Malware keeps changing my browser home page.

June 12, 2015 at 07:01:56
Specs: Windows 7
My computer recently picked up a program (or programs?) which installed itself without permission and changed several settings including my browser home page. I've managed to remove all of these programs I can find although there may be others I'm not aware of (they don't appear in the list of installed programs when I go to Control Panel, so I have to find them manually).
I've also run a complete system scan with BitDefender and it's come up clean.

I've fixed most issues, but my browser home page still keeps getting changed back to some nonsense. Even if I change this setting to what it should be, the next time I open the browser it'll be changed back. This suggests that either there's still an unwanted program installed that I haven't found yet, or one of those I've since removed has changed a setting elsewhere in my computer which keeps overwriting my browser's home page setting.

My question is essentially, how do I fix this? If it's a program doing this, how do I find it considering it doesn't appear in the list of installed programs (the others I removed didn't either). And if it's a setting, what could possibly do this and how do I change it back? My browser is Firefox, if that helps. IE is installed, although I never use it, and it seems to be unaffected.

On a related matter, this program shouldn't even have been able to install in the first place. I wasn't installing anything at the time, so I didn't accidentally give something permission when I shouldn't have. It just kind of turned up. Is there anything I can do to prevent programs like this from installing themselves without permission?

message edited by UlyssesBlue
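
The symptom described above (a homepage that reverts every time the browser opens) usually means the value is being re-applied from somewhere outside the browser's settings UI. As an added example, not code from this thread or from any of the tools named in it, the Python script below reads the two files where that happens for the browsers in this thread: Firefox's profile `prefs.js` and `user.js` (Firefox re-reads `user.js` on every start and copies its values over `prefs.js`), and Chrome's `Preferences` JSON (homepage, startup URLs, default search provider `search_url`, installed extension ids, which are the settings the cleaner logs later in the thread report on). Anything whose host is not on an allowlist you supply is reported. Assumptions: the Firefox pref names are the Firefox 38-era ones (`browser.newtab.url` was later removed by Mozilla); the sample inputs, the `.invalid` hostnames and the extension ids are constructed for the demo.

```python
import json
import re
from urllib.parse import urlparse

# Firefox: prefs.js is written by the browser itself, but user.js (if present in the
# profile) is re-read at every start and its values are copied over prefs.js.  A
# homepage planted in user.js therefore "comes back" each time the browser is opened.
# Both files use lines of the form:  user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.MULTILINE)

# URL-bearing Firefox prefs to check (assumption: names as used by Firefox 38-era
# profiles; browser.newtab.url was removed by Mozilla in later releases).
FIREFOX_URL_PREFS = ("browser.startup.homepage", "browser.newtab.url")


def parse_prefs_js(text):
    """Return {pref_name: value} from prefs.js / user.js text; string quotes are stripped."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def untrusted_urls(value, allowed_hosts):
    """Split a setting on '|' (Firefox's multi-homepage separator) and return the entries
    whose host is not on the allowlist.  Built-in about: pages are never flagged."""
    bad = []
    for url in str(value).split("|"):
        url = url.strip()
        if not url or url.startswith("about:"):
            continue
        host = urlparse(url).hostname
        if host is None or host.lower() not in allowed_hosts:
            bad.append(url)
    return bad


def audit_firefox(prefs_js, user_js, allowed_hosts):
    """Findings for one Firefox profile as (source_file, pref_name, offending_url)."""
    findings = []
    for source, text in (("prefs.js", prefs_js), ("user.js", user_js)):
        prefs = parse_prefs_js(text or "")
        for pref in FIREFOX_URL_PREFS:
            for url in untrusted_urls(prefs.get(pref, ""), allowed_hosts):
                findings.append((source, pref, url))
    return findings


def audit_chrome(preferences_json, allowed_hosts, allowed_extension_ids=()):
    """Findings for a Chrome 'Preferences' file as (setting, offending_value).  The keys
    read are the ones the cleaner logs in this thread report on: homepage, startup URLs,
    the default search provider's search_url and the installed extension ids."""
    p = json.loads(preferences_json)
    checks = [
        ("homepage", p.get("homepage", "")),
        ("session.startup_urls", "|".join(p.get("session", {}).get("startup_urls", []))),
        ("default_search_provider.search_url",
         p.get("default_search_provider", {}).get("search_url", "")),
    ]
    findings = []
    for setting, value in checks:
        for url in untrusted_urls(value, allowed_hosts):
            findings.append((setting, url))
    for ext_id in p.get("extensions", {}).get("settings", {}):
        if ext_id not in allowed_extension_ids:
            findings.append(("extensions.settings", ext_id))
    return findings


# --- constructed sample inputs (hosts under .invalid and the extension ids are made up) ---
ALLOWED_HOSTS = {"www.example.com"}
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("browser.startup.page", 1);
'''
SAMPLE_USER_JS = '''
// planted file: re-applied at every launch, so the homepage set in the UI never sticks
user_pref("browser.startup.homepage", "http://www.example.com/|http://search.hijack.invalid/?pid=1");
user_pref("browser.newtab.url", "http://search.hijack.invalid/newtab");
'''
SAMPLE_CHROME_PREFS = json.dumps({
    "homepage": "http://www.hijack.invalid/",
    "session": {"startup_urls": ["http://www.example.com/", "http://www.hijack.invalid/"]},
    "default_search_provider": {"search_url": "http://search.hijack.invalid/?q={searchTerms}"},
    "extensions": {"settings": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {},
                                "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {}}},
})
KNOWN_EXTENSIONS = ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",)

if __name__ == "__main__":
    for f in audit_firefox(SAMPLE_PREFS_JS, SAMPLE_USER_JS, ALLOWED_HOSTS):
        print("firefox", *f)
    for f in audit_chrome(SAMPLE_CHROME_PREFS, ALLOWED_HOSTS, KNOWN_EXTENSIONS):
        print("chrome", *f)
```

On a real machine, point the functions at the files under the Firefox profile folder and Chrome's `User Data\Default` folder; a hit in `user.js` is the usual explanation for a homepage that "changes back", and Chrome additionally keeps a signed copy of some of these values in `Secure Preferences`, which is why hand-editing `Preferences` alone may not stick either.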

June 12, 2015 at 07:38:03
Ok, I managed to partially solve this issue. I downloaded a program called Junkware Removal Tool, ran it, and it just fixed everything, including a few old issues I thought I'd resolved and removed in full. Only took a few minutes. I'm not entirely clear on what the issue was in the end, only that this tool successfully fixed it.

The only issue that remains is preventing this from happening again.

Junkware Removal Tool can be found here:
To get it just click "Download", then click "Mirror 1".

June 12, 2015 at 10:08:31
Well done for finding one utility that deals with these pests...

You might also benefit from running two others as well; as each utility goes after different pests...

Run in this order:



One of the most frequent ways in which unwanted junkware, pests/malware etc. get in is the automatic installation option, usually pre-checked (for "your convenience"): NEVER use it. ALWAYS use the custom or MANUAL OPTION, and carefully uncheck all those little boxes "so helpfully" pre-checked. Ensure you install only the utility or whatever you actually want. The rest is inevitably junk and worse that you neither need nor want; and much of it does things you have experienced...

The two utilities above are "freebies"; safe to use and well recommended/regarded here. JRT makes up the third of three - usually recommended... There are others too... And on occasion it helps to scan the system from outside of Windows booted up. Kaspersky Rescue Disk is ideal for that. It's a Linux-based disk; loads into RAM only. Goes online to update itself and then scans the entire hard drive - and deals with anything it finds. It's also "free".

message edited by trvlr

June 12, 2015 at 12:49:25
Yes, JRT is widely used on here but run the other two as well.

It will probably take more than all three programs for you to have any confidence that you are malware free. Most likely a Johnw will see this post and give your computer his expert attention.

Please copy/paste the logs of any program you have used to get shot of this problem. That will make it possible to decide what is going on and the severity of the infection.

Always pop back and let us know the outcome - thanks

message edited by Derek

June 12, 2015 at 14:37:49
" Most likely a Johnw will see this post"
Ok, I shall wait for the logs.

June 13, 2015 at 04:06:38
That's the odd thing: I wasn't installing anything when this infection took place. It just suddenly turned up. I'm very confused as to how this could occur.

I have now run all three programs, Junkware Removal Tool, Adware Cleaner, and MalwareBytes, in that order. I will return with the logs.

June 13, 2015 at 04:09:27
Log from Junkware Removal Tool:

Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Home Premium x64
Ran by XXXX on Fri 12/06/2015 at 23:39:28.15

~~~ Services

Successfully stopped: [Service] bdsandbox
Successfully deleted: [Service] bdsandbox
Successfully stopped: [Service] winzipersvc
Successfully deleted: [Service] winzipersvc

~~~ Tasks

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{425ED333-6083-428a-92C9-0CFC28B9D1BF}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{425ED333-6083-428a-92C9-0CFC28B9D1BF}

~~~ Files

Successfully deleted: [File] C:\end
Successfully deleted: [File] C:\Windows\system32\drivers\bdsandbox.sys
Successfully deleted: [File] C:\Windows\system32\drivers\isafenetfilter.sys
Successfully deleted: [File] C:\ProgramData\1319434683.bdinstall.bin
Successfully deleted: [File] C:\ProgramData\1405936594.bdinstall.bin
Successfully deleted: [File] C:\ProgramData\1405936978.bdinstall.bin
Successfully deleted: [File] C:\Users\XXXX\appdata\local\google\chrome\user data\default\local storage\hxxp_www.superfish.com_0.localstorage
Successfully deleted: [File] C:\Users\XXXX\appdata\local\google\chrome\user data\default\local storage\hxxp_www.superfish.com_0.localstorage-journal
Successfully disinfected: [Shortcut] C:\Users\XXXX\AppData\Roaming\microsoft\internet explorer\quick launch\Launch Internet Explorer Browser.lnk

~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\esafe
Successfully deleted: [Folder] C:\ProgramData\iepluginservices
Successfully deleted: [Folder] C:\ProgramData\ihprotectupdate
Successfully deleted: [Folder] C:\ProgramData\trymedia
Successfully deleted: [Folder] C:\Users\XXXX\documents\add-in express

~~~ FireFox

Scan was completed on Fri 12/06/2015 at 23:42:00.43
End of JRT log

June 13, 2015 at 04:18:48
Log from Adware Cleaner: (Corrected to S0 version)

# AdwCleaner v4.206 - Logfile created 13/06/2015 at 20:03:35
# Updated 01/06/2015 by Xplode
# Database : 2015-06-09.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : XXXX - XXXX-PC
# Running from : C:\Users\XXXX\Documents\Adware Cleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\IePluginService
Folder Deleted : C:\ProgramData\WPM
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZipper
Folder Deleted : C:\Program Files (x86)\DeviceVM
Folder Deleted : C:\Program Files (x86)\WinZipper
Folder Deleted : C:\Users\XXXX\AppData\Local\Oxy
Folder Deleted : C:\Users\XXXX\AppData\Roaming\Oxy
Folder Deleted : C:\Users\XXXX\AppData\Roaming\WinZipper
Folder Deleted : C:\Users\YYYY\AppData\Roaming\Elex-tech
Folder Deleted : C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml
File Deleted : C:\Windows\System32\log\iSafeKrnlCall.log
File Deleted : C:\Users\YYYY\AppData\Roaming\Mozilla\Firefox\Profiles\3ic25ss7.default-1419483118955\searchplugins\v9.xml
File Deleted : C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Extensions\newtab.crx

***** [ Scheduled tasks ] *****

Task Deleted : Escolade
Task Deleted : RunAsStdUser Task

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\oxy.exe
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\IePluginServices
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WsysSvc
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\IePluginService
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Wpm
Key Deleted : HKCU\Software\Mozilla\Extends
Key Deleted : HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZipper
Key Deleted : HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZipper
Key Deleted : HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinZipper
Key Deleted : HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinZipper
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4F622628-7632-4B28-B184-D7BA0CA3273B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Escolade
Key Deleted : HKCU\Software\V9
Key Deleted : HKLM\SOFTWARE\dosearchessoftware
Key Deleted : HKLM\SOFTWARE\hdcode
Key Deleted : HKLM\SOFTWARE\SupDp
Key Deleted : HKLM\SOFTWARE\SupTab
Key Deleted : HKLM\SOFTWARE\supWPM
Key Deleted : HKLM\SOFTWARE\Trymedia Systems
Key Deleted : HKLM\SOFTWARE\V9
Key Deleted : HKLM\SOFTWARE\winzipersvc
Key Deleted : HKLM\SOFTWARE\Wpm
Key Deleted : HKLM\SOFTWARE\IHProtect
Key Deleted : HKU\.DEFAULT\Software\Elex-tech
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winzipper
Key Deleted : [x64] HKLM\SOFTWARE\DivX\Install\Setup\WizardLayout\ConduitToolbar

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17840

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]

-\\ Mozilla Firefox v38.0.5 (x86 en-GB)

[3ic25ss7.default-1419483118955\prefs.js] - Line Deleted : user_pref("", "hxxp://");

-\\ Google Chrome v

[C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://{searchTerms}&ref=YmFzZVVSTH1zZWFyY2g=
[C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://{searchTerms}
[C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Preferences] - Deleted [Extension] : cekcjpgehmohobmdiikfnopibipmgnml
[C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Preferences] - Deleted [Extension] : ifohbjbgfchkkfhphahclmkpgejiplfo
[C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Preferences] - Deleted [Homepage] : hxxp://
[C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Preferences] - Deleted [Startup_URLs] : hxxp://
[C:\Users\YYYY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : ifohbjbgfchkkfhphahclmkpgejiplfo
[C:\Users\YYYY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Default_Search_Provider_Data] :

-\\ Chromium v


AdwCleaner[R0].txt - [24560 bytes] - [13/06/2015 19:58:44]
AdwCleaner[R1].txt - [24620 bytes] - [13/06/2015 20:00:54]
AdwCleaner[S0].txt - [5705 bytes] - [13/06/2015 20:03:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5764 bytes] ##########

message edited by UlyssesBlue

June 13, 2015 at 04:25:30
Thanks for the logs UlyssesBlue, if you hit the AdwCleaner Clean button, the correct log to post is here.

June 13, 2015 at 04:27:24
Log from MalwareBytes:

Malwarebytes Anti-Malware

Scan Date: 13/06/2015
Scan Time: 8:12:17 PM
Logfile: malwarebytes log 2015-06-13.txt
Administrator: Yes

Malware Database: v2015.03.09.05
Rootkit Database: v2015.02.25.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: XXXX

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 402686
Time Elapsed: 8 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.SupTab.A, HKU\S-1-5-21-1119351232-1643504598-2946436490-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, Quarantined, [7cfdf54ec1c98ea870ff77a951b20ef2],
PUP.Optional.SupTab.A, HKU\S-1-5-21-1119351232-1643504598-2946436490-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, Quarantined, [7cfdf54ec1c98ea870ff77a951b20ef2],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.OneClickDownloader.A, C:\Users\XXXX\Documents\Downloads\HDvid-codec-FF.exe, Quarantined, [b9c02e15c9c1e254b9390f2d16eb60a0],
PUP.Optional.IStartSurf.A, C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "search_url": "{searchTerms}",), Replaced,[8fea1e25395169cd01ece23bbd497090]

Physical Sectors: 0
(No malicious items detected)
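
Derek's point earlier in the thread is that the logs are what let a helper judge "what is going on and the severity of the infection". The three tools write three different line formats, so as an added example (not code from this thread or from JRT, AdwCleaner or Malwarebytes) the Python below parses all three into one record type, counts what each tool removed by object type, and cross-references the targets: the same registry key or CLSID turning up in more than one log is the quickest way to see which remnants the earlier tools had already found and which are new. The sample inputs are excerpts of the logs pasted in this thread (already anonymised by the poster); the regular expressions are my reading of those formats and are an assumption for log versions not shown here.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "tool kind action target")

# One line pattern per tool, matching the log formats pasted in this thread.
PATTERNS = {
    "JRT": re.compile(r"^Successfully (?P<action>\w+): \[(?P<kind>[^\]]+)\] (?P<target>.+)$"),
    "AdwCleaner": re.compile(
        r"^(?P<kind>Folder|File|Key|Value|Task|Setting) (?P<action>Deleted|Restored|Found) : "
        r"(?:\[x64\] )?(?P<target>.+)$"),
    # detection-name, target, ..., action, [hash]  (the Good:/Bad: fields are skipped)
    "Malwarebytes": re.compile(
        r"^(?P<detection>[A-Za-z][\w.]*), (?P<target>[^,]+), .*?(?P<action>Quarantined|Replaced)"),
}
KIND_MAP = {"Key": "Registry Key", "Setting": "Registry Value", "Value": "Registry Value",
            "Task": "Scheduled Task"}
_HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
          "hkey_users": "hku", "hkey_classes_root": "hkcr"}
_GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def kind_from_target(target):
    """Malwarebytes lines do not label the object type; infer it from the target."""
    if re.match(r"^HK[A-Z_]*\\", target):
        return "Registry Key"
    if re.match(r"^[A-Za-z]:\\", target):
        return "File"
    return "Other"


def normalize_target(target):
    """Canonical form so one object is recognised across tools: lower-case, long hive names
    shortened (HKEY_LOCAL_MACHINE -> hklm), JRT's doubled backslash before a value name
    collapsed, AdwCleaner's [x64] marker dropped."""
    t = target.strip().lower().replace("\\\\", "\\")
    if t.startswith("[x64] "):
        t = t[6:]
    hive, sep, rest = t.partition("\\")
    return _HIVES.get(hive, hive) + sep + rest


def parse_log(tool, text):
    """Parse one tool's log into Finding records; headers and non-action lines are ignored."""
    pattern = PATTERNS[tool]
    findings = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        kind = d.get("kind") or kind_from_target(d["target"])
        findings.append(Finding(tool, KIND_MAP.get(kind, kind), d["action"].capitalize(),
                                d["target"].strip()))
    return findings


def summarize(findings):
    """Counter keyed by (tool, kind): how much each tool removed, and of what."""
    return Counter((f.tool, f.kind) for f in findings)


def cross_tool_hits(findings):
    """Objects that more than one tool acted on (after normalisation), with the tools."""
    seen = {}
    for f in findings:
        seen.setdefault(normalize_target(f.target), set()).add(f.tool)
    return {t: sorted(tools) for t, tools in seen.items() if len(tools) > 1}


def guid_index(findings):
    """Map every CLSID/GUID mentioned in any target to the tools that touched it."""
    idx = {}
    for f in findings:
        for g in _GUID_RE.findall(f.target.lower()):
            idx.setdefault(g, set()).add(f.tool)
    return {g: sorted(tools) for g, tools in idx.items()}


# Excerpts of the three logs pasted in this thread.
JRT_LOG = r"""
~~~ Services
Successfully deleted: [Service] winzipersvc
~~~ Registry Values
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
~~~ Files
Successfully deleted: [File] C:\Windows\system32\drivers\isafenetfilter.sys
Successfully deleted: [Folder] C:\ProgramData\iepluginservices
"""
ADW_LOG = r"""
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\IePluginService
Folder Deleted : C:\Program Files (x86)\WinZipper
Task Deleted : Escolade
Key Deleted : HKLM\SOFTWARE\winzipersvc
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
"""
MBAM_LOG = r"""
Registry Keys: 1
PUP.Optional.SupTab.A, HKU\S-1-5-21-1119351232-1643504598-2946436490-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}, Quarantined, [7cfdf54ec1c98ea870ff77a951b20ef2],
Files: 2
PUP.Optional.OneClickDownloader.A, C:\Users\XXXX\Documents\Downloads\HDvid-codec-FF.exe, Quarantined, [b9c02e15c9c1e254b9390f2d16eb60a0],
PUP.Optional.IStartSurf.A, C:\Users\XXXX\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "search_url": "{searchTerms}",), Replaced,[8fea1e25395169cd01ece23bbd497090]
"""
ALL = (parse_log("JRT", JRT_LOG) + parse_log("AdwCleaner", ADW_LOG)
       + parse_log("Malwarebytes", MBAM_LOG))

if __name__ == "__main__":
    for key, n in sorted(summarize(ALL).items()):
        print(key, n)
    print("hit by more than one tool:", cross_tool_hits(ALL))
    print("GUIDs:", guid_index(ALL))
```

Run on these excerpts, the SearchScopes key `{33BB0A4E-...}` shows up as touched by both JRT and AdwCleaner (JRT writes the long `HKEY_LOCAL_MACHINE` hive name, AdwCleaner the short `HKLM` one with an `[x64]` marker, which is what the normalisation is for), while the `{3593C8B9-...}` Ext\Settings entry was only caught by Malwarebytes, which is exactly the kind of leftover a helper is looking for when they ask for all three logs.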

June 13, 2015 at 04:31:49
Just in case you don't see it, refer post #8

June 13, 2015 at 04:33:43
Sorry for the error with the Adware cleaner log. The different types I have available are R0, R1 and S0. I do not see an S1 type. I originally posted the R0, and have now replaced it with the S0. Is this what you're after?

June 13, 2015 at 04:37:46
"Is this what you're after?"

Nope, run AdwCleaner again please & after hitting the Clean button, post the log please.

June 13, 2015 at 04:52:30
Ok, I've run it again, and this time got an S1 file, but it was completely clean this time round, so the file is pretty much empty, so I'm not sure if that will be of any use to you.

From what I can tell, the file names increment, so the first time I ran it, it produced an R0 file. Accidentally closed the program, so ran it again, and got the R1 file. Cleaned it, and got S0. Now from the recent iteration it has produced an R2 and S1 file. Are you sure it wasn't the S0 file you were after?

June 13, 2015 at 04:55:26
"Are you sure it wasn't the S0 file you were after?"
S1 is normal, if the S0 file shows Deleted instead of Found, post it please.

June 13, 2015 at 04:57:57
We are on the right track.

Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
Instructions on how to use ZippyShare.
A guide and tutorial on using ComboFix
Manually restoring the Internet connection
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

June 13, 2015 at 05:03:02
The S0 file does indeed say deleted, not found. It has been posted above in my post with the adware cleaner log file. I'll work on the ComboFix stuff now, and get back to you once that's done.

June 13, 2015 at 05:05:17
"The S0 file does indeed say deleted, not found"
Yep, spotted that, thought I was going bonkers at first.

June 13, 2015 at 05:37:57
Ok, all complete. ComboFix produced this log:

I'm not sure if it matters, but I didn't end up disabling my firewall when I ran this. Got everything else though, just thought I'd got the firewall too, when I hadn't. It seemed to run ok though.

June 13, 2015 at 05:43:00
"I'm not sure if it matters"
Looks Ok, I cover user error by being very thorough, try not to assume anything.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
If we have to run Farbar more than once, refer this SS.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
Instructions on how to use ZippyShare.

June 13, 2015 at 06:07:14
FRST log:
Zippy Share is being glitchy and I can't seem to upload the Addition file.

June 13, 2015 at 06:11:03
Any site that doesn't need an account will do.

It also sounds like you don't have an Ad killer.

I use this.

Ad Muncher

June 13, 2015 at 06:22:10
Addition log:

I actually have AdBlock Plus. I'm not seeing any ads on Zippy Share.

message edited by UlyssesBlue

June 13, 2015 at 06:24:11
"I actually have AdBlock Plus. I'm not seeing any ads on Zippy Share"
Good one.

Back in about 10 mins.

June 13, 2015 at 06:34:15
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CustomCLSID: HKU\S-1-5-21-1119351232-1643504598-2946436490-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\XXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
AlternateDataStreams: C:\Windows\SysWOW64\FlashPlayerInstaller.exe:BDU
AlternateDataStreams: C:\ProgramData\TEMP:0CFF5F08
AlternateDataStreams: C:\ProgramData\TEMP:36608448
AlternateDataStreams: C:\ProgramData\TEMP:4EC7F009
AlternateDataStreams: C:\ProgramData\TEMP:58E38390
AlternateDataStreams: C:\Users\XXXX\Desktop\ComboFix.exe:BDU
AlternateDataStreams: C:\Users\XXXX\Desktop\Farbar Recovery Scan Tool 64bit.exe:BDU
AlternateDataStreams: C:\Users\XXXX\Documents\MalwareBytes-setup-
AlternateDataStreams: C:\Users\YYYY\Downloads\337.88-desktop-win8-win7-winvista-64bit-english-whql.exe:BDU
AlternateDataStreams: C:\Users\YYYY\Downloads\ophcrack-win32-installer-3.5.0.exe:BDU
GroupPolicyUsers\S-1-5-21-1119351232-1643504598-2946436490-1000\User: Group Policy Restriction detected <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1119351232-1643504598-2946436490-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
FF Plugin: -> disabled No File
FF Plugin:,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll No File
FF Plugin-x32: -> disabled No File
FF Plugin-x32:,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll No File
U4 bdselfpr; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

message edited by Johnw

June 13, 2015 at 06:51:17
Thanks for that. Just so I know, what will this do?

June 13, 2015 at 06:57:20
We are dismantling all the nasties & unwanted files, bit by bit, we are nearly there.

June 13, 2015 at 07:25:25
Ok, completed.
Fix log: Fixlog
Everything go ok?

message edited by UlyssesBlue

June 13, 2015 at 07:31:07
I shall leave this with you & I will be back in about 9 hours.
I'm here.

You have installed the Premium version, which is very good & can be run in conjunction with your current Anti-Virus (AV). It would have prevented the adware installs. If you don't want to buy it, do this to avoid the purchase nag screens.
Open Malwarebytes, on the Dashboard, click on the ‘End Free Trial’ link, which will then instantly convert it to the free version.

Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
If your comp is unbootable, or won't let you download, you will have to download ESET from a good computer, put it on a flash/thumb/pen/usb drive & run it from there.
Create a ESET SysRescue CD or USB drive
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
Configure ESET this way & disable your AV.
How to Temporarily Disable your Anti-virus
Which web browsers are compatible with ESET Online Scanner?
Online Scanner not working
My ESET product detected a threat—what should I do?
Why Would I Ever Need an Online Virus Scanner? I already have an antivirus program installed, isn't that enough?
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.

June 13, 2015 at 07:35:16
Thanks for that. I'll get back to you once I've run that.
