
Persistent Adware.Elex



Hi all,

I've been battling adware for around 2 months now. I've been using Malwarebytes' Premium trial for almost a month now (6 days left on the trial.) I had the free version of Malwarebytes before that but something prevented it from starting up (I think it was avast, which was refusing to start its own shields for a while, too.) So for all I know this problem may have started some time last year. Anyhow, over the last few months, I've been trying to fix this with adaware, adwcleaner, Avast Pro, chrome cleanup tool, Hitman Pro, Junkware Removal Tool, Malwarebytes Premium, spyhunter (that was very short lived,) rkill, Roguekiller, secunia, shortcut cleaner, TDSS killer and Zemana...and varying combinations of these scans. To. No. Avail. Malwarebytes picks it up a lot of the time, but then RightCoupon popups show up in my browser and occasionally (and inconsistently) I'm seeing Mandarin characters where I should see icons (like search, cart, heart type icons.) So I decided to search this problem again, this time popping up a result from this forum. So this is the last port of call before I reformat and/or call a computer guy to come fix it for me and I'd really rather not do either of those things. So all of this became a rather long winded way of saying I cannot fix this problem myself, I desperately need some help. (Sorry, I didn't intend for it to become so long winded but I figured some history might help with resolving this.)

I have attached FRST.txt and Addition.txt as instructed. Thanks for your time. 
Cheers!

FRST.txt

Addition.txt


  • Root Admin

Hello @BabyPineapples and welcome.

Sorry for the delay. If your only issue is popups from advertisements, then that is not something most antivirus programs are designed for. There are specific programs designed to help with ad blocking. We can scan your system and see what we find though to make sure there isn't something else there that doesn't belong.

 

Please restart the computer first and then run the following steps and post back the logs when ready. Make sure you temporarily disable your antivirus when running the scans and re-enable it when done.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Okay, but just so it's clear I stopped short of giving my entire backstory here because well, honestly it has become an epic. I'm using both Adblock and uBlock Origin in chrome. I had I think 3 (?) rootkits, (Kitty.exe, Snare, and WinSAP or some other,) and I think a trojan, too, that have been dealt with in the past few weeks. At one point Malwarebytes returned 14000 results (!). The adware and the Mandarin characters that appear on shops are just the most visible of my problems here, and since that and all the other weird browser stuff - I am being perhaps overly concise with that. This all started when Chrome very abruptly shut down then I was prompted to restore it with an alert that was again using Mandarin characters in the bar section, (all my language settings are English US or UK,) so I closed that and opened up chrome again...which started on some search engine I'd never heard of. It also inserted the home button which I never use, and redirected google searches...And mind, this only happens in Chrome. I also have Chrome Canary, Firefox/Firefox dev, Safari, Opera and Avast's safe browser...none of those are affected by this. Anyhow, the strange browser behaviour all started before the rootkits (etc.) were discovered in a few different scans, so I assume they are connected.

Here are the scan results you requested. Sophos found no threats and only prompted me to exit. In fact as far as I can tell, AdwCleaner is the only one to pick up anything, and it was the startpageing123 crap that all this started with. Also since restoring my browser session, these ads are still showing, and the Mandarin characters are also showing where I think a font rather than an image for the icons is used. I have attached some screenshots as well. Hope they are not too large.

 

JRT.txt

AdwCleaner[C7].txt

Addition.txt

FRST.txt

Woolworths Supermarket   Buy Groceries Online.png

Pleated Metallic Cape   Forever 21   2000149077.png

Stock photos  royalty free images   video clips   iStock.png

Trend   Fashion Trends Online   ASOS1.png

Oh K    Oh K  Pocket Mirror.png


  • Root Admin

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the reset sync button and click on the button
At the prompt click on Ok.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please

 

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Restart the computer and let me know if anything is any better or not.

 

 


Okay so have been looking at this. I have had several other things that needed doing in the mean time so this has been quite slow going.

Did the chrome cleanup, then tested. With regards to the second url, I stopped allowing popups a while back with no exceptions. I scanned with Malwarebytes. Things are the same except now (possibly before though as I don't use speakers, just headphones) one of the tabs I opened started playing audio. The message was a computer generated voice telling me that they had detected that my computer was infected with (some virus,) and that it was stealing personal details/banking info etc. and that I should contact the number on my screen (there was none) to work with their techs to remove the virus otherwise they would have to take action to alert the authorities. (The internet police, I presume! Because Australia and every other country online is obviously governed by the same laws with regards to passively spreading viruses and such, right? :P) Just now I got an annoying beeping sound on ebay.

I have been using inspect to have a look around. I think what's happened is the actual blocking part of this is being blocked itself. I am seeing errors in the inspect panel that say something to that effect and I got video of the message that it's blocking (I clicked a link in one. I know, it's bad. But I figure I am infected already, and likely just going to reformat anyhow, I figured it could help in diagnosis and such for others.) Unfortunately, or fortunately depending on your perspective really, the sound didn't record, but I can assure you it was annoying.


I'll try and capture more video if and as I run across these things again. 

This problem is still entirely just google chrome. Google Canary and firefox aren't showing anything of the sorts. I've scanned this evening with adwcleaner, got 3 results, rebooted and the problem is still occurring so I will be performing a few more scans tonight to see if I can resolve it. Will let you know how I go.


  • Root Admin

Yeah, that is a fake BSOD screen trying to trick you into calling them so they can scam you out of hundreds of dollars on your Credit Card.

Please save your bookmarks in Chrome. Then login and delete all cache as it says above. Then uninstall Chrome but DO NOT reinstall it. Then run FRST again and post back both new logs.

Thanks

Ron

 


Hi Ron,

I actually kind of figured that was the next step and uninstalled last night, but did not clear the cache. Is there a way to do it without reinstalling chrome? (I seem to recall that there is, just can't remember how.) I also still have google chrome canary, should I uninstall that as well? It has been completely unaffected as far as I can tell. Even just now some firefox update tool or some such showed up in a hitman pro scan but canary is still going strong. I will have to get back to you with this FRST scan as my desktop seems to have disappeared behind the browser. :unsure:

ETA: logs added

FRST.txt

Addition.txt


Hi again,

Just updating here: I am doing a backup of my files today, just in case this is not resolvable, but I've noticed several icons appearing either on the desktop or in my taskbar. For instance, I uninstalled chrome, and removed the pinned icon from my taskbar yesterday, but today both chrome and firefox are pinned to it. On the desktop there is a new firefox and chrome shortcut, and shortcuts for "Big Bang Empire" and "Big Farm." These names both showed up in the threats of a scan by Malwarebytes (IIRC. I certainly remember "Bagsarah" folder got removed.) Obviously I didn't install these games and the icons have all appeared since removing all that junk.

The target for the Chrome browser is ""C:\Program Files (x86)\Eggper\Application\chrome.exe""

The target for firefox seems legit, but still "C:\Program Files (x86)\Firefox\Firefox.exe"

The target for Big Farm is "C:\Program Files (x86)\Bagsarah\Application\chrome.exe" http://bigfarm.goodgamestudios.com/?w=239064 

The start in path is "C:\Program Files (x86)\Bagsarah\Application"

The target for Big Bang Empire is "C:\Program Files (x86)\Bagsarah\Application\chrome.exe" http://www.bigbangempire.com/?ref=281-000-000-005

And again, Start In is "C:\Program Files (x86)\Bagsarah\Application"

 

Anyway hope this is pertinent/helpful to someone. 
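The shortcut targets listed in the post above share one pattern: a browser binary launched from a directory that is not its vendor install path, in two cases with a URL appended. As an added example (not part of the original thread), this Python check audits Target strings for that pattern; the allow-listed directories, the shortcut names and the function names are assumptions, and the sample targets are copied from the post.

```python
import ntpath
import re

# Assumption: allow-list of default install directories per browser binary.
# The Chrome (x86) path matches the FRST excerpt later in this thread; the
# Firefox paths are the standard Mozilla defaults. Extend for your own hosts.
EXPECTED_DIRS = {
    "chrome.exe": {
        r"c:\program files (x86)\google\chrome\application",
        r"c:\program files\google\chrome\application",
    },
    "firefox.exe": {
        r"c:\program files\mozilla firefox",
        r"c:\program files (x86)\mozilla firefox",
    },
}

URL_ARG = re.compile(r"https?://\S+", re.IGNORECASE)


def split_target(raw):
    """Split a shortcut Target string into (executable path, arguments)."""
    s = raw.strip()
    # Collapse doubled quotes, as in the Chrome target pasted in the post.
    while s.startswith('""'):
        s = s[1:]
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:].strip(), ""
        exe, args = s[1:end], s[end + 1:]
    else:
        # Unquoted target: the executable ends at the first ".exe".
        m = re.match(r"(.*?\.exe)(.*)$", s, re.IGNORECASE | re.DOTALL)
        exe, args = (m.group(1), m.group(2)) if m else (s, "")
    return exe.strip(), args.strip().strip('"').strip()


def audit_shortcut(name, raw_target):
    """Return a list of (code, detail) findings for one shortcut."""
    exe, args = split_target(raw_target)
    folder, binary = ntpath.split(ntpath.normpath(exe))
    binary = binary.lower()
    expected = EXPECTED_DIRS.get(binary)
    findings = []
    if expected is not None and folder.lower() not in expected:
        # A browser-named binary living outside its vendor directory.
        findings.append(("unexpected-dir", folder))
    url = URL_ARG.search(args)
    if url:
        # The shortcut forces a page to open on every launch.
        findings.append(("url-argument", url.group(0)))
    if expected is not None and binary.rsplit(".", 1)[0] not in name.lower():
        # Shortcut labelled as something else but launching a browser.
        findings.append(("name-mismatch", binary))
    return findings


# Targets copied from the post; shortcut names are constructed labels.
SAMPLES = [
    ("Google Chrome",
     r'""C:\Program Files (x86)\Eggper\Application\chrome.exe""'),
    ("Firefox",
     r'"C:\Program Files (x86)\Firefox\Firefox.exe"'),
    ("Big Farm",
     r'"C:\Program Files (x86)\Bagsarah\Application\chrome.exe" '
     r'http://bigfarm.goodgamestudios.com/?w=239064'),
    ("Big Bang Empire",
     r'"C:\Program Files (x86)\Bagsarah\Application\chrome.exe" '
     r'http://www.bigbangempire.com/?ref=281-000-000-005'),
    # Constructed control: a shortcut to the vendor install path.
    ("Google Chrome (control)",
     r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"'),
]

if __name__ == "__main__":
    for name, target in SAMPLES:
        result = audit_shortcut(name, target)
        status = "REVIEW" if result else "ok"
        print(f"{status:6} {name}")
        for code, detail in result:
            print(f"         {code}: {detail}")
```

On a live system the Target and Arguments fields would come from the `.lnk` files on the desktop, taskbar and Start Menu rather than from pasted strings.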


  • 2 weeks later...

Sorry to hear that! I do hope you're well now though at least. 

I am still fighting this battle, but have mostly been away from my computer these last couple weeks house sitting. The same problems - I uninstalled chrome and firefox, only edge, opera and chrome canary remain, yet I still had a chrome link appear on my desktop, and a chrome link and a firefox link pinned to taskbar. Big bang empire and Big Farm links also re-appeared on my desktop, all linking to new directories (Shutdear and Hippig IIRC, though these all sound like they might be randomly generated anyhow.) When I went to update a program (Rogue Killer, I think,) it opened chrome. It had a home button displayed, which was one of the first things I noticed was different about Chrome when this all started, so I checked and luckystarting or some such was the home page. I've done a few scans since - each one picks up different things. Adwcleaner seems to have gotten much of it though I'm expecting Rogue Killer will find more.


  • Root Admin

Yes, Chrome is a very annoying program to uninstall. I really wish Google would stop this practice. They make it almost like self-protective malware to repair, reinstall itself and put files, folders, registry settings all over the computer. Certainly not the awesome browser it was years ago. I do not even have Chrome installed on my home computers as I just do not care for their practice of coding and making it difficult to do a "clean removal" easily.

If you're trying to do a clean removal of Chrome, please disable any linked accounts inside of Google login. Then uninstall Chrome, and reboot. Then run FRST again and attach both new logs and I will review and help you to fully remove Chrome.

 


Really! I thought it was the malware spoofing chrome or something. Chrome was definitely my favorite browser, but that is very dodgy. 

 

Anyway, I've uninstalled Chrome Canary (removed my profile and all browsing data and everything, seemed to work as well as it opened a survey up in edge,) and I ran FRST. Attached are the FRST and Addition txt files.

 

 

Addition.txt

FRST.txt


  • Root Admin

 

The logs indicate that Google Chrome was not removed and the computer restarted before a new FRST scan was run. Google Chrome is up and running and installed in these logs.

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 58.0.3029.96 - Google Inc.)
Google Chrome Canary (HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\Google Chrome SxS) (Version: 60.0.3093.1 - Google Inc.)
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\libglesv2.dll
C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.96\libegl.dll
FirewallRules: [{B9603A8C-BB4E-46AC-9FAE-51B1C261044C}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CustomCLSID: HKU\S-1-5-21-1581611794-1634886039-3925248525-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1581611794-1634886039-3925248525-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1581611794-1634886039-3925248525-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1581611794-1634886039-3925248525-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1581611794-1634886039-3925248525-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1581611794-1634886039-3925248525-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1581611794-1634886039-3925248525-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll (Google Inc.)
Task: {6D9CE2E8-FCCA-4E9B-A7C6-88BBE899E4F0} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000UA => C:\Users\Amber\AppData\Local\Google\Update\GoogleUpdate.exe [2017-04-21] (Google Inc.)
Task: {771577F7-0E02-400E-BC9E-93CF28AD9720} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000Core => C:\Users\Amber\AppData\Local\Google\Update\GoogleUpdate.exe [2017-04-21] (Google Inc.)
Task: {B176E126-9309-4902-A583-6AAF8BBBFF1E} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000UA1d2ba4498e9d12a => C:\Users\Amber\AppData\Local\Google\Update\GoogleUpdate.exe [2017-04-21] (Google Inc.)
Task: {DCD1CF26-C1F1-42D8-A24B-BE2C9EE11501} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-04-11] (Google Inc.)
Task: {EE97EACF-561F-4299-920F-6D0FE13A976B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-04-11] (Google Inc.)
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000Core.job => C:\Users\Amber\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000UA.job => C:\Users\Amber\AppData\Local\Google\Update\GoogleUpdate.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\Run: [Google Update] => C:\Users\Amber\AppData\Local\Google\Update\1.3.33.5\GoogleUpdateCore.exe [601168 2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-1581611794-1634886039-3925248525-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-1581611794-1634886039-3925248525-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Amber\AppData\Local\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/","hxxp://www.startpageing123.com/?type=hp&ts=1489361979&z=43e2bb84d992c99931ab3a7g5zbb2t4cbqag8t1m5t&from=che0812&uid=WDCXWD10EZEX-00BN5A0_WD-WCC3F4JZ6VPKZ6VPK"
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default [2017-05-09]
CHR Extension: (Google Slides) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-11]
CHR Extension: (Entanglement Web App) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2017-04-11]
CHR Extension: (Google Art Project) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\akimgimeeoiognljlfchpbkpfbmeapkh [2017-04-11]
CHR Extension: (Google Docs) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-11]
CHR Extension: (Google Drive) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-11]
CHR Extension: (YouTube) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-11]
CHR Extension: (Add to Amazon Wish List) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciagpekplgpbepdgggflgmahnjgiaced [2017-04-11]
CHR Extension: (uBlock Origin) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-04-23]
CHR Extension: (MakeGIF Video Capture) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhdjbfjheoohmhpakglckehdcgfffbl [2017-04-20]
CHR Extension: (Email this page (by Google)) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbeoemfhkdniadbojeencpkgmobndpai [2017-04-11]
CHR Extension: (Dropbox for Gmail) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpdmhfocilnekecfjgimjdeckachfbec [2017-04-11]
CHR Extension: (Adobe Acrobat) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-04-11]
CHR Extension: (Mobile/Responsive Web Design Tester) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\elmekokodcohlommfikpmojheggnbelo [2017-04-11]
CHR Extension: (Avast SafePrice) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-04-11]
CHR Extension: (Google Sheets) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-11]
CHR Extension: (KB SSL Enforcer) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\flcpelgcagfhfoegekianiofphddckof [2017-04-11]
CHR Extension: (Google Docs Offline) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-11]
CHR Extension: (Pastebin.com) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghipmampnddcpdlppkkamoankmkmcbmh [2017-04-11]
CHR Extension: (AdBlock) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-04-14]
CHR Extension: (Avast Online Security) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-04-11]
CHR Extension: (Pinterest Save Button) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2017-04-22]
CHR Extension: (WhatFont) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm [2017-04-11]
CHR Extension: (AUSkey for Chrome) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmegndhbalhkegdidohofafobbcabine [2017-04-11]
CHR Extension: (Poppit!) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2017-04-11]
CHR Extension: (Google Mail Checker) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff [2017-04-11]
CHR Extension: (ProgrammerAppeal) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\nffmonhnmojnphlkppocceaclkncgknn [2017-04-11]
CHR Extension: (RSS Subscription Extension (by Google)) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbjncdgjeocebhnmkbbbdekmmmcbfjd [2017-04-11]
CHR Extension: (Moqups · Mockups, Wireframes & Prototyping) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfbhphohgafllkjnakmdppmmkjfbnke [2017-04-11]
CHR Extension: (Awesome Screenshot: Screen capture, Annotate) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlipoenfbbikpbjkfpfillcgkoblgpmj [2017-04-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-11]
CHR Extension: (Buffer) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\noojglkidnpfjbincgijbaiedldjfbhh [2017-05-06]
CHR Extension: (Gmail) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-11]
CHR Extension: (Chrome Media Router) - C:\Users\Amber\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-28]
CHR HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmegndhbalhkegdidohofafobbcabine] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
C:\Users\Amber\AppData\Roaming\Google
2017-04-21 12:12 - 2017-05-08 20:29 - 00002507 _____ C:\Users\Amber\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome Canary.lnk
2017-04-21 12:11 - 2017-04-28 15:29 - 00003710 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000UA1d2ba4498e9d12a
2017-04-21 12:11 - 2017-04-28 15:29 - 00003442 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000Core1d2ba4498909841

 

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

 

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AdobeUpdateService => 2
MSCONFIG\Services: AGSService => 2
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: Apple Mobile Device Service => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: c2cautoupdatesvc => 2
MSCONFIG\Services: c2cpnrsvc => 2
MSCONFIG\Services: dbupdate => 2
MSCONFIG\Services: dbupdatem => 3
MSCONFIG\Services: DbxSvc => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: Intel(R) PROSet Monitoring Service => 2
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: MBAMService => 2
MSCONFIG\Services: Mobile Broadband HL Service => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: OpenVPNService => 3
MSCONFIG\Services: Origin Client Service => 3
MSCONFIG\Services: Origin Web Helper Service => 2
MSCONFIG\Services: PlaysService => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\startupreg: BingSvc => C:\Users\Amber\AppData\Local\Microsoft\BingSvc\BingSvc.exe
MSCONFIG\startupreg: EADM => "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart
MSCONFIG\startupreg: Raptr => "C:\Program Files (x86)\Raptr\raptrstub.exe" --startup
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\steam.exe" -silent
HKLM\...\StartupApproved\StartupFolder: => "WinZip Preloader.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Update Notifier.lnk"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run: => "WindowsDefender"
HKLM\...\StartupApproved\Run: => "ZAM"
HKLM\...\StartupApproved\Run32: => "Acrobat Assistant 8.0"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "Raptr"
HKLM\...\StartupApproved\Run32: => "Dropbox"
HKLM\...\StartupApproved\Run32: => "PlaysTV"
HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\StartupApproved\Run: => "Adobe Acrobat Synchronizer"
HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\StartupApproved\Run: => "Icecream_Screen_Recorder_Prefetcher"
HKU\S-1-5-21-1581611794-1634886039-3925248525-1000\...\StartupApproved\Run: => "Screenpresso"
2017-04-11 21:42 - 2017-04-28 08:12 - 00003416 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-04-11 21:42 - 2017-04-28 08:12 - 00003292 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-05-03 08:05 - 2015-09-29 14:49 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-21 22:26 - 2016-07-21 15:13 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000UA.job
2017-04-21 22:26 - 2016-07-21 15:13 - 00000874 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1581611794-1634886039-3925248525-1000Core.job
2017-04-21 12:12 - 2015-09-29 14:48 - 00000000 ____D C:\Users\Amber\AppData\Local\Google
2017-04-11 21:43 - 2015-09-29 14:48 - 00000000 ____D C:\Program Files (x86)\Google
2017-03-23 19:57 - 2017-03-23 19:57 - 47921768 _____ (Google Inc.) C:\Users\Amber\AppData\Local\Temp\{91B8341F-D3C5-4FD2-B6CC-0B2870DCE50A}-59.0.3049.0_chrome_installer.exe

 


Also see the following article as you have many of these folders from Adobe.

Adobe tempzxpsign…… Temporary Files
http://blog.nalates.net/2016/11/12/adobe-tempzxpsign-temporary-files/

https://forums.adobe.com/message/8870807

 


  • Root Admin

Okay then, sorry you had to go that way, but if done right a clean fresh install of Windows will run much faster and smoother than one that's been running for years.

I'll go ahead then and close your topic.

Take care and stay safe out there. Might want to check out some System Imaging style backup in case of future rebuild needs.

Backup Software


Cheers

Ron

 

This topic is now closed to further replies.