Scorpion Saver Won't go away Windows 7 Home Professional



I seem to have joined the ranks of those with Scorpion Saver problems. Every time I start up, a dialog appears indicating:

C:\Users\Comput~\AppData\Local\Temp\CT3153924\Plugins\TBVerifier.dll

I ran Malwarebytes Pro in Safe Mode and the scan showed a PUP.Optional Scorpion Saver in the Registry, so I deleted it. Rebooted in normal startup but I still get the dialog box indicated above. I also have Windows Essentials but it never seems to catch anything.

 

Here's the log from the scan showing Scorpion Saver:

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.07.04

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 11.0.9600.16428
computer doctor :: COMPUTERDOCTOR [administrator]

Protection: Disabled

12/7/2013 8:42:20 AM
mbam-log-2013-12-07 (08-42-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220356
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AdpeakProxy (PUP.Optional.ScorpionSaver) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

Link to post

Hello WhiteriverSpike and welcome to Malwarebytes forum.

Please follow my guidance, and refrain from doing any other "fixes" on your own.

If you have any questions, please make the time, stop, and ask me first.

This pest, Scorpion Saver, can be a challenge to fully remove. But have lots of patience and faith.

As much as possible, keep the Windows in regular mode. As long as it starts and is useable, we can get by the dll message as we get further.

Task 1

Close all of your open program windows, saving any of your open work documents, if any.

This next procedure will do a system restart when it finishes.

Download TFC by OldTimer to your desktop

http://oldtimer.geekstogo.com/TFC.exe

Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator.)

It will close all programs when run, so make sure you have saved all your work before you begin.

Click the "Start" button to begin the process. Depending on how often you clean temp files. Let it run uninterrupted to completion.

If prompted to reboot, reply "Yes".

Task 2

Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Look down the screen to "Action for potentially unwanted programs (PUP)" <== VERY important

& look down the screen to "Action for potentially unwanted modifications (PUM)"

& "Action for peer-to-peer software (P2P)"

For each one of the 3, by clicking the down arrow (on each one, one at a time), select "Show in results list and check for removal" from the drop-down (arrow) selections. <==

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, how is the system?

Task 3

Show all files in Windows 7:

Press and hold Windows-key+E key on keyboard to start Windows Explorer.

From the Windows Explorer menu options, Select Tools, then Folder Options.

Next click the View tab.

Locate and uncheck "Hide protected operating system files (Recommended)".

Locate and click "Show hidden files and folders and drives".

Click Apply > OK.

Task 4

Download OTL by OldTimer to your desktop:

http://oldtimer.geekstogo.com/OTL.exe

Close all open windows on the Task Bar. Then run OTL (for Vista, or Windows 7 or 8, right-click the icon and Run as Administrator) to start the program.

In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".

Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes or so. In any event, have lots of infinite patience.

It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.

Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!

Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: http://screen317.spywareinfoforum.org/SecurityCheck.exe

Run Security Check

Follow the onscreen instructions inside of the command window.

A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

Then attach the following into your post

OTL.txt

Extras.txt

checkup.txt

Re-enable your antivirus program.

Link to post

Didn't find anything:

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.07.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16428
computer doctor :: COMPUTERDOCTOR [administrator]

Protection: Enabled

12/7/2013 10:07:07 AM
mbam-log-2013-12-07 (10-07-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 309404
Time elapsed: 43 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Link to post

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
OTL Extras logfile created on: 12/7/2013 12:39:57 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\computer doctor\Downloads
 Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16428)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.94 Gb Total Physical Memory | 1.77 Gb Available Physical Memory | 60.24% Memory free
5.87 Gb Paging File | 4.68 Gb Available in Paging File | 79.65% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 50.65 Gb Free Space | 67.96% Space Free | Partition Type: NTFS
 
Computer Name: COMPUTERDOCTOR | User Name: computer doctor | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- C:\Program Files\Advanced System Protector\filetypehelper.exe -scanunknown "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B0F4DF5-A2F4-41BE-86AC-57B4B66E2FDA}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{137AB172-315B-4E8F-B984-43C657A2385F}" = rport=138 | protocol=17 | dir=out | app=system |
"{22F5C30E-76A9-4D9C-AC24-A4127F59F4B6}" = rport=137 | protocol=17 | dir=out | app=system |
"{311F16CB-802C-4653-BEBC-C1A638B7B316}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{4C069967-6411-4D77-BA8C-BEB94FE135A4}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5B184C41-2AA1-4A8C-A512-46C914F4DE15}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5D739ADB-1A31-4EB6-ABF6-43A99F3E2149}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{60B598BE-E1AF-4D2B-AE44-5C947424679A}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{6FE001F6-2067-40D6-B758-FDEF395A0224}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{84C82858-F870-4864-A778-D0C21096E3BD}" = lport=137 | protocol=17 | dir=in | app=system |
"{86CD0D07-BAE7-47DC-93DF-3BBA10DBB782}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{88A92B51-B94F-4E31-9CEE-2C71E090F370}" = rport=10243 | protocol=6 | dir=out | app=system |
"{8A7C9B18-9600-4C32-94A7-B2D56F0D1C3F}" = rport=445 | protocol=6 | dir=out | app=system |
"{8B8AED50-3729-45A4-B25A-D4D55A5BACDC}" = lport=139 | protocol=6 | dir=in | app=system |
"{922A420D-65EA-45A6-B78C-D9F71663DC48}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{932D11BD-B990-494E-B7E1-26CEF2ACBAEC}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A241772B-88F4-471E-8F84-464FB3589C60}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A4FCB1D3-C383-4FBB-8B5D-C110129B2D6F}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{AA4CD8C8-529E-4739-9316-4409C74DA5D5}" = lport=445 | protocol=6 | dir=in | app=system |
"{AEEB26FB-517A-40E8-ACD8-F17ADAFA07EC}" = lport=138 | protocol=17 | dir=in | app=system |
"{B2F0D6DE-AA80-4427-B187-91B385513FF1}" = rport=139 | protocol=6 | dir=out | app=system |
"{BA53B11F-742B-4622-ACE2-61D42CE531EC}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{BABFB79F-8D11-482A-9947-1FC83E951720}" = lport=2869 | protocol=6 | dir=in | app=system |
"{C5BEB18C-E9C2-4031-8627-723FEF6AF690}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CBC22F05-CC3F-4957-8CFB-FC0B57363D0A}" = lport=10243 | protocol=6 | dir=in | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{08E6AAC0-7E78-4F39-83EC-79C4232B7C2A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1F1B64AF-CD92-45C1-9298-8108F4DC6915}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{208FA78F-BFF6-451A-A4D5-86DC689CE7F3}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{234F000C-8280-4AB7-B137-3783262BEEF9}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{29F05E61-D90E-4845-9699-514AF9C61183}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{2BA18724-2668-4985-80C1-CA74D38C15A7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{2C5E6C6B-EB41-43DB-BCA2-6A56CA3405F6}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{33C5077E-97D4-4868-B191-66ABE71DEBC9}" = dir=in | app=c:\users\computer doctor\appdata\local\microsoft\skydrive\skydrive.exe |
"{5CADE2AE-ED03-4F16-8A2E-8CFF3B64F80A}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6E3C8963-4ABF-463E-9468-9801673D91BE}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{77501DF9-A3EC-46CC-8D09-6BA9858494AC}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{AB859E84-158C-4A4B-BE87-1B02011AD798}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{B4CE166C-71A8-4EC5-A967-D58E6132AD4A}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{B9650176-22D2-456D-A612-FB81CAAE4143}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{C949991C-EC7B-494C-9C31-25A6A685F0BE}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{CB925668-A712-4F17-A797-A4419ADCBB73}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{CC50F856-D30D-48A4-991A-81830A582195}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{E9EED122-5BA8-478B-B721-6424D8B16BFE}" = protocol=6 | dir=out | app=system |
"{FFB9C3B1-9029-4D53-B25D-306AC58EFECB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{03D562B5-C4E2-4846-A920-33178788BE00}" = Windows Live Communications Platform
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0CD47142-BA4F-46B0-AA92-2675864928B8}" = Microsoft Security Client
"{0F929651-F516-4956-90F2-FFBD2CD5D30E}" = Photo Gallery
"{0FF9CC94-EF23-401E-BDBD-37403D1A2B38}" = Windows Live SOXE Definitions
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83217045FF}" = Java 7 Update 45
"{2AC01935-3774-4981-98C8-14E93C14372C}" = Windows Live UX Platform Language Pack
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{45898170-E68C-4F02-AA35-C2186BF347A3}" = Movie Maker
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3
"{4F524A2D-5637-4300-76A7-A758B70C0700}" = Ask Toolbar
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{54C8FE84-89C4-40E8-976C-439EB0729BD6}" = CardRd81
"{5A0EE0F0-E909-4F3B-B437-AAD9252427CB}" = Windows Live Installer
"{5E094C92-6288-4F43-AA9A-D452D0218F3F}" = Windows Live Essentials
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{6389F199-1D6C-4974-9557-693F9DD48736}" = Windows Live Writer Resources
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6B6923B9-8719-425B-916C-CD2908F31AAF}" = Windows Live SOXE
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7C6F0282-3DCD-4A80-95AC-BB298E821C44}" = Windows Live Writer
"{8256F87F-8554-4457-8C3D-3F3324697D9F}" = Windows Live ID Sign-in Assistant
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89870E0D-9602-41F8-9E83-14F6849346A4}" = Windows Live Mail
"{89C7E0A7-4D9D-4DCC-8834-A9A2B92D7EBB}" = Photo Gallery
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E14DDC8-EA60-4E18-B3E3-1937104D5BDA}" = MSVCRT110
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C6D5C94-386A-4DE7-B99F-523D3F167B9A}" = Windows Live Messenger
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAA94EAA-40A4-458C-9D86-D1DA765B51D5}" = Windows Live Writer
"{AAF91344-2808-4D6B-9242-FBE5AF79D60A}" = Windows Live Family Safety
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B286BAC3-CBE6-4854-BF68-EB72A34CEA56}" = Windows Live Messenger
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B39A6825-EA20-43EA-AB2D-A6BC0298D9A1}" = Movie Maker
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{BF286606-9E68-472C-BAEA-41162F2BF4D1}" = Windows Live Family Safety
"{C6B0EE9E-2128-4448-B7AE-5E2B46E0F0E7}" = Windows Live Photo Common
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D604900F-A275-416C-AF9D-CDEDF58B72DB}" = Windows Live Mail
"{D8E4163F-7ED2-429A-B8C5-C7CE5B797831}" = Windows Live MIME IFilter
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DD7C5FC1-DCA5-487A-AF23-658B1C00243F}" = Photo Common
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E3445598-4424-4EE2-B71C-C23325F7FB71}" = Windows Live PIMT Platform
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{EFBCA571-617D-484A-9ECA-E301BB6D0750}" = Windows Live Writer
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E58739-2B4C-498F-9B0D-FF0F2FD52B61}" = Windows Live UX Platform
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F40711CD-60B3-45F5-85C5-F1AA400C1B6E}" = QuickShare
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F6F30C28-38AA-4DBA-AE0B-7E30238E61BB}" = Junk Mail filter update
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1" = Advanced System Protector
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Illustrator 9.0.1" = Adobe Illustrator 9.0.1
"Adobe SVG Viewer" = Adobe SVG Viewer
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Google Chrome" = Google Chrome
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 25.0.1 (x86 en-US)" = Mozilla Firefox 25.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NVIDIA Drivers" = NVIDIA Drivers
"Pdf995" = Pdf995yName
"Revo Uninstaller" = Revo Uninstaller 1.95
"WinLiveSuite" = Windows Live Essentials
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"SkyDriveSetup.exe" = Microsoft SkyDrive
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 12/6/2013 11:41:58 PM | Computer Name = computerdoctor | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = Cryptographic Services failed while processing the OnIdentity() call
 in the System Writer Object.  Details: AddWin32ServiceFiles: Unable to back up image
 of service Soda PDF 5 Service since QueryServiceConfig API failed  System Error: The
 system cannot find the file specified.  .
 
Error - 12/7/2013 12:46:28 AM | Computer Name = computerdoctor | Source = ESENT | ID = 455
Description = Windows (3940) Windows: Error -1811 occurred while opening logfile
 C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00047.log.
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 9000
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 7040
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 7042
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 9002
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 3029
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 3029
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 3028
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 3058
Description =
 
Error - 12/7/2013 12:46:29 AM | Computer Name = computerdoctor | Source = Windows Search Service | ID = 7010
Description =
 
Error - 12/7/2013 12:47:29 AM | Computer Name = computerdoctor | Source = Application Error | ID = 0
Description =
 
Error - 12/7/2013 1:41:27 AM | Computer Name = computerdoctor | Source = VSS | ID = 8194
Description =
 
Error - 12/7/2013 12:08:22 PM | Computer Name = computerdoctor | Source = Customer Experience Improvement Program | ID = 1008
Description =
 
[ System Events ]
Error - 12/7/2013 10:48:07 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:48:07 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:50:48 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:50:48 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:50:48 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:52:55 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:52:55 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:52:55 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
 to start because of the following error:   %%1068
 
Error - 12/7/2013 10:55:59 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
   Null
 
Error - 12/7/2013 11:56:35 AM | Computer Name = computerdoctor | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
  It has done this 1 time(s).
 
 
< End of report >

 

Link to post

@whiteriverspike

 

I need for you to attach the other report-file from OTL run .....  the one named OTL.txt

Please arrange for that, so I can review it.

That one is really the meat and potatoes of that tool.

 

Also, do this quick run at your next chance.

Save the attached W7SERV.zip file to the Desktop.

 

Now, extract all content to the desktop. You will see a W7serv.bat file.

Do a right-click on it and select Run as Administrator and allow it to run.

 

This should run quickly in a command-prompt window and at its end, will Restart your system.

 

Once I see your other OTL report and have the opportunity to digest it, I will get back with you.

 

As we go along, keep me advised as to that "TBVerifier.dll" .... if you are getting any "message" on it.

W7SERV.zip

Link to post

Hello,

I would suggest that you not try to do the dll error hunt on your own.

If the OTL txt is too long, do what you can to either attach the file as an attachment or the other way, Copy and paste contents into the reply body --- even if you had to do it in 2 separate replies.

Though I must say, an attachment would be best.

 

In order to attach files you click on the button on the bottom right of your reply called "More Reply Options".  


After that, you will be taken to a new screen, and you can attach files by clicking on the button "Choose Files" at the bottom.

 

Once you have located and picked the file, then you click on the "Attach This File" button.

 


 

 

I may as well get you to do this one too  _  make that reply in a separate one.

Close all non-essential programs & windows that you have open.
Go to http://www.silentrunners.org/sr_download.html
and download & SAVE Silent Runners.vbs (use IE to download it) to a new folder on your drive and run it.

The 1st link on the right is the one to use. Do a Right-click and select SAVE AS  & guide the save to your folder.


The How-to use page for this tool  http://www.silentrunners.org/sr_scriptuse.html

On XP, double-click the VBS file to start the run.
On Vista / WIN7 / 8 ... do a Right-click on Silent Runners.vbs  and select Run as Administrator and allow to run

It generates a log too (name will start with "Startup Programs").

It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created).

If your AV queries the script, allow it to run. It's not malicious. It simply generates a report on your system, and does not do any cleanup.

The output-report file will be in the same directory as the script. The name will always start with the words, "Startup Programs"
Please save it to your system. Please attach a copy of it into a new reply.

 

NOTE:

The W7SERV procedure is only intended to be used one time.  That was only intended to square away some important Windows 7 services into standard/default settings.

It is not in any way meant to address the DLL issue, which, by the way, is most likely just a harmless trace of a leftover toolbar dll.
 

Link to post

 

 

Home Page | The Script | Download | Launch Points | Terms of Use | Procedures | Thanks | SAXPAR | Win 8 Install | Contact

Silent Runners

Oops! You’re trying to reach a page that doesn’t exist.

Try clicking on one of the top menu choices to go to a known page and start over from there.

Copyright 2013 by Andrew Aronoff

 

 

 

This is what I get going to the link you suggested.

Link to post

Hello.

No, you are not all clear. There still shows 1 trace of the ad-related ( from Conduit ) dll which we will cleanup shortly in this next procedure.

There are also a few more issues:

A number of unwanted adwares and search hijackers lying around. Conduit, Crossrider, Snapdo.

For example, traces of Conduit in IE browser + Firefox. Snapdo in Chrome.

NOTE: On the SilentRunners, if you did run that script, the report log will be present where you had the VBS file.

The output-report file will be in the same directory as the script. The name will always start with the words, "Startup Programs"

Now then, let's start with the remaining cleanups:

Don't let the sheer size of the list overwhelm you. They won't take that long to run. It is much better for you to be more thorough. At the end of this, your system will be in a whole lot better shape and safer and cleaner.

Task 1

You will want to print out or copy these instructions to Notepad for offline reference!

Temporarily disable your antivirus program and close any programs that you started.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

http://www.bleepingcomputer.com/forums/index.php?showtopic=114351

Download the attached file OTLWHITE.txt and SAVE to your DESKTOP

Start NOTEPAD

Check and make sure "word wrap" is off.

From Notepad main menu bar, Select F (format) and make sure Word Wrap is NOT checked.

IF it -is- checkmarked, click that one time so that it is un-checked.

Open the OTLWHITE.txt that you saved

Copy ALL the lines to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Please double-click OTL.exe to run it. (Note: If you are running on Windows 7/8 or Vista, right-click on the file and choose Run As Administrator).

Right click in the Custom fix block box (under the aqua-blue bar) and choose Paste.

Close any browser(s) windows that may be open.

Using your mouse, click on the red-lettered button RUN FIX

Once you see a message box "Fix complete! Click OK to open the fix log."

Click the OK button

The log will open in Notepad (your default text editor).

Save the log. Attach that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes.

In this case, after the reboot, navigate to the C:\_OTL\MovedFiles folder, and look for the .LOG file, and ATTACH that document into your reply.

Task 2

To Reset Firefox to its default state:

Start Firefox

in the address bar, type in

about:support

Click on the Reset Firefox button at top right of screen.

While in Firefox, press Shift+CTRL+Delete keys and delete temporary internet cache files.

Still in Firefox, on main menu, choose Tools >>> Options

click the General tab

Under the Downloads block

IF the SAVE files to is selected, then Click on (to select) Always ask me where to save files

Then press OK button

Also see http://support.mozilla.org/en-US/kb/reset-preferences-fix-problems?s=reset+search+options&r=2&as=s

Task 3

Start Google Chrome browser.

Press & hold SHIFT+CTRL+Del keys to get menu for clearing browsing data:

Check "Empty the cache"

"Delete cookies and other site and plug-in data"

and press Clear browsing data button

Still in Chrome, press ALT+F then Settings

Click Extensions on the left.

Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.

Also see these Google - Chrome articles and take appropriate measures !!

Reset browser settings

https://support.google.com/chrome/answer/3296214

Search engine and other settings taken over by an unwanted program

https://support.google.com/chrome/answer/2765944?hl=en&ref_topic=3227046

Task 4

Start your MBAM MalwareBytes' Anti-Malware.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a QUICK Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Task 5

Close any open work documents, if any, saving your work.

Make sure to close any other programs that you started before.

Please download Junkware Removal Tool by Thisisu to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7 or 8, right-mouse click JRT.exe and select Run as administrator.
  • The tool will open and display information and disclaimer in a Command prompt window.
  • I'd suggest you close all internet browsers at this point.
  • Press a key on keyboard to start scanning your system.
  • Please be very patient as this will take several minutes to complete, depending on your system's specifications.
  • There are approximately 12 phases or so in this tool. You will see each phase listed in the Command prompt window.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open. And the command prompt will have been closed.
  • Please post the contents of JRT.txt into a new reply.
  • Re-enable your security software.
Task 6

Please download "AdwCleaner" & Save to your Desktop from

http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner

Close any open documents/programs & all internet browsers you have running.

If you are running Windows XP, double click "adwcleaner.exe" to start it.

Otherwise, Right-click on "adwcleaner.exe" and select Run As Administrator to launch the application.

Now click on the "Clean" button.

Confirm each time with OK.

Your computer will be rebooted automatically. A text file will open after the restart. Please attach that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[s1]

OTLWHITE.txt


last scan:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.08.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16428
computer doctor :: COMPUTERDOCTOR [administrator]

Protection: Enabled

12/8/2013 3:26:48 PM
mbam-log-2013-12-08 (15-26-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 222977
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 


JRT scan:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x86
Ran by computer doctor on Sun 12/08/2013 at 15:47:06.16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [service] APNMCP
Successfully deleted: [service] APNMCP



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\apntbmon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dealplylive.exe
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113}



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\default tab
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\distromatic
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbarbackup
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbarlog
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduitsearchscopes
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\smartbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\systweak
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\visualbee
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\alxssb.alxtbssb
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\alxssb.alxtbssb.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\alxtb2.toolbarproxy
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\alxtb2.toolbarproxy.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.bandobjectattribute
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.dockingpanel
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.iesmartbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.iesmartbarbandobject
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.smartbardisplaystate
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.smartbarmenuform
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\speedupmypc
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\quickshare_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\quickshare_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3153924
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3287811
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3306061
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3311875
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3317420
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\mconduitinstaller_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EA1C467F-C493-44F8-85C1-DFF97B990FB1}
Successfully deleted: [Registry Key] "hkey_current_user\software\askpartnernetwork"
Successfully deleted: [Registry Key] "hkey_local_machine\software\askpartnernetwork"



~~~ Files

Successfully deleted: [File] C:\Windows\System32\Tasks\Dealply
Successfully deleted: [File] C:\Windows\Tasks\Dealply.job
Successfully deleted: [File] "C:\end"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\apn"
Successfully deleted: [Folder] "C:\ProgramData\conduit"
Successfully deleted: [Folder] "C:\ProgramData\systweak"
Successfully deleted: [Folder] "C:\ProgramData\visualbee"
Successfully deleted: [Folder] "C:\Users\computer doctor\AppData\Roaming\systweak"
Successfully deleted: [Folder] "C:\Users\computer doctor\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\computer doctor\appdata\local\cre"
Successfully deleted: [Folder] "C:\Users\computer doctor\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\computer doctor\appdata\locallow\pricegong"
Successfully deleted: [Folder] "C:\Users\computer doctor\appdata\locallow\smartbar"
Successfully deleted: [Folder] "C:\Program Files\advanced system protector"
Successfully deleted: [Folder] "C:\Program Files\conduit"
Successfully deleted: [Folder] "C:\Program Files\dealply"
Successfully deleted: [Folder] "C:\Program Files\mypc backup"
Successfully deleted: [Folder] "C:\Program Files\optimizer pro"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\advanced system protector"
Successfully deleted: [Folder] "C:\Program Files\askpartnernetwork"



~~~ Chrome

Successfully deleted: [Folder] C:\Users\computer doctor\appdata\local\Google\Chrome\User Data\Default\Extensions\amfclgbdpgndipgoegfpkkgobahigbcl
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/08/2013 at 15:50:19.39
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


AdwCleaner:

# AdwCleaner v3.014 - Report created 08/12/2013 at 16:19:13
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : computer doctor - COMPUTERDOCTOR
# Running from : C:\Users\computer doctor\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Level Quality Watcher
Folder Deleted : C:\Users\computer doctor\AppData\Local\NativeMessaging
Folder Deleted : C:\Users\COMPUT~1\AppData\Local\Temp\apn
Folder Deleted : C:\Users\computer doctor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam
Folder Deleted : C:\Users\computer doctor\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg
Folder Deleted : C:\Users\computer doctor\AppData\Local\Google\Chrome\User Data\Default\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil
File Deleted : C:\Program Files\Mozilla Firefox\browser\nsprotector.js
File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\sweettunes_search.xml
File Deleted : C:\Windows\System32\Tasks\Advanced System Protector
File Deleted : C:\Windows\System32\Tasks\Advanced System Protector_startup

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam
Key Deleted : HKCU\Software\Google\Chrome\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg
Key Deleted : HKCU\Software\Google\Chrome\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1D0B44DE-C0E3-4BE4-AE54-AD7E4422307D}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D0B44DE-C0E3-4BE4-AE54-AD7E4422307D}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{676D5DBC-4638-4223-BDC7-86D007C591AC}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{676D5DBC-4638-4223-BDC7-86D007C591AC}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A385DA1F-475C-45B1-8792-05451F9EB3CA}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A385DA1F-475C-45B1-8792-05451F9EB3CA}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1F02FB61-2BE5-4C16-8199-AEAA16EB0342}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{51F04BD6-3888-4849-864C-617FAE709CE0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C953EC4-8CFA-44FB-B32E-1249E5505091}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E4E394E0-D331-431F-B76D-E3A19193D5F6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E57091A7-B5F0-4C42-9329-72ED3E59ED31}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Alexa Internet
Key Deleted : HKCU\Software\WEDLMNGR
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\computer doctor\AppData\Roaming\Mozilla\Firefox\Profiles\sw33ew90.default-1386536504101\prefs.js ]


-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\computer doctor\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : icon_url
Deleted : search_url
Deleted : suggest_url
Deleted : keyword
Deleted : homepage
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [5469 octets] - [08/12/2013 16:16:54]
AdwCleaner[s0].txt - [5139 octets] - [08/12/2013 16:19:13]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [5199 octets] ##########
 


This topic is now closed to further replies.
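
As an added example (not part of the original thread and not code from JRT, AdwCleaner or Malwarebytes), this Python script sorts the removal lines from the JRT and AdwCleaner logs posted above by the startup or browser hook each item used, which shows where the adware had anchored itself. The category labels, function names and path patterns are assumptions made for this example; the sample lines are excerpted from the two logs.

```python
import re
from collections import defaultdict

# Lines excerpted from the JRT and AdwCleaner logs posted in this thread.
SAMPLE_LOG = r"""
Successfully stopped: [service] APNMCP
Successfully deleted: [service] APNMCP
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\apntbmon
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dealplylive.exe
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
Successfully deleted: [File] C:\Windows\System32\Tasks\Dealply
Successfully deleted: [Folder] "C:\Program Files\conduit"
File Deleted : C:\Windows\System32\Tasks\Advanced System Protector_startup
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1D0B44DE-C0E3-4BE4-AE54-AD7E4422307D}
Key Deleted : HKCU\Software\Google\Chrome\Extensions\pbjikboenpfhbbejgkoklgkhjpfogcam
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\Software\Uniblue
"""

# JRT line shape: "Successfully deleted: [Registry Key] <target>"
JRT_LINE = re.compile(
    r"^Successfully (?:deleted|stopped): \[(?P<kind>[^\]]+)\] (?P<target>.+)$")
# AdwCleaner line shape: "Key Deleted : <target>", optionally prefixed "[#] ".
# Only the kinds that appear in the log above are recognised.
ADW_LINE = re.compile(
    r"^(?:\[#\] )?(?P<kind>Key|File|Folder) Deleted : (?P<target>.+)$")

# Path fragments marking an autostart or browser hook (matched on lowercased targets).
RULES = [
    ("autorun (Run key)", r"\\currentversion\\run\\"),
    ("Image File Execution Options entry", r"\\image file execution options\\"),
    ("scheduled task", r"\\windows\\(system32\\)?tasks\\|\\schedule\\taskcache\\"),
    ("browser extension", r"\\chrome\\(user data\\.*\\)?extensions\\"),
    ("IE toolbar / search scope", r"\\internet explorer\\(toolbar|searchscopes)\\"),
]

def classify(kind, target):
    """Return the mechanism label for one removed item."""
    if kind.lower() == "service":
        return "service"
    lowered = target.lower()
    for label, pattern in RULES:
        if re.search(pattern, lowered):
            return label
    return "other trace"

def summarize(log_text):
    """Group removed items by mechanism; repeated targets collapse to one entry."""
    groups = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        match = JRT_LINE.match(line) or ADW_LINE.match(line)
        if not match:
            continue  # headers, separators and blank lines
        target = match["target"].strip().strip('"')
        groups[classify(match["kind"], target)].add(target)
    return {label: sorted(items) for label, items in groups.items()}

if __name__ == "__main__":
    for label, items in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {len(items)}")
        for item in items:
            print(f"    {item}")
```

Run against a full saved log (for example the text of JRT.txt), the "other trace" group holds leftover keys and folders, while the remaining groups list the items that could relaunch the adware at boot, logon or browser start.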