LiquidTension

Everything posted by LiquidTension

  1. Let's check for remnants and confirm your machine appears free of malware. We can then proceed by updating your vulnerable software and removing the tools we've used.
     STEP 1 Malwarebytes Anti-Malware (MBAM)
       • Please download the updated Malwarebytes Anti-Malware Free to your Desktop.
       • Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
       • Launch the programme and click Update.
       • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
       • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
       • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
       • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
       • Upon completion of the scan (or after the reboot), click the History tab.
       • Click Application Logs and double-click the Scan Log.
       • Click Copy to Clipboard and paste the log in your next reply.
     STEP 2 ESET Online Scan
     Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
       • Please download ESET Online Scan and save the file to your Desktop.
       • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
       • Double-click esetsmartinstaller_enu.exe to run the programme.
       • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
       • Agree to the Terms of Use once more and click Start. Allow components to download.
       • Place a checkmark next to Enable detection of potentially unwanted applications.
       • Click Hide advanced settings. Place a checkmark next to:
           • Scan archives
           • Scan for potentially unsafe applications
           • Enable Anti-Stealth technology
       • Ensure Remove found threats is unchecked.
       • Click Start.
       • Wait for the scan to finish. Please be patient as this can take some time.
       • Upon completion, click . If no threats were found, skip the next two bullet points.
       • Click and save the file to your Desktop, naming it something unique such as MyEsetScan.
       • Push the Back button.
       • Place a checkmark next to and click .
       • Re-enable your anti-virus software.
       • Copy the contents of the log and paste in your next reply.
     ======================================================
     STEP 3 Logs
     In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
       • MBAM Scan log
       • ESET Online Scan log
  2. Hello Jim, Did you install these Firefox extensions?
         FF Extension: Youtube MP3 Converter
         FF Extension: YouTube2mp3.to: Convert YouTube Video to MP3
         FF Extension: Youtube Downloader - Media Downloader
         FF Extension: WonTube Free YouTube to MP3/MP4/FLV
         FF Extension: YouTube to MP3
     STEP 1 Farbar Recovery Scan Tool (FRST) Script
       • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
       • Copy the entire contents of the codebox below and paste into the Notepad document.
         start
         HKLM-x32\...\Run: [] => [X]
         HKU\S-1-5-21-419457526-2912272509-3820656120-1002\...A8F59079A8D5}\localserver32: <==== ATTENTION!
         FF Extension: TopArcadeHits - C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\940rbffc.default\Extensions\{0113D088-8ED1-468C-B225-585A9C53B5E3} [2013-07-28]
         HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\15266472.sys => ""="Driver"
         HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\15266472.sys => ""="Driver"
         Folder: C:\Users\Jim\AppData\Local\140DD743-8669-4D39-AAF2-9E149CADE104.aplzod
         CMD: ipconfig /flushdns
         CMD: netsh winsock reset all
         CMD: netsh int ipv4 reset
         CMD: netsh int ipv6 reset
         CMD: bitsadmin /reset /allusers
         EmptyTemp:
         end
       • Click File, Save As and type fixlist.txt as the File Name.
       • Important: The file must be saved in the same location as FRST64.exe.
     NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
       • Right-Click FRST64.exe and select Run as administrator to run the programme.
       • Click Fix.
       • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     STEP 2 AdwCleaner
       • Please download AdwCleaner and save the file to your Desktop.
       • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
       • Follow the prompts. Click Scan.
       • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
       • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
       • Follow the prompts and allow your computer to reboot.
       • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
     -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
     STEP 3 Junkware Removal Tool (JRT)
       • Please download Junkware Removal Tool and save the file to your Desktop.
       • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
       • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
       • Right-Click JRT.exe and select Run as administrator to run the programme.
       • Follow the prompts and allow the scan to run uninterrupted.
       • Upon completion, a log (JRT.txt) will open on your desktop.
       • Re-enable your anti-virus software.
       • Copy the contents of JRT.txt and paste in your next reply.
     ======================================================
     STEP 4 Logs
     In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
       • Did you install the extensions?
       • Fixlog.txt
       • AdwCleaner[s0].txt
       • JRT.txt
  3. Hi Jim, Please download and run the following programme.
     Farbar Recovery Scan Tool (FRST) Scan
       • Please download Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
       • Right-Click FRST64.exe and select Run as administrator to run the programme.
       • Click Yes to the disclaimer.
       • Ensure the Addition.txt box is checked.
       • Click the Scan button and let the programme run.
       • Upon completion, click OK, then OK on the Addition.txt pop up screen.
       • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
  4. Unfortunately, that isn't the case. The machine is infected with Poweliks, and remnants of ZeroAccess. Both infections open a backdoor on the compromised machine. Do you require additional assistance now that you have decided to reformat?
  5. Hello Dmass, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.
     General P2P/Piracy Notice:
     ======================================================
     Please read through the points below to ensure this process moves as quickly and efficiently as possible.
       • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
       • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
       • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
       • Please backup important documents before proceeding with my instructions.
       • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
       • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
       • Ensure you are following this topic. Click at the top of the page.
     ======================================================
     Please consider the following warning, and let me know how you wish to proceed.
  6. Hello WxM9, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.
     General P2P/Piracy Notice:
     ======================================================
     Please read through the points below to ensure this process moves as quickly and efficiently as possible.
       • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
       • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
       • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
       • Please backup important documents before proceeding with my instructions.
       • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
       • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
     ======================================================
     Please work your way through the following.
     STEP 1 Uninstall IOBit Software
     I see you have IOBit software installed on your computer. The company behind this product was found to be stealing Malwarebytes' database. I would not trust installing software from a company that resorts to stealing someone's technology in order to sell their product.
       • IOBit Steals Malwarebytes' Intellectual Property
       • IOBit's Denial of Theft Unconvincing
       • IOBit Theft Conclusion
       • IObit: Trusting Your Antivirus Vendor
       • IObit accused of stealing from Malwarebytes
     I recommend removing IOBit software from your computer.
       • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
       • Search for the following programmes, right-click and click Uninstall one at a time.
           • IObit Malware Fighter
     STEP 2 AdwCleaner
       • Please download AdwCleaner and save the file to your Desktop.
       • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
       • Follow the prompts. Click Scan.
       • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
       • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
       • Follow the prompts and allow your computer to reboot.
       • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
     -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
     STEP 3 Junkware Removal Tool (JRT)
       • Please download Junkware Removal Tool and save the file to your Desktop.
       • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
       • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
       • Right-Click JRT.exe and select Run as administrator to run the programme.
       • Follow the prompts and allow the scan to run uninterrupted.
       • Upon completion, a log (JRT.txt) will open on your desktop.
       • Re-enable your anti-virus software.
       • Copy the contents of JRT.txt and paste in your next reply.
     STEP 4 Farbar Recovery Scan Tool (FRST) Scan
       • Right-Click FRST64.exe and select Run as administrator to run the programme.
       • Click Yes to the disclaimer.
       • Ensure the Addition.txt box is checked.
       • Click the Scan button and let the programme run.
       • Upon completion, click OK, then OK on the Addition.txt pop up screen.
       • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
     ======================================================
     STEP 5 Logs
     In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
       • Did the two Anti-Virus software uninstall successfully?
       • Did Spybot uninstall successfully?
       • Did IObit Malware Fighter uninstall successfully?
       • AdwCleaner[s0].txt
       • JRT.txt
       • FRST.txt
       • Addition.txt
  7. Hello HSC, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that. General P2P/Piracy Notice: Once you've considered the above, and taken any necessary action, please rerun FRST, place a checkmark next to Addition.txt and click Scan. Attach both logs in your next reply.
  8. Hello Jim Brown, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.
     General P2P/Piracy Notice:
     ======================================================
     Please read through the points below to ensure this process moves as quickly and efficiently as possible.
       • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
       • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
       • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
       • Please backup important documents before proceeding with my instructions.
       • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
       • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
       • Ensure you are following this topic. Click at the top of the page.
     ======================================================
     Please discuss and consider the following warning with the owner of the machine, and let me know how you/the owner wishes to proceed.
  9. Hello Patrick23, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.
     General P2P/Piracy Notice:
     ======================================================
     Please read through the points below to ensure this process moves as quickly and efficiently as possible.
       • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
       • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
       • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
       • Please backup important documents before proceeding with my instructions.
       • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
       • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
       • Ensure you are following this topic. Click at the top of the page.
     ======================================================
     Please consider the following warning, and let me know how you wish to proceed.
  10. Hello Lui, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.
      General P2P/Piracy Notice:
      ======================================================
      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
        • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
        • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
        • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
        • Please backup important documents before proceeding with my instructions.
        • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
        • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
        • Ensure you are following this topic. Click at the top of the page.
      ======================================================
      Please consider the following warning, and let me know how you wish to proceed.
  11. Hello ghostarcana, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.
      General P2P/Piracy Notice:
      ======================================================
      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
        • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
        • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
        • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
        • Please backup important documents before proceeding with my instructions.
        • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
        • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
        • Ensure you are following this topic. Click at the top of the page.
      ======================================================
      Please consider the following warning, and let me know how you wish to proceed.
  12. OK. In the meantime, let's check for HDD errors and damaged System Files.
      STEP 1 CHKDSK
      Note: If you have a Solid State Drive (SSD), do not run CHKDSK. Skip STEP 1, and proceed with STEP 2.
        • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
        • Copy the entire contents of the codebox below and paste into the Notepad document.
          @echo off
          cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\chkdskquery.txt"
          notepad %userprofile%\Desktop\chkdskquery.txt
          del %0
        • Click Format. Ensure Wordwrap is unchecked.
        • Click File, Save As and name the file chkdsk.bat.
        • Select All Files as the Save as type.
        • Save the file to your Desktop.
        • Locate chkdsk.bat (W8/7/Vista) on your Desktop. Right-click the icon and click Run as administrator.
        • CHKDSK may take up to an hour to complete. Allow the programme to run uninterrupted, and do not use your computer during the process.
        • Upon completion, a log (chkdskquery.txt) will open on your Desktop. Please copy the contents of the log and paste in your next reply.
      STEP 2 System File Checker (SFC)
        • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
        • Copy the entire contents of the codebox below and paste into the Notepad document.
          sfc /scannow
          findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcresults.txt"
          notepad %userprofile%\Desktop\sfcresults.txt
          del %0
        • Click Format. Ensure Wordwrap is unchecked.
        • Click File, Save As and name the file querysfc.bat.
        • Select All Files as the Save as type.
        • Save the file to your Desktop.
        • Locate querysfc.bat (W8/7/Vista) on your Desktop. Right-click the icon and click Run as administrator.
        • Upon completion, a log (sfcresults.txt) will open on your Desktop. Copy the contents of the log and paste in your next reply.
      ======================================================
      STEP 3 Logs
      In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
        • chkdskquery.txt
        • sfcresults.txt
  13. OK. That's identified two other cracked games. The script below will remove the threats flagged by ESET, and the two cracked game folders from CKScanner. After completing the below, please provide an update on your computer. Is the reboot issue the only issue remaining? Have all malware issues been resolved?
      Farbar Recovery Scan Tool (FRST) Script
        • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
        • Copy the entire contents of the codebox below and paste into the Notepad document.
          start
          c:\users\aaron\appdata\local\virtualstore\program files (x86)\electronic arts\the battle for middle-earth ™ ii
          c:\users\aaron\documents\game stuff\games\lotr bfme
          C:\Program Files (x86)\Installer Files\BitTorrent-6.4b.exe
          C:\Program Files (x86)\Installer Files\Free Ipod Video Converter setup.exe
          C:\Users\Aaron\AppData\Local\Downloaded Installations\{557CEC25-E448-49C7-883A-40B2460C468C}\Mobile Mouse Server.msi
          C:\Users\Aaron\AppData\Local\Temp\AskInstallChecker.exe
          C:\Users\Aaron\AppData\Local\Temp\bitool.dll
          C:\Users\Aaron\AppData\Local\Temp\~+JF6159530706802982684.tmp
          C:\Users\Aaron\AppData\Local\Temp\16f8\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XSFKF674\thisistheindex[1].htm
          C:\Users\Aaron\Documents\Game Stuff\Games\Star Wars Empire at War
          C:\Users\Aaron\Documents\Miscellaneous\Harry Potter Audio Books, movies\j.k. rowling - harry potter series complete [books 1-7] [epub].exe
          C:\Users\Aaron\Downloads\Galaxy.On.Fire.2.HD-RELOADED
          C:\Users\Aaron\Music\LoL_psf\winamp5622_full_emusic-7plus_en-us.exe
          EmptyTemp:
          end
        • Click File, Save As and type fixlist.txt as the File Name.
        • Important: The file must be saved in the same location as FRST64.exe.
      NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
        • Right-Click FRST64.exe and select Run as administrator to run the programme.
        • Click Fix.
        • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
  14. Hello Aaron, We can use the following programme. Bear in mind the programme is not all inclusive, and may not identify all cracked programmes/games on your machine. As long as we remove the files identified by ESET, and any files by CKScanner, we should be good to continue.
      CKScanner
        • Please download CKScanner and save the file to your Desktop.
        • Right-Click CKScanner.exe and select Run as administrator to run the programme.
        • Click Search For Files.
        • When the cursor hourglass disappears, click Save List To File.
        • A message box will verify the file saved.
        • Please run this programme only once.
        • A log (CKFiles.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.
  15. It's now over two weeks since my last set of instructions, and over one week since you said you would have access to the machine. If semi-regular access to this machine is not possible then I would appreciate you letting me know. Thank you.
  16. Hello, These look like cracked games. Is this the case? Please consider the following warning, and remove any cracked software from your machine.
  17. Run MBAM Clean, and reinstall MBAM. https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/#entry815211 Ensure you pick the right option (Premium or Free).
  18. OK Aaron, Let's check for remnants and rule out malware, and then proceed with troubleshooting this reboot issue.
      STEP 1 Update/Remove Java
        • Download the latest version of Java from here (watch out for "Optional Offers" during the update process).
        • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
        • Search for the following programmes, right-click and click Uninstall one at a time.
        • Note: The programmes below may not be present. If this is the case, please skip to the next step.
            • Java 7 Update 9
            • Java™ 6 Update 22
            • Java™ 6 Update 7
        • Follow the prompts, and reboot if necessary.
      STEP 2 Malwarebytes Anti-Malware (MBAM)
        • Open Malwarebytes Anti-Malware and click Update Now.
        • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
        • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
        • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
        • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
        • Upon completion of the scan (or after the reboot), click the History tab.
        • Click Application Logs and double-click the Scan Log.
        • Click Copy to Clipboard and paste the log in your next reply.
      STEP 3 ESET Online Scan
      Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
        • Please download ESET Online Scan and save the file to your Desktop.
        • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
        • Double-click esetsmartinstaller_enu.exe to run the programme.
        • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
        • Agree to the Terms of Use once more and click Start. Allow components to download.
        • Place a checkmark next to Enable detection of potentially unwanted applications.
        • Click Hide advanced settings. Place a checkmark next to:
            • Scan archives
            • Scan for potentially unsafe applications
            • Enable Anti-Stealth technology
        • Ensure Remove found threats is unchecked.
        • Click Start.
        • Wait for the scan to finish. Please be patient as this can take some time.
        • Upon completion, click . If no threats were found, skip the next two bullet points.
        • Click and save the file to your Desktop, naming it something unique such as MyEsetScan.
        • Push the Back button.
        • Place a checkmark next to and click .
        • Re-enable your anti-virus software.
        • Copy the contents of the log and paste in your next reply.
      ======================================================
      STEP 4 Logs
      In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
        • Did Java update/remove successfully?
        • MBAM Scan log
        • ESET Online Scan log
  19. Good job. Please provide an update on your computer after completing the steps below. Are there any outstanding issues? STEP 1 Farbar Recovery Scan Tool (FRST) Script Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.Copy the entire contents of the codebox below and paste into the Notepad document. start(Tiger Green Productions LLC) C:\Program Files (x86)\X3watch\x3watch.exeHKLM-x32\...\Run: [x3watch] => C:\Program Files (x86)\X3watch\x3watch.exe [299008 2010-05-22] (Tiger Green Productions LLC)C:\Program Files (x86)\X3watchHKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://sunglasshut.reflexisinc.com/HOTSPOT/HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndtHKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndtHKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htmURLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No FileURLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! 
Inc.)SearchScopes: HKLM - {B0F394C7-FAAC-45D1-A748-ACBFC7CC9C4A} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdtSearchScopes: HKLM - {BCE37996-EAFF-46C0-9054-A198BD8E6E19} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpdSearchScopes: HKLM-x32 - {B0F394C7-FAAC-45D1-A748-ACBFC7CC9C4A} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdtSearchScopes: HKCU - {B0F394C7-FAAC-45D1-A748-ACBFC7CC9C4A} URL = http://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20130416,19890,0,8,0Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No FileHandler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No FileFF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");2014-09-29 11:13 - 2014-09-29 11:13 - 00000000 ____D () C:\Users\Aaron\AppData\Roaming\IObit2014-09-29 11:13 - 2014-09-29 11:13 - 00000000 ____D () C:\ProgramData\IObit2014-09-29 11:13 - 2014-09-29 11:13 - 00000000 ____D () C:\Program Files (x86)\IObit2014-10-08 15:07 - 2010-08-18 19:45 - 00000000 ____D () C:\Users\Public\Documents\x3watch2014-09-27 23:28 - 2013-04-16 22:16 - 00000000 ____D () C:\ProgramData\Yahoo! 
Companion2014-09-27 23:09 - 2008-09-19 15:27 - 00094720 _____ () C:\Users\Aaron\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.iniHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\30473069.sys => ""="Driver"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\30473069.sys => ""="Driver"C:\Program Files (x86)\Mozilla Firefox\components\npCouponPrinter.xptC:\Program Files (x86)\Yahoo!\Companion\Installs\cpn3\visic_coupon.dllC:\ProgramData\Microsoft\Windows\Start Menu\Programs\CouponsC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\CouponsC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall HelperC:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Uninstall HelperFolder: C:\32788R22FWJFWCMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: netsh int ipv4 resetCMD: netsh int ipv6 resetCMD: bitsadmin /reset /allusersEmptyTemp:endClick File, Save As and type fixlist.txt as the File Name. Important: The file must be saved in the same location as FRST64.exe. NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System. Right-Click FRST64.exe and select Run as administrator to run the programme.Click Fix.A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply. STEP 2 DelFix Please download DelFix and save the file to your Desktop.Double-click DelFix.exe to run the programme.Remove the checkmark next to the following items:Remove disinfection toolsPlace a checkmark next to the following items:Create registry backupClick the Run button. STEP 3 Reg Fix Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.Copy the entire contents of the codebox below and paste into the Notepad document. 
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\AppDataLow\Software\CouponAlert_2pEI]
[-HKEY_CURRENT_USER\Software\Visicom\Coupon]
[-HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{7b9f8c21-46ec-4c0b-8683-e755ef84577a}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cpbrkpie.Coupon6Ctrl.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{87255C51-CD7D-4506-B9AD-97606DAF53F3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F6C2BABA-9E4C-425F-9AEC-24AB8F2B640D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\cpbrkpie.Coupon6Ctrl.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{87255C51-CD7D-4506-B9AD-97606DAF53F3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{F6C2BABA-9E4C-425F-9AEC-24AB8F2B640D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\CouponAlert_2pService]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CouponAlert_2p Browser Plugin Loader]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\cpbrkpie.Coupon6Ctrl.1]
[-HKEY_USERS\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\AppDataLow\Software\CouponAlert_2pEI]
[-HKEY_USERS\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\Visicom\Coupon]
[-HKEY_USERS\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\Classes\Wow6432Node\CLSID\{7b9f8c21-46ec-4c0b-8683-e755ef84577a}]
[-HKEY_USERS\S-1-5-21-2270372850-1355340376-1848647039-1000_Classes\Wow6432Node\CLSID\{7b9f8c21-46ec-4c0b-8683-e755ef84577a}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\My Web Search Bar Search Scope Monitor]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\MyWebSearch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyWebSearch Plugin]
[-HKEY_USERS\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\MyWebSearch]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SelectRebatesUninstall]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SelectRebates]
[-HKEY_USERS\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SelectRebatesUninstall]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Uninstall Helper 2.0.1.0]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E5C2FB287A9731A45B805D6EA4B541E1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Uninstall Helper\\"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7550B20E5BA652945B93C3290DFB0BD2]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD4C641309D32D44E80F3A78DE131EB2]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F2E620FE26B36F843BED474FA2594E69]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E5C2FB287A9731A45B805D6EA4B541E1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Uninstall Helper 2.0.1.0]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{82BF2C5E-79A7-4A13-B508-D5E64A5B141E}]
[-HKEY_USERS\S-1-5-21-2270372850-1355340376-1848647039-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Uninstall Helper 2.0.1.0]

Click Format. Ensure Wordwrap is unchecked.
Click File, Save As and name the file regfix.reg.
Select All Files as the Save as type.
Save the file to your Desktop.
Locate regfix.reg on your Desktop. Right-click the file and click Merge with the Registry. Accept any prompts.
Reboot your computer for the changes to take effect.

======================================================

STEP 4 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
Fixlog.txt
Did the regfix merge successfully?
Update on computer
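One way to review what a .reg file such as regfix.reg will change before merging it, as an added example that is not part of the original post: the parser lists every key and value operation and rejects any line that is not valid .reg syntax, for instance a path used as a value name without doubled backslashes. The function names are illustrative, the sample is an excerpt of the entries above, and multi-line hex values are out of scope.

```python
import re

# Excerpt of regfix.reg from the post above (three of its entries).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Visicom\Coupon]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SelectRebates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Uninstall Helper\\"=-
"""

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\.*)?)\]$")
# Quoted value name (a backslash escapes the next character) or @ for the default value.
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def unescape(name):
    """Strip the surrounding quotes and undo .reg backslash escaping."""
    return "(Default)" if name == "@" else re.sub(r"\\(.)", r"\1", name[1:-1])


def audit_reg(text):
    """Return the (action, key, value_name) operations a .reg file would perform."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing .reg version header")
    ops, current = [], None
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        key = KEY_RE.match(line)
        if key:
            if key.group(1):  # [-KEY] removes the key and everything under it
                ops.append(("delete-key", key.group(2), None))
                current = None
            else:  # [KEY] opens a key; value lines that follow apply to it
                current = key.group(2)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            action = "delete-value" if value.group(2).strip() == "-" else "set-value"
            ops.append((action, current, unescape(value.group(1))))
            continue
        # Anything else (including multi-line hex data, not handled here) is rejected.
        raise ValueError(f"line {number}: not valid .reg syntax: {line!r}")
    return ops
```

Calling `audit_reg` on the saved file's text before the merge gives a short list to compare against what the helper said would be removed.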
  20. Hi Aaron, Let's see what Uninstall Helper left over. Please rerun SystemLook, using the script below instead.

      :filefind
      *Uninstall Helper*
      *InstallX*
      :folderfind
      *Uninstall Helper*
      *InstallX*
      :regfind
      Uninstall Helper
      InstallX