[SVCVMX.exe] Removed using MBAR, Stuck in boot

[Diligence]

This is a continuance of a previous topic I created which I am unable to reply to after the topic was locked and reopened.

here is the original topic: 

 

[kevinf80]

I`ve just sent a new fix via PM, you can post results back to this thread...

[Diligence]

Sorry about the wait.

Here is the newest logs requested.

FRST.txt

Addition.txt

[kevinf80]

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Please open Malwarebytes Anti-Malware.

Please open Malwarebytes Anti-Malware.   On the Settings tab > Protection Scroll to and make sure the following are selected: Scan for Rootkite Scan within Archives   Scroll further to Potential Threat Protection make sure the following are set as follows: Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended) Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)   Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. With some infections, you may or may not see this message box. 'Could not load DDA driver'   Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following:   Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Post those logs, also give an update on remaining issues/concerns... Thank you, Kevin

 

 

fixlist.txt

[Diligence]

here is the new fixlog.

the PC is restarting now, I will post the results from mbam when i get them.

Fixlog.txt

[kevinf80]

Thanks for the update/log. Post Malwarebytes log when ready.... Also let me know how your PC is responding, any issues or concerns...

[Diligence]

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/27/17
Scan Time: 2:37 AM
Log File: bfe93cbf-a356-11e7-91a2-00ffe0795a89.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2896
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 552638
Threats Detected: 76
Threats Quarantined: 76
Time Elapsed: 1 hr, 3 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 19
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AnonymizerGadget, Quarantined, [1570], [364596],1.0.2896
PUP.Optional.REOptimizer, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CloudExtender, Quarantined, [7619], [412227],1.0.2896
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE, Quarantined, [5399], [425124],1.0.2896
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\CONSOLE\TASKENG.EXE, Quarantined, [5399], [425125],1.0.2896
PUP.Optional.SpecialSearchOffer.ShrtCln, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\SpecialSearchOffer, Quarantined, [8666], [405205],1.0.2896
Adware.REOptimizer, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\119, Quarantined, [7038], [417947],1.0.2896
PUP.Optional.PrimeUpdater, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\PRIMEUPDATER, Quarantined, [1157], [404850],1.0.2896
PUP.Optional.BetterAds, HKLM\SOFTWARE\WOW6432NODE\betterads, Quarantined, [492], [383836],1.0.2896
PUP.Optional.SpringFiles, HKLM\SOFTWARE\WOW6432NODE\SrpnFiles, Quarantined, [2930], [182876],1.0.2896
Adware.IStartSurf, HKLM\SOFTWARE\WOW6432NODE\MBS_INSTALL, Quarantined, [812], [401921],1.0.2896
Adware.BetterAds.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\winsrcsrv_RASAPI32, Quarantined, [5891], [407460],1.0.2896
Adware.BetterAds.PrxySvrRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\winsrcsrv_RASMANCS, Quarantined, [5891], [407460],1.0.2896
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{85CAE2DB-F222-4539-8E2F-CF07506D7612}, Quarantined, [1162], [356684],1.0.2896
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AGProxyCheck, Quarantined, [1162], [356698],1.0.2896
Adware.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564, Quarantined, [1741], [424293],1.0.2896
PUP.Optional.BetterAds, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{376CA350-6C34-4F10-B8DC-586F8CA03009}_is1, Quarantined, [492], [383837],1.0.2896
PUP.Optional.Spoutly, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{730E03E4-350E-48E5-9D3E-4329903D454D}, Quarantined, [7407], [386530],1.0.2896
Trojan.Clicker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup, Quarantined, [21], [377136],1.0.2896

Registry Value: 18
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-21-1247558443-1730035855-211264144-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-21-1247558443-1730035855-211264144-501\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-21-1247558443-1730035855-211264144-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\S-1-5-21-1247558443-1730035855-211264144-501\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [1162], [-1],0.0.0
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Quarantined, [1162], [-1],0.0.0
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE|WINDOWPOSITION, Quarantined, [5399], [425124],1.0.2896
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_WINDOWSPOWERSHELL_V1.0_POWERSHELL.EXE|WINDOWPOSITION, Quarantined, [5399], [425126],1.0.2896
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\CONSOLE\TASKENG.EXE|WINDOWPOSITION, Quarantined, [5399], [425125],1.0.2896
Adware.REOptimizer, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\119|DISPLAYNAME, Quarantined, [7038], [417947],1.0.2896
PUP.Optional.AnonymizerGadget, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ANONYMIZERGADGET|DISPLAYICON, Quarantined, [1570], [364612],1.0.2896
PUP.Optional.PrimeUpdater, HKU\S-1-5-21-1247558443-1730035855-211264144-1001\SOFTWARE\PRIMEUPDATER|ADDPARTSCHECK, Quarantined, [1157], [404850],1.0.2896
Adware.IStartSurf, HKLM\SOFTWARE\WOW6432NODE\MBS_INSTALL|CHANNEL, Quarantined, [812], [401921],1.0.2896
PUP.Optional.AnonymizerGadget.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{85CAE2DB-F222-4539-8E2F-CF07506D7612}|PATH, Quarantined, [1162], [356684],1.0.2896
PUP.Optional.CustomNewTab, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|@CUSTOMNEWTAB, Quarantined, [2011], [344390],1.0.2896

Registry Data: 14
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{309129DF-40FB-444C-9BAE-176C16836360}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{3A9DC65E-112B-40C1-B6B7-072FEB01F07D}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{3A9DC65E-112B-40C1-B6B7-072FEB01F07D}|DhcpNameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{4C6AE50F-77B4-4BEE-A608-BE54339F5E62}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{4DC21152-C0F3-4B8A-AD2E-B0B5693725FD}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{52658E3E-6CF5-4D6C-87D7-C08552340D09}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{55818A8D-FFD8-4859-A514-A7AE0E7F715E}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{55818A8D-FFD8-4859-A514-A7AE0E7F715E}|DhcpNameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{E0795A89-9A7A-4453-ACE6-4AA4F25FCF4C}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{FED7B254-E990-48B6-9A68-F0BC79347413}|NameServer, Replaced, [1741], [-1],0.0.0
Adware.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{FED7B254-E990-48B6-9A68-F0BC79347413}|DhcpNameServer, Replaced, [1741], [-1],0.0.0

Data Stream: 0
(No malicious items detected)

Folder: 5
PUP.Optional.BlockAdsPro, C:\USERS\CONNOR\APPDATA\ROAMING\MICROSOFT\BLOCKADSPRO, Quarantined, [8793], [421128],1.0.2896
PUP.Optional.AnonymizerGadget.PrxySvrRST, C:\USERS\CONNOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ANONYMIZERGADGET, Quarantined, [1162], [329210],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Users\connor\AppData\Roaming\AGData\bin, Quarantined, [1570], [338259],1.0.2896
PUP.Optional.AnonymizerGadget, C:\USERS\CONNOR\APPDATA\ROAMING\AGDATA, Quarantined, [1570], [338259],1.0.2896
PUP.Optional.AnonymizerGadget, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET, Quarantined, [1570], [364596],1.0.2896

File: 20
PUP.Optional.AnonymizerGadget.PrxySvrRST, C:\USERS\CONNOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ANONYMIZERGADGET\ANONYMIZERGADGET.LNK, Quarantined, [1162], [329210],1.0.2896
PUP.Optional.AnonymizerGadget, C:\USERS\CONNOR\APPDATA\ROAMING\AGDATA\CONFIG.JSON, Quarantined, [1570], [338259],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Users\connor\AppData\Roaming\AGData\bin\add.json, Quarantined, [1570], [338259],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Users\connor\AppData\Roaming\AGData\bin\AGLoader.dll, Quarantined, [1570], [338259],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Users\connor\AppData\Roaming\AGData\add.json, Quarantined, [1570], [338259],1.0.2896
PUP.Optional.CustomNewTab, C:\USERS\CONNOR\APPDATA\ROAMING\MOZILLA\FIREFOX\@CUSTOMNEWTAB.XPI, Quarantined, [2011], [344394],1.0.2896
PUP.Optional.AnonymizerGadget.PrxySvrRST, C:\WINDOWS\SYSTEM32\TASKS\AGPROXYCHECK, Quarantined, [1162], [356709],1.0.2896
PUP.Optional.AnonymizerGadget, C:\PROGRAM FILES (X86)\ANONYMIZERGADGET\AGUTILS.DLL, Quarantined, [1570], [364596],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Program Files (x86)\AnonymizerGadget\AGLoader.dll, Quarantined, [1570], [364596],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Program Files (x86)\AnonymizerGadget\AGService.exe, Quarantined, [1570], [364596],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Program Files (x86)\AnonymizerGadget\AnonymizerLauncher.exe, Quarantined, [1570], [364596],1.0.2896
PUP.Optional.AnonymizerGadget, C:\Program Files (x86)\AnonymizerGadget\uninstaller.exe, Quarantined, [1570], [364596],1.0.2896
PUP.Optional.S5Mark, C:\USERS\CONNOR\DESKTOP\S5.LNK, Quarantined, [1032], [384361],1.0.2896
PUP.Optional.SysTweak, C:\WINDOWS\SYSTEM32\ROBOOT64.EXE, Quarantined, [238], [395666],1.0.2896
Trojan.Clicker, C:\WINDOWS\SYSTEM32\TPRDPW64.EXE, Quarantined, [21], [399773],1.0.2896
PUP.Optional.REOptimizer, C:\USERS\CONNOR\APPDATA\LOCAL\UNINSTALLCE.EXE, Quarantined, [7619], [412227],1.0.2896
Rootkit.Agent.PUA, C:\PROGRAMDATA\MALWAREBYTES' ANTI-MALWARE (PORTABLE)\NDISTPR64.SYS-K.MBAM, Quarantined, [6035], [384893],1.0.2896
PUP.Optional.OpenCandy, C:\USERS\CONNOR\APPDATA\ROAMING\UTORRENT\UPDATES\3.4.2_37754.EXE, Quarantined, [520], [431539],1.0.2896
PUP.Optional.GameHack, C:\PROGRAM FILES (X86)\CHEAT ENGINE 6.5\STANDALONEPHASE1.DAT, Quarantined, [689], [393793],1.0.2896
Adware.InstallMonster, C:\USERS\CONNOR\DOWNLOADS\PHONERESCUE-3.2.ZIP, Quarantined, [120], [417100],1.0.2896

Physical Sector: 0
(No malicious items detected)

(end)

 

Seems to be running much smoother. 

the startup process is still a little slower than normal.

no other obvious issues yet.

[Diligence]

One thing I notice actually is every time I open a website.. anything from google.com to malwarebytes.com, I get a notification from mbam that "betteradsoftware.com" was blocked.

Edited September 28, 2017 by Diligence

[kevinf80]

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 

[Diligence]

FRST.txt

Addition.txt

[kevinf80]

Thanks for those logs, continue as follows...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Post those logs, also tell me if the blocks cease when you are surfing... Thanks, Kevin...

 

 

fixlist.txt

[Diligence]

here is the newest fixlog. downloading adwcleaner now.

Fixlog.txt

[Diligence]

Seems to be persistent.. 

Attached is a screenshot of SpecialSearchOffer trying to re-enable itself immediately after running AdwCleaner and restarting.

Obviously I clicked "Remove from chrome".

Below is the pasted AdwCleaner log.

# AdwCleaner 7.0.3.0 - Logfile created on Fri Sep 29 15:44:54 2017
# Updated on 2017/28/09 by Malwarebytes 
# Running on Windows 8.1 (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

Deleted: C:\END

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKU\S-1-5-21-1247558443-1730035855-211264144-1001\Software\Microsoft\Tinstalls
Deleted: [Key] - HKCU\Software\Microsoft\Tinstalls
Deleted: [Key] - HKLM\SOFTWARE\MPC
Deleted: [Key] - HKLM\SOFTWARE\xs
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\s5m
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
Deleted: [Key] - HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
Deleted: [Value] - HKU\S-1-5-21-1247558443-1730035855-211264144-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|cmd
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: SpecialSearchOffer - 

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [2438 B] - [2017/9/29 15:42:1]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

Edited September 29, 2017 by Diligence
more info

[kevinf80]

Lets make a clean re-install of Chrome, see if that helps......

If your Chrome Bookmarks are important do this first: Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks..... Continue for a clean install: Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html Remove all synced data from Chrome go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essntial that any/all synced data is removed when the browser is hijacked or exploited in anyway... Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!! Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata) For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Install Google Chrome : Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb Install DrWeb Link Ant-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en Any improvement...?

[Diligence]

followed all your instructions carefully.

immediately after opening chrome I get the notification again .

attached is a screenshot.

[kevinf80]

I assume from your reply that all synced data was cleared, try the following...

Run Chrome cleanup tool from here: https://www.google.com/chrome/cleanup-tool/

Next,

Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Please download Zemana AntiMalware and save it to your Desktop.   Install the program and once the installation is complete it will start automatically. Without changing any options, press Scan to begin. After the short scan is finished, if threats are detected press Next to remove them. Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.   Open Zemana AntiMalware again. Click on icon and double click the latest report. Now click File > Save As and choose your Desktop before pressing Save. Attach saved report in your next message. Next, Scan with HitmanPro In any case don't remove on your own anything that Hitman Pro detects! This scanner is really good for checking, it has however been known for deleting files instead of curing them, in some cases this may render the machine unbootable. Any removals will be done manually after careful analysis of the scan results! Please download HitmanPro by SurfRight and save it to your desktop. Temporary disable your AntiVirus and AntiSpyware protection - instructions here.   Right-click on icon and select Run as Administrator to start the tool. If the program won't run please run it while holding down the left CTRL key until it's loaded! Click on the Next button. You must agree with the terms of EULA (if asked). Check the box beside No, I only want to perform a one-time scan to check this computer. Click on the Next button. The program will start to scan the computer. It would only take several minutes. When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore. If there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro!Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it it your next reply. Click on the Next button. Click on the Save Log button. Save that file to your desktop. Please include that logfile in your next reply. Don't forget to re-enable your security! Let me see those logs, also give an update on any remaining issues or concerns... Thank you, Kevin....

 

[Diligence]

Updated adwcleaner and ran the scan; found and removed one result.

Here is the adwcleaner log:

# AdwCleaner 7.0.3.1 - Logfile created on Mon Oct 02 17:18:38 2017
# Updated on 2017/29/09 by Malwarebytes 
# Database: 09-29-2017.1
# Running on Windows 8.1 (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [2262 B] - [2017/9/29 15:44:54]
C:/AdwCleaner/AdwCleaner[S0].txt - [2438 B] - [2017/9/29 15:42:1]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########

 

I previously installed Zemana when I first attempted to rid my machine of svcvmx.exe and it appears my trial license has expired..

I am unable to perform this scan without purchasing a license for the product.

Here are the results from Hitman: HitmanPro_20171002_1349.log

[kevinf80]

Zemana should revert to free version after trial finishes, scans should be availabe in that mode...

Run Hitman Pro again, this time to not change found entries to "Ignore" leave as "Delete" or "Quarantine" hit the next tab then follow prompts to deal with the found entries...

what happens with Chrome now, does the rogue extension comeback...?

Edited October 3, 2017 by kevinf80

[kevinf80]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!