samak37

  1. All done. The Good seems to have beaten the Bad and the Ugly! I have made a donation which is showing as 'pending' on my account so I guess you will get it in the next day or so. It should be enough for quite a few beers or a bottle of slivovitz. Thanks for everything.
  2. The removal seems to be successful now. I scanned again - log file attached. New log file.txt
  3. Done. We now have a scan log which is attached. Thanks. MWB scan log.txt
  4. If it helps, attached is a screenshot of the application logs. Malwarebytes application logs.docx
  5. True! The most recent scan log is attached but it is from a long time ago. I have run many scans since then but I only have "protection logs" saved in that folder, no scan logs. Strange... Scan log.txt
  6. I think my last post was a stupid question. I restarted the PC and ran Malwarebytes again. The same malware is back!
  7. I haven't done anything since you started helping me. Would you like me to run Malwarebytes again? Restart the PC?
  8. I think we are 9 hours ahead of you so I will go to sleep now and come back tomorrow. Thanks for your help.
  9. This time I selected "1 hour" in Avast shield control and it seemed to run OK. zoek-results.log
  10. I still have a window which won't close: "Zoek.exe is running now. Do not start any browser windows, they may get closed automatically. Please wait! This window will close when finished. A logfile will open afterwards and can also be found on your systemdrive as zoek-results.log" I can not restart Zoek.
  11. Here you go. I don't know if it is important but (i) the log-file didn't open automatically and (ii) I selected "10 minutes" in Avast shield control and it took much longer than that. I have also attached the file. Thanks for all your help. zoek-results.log
  12. Thanks TwinHeadedEagle. Maybe we can tell these punks to "Go ahead. Make my day". Files attached. FRST.txt Addition.txt
  13. Hi there. I've received an unwanted Xmas present! I've run the scan a few times, tried to remove the items found (tick boxes all checked), restarted the computer and they are still there. Any help much appreciated. Thanks. FRST.txt Addition.txt Malwarebytes scan result.docx