Laptop problems.

Thanks for helping on my desktop. Now my wife’s computer has some issues. It seems to have something which is running a web browser in the background accessing odd websites.

I have done an Avast scan during boot and while the system was running, and nothing has been caught. Also ran Malwarebytes, ComboFix, and Spybot with no success.

I have run Farbar and included the logs.

Could you let me know if this stops it?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-328026544-1961890695-2546268383-1001\...A8F59079A8D5}\localserver32: <==== ATTENTION!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-328026544-1961890695-2546268383-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-328026544-1961890695-2546268383-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-328026544-1961890695-2546268383-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKU\S-1-5-21-328026544-1961890695-2546268383-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Extension: No Name - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1504\6.6.1088\firefoxextension [Not Found]
FF Extension: No Name - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [Not Found]
2015-01-09 15:52 - 2015-01-10 20:19 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
CustomCLSID: HKU\S-1-5-21-328026544-1961890695-2546268383-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean".
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

OK, ran the fix and ADW. Here are the logs. Watching the system to see if something pops up.

Any sign of the undemanded browsers?

Read this ==> http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

I used ComboFix on the instruction of a friend who is an admin at a local college. He was willing to work on the system, but living around 40 minutes away does limit things. I have been thankful for the people on this forum in assisting.

Ermm. Alright, but even if he is an admin there, if he isn't trained by the same group as Essex (or a similar group), he really shouldn't be using it. Also, you should answer Essex's question…

I kept monitoring the system, so that is why there was no answer till now. I started getting a rogue process that is running a Google Chrome process. Nothing on IE though, which is good. It is running from a folder which is located here.

C:\Users\Stacy\AppData\LocalLow\EmieUserList\yvdttjqb\vyztfmqu

It also looks like Avast has been kicked off IE.

OK, let's kill that.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
C:\Users\Stacy\AppData\LocalLow\EmieUserList
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

OK, here we are. Now I am not seeing the little Avast symbol on my IE since the other rogue process flared up. Avast had been blocking the process, but it found a way to come back. This seems to have knocked it out.

That was a Windows folder (it will be re-created, so no worries there), and it seems as though adware has found a way to infiltrate it. I'll add that to my list of bad boys… How is the computer now?

So far so good. Haven’t seen anything pop up since we finished all this cleaning. Thanks.

What is odd is that Avast was blocking the process and then it came back. Thanks for all the help again.

Aye, Avast did not know where the file was, just that it was using svchost.

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean.

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start, then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
In the box, copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix.

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java, then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java Runtime > Download and install latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.

Well, the Google Chrome resource hog is back, and this time it installed itself in the AppData folder for the game Gone Home.

C:\Users\Stacy\AppData\LocalLow\The Fullbright Company\yvdttjqb\vyztfmqu

It has created a process called Dlouhtylolvx.exe.

OK, let's have a fresh FRST scan. What may have happened is that Chrome has been changed to the developer version, which has no security checks. In my opinion, I would cease using Chrome until they plug this gaping hole.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
Select Additions at the bottom.
Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

It will produce a log called FRST.txt in the same directory the tool is run from.
Please attach both logs generated.

Here are the updated logs.

Hmm, the Fullbright Company is a new startup that makes games, and I do not believe they are very ethical, as they appear to hide the updater as a legitimate Google updater.

None of these were evident on the initial log, so they must have been installed recently, or the updater on their website was substituted.

(Google Inc.) C:\Users\Stacy\AppData\Local\Google\Update\GoogleUpdate.exe
() C:\Users\Stacy\AppData\Local\Google\Update\Install{ED87079F-BCFF-4E01-B29F-02C41E7FC379}\40.0.2214.91_39.0.2171.99_chrome_updater.exe

I assume you have uninstalled (!) the game, as there is no reference to it in your uninstall list. What is even more unethical is to leave a run key linked to the installer for the bad bits:

HKU\S-1-5-21-328026544-1961890695-2546268383-1001\...\Run: [rnrkamxi] => regsvr32.exe /s "C:\Users\Stacy\AppData\Local\{C0FB8F9F-FB6E-4090-A939-0F75148F38F7}\rnrkamxi.dll" <===== ATTENTION

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Toolbar: HKU\S-1-5-21-328026544-1961890695-2546268383-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
2015-01-20 21:19 - 2014-08-24 19:35 - 00000000 ____D () C:\Users\Stacy\AppData\Local\{C0FB8F9F-FB6E-4090-A939-0F75148F38F7}
HKU\S-1-5-21-328026544-1961890695-2546268383-1001\...\Run: [rnrkamxi] => regsvr32.exe /s "C:\Users\Stacy\AppData\Local\{C0FB8F9F-FB6E-4090-A939-0F75148F38F7}\rnrkamxi.dll" <===== ATTENTION
FF Extension: No Name - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1504\6.6.1088\firefoxextension [Not Found]
FF Extension: No Name - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [Not Found]
CHR Plugin: (Shockwave Flash) - C:\Users\Stacy\AppData\Local\Google\Chrome\Application\39.0.2171.99\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Native Client) - C:\Users\Stacy\AppData\Local\Google\Chrome\Application\39.0.2171.99\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (DivX Plus Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
2015-01-09 15:52 - 2015-01-09 15:53 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
C:\Users\Stacy\AppData\Local\Google\Update\Install\{ED87079F-BCFF-4E01-B29F-02C41E7FC379}
C:\Users\Stacy\AppData\Local\Temp\CR_ECF41.tmp
C:\Users\Stacy\AppData\LocalLow\The Fullbright Company
C:\Users\Stacy\AppData\Local\{C0FB8F9F-FB6E-4090-A939-0F75148F38F7}
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
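The two indicators this thread keeps turning up, a Run key that uses regsvr32 /s to load a DLL from a GUID-named folder under AppData\Local, and a "chrome" process executing from a random-named folder under AppData\LocalLow, can both be checked for without waiting for the next FRST log. The PowerShell below is an added example written for this page; it is not part of the thread and not code from FRST, AdwCleaner or any other tool mentioned here. The function names are my own, and the sample inputs are constructed from the paths quoted in the posts above. It generalises slightly beyond the thread: it also treats rundll32 and the Roaming profile as the same risk, and it checks HKLM as well as the current user's Run keys.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 5.1+ session,
# logged in as the affected user so that HKCU maps to that user's hive.

# Heuristic 1: a Run-key command that points a DLL loader (regsvr32 / rundll32)
# at a file under the user profile, or that starts anything from a GUID-named
# folder in the profile. Returns a reason string, or $null when nothing matches.
function Test-SuspiciousRunValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Command)
    $usesLoader  = $Command -match '\b(regsvr32|rundll32)(\.exe)?\b'
    $fromProfile = $Command -match '\\Users\\[^\\]+\\AppData\\(Local|LocalLow|Roaming)\\'
    $guidFolder  = $Command -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    if ($usesLoader -and $fromProfile) { return 'regsvr32/rundll32 loading a DLL from the user profile' }
    if ($fromProfile -and $guidFolder)  { return 'autorun from a GUID-named folder in the user profile' }
    return $null
}

# Heuristic 2: a running process whose image lives under AppData\LocalLow (a
# low-integrity data folder, not a place installers put executables), or a
# process calling itself chrome that is not the real Chrome binary.
function Test-SuspiciousProcessPath {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    if ($Path -match '\\AppData\\LocalLow\\') { return 'executable running from AppData\LocalLow' }
    if ($Name -eq 'chrome' -and $Path -notmatch '\\Google\\Chrome\\Application\\chrome\.exe$') {
        return 'chrome-named process outside the Chrome install folder'
    }
    return $null
}

# Enumerate the common Run / RunOnce keys and apply heuristic 1 to each value.
function Get-SuspiciousAutoruns {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            $reason = Test-SuspiciousRunValue -Command ([string]$p.Value)
            if ($reason) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Reason = $reason }
            }
        }
    }
}

# Apply heuristic 2 to every live process that has a resolvable image path.
function Get-SuspiciousProcesses {
    Get-CimInstance Win32_Process | ForEach-Object {
        if (-not $_.ExecutablePath) { return }
        $reason = Test-SuspiciousProcessPath -Name ($_.Name -replace '\.exe$', '') -Path $_.ExecutablePath
        if ($reason) {
            [pscustomobject]@{ PID = $_.ProcessId; Name = $_.Name; Path = $_.ExecutablePath; Reason = $reason }
        }
    }
}

# Constructed samples built from the entries quoted in this thread, to show what fires.
$sampleRun = 'regsvr32.exe /s "C:\Users\Stacy\AppData\Local\{C0FB8F9F-FB6E-4090-A939-0F75148F38F7}\rnrkamxi.dll"'
Test-SuspiciousRunValue -Command $sampleRun                    # flagged: loader + profile path
Test-SuspiciousRunValue -Command '"C:\Program Files\Vendor\app.exe" /tray'   # $null (constructed benign entry)
Test-SuspiciousProcessPath -Name 'Dlouhtylolvx' -Path 'C:\Users\Stacy\AppData\LocalLow\The Fullbright Company\yvdttjqb\vyztfmqu\Dlouhtylolvx.exe'   # flagged
Test-SuspiciousProcessPath -Name 'chrome' -Path 'C:\Users\Stacy\AppData\Local\Google\Chrome\Application\chrome.exe'   # $null

# Live checks on the affected machine.
Get-SuspiciousAutoruns  | Format-Table -AutoSize
Get-SuspiciousProcesses | Format-Table -AutoSize
```

Anything the live functions report is a lead, not a verdict: note the key, value and path, and leave removal to the fixlist the helper builds from the FRST output, since deleting a Run value by hand without clearing the folder it points to is exactly how the process in this thread came back in a new location.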

Here is the fix log.

I uninstalled the game through Steam, which is where I installed it from. Gone Home is an excellent narrative-driven game, by the way. Not one act of violence in the game, which was a change. I have had the game on the system since 2013 and not one issue until now.

The Google resource hog was the same as last time in the EmieUserList\yvdttjqb\vyztfmqu folder. I think the virus recreated itself in the game folder.

I found some sites which mention a similar Google virus like what I have been experiencing. (http://malwaretips.com/threads/uyitudbeg-exe-32-fake-google-chrome-process-emieuserlist-emiesitelist.36345/)

I thought I read another thread on another board which mentioned they deleted it and it came back in another location too.