My laptop infected and not able to install malwarebytes


Dear Malware removal advice team,

Sorry for the long post, new member here and pretty much a novice.

My Dell 1347 laptop has been recently infected, like two days back. This happened when I was trying to install a version of PDFXchange viewer from a website, it seemed genuine and hence I went ahead. But, on opening the .exe file though no changes were happening on the desktop window, I could feel that something was wrong, because I could hear my hard drive continuously spinning for some time and my system slowed down during that. After that, when I tried to open my google chrome browser for downloading Avast antivirus (this is because McAfee subscription had expired sometime back), all of a sudden so many pages of chrome would open with some page starting with 123 as address in the address bar. On closing them, this kept on repeating and the same was happening with Microsoft Edge browser too. After I managed to download Avast, this continuous opening was blocked by Avast, but still the homepage that was opening was the same with the 123 address in it. Later, after a bit of searching in the web, came to know that I was infected with adware, malware and PUP and that too a lot of them. As per instruction given in one site, I went ahead and downloaded Spy Hunter, after the scan it showed around 6000 files to be infected and for the removal was asking to buy the premium version of their software. But, since I do not have a credit card (because it's hard to get a credit card where I am from) I couldn't purchase it. Later, after some googling came to know of Malwarebytes and downloaded the same. But, on running the .exe file, it was showing that the certificate is blocked. So, I tried to install file unsigner and after that on trying the installer is opening, but after choosing the language, it is showing an error message, "Runtime error at 47:120, could not call proc". So, as an alternative tried installing ADW cleaner, and ran it after unsigning.
At that time, desktop window showed Mozilla firefox, Big Bang empie, Bigfarm etc and web browsers were opening Luckystarting site. After running ADW cleaner, 30 threats were found and these were cleaned. But, then that removed my Chrome browser too, and now I am not able to install chrome back. Plus I still think my laptop is infected. Please help. I still can see lot of unknown processes running when I check my task manager. Attaching the log file for the first cleaning attempt using ADW cleaner.

AdwCleaner[C2].txt


Hey,

I could finally install Malwarebytes anti malware scanner via Malwarebytes chameleon, and on running the scan found 60 infections, removed them and restarted the PC, but still unable to install google chrome.exe and still some processes running in the task manager seem to be repeating themselves. Scanned using Malwarebytes again and that returned ZERO infections. Attaching the screenshot from task manager as well as the Malwarebytes scan report.

malwarebyte.txt

screenshot.jpg


Hi jakej :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Can you run FRST again and provide me a fresh set of logs (FRST.txt and Addition.txt)? Since Malwarebytes removed quite a bit of stuff, I expect them to be different from the first ones you attached.


Hi Aura/ Yoan,

First of all thanks a lot for taking your time to help me out with this malware issue. Since I was travelling and my laptop was not with me for the last couple of days, I would like to apologize for the delay in posting the requested results for the FRST scan. I assure you that hereafter my responses would be immediate and asap. Kindly go through the attached FRST.txt and Addition.txt of the latest scan. Thanks in advance.

 

Addition.txt

FRST.txt


No problem, it's all good!

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.

  • AlphaGo


If you have an issue when uninstalling a program, please let me know.

After running the FRST fix below, a .zip file will be created on your desktop named "DATE_TIME.zip" with the DATE and TIME being the date and time on which the FRST fix was run. Please upload that file to the link below.

http://www.bleepingcomputer.com/submit-malware.php?channel=194

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Your next reply(ies) should include:

  • Confirmation that you uninstalled the program listed above;
  • Confirmation that you uploaded the .zip file to the link provided above;
  • Copy/pasted content of FRST's fixlog.txt;


Hi Aura,

A small clarification required.

On 5/23/2017 at 5:42 PM, Aura said:

Download the attached fixlist.txt file, and save it on your Desktop

I couldn't find any attachments in your reply.

The program AlphaGo has been uninstalled.

Adding to above issue, I am still unable to install google chrome from a newly downloaded .exe file. Also, it cannot be launched from the chrome shortcut too, "the program this shortcut refers to is missing". However, in the add/ remove program window it shows chrome to be already installed. Kindly help me out so that I may proceed with the steps advised by you.


Hi Aura,

Thank you for the prompt response.

A) Uninstalled the program Alpha Go

B) Ran the fix and uploaded the .zip file to the link provided

C) Here is the copy/ pasted content of the fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version: 24-05-2017
Ran by Jacob (24-05-2017 23:56:57) Run:1
Running from C:\Users\Jacob\Downloads
Loaded Profiles: Jacob (Available Profiles: Jacob & Guest)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
Zip: C:\Program Files (x86)\Anomerck\pihadom.exe;C:\Program Files\YouTube Data Recovery;C:\Program Files (x86)\Bagsarah\Application\chrome.exe;C:\Program Files (x86)\Firefox\Firefox.exe
HKU\S-1-5-21-3459302873-74453530-171219410-1002\...\Run: [GoogleChromeAutoLaunch_BE49B27017FD712DF1E70FE7861589BC] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1143640 2017-05-02] (Google Inc.)
IFEO\GoogleUpdate.exe: [Debugger] 324095823984.exe
IFEO\GoogleUpdaterService.exe: [Debugger] 8736459873644.exe
FF HKLM-x32\...\Firefox\Extensions: [daplinkchecker@speedbit.com] - C:\Program Files (x86)\DAP\daplinkchecker => not found
CHR DefaultProfile: ChromeDefaultData
CHR DefaultSearchURL: ChromeDefaultData -> hxxp://www.luckysearch123.com/search.php?type=ds&ts=1494501982&from=c8350511&uid=st500lt012-1dg142_s3pbc3zkxxxxs3pbc3zk&z=35b1e4fced63f293a08fe29gfz7tezdw3e6oagegcg&q={searchTerms}
CHR DefaultSearchKeyword: ChromeDefaultData -> luck
CHR Profile: C:\Users\Jacob\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-11] <==== ATTENTION
S2 tw676174281; C:\ProgramData\tw676174281.exe [X]
CustomCLSID: HKU\S-1-5-21-3459302873-74453530-171219410-1002_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Jacob\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3459302873-74453530-171219410-1002_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Jacob\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3459302873-74453530-171219410-1002_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Jacob\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
Task: {0BB71898-DE14-4344-9FE5-D64E2C4460FF} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {22C0CBAD-27E6-474C-BAEB-BAD8DE6C991E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {2BC62D3B-F458-464C-9DA0-F16516D6EFEC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {3309AD65-02AE-4CA6-8395-7AF7867ABC26} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
Task: {3EA0C4A2-5FB2-42B5-9BE4-FF5E22E12422} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {428D6217-37B9-4F84-82DF-F5CFBB6B478C} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {5201CCBE-CD86-4615-AE15-3D52D7242B46} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {70096978-2DF2-4810-A795-D9181DF86DD5} - System32\Tasks\{CE7EFCF0-2928-4ECD-9CB0-1B103E334A2B} => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&amp;ver=7.4.0.102&amp;LastError=12002
Task: {998F432D-A7B9-4B9C-BDCC-F0BD4CDA795F} - \Microsoft\Windows\MemoryDiagnostic\VideoMemoryDiagnostic -> No File <==== ATTENTION
Task: {9CBAF803-3F37-4604-BD2B-D3BB211CFCD4} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A1C72A4A-2506-4070-9983-5F28FC93C35C} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {AB6D6F8F-63C8-4EFD-BA7E-654CFC7B183E} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {AE078E7B-935A-4F83-9A65-DE526FA97300} - System32\Tasks\Voqeysocis Schedule => C:\Program Files (x86)\Anomerck\pihadom.exe
Task: {D3C54CAD-09D0-406A-9694-287E5713B482} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {D8931CB5-E042-4383-9931-023FE892F972} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {DC9CA1CE-A29C-405D-AB0E-D267420A456F} - System32\Tasks\YouTube Data Recovery => Rundll32.exe "C:\Program Files\YouTube Data Recovery\YouTube Data Recovery.dll",dAQomlykWESA
Task: {FB334FB1-029C-456C-BF2E-55B4F8915FA1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {FD48E8ED-0286-4CA3-AFFD-CB7A63FDA714} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [135]
HKU\S-1-5-21-3459302873-74453530-171219410-1002\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_BE49B27017FD712DF1E70FE7861589BC"
FirewallRules: [UDP Query User{E3886D7E-C3A5-4947-803C-17721C59AFAD}C:\windows\kmsemulator.exe] => (Allow) C:\windows\kmsemulator.exe
FirewallRules: [TCP Query User{2769AFB6-2FE6-4AF2-81FF-C1A0C1C7D147}C:\windows\kmsemulator.exe] => (Allow) C:\windows\kmsemulator.exe
FirewallRules: [{E3922CD8-4C50-4515-B4D9-14D2A125969B}] => (Allow) C:\Program Files (x86)\MIO\loader\st500lt012-1dg142_s3pbc3zkxxxxs3pbc3zk.dat
FirewallRules: [{28A5CC4D-35AF-4AFA-A098-168732000CDA}] => (Allow) C:\Program Files (x86)\MIO\loader\st500lt012-1dg142_s3pbc3zkxxxxs3pbc3zk.dat
FirewallRules: [{91C72C09-4118-46BF-86F9-1B0E7A8933F2}] => (Allow) C:\Program Files (x86)\Bagsarah\Application\chrome.exe
FirewallRules: [{A56B9E50-A413-4B42-A802-ED1749AB099D}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe
C:\Program Files\84XT6B5U1Z
C:\Program Files\67P153YJL0
C:\Program Files\12W01CVNZF
C:\Program Files\Z8QRTW3C6B
C:\Program Files\XV1ODXPFIA
C:\Program Files\MVR9II9WJ2
C:\Program Files\1NIVBWDOEW
C:\Program Files\MK
C:\Program Files\i7w852aa
C:\Program Files\YouTube Data Recovery
C:\Program Files (x86)\Bagsarah
C:\Program Files (x86)\Firefox
C:\Program Files (x86)\MIO
C:\Program Files (x86)\Anomerck
C:\Program Files (x86)\Anomerck_
C:\Program Files (x86)\Default Company Name
C:\Program Files (x86)\DAP
C:\ProgramData\log.ewbt
C:\ProgramData\log.ewbb
C:\ProgramData\log.binb
C:\Users\Jacob\AppData\Local\Anerhutherlajoied
C:\Users\Jacob\AppData\Local\Setup.exe
C:\windows\kmsemulator.exe
C:\WINDOWS\SysWOW64\00
C:\WINDOWS\SysWOW64\11
C:\WINDOWS\SysWOW64\1111
C:\WINDOWS\SysWOW64\1111111
C:\WINDOWS\SysWOW64\22
C:\WINDOWS\SysWOW64\3333333
EmptyTemp:
*****************
Processes closed successfully.
Restore point was successfully created.
================== Zip: ===================
"C:\Program Files (x86)\Anomerck\pihadom.exe" -> not found
C:\Program Files\YouTube Data Recovery -> copied successfully to C:\Users\Jacob\Desktop\24.05.2017_23.57.38.zip
"C:\Program Files (x86)\Bagsarah\Application\chrome.exe" -> not found
"C:\Program Files (x86)\Firefox\Firefox.exe" -> not found
=========== Zip: End ===========
HKU\S-1-5-21-3459302873-74453530-171219410-1002\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_BE49B27017FD712DF1E70FE7861589BC => value removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\GoogleUpdate.exe => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\GoogleUpdaterService.exe => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\daplinkchecker@speedbit.com => value removed successfully
CHR DefaultProfile: ChromeDefaultData => Error: No automatic fix found for this entry.
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
C:\Users\Jacob\AppData\Local\Google\Chrome\User Data\ChromeDefaultData => moved successfully
HKLM\System\CurrentControlSet\Services\tw676174281 => key removed successfully
tw676174281 => service removed successfully
HKU\S-1-5-21-3459302873-74453530-171219410-1002_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4} => key removed successfully
HKU\S-1-5-21-3459302873-74453530-171219410-1002_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04} => key removed successfully
HKU\S-1-5-21-3459302873-74453530-171219410-1002_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0BB71898-DE14-4344-9FE5-D64E2C4460FF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0BB71898-DE14-4344-9FE5-D64E2C4460FF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{22C0CBAD-27E6-474C-BAEB-BAD8DE6C991E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{22C0CBAD-27E6-474C-BAEB-BAD8DE6C991E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2BC62D3B-F458-464C-9DA0-F16516D6EFEC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BC62D3B-F458-464C-9DA0-F16516D6EFEC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3309AD65-02AE-4CA6-8395-7AF7867ABC26} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3309AD65-02AE-4CA6-8395-7AF7867ABC26} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\McAfee Idle Detection Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3EA0C4A2-5FB2-42B5-9BE4-FF5E22E12422} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3EA0C4A2-5FB2-42B5-9BE4-FF5E22E12422} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{428D6217-37B9-4F84-82DF-F5CFBB6B478C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{428D6217-37B9-4F84-82DF-F5CFBB6B478C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5201CCBE-CD86-4615-AE15-3D52D7242B46} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5201CCBE-CD86-4615-AE15-3D52D7242B46} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{70096978-2DF2-4810-A795-D9181DF86DD5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{70096978-2DF2-4810-A795-D9181DF86DD5} => key removed successfully
C:\WINDOWS\System32\Tasks\{CE7EFCF0-2928-4ECD-9CB0-1B103E334A2B} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{CE7EFCF0-2928-4ECD-9CB0-1B103E334A2B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{998F432D-A7B9-4B9C-BDCC-F0BD4CDA795F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{998F432D-A7B9-4B9C-BDCC-F0BD4CDA795F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MemoryDiagnostic\VideoMemoryDiagnostic => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9CBAF803-3F37-4604-BD2B-D3BB211CFCD4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9CBAF803-3F37-4604-BD2B-D3BB211CFCD4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A1C72A4A-2506-4070-9983-5F28FC93C35C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A1C72A4A-2506-4070-9983-5F28FC93C35C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AB6D6F8F-63C8-4EFD-BA7E-654CFC7B183E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB6D6F8F-63C8-4EFD-BA7E-654CFC7B183E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AE078E7B-935A-4F83-9A65-DE526FA97300} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE078E7B-935A-4F83-9A65-DE526FA97300} => key removed successfully
C:\WINDOWS\System32\Tasks\Voqeysocis Schedule => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Voqeysocis Schedule => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D3C54CAD-09D0-406A-9694-287E5713B482} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D3C54CAD-09D0-406A-9694-287E5713B482} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D8931CB5-E042-4383-9931-023FE892F972} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8931CB5-E042-4383-9931-023FE892F972} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{DC9CA1CE-A29C-405D-AB0E-D267420A456F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DC9CA1CE-A29C-405D-AB0E-D267420A456F} => key removed successfully
C:\WINDOWS\System32\Tasks\YouTube Data Recovery => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\YouTube Data Recovery => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FB334FB1-029C-456C-BF2E-55B4F8915FA1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB334FB1-029C-456C-BF2E-55B4F8915FA1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FD48E8ED-0286-4CA3-AFFD-CB7A63FDA714} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD48E8ED-0286-4CA3-AFFD-CB7A63FDA714} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
C:\ProgramData\TEMP => ":56E2E879" ADS removed successfully.
HKU\S-1-5-21-3459302873-74453530-171219410-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\GoogleChromeAutoLaunch_BE49B27017FD712DF1E70FE7861589BC => value removed successfully
HKU\S-1-5-21-3459302873-74453530-171219410-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_BE49B27017FD712DF1E70FE7861589BC => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{E3886D7E-C3A5-4947-803C-17721C59AFAD}C:\windows\kmsemulator.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{2769AFB6-2FE6-4AF2-81FF-C1A0C1C7D147}C:\windows\kmsemulator.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E3922CD8-4C50-4515-B4D9-14D2A125969B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{28A5CC4D-35AF-4AFA-A098-168732000CDA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{91C72C09-4118-46BF-86F9-1B0E7A8933F2} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A56B9E50-A413-4B42-A802-ED1749AB099D} => value removed successfully
C:\Program Files\84XT6B5U1Z => moved successfully
C:\Program Files\67P153YJL0 => moved successfully
C:\Program Files\12W01CVNZF => moved successfully
C:\Program Files\Z8QRTW3C6B => moved successfully
C:\Program Files\XV1ODXPFIA => moved successfully
C:\Program Files\MVR9II9WJ2 => moved successfully
C:\Program Files\1NIVBWDOEW => moved successfully
C:\Program Files\MK => moved successfully
C:\Program Files\i7w852aa => moved successfully
C:\Program Files\YouTube Data Recovery => moved successfully
"C:\Program Files (x86)\Bagsarah" => not found.
"C:\Program Files (x86)\Firefox" => not found.
C:\Program Files (x86)\MIO => moved successfully
"C:\Program Files (x86)\Anomerck" => not found.
C:\Program Files (x86)\Anomerck_ => moved successfully
"C:\Program Files (x86)\Default Company Name" => not found.
"C:\Program Files (x86)\DAP" => not found.
C:\ProgramData\log.ewbt => moved successfully
C:\ProgramData\log.ewbb => moved successfully
C:\ProgramData\log.binb => moved successfully
C:\Users\Jacob\AppData\Local\Anerhutherlajoied => moved successfully
C:\Users\Jacob\AppData\Local\Setup.exe => moved successfully
"C:\windows\kmsemulator.exe" => not found.
C:\WINDOWS\SysWOW64\00 => moved successfully
C:\WINDOWS\SysWOW64\11 => moved successfully
C:\WINDOWS\SysWOW64\1111 => moved successfully
C:\WINDOWS\SysWOW64\1111111 => moved successfully
C:\WINDOWS\SysWOW64\22 => moved successfully
C:\WINDOWS\SysWOW64\3333333 => moved successfully
=========== EmptyTemp: ==========
BITS transfer queue => 3287339 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 65709404 B
Java, Flash, Steam htmlcache => 1191 B
Windows/system/drivers => 2750700 B
Edge => 137720159 B
Chrome => 266842372 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 1127 B
systemprofile32 => 33 B
LocalService => 96204 B
NetworkService => 170210 B
Jacob => 80318663 B
Guest => 19865 B
RecycleBin => 0 B
EmptyTemp: => 531.1 MB temporary data Removed.
================================

The system needed a reboot.
==== End of Fixlog 23:59:07 ====

Hi Aura,

As I have mentioned in one of the replies before you started assisting me, I tried to install Malwarebytes via the chameleon method and was able to successfully do that and run the program. Would you like me to uninstall the presently installed one and try installing again from the .exe file to check for the error message? 


Hi,

I tried uninstalling the already installed Malwarebytes and installing the newly downloaded one from the link you sent me. At first it was showing the certificate was not valid, hence I used the file unsigner and then gave run as administrator. But, this time too a similar error got displayed, only difference being, instead of Runtime error at 47:120 it gave error at 49:120. Kindly advise.


Hey,

The link you sent me was helpful, I was able to install Malwarebytes after I deleted the certificates for Malwarebytes from the untrusted list. Also I ran a scan with Malwarebytes and no threats found. But, a certain point of concern for me is that there are a whole lot of other certificates of all other antivirus and adware removal software added in that list. Is that normal? Attaching a screenshot for your reference. Thank you.

Untitled.jpg


No, it isn't normal. You can delete every certificate there (from your screenshot). This will allow other security vendor products to be installed in the future. There's currently a new malware (or at least, a variant of an existing family) going around, adding security vendors' certificates to the "Untrusted Certificates" list, which prevents you from installing their programs. I have yet to find a sample for it, and so does Malwarebytes I think, but we're all actively looking for one.

Now that you can install Malwarebytes, please run a scan and provide me the log after.

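The "Untrusted Certificates" list discussed in the posts above is the Windows Disallowed certificate store, and it can be reviewed from PowerShell. The script below is an added example, not part of the thread and not a Malwarebytes or FRST tool. The function names and the vendor name list are assumptions: Malwarebytes, Avast and McAfee are named in the thread, the other names are constructed for illustration.

```powershell
# Added example: review the Disallowed ("Untrusted Certificates") stores for
# entries that would block security vendors' signed installers.
# Run from an elevated prompt so the LocalMachine store can be read and changed.

function Get-DisallowedVendorCert {
    [CmdletBinding()]
    param(
        # Assumption: illustrative vendor names. Only the first three appear in the thread.
        [string[]]$VendorPatterns = @('Malwarebytes', 'Avast', 'McAfee',
                                      'Kaspersky', 'ESET', 'Bitdefender', 'Symantec', 'AVG'),
        [string[]]$StorePaths = @('Cert:\LocalMachine\Disallowed',
                                  'Cert:\CurrentUser\Disallowed')
    )

    # Build one case-insensitive alternation from the escaped vendor names.
    $regex = ($VendorPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($store in $StorePaths) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store       = $store
                Subject     = $_.Subject
                Thumbprint  = $_.Thumbprint
                NotAfter    = $_.NotAfter
                VendorMatch = [bool]($_.Subject -match $regex)
                PSPath      = $_.PSPath
            }
        }
    }
}

function Remove-DisallowedVendorCert {
    # Removes only the entries flagged VendorMatch. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Certificate
    )
    process {
        if (-not $Certificate.VendorMatch) { return }
        $label = '{0} [{1}]' -f $Certificate.Subject, $Certificate.Thumbprint
        if ($PSCmdlet.ShouldProcess($label, 'Remove from Disallowed store')) {
            Remove-Item -LiteralPath $Certificate.PSPath
        }
    }
}

# Review first. Windows itself ships a small number of Disallowed entries
# (revoked or fraudulent certificates), so a non-empty store is expected;
# a block of security vendor subjects is what stands out.
$found = @(Get-DisallowedVendorCert)
$found | Sort-Object Store, Subject |
    Format-Table Store, VendorMatch, Subject, Thumbprint -AutoSize -Wrap

$hits = @($found | Where-Object VendorMatch)
'{0} of {1} disallowed certificates match a security vendor name' -f $hits.Count, $found.Count

# Keep a record before changing anything, then preview the removal:
#   $found | Export-Csv -Path .\disallowed-before.csv -NoTypeInformation
#   $hits  | Remove-DisallowedVendorCert -WhatIf
```

Unflagged entries are left alone by `Remove-DisallowedVendorCert`, so certificates that Windows distrusts on purpose stay in place.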

Hi Aura,

After installing Malwarebytes I ran a scan immediately after and found everything to be fine (no threats detected). Later, to see whether the google chrome installation problem had solved, tried to install chrome and that too was successful. But, today just now tried running another Malwarebytes scan after seeing your post. But, that showed a threat (Adware.Elex). Further I quarantined the item and deleted it via Malwarebytes. Attaching the logs for both the scans. Also, could you just comment on how this infection was not detected in the first scan, but cropped up during the second one?

 

 

Edited by jakej
removed attachments .txt

First scan report

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/27/17
Scan Time: 1:46 AM
Log File: malwarebytes scan1.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.2027
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: JACOBZ\Jacob

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 393122
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 10 min, 54 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

Second scan report

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/27/17
Scan Time: 4:20 PM
Log File: malwarebytes scan.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.2031
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: JACOBZ\Jacob

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 393218
Threats Detected: 1
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 10 min, 59 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.Elex, C:\USERS\JACOB\APPDATA\ROAMING\Grohation, No Action By User, [2], [402156],1.0.2031

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

It's possible that this detection was added later on to Malwarebytes' database. Which means the folder was present when you ran the 1st scan, but not yet flagged by Malwarebytes, and was added to the database by the time you ran the second one.

In the meantime, let's see what JRT and AdwCleaner have to report (if AdwCleaner still has something to find on your system).

Junkware Removal Tool (JRT)

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;

Your next reply(ies) should therefore contain:

  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;

Link to post
Share on other sites
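The explanation at the start of the reply above can be checked against the two posted scan logs. This PowerShell sketch is an added example, not part of the original posts: it compares the Update Package Version of each scan with the version recorded in the trailing field of the detection line. The log excerpts are copied from the logs above; `ConvertFrom-MbamLog` is a hypothetical helper name.

```powershell
# Excerpts of the two scan logs posted above (only the fields compared here).
$scan1 = @'
Scan Time: 1:46 AM
Update Package Version: 1.0.2027
Threats Detected: 0
'@
$scan2 = @'
Scan Time: 4:20 PM
Update Package Version: 1.0.2031
Threats Detected: 1
Adware.Elex, C:\USERS\JACOB\APPDATA\ROAMING\Grohation, No Action By User, [2], [402156],1.0.2031
'@

function ConvertFrom-MbamLog {   # hypothetical helper, not a Malwarebytes tool
    param([string]$Text)
    $r = [ordered]@{ UpdatePackage = $null; Threats = 0; Detections = @() }
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^Update Package Version:\s*(\S+)') {
            $r.UpdatePackage = [version]$Matches[1]
        } elseif ($line -match '^Threats Detected:\s*(\d+)') {
            $r.Threats = [int]$Matches[1]
        } elseif ($line -match '^(?<name>[\w.]+), (?<path>.+?), .*,\s*(?<db>\d+\.\d+\.\d+)$') {
            # Detection line: name, path, ..., trailing version field
            $r.Detections += [pscustomobject]@{
                Name = $Matches.name; Path = $Matches.path; Db = [version]$Matches.db
            }
        }
    }
    [pscustomobject]$r
}

$first  = ConvertFrom-MbamLog $scan1
$second = ConvertFrom-MbamLog $scan2
foreach ($d in $second.Detections) {
    $why = if ($d.Db -gt $first.UpdatePackage) {
        "reported with package $($d.Db), newer than the first scan's $($first.UpdatePackage)"
    } else {
        'definitions unchanged, so the item was probably created between the scans'
    }
    '{0} at {1}: {2}' -f $d.Name, $d.Path, $why
}
```

On the posted logs, the detection's trailing field (1.0.2031) matches the second scan's update package and is newer than the first scan's 1.0.2027, which is consistent with the signature having been added between the two scans.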

Hi,

I ran the AdwCleaner as well as the JRT. Both showed a number of infections. Posting the log reports for both.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64 
Ran by Jacob (Administrator) on 27-May-17 at 17:42:02.88
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 6 

Successfully deleted: C:\ProgramData\productdata (Folder) 
Successfully deleted: C:\Users\Jacob\AppData\Local\installer (Folder) 
Successfully deleted: C:\WINDOWS\system32\Tasks\Driver Booster SkipUAC (Jacob) (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)
Successfully deleted: C:\WINDOWS\wininit.ini (File) 

Registry: 1 

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{8CE44C56-C654-4310-824E-4D52202F4C3F} (Registry Key)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 27-May-17 at 17:46:30.44
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

# AdwCleaner v6.047 - Logfile created 27/05/2017 at 17:50:06
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-26.6 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Jacob - JACOBZ
# Running from : C:\Users\Jacob\Downloads\adwcleaner_6.047.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\ProgramData\VideoMemoryDiagnostic
[#] Folder deleted on reboot: C:\ProgramData\Application Data\VideoMemoryDiagnostic


***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dogpile.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\info.dogpile.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dogpile.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\info.dogpile.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dogpile.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\info.dogpile.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dogpile.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\info.dogpile.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.solvusoft.com


***** [ Web browsers ] *****

[-] [C:\Users\Jacob\AppData\Local\Google\Chrome\User Data\ChromeDefaultData] [homepage] Deleted: hxxp://search.conduit.com/?ctid=CT1547340&SearchSource=48


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1874 Bytes] - [12/05/2017 12:29:18]
C:\AdwCleaner\AdwCleaner[C2].txt - [2996 Bytes] - [13/05/2017 03:14:50]
C:\AdwCleaner\AdwCleaner[C3].txt - [1601 Bytes] - [13/05/2017 15:51:03]
C:\AdwCleaner\AdwCleaner[C4].txt - [4800 Bytes] - [27/05/2017 17:50:06]
C:\AdwCleaner\AdwCleaner[S0].txt - [8240 Bytes] - [12/05/2017 12:12:31]
C:\AdwCleaner\AdwCleaner[S1].txt - [1959 Bytes] - [12/05/2017 12:27:33]
C:\AdwCleaner\AdwCleaner[S2].txt - [2849 Bytes] - [13/05/2017 00:21:22]
C:\AdwCleaner\AdwCleaner[S3].txt - [2823 Bytes] - [13/05/2017 03:07:29]
C:\AdwCleaner\AdwCleaner[S4].txt - [1700 Bytes] - [13/05/2017 15:49:22]
C:\AdwCleaner\AdwCleaner[S5].txt - [5536 Bytes] - [27/05/2017 17:29:03]

########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [5311 Bytes] ##########
 

Link to post
Share on other sites

Adding on, further to running AdwCleaner and JRT, I just happened to find a post on BleepingComputer regarding .elex files, and a method for removing them, which was ESET Online Scanner. So, out of curiosity, I tried running an ESET Online scan and that found around 15 infections/threats. Mostly these were the files already in quarantine by FRST and AdwCleaner. I have deleted those quarantined files via ESET itself.

Link to post
Share on other sites

Hi Aura,

I tried running Malwarebytes and the scan came back clean. So should I assume that my system is clean? Also, attaching a screenshot of my Task Manager. Is it normal to have so many .exe files running for Chrome alone, when only a single window is open for Chrome? I am not so familiar with the new Task Manager layout in Windows 10. So, could you share your thoughts on this one?

Untitled.jpg

Edited by jakej
Link to post
Share on other sites
