Eliminate Extutil and Managera

Viruses and worms
1

Still trying to get Extutil and Managera from my system. Here’s the attachments requested from your post-it threads. Can anyone help me?

2

Is this in Chrome or Firefox ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKU\S-1-5-21-3813676637-318073184-1201432588-1002\...\Winlogon: [Shell] C:\WINDOWS\EXPLORER.EXE [2374784 2014-08-22] (Microsoft Corporation) <==== ATTENTION AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC64Loader.dll [257808 2015-02-02] (Client Connect LTD) AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\VC32Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\VC32Loader.dll [221968 2015-02-02] (Client Connect LTD) HKU\S-1-5-21-3813676637-318073184-1201432588-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trovi.com/?gd=&ctid=CT3321848&octid=EB_ORIGINAL_CTID&ISID=M6B18F889-1026-4D3D-89B7-627CAC10A22D&SearchSource=55&CUI=&UM=8&UP=SP9E37F7D4-9E43-4632-8A89-6EC2CC7BF99D&SSPV= SearchScopes: HKU\S-1-5-21-3813676637-318073184-1201432588-1002 -> {887669F4-CB67-42FC-AEC4-C1CDFC173CB8} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_app_14_43_ch&cd=2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0A0CyByB0BtBtCzz0AtC0DtN0D0Tzu0StCtDtBtAtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtC0FtC0A0EtCtCtGzzzztD0AtGzzyDyBtDtGyEtDyCtBtGtA0FyByB0D0DtDyByD0FtCyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0E0A0CzztC0CtAtGyE0FyB0BtGyE0B0C0BtG0ByB0D0BtGzy0FtCyByBtAzy0CtD0D0BtB2Q&cr=598863696&ir= SearchScopes: HKU\S-1-5-21-3813676637-318073184-1201432588-1002 -> {B44E3C66-701D-4434-95C2-45D731042E05} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289663&CUI=UN21419526293155210&UM=2 CHR HomePage: Default -> hxxp://search.conduit.com/?ctid=CT3289663&SearchSource=48&CUI=UN15615234277296186&UM=2&SSPV= CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3321848&octid=EB_ORIGINAL_CTID&ISID=M6B18F889-1026-4D3D-89B7-627CAC10A22D&SearchSource=55&CUI=&UM=8&UP=SP9E37F7D4-9E43-4632-8A89-6EC2CC7BF99D&SSPV=", "hxxp://search.conduit.com/?ctid=CT3289663&SearchSource=48&CUI=UN15615234277296186&UM=2", "hxxp://astromenda.com/?f=7&a=ast_app_14_43_ch&cd=2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0A0CyByB0BtBtCzz0AtC0DtN0D0Tzu0StCtDtBtAtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtC0FtC0A0EtCtCtGzzzztD0AtGzzyDyBtDtGyEtDyCtBtGtA0FyByB0D0DtDyByD0FtCyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0E0A0CzztC0CtAtGyE0FyB0BtGyE0B0C0BtG0ByB0D0BtGzy0FtCyByBtAzy0CtD0D0BtB2Q&cr=598863696&ir=" 2015-02-12 12:53 - 2015-02-12 12:54 - 00000000 ____D () C:\Program Files (x86)\SearchProtect 2015-02-12 12:53 - 2015-02-12 12:53 - 00000000 ____D () C:\Users\Tresha\AppData\Local\SearchProtect 2015-02-10 01:18 - 2015-02-10 01:18 - 00003502 _____ () C:\WINDOWS\System32\Tasks\avaxvyyvyf 2015-02-10 01:17 - 2015-02-10 01:17 - 00012300 _____ () C:\Users\Tresha\Downloads\EF398E2FA8EBB46205120E0D4E3E511807B84D33.torrent 2015-02-10 01:16 - 2015-02-10 21:27 - 00000000 ____D () C:\Users\Tresha\AppData\Local\avaxvyyvyf Task: {0FDD5B30-6411-4E3E-A17F-87987D27E273} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION Task: {5A54E072-35EE-4CFC-90F5-944536EE71A0} - System32\Tasks\avaxvyyvyf => C:\Users\Tresha\AppData\Local\avaxvyyvyf\avaxvyyvyf.exe [2015-02-02] () C:\Program Files (x86)\MyPC Backup C:\ProgramData\Dell Click 2 Fix+-64-bit-V2546.exe C:\ProgramData\Restoreinfo.bat C:\Users\Tresha\Downloads\Unconfirmed 733056.crdownload C:\Users\Tresha\Downloads\Player Setup.exe C:\Users\Tresha\AppData\Local\124771703dsisetup1247739062.exe EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

3

Fixlog attached. Who creates these pieces of crap?

4

Oh, and it’s in Chrome

5

Wasn’t sure which of these you needed, so here’s both.

6

Avast still sees the infection present. Stubborn son of a bitch.

7

Is this within Firefox ?

If so then reset firefox to defaults

1.Click the menu button and then click help .
2.From the Help menu choose Troubleshooting Information. …
3.Click the Reset Firefox… button in the upper-right corner of the Troubleshooting Information page.
4.To continue, click Reset Firefox in the confirmation window that opens

8

No, like I said above, this is in Chrome.

9

Okay, I reset to the defaults in Chrome, tried removing the add-ons with Avast, then restarted. I am no longer getting the bogus search screens when I start Chrome, but Avast still reads Extutil and Managera as being present.

Any more ideas?

10

Could I have a fresh FRST scan please

11

There you go.

12

You seem to have regained trovi and conduit in chrome, how is the computer behaving

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: CHR HomePage: Default -> hxxp://search.conduit.com/?ctid=CT3289663&SearchSource=48&CUI=UN15615234277296186&UM=2&SSPV= CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3321848&octid=EB_ORIGINAL_CTID&ISID=M6B18F889-1026-4D3D-89B7-627CAC10A22D&SearchSource=55&CUI=&UM=8&UP=SP9E37F7D4-9E43-4632-8A89-6EC2CC7BF99D&SSPV=", "hxxp://search.conduit.com/?ctid=CT3289663&SearchSource=48&CUI=UN15615234277296186&UM=2", "hxxp://astromenda.com/?f=7&a=ast_app_14_43_ch&cd=2XzuyEtN2Y1L1Qzu0Bzz0C0AtA0A0CyByB0BtBtCzz0AtC0DtN0D0Tzu0StCtDtBtAtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtC0FtC0A0EtCtCtGzzzztD0AtGzzyDyBtDtGyEtDyCtBtGtA0FyByB0D0DtDyByD0FtCyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0E0A0CzztC0CtAtGyE0FyB0BtGyE0B0C0BtG0ByB0D0BtGzy0FtCyByBtAzy0CtD0D0BtB2Q&cr=598863696&ir=" EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

13

I’m not sure if I’m attaching the right log at this point. Feels like we’re going in circles. I told my fiance you just have to live with it like Herpes.

I also ran another FRST scan, attached.

14

Are you synching chrome ? If so you will need to delete that as it is re-installing the adware

Once you have done that then reset Chrome

1.Click the icon that looks like three stacked lines at the top right of the browser window. …
2.Select ‘Settings’ in the drop-down menu. …
3.Click on ‘Show advanced settings’ at the bottom of the Web page. …
4.Select ‘Reset browser settings’ at the bottom of the page.

15

If you mean syncing with another device, there is nothing of that kind happening.

I deleted the sync data and disconnected from Google, reset the settings, restarted the computer.

Viruses are still there.

16

Could you temporarily uninstall Spybot and then re-run the previous fix please