Doddger

Members
  • Posts

    12
Everything posted by Doddger

  1. Will do. Just an FYI... Windows 10 decided to do an update this evening. Took about 3 hrs at 35Mbps.. Must have been a pretty big update. Downloaded TFC and ran it. Took a while to run. Didn't ask to restart but I did anyway. Then downloaded MBAM. Have not run that before. Took a little while to update before starting. Once it updated, I ran that. Took 30 minutes to run. Zero threats found. In order for them to be read, I had to export the Malware and MalwareProtection to txt files. I then sent them to my desktop so I could find them. Don't know if you needed both of them but they are attached below. Malware.txt malwareProtection.txt
  2. Not sure if this helps in troubleshooting.. Seems like this may have been popping up while I was on eBay and then while opening a new tab to do a Google search. Just noticed today that my AdblockPlus was turned off on eBay's site. It's on now. Will report back if it makes a difference. Found this message on another site while searching for the cure. - "this is a known problem being pushed by advertisements on various sites. The file is a dangerous script that involves Windows administration tools to embed malware on your system. I don't know whether the firefox_patch.js that you captured is the same one other users have reported, but it's probably very similar." The light bulb went off when I read that as it seemed this "Firefox Update / Firefox-patch.js " always happened when I was on eBay. EBay has advertisements on the right side of some pages. ???
  3. Ran JRT, AdwCleaner and FRST again. Made sure to close all programs and run as administrator. AdwCleaner did find two "threats" (HKLM\SOFTWARE\CLIENTS\News & [x64] HKLM\SOFTWARE\CLIENTS\News) in the registry. After the reboot, they are gone. Attached latest associated txt files. JRT.txt AdwCleaner[S3].txt FRST.txt Addition.txt
  4. Just popped up again. I copied the link and took a screen shot if needed.
  5. I opened that folder to take a look see. The Temp***.jpg files were all misc pictures that I recognized. Don't know why they were in that folder. I sent them to recycle bin then emptied the bin. Opened the LMIR0001.tmp_r batch file with notepad. I did receive online help with a Windows rep a while back. Guessing this file was created then? File was created 3 months ago. Was unable to attach a .bat file so I renamed it LMIR0001.tmp_r1 and saved it as a TXT file. It's attached below. Also attached new FRST scan results. LMIR0001.tmp_r1.txt FRST.txt Addition.txt
  6. Sophos scan came out clean. Number of threats found: 0. Ran the Farbar Recovery Scan Tool again. Checked the box to get a new Additions.txt file as I ran this scan earlier today. The FRST.txt is also attached below. Thanks FRST.txt Addition.txt
  7. Will do. My apologies. Was doing my best trying to follow your instructions to the letter. My confusion in posting the information instead of attaching the .txt file came from Step 2, about 3/4 the way down where it reads - "Copy and paste the contents of that logfile in your next reply." Assumed from that you wanted the entire file posted instead of attached. Again, your help is much appreciated.
  8. About 3.5 hours into the Sophos Virus Removal Tool scan and it looks to be about 1/3rd of the way thru. Will report back when finished.
  9. Moving on to Step 3. Pasted copy of AdwCleaner file below.

     # AdwCleaner v6.020 - Logfile created 19/09/2016 at 15:49:22
     # Updated on 14/09/2016 by ToolsLib
     # Database : 2016-09-19.1 [Server]
     # Operating System : Windows 10 Pro (X64)
     # Username : ***en - MASTERBEDROOM
     # Running from : C:\Users\***en\Desktop\AdwCleaner.exe
     # Mode: Clean
     # Support : https://toolslib.net/forum

     ***** [ Services ] *****

     ***** [ Folders ] *****

     ***** [ Files ] *****

     ***** [ DLL ] *****

     ***** [ WMI ] *****

     ***** [ Shortcuts ] *****

     ***** [ Scheduled Tasks ] *****

     ***** [ Registry ] *****

     [-] Key deleted: HKLM\SOFTWARE\Classes\Toolbar.CT2475029
     [-] Key deleted: HKLM\SOFTWARE\Classes\Conduit.Engine
     [#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Conduit.Engine
     [-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
     [-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
     [-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
     [-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
     [-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
     [-] Key deleted: HKU\S-1-5-21-111023754-805910574-853954180-1001\Software\YahooPartnerToolbar
     [-] Key deleted: HKU\S-1-5-21-111023754-805910574-853954180-1001\Software\AppDataLow\Software\PriceGong
     [-] Key deleted: HKU\S-1-5-21-111023754-805910574-853954180-1001\Software\AppDataLow\Software\Toolbar
     [#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
     [#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\PriceGong
     [#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Toolbar
     [-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
     [#] Key deleted on reboot: [x64] HKCU\Software\YahooPartnerToolbar
     [#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\PriceGong
     [#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\Toolbar

     ***** [ Web browsers ] *****

     [-] [C:\Users\Ken\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
     [-] [C:\Users\Ken\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com

     *************************

     :: "Tracing" keys deleted
     :: Winsock settings cleared

     *************************

     C:\AdwCleaner\AdwCleaner[C0].txt - [2483 Bytes] - [19/09/2016 15:49:22]
     C:\AdwCleaner\AdwCleaner[S1].txt - [2698 Bytes] - [19/09/2016 15:26:57]
     C:\AdwCleaner\AdwCleaner[S2].txt - [2698 Bytes] - [19/09/2016 15:42:16]

     ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2702 Bytes] ##########
  10. Probably should have mentioned, OS is Windows 10 64bit. Shutdown Windows defender prior to JRT scan. Downloaded & ran JRT. Made sure Windows Defender was re-enabled after scan. Requested text file below.. Continuing on to Step 2 (AdwCleaner). Thanks for your help so far! JRT.txt
  11. I've got the Firefox-patch.js popping up every few days now. Came to this forum to get help with removal. Following the recommendation by TwinHeadedEagle I read in another thread, I downloaded the 64bit version of Farbar Recovery Scan Tool to my desktop and ran the scan. I've attached my FRST.txt and Addition.txt logs below. Help with this would be appreciated. FRST.txt Addition.txt