Solved Began with Media Player 2.x and Pop Up Ads everywhere

mike0921

Level 1
Thread author
Verified
Jun 26, 2015
20
I thought I had solved my initial problem, but it came back. Saturday I used the MBAM technique, using MBAM and EEK in safe mode. I have these logs.

Then Sunday I used the "general" guide here to remove anything from my Windows computer. I ran scans with TDSSKiller, Rkill, MBAM, HitmanPro, RogueKiller, AdwCleaner, Junkware Removal Tool Utility, and Eset Online Scanner. I have all those logs. Found and quarantined or deleted hundreds of PUPs and cookies, and 11 (or 12) trojans. My machine ran really well at first but seems to be slowing down again whenever I have too much going on: multiple tabs, a Windows Explorer window open, or another program open...

It's a really old machine and one I just acquired so I have no history with it. I want to be sure that it is clean before I look at other issues which might be the cause.

So, just today, I ran scans with AdwCleaner, Frst, and aswMBR. Those logs are attached as requested.

The aswMBR window has buttons that look like they are still "hot": the STOP, SAVE LOG and EXIT buttons. The FIX and FIX MBR buttons are greyed out. It appears to be active still, though nothing is going on. It is stopped at the line:

Disk 0 Trace - called modules:

Is it pausing in the middle of something, do I need to push a button, or is it finished for your purposes? I uploaded the log that printed at this point. It is still open though. Let me know what to do with it.

And if you want any of the logs I ran prior to starting this thread.

Thanks, much, in advance.
 

Attachments

  • FRST_29-06-2015_16-49-27.txt
    73.9 KB · Views: 27
  • Addition_29-06-2015_16-49-27.txt
    30.9 KB · Views: 6
  • aswMBR log June 29.txt
    1.9 KB · Views: 5

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:
  • At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
  • Instructions I give to you are very simple and made for a complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
  • If during the process you run across anything that is not in my instructions, please stop and ask. If any tool runs for too long (a few hours), please stop and inform me.
  • I visit the forum several times a day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have a private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more, time to be removed completely, so bear this in mind and be patient.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  • Please attach all reports using the attachment button below. Doing this, you make it easier for me to analyze and fix your problem.

  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay for the repair.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.




Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.



Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, the logfile will open after it. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.
 

mike0921

Level 1
Thread author
Verified
Jun 26, 2015
20
1. I deleted MSE and installed AVG after I ran the programs instructed in your first post (between my post and your reply)
2. I believe the aswMBR log I posted is a faulty log. I have one time stamped 45 minutes later which is the log after aswMBR finished. My comment:

The aswMBR window has buttons that look like they are still "hot": the STOP, SAVE LOG and EXIT buttons. The FIX and FIX MBR buttons are greyed out. It appears to be active still, though nothing is going on. It is stopped at the line:

Disk 0 Trace - called modules:

Is it pausing in the middle of something, do I need to push a button, or is it finished for your purposes? I uploaded the log that printed at this point. It is still open though. Let me know what to do with it.

was made after I thought it finished. When I returned to my desktop, AswMBR had the rest of the scan finished. I just didn't know it took that long.

3. I have attached the correct log to this post for you.

4. The ZOEK log is attached...
My apologies for my errors.....

You said to post the content. I'm unsure if you mean post it in this reply or attach it. I have done both:
========================================================================================================================


Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Mike on Tue 06/30/2015 at 7:53:18.13.
Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Mike\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

6/30/2015 8:02:41 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\Users\Doug-Desktop\AppData\Roaming\Windows Live Writer deleted successfully
C:\Users\Mike\AppData\Roaming\Windows Live Writer deleted successfully
C:\Users\Doug-Desktop\AppData\Local\{4503AB61-C3F7-475C-BC09-BDDCBBB39160} deleted successfully
C:\Users\Doug-Desktop\AppData\Local\{89ACDC74-AE72-4827-A282-F36AA07713FB} deleted successfully
C:\Users\Doug-Desktop\AppData\Local\{A68A9D39-6E29-4FA0-AF0B-FA95EB462D40} deleted successfully
C:\Users\Mike\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Mike\AppData\Local\EmieSiteList deleted successfully
C:\Users\Mike\AppData\Local\EmieUserList deleted successfully
C:\Users\Mike\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\QR Code Maker and Decoder deleted
C:\PROGRA~3\28341ff220e0446c9fff27c4493d622e deleted
C:\Users\Doug-Desktop\AppData\Local\32523 deleted
C:\Users\Doug-Desktop\AppData\Local\6384 deleted
C:\PROGRA~2\GUT2D8A.tmp deleted
C:\PROGRA~2\GUM2D89.tmp deleted
C:\A14F.tmp deleted
C:\install.exe deleted
C:\stat_log deleted
C:\Users\Mike\AppData\Roaming\ProductData deleted
C:\PROGRA~3\ProductData deleted
C:\Users\Mike\AppData\Local\CrashRpt deleted
C:\windows\SysNative\Tasks\avastBCLRestart_chrome.exe deleted
C:\Users\Mike\AppData\LocalLow\Company deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
"C:\Users\Mike\AppData\Roaming\P15ZESxJxZc4" deleted
"C:\PROGRA~3\Package Cache" deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [06/29/2015 06:19 PM]

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.130

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[06/29/2015 06:19 PM]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[05/01/2015 11:17 AM]
pnlccmojcmeohlpggmfnbbiapkmbliob - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx[06/21/2015 03:39 PM]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]

Chrome Hotword Shared Module - Doug-Desktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
A Quotation - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\aafpohheobbibbehfjogminpinjhlpmg
Dictanote - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\aomjekmpappghadlogpigifkghlmebjk
Writebox - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbehjmjchoiaglkeboicbgkpfafcmhij
Minimalist for Everything - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmihblnpomgpjkfddepdpdafhhepdbek
Cash Organizer - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\bppdehaogjdmkkiaiokmjdjmjnjicddk
WEEK PLAN - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\caggnmlckgjpgpgpgjeobdcfgbkefioo
Chrome RDP - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch
clipular - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjbjepchlgclmpinlbbeinajphohgfod
Thesaurus.com - Synonyms and Antonyms - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\clljlcapeomdokpgadmegpabakieebci
Google News - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\dllkocilcinkggkchnjgegijklcililc
ShopAtHome.com - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlmebkoiahbppacaicbgncnjhbpdfkcc
Invoice2go - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmjkikjpbpaehaclfdkmjdofdgodaakp
Reditr Web App - The Best Reddit Client - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejmiceoebcclihjdpnmmkdcmcboekibc
Blur - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\epanfjkfahimkgomnigadpkobaefekcd
Android Freeware - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\faijocccbppcdmakdenmbbiflcagbapp
Pandora - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbangkleohkafngihneedemihgfeikcl
NetBank - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnpedghacgigoamalnfnikaagobdbjp
Dictionary by Dictionary.com - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\gikhgcaliglmioibbockkmjknfnepbdh
Voice In - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjkogfbjkfchelfjonefnnenhfgglpnn
Avast Online Security - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Rapportive - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\hihakjfhbmlmjdnnhegiciffjplmdhin
feedly - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipbfijinpcgfogaopmgehiegacbhmob
Vimeo Couch Mode - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjkdhkejcnlmkfdodbkdkelefnkobfif
Quotes Book - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibfjeadhjbcepmknoanimdbemlobmlpe
Knok | Family Travel - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\iehdddmijbgofffjjmhkodckmnombhmf
The Weather Channel for Chrome - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop
PDF to Word Converter App - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\jclipofobaadknkadkpgggmjkebddjam
Pocket Website - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\jijgclgmgjipgefcnnnibgllfonlfdap
Kobo Instant Reader - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\jknhjclcchfapglhbceedkoldnkmmhcc
Clipular Research save & share screenshot - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmjbgcjbgmcfgbgikmbdioggjlhjegpp
Google Voice (by Google) - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo
Quick Earth - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\khodocggeplgfhppgagfdpbjkniadmdh
Wave Accounting - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\knpkfcpnjfbniadmfchjpcigfhookhaa
Chrome Hotword Shared Module - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Webcam Toy - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfbgimoladefibpklnfmkpknadbklade
Skype Click to Call - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Google Drive App Launcher - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh
Mint - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhgffcfekbglhpcdjkhhjekhdnddkflg
Offline Email Notifier for Gmail™ Helper - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlcdlmnipofbmhgjajfobpeeikdejibj
PHP Docs-to-go - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlilmganaobieaclflbciblffhaagnip
Finance41 Personal Finance Manager - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbgkhncobohkmgdjdiijlbgjidpnnkcd
SendHub - Business Phone System - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlijkadphehijfiiigjeklnlnknmmped
Checker Plus for Gmail™ - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\oeopbcgkkoapgobdbedcemjljbihmemj
Scribble - stickies on steroids - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\offpaifnchmpbnjhjbhpdffahlofdkfb
Outlook.com - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pfpeapihoiogbcmdmnibeplnikfnhoge
Send from Gmail (by Google) - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgphcomnlaojlmmcjmiddhdapjpbgeoc
OMG - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmoodaljflkhbojjaiibgnlindbhebme
RoboForm - Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob

==== Chromium Startpages ======================

C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Preferences


==== Chromium Fix ======================

C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gbkeegbaiigmenfmjfclcdgdpimamgkj_0.localstorage deleted successfully
C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gbkeegbaiigmenfmjfclcdgdpimamgkj_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://google.com/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://google.com/"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{E0E10A6B-80FB-4457-9D90-6195BBBAE31B}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{98A2A4FE-EC22-408B-9FFD-2A9125300E55} Google Url="https://www.google.com/search?q={searchTerms}"
{A15FE79E-FB48-4F01-A053-BCBDF7F82664} Google Url="https://www.google.com/search?q={searchTerms}"
{E0E10A6B-80FB-4457-9D90-6195BBBAE31B} Google Url="https://www.google.com/search?q={searchTerms}"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Doug-Desktop\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Doug-Desktop\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Doug-Desktop\Desktop\Judy's Ghost-XP Tower\Judith\Local Settings\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Doug-Desktop\Desktop\Judy's Ghost-XP Tower\Judith\Local Settings\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache is not empty, a reboot is needed

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=919 folders=257 34923639 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Doug-Desktop\AppData\Local\Temp emptied successfully
C:\Users\Mike\AppData\Local\Temp will be emptied at reboot
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Mike\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbkeegbaiigmenfmjfclcdgdpimamgkj" deleted
"C:\Users\Mike\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6VXGQZB7\chaturbate.com" not found
"C:\Users\Mike\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6VXGQZB7\fbstatic-a.akamaihd.net" not found
"C:\Users\Mike\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6VXGQZB7\launch.newsinc.com" not found
"C:\Users\Mike\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6VXGQZB7\www.filmon.com" not found
"C:\Users\Mike\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6VXGQZB7\www.freelifetime#####finder.com" not found
"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\Low" not deleted

==== EOF on Tue 06/30/2015 at 8:28:41.10 ======================

I'll learn the vocabulary and procedures quickly. I know all "you guys" donate your time.
 

Attachments

  • aswMBR correct scan june 29.txt
    2.4 KB · Views: 4
  • zoek-results June 30.txt
    19.8 KB · Views: 4

mike0921

Level 1
Thread author
Verified
Jun 26, 2015
20
It is crawling like molasses. There are no pop up ads. And starting one action before a second action causes it to crawl along even slower. The progress circle sometimes freezes and sometimes isn't there at all and there is no indication of processing other than hearing the "mouse prints" of the processor coming from the box.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.
 

mike0921

Level 1
Thread author
Verified
Jun 26, 2015
20
I just woke up and noticed I hadn't checked the "Addition" option, so I reran the scan. Two things I immediately noticed: 1. It finished quickly.
2. Things were running much better than I reported last reply... I must need to nap more often... :) I hope that means you will be telling me my machine is all clean!

Here are the logs...
 

Attachments

  • FRST_30-06-2015_16-24-41.txt
    75 KB · Views: 11
  • Addition_30-06-2015_16-24-41.txt
    33.6 KB · Views: 6

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
There are still some things we need to do.

CHR dev: Chrome dev build detected! <======= ATTENTION

Chrome is altered by malware, you need to reinstall it.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    2.6 KB · Views: 5

mike0921

Level 1
Thread author
Verified
Jun 26, 2015
20
Well, I got up early and first thing ran the above as you asked.... but failed to Run as Admin.... so I ran it again. Both log files are attached. The one named Fixlog_01-07-2015_07-56-48... is the first one....not as administrator. The second one, Fixlog 8_21, ran as administrator. I hope I didn't make things harder; I hadn't finished my wake-up espresso... The numbers reflect the time each was run: 7:24 am and 8:21 am.

Something is running in the background I think. After I reinstalled Chrome - from the Google website - the progress circle is always showing up and things are still slow...

I wrote down a log of events as they happened after running the fixlist if you need it I will enter it into notepad and upload it.
 

Attachments

  • Fixlog_01-07-2015_07-56-48.txt
    8.2 KB · Views: 3
  • Fixlog 8_21.txt
    7.2 KB · Views: 4

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I don't know what to say. This is a pretty old machine, and if you use modern apps with a modern operating system it will start to choke sometimes; that is something you must expect. PC seems clean.
 

mike0921

Level 1
Thread author
Verified
Jun 26, 2015
20
Yeah, it is old and I do understand what you said about that. Thanks, at least you confirmed my hunch...

Thanks a million for helping me to get back to a clean machine. I have spent some time over at Umbra's security configuration, reading kram7750's essay on various malware programs and generally surfing MT.

I'm going to be updating my security config this week to keep this old thing clean this time around!
 

mike0921

Level 1
Thread author
Verified
Jun 26, 2015
20
How do you mark a thread solved? Does the member who started it mark it???? My machine is clean now...
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)


Recommended reading:
MUST READ - security tips:

MUST READ - general maintenance:


The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavors running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.




Recommended additional software:
CCleaner - to clean unneeded temporary files.
Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
Malwarebytes' Anti-Exploit - to prevent many commonly exploited vulnerabilities.
McShield - to prevent infections spread by removable media.
Unchecky - to prevent the installation of additional foistware bundled with legitimate installers.
Adblock - to surf the web without annoying ads!



Post-cleanup procedures:


Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.



My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!




Stay safe,
TwinHeadedEagle :)
 
