Removal of s.yimg.com

Status
Not open for further replies.
Hi Juliet, I have no idea what C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe is, and Google is no help either. Now for the FRST scans: I have them on the desktop. I managed to make fixlist.txt, which I found in Documents, and have made a shortcut to the desktop, but I'm lost on how to "Fix". You mention a quote box, but I'm sorry, I don't understand what you mean. Sorry.

Copy and paste the below (beginning with "start") into Notepad and save it to the Desktop as fixlist.txt.
Both should be on the desktop; then open Farbar Recovery Scan Tool, look for and click on the FIX button, and it should carry out the script that was created.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
[image: FRSTfix.JPG]



start
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
BHO: Expat Shield Class -> {3706EE7C-3CAD-445D-8A43-03EBC3B75908} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-4116000945-235673462-3313673197-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-4116000945-235673462-3313673197-1000 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\MapShare-status@tomtom.com [not found]
CHR HKU\S-1-5-21-4116000945-235673462-3313673197-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Nigel\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx <not found>
C:\ProgramData\fontcacheev1.dat
Task: {0AD379C5-5504-43E6-A142-8F50E0E3D24C} - System32\Tasks\{4BE954A3-3C41-4AB0-AC89-E19A30EB9F15} => pcalua.exe -a "C:\Program Files\Hola\app\hola_setup.exe" -c --remove-hola --no-rmt-conf --hola-cr
Task: {0F0DC27D-9F40-4E52-8BF2-2AA4C8A4BDAD} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {1383606C-BC21-4B80-98A7-C5E01E568454} - \{49E65517-C6FF-4662-926A-722036CEACED} -> No File <==== ATTENTION
Task: {17B7ADFC-F0C7-4A13-A09F-26840081CD9A} - System32\Tasks\{FCA8B98D-7B6E-4847-AA86-EAD1A463EB8F} => pcalua.exe -a "C:\Program Files\Hola\app\hola_setup.exe" -c --remove-hola --no-rmt-conf --hola-cr
Task: {1DB3DD4E-A51F-4B7C-98D8-31843575334C} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {2C08F93E-4D64-4926-9F70-779510E5F131} - \{3BCAB8DD-A9A8-467A-9DF8-252117296EF5} -> No File <==== ATTENTION
Task: {3C9B9881-3C6A-4575-A3FB-5ABCF44C3A4B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {57759F43-E8BD-403C-B4E9-04221655B39B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {5AD5A731-ACC5-4A85-BB0E-E14B5EB5BC40} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {8951E175-2CFB-4385-AED6-C503308B4852} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {8B3EDE07-409A-4578-962A-7B68D3E4CDFC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {AA191788-5067-4364-8E02-D592A650CB85} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {AB7F661F-4B3B-403F-BD46-B7B14F74B4AD} - System32\Tasks\{BB7CBED7-C704-4865-80F9-D7034E5EB1CE} => pcalua.exe -a C:\Users\Nigel\AppData\Roaming\webssearches\UninstallManager.exe -c -ptid=slbnew <==== ATTENTION
Task: {AB8D459A-9DF3-4165-8B86-405730A3E3AF} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {ABD943F4-1266-443F-BF02-653F006F58C1} - \{5E281035-07E3-4953-9823-2E84881987F6} -> No File <==== ATTENTION
Task: {B6F5E4F0-B8F9-44BB-BD67-0478C4EB57C5} - \{02776CF1-FDD5-44F5-8243-916C10FDFA96} -> No File <==== ATTENTION
Task: {E33473C9-4870-4013-BE3E-6C5A0F72E8E9} - \{2413066B-5A68-422E-B866-0F489CA77B20} -> No File <==== ATTENTION
Task: {EE0EBC6F-4E44-49CC-A1FE-89A2B2C21B68} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {FC449D2B-AB91-463F-925F-EB33227FBD07} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Telstra USB+Wi-Fi.lnk -> C:\Program Files (x86)\Hostless Modem\Telstra USB+Wi-Fi\LaunchWebUI.exe () -> hxxp://m.home
AlternateDataStreams: C:\ProgramData\Temp:1D32EC29 [129]
AlternateDataStreams: C:\ProgramData\Temp:373E1720 [118]
AlternateDataStreams: C:\ProgramData\Temp:93DE1838 [133]
IE trusted site: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\...\hola.org -> hxxp://hola.org
EmptyTemp:
Hosts:
End

~~
Please go to one of the below sites to scan the following file:
Virus Total (Recommended)
jotti.org
VirScan
Click on Browse and upload the following file for analysis:

C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe


Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says it has already been scanned, click "Reanalyze now".
Please post the results in your next reply.
 
OK, so now I have FRST64.exe and fixlist.txt both on the desktop; when I go to "Fix" on the tool it says it can't find fixlist.txt.
 
Hi Juliet, I have no idea what C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe is, and Google is no help either. Now for the FRST scans: I have them on the desktop. I managed to make fixlist.txt, which I found in Documents, and have made a shortcut to the desktop, but I'm lost on how to "Fix". You mention a quote box, but I'm sorry, I don't understand what you mean. Sorry.
This might be the problem.

When you located FRST in your Downloads folder, did you right-click on it and use the Send To Desktop option?
If that's the case it won't work.

When you copied and pasted the fixlist I created, it should not have gone to Documents; it should have been saved to the Desktop.


- Save ALL Tools to your Desktop-

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.


[image: Chrome.JPG]
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right corner of the browser.
[image: Settings.JPG]
Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
[image: Firefox.JPG]
Mozilla Firefox - Click the "Open Menu" button in the upper right corner of the browser.
[image: Settings.JPG]
Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.



If you want, we can put that on hold for a bit.

Please do have C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe scanned at Virus Total as previously requested.

Also, please run the AdwCleaner and JRT tools.
 
No, the FRST setup does not appear as in the picture.

VirusTotal
File not found

The file you are looking for is not in our database.

There appears to be no record of a file C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe on my laptop, as I tried Jotti.org and VirScan (they asked for a file and there was none to be found).

# AdwCleaner v6.040 - Logfile created 12/12/2016 at 08:55:39
# Updated on 02/12/2016 by Malwarebytes
# Database : 2016-12-11.2 [Server]
# Operating System : Windows 10 Home (X64)
# Username : Nigel - AVRILANDNIGENOT
# Running from : C:\Users\Nigel\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Users\Nigel\AppData\Local\Hola
[-] Folder deleted: C:\Users\Nigel\AppData\LocalLow\Simple Adblock
[-] Folder deleted: C:\Users\Nigel\AppData\Roaming\Hola
[-] Folder deleted: C:\Program Files\Hola
[-] Folder deleted: C:\Program Files\Enigma Software Group
[-] Folder deleted: C:\extensions


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****

[-] Task deleted: {BB7CBED7-C704-4865-80F9-D7034E5EB1CE}


***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ExpatSrv
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ExpatSrv
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ExpatWd
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\ExpatWd
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key deleted: HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{7375D127-3955-4654-8E7D-1949A7A9C902}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{F5A29F21-B121-48A0-A317-737AF8BB106A}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
[-] Key deleted: HKU\.DEFAULT\Software\Hola
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\eSupport.com
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\Hola
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\Microsoft\Tinstalls
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\UpdateStar
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\Yahoo\Companion
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\Yahoo\YFriendsBar
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\AppDataLow\Software\Tbccint
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\AppDataLow\Software\TbccintSearchScopes
[-] Key deleted: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\Software\AppDataLow\Software\Yahoo\Companion
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4116000945-235673462-3313673197-1000\Software\ExpatShield
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Hola
[#] Key deleted on reboot: HKCU\Software\eSupport.com
[#] Key deleted on reboot: HKCU\Software\Hola
[#] Key deleted on reboot: HKCU\Software\Microsoft\Tinstalls
[#] Key deleted on reboot: HKCU\Software\UpdateStar
[#] Key deleted on reboot: HKCU\Software\Yahoo\Companion
[#] Key deleted on reboot: HKCU\Software\Yahoo\YFriendsBar
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Tbccint
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\TbccintSearchScopes
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key deleted: HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key deleted: HKLM\SOFTWARE\Yahoo\Companion
[-] Key deleted: HKLM\SOFTWARE\MaxPower
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4116000945-235673462-3313673197-1000\Software\ExpatShield
[#] Key deleted on reboot: [x64] HKCU\Software\eSupport.com
[#] Key deleted on reboot: [x64] HKCU\Software\Hola
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Tinstalls
[#] Key deleted on reboot: [x64] HKCU\Software\UpdateStar
[#] Key deleted on reboot: [x64] HKCU\Software\Yahoo\Companion
[#] Key deleted on reboot: [x64] HKCU\Software\Yahoo\YFriendsBar
[#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\Tbccint
[#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\TbccintSearchScopes
[#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key deleted: [x64] HKLM\SOFTWARE\Hola
[-] Key deleted: [x64] HKLM\SOFTWARE\EnigmaSoftwareGroup
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\st.chatango.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\st.chatango.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\st.chatango.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\st.chatango.com
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [hola]
[-] Key deleted: HKCU\Software\MozillaPlugins\@hola.org/FlashPlayer
[-] Key deleted: HKCU\Software\MozillaPlugins\@hola.org/vlc
[-] Key deleted: HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
[#] Key deleted on reboot: [x64] HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd


***** [ Web browsers ] *****

[-] [C:\Users\Nigel\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: mysearch.avg.com
[-] [C:\Users\Nigel\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.yahoo.com
[-] [C:\Users\Nigel\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.conduit.com
[-] [C:\Users\Nigel\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: us.yhs4.search.yahoo.com
[-] [C:\Users\Nigel\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: sweet-page.com
[-] [C:\Users\Nigel\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: sweet-page
[-] [C:\Users\Nigel\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: fcfenmboojpjinhpgggodefccipikbpd


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [7528 Bytes] - [12/12/2016 08:55:39]
C:\AdwCleaner\AdwCleaner[S0].txt - [7472 Bytes] - [11/12/2016 11:53:17]
C:\AdwCleaner\AdwCleaner[S1].txt - [7272 Bytes] - [12/12/2016 08:51:06]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [7747 Bytes] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 10 Home x64
Ran by Nigel (Administrator) on 12-Dec-16 at 9:24:49.80
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 12-Dec-16 at 9:34:39.29
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
There appears to be no record of a file C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe on my laptop as
It was listed as a task. Possibly the related files/folders for this are gone, but if we can get FRST to run we can take it out.
Task: {1AF5BABE-EAFF-41AC-BB6C-4B8E94219134} - System32\Tasks\Puohxiilsri => C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe


No the FRST set up does not appear as in the picture
We'll start this over.

- Save ALL Tools to your Desktop-

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.


[image: Chrome.JPG]
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right corner of the browser.
[image: Settings.JPG]
Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
[image: Firefox.JPG]
Mozilla Firefox - Click the "Open Menu" button in the upper right corner of the browser.
[image: Settings.JPG]
Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

~~

Navigate to your downloads folder
C:\Users\Nigel\Downloads, locate Farbar Recovery Scan Tool, right click on that and select delete.

With the browser set to download to desktop we can continue.

Now, we'll just download a fresh version and run the FIX tool.

Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
Once it's on the desktop, don't run the tool; we'll just direct the FIX to run the tool.




Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right-click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


[image: FRSTfix.JPG]



start
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
BHO: Expat Shield Class -> {3706EE7C-3CAD-445D-8A43-03EBC3B75908} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-4116000945-235673462-3313673197-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-4116000945-235673462-3313673197-1000 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
FF Extension: (No Name) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\MapShare-status@tomtom.com [not found]
CHR HKU\S-1-5-21-4116000945-235673462-3313673197-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Nigel\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx <not found>
C:\ProgramData\fontcacheev1.dat
Task: {0AD379C5-5504-43E6-A142-8F50E0E3D24C} - System32\Tasks\{4BE954A3-3C41-4AB0-AC89-E19A30EB9F15} => pcalua.exe -a "C:\Program Files\Hola\app\hola_setup.exe" -c --remove-hola --no-rmt-conf --hola-cr
Task: {0F0DC27D-9F40-4E52-8BF2-2AA4C8A4BDAD} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {1383606C-BC21-4B80-98A7-C5E01E568454} - \{49E65517-C6FF-4662-926A-722036CEACED} -> No File <==== ATTENTION
Task: {17B7ADFC-F0C7-4A13-A09F-26840081CD9A} - System32\Tasks\{FCA8B98D-7B6E-4847-AA86-EAD1A463EB8F} => pcalua.exe -a "C:\Program Files\Hola\app\hola_setup.exe" -c --remove-hola --no-rmt-conf --hola-cr
Task: {1DB3DD4E-A51F-4B7C-98D8-31843575334C} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {2C08F93E-4D64-4926-9F70-779510E5F131} - \{3BCAB8DD-A9A8-467A-9DF8-252117296EF5} -> No File <==== ATTENTION
Task: {3C9B9881-3C6A-4575-A3FB-5ABCF44C3A4B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {57759F43-E8BD-403C-B4E9-04221655B39B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {5AD5A731-ACC5-4A85-BB0E-E14B5EB5BC40} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {8951E175-2CFB-4385-AED6-C503308B4852} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {8B3EDE07-409A-4578-962A-7B68D3E4CDFC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {AA191788-5067-4364-8E02-D592A650CB85} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {AB7F661F-4B3B-403F-BD46-B7B14F74B4AD} - System32\Tasks\{BB7CBED7-C704-4865-80F9-D7034E5EB1CE} => pcalua.exe -a C:\Users\Nigel\AppData\Roaming\webssearches\UninstallManager.exe -c -ptid=slbnew <==== ATTENTION
Task: {AB8D459A-9DF3-4165-8B86-405730A3E3AF} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {ABD943F4-1266-443F-BF02-653F006F58C1} - \{5E281035-07E3-4953-9823-2E84881987F6} -> No File <==== ATTENTION
Task: {B6F5E4F0-B8F9-44BB-BD67-0478C4EB57C5} - \{02776CF1-FDD5-44F5-8243-916C10FDFA96} -> No File <==== ATTENTION
Task: {E33473C9-4870-4013-BE3E-6C5A0F72E8E9} - \{2413066B-5A68-422E-B866-0F489CA77B20} -> No File <==== ATTENTION
Task: {EE0EBC6F-4E44-49CC-A1FE-89A2B2C21B68} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {FC449D2B-AB91-463F-925F-EB33227FBD07} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Telstra USB+Wi-Fi.lnk -> C:\Program Files (x86)\Hostless Modem\Telstra USB+Wi-Fi\LaunchWebUI.exe () -> hxxp://m.home
Task: {1AF5BABE-EAFF-41AC-BB6C-4B8E94219134} - System32\Tasks\Puohxiilsri => C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe
AlternateDataStreams: C:\ProgramData\Temp:1D32EC29 [129]
AlternateDataStreams: C:\ProgramData\Temp:373E1720 [118]
AlternateDataStreams: C:\ProgramData\Temp:93DE1838 [133]
IE trusted site: HKU\S-1-5-21-4116000945-235673462-3313673197-1000\...\hola.org -> hxxp://hola.org
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
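As an added illustration (not part of this thread, and not FRST's own code), here is a small Python triage helper for the Task: lines quoted in the script above. It separates orphaned entries (FRST's "No File", where nothing is left to run) from tasks that still point at an executable, flags targets under ProgramData, AppData or the Users tree (locations a standard user can write to, which is why the hanuxlin.exe entry is the one worth a VirusTotal check), and notes tasks routed through pcalua.exe. The sample lines are copied from this thread's script; the reason codes and the path heuristic are my own assumptions, not FRST output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: FRST "Task:" lines copied from the fix script in this thread,
# plus one non-Task line to show that the parser ignores it.
SAMPLE_LINES = r"""
Task: {1AF5BABE-EAFF-41AC-BB6C-4B8E94219134} - System32\Tasks\Puohxiilsri => C:\ProgramData\Puohxiilsri\1.0.4.1\hanuxlin.exe
Task: {0F0DC27D-9F40-4E52-8BF2-2AA4C8A4BDAD} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {AB7F661F-4B3B-403F-BD46-B7B14F74B4AD} - System32\Tasks\{BB7CBED7-C704-4865-80F9-D7034E5EB1CE} => pcalua.exe -a C:\Users\Nigel\AppData\Roaming\webssearches\UninstallManager.exe -c -ptid=slbnew <==== ATTENTION
Task: {0AD379C5-5504-43E6-A142-8F50E0E3D24C} - System32\Tasks\{4BE954A3-3C41-4AB0-AC89-E19A30EB9F15} => pcalua.exe -a "C:\Program Files\Hola\app\hola_setup.exe" -c --remove-hola --no-rmt-conf --hola-cr
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
"""

TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]{36})\} - (?P<rest>.+)$")
ATTENTION = " <==== ATTENTION"   # FRST's own marker on the line
NO_FILE = " -> No File"          # FRST's marker for a task whose target is missing


@dataclass
class TaskEntry:
    guid: str
    name: str
    command: Optional[str]  # None when FRST reported "No File"
    attention: bool


def parse_task(line: str) -> Optional[TaskEntry]:
    """Parse one FRST 'Task:' line; return None for any other line."""
    m = TASK_RE.match(line.rstrip())
    if not m:
        return None
    rest = m["rest"]
    attention = rest.endswith(ATTENTION)
    if attention:
        rest = rest[: -len(ATTENTION)]
    if rest.endswith(NO_FILE):
        return TaskEntry(m["guid"], rest[: -len(NO_FILE)], None, attention)
    name, sep, cmd = rest.partition(" => ")
    return TaskEntry(m["guid"], name, cmd if sep else "", attention)


def launch_target(command: str):
    """Return (via_pcalua, executable_path) for a task's command line."""
    via = False
    cmd = command.strip()
    if cmd.lower().startswith("pcalua.exe -a "):
        via = True   # Program Compatibility Assistant used as a launch proxy
        cmd = cmd[len("pcalua.exe -a "):]
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split(" ", 1)[0]
    return via, path


def is_user_writable(path: str) -> bool:
    """Heuristic (my assumption): locations a standard user can write to."""
    p = path.lower()
    return p.startswith("c:\\programdata\\") or "\\appdata\\" in p or "\\users\\" in p


def triage(entry: TaskEntry) -> List[str]:
    """Reason codes (my own labels) explaining why a task deserves a look."""
    if entry.command is None:
        return ["orphaned"]           # registration remains, target file is gone
    reasons = []
    via, path = launch_target(entry.command)
    if via:
        reasons.append("pcalua-proxy")
    if is_user_writable(path):
        reasons.append("user-writable-path")
    return reasons


def triage_report(text: str) -> Dict[str, List[str]]:
    """Map task GUID -> reason codes for every Task: line in an FRST excerpt."""
    report = {}
    for line in text.splitlines():
        entry = parse_task(line)
        if entry:
            report[entry.guid] = triage(entry)
    return report


if __name__ == "__main__":
    for guid, reasons in triage_report(SAMPLE_LINES).items():
        print(guid, reasons or ["nothing flagged"])
```

The orphaned GWX entries in the script are cleanup, not evidence of infection; the entry that still names an executable under C:\ProgramData is the one whose file should be hashed or uploaded, exactly as requested earlier in the thread.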
 
Juliet, all my Firefox downloads are and were as per your previous message, and the box is ticked to download to the desktop. Now I have deleted FRST64.exe and Fixlist.exe from C:\Users\Nigel\Downloads as you suggested, and have now got FRST64(1) on the desktop as you also suggested. Now when I click "Fix" on the tool I get the following message: "No fixlist.txt found. The fixlist.txt should be in the same folder/directory the tool is located".
 
It's possible the error is in the way Notepad was saved.

Let's move on


Please download Emsisoft Emergency Kit and save it to your desktop.
Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop.
  • Leave all settings as they are and click the Extract button at the bottom.
  • A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates.
  • Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options.
  • If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Malware Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and copy it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

Please post this log when finished.

How is your computer now?
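As an added example (not from this thread and not from the FRST author), the following Python check reproduces the conditions behind the "No fixlist.txt found" error discussed above: the file on the desktop being a shortcut rather than the real FRST/FRST64.exe, the script saved as fixlist.txt.txt (which Explorer displays as fixlist.txt when "Hide extensions for known file types" is on), the script saved from WordPad as RTF instead of plain text, and the script not beginning with "start". The directory, stub FRST64.exe and fixlist contents built in demo() are constructed; the problem codes are my own labels.

```python
from pathlib import Path
import tempfile
from typing import Dict, List


def check_fix_layout(folder) -> List[str]:
    """Return problem codes for a folder that should hold FRST and fixlist.txt.

    Codes (my own): tool-is-shortcut, no-tool, double-extension, no-fixlist,
    rtf-not-plain-text, missing-start.  An empty list means the layout is fine.
    """
    folder = Path(folder)
    problems: List[str] = []
    # Compare names case-insensitively, as Windows does.
    names = {p.name.lower(): p for p in folder.iterdir() if p.is_file()}

    tools = [n for n in names if n.startswith("frst") and n.endswith(".exe")]
    shortcuts = [n for n in names if n.startswith("frst") and n.endswith(".lnk")]
    if not tools:
        # "Send To > Desktop" creates a .lnk; the tool itself stays in Downloads.
        problems.append("tool-is-shortcut" if shortcuts else "no-tool")

    if "fixlist.txt.txt" in names:
        # Notepad appended .txt a second time; Explorer hides the real extension.
        problems.append("double-extension")

    fixlist = names.get("fixlist.txt")
    if fixlist is None:
        if "double-extension" not in problems:
            problems.append("no-fixlist")
        return problems

    head = fixlist.read_bytes()[:64]
    if head.startswith(b"{\\rtf"):
        # WordPad's default save format is RTF; FRST expects plain text.
        problems.append("rtf-not-plain-text")
        return problems

    text = fixlist.read_text(encoding="utf-8-sig", errors="replace")
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first.lower() != "start":
        problems.append("missing-start")   # the thread's script begins with "start"
    return problems


def demo() -> Dict[str, List[str]]:
    """Build three constructed desktop layouts and report on each."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        desk = Path(tmp)
        # 1) Broken: a shortcut instead of the tool, plus a doubled extension.
        (desk / "FRST64.exe - Shortcut.lnk").write_bytes(b"")
        (desk / "fixlist.txt.txt").write_text("start\nEmptyTemp:\nEnd\n")
        results["broken"] = check_fix_layout(desk)

        # 2) Fixed: real tool (stub bytes, constructed) beside fixlist.txt.
        (desk / "FRST64.exe - Shortcut.lnk").unlink()
        (desk / "FRST64.exe").write_bytes(b"MZ")
        (desk / "fixlist.txt.txt").rename(desk / "fixlist.txt")
        results["fixed"] = check_fix_layout(desk)

        # 3) Saved from WordPad: same name, but RTF content.
        (desk / "fixlist.txt").write_bytes(b"{\\rtf1\\ansi start\\par End}")
        results["wordpad"] = check_fix_layout(desk)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

On a real machine you would point check_fix_layout at the Desktop folder; the double-extension case is the one that is invisible in Explorer with default settings, which is why a listing with extensions shown (or a check like this) resolves it faster than re-downloading.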
 
Hi Juliet, Emsisoft does not appear to have found anything untoward.

Emsisoft Emergency Kit - Version 12.0
Last update: 13-Dec-16 9:04:47 AM
User account: AVRILANDNIGENOT\Nigel
Computer name: AVRILANDNIGENOT
OS version: Windows 10x64

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start: 13-Dec-16 9:06:41 AM

Scanned 36735
Found 0

Scan end: 13-Dec-16 10:33:19 AM
Scan time: 1:26:38
 
Sorry Juliet, I forgot to tell you how my laptop is performing. It's the same, with "Connected to s.yimg.com" still there in the bottom LH corner of Yahoo7; in fact it comes in on all pages with the word Yahoo in the title. What it does is slow the page trying to load, and when something finally appears it is incomplete and the wheel in the top LH corner never stops rotating.
 
If AdBlock were disabled, does it still try to load?
Remember, it is owned and operated by Yahoo (not malicious); using AdBlock stops this extension from completely loading.


If you have Zemana.AntiMalware on your computer, please delete it so we can get an updated version.

Download Zemana AntiMalware:
  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • open Zemana AntiMalware again and locate the latest report
  • please paste the contents into your reply.
========================
 
Juliet

You won't believe this, but it's working fine now on Firefox. I ran Zemana but it found nothing; then it became a pest and kept loading and running scans every time I logged on, so I uninstalled the program. But it was still present in Downloads, so I deleted them and noticed that Zemana was finally gone from my installed programs. What's happened I don't know and can't explain, but I have installed Adblock Ultimate and it's still working fine. I'll send this and go and check Chrome out, so will report later.
 
Juliet,

I have checked Chrome out, and when I went there it went to the Google.com page. When I went to change it to my homepage (Nine.com.au), there was a gear-shaped icon that said something had changed the settings, so I reset it to my preference (Nine.com.au) and now it's working fine.
 
Good golly, glad to hear that's over.

Let's remove tools and quarantine folders now.

  • Please download DelFix (or from here) and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
  • Activate UAC
  • Remove disinfection tools
  • Click the Run button.
  • This will remove the specialized tools we used to disinfect your system.
    Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + Delete).
**********************
 
Juliet,

Finally, the dreaded s.yimg.com has gone. I downloaded and ran DelFix, which cleaned up everything bar Emsisoft, so I deleted it manually. Now everything is back to normal.

Thank you so much for all your time and effort. May I wish you and Spybot a very Merry Christmas and a Happy New Year!
 
Glad to hear all is well with you, wishing you a Merry Christmas and a Happy New Year too. :present:
 
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.
 