svchost accessing malicious URLs

Hi, I’ve got a problem with Avast flagging svchost attempting to access about 14 malicious URLs on startup. If anyone could help that would be great!

Logs are attached.

Thanks!
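Before running a generic cleanup it is worth finding out which service, inside which svchost.exe instance, is actually opening the connections Avast flags: svchost.exe itself is just a Microsoft-signed host process, and the code that matters is the ServiceDll each hosted service loads into it. The PowerShell below is an added example for this thread, not part of the original posts and not zoek or Avast code. It assumes Windows 8 or later (Get-NetTCPConnection is not available on Windows 7) and an elevated session; the function name Get-SvchostConnectionReport is my own.

```powershell
# Attribute outbound TCP connections of every svchost.exe instance to the
# services it hosts, then check the Authenticode signature of each service's
# ServiceDll. Added example for this thread; not zoek or Avast code.
# Assumptions: Windows 8+ (Get-NetTCPConnection), elevated PowerShell session.
function Get-SvchostConnectionReport {
    [CmdletBinding()]
    param()

    # Win32_Service exposes ProcessId, which maps a service to the svchost
    # instance that hosts it (0 means the service is not running).
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 }

    foreach ($proc in (Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
        # A connection that Avast blocks may never get past SynSent, so keep
        # that state as well as Established; drop loopback/unspecified peers.
        $conns = Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
            Where-Object {
                $_.State -in 'Established', 'SynSent' -and
                $_.RemoteAddress -notin '127.0.0.1', '::1', '0.0.0.0', '::'
            }
        if (-not $conns) { continue }

        foreach ($svc in ($services | Where-Object { $_.ProcessId -eq $proc.Id })) {
            # The DLL a shared-process service loads is recorded under
            # <service>\Parameters\ServiceDll; expand %SystemRoot% etc. before use.
            $paramKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll       = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            $sigStatus = 'n/a'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path -LiteralPath $dll) {
                    $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
                } else {
                    $sigStatus = 'missing'
                }
            }

            foreach ($c in $conns) {
                [pscustomobject]@{
                    PID        = $proc.Id
                    Service    = $svc.Name
                    ServiceDll = $dll
                    Signature  = $sigStatus
                    State      = $c.State
                    Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
                }
            }
        }
    }
}

# Usage: run while the alerts are firing (e.g. shortly after logon).
Get-SvchostConnectionReport | Sort-Object Remote | Format-Table -AutoSize
```

Every service in the same svchost instance is listed against each connection, because the connection is owned by the process, not by one service; the column that narrows it down is Signature. A ServiceDll that lives outside %SystemRoot% or whose status is anything other than Valid is the thing to inspect (and submit to the helper) before deleting anything.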

Hello,

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the zoek.exe icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
bitsadmin /reset /allusers;b
ipconfig /flushdns;b

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, the log will open after the reboot. You may also find it on your main drive (usually C:\).

Post its content into your next reply.

Hey Argus,

Thanks for getting back to me.

As requested here are the zoek results:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Roxie on 01/06/2015 at 4:30:07.85.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Roxie\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

01/06/2015 04:31:38 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\Google deleted successfully
C:\Program Files\PowerISO deleted successfully
C:\PROGRA~3\Syncrosoft deleted successfully
C:\PROGRA~3\Validity deleted successfully
C:\Users\Roxie\AppData\Local\C0A6AFB3-1430936391-E211-B6A2-A8C632B84C4F deleted successfully
C:\Users\Roxie\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3771581112-3909732738-711342803-1002\Software\Microsoft\Internet Explorer\SearchScopes\{4486B029-2C10-4264-BD6E-623C8AB797FE} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{4486B029-2C10-4264-BD6E-623C8AB797FE} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4486B029-2C10-4264-BD6E-623C8AB797FE} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\Tasks\avastBCLRestartS-1-5-21-3771581112-3909732738-711342803-1002 deleted
“C:\windows\Installer\f552.msi” deleted
“C:\Users\Roxie\AppData\Roaming\JnjZDLQy” deleted
“C:\ProgramData\cm-lock” not deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [07/05/2015 06:50]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Roxie\AppData\Roaming\TomTom\HOME\Profiles\0036i0iv.default

  • Emulator - %ProfilePath%\extensions\Navcore.8.080.9662@tomtom.com

==== Firefox Plugins ======================

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.81

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[11/04/2015 23:36]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[11/04/2015 23:36]

Google Voice Search Hotword (Beta) - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Linky - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\bknechokhjgchpodgplolmkgicojmgnd
FullContact for Gmail™ - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnaibnehbbinoohhjafknihmlopdhhip
Tampermonkey - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo
Avast SafePrice - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Bookmark Manager - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
Avast Online Security - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
TweetDeck by Twitter - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl
Words - Crossword Game - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\icjjnigcoehkmcjegedmcnmmkhlngkeo
WorkFlowy - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\koegeopamaoljbmhnfjbclbocehhgmkm
Chrome Hotword Shared Module - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Colorblendy - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mngmafdcpeeloikhhabijcnddgildokk
Do Share - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\oglhhmnmdocfhmhlekfdecokagmbchnf

==== Chromium Startpages ======================

C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Preferences
“:{“srtt”:22036},“supports_spdy”:true},“www.youtube.co.uk:80”:{“alternative_service”:[{“port”:80,“probability”:1.0,“protocol_str”:“quic”}]},“www.youtube.com:443”:{“alternative_service”:[{“port”:443,“probability”:1.0,“protocol_str”:“quic”}],“network_stats”:{“srtt”:25794},“supports_spdy”:true},“www.youtube.com:80”:{“alternative_service”:[{“port”:80,“probability”:0.0,“protocol_str”:“quic”}],“network_stats”:{“srtt”:28318}},“youtu.be:443”:{“alternative_service”:[{“port”:443,“probability”:1.0,“protocol_str”:“quic”}],“supports_spdy”:true},“youtube.com:443”:{“network_stats”:{“srtt”:86791},“supports_spdy”:true},“youtube.com:80”:{“alternative_service”:[{“port”:80,“probability”:1.0,“protocol_str”:“quic”}],“network_stats”:{“srtt”:23578}},“yt3.ggpht.com:443”:{“alternative_service”:[{“port”:443,“probability”:1.0,“protocol_str”:“quic”}],“network_stats”:{“srtt”:19006},“supports_spdy”:true}},“supports_quic”:{“address”:“192.168.0.7”,“used_quic”:true},“version”:3}},“ntp”:{“app_page_names”:[“Apps”]},“partition”:{“per_host_zoom_levels”:{“2166136261”:{“www.google.co.uk”:-0.5778829311823857}}},“password_bubble”:{“nopes”:0},“plugins”:{“migrated_to_pepper_flash”:true,“plugins_list”:,“removed_old_component_pepper_flash_settings”:true},“profile”:{“avatar_bubble_tutorial_shown”:2,“avatar_index”:0,“content_settings”:{“exceptions”:{“app_banner”:{},“auto_select_certificate”:{},“automatic_downloads”:{},“cookies”:{},“fullscreen”:{”[.]www.native-instruments.com,“:{“setting”:1},”[.]www.netflix.com,“:{“setting”:1},“http://www.netflix.com:80,http://www.netflix.com:80”:{“setting”:1},“https://[.]www.youtube.com:443,”:{“setting”:1},“https://www.youtube.com:443,https://www.youtube.com:443”:{“setting”:1}},“geolocation”:{},“images”:{},“javascript”:{},“media_stream”:{},“media_stream_camera”:{},“media_stream_mic”:{},“metro_switch_to_desktop”:{},“midi_sysex”:{},“mixed_script”:{},“mouselock”:{},“notifications”:{},“plugins”:{”[.]keepvid.com,“:{“setting”:1}},“popups”:{},“ppapi_broker”:{},“protocol_handlers”:{},“pu
sh_messaging”:{},“ssl_cert_decisions”:{“https://www.ciarecords.co.uk:443,https://www.ciarecords.co.uk:443”:{“setting”:{“cert_exceptions_map”:{“4294967094c8kARdteQxe4T96GNNl+DMZn5KjbdI8/x56VtabX4BQ=”:1},“guid”:“8A508B3D-EBC3-4537-B3E9-30E9BAAC1924”,“version”:1}}}},“pattern_pairs”:{”[.]keepvid.com,“:{“plugins”:1},”[.]www.native-instruments.com,“:{“fullscreen”:1},”[.]www.netflix.com,“:{“fullscreen”:1},“http://www.netflix.com:80,http://www.netflix.com:80”:{“fullscreen”:1},“https://[.]www.youtube.com:443,”:{“fullscreen”:1},“https://www.avis.co.uk:443,https://www.avis.co.uk:443”:{“geolocation”:1,“last_used”:{“geolocation”:1426513105.318542}},“https://www.youtube.com:443,https://www.youtube.com:443”:{“fullscreen”:1}},“pref_version”:1},“created_by_version”:“42.0.2311.135”,“default_content_settings”:{},“exit_type”:“Crashed”,“exited_cleanly”:true,“gaia_info_picture_url”:“https://lh5.googleusercontent.com/-emV1RO_p0VA/AAAAAAAAAAI/AAAAAAAAABA/meYitFHtdF0/s256-c/photo.jpg",“gaia_info_update_time”:“13077575662462404”,“icon_version”:3,“managed_user_id”:“”,“managed_users”:{},“migrated_content_settings_exceptions”:true,“migrated_default_content_settings”:true,“migrated_default_media_stream_content_settings”:true,“name”:"First 
user”,“per_host_zoom_levels”:{}},“protection”:{“macs”:{“extensions”:null}},“reverse_autologin”:{“enabled”:false},“savefile”:{“default_directory”:“C:\Users\Roxie\Desktop”,“type”:1},“selectfile”:{“last_directory”:“C:\Users\Roxie\Desktop”},“session”:{“restore_on_startup_migrated”:true,“startup_urls_migration_time”:“13075441696008641”},“signin”:{“signedin_time”:“13077214300789378”},“sync”:{“encryption_bootstrap_token”:“AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAHfcNPRSuHkavFow9vxuHDAAAAAACAAAAAAAQZgAAAAEAACAAAACI/6hdMPVgTj9JpaFufNXnCtaEaUJkef0US2/oed3heQAAAAAOgAAAAAIAACAAAAC0hauDDl2gWft/7DXHlWI1DrixyPlySflcUP/j3LhSNkAAAAAtpWSvf1vixsNsjTRjHihQkvRJYq09FgBv621U9xkfwRPUv8M3clGCvuH4YLF2dIc076lHlTriXN8K1bG6FpjnQAAAAPPWCYYl5lSkap5bt1JVmD621KDe7REG08GqHe2w2fH3FdzPQQBuIcT/niz3gkNuY9ckQfwY754PCn9ScHAoCtk=”,“first_sync_time”:“13077214300810227”,“has_setup_completed”:true,“keystore_encryption_bootstrap_token”:“AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAHfcNPRSuHkavFow9vxuHDAAAAAACAAAAAAAQZgAAAAEAACAAAAB+ZVlV/fZMxwo1zePtOVL4enjhpSn0q2l7DLrgKlSSkwAAAAAOgAAAAAIAACAAAAAmvMN1MlNvOks9kZYi2c8ZVB9U9qwifxfyVme/rvL9bVAAAAC9Ppt0OGga64KKAv9uivRReY66bacOyY/YuOdvfMnSW/NAFhBShC+vuN29NQsS7tkqt0QglX87gAvcaObTHK812XhDAC8E5aRVdCdFNcpE10AAAAAHt/Yyh93WHl+2ZPfCMuFsD4wYGuqNw5F15hdk1yHzlZ4IZdVKjzPMfJF0C9lvSMTMvDxXMx4RjyEdMjkAOFsb”,“last_synced_time”:“13077602803560553”,“session_sync_guid”:“session_syncWwJ8vSHm4VX0sPdJhNXVAQ==”,“suppress_start”:false},“translate_accepted_count”:{“en”:1,“fr”:0,“it”:0},“translate_blocked_languages”:[“en”],“translate_denied_count”:{“en”:0,“fr”:2,“it”:1},“translate_last_denied_time”:1431528623732.348,“translate_too_often_denied”:true,“translate_whitelists”:{}}
64756BCE8970AAF8C2238BD6F499C807”},“software_reporter”:{“prompt_reason”:“170F0B513FD9674D8FD414B7BC6BD054979F7F40087E1CF6EFBAE73AE135DCC5”,“prompt_seed”:“015395D816E625CBEB3F101A59F6B26D3C31612BDFE96E94014BE21D9593CF10”,“prompt_version”:“6FD2914979A2748E08EB403A27C8595CABCB4A499BD0F073DDCCC5915A0A02C9”},“sync”:{“remaining_rollback_tries”:“C1E07BFAE4D4EE027055EB4841E8142356BA09F23FBB561BBC490586308E0E45”}},“super_mac”:“8661BAE61A869239A5940DA8F38FA080405801B2BAEDC78E16305633C188E60B”},“session”:{“restore_on_startup”:5,“startup_urls”:[“http://google.co.uk/",“https://mail.google.com/mail/#inbox”]},“sync”:{"remaining_rollback_tries”:0}}

==== Chromium Fix ======================

C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_lyrics.wikia.com_0.localstorage deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_lyrics.wikia.com_0.localstorage-journal deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.metrolyrics.com_0.localstorage deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.metrolyrics.com_0.localstorage-journal deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_business-cloud-storage-services.toptenreviews.com_0.localstorage deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_business-cloud-storage-services.toptenreviews.com_0.localstorage-journal deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.hotukdeals.com_0.localstorage deleted successfully
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.hotukdeals.com_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://g.uk.msn.com/HPNOT13/2

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://g.uk.msn.com/HPNOT13/2

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
“DefaultScope”=“{0633EE93-D776-472f-A0FF-E1416B8B2E3A}”
{012E1000-F331-11DB-8314-0800200C9A66} Google Url=“http://www.google.com/search?q={searchTerms}
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url=“http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS
{D944BB61-2E34-4DBF-A683-47E505C587DC} eBay Url=“http://rover.ebay.com/rover/1/710-29550-11896-25/4

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FEEF40788A6AE7E41B42DB16226CE6C2 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8704FEEF-A6A8-4E7E-B124-BD6122C66E2C} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FEEF40788A6AE7E41B42DB16226CE6C2 deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=49 folders=33 144395664 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Roxie\AppData\Local\Temp will be emptied at reboot
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Roxie\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

“C:\ProgramData\cm-lock” not deleted

==== EOF on 01/06/2015 at 4:50:36.71 ======================

Cheers
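The CLSID keys zoek removed above under SearchScopes (in the user's S-1-5-21-...-1002 hive and in both the 64-bit and Wow6432Node views of HKLM) are the usual footprint of a search hijacker, and the "All HKCU SearchScopes" section of the log only covers the current user's hive. The following PowerShell is an added check for this thread, not from the original posts and not zoek code: it lists every search scope in HKLM and in every loaded user hive and flags any whose URL host is not on an allow-list. The allow-list (seeded with the three hosts visible in the log above) and the function name Get-SearchScopeReport are assumptions; extend the list for the engines you actually use.

```powershell
# Audit Internet Explorer SearchScopes across HKLM (64- and 32-bit views) and
# every loaded user hive; flag scopes whose URL host is not a known engine.
# Added example for this thread; not zoek code. The allow-list is an assumption
# seeded with the hosts that appear in the zoek log above.
$KnownSearchHosts = @('www.google.com', 'www.bing.com', 'rover.ebay.com')

function Get-SearchScopeReport {
    param([string[]]$AllowedHosts = $KnownSearchHosts)

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
    )

    # HKEY_USERS has no default PowerShell drive; attach one so per-user hives
    # (the S-1-5-21-... SIDs, excluding the *_Classes hives) can be walked.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $userHives = Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $userHives) {
        $roots += "HKU:\$($hive.PSChildName)\Software\Microsoft\Internet Explorer\SearchScopes"
    }

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # DefaultScope on the SearchScopes key names the CLSID IE searches with.
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope

        foreach ($scope in (Get-ChildItem -Path $root)) {
            $props   = Get-ItemProperty -Path $scope.PSPath
            $url     = $props.URL
            $urlHost = $null          # ($host is a reserved automatic variable)
            if ($url) {
                try { $urlHost = ([uri]$url).Host } catch { $urlHost = $null }
            }
            [pscustomobject]@{
                Hive        = $root
                Scope       = $scope.PSChildName
                DisplayName = $props.DisplayName
                IsDefault   = ($scope.PSChildName -eq $default)
                Url         = $url
                # No parsable URL, or a host outside the allow-list, is suspicious.
                Suspicious  = (-not $urlHost) -or ($urlHost -notin $AllowedHosts)
            }
        }
    }
}

# Usage: show only the scopes worth a second look; drop the filter to see all.
Get-SearchScopeReport | Where-Object Suspicious | Format-Table -AutoSize
```

A scope that is flagged and is also the DefaultScope is the one actually redirecting searches. Only hives that are loaded (a logged-on user, or one whose profile has been loaded with reg.exe) appear under HKEY_USERS, so run this as each user of the machine, or load the other NTUSER.DAT hives first, before concluding the other profiles are clean.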

Re-run zoek and run this script:

createsrpoint;
autoclean;
C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Preferences;f
emptyalltemp;
ipconfig /flushdns;b

Post its content into your next reply.

Hey,

Zoek results as requested:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Roxie on 01/06/2015 at 14:14:55.08.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Roxie\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2015-06-01-035036.log 15320 bytes

==== System Restore Info ======================

01/06/2015 14:19:31 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~3\1dd1c5210000359c deleted successfully
C:\PROGRA~3\Validity deleted successfully
C:\Users\Roxie\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

"C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Preferences" deleted
“C:\ProgramData\cm-lock” not deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [07/05/2015 06:50]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Roxie\AppData\Roaming\TomTom\HOME\Profiles\0036i0iv.default

  • Emulator - %ProfilePath%\extensions\Navcore.8.080.9662@tomtom.com

==== Firefox Plugins ======================

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.81

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[11/04/2015 23:36]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[11/04/2015 23:36]

Google Voice Search Hotword (Beta) - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Linky - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\bknechokhjgchpodgplolmkgicojmgnd
FullContact for Gmail™ - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnaibnehbbinoohhjafknihmlopdhhip
Tampermonkey - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo
Avast SafePrice - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Bookmark Manager - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
Avast Online Security - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
TweetDeck by Twitter - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl
Words - Crossword Game - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\icjjnigcoehkmcjegedmcnmmkhlngkeo
WorkFlowy - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\koegeopamaoljbmhnfjbclbocehhgmkm
Chrome Hotword Shared Module - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Colorblendy - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mngmafdcpeeloikhhabijcnddgildokk
Do Share - Roxie\AppData\Local\Google\Chrome\User Data\Default\Extensions\oglhhmnmdocfhmhlekfdecokagmbchnf

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://g.uk.msn.com/HPNOT13/2

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://g.uk.msn.com/HPNOT13/2

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
“DefaultScope”=“{0633EE93-D776-472f-A0FF-E1416B8B2E3A}”
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=HPNTDFJS"
{D944BB61-2E34-4DBF-A683-47E505C587DC} eBay Url="http://rover.ebay.com/rover/1/710-29550-11896-25/4"

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Roxie\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Users\Roxie\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=50 folders=33 144450193 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Roxie\AppData\Local\Temp will be emptied at reboot
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Roxie\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

“C:\ProgramData\cm-lock” not deleted

==== EOF on 01/06/2015 at 14:41:23.35 ======================

How is your PC now?

Seems to be fine, no threats as yet!

Thank you very very much!!!

The following will implement some post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

[*]Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
[*]Make sure that these ones are checked:

[*]Remove disinfection tools
[*]Purge system restore
[*]Reset system settings

[*]Push Run and wait until the tool completes his work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Regards.

Thank you very much for all your help!