
Thread: Adobe.Fake.Zusy

  1. #1
    Member (Join Date: Jul 2014, Posts: 30)

    I'm new here and don't know how to proceed. I've read the "before you post" section, downloaded my registry, the Farbar tool and have a desktop full of icons. I want to remove the zusy trojan from my registry and would welcome help.
    Thanks, ebb124

    I thought I had all the logs posted here but now it's blank so I will try again. Then they reject it as too long. I will try to send separately.
    Run date: 2014-07-23 15:21:39
    -----------------------------
    15:21:39.997 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:21:39.997 Number of processors: 4 586 0x2A07
    15:21:39.998 ComputerName: ED-PC UserName: Ed
    15:21:43.010 Initialize success
    15:21:43.010 VM: initialized successfully
    15:21:43.015 VM: Intel CPU supported virtualizedSuspended
    15:21:52.898 VM: supported disk I/O iaStor.sys
    15:22:13.243 AVAST engine defs: 14072200
    15:22:29.581 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    15:22:29.585 Disk 0 Vendor: WDC_WD10 77.0 Size: 953869MB BusType: 3
    15:22:29.698 Disk 0 MBR read successfully
    15:22:29.702 Disk 0 MBR scan
    15:22:29.709 Disk 0 Windows 7 default MBR code
    15:22:29.727 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14336 MB offset 2048
    15:22:29.751 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 29362176
    15:22:29.755 Disk 0 default boot code
    15:22:29.769 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 939431 MB offset 29566976
    15:22:29.794 Disk 0 scanning C:\Windows\system32\drivers
    15:22:36.705 Service scanning
    15:22:45.508 Service pcmaxservice C:\Program Files\pcmax\pcmax.exe **INFECTED** Win32:Dropper-gen [Drp]
    15:22:47.672 Service SrvUpdater C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe **INFECTED** Win32:Rootkit-gen [Rtk]
    15:22:51.566 Modules scanning
    15:22:51.581 Disk 0 trace - called modules:
    15:22:51.818 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
    15:22:51.825 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007e07060]
    15:22:51.833 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005f28050]
    15:22:54.865 AVAST engine scan C:\Windows
    15:22:59.270 AVAST engine scan C:\Windows\system32
    15:26:17.156 AVAST engine scan C:\Windows\system32\drivers
    15:26:56.530 AVAST engine scan C:\Users\Ed
    15:38:44.749 AVAST engine scan C:\ProgramData
    15:40:51.938 Scan finished successfully
    15:42:04.554 Disk 0 MBR has been saved successfully to "C:\Users\Ed\Desktop\MBR.dat"
    15:42:04.560 The log file has been saved successfully to "C:\Users\Ed\Desktop\aswMBR.txt"

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-07-2014 01
    Ran by Ed (administrator) on ED-PC on 23-07-2014 15:02:26
    Running from C:\Users\Ed\Downloads
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Normal

    The only official download link for FRST:
    Download link for 32-Bit version: http://www.bleepingcomputer.com/down...an-tool/dl/81/
    Download link for 64-Bit Version: http://www.bleepingcomputer.com/down...an-tool/dl/82/
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
    See tutorial for FRST: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgrsa.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
    (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    (Acer Incorporated) C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    (Acer Incorporated) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
    (Microsoft Corporation) C:\Windows\vVX6000.exe
    (Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    () C:\Program Files\pcmax\pcmax.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
    () C:\Users\Ed\AppData\LocalLow\Picasa\IE\PicasaUpdater.exe
    (Google Inc.) C:\Users\Ed\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
    (Google) C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
    (Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler64.exe
    (Dropbox, Inc.) C:\Users\Ed\AppData\Roaming\Dropbox\bin\Dropbox.exe
    () C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
    () C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
    (Carbonite, Inc.) C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
    (SAMSUNG Electornics Co., Ltd.) C:\Users\Ed\AppData\Roaming\VERIZON\UA_ar\UA.exe
    (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
    (Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
    (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteTray.exe
    (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    (Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Windows\splwow64.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Farbar) C:\Users\Ed\Downloads\FRST64 (2).exe

    I appreciate your help.

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [VX6000] => C:\Windows\vVX6000.exe [764784 2010-05-20] (Microsoft Corporation)
    HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11660904 2010-11-30] (Realtek Semiconductor)
    HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKLM-x32\...\Run: [Hotkey Utility] => C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [627304 2011-08-10] ()
    HKLM-x32\...\Run: [VMM Mode Selection] => C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe [43520 2011-02-14] ()
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKLM-x32\...\Run: [Carbonite Backup] => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1056976 2014-06-27] (Carbonite, Inc.)
    HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
    HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [5179408 2014-06-17] (AVG Technologies CZ, s.r.o.)
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\822\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-19\...\RunOnce: [mctadmin] => C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
    HKU\S-1-5-20\...\RunOnce: [mctadmin] => C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [24477056 2014-06-27] (Google)
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [MusicManager] => C:\Users\Ed\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [7631872 2014-05-15] (Google Inc.)
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [1E90D213CEDA3808F5074AB93AD198C0BA35B469._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [860488 2014-07-15] (Google Inc.)
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {1e0f0aee-f61e-11e3-987e-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {4a354431-3281-11e1-babf-38607782c50d} - P:\TL-Bootstrap.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {9eb904bd-8c3f-11e3-8ddd-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {d865dce6-2a9e-11e3-b0c7-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
    ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
    Startup: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> C:\Users\Ed\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    Startup: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Verizon Wireless Software Utility Application for Android – Samsung.lnk
    ShortcutTarget: Verizon Wireless Software Utility Application for Android – Samsung.lnk -> C:\Users\Ed\AppData\Roaming\VERIZON\UA_ar\UA.exe (SAMSUNG Electornics Co., Ltd.)
    ShellIconOverlayIdentifiers: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
    ShellIconOverlayIdentifiers: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
    ShellIconOverlayIdentifiers: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
    ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: GDriveBlacklistedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
    ShellIconOverlayIdentifiers: GDriveSharedEditOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
    ShellIconOverlayIdentifiers: GDriveSharedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
    ShellIconOverlayIdentifiers: GDriveSharedViewOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
    ShellIconOverlayIdentifiers: GDriveSyncedOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
    ShellIconOverlayIdentifiers: GDriveSyncingOverlay -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll (Google)
    ShellIconOverlayIdentifiers-x32: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
    ShellIconOverlayIdentifiers-x32: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
    ShellIconOverlayIdentifiers-x32: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
    ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xC079459ADAEECE01
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
    SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    SearchScopes: HKLM - {3939A073-D89B-4984-B23E-0DD0A7FAAC99} URL = http://local.yahoo.com/results?stx={searchTerms}&fr=yie7c
    SearchScopes: HKLM - {4E90EF92-F351-4D40-A980-05032B6D7939} URL = http://images.search.yahoo.com/search/images?p={searchTerms}&fr=yie7c
    SearchScopes: HKLM - {9AE508B0-FE23-405A-B274-F5FFF5DF7532} URL = http://news.search.yahoo.com/search/news?p={searchTerms}&fr=yie7c
    SearchScopes: HKLM - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://search.yahoo.com/search?p={searchTerms}&fr=yie7c
    SearchScopes: HKLM - {B4EC393E-AC31-454D-89EC-6164B368FA06} URL = http://video.yahoo.com/video/search?p={searchTerms}&fr=yie7c
    SearchScopes: HKLM - {C187C709-DD8E-4B2C-B27E-65A5FEE0EC96} URL = http://answers.yahoo.com/search/search_result?p={searchTerms}&fr=yie7c
    SearchScopes: HKLM - {DCBE26BD-B538-4FAD-8B4C-B1CF30D91E2F} URL = http://shopping.yahoo.com/search?p={searchTerms}&fr=yie7c
    SearchScopes: HKLM-x32 - DefaultScope value is missing.
    SearchScopes: HKCU - DefaultScope {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
    SearchScopes: HKCU - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    BHO-x32: Picasa -> {138B4B0A-923A-4981-AE90-EE90FAC91CE0} -> C:\Users\Ed\AppData\LocalLow\Picasa\IE\Picasa.dll (Google Inc.)
    BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
    BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    BHO-x32: Free Download Manager -> {CC59E0F9-7E43-44FA-9FAA-8377850BF205} -> C:\Program Files (x86)\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
    Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
    Toolbar: HKCU - No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - No File
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - No File
    Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
    Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

    FireFox:
    ========
    FF ProfilePath: C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default
    FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
    FF Plugin: @microsoft.com/GENUINE - disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
    FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\Ed\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
    FF Plugin HKCU: @lightspark.github.com/Lightspark;version=1 - C:\Program Files (x86)\Lightspark 0.5.3-git\nplightsparkplugin.dll No File
    FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Ed\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Ed\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Extension: RightSurf - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi [2014-01-24]
    FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
    FF Extension: SmartPrintButton - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2012-01-05]
    FF Extension: Free Download Manager plugin - C:\ProgramData\Free Download Manager\Firefox\Extensions\1.6.0.7 [2014-05-13]

    Chrome:
    =======
    CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=
    CHR StartupUrls: "hxxp://www.chrome.com/"
    CHR DefaultSearchKeyword: maxwebsearch.com_
    CHR DefaultNewTabURL:
    CHR Extension: (Google Drive) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-09]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
    CHR Extension: (WOT) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2014-07-13]
    CHR Extension: (YouTube) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-08]
    CHR Extension: (Google Search) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-08]
    CHR Extension: (Google News) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\dllkocilcinkggkchnjgegijklcililc [2014-07-08]
    CHR Extension: (NYTimes) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecmphppfkcfflgglcokcbdkofpfegoel [2014-07-08]
    CHR Extension: (Picasa) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\eghpfmmnfdgagepippghcmpcceacbgjn [2014-05-09]
    CHR Extension: (Google Calendar) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2014-07-08]
    CHR Extension: (Google Finance) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcgckldmmjdbpdejkclmfnnnehhocbfp [2014-07-08]
    CHR Extension: (News Today, Major Newspapers) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\joacmnheokpeibjlgbhjhgajocokiogk [2014-07-08]
    CHR Extension: (Google Maps) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2014-07-08]
    CHR Extension: (Boomerang for Gmail) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdanidgdpmkimeiiojknlnekblgmpdll [2014-07-08]
    CHR Extension: (Google Wallet) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-09]
    CHR Extension: (Readability) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\oknpjjbmpnndlpmnhmekjpocelpnlfdi [2014-07-08]
    CHR Extension: (Evernote Web Clipper) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc [2014-07-08]
    CHR Extension: (Gmail) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-08]
    CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-05]
    CHR HKLM-x32\...\Chrome\Extension: [eghpfmmnfdgagepippghcmpcceacbgjn] - C:\Users\Ed\AppData\LocalLow\Picasa\CHROME\Picasa.crx [2011-09-02]

    ==================== Services (Whitelisted) =================

    R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3241488 2014-06-27] (AVG Technologies CZ, s.r.o.)
    R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [289328 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R2 pcmaxservice; C:\Program Files\pcmax\pcmax.exe [241344 2014-05-29] ()
    R2 PicasaUpdater; C:\Users\Ed\AppData\LocalLow\Picasa\IE\PicasaUpdater.exe [18432 2011-09-02] () [File not signed]
    S2 SrvUpdater; C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe [56832 2014-07-12] () [File not signed]

    ==================== Drivers (Whitelisted) ====================

    R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [242968 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [235800 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [328984 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [269080 2014-06-17] (AVG Technologies CZ, s.r.o.)
    R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
    S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
    S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-02-15] (Apple, Inc.) [File not signed]
    R3 VX6000; C:\Windows\System32\DRIVERS\VX6000Xp.sys [2143600 2010-05-20] (Microsoft Corporation)
    U3 aswMBR; \??\C:\Users\Ed\AppData\Local\Temp\aswMBR.sys [X]
    U3 aswVmm; \??\C:\Users\Ed\AppData\Local\Temp\aswVmm.sys [X]

    ==================== NetSvcs (Whitelisted) ===================
    Last edited by tashi; 2014-07-23 at 23:06. Reason: Merged posts, removed my response.

  2. #2
    Juliet, Security Expert (Join Date: Feb 2007, Location: Deep South, Posts: 3,974)

    Let's continue here.....

    The script I have created below will reboot your computer, please don't be alarmed.

    Open notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select copy.
    Paste this into the open notepad. Save it to the Desktop as fixlist.txt.
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

    start
    C:\Program Files\pcmax\pcmax.exe
    HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {1e0f0aee-f61e-11e3-987e-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {4a354431-3281-11e1-babf-38607782c50d} - P:\TL-Bootstrap.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {9eb904bd-8c3f-11e3-8ddd-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {d865dce6-2a9e-11e3-b0c7-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
    SearchScopes: HKCU - DefaultScope {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    Toolbar: HKCU - No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - No File
    FF Extension: RightSurf - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi [2014-01-24]
    CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=
    CHR DefaultSearchKeyword: maxwebsearch.com_
    CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-05]
    R2 pcmaxservice; C:\Program Files\pcmax\pcmax.exe [241344 2014-05-29] ()
    S2 SrvUpdater; C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe [56832 2014-07-12] () [File not signed]
    Reboot:
    end
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,974

    Also, we need this

    AdwCleaner by Xplode

    Click on this link to download : ADWCleaner
    Click on ONE of the two blue Download Now buttons that have a blue arrow beside them and save it to your desktop.

    Do not click on any links in the top Advertisement.


    Close all open windows and browsers.


    • Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

      *****


    • Click the Scan button and wait for the scan to finish.

    • After the Scan has finished the window may or may not show what it found and above the progress bar you will see Pending. Please uncheck elements you don't want to remove.
      NEXT click on CLEAN
    • Click the Report button to get the log
    • Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner.txt.
    • Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.
    • NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


    *********************

    Download Malwarebytes' Anti-Malware to your desktop.

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
    • On the Dashboard click on Update Now
    • Go to the Settings tab
    • Under Settings go to Detection and Protection
    • Under PUP and PUM make sure both are set to Treat Detections as Malware
    • Go to Advanced settings and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • When the scan is finished and the log pops up...select Copy to Clipboard
    • Please paste the log back into this thread for review
    • Exit Malwarebytes


    ***************************************

    Please post these 2 logs when done.

  4. #4
    Member
    Join Date
    Jul 2014
    Posts
    30

    Excuse my ignorance

    Quote Originally Posted by Juliet View Post
    Let's continue here.....

    The script I have created below will reboot your computer, please don't be alarmed.

    Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)



    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    Juliet,
    Thank you for jumping in. I have the fixit.txt on the desktop. I have the "shortcut" for FRST next to it on the desktop but when I click scan, it tells me they are not in the same location. Help and thanks

  5. #5
    Member
    Join Date
    Jul 2014
    Posts
    30

    Quote Originally Posted by ebb124 View Post
    Juliet,
    Thank you for jumping in. I have the fixit.txt on the desktop. I have the "shortcut" for FRST next to it on the desktop but when I click scan, it tells me they are not in the same location. Help and thanks
    sorry, when I click "fix"

  6. #6
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,974

    Running from C:\Users\Ed\Downloads
    FRST isn't on desktop so they are not in the same location.


    Let's try this
    Go to an open spot on your desktop, right click and a little window will open
    move your mouse down to NEW and hover over that, another window will open and you'll see Folder and click on that.
    now hit the backspace button to clear it out so you can type in FRST, then hit enter.

    Go to your downloads folder, locate FRST, right click and select cut
    Now go to the newly created folder FRST, right click and select paste. This will place the tool into its own folder.

    Now, go back to the script I created, take your mouse and drag it to that folder.
    Open the folder and you should see both in there now. open the FRST tool and click on the FIX button.

    If this doesn't work let me know which browser you used to download it from so we can set it to place downloads on desktop.

  7. #7
    Member
    Join Date
    Jul 2014
    Posts
    30

    Quote Originally Posted by Juliet View Post
    Running from C:\Users\Ed\Downloads
    FRST isn't on desktop so they are not in the same location.


    Let's try this
    Go to an open spot on your desktop, right click and a little window will open
    move your mouse down to NEW and hover over that, another window will open and you'll see Folder and click on that.
    now hit the backspace button to clear it out so you can type in FRST, then hit enter.

    Go to your downloads folder, locate FRST, right click and select cut
    Now go to the newly created folder FRST, right click and select paste. This will place the tool into its own folder.

    Now, go back to the script I created, take your mouse and drag it to that folder.
    Open the folder and you should see both in there now. open the FRST tool and click on the FIX button.

    If this doesn't work let me know which browser you used to download it from so we can set it to place downloads on desktop.
    # AdwCleaner v3.216 - Report created 25/07/2014 at 13:07:17
    # Updated 17/07/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : Ed - ED-PC
    # Running from : C:\Users\Ed\Downloads\adwcleaner_3.216.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\Program Files (x86)\SoftwareUpdater
    Folder Deleted : C:\Program Files (x86)\WSE Rocket
    Folder Deleted : C:\Users\Ed\AppData\Local\Rocket
    Folder Deleted : C:\Users\Ed\AppData\Roaming\DriverCure
    Folder Deleted : C:\Users\Ed\AppData\Roaming\RocketUpdater
    Folder Deleted : C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rocket
    Folder Deleted : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\staged\{ecaa9181-d92a-47b9-8e14-bef9680f204b}
    File Deleted : C:\Users\Ed\Desktop\Uninstall.exe
    File Deleted : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\searchplugins\WSE Rocket.xml
    File Deleted : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\user.js
    File Deleted : C:\Windows\System32\Tasks\Rocket Updater

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
    Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
    Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
    Key Deleted : HKCU\Software\BrowserSafeguardInstalled
    Key Deleted : HKCU\Software\InstallCore
    Key Deleted : HKCU\Software\Rocket Browser
    Key Deleted : HKCU\Software\RocketUpdater
    Key Deleted : HKCU\Software\WSE Rocket
    Key Deleted : HKLM\Software\InstallCore
    Key Deleted : HKLM\Software\SoftwareUpdater
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdater
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSE Rocket

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17207

    Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

    -\\ Mozilla Firefox v29.0.1 (en-US)

    [ File : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\prefs.js ]

    Line Deleted : user_pref("browser.startup.homepage", "hxxp://rocket-find.com/?f=1&a=rckt_app_14_30_ch&cd=2XzuyEtN2Y1L1QzuyByE0D0EtB0BzyyD0A0AzztCyC0E0DtAtN0D0Tzu0SzytAyBtN1L2XzutAtFtDtFtBtFtDtN1L1CzutCyEtBzytDyD1V1S[...]

    -\\ Google Chrome v36.0.1985.125

    [ File : C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\preferences ]

    Deleted [Search Provider] : hxxp://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzuyByE0D0EtB0BzyyD0A0AzztCyC0E0DtAtN0D0Tzu0SyByDtAtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtBtDtC1N1R&cr=589237676&ir=
    Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
    Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN19100988751793931&ctid=CT3279414&UM=2
    Deleted [Search Provider] : hxxp://search.babylon.com/?q={searchTerms}&AF=100486&babsrc=SP_ss&mntrId=9ef66ed300000000000074de2b95aa80
    Deleted [Search Provider] : hxxp://dts.search-results.com/sr?src=crb&appid=362&systemid=406&sr=0&q={searchTerms}
    Deleted [Search Provider] : hxxp://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    Deleted [Search Provider] : hxxp://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80197&lng=en
    Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
    Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=ME14FF9FD-B8FD-46E3-ACC1-6E85C174E6C8&SearchSource=58&CUI=&UM=2&UP=SPA7C31A57-F805-4C45-8B9D-68710E54C18D&q={searchTerms}&SSPV=
    Deleted [Search Provider] : hxxp://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    Deleted [Homepage] : hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=

    *************************

    AdwCleaner[R0].txt - [13875 octets] - [26/06/2014 21:42:16]
    AdwCleaner[R1].txt - [4574 octets] - [25/07/2014 13:05:15]
    AdwCleaner[S0].txt - [15138 octets] - [26/06/2014 21:43:52]
    AdwCleaner[S1].txt - [5275 octets] - [25/07/2014 13:07:17]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5335 octets] ##########
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-07-2014 01
    Ran by Ed at 2014-07-25 12:00:12 Run:1
    Running from C:\Users\Ed\Desktop
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    C:\Program Files\pcmax\pcmax.exe
    HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {1e0f0aee-f61e-11e3-987e-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {4a354431-3281-11e1-babf-38607782c50d} - P:\TL-Bootstrap.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {9eb904bd-8c3f-11e3-8ddd-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\...\MountPoints2: {d865dce6-2a9e-11e3-b0c7-38607782c50d} - E:\VZW_Software_upgrade_assistant.exe
    ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
    ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
    SearchScopes: HKCU - DefaultScope {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    SearchScopes: HKCU - {A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501&uid=eac4d236-fb20-420c-bbb0-f52c47a1234d&i_id=websearchy-maxweb&subid=
    Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    Toolbar: HKCU - No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - No File
    FF Extension: RightSurf - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi [2014-01-24]
    CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV=
    CHR DefaultSearchKeyword: maxwebsearch.com_
    CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-05]
    R2 pcmaxservice; C:\Program Files\pcmax\pcmax.exe [241344 2014-05-29] ()
    S2 SrvUpdater; C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe [56832 2014-07-12] () [File not signed]
    Reboot:

    *****************

    C:\Program Files\pcmax\pcmax.exe => Moved successfully.
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
    HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
    "HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-2439400091-1958991913-3167676542-1000" => Key not found.
    "HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e0f0aee-f61e-11e3-987e-38607782c50d}" => Key deleted successfully.
    "HKCR\CLSID\{1e0f0aee-f61e-11e3-987e-38607782c50d}" => Key not found.
    "HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a354431-3281-11e1-babf-38607782c50d}" => Key deleted successfully.
    "HKCR\CLSID\{4a354431-3281-11e1-babf-38607782c50d}" => Key not found.
    "HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9eb904bd-8c3f-11e3-8ddd-38607782c50d}" => Key deleted successfully.
    "HKCR\CLSID\{9eb904bd-8c3f-11e3-8ddd-38607782c50d}" => Key not found.
    "HKU\S-1-5-21-2439400091-1958991913-3167676542-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d865dce6-2a9e-11e3-b0c7-38607782c50d}" => Key deleted successfully.
    "HKCR\CLSID\{d865dce6-2a9e-11e3-b0c7-38607782c50d}" => Key not found.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => Key deleted successfully.
    "HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => Key deleted successfully.
    "HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => Key deleted successfully.
    "HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => Key deleted successfully.
    "HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    "HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
    "HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
    "HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2ECA7E60-EA21-4D1E-B3A5-3C888283B599}" => Key deleted successfully.
    "HKCR\CLSID\{2ECA7E60-EA21-4D1E-B3A5-3C888283B599}" => Key not found.
    "HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
    "HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
    "HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0}" => Key deleted successfully.
    "HKCR\CLSID\{A7FABC4D-4D86-4FE8-A9E1-417AFE2209A0}" => Key not found.
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
    "HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} => value deleted successfully.
    "HKCR\CLSID\{25E2E5C9-C43C-4EE8-B23E-4383915F2BCE}" => Key not found.
    C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\3071iady.default\Extensions\{b9a19c25-a741-47e5-91a2-0b62bef307ff}.xpi => Moved successfully.
    CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3324416&octid=EB_ORIGINAL_CTID&ISID=MA0E1EC7E-5EA3-461B-96CC-6312F10294D2&SearchSource=55&CUI=&UM=2&UP=SP948C915C-8A0C-4F11-9B15-E7C00AB3D423&SSPV= ==> The Chrome "Settings" can be used to fix the entry.
    CHR DefaultSearchKeyword: maxwebsearch.com_ ==> The Chrome "Settings" can be used to fix the entry.
    "HKCU\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf" => Key deleted successfully.
    C:\Users\Ed\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx => Moved successfully.
    pcmaxservice => Service stopped successfully.
    pcmaxservice => Service deleted successfully.
    SrvUpdater => Service deleted successfully.


    The system needed a reboot.

    ==== End of Fixlog ====

    Malwarebytes downloaded fine but when I try to open it, I get a message "Malwarebytes has stopped working". I was getting this before which suggested to me I had an infection.
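The fixlist Juliet posted earlier in the thread and the Fixlog FRST produced from it are two halves of one record: what was asked to be removed, and what actually happened to each item. The Python below is an added example, not FRST's or the forum's own code. It classifies fixlist lines by the persistence location they name (Run values, MountPoints2 volume autoruns, orphaned shell-extension CLSIDs, Internet Explorer search scopes and toolbars, Chrome/Firefox settings, services) and flags the warning signs visible in the listing itself ("No File", "[File not signed]", the host every search scope was pointed at). It then reconciles Fixlog result lines so that anything FRST deferred to the user, here the Chrome homepage and search entries that the log says must be fixed in the Chrome settings, is listed for manual follow-up. The sample lines are constructed in the shape of the log lines on this page; the SID in them is a placeholder.

```python
"""Triage of FRST fixlist entries and Fixlog outcomes.

Added example, not FRST's own code: classifies fixlist lines by persistence
location and reconciles Fixlog outcomes so deferred items are not forgotten.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Order matters: the first pattern that matches decides the kind.
FIXLIST_KINDS = [
    (re.compile(r"^[A-Za-z]:\\"), "file"),                 # bare path: file to move
    (re.compile(r"\\\.\.\.\\Run:"), "autorun"),             # HKLM/HKU ...\Run values
    (re.compile(r"MountPoints2"), "mountpoint"),            # autorun tied to a volume
    (re.compile(r"^ShellIconOverlayIdentifiers"), "shell-extension"),
    (re.compile(r"^(SearchScopes|Toolbar):"), "ie-browser"),
    (re.compile(r"^(CHR|FF) "), "browser"),                 # Chrome / Firefox settings
    (re.compile(r"^[RS]\d+ "), "service"),                  # R2/S2 service lines
    (re.compile(r"^Reboot:"), "directive"),
]

# Constructed sample in the shape of the fixlist on this page; SID is a placeholder.
SAMPLE_FIXLIST = r"""
C:\Program Files\pcmax\pcmax.exe
HKLM\...\Run: [pcreg] => C:\Program Files\pcmax\service.exe [79088 2014-05-29] ()
HKU\S-1-5-21-EXAMPLE-1000\...\MountPoints2: E - E:\VZW_Software_upgrade_assistant.exe
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
SearchScopes: HKCU - DefaultScope {2ECA7E60-EA21-4D1E-B3A5-3C888283B599} URL = http://www.maxwebsearch.com/s?query={searchTerms}&uc=20140501
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
CHR DefaultSearchKeyword: maxwebsearch.com_
S2 SrvUpdater; C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe [56832 2014-07-12] () [File not signed]
Reboot:
"""

# Constructed sample in the shape of the Fixlog on this page; SID is a placeholder.
SAMPLE_FIXLOG = r"""
C:\Program Files\pcmax\pcmax.exe => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
"HKU\S-1-5-21-EXAMPLE-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-EXAMPLE-1000" => Key not found.
"HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
CHR DefaultSearchKeyword: maxwebsearch.com_ ==> The Chrome "Settings" can be used to fix the entry.
pcmaxservice => Service stopped successfully.
pcmaxservice => Service deleted successfully.
"""


def classify_fixlist_entry(line):
    """Return (kind, flags) for one fixlist line."""
    kind = next((k for rx, k in FIXLIST_KINDS if rx.search(line)), "unknown")
    flags = []
    if "=> No File" in line or line.endswith("- No File"):
        flags.append("orphan")      # registry still points at a file that is gone
    if "[File not signed]" in line:
        flags.append("unsigned")    # service binary carries no Authenticode signature
    m = re.search(r"URL = (\S+)", line)
    if m:
        flags.append("host:" + urlparse(m.group(1)).netloc)  # where searches went
    return kind, flags


def summarize_fixlist(text):
    """Count entry kinds and collect the entries that carry a warning flag."""
    counts = Counter()
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, flags = classify_fixlist_entry(line)
        counts[kind] += 1
        if flags:
            flagged.append((line, flags))
    return counts, flagged


# "<target> => <outcome>" or "<target> ==> <outcome>" (the latter is FRST's deferral form)
FIXLOG_LINE = re.compile(r"^(?P<target>.*?)\s+=+>\s+(?P<outcome>.+)$")


def classify_fixlog_outcome(outcome):
    """Map FRST's free-text outcome to one of: removed, not_found, manual, other."""
    o = outcome.lower()
    if "can be used to fix" in o:
        return "manual"        # FRST declined; browser settings must be reset by hand
    if "not found" in o:
        return "not_found"     # already gone, or the fixlist named a key that never existed
    if "successfully" in o:
        return "removed"
    return "other"


def summarize_fixlog(text):
    """Count outcomes and return the targets that still need manual follow-up."""
    counts = Counter()
    manual = []
    for raw in text.splitlines():
        m = FIXLOG_LINE.match(raw.strip())
        if not m:
            continue
        result = classify_fixlog_outcome(m.group("outcome"))
        counts[result] += 1
        if result == "manual":
            manual.append(m.group("target"))
    return counts, manual


if __name__ == "__main__":
    kinds, flagged = summarize_fixlist(SAMPLE_FIXLIST)
    print("fixlist kinds:", dict(kinds))
    for line, flags in flagged:
        print("  flagged", flags, line[:60])
    outcomes, manual = summarize_fixlog(SAMPLE_FIXLOG)
    print("fixlog outcomes:", dict(outcomes))
    print("manual follow-up:", manual)
```

Run against a real Fixlog.txt by passing its contents to summarize_fixlog; the "manual" list is the set of items the next step of the cleanup (here, resetting the browsers) must cover, and "not_found" entries are worth a second look because they mean the fixlist named a key FRST could not locate.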

  8. #8
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,974

    MBAM is just too testy!
    Sometimes it's your onboard antivirus interfering.



    We need to reset your browsers .....to completely remove some of the infection.

    Reset browsers


    Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
    If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

    Internet Explorer
    How to reset Internet Explorer settings

    Firefox
    Click on Help / Troubleshooting Information then click on the Reset Firefox button.

    Chrome
    Chrome - Reset browser settings


    ************************
    Please Run TFC by OldTimer to clear temporary files:

    Download TFC from here http://oldtimer.geekstogo.com/TFC.exe
    and save it to your desktop.

    Close any open programs and Internet browsers.
    Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
    Please be patient as clearing out temp files may take a while.
    Once it completes you may be prompted to restart your computer, please do so.
    Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

    *****

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    Please post this log when done.

    How is your computer now?

  9. #9
    Member
    Join Date
    Jul 2014
    Posts
    30

    Response from ebb12

    I followed all your directions to the best of my ability. You were very clear at all times, however, I wasn't able to paste all the tools to the Desktop so I just opened them. You see the logs. Also I'm not sure I ran them as administrator but since I am the A, I guess it happened.
    Did I get rid of ZUSY?
    Are we finished?
    I am very appreciative of your time, patience, and knowledge.
    Will I be able to use malwarebytes?
    ebb124

    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.4 (04.06.2014:1)
    OS: Windows 7 Home Premium x64
    Ran by Ed on Fri 07/25/2014 at 16:27:22.34
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\sparktrust
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sparktrust
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\boostsoftware



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\ProgramData\sparktrust"
    Successfully deleted: [Folder] "C:\Users\Ed\AppData\Roaming\sparktrust"
    Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
    Successfully deleted: [Empty Folder] C:\Users\Ed\appdata\local\{02E43E00-80B9-44FB-A95D-FB3759CA27DC}
    Successfully deleted: [Empty Folder] C:\Users\Ed\appdata\local\{0DB8BC39-7603-403E-94A2-A8027FEF6A78}
    Successfully deleted: [Empty Folder] C:\Users\Ed\appdata\local\{169CD2A2-280F-492F-963C-2B9EC3AE300C}



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Fri 07/25/2014 at 16:32:34.38
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Last edited by Juliet; 2014-07-25 at 23:41.

  10. #10
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,974

    Did I get rid of ZUSY?
    How is your computer now? are you getting any alerts or error messages?
    Are we finished?
    We are close now. One more scan or two to check for remnants.

    Will I be able to use malwarebytes?
    What we can try, drop into safe mode and try to run it again, disable your antivirus.

    http://www.bleepingcomputer.com/foru...ware-programs/


    What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course how full your computer is.


    Go here to run an online scanner from ESET.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • When the scan completes, press the LIST OF THREATS FOUND button
    • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
    • Include the contents of this report in your next reply.
    • Press the BACK button.
    • Press Finish
