api.recomme.me widget

[Chris Parish]

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself

Recommended reading:
​

MUST READ - security tips:

• Computer Security - a short guide to staying safer online.
• Simple and easy ways to keep your computer safe and secure on the Internet

MUST READ - general maintenance:

• What to do if your Computer is running slowly?

The Importance of Software Updating:
​

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.​

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

• How to configure and use Automatic Updates in Windows
• How to update Java
• How to update Adobe Reader

Recommended additional software:
​

CCleaner - to clean unneeded temporary files.

Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.

Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.

McShield - to prevent infections spread by removable media.

Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.

Adblock - to surf the web without annoying ads!

Post-cleanup procedures:​

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the
  
  icon and Run as administrator option.
• Make sure that these ones are checked:
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
• Push Run and wait until the tool completes his work.
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!​

Stay safe,
TwinHeadedEagle

Hi

I have had the same problem. I have followed the directions above but it has not solved it.

I have uploaded my zoek results & would be very grateful for your help.

Thank you in advance.

Chris

 

[Chris Parish]

....update!! It won't let me upload my zoek file - it says the file is empty ... so I will copy the text below:



Zoek.exe v5.0.0.0 Updated 23-04-2015
Tool run by Chris aka CGP on 27/04/2015 at 18:24:59.22.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Chris aka CGP\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

27/04/2015 18:29:05 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Deal Keeper deleted successfully
C:\PROGRA~2\Optimizer Pro deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\PPS deleted successfully
C:\PROGRA~3\374311380 deleted successfully
C:\Users\Chris aka CGP\AppData\Local\CUSTPDF Writer deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{8E805679-AD2E-430A-8FEF-7F95E3F96A85} deleted successfully
HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8E805679-AD2E-430A-8FEF-7F95E3F96A85} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8E805679-AD2E-430A-8FEF-7F95E3F96A85} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Util Deal Keeper deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Util Deal Keeper deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Update Deal Keeper deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Update Deal Keeper deleted successfully

==== FireFox Fix ======================

ProfilePath: C:\Users\CHRISA~1\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default

---- Lines Deal Keeper removed from prefs.js ----
user_pref("extensions.Deal Keeper.asul", "1406714659876");
user_pref("extensions.Deal Keeper.aul", "1406714658645");
user_pref("extensions.Deal Keeper.irl", true);
user_pref("extensions.Deal Keeper.is", "isgiwhGB");
user_pref("extensions.Deal Keeper.ug", "C1667FAD-3EA6-4641-90B1-D8A79C2C3CEE");
---- Lines astrmndant removed from prefs.js ----
user_pref("extensions.astrmndant.aflt", "ast_dsites05_14_31_ff");
user_pref("extensions.astrmndant.cd", "2XzuyEtN2Y1L1Qzu0AyEyD0DtAyCyCyCtD0DtB0ByEyCzzyBtN0D0Tzu0SzyyEtCtN1L2XzutBtFtBtCtFtCzztFtAtN1L1CzutCyEtBzytDyD1
user_pref("extensions.astrmndant.cr", "1157670745");
user_pref("extensions.astrmndant.instlRef", "142905_b");
---- Lines astrmndant removed from user.js ----

user_pref("extensions.astrmndant.aflt", "ast_dsites05_14_31_ff");
user_pref("extensions.astrmndant.instlRef", "142905_b");
user_pref("extensions.astrmndant.cr", "1157670745");
user_pref("extensions.astrmndant.cd", "2XzuyEtN2Y1L1Qzu0AyEyD0DtAyCyCyCtD0DtB0ByEyCzzyBtN0D0Tzu0SzyyEtCtN1L2XzutBtFtBtCtFtCzztFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0BtCtByBtDtCyCtG0AtA0B0FtGtA0E0C0FtGtBzz0DtCtGtD0BtC0BzzyEyByEyCyC0F0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzzyD0Bzz0CyE0AtG0FtD0E0FtG0FtD0E0EtGyDyE0C0DtGtCyD0ByBzy0FyCzz0B0CtC0F2Q");

---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);
---- FireFox user.js and prefs.js backups ----

user_042015_1956_.backup
prefs_042015_1956_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\Deal Keeper not found
C:\PROGRA~2\Optimizer Pro not found
C:\windows\SysNative\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} deleted
C:\Users\Chris aka CGP\.android deleted
C:\PROGRA~2\Connected Music powered by Universal Music Group deleted
C:\Users\Chris aka CGP\AppData\Roaming\DigitalSites deleted
C:\Users\Chris aka CGP\AppData\Local\Z@!-49ff9772-1a66-451c-9107-b6857196151f.tmp deleted
C:\Users\Chris aka CGP\AppData\Local\Z@S!-970d47e1-f2ab-44d1-902c-8234e1712954.tmp deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\tasks\Digital Sites deleted
C:\WINDOWS\tasks\Digital Sites.job deleted
"C:\WINDOWS\Installer\131add.msi" deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [14/04/2015 18:24]

==== Firefox Extensions ======================

ProfilePath: C:\Users\CHRISA~1\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default
- LastPass - C:\Users\Chris aka CGP\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default\extensions\support@lastpass.com
- Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
- LastPass - %ProfilePath%\extensions\support@lastpass.com
- TrackIf Web amp; Price Tracker - %ProfilePath%\extensions\jid0-qmqbjs9nLPAkgUQrbxaBmO3a6gY@jetpack.xpi
- KidStart Savings Prompt - %ProfilePath%\extensions\KidStart@KidStart.xpi
- Google Image Search - %ProfilePath%\extensions\{73007fef-a6e0-47d3-b4e7-dfc116ed6f65}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Chris aka CGP\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default
3D3CAF586124C4E8102764C8B3063BB6 - C:\windows\SysWOW64\Adobe\Director\np32dsw.dll - Shockwave for Director / Shockwave for Director
DFC9460CC37E5C414DC4680B10C19E7A - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll - Shockwave Flash
9AE02005247DA91AB1743F5208DBEF76 - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll - Shockwave Flash
E3D40D344C196E66D4346CCECED7AC1C - C:\Users\Chris aka CGP\AppData\Roaming\HewlettPackard\HPDetect\1.0.0.0\npHPDetect.dll - HPDetect
E3B4EA121F7BDEB0F6366E2BA9608CB5 - C:\Users\Chris aka CGP\AppData\Local\Citrix\Plugins\104\npappdetector.dll - Citrix Online Web Deployment Plugin 1.0.0.104


==== Chromium Look ======================

Google Chrome Version: 42.0.2311.90 (Latest Stable version: 42.0.2311.90) [z-db]

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[19/03/2015 20:22]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]

TrackIf Web & Price Tracker - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\donafdekbhlobcfppmfkpjmeijnnoacd
Bookmark Manager - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
LastPass - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd
DS Amazon Quick View - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkompbllimaoekaogchhkmkdogpkhojg
Chrome Hotword Shared Module - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg

==== Chromium Startpages ======================

C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Preferences
"homepage": "http://trackif.com/",
"startup_urls": [ "http://astromenda.com/?f=7&a=ast_ds...GtCyD0ByBzy0FyCzz0B0CtC0F2Q&cr=1157670745&ir=" ]


==== Chromium Fix ======================

C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.winner.co.uk_0.localstorage deleted successfully
C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.winner.co.uk_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://g.uk.msn.com/HPNOT13/2"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://g.uk.msn.com/HPNOT13/2"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Unknown Url="Not_Found"
{2E00D31D-D171-423D-836D-1A4D7EA7F1A9} Bing Url="http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS"
{D944BB61-2E34-4DBF-A683-47E505C587DC} eBay Url="http://rover.ebay.com/rover/1/710-29550-11896-25/4"

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2C0D8C2E79C150C439A9B5310AEF56C5 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E2C8D0C2-1C97-4C05-939A-5B13A0FE655C} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\2C0D8C2E79C150C439A9B5310AEF56C5 deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Chris aka CGP\AppData\Local\Mozilla\Firefox\Profiles\43n2w39d.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=64 folders=45 15332311 bytes)

==== Empty Temp Folders ======================

C:\Users\Chris aka CGP\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\CHRISA~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 27/04/2015 at 20:34:50.20 ======================

 

[TwinHeadedEagle]

Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:

• At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
• Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  
• All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
• If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
• I visit forum several times at day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  
• Please attach all report using
  
  button below. Doing this, you make it easier for me to analyze and fix your problem.
  
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay for the repair.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

[Chris Parish]

THanks for your help. Attached are the two results files.

 

[TwinHeadedEagle]

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:
  

  createsrpoint;
  autoclean;
  emptyalltemp;
  ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
• Push Run Script and wait patiently. The scan may take a couple of minutes.
• When the scan completes, a zoek-results logfile should open in notepad.
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

 

[Chris Parish]

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:
  

  createsrpoint;
  autoclean;
  emptyalltemp;
  ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
• Push Run Script and wait patiently. The scan may take a couple of minutes.
• When the scan completes, a zoek-results logfile should open in notepad.
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

I scanned with zoek prior to scanning with Farbar. I didn't disable my anti-virus-malware. Do I need to do it again?


Zoek.exe v5.0.0.0 Updated 23-04-2015
Tool run by Chris aka CGP on 27/04/2015 at 18:24:59.22.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Chris aka CGP\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

27/04/2015 18:29:05 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Deal Keeper deleted successfully
C:\PROGRA~2\Optimizer Pro deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\PPS deleted successfully
C:\PROGRA~3\374311380 deleted successfully
C:\Users\Chris aka CGP\AppData\Local\CUSTPDF Writer deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{8E805679-AD2E-430A-8FEF-7F95E3F96A85} deleted successfully
HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8E805679-AD2E-430A-8FEF-7F95E3F96A85} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8E805679-AD2E-430A-8FEF-7F95E3F96A85} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Util Deal Keeper deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Util Deal Keeper deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Update Deal Keeper deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Update Deal Keeper deleted successfully

==== FireFox Fix ======================

ProfilePath: C:\Users\CHRISA~1\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default

---- Lines Deal Keeper removed from prefs.js ----
user_pref("extensions.Deal Keeper.asul", "1406714659876");
user_pref("extensions.Deal Keeper.aul", "1406714658645");
user_pref("extensions.Deal Keeper.irl", true);
user_pref("extensions.Deal Keeper.is", "isgiwhGB");
user_pref("extensions.Deal Keeper.ug", "C1667FAD-3EA6-4641-90B1-D8A79C2C3CEE");
---- Lines astrmndant removed from prefs.js ----
user_pref("extensions.astrmndant.aflt", "ast_dsites05_14_31_ff");
user_pref("extensions.astrmndant.cd", "2XzuyEtN2Y1L1Qzu0AyEyD0DtAyCyCyCtD0DtB0ByEyCzzyBtN0D0Tzu0SzyyEtCtN1L2XzutBtFtBtCtFtCzztFtAtN1L1CzutCyEtBzytDyD1
user_pref("extensions.astrmndant.cr", "1157670745");
user_pref("extensions.astrmndant.instlRef", "142905_b");
---- Lines astrmndant removed from user.js ----

user_pref("extensions.astrmndant.aflt", "ast_dsites05_14_31_ff");
user_pref("extensions.astrmndant.instlRef", "142905_b");
user_pref("extensions.astrmndant.cr", "1157670745");
user_pref("extensions.astrmndant.cd", "2XzuyEtN2Y1L1Qzu0AyEyD0DtAyCyCyCtD0DtB0ByEyCzzyBtN0D0Tzu0SzyyEtCtN1L2XzutBtFtBtCtFtCzztFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0BtCtByBtDtCyCtG0AtA0B0FtGtA0E0C0FtGtBzz0DtCtGtD0BtC0BzzyEyByEyCyC0F0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyCzzyD0Bzz0CyE0AtG0FtD0E0FtG0FtD0E0EtGyDyE0C0DtGtCyD0ByBzy0FyCzz0B0CtC0F2Q");

---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);
---- FireFox user.js and prefs.js backups ----

user_042015_1956_.backup
prefs_042015_1956_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\Deal Keeper not found
C:\PROGRA~2\Optimizer Pro not found
C:\windows\SysNative\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} deleted
C:\Users\Chris aka CGP\.android deleted
C:\PROGRA~2\Connected Music powered by Universal Music Group deleted
C:\Users\Chris aka CGP\AppData\Roaming\DigitalSites deleted
C:\Users\Chris aka CGP\AppData\Local\Z@!-49ff9772-1a66-451c-9107-b6857196151f.tmp deleted
C:\Users\Chris aka CGP\AppData\Local\Z@S!-970d47e1-f2ab-44d1-902c-8234e1712954.tmp deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\tasks\Digital Sites deleted
C:\WINDOWS\tasks\Digital Sites.job deleted
"C:\WINDOWS\Installer\131add.msi" deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [14/04/2015 18:24]

==== Firefox Extensions ======================

ProfilePath: C:\Users\CHRISA~1\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default
- LastPass - C:\Users\Chris aka CGP\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default\extensions\support@lastpass.com
- Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
- LastPass - %ProfilePath%\extensions\support@lastpass.com
- TrackIf Web amp; Price Tracker - %ProfilePath%\extensions\jid0-qmqbjs9nLPAkgUQrbxaBmO3a6gY@jetpack.xpi
- KidStart Savings Prompt - %ProfilePath%\extensions\KidStart@KidStart.xpi
- Google Image Search - %ProfilePath%\extensions\{73007fef-a6e0-47d3-b4e7-dfc116ed6f65}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Chris aka CGP\AppData\Roaming\Mozilla\Firefox\Profiles\43n2w39d.default
3D3CAF586124C4E8102764C8B3063BB6 - C:\windows\SysWOW64\Adobe\Director\np32dsw.dll - Shockwave for Director / Shockwave for Director
DFC9460CC37E5C414DC4680B10C19E7A - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll - Shockwave Flash
9AE02005247DA91AB1743F5208DBEF76 - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll - Shockwave Flash
E3D40D344C196E66D4346CCECED7AC1C - C:\Users\Chris aka CGP\AppData\Roaming\HewlettPackard\HPDetect\1.0.0.0\npHPDetect.dll - HPDetect
E3B4EA121F7BDEB0F6366E2BA9608CB5 - C:\Users\Chris aka CGP\AppData\Local\Citrix\Plugins\104\npappdetector.dll - Citrix Online Web Deployment Plugin 1.0.0.104


==== Chromium Look ======================

Google Chrome Version: 42.0.2311.90 (Latest Stable version: 42.0.2311.90) [z-db]

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[19/03/2015 20:22]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]

TrackIf Web & Price Tracker - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\donafdekbhlobcfppmfkpjmeijnnoacd
Bookmark Manager - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
LastPass - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd
DS Amazon Quick View - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkompbllimaoekaogchhkmkdogpkhojg
Chrome Hotword Shared Module - Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg

==== Chromium Startpages ======================

C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Preferences
"homepage": "http://trackif.com/",
"startup_urls": [ "http://astromenda.com/?f=7&a=ast_ds...GtCyD0ByBzy0FyCzz0B0CtC0F2Q&cr=1157670745&ir=" ]


==== Chromium Fix ======================

C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.winner.co.uk_0.localstorage deleted successfully
C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.winner.co.uk_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://g.uk.msn.com/HPNOT13/2"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://g.uk.msn.com/HPNOT13/2"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Unknown Url="Not_Found"
{2E00D31D-D171-423D-836D-1A4D7EA7F1A9} Bing Url="http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS"
{D944BB61-2E34-4DBF-A683-47E505C587DC} eBay Url="http://rover.ebay.com/rover/1/710-29550-11896-25/4"

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3297290139-40113303-3829120269-1002\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2C0D8C2E79C150C439A9B5310AEF56C5 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E2C8D0C2-1C97-4C05-939A-5B13A0FE655C} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\2C0D8C2E79C150C439A9B5310AEF56C5 deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Chris aka CGP\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Chris aka CGP\AppData\Local\Mozilla\Firefox\Profiles\43n2w39d.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Chris aka CGP\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=64 folders=45 15332311 bytes)

==== Empty Temp Folders ======================

C:\Users\Chris aka CGP\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\CHRISA~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 27/04/2015 at 20:34:50.20 ======================

 

[TwinHeadedEagle]

You did fine. How is your PC behaving now?

 

[Chris Parish]

Still infected - I did NOT do another Zeok scan. That report was from a scan I did last week.

Do I need to do another one?

 

[TwinHeadedEagle]

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.