 
Response from ebb12

I followed all your directions to the best of my ability. You were very clear at all times, however, I wasn't able to paste all the tools to the Desktop so I just opened them. You see the logs. Also I'm not sure I ran them as administrator but since I am the A, I guess it happened.
Did I get rid of ZUSY?
Are we finished?
I am very appreciative of your time, patience, and knowledge.
Will I be able to use malwarebytes?
ebb124

Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Ed on Fri 07/25/2014 at 16:27:22.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\sparktrust
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sparktrust
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\boostsoftware



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\sparktrust"
Successfully deleted: [Folder] "C:\Users\Ed\AppData\Roaming\sparktrust"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
Successfully deleted: [Empty Folder] C:\Users\Ed\appdata\local\{02E43E00-80B9-44FB-A95D-FB3759CA27DC}
Successfully deleted: [Empty Folder] C:\Users\Ed\appdata\local\{0DB8BC39-7603-403E-94A2-A8027FEF6A78}
Successfully deleted: [Empty Folder] C:\Users\Ed\appdata\local\{169CD2A2-280F-492F-963C-2B9EC3AE300C}



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 07/25/2014 at 16:32:34.38
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Did I get rid of ZUSY?
How is your computer now? Are you getting any alerts or error messages?
Are we finished?
We are close now. One more scan or two to check for remnants.

Will I be able to use malwarebytes?
What we can try: drop into safe mode, disable your antivirus and try to run it again.

http://www.bleepingcomputer.com/for...nti-virus-firewall-and-anti-malware-programs/


What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner, the most reliable and thorough.
The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course on how full your computer is.


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish
 
Reply from ebb124

It quarantined everything but the worm!

C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe.vir a variant of MSIL/Vittalia.D potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SoftwareUpdater\UpdaterService.exe.vir a variant of MSIL/Vittalia.D potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SoftwareUpdater\UpdaterService.exe_old.vir a variant of MSIL/Vittalia.D potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\jccpjpmiegdnbmbnaiaicnaakpacgbdi\10.22.5.10_0\nativeMessaging\TBMessagingHost.exe.vir a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\jccpjpmiegdnbmbnaiaicnaakpacgbdi\10.22.5.10_0\plugins\ConduitChromeApiPlugin.dll.vir a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\jccpjpmiegdnbmbnaiaicnaakpacgbdi\10.22.5.10_0\TBHostSupport\TBHostSupport.dll.vir a variant of Win32/Toolbar.Conduit.AA potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\NativeMessaging\CT3279414\1_0_0_4\TBMessagingHost.exe.vir a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\0D0S1L2Z1P1B0T1P1B2Z\Zip Opener Packages\uninstaller.exe.vir Win32/InstallCore.AZ potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\gx93i@cpd-uey.org\content\bg.js.vir Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{7557724b-30a9-42a4-98eb-77fcb0fd1be3}\Plugins\npConduitFirefoxPlugin.dll.vir a variant of Win32/Conduit.SearchProtect.N potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\RocketUpdater\UpdateProc\UpdateTask.exe.vir a variant of Win32/DealPly.S potentially unwanted application deleted - quarantined
C:\FRST\Quarantine\C\Program Files\pcmax\pcmax.exe.xBAD a variant of Win32/Conduit.SearchProtect.O potentially unwanted application deleted - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A426523FB696C6DC76F667A3B2E03687886 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A426523FB69ED550F9C1624F22AA386AFD0 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A426523FB69ED550F9C92284217 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A42F10F79B8 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A9B267AD62 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973A62BD130C8A89C316 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973A62BD130CA3730ACA22DEBB882319C902 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973A62BD130CA3730ACA2359255864098B81 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AB3EF2037384DD6E4AAF6DE7E02041028 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AB3EF2037384DD6E4AAF6DE7EE77AF4C5 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AB3EF20379A2A32136886C65D a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AC70441CA a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\launcher.exe Win32/Conduit.SearchProtect.M potentially unwanted application deleted - quarantined
C:\temp\red.exe Win32/Conduit.SearchProtect.M potentially unwanted application deleted - quarantined
C:\temp\white2.exe Win32/Conduit.SearchProtect.M potentially unwanted application deleted - quarantined
C:\Users\Ed\AppData\Local\Viber\Helper.dll a variant of Win32/Toolbar.SearchSuite.P potentially unwanted application deleted - quarantined
C:\Users\Ed\AppData\Roaming\0T1M1P0A1E1E0M1T1G\AdwCleaner Packages\uninstaller.exe Win32/InstallCore.PC potentially unwanted application deleted - quarantined
C:\Users\Ed\Downloads\AdwCleaner Setup.exe Win32/OutBrowse.S potentially unwanted application deleted - quarantined
C:\Users\Ed\Downloads\cbsidlm-cbsi188-Trojan_Remover-ORG-75964423.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
 
Actually it turned out good.

What was found has been previously dealt with by Spybot. To remove them from your computer completely, open Spybot, go to the Recovery folder and delete everything that’s in there.

Are we ready to remove tools and quarantine folders and post preventive tips?
 
It's me again, ebb124

Good morning!
I didn't find a "Recovery Folder" in Spybot, so I ran another scan. I then got the message "malware not working", the same thing I get with Malwarebytes. On the scan I ran I did find some cookies, etc.
I'm a little discouraged, although I realize I may be responsible for these quirks.
Help!
 
You can uninstall Malwarebytes and try again.
I haven't seen others have this issue just trying to run a scan... unless your antivirus has stopped it.

Have you tried running a scan in safe mode?

We can try to see if FRST can remove that file in the Spybot Recovery folder.
It might be encrypted and not allowed.

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

start
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
Zusy

Thank you for your perseverance! I will try Malwarebytes and Spybot again in safe mode BUT I need help there. My safe mode will not open with either F8 or F12. I wondered if that was part of the malware. Below is the log you requested.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-07-2014 01
Ran by Ed at 2014-07-26 10:39:30 Run:2
Running from C:\Users\Ed\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip
*****************

"C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip" => File/Directory not found.
"C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip" => File/Directory not found.

==== End of Fixlog ====
 
Last edited by a moderator:
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm

C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

Might be already gone.
If not we'll have to uninstall SpyBot then reinstall.


First, try just uninstalling Malwarebytes, reinstalling it and running a scan in normal mode.

Also please download Windows Repair (all in one) from here.
Please download from BleepingComputer.

[image: step-4-tab.jpg]

Install the program, then go to Step 4 and create a new system restore point and a new registry backup.

Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:
[image: p22001645.gif]

NEXT
On the Start Repairs tab, click Start.
[image: start-repairs-tab.jpg]

Please ensure that ONLY the items seen in the image below are ticked as indicated (they're all checked by default):
[image: p22001647.gif]

Tick the box next to Restart System when Finished, then click Start.
 
Back again

I messed up the one-time-only ESET scan, so I did the 30-day free trial and scanned the entire computer. Sorry! This is the result (71 threats):

C:\FRST\Quarantine\C\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi.xBAD Win32/BrowseFox.B potentially unwanted application No action
C:\Users\Ed\AppData\Local\CRE\jccpjpmiegdnbmbnaiaicnaakpacgbdi.crx a variant of Win32/Toolbar.Conduit.AA potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 18.zip Win32/DownloadAdmin.G potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 19.zip a variant of Win32/InstallCore.IU potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 2.zip Win32/InstallCore.AZ potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 3.zip multiple threats No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 4.zip a variant of Win32/Toolbar.Conduit.AA potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 6.zip a variant of Win32/Toolbar.Conduit.AH potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 7.zip Win64/Toolbar.Conduit.B potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-05-04 190000\Backup files 2.zip multiple threats No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-05-04 190000\Backup files 7.zip Win32/DownloadAdmin.G potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-05-11 211809\Backup files 2.zip a variant of Win32/Conduit.SearchProtect.P potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 10.zip a variant of Win32/Conduit.SearchProtect.P potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 12.zip a variant of Win32/Toolbar.Conduit.AH potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 24.zip Win32/DownloadAdmin.G potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 25.zip a variant of Win32/InstallCore.IU potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 41.zip Win32/DownloadAdmin.G potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 6.zip Win32/InstallCore.AZ potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 8.zip multiple threats No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-25 192314\Backup files 2.zip Win32/Conduit.SearchProtect potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-06-16 091350\Backup files 2.zip a variant of Win32/Conduit.SearchProtect.P potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-06-29 190000\Backup files 1.zip a variant of Win32/DomaIQ.BB potentially unwanted application No action
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-06-29 190000\Backup files 2.zip Win32/Toolbar.Montiera.B potentially unwanted application No action
G:\ED-PC\Backup Set 2014-07-06 190001\Backup Files 2014-07-06 190001\Backup files 11.zip a variant of Win32/Toolbar.SearchSuite.P potentially unwanted application No action
G:\ED-PC\Backup Set 2014-07-06 190001\Backup Files 2014-07-06 190001\Backup files 23.zip Win32/Toolbar.Montiera.B potentially unwanted application No action
G:\ED-PC\Backup Set 2014-07-06 190001\Backup Files 2014-07-06 190001\Backup files 7.zip Win32/BrowseFox.B potentially unwanted application No action

Again, thanks for your efforts. I didn't delete anything.
 
Last edited by a moderator:
You were infected when you made some backups, so the backups are infected and need to be removed.
When we're finished, I suggest you create a new restore point and then make a backup.

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

start
C:\Users\Ed\AppData\Local\CRE\jccpjpmiegdnbmbnaiaicnaakpacgbdi.crx
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 18.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 19.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 2.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 3.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 4.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 6.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 7.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-05-04 190000\Backup files 2.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-05-04 190000\Backup files 7.zip
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-05-11 211809\Backup files 2.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 10.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 12.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 24.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 25.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 41.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 6.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-18 202456\Backup files 8.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-05-25 192314\Backup files 2.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-06-16 091350\Backup files 2.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-06-29 190000\Backup files 1.zip
G:\ED-PC\Backup Set 2014-05-18 202456\Backup Files 2014-06-29 190000\Backup files 2.zip
G:\ED-PC\Backup Set 2014-07-06 190001\Backup Files 2014-07-06 190001\Backup files 11.zip
G:\ED-PC\Backup Set 2014-07-06 190001\Backup Files 2014-07-06 190001\Backup files 23.zip
G:\ED-PC\Backup Set 2014-07-06 190001\Backup Files 2014-07-06 190001\Backup files 7.zip
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
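
The fixlist above is the ESET "No action" lines with one item left out: the .xpi.xBAD hit inside C:\FRST\Quarantine, which is already an inert copy made by FRST itself. The earlier Fixlog also showed that both Spybot Recovery paths name the same file (C:\Users\All Users is a junction to C:\ProgramData on Vista and later), which is why both came back "not found". The Python below is an added example, not code from this thread, from ESET or from Farbar; it automates that triage: parse the ESET lines, fold the junction alias, skip what is already quarantined, and print the remainder as an FRST fixlist in the plain start/End form used in this thread. The sample lines are copied from the log posted above; the regular expressions and the classification rules are this example's own assumptions, not ESET's documented format.

```python
"""Triage an ESET scan log and turn the outstanding hits into an FRST fixlist.

Added example; not code from the thread, ESET or Farbar. The log format is
inferred from the lines posted in the thread (assumption), and the sample
input below is copied from them.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed input: six lines copied from the ESET log posted in the thread.
SAMPLE_LOG = r"""
C:\FRST\Quarantine\C\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi.xBAD Win32/BrowseFox.B potentially unwanted application No action
C:\Users\Ed\AppData\Local\CRE\jccpjpmiegdnbmbnaiaicnaakpacgbdi.crx a variant of Win32/Toolbar.Conduit.AA potentially unwanted application No action
G:\ED-PC\Backup Set 2014-04-06 192742\Backup Files 2014-04-13 195910\Backup files 3.zip multiple threats No action
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SoftwareUpdater\UpdaterService.exe.vir a variant of MSIL/Vittalia.D potentially unwanted application deleted - quarantined
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
"""

# One line is "<path> <detection> [<type>] [<action>]". The path may contain
# spaces, so the line is anchored on the detection name (vendor/family with a
# slash, or "multiple threats") and the fields to its right.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:a variant of )?(?:[A-Za-z0-9]+/\S+|multiple threats))"
    r"(?:\s+(?P<type>potentially unwanted application|application|worm))?"
    r"(?:\s+(?P<action>No action|deleted - quarantined|cleaned by deleting - quarantined))?"
    r"\s*$"
)

# C:\Users\All Users is a junction to C:\ProgramData on Vista and later, so the
# two Spybot lines name the same file.
ALL_USERS_RE = re.compile(r"^c:\\users\\all users\\", re.IGNORECASE)
BACKUP_RE = re.compile(r"\\backup (set|files) ", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one ESET log line into path, detection, type and action."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize(path: str) -> str:
    """Fold the All Users junction onto ProgramData so duplicates collapse."""
    return ALL_USERS_RE.sub(r"C:\\ProgramData\\", path)


def classify(path: str) -> str:
    """quarantine: inert copy kept by another tool (FRST .xBAD, AdwCleaner .vir,
    Spybot Recovery); backup: infected archive in a backup set; live: the rest."""
    low = path.lower()
    if "\\quarantine\\" in low or "\\recovery\\" in low or low.endswith((".vir", ".xbad")):
        return "quarantine"
    if low.endswith(".zip") and BACKUP_RE.search(path):
        return "backup"
    return "live"


def triage(log_text: str) -> Dict[str, object]:
    """Group hits by normalised path and decide what still needs removing."""
    hits: Dict[str, List[Dict[str, Optional[str]]]] = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            hits[normalize(entry["path"])].append(entry)

    fix: List[str] = []
    skipped: Dict[str, str] = {}
    for path, entries in hits.items():
        actions = {e["action"] for e in entries}
        if any(a and "quarantined" in a for a in actions):
            skipped[path] = "already quarantined by ESET"
        elif classify(path) == "quarantine":
            skipped[path] = "inert copy inside another tool's quarantine"
        else:
            fix.append(path)
    return {"fix": fix, "skipped": skipped}


def build_fixlist(log_text: str) -> str:
    """Render the outstanding paths as an FRST fixlist (start ... End)."""
    paths = triage(log_text)["fix"]
    return "\n".join(["start", *paths, "End"]) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, why in result["skipped"].items():
        print(f"skip  {path}  ({why})")
    print(build_fixlist(SAMPLE_LOG))
```

Run it as-is to see the two paths that survive triage (the Chrome .crx and the backup archive) and the three that are skipped with the reason. Anything that lands in the fixlist still deserves a look before FRST runs it: the script only reproduces the rule of thumb used in this thread, it does not know whether a backup archive holds anything you still need.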
 
from ebb124

C:\Users\All Users\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe.vir a variant of MSIL/Vittalia.D potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SoftwareUpdater\UpdaterService.exe.vir a variant of MSIL/Vittalia.D potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SoftwareUpdater\UpdaterService.exe_old.vir a variant of MSIL/Vittalia.D potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\jccpjpmiegdnbmbnaiaicnaakpacgbdi\10.22.5.10_0\nativeMessaging\TBMessagingHost.exe.vir a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\jccpjpmiegdnbmbnaiaicnaakpacgbdi\10.22.5.10_0\plugins\ConduitChromeApiPlugin.dll.vir a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\jccpjpmiegdnbmbnaiaicnaakpacgbdi\10.22.5.10_0\TBHostSupport\TBHostSupport.dll.vir a variant of Win32/Toolbar.Conduit.AA potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Local\NativeMessaging\CT3279414\1_0_0_4\TBMessagingHost.exe.vir a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\0D0S1L2Z1P1B0T1P1B2Z\Zip Opener Packages\uninstaller.exe.vir Win32/InstallCore.AZ potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\gx93i@cpd-uey.org\content\bg.js.vir Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{7557724b-30a9-42a4-98eb-77fcb0fd1be3}\Plugins\npConduitFirefoxPlugin.dll.vir a variant of Win32/Conduit.SearchProtect.N potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Ed\AppData\Roaming\RocketUpdater\UpdateProc\UpdateTask.exe.vir a variant of Win32/DealPly.S potentially unwanted application deleted - quarantined
C:\FRST\Quarantine\C\Program Files\pcmax\pcmax.exe.xBAD a variant of Win32/Conduit.SearchProtect.O potentially unwanted application deleted - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\WebCakeBHO9.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A426523FB696C6DC76F667A3B2E03687886 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A426523FB69ED550F9C1624F22AA386AFD0 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A426523FB69ED550F9C92284217 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A943640A42F10F79B8 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe1D9555A9B267AD62 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973A62BD130C8A89C316 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973A62BD130CA3730ACA22DEBB882319C902 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973A62BD130CA3730ACA2359255864098B81 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AB3EF2037384DD6E4AAF6DE7E02041028 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AB3EF2037384DD6E4AAF6DE7EE77AF4C5 a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AB3EF20379A2A32136886C65D a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\guardian.exe56C5973AC70441CA a variant of Win32/AdWare.SmartApps.A application cleaned by deleting - quarantined
C:\temp\launcher.exe Win32/Conduit.SearchProtect.M potentially unwanted application deleted - quarantined
C:\temp\red.exe Win32/Conduit.SearchProtect.M potentially unwanted application deleted - quarantined
C:\temp\white2.exe Win32/Conduit.SearchProtect.M potentially unwanted application deleted - quarantined
C:\Users\Ed\AppData\Local\Viber\Helper.dll a variant of Win32/Toolbar.SearchSuite.P potentially unwanted application deleted - quarantined
C:\Users\Ed\AppData\Roaming\0T1M1P0A1E1E0M1T1G\AdwCleaner Packages\uninstaller.exe Win32/InstallCore.PC potentially unwanted application deleted - quarantined
C:\Users\Ed\Downloads\AdwCleaner Setup.exe Win32/OutBrowse.S potentially unwanted application deleted - quarantined
C:\Users\Ed\Downloads\cbsidlm-cbsi188-Trojan_Remover-ORG-75964423.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined

Sorry if I repeated this submission. I wasn't sure it was transmitted. I am not being impatient; rather I am very appreciative of your prompt and comprehensive replies.

Last edited by a moderator:
Yes, I did see the log and replied to delete the infected backups you had made.
I had created another FRST script.
Did you see that? That's the log I need to see now.

Check post #18.
 
Last edited: