Solved Aggressive Malware - cdncache-a and "Ads by Notification" POP UPS

[AshleySue]

Still flooded with ads and malware. And every time I click something, the malware popups continue.

 

[argus]

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:
  

  createsrpoint;
  autoclean;
  emptyalltemp;
  ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
• Push Run Script and wait patiently. The scan may take a couple of minutes.
• When the scan completes, a zoek-results logfile should open in notepad.
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

 

[AshleySue]

Zoek.exe v5.0.0.0 Updated 25-11-2014
Tool run by House of Matador on Tue 11/25/2014 at 18:07:47.91.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\House of Matador\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

11/25/2014 6:08:54 PM Zoek.exe System Restore Point Created Succesfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Coolmuster deleted successfully
C:\PROGRA~2\GUME22B.tmp deleted successfully
C:\PROGRA~2\Wondershare deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\PROGRA~3\ALM deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\Oracle deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1AF8192F-4EEF-4BD1-99F7-9DA0BB4F46B3} deleted successfully
HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2290DA4E-636A-4C73-937E-ACB4FC6DF78} deleted successfully
HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2C676B1B-52DF-43D8-B962-145316DE3639} deleted successfully
HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{674A460E-6A94-40BE-B2F8-69377916F8F1} deleted successfully
HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F5EAF07-9544-4EC7-B573-B5E893B6D} deleted successfully
HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BB1A557B-46B-4B78-BBD6-8CA5BB9214} deleted successfully
HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E71B07F7-C51A-449B-A77-91758BFE1A93} deleted successfully
HKEY_USERS\S-1-5-21-58989595-945218553-2854008374-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EDCBED07-443E-4C25-B839-A387F0E371A5} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666

user.js not found
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);
---- FireFox user.js and prefs.js backups ----

prefs_20141125_0624_.backup

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default

user.js not found
---- Lines offers removed from prefs.js ----
user_pref("extensions.fbp@fbpurity.com.fbpoptsjson-11807058", "{\"filterappmessages\":1,\"becamefriends\":1,\"becamefan\":1,\"joinedgroup\":1,\"attend
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);
---- FireFox user.js and prefs.js backups ----

prefs_20141125_0624_.backup

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Thunderbird\Profiles\glac7ek7.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20141125_0624_.backup

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\6nq4jkl1.Ashley Sue Oct2014

prefs.js not found
user.js not found
---- FireFox user.js and prefs.js backups ----


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\Users\House of Matador\.android deleted
C:\PROGRA~2\COMMON~1\Wondershare deleted
C:\Users\House of Matador\AppData\Roaming\Upromise RewardU Toolbar deleted
C:\Users\House of Matador\AppData\Roaming\Wondershare deleted
C:\PROGRA~3\boost_interprocess deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\House of Matador\AppData\Local\Wondershare deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\House of Matador\AppData\LocalLow\Protect deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\LocalLow\Application Updater deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\WINDOWS\Syswow64\GroupPolicy\gpt.ini deleted
C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default\jetpack deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"online_banking_69A4E213815F42BD863D889007201D82@kaspersky.com"="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com" [11/19/2014 11:54 AM]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"smartwebprinting@hp.com"="C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2" [04/24/2014 09:38 AM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Undetermined - content_blocker_6418E0D362104DADA084DC312DFA8ABC@kaspersky.com
- Undetermined - virtual_keyboard_294FF26A1D5B455495946778FDE7CEDB@kaspersky.com
- Undetermined - online_banking_69A4E213815F42BD863D889007201D82@kaspersky.com

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- F.B. Purity - Cleans Up Facebook - %ProfilePath%\extensions\fbp@fbpurity.com.xpi
- feedly - %ProfilePath%\extensions\feedly@devhd.xpi
- Pin It Button - %ProfilePath%\extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\6nq4jkl1.Ashley Sue Oct2014
- Undetermined - %ProfilePath%\extensions\abs@avira.com

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\House of Matador\AppData\Roaming\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666
8303B3CEC05500F763B4FA75210598BB - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll - Shockwave Flash
18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL - Microsoft Office 2013

Profilepath: C:\Users\House of Matador\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default
18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL - Microsoft Office 2013


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
flliilndjeohchalpbbcdekjklbdgfkk - No path found[]
lhmiofmipcpmhgihiecmpiekcacigpgb - C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\chrome.crx[]

Google Voice Search Hotword (Beta) - House of Matador\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Shield For Chrome - House of Matador\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbaffjopmgmcijlkoafmgnaiciogpdel

==== Chromium Fix ======================

C:\Users\House of Matador\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.ask.com_0.localstorage deleted successfully
C:\Users\House of Matador\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_services.hearstmags.com_0.localstorage deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
No DefaultScope Set For HKCU

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{8A893382-9C8B-4E55-BE15-2405DA837C45} Google Url="http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\lhmiofmipcpmhgihiecmpiekcacigpgb deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\House of Matador\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\House of Matador\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\House of Matador\AppData\Local\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\House of Matador\AppData\Local\Opera Software\Opera Stable\Cache emptied successfully
C:\Users\House of Matador\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=77 folders=50 28068535 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\House of Matador\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\HOUSEO~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Tue 11/25/2014 at 18:46:39.74 ======================

 

[argus]

Re-run zoek and run this script:

jid1-YcMV6ngYmQRA2w@jetpack.xpi;ff
abs@avira.com;ff
lhmiofmipcpmhgihiecmpiekcacigpgb;chr
flliilndjeohchalpbbcdekjklbdgfkk;chr
C:\ProgramData\Anvisoft;fs
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b

 

[AshleySue]

Zoek.exe v5.0.0.0 Updated 25-11-2014
Tool run by House of Matador on Tue 11/25/2014 at 20:43:18.08.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\House of Matador\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2014-11-25-234639.log 13252 bytes

==== System Restore Info ======================

11/25/2014 8:44:10 PM Zoek.exe System Restore Point Created Succesfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20141125_0902_.backup

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\6nq4jkl1.Ashley Sue Oct2014

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20141125_0902_.backup

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default

user.js not found
---- Lines jid1-YcMV6ngYmQRA2w@jetpack.xpi removed from prefs.js ----
user_pref("extensions.bootstrappedAddons", "{\"fbp@fbpurity.com\":{\"version\":\"9.8.2\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Users\\\\House
---- Lines jid1-YcMV6ngYmQRA2w@jetpack.xpi modified from prefs.js ----

user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"web2pdfextension@web2pdf.adobedotcom\":{\"descriptor\":\"C:\\\\Pr
---- Lines abs@avira.com modified from prefs.js ----

user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"web2pdfextension@web2pdf.adobedotcom\":{\"descriptor\":\"C:\\\\Pr
---- FireFox user.js and prefs.js backups ----

prefs_20141125_0902_.backup

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Thunderbird\Profiles\glac7ek7.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20141125_0902_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\ProgramData\Anvisoft deleted
C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\6nq4jkl1.Ashley Sue Oct2014\extensions\abs@avira.com deleted
"C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default\extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi" deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"online_banking_69A4E213815F42BD863D889007201D82@kaspersky.com"="C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com" [11/19/2014 11:54 AM]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"smartwebprinting@hp.com"="C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2" [04/24/2014 09:38 AM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Undetermined - content_blocker_6418E0D362104DADA084DC312DFA8ABC@kaspersky.com
- Undetermined - virtual_keyboard_294FF26A1D5B455495946778FDE7CEDB@kaspersky.com
- Undetermined - online_banking_69A4E213815F42BD863D889007201D82@kaspersky.com

ProfilePath: C:\Users\HOUSEO~1\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- Dangerous Websites Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\content_blocker@kaspersky.com
- Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\online_banking@kaspersky.com
- Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\virtual_keyboard@kaspersky.com
- F.B. Purity - Cleans Up Facebook - %ProfilePath%\extensions\fbp@fbpurity.com.xpi
- feedly - %ProfilePath%\extensions\feedly@devhd.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\House of Matador\AppData\Roaming\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666
8303B3CEC05500F763B4FA75210598BB - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll - Shockwave Flash
18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL - Microsoft Office 2013

Profilepath: C:\Users\House of Matador\AppData\Roaming\Mozilla\Firefox\Profiles\jgcs9iav.default
18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL - Microsoft Office 2013


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
flliilndjeohchalpbbcdekjklbdgfkk - No path found[]

Google Voice Search Hotword (Beta) - House of Matador\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Shield For Chrome - House of Matador\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbaffjopmgmcijlkoafmgnaiciogpdel
Google Wallet - House of Matador\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{8A893382-9C8B-4E55-BE15-2405DA837C45} Google Url="http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\House of Matador\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\House of Matador\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\House of Matador\AppData\Local\Mozilla\Firefox\Profiles\5jeohazu.default-1414975263666\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\House of Matador\AppData\Local\Opera Software\Opera Stable\Cache emptied successfully
C:\Users\House of Matador\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=87 folders=54 33120546 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\House of Matador\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\HOUSEO~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Tue 11/25/2014 at 21:38:03.34 ======================

 

[argus]

How is your PC now? Logs doesn't show active infection.

 

[AshleySue]

The exact same. Infested with "Ads by NotificatOIn", pop ups by "Ads by Notificatoin", and hovering adware / malware on every page. - I can see from my screenshots it used to say "Ads by Notifcation" - spelled correctly, and now they've all changed to the misspelled "notifcatoin". If that information helps at all to determine what virus we're dealing with.

Thank you @argus! I'm hopeful we can figure this out still!

 

[argus]

Install adblock
https://adblockplus.org/en/chrome

 

[AshleySue]

That did absolutely nothing. Also, the primary browser I was using was Firefox. Both continued to get worse and worse by the day. I found an article talking about my issues, and pretty well insisting that the only truly safe thing to do was to reformat. Instead of continuing on this path, I chose to do that. The computer is restored to its original condition, and I moved what I needed safely to other external drives first. I am feeling much better, as I can now use my computer to do my job, pay bills, and entertainment, which for the last month, I was unable to do any of. Thank you very much for your effort, but you can close this thread now as resolved, @argus.