Sub

Members
Posts: 7
Reputation: 0 Neutral
  1. The AdwCleaner process got split into two logs because a restart didn't occur after the first scan. I did a subsequent scan and restart. Adw1.txt, Adw2.txt, RogueKiller.txt
  2. Sorry, I've been distracted by work. I went ahead and did the things you requested, but when I try to paste the contents into my post I am given this message: Would you like me to attach the logs instead?
  3. Does this result mean that some of the things installed by the malware aren't malicious? For instance, I still have Degas (listed in the FRST log as being installed at the timestamp when all the nasties were put on) on my pc, and its folder houses docility and the docility.dll as well as whatever that "Doped" program is, and I guess Dawdling is still there, and the two tasks put in System32 named "thudding" and "thuddingthudding". I was able to delete the above manually at this point, something the system wouldn't allow me to do earlier, so I hope that is sufficient in removing them. Here is the result of the MBAM scan:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 7/1/18
     Scan Time: 11:34 AM
     Log File: 02fc222c-7d55-11e8-9b16-bc5ff41ac965.json
     Administrator: Yes

     -Software Information-
     Version: 3.5.1.2522
     Components Version: 1.0.374
     Update Package Version: 1.0.5715
     License: Free

     -System Information-
     OS: Windows 10 (Build 17134.112)
     CPU: x64
     File System: NTFS
     User: DESKTOP-L8ONDEA\isaac

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 308105
     Threats Detected: 1
     Threats Quarantined: 0
     (No malicious items detected)
     Time Elapsed: 4 min, 58 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 1
     PUP.Optional.SweetPacks, C:\USERS\ISAAC\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Removal Failed, [188], [455283],1.0.5715

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)
  4. Contents of Fixlog.txt:

     Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
     Ran by isaac (30-06-2018 14:54:59) Run:1
     Running from C:\Users\isaac\Desktop
     Loaded Profiles: isaac (Available Profiles: isaac)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
     CMD: bcdedit.exe /set {default} recoveryenabled yes
     *****************

     ========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

     The operation completed successfully.

     ========= End of CMD: =========

     ========= bcdedit.exe /set {default} recoveryenabled yes =========

     The operation completed successfully.

     ========= End of CMD: =========

     ==== End of Fixlog 14:54:59 ====
  5. Okay, now that I have my initial post successfully created, I'm going to include as much of the information that I wanted to include in the first place as I can without it getting flagged as spam (?). A bit ridiculous. A direct copy/paste of parts of my original post follows: So, after the MBAM scan and subsequent quarantine and removal I no longer get the audio pop-under webpages, which is a start. However, this isn't my first malware rodeo, so I began looking for processes that I didn't recognize. I found several, including a service that I had zero luck killing because the system deemed it a "protected process". What I found was the service "nirzhotsvc", which I fully believe to be tied to other items created around the suspected time of infection. You'll see it just after the 2018-06-29 22:42 timestamp, which is where the malware-related things seem to start. I'll see processes in my Task Manager for things like "Docility", "Doped 32bit" and "Dawdling"; the latter I believe to be the thing that controlled the audio ads, since those pages would sometimes hang and my pc would tell me that "Dawdling was not responding", so I may have killed that part of the malware since I no longer experience those. I am concerned about "nirzhotsvc" though, since I found that it has been placed in System32, and I can't get rid of the applications created around the time of infection because they are "in use", by this service I suspect. Thank you for your time.
  6. I'm going to have to share most of my information in a follow-up post since the forum keeps telling me my post has wording consistent with spam (????). I'm going to gut this initial post so I can get it to even post to the forum at all. Problem: Had the All-Radio program. Deleted it manually via Windows. Ran MBAM last night and found plenty of threats, including yelloader trojans. Quarantined and removed those, including a system restart. This ended the pop-under audio ads I was getting, but I know I still have unwanted processes/programs on my pc. Logs are included from this morning. Note that this is not the MBAM log that cleaned the trojans; that would be last night, if it automatically made a log (I didn't tell it to). FRST.txt, Addition.txt, MBAM.txt