Need help with constant "malicious website blocked" popups

Hi - I’m having issues with constant popups from Avast, and now, after installing Malwarebytes per the pinned instructions for malware on this forum, even more popups from them. The domain on Malwarebytes that’s being blocked is fff5ee.com; and then, another that does not list a domain, but originates with the process c:\windows\sysWOW64\dllhost.exe. I ran all the programs the pinned instructions said to run, and I have all the logs. Should I post them? Thanks for any help…

Here are the files

Let me know if this clears it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-748054246-3658752751-2871132807-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-748054246-3658752751-2871132807-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_frg01_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0B0CyD0F0FyEtA0C0B0E0EyEyEyE0CtAtN0D0Tzu0SzyyByCtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyC0C0FtD0CtA0F0AtGyB0BtAtBtG0EzzyD0AtG0C0CzyzytGtC0A0FtAzyyEtCzztD0F0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtAtCtBzyyBzy0FtGtAtCtDtBtGyE0EyBzytGzzyDtB0FtGtD0F0A0E0EtD0CtDyC0F0E0E2Q&cr=502749240&ir=
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_frg01_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0B0CyD0F0FyEtA0C0B0E0EyEyEyE0CtAtN0D0Tzu0SzyyByCtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyC0C0FtD0CtA0F0AtGyB0BtAtBtG0EzzyD0AtG0C0CzyzytGtC0A0FtAzyyEtCzztD0F0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtAtCtBzyyBzy0FtGtAtCtDtBtGyE0EyBzytGzzyDtB0FtGtD0F0A0E0EtD0CtDyC0F0E0E2Q&cr=502749240&ir=
SearchScopes: HKCU - 274425EA38FC45528EA511498F54B669 URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_frg01_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0B0CyD0F0FyEtA0C0B0E0EyEyEyE0CtAtN0D0Tzu0SzyyByCtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyC0C0FtD0CtA0F0AtGyB0BtAtBtG0EzzyD0AtG0C0CzyzytGtC0A0FtAzyyEtCzztD0F0C0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FtAtCtBzyyBzy0FtGtAtCtDtBtGyE0EyBzytGzzyDtB0FtGtD0F0A0E0EtD0CtDyC0F0E0E2Q&cr=502749240&ir=
SearchScopes: HKCU - {7C92ACFB-A825-4490-A1DE-2108318B45D4} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3279141&CUI=UN72470500193212854
CustomCLSID: HKU\S-1-5-21-748054246-3658752751-2871132807-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
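
The two fixlist entries marked as Poweliks share one shape: a per-user localserver32 value whose command is rundll32.exe with a javascript: argument and mshtml,RunHTMLApplication. As an added example (not part of the original posts and not FRST's own logic), this Python script flags that shape in FRST-style log lines; the sample lines, the placeholder SID, CLSIDs and paths, and the names `scan`, `ENTRY` and `CHECKS` are constructed for illustration.

```python
import re

# Constructed sample in the style of the FRST lines quoted above. The SID, CLSIDs,
# paths and the "<elided>" payload are placeholders, not values from a real machine.
SAMPLE_LOG = r'''
HKU\S-1-5-21-0-0-0-1000\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe
HKU\S-1-5-21-0-0-0-1000\...\Run: [Stale] => [X]
CustomCLSID: HKU\S-1-5-21-0-0-0-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("<elided>
CustomCLSID: HKU\S-1-5-21-0-0-0-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32 -> C:\Users\example\AppData\Local\Example\shell.dll
'''

# Key and data are separated by " => ", " -> " or, after a *server32 key, ": ".
ENTRY = re.compile(r'^(?P<key>.+?)(?: => | -> |(?<=32): )(?P<data>.*)$')

CHECKS = [
    ("rundll32 given a script-protocol argument",
     re.compile(r'\brundll32(?:\.exe)?"?\s+(?:javascript|vbscript):', re.I)),
    ("mshtml RunHTMLApplication entry point",
     re.compile(r'mshtml\s*,\s*RunHTMLApplication', re.I)),
    ("inline eval() in a registry value",
     re.compile(r'\beval\s*\(', re.I)),
]
COM_SERVER_KEY = re.compile(r'\\(?:localserver32|inprocserver32)$', re.I)


def scan(log_text):
    """Return one finding per log line whose data matches any check."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = ENTRY.match(line.strip())
        if not match:
            continue
        key, data = match["key"], match["data"]
        reasons = [name for name, rx in CHECKS if rx.search(data)]
        if reasons:
            findings.append({
                "line": number,
                "key": key,
                "com_server": bool(COM_SERVER_KEY.search(key)),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['key']} -> {', '.join(f['reasons'])}")
```

A hit only marks a line for review; what to remove on a given machine still comes from the helper reading that machine's own logs.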

How long is the first fix supposed to run? It's been going about 15 minutes, still running…

Sounds like the EmptyTemp command has frozen; stop the programme and post the fix log that was generated, please.

It eventually finished, and I did the second fix too. Here are the logs. Thus far, no more popup alerts. Thank you so much for your quick help!

EmptyTemp: => Removed 10.1 GB temporary data.

OK, this is why it took a while :)

Any further problems before I tidy up?