Hello,

First-time user and newbie.

Attaching the logfile image.

I need help.

Thanks

 

Re: I'm not sure what to clean/remove.

Hello,

I'm here to help you. To be sure that all items detected by AdwCleaner must be deleted, I will need more data about them. Can you post the entire log file in your answer?

You can find it in C:/AdwCleaner/AdwCleaner[SX].txt where X is a number.

Chapi

Re: I'm not sure what to clean/remove.

Thank you for getting back to me.

Please explain how to insert an image that resides on my computer, or upload a file.

I have no trouble knowing where my AdwCleaner logfile is located.

 

Re: I'm not sure what to clean/remove.

OK, so just open the logfile with Notepad, then use CTRL + A to select the whole text, then CTRL + C to copy it. Then, in your answer, use the icon "add an extract of code", between "add an image" and "add an array".

Then paste the code in it with CTRL + V.

If you don't find the "add an extract of code" function, just paste the contents of the log in your answer.

Chapi

Re: I'm not sure what to clean/remove.

Here's the logfile

# AdwCleaner v5.022 - Logfile created 23/11/2015 at 16:08:08
# Updated 22/11/2015 by Xplode
# Database : 2015-11-22.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : My Computer - MYCOMPUTER-PC
# Running from : C:\Users\My Computer\Downloads\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\ProgramData\Systweak
Folder Found : C:\Users\My Computer\AppData\Local\YSearchUtil
Folder Found : C:\Users\My Computer\AppData\Roaming\ARecEngine
Folder Found : C:\Users\My Computer\AppData\Roaming\Systweak
Folder Found : C:\Users\My Computer\Favorites\Search
Folder Found : C:\Users\My Computer\Favorites\Search
Folder Found : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil

***** [ Files ] *****

***** [ DLL ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Classes\pokki
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Found : HKLM\SOFTWARE\Classes\Interface\{41E2BE59-5C34-46AB-B743-6678BC94F42C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{52654F2B-3A13-4569-AB52-EF4201F79221}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{41E2BE59-5C34-46AB-B743-6678BC94F42C}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}
Key Found : HKCU\Software\distromatic
Key Found : HKCU\Software\systweak
Key Found : HKCU\Software\IObit Apps
Key Found : HKCU\Software\AppDataLow\Software\IObit Apps
Key Found : HKLM\SOFTWARE\systweak
Key Found : HKLM\SOFTWARE\{F2E9660B-98AF-42c0-8258-9CDDF07BF95D}
Key Found : HKLM\SOFTWARE\IObit Apps
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\30C16B15B255BD349A1157B8A83E2AF9
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044

***** [ Web browsers ] *****

*************************

C:\AdwCleaner[S1].txt - [2969 bytes] - [23/04/2013 13:47:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S14].txt - [3304 bytes] ##########

barsim

Re: I'm not sure what to clean/remove.

Hello,

All these entries are about toolbars, extensions and potentially unwanted programs.

You can remove them all by launching AdwCleaner again and clicking the cleaning button.

Can you then post the cleaning report here?

As AdwCleaner only checks for one category of malware, can you follow these instructions to make a deeper analysis of your computer:

  • Download ZHPDiag from Nicolas on his website
  • Then run it with administrator's rights (with right click)
  • Then upload the log file on up2share (you will find it on your desktop, just drop the file on the upload zone)
  • Then post the link in your reply

Chapi

Re: I'm not sure what to clean/remove.

The Cleaning Report:

# AdwCleaner v5.022 - Logfile created 24/11/2015 at 15:49:43
# Updated 22/11/2015 by Xplode
# Database : 2015-11-22.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : My Computer - MYCOMPUTER-PC
# Running from : C:\Users\My Computer\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\Systweak
[-] Folder Deleted : C:\Users\My Computer\AppData\Local\YSearchUtil
[-] Folder Deleted : C:\Users\My Computer\AppData\Roaming\ARecEngine
[-] Folder Deleted : C:\Users\My Computer\AppData\Roaming\Systweak
[-] Folder Deleted : C:\Users\My Computer\Favorites\Search
[!] Folder Not Deleted : C:\Users\My Computer\Favorites\Search
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Classes\pokki
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{41E2BE59-5C34-46AB-B743-6678BC94F42C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{52654F2B-3A13-4569-AB52-EF4201F79221}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{41E2BE59-5C34-46AB-B743-6678BC94F42C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : HKCU\Software\distromatic
[-] Key Deleted : HKCU\Software\systweak
[-] Key Deleted : HKCU\Software\IObit Apps
[-] Key Deleted : HKCU\Software\AppDataLow\Software\IObit Apps
[-] Key Deleted : HKLM\SOFTWARE\systweak
[-] Key Deleted : HKLM\SOFTWARE\{F2E9660B-98AF-42c0-8258-9CDDF07BF95D}
[-] Key Deleted : HKLM\SOFTWARE\IObit Apps
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\30C16B15B255BD349A1157B8A83E2AF9
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044

***** [ Web browsers ] *****

*************************

:: "Tracing" keys removed :: Winsock settings cleared

*************************

C:\AdwCleaner[S1].txt - [2969 bytes] - [23/04/2013 13:47:00]

barsim

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [3610 bytes] ##########

 

Re: I'm not sure what to clean/remove.

OK, now can you follow the previous instructions concerning a scan with ZHPDiag ?

Re: I'm not sure what to clean/remove.

You gave me the AdwCleaner report, but not the ZHPDiag one. Can you follow the previous instructions concerning ZHPDiag to get the report and give it to me?

Re: I'm not sure what to clean/remove.

Ran the tool, generated the report; because I have no French knowledge, guessed by dropping it to the blue square.

Re: I'm not sure what to clean/remove.

Hello,

Just to help you for the logfile part :

  • Go to https://up2sha.re/?lang=us
  • Click on "Drop your files here". A window will open, browse to your desktop. Double-click on "ZHPDiag.txt".
  • The file will be uploaded on Up2Sha.re. A link will appear, just below the blue square, in the form "https://up2sha.re/file?f=xxxxxxxx". It's this part you need to copy and paste here.

Regards,

Re: I'm not sure what to clean/remove.

Hi.  Curious work indeed !!!

We all talk about the application itself, but...

...perhaps the bug is in the downloaded catalog ???

 


Re: I'm not sure what to clean/remove.

I selected Browsing (the Report is signed by barsim) and Sent the file, where only 1 bug was discovered. It wasn't cleaned yet.

Re: I'm not sure what to clean/remove.

OK, if I understand, you uploaded the report on the upshare platform.

Sadly we can't access it if you don't give us a link to it.

So can you repeat the upload, and give us the link.

To do that, just follow fr33tux's instructions. If you get stuck on any of those instructions, just tell me, and I will make them clearer.

Hello,

Just to help you for the logfile part :

  • Go to https://up2sha.re/?lang=us
  • Click on "Drop your files here". A window will open, browse to your desktop. Double-click on "ZHPDiag.txt".
  • The file will be uploaded on Up2Sha.re. A link will appear, just below the blue square, in the form "https://up2sha.re/file?f=xxxxxxxx". It's this part you need to copy and paste here.

Regards,


fr33tux, 2015-11-26 00:21:27 (UTC)

Chapi

Re: I'm not sure what to clean/remove.

Ok, before using a script to eliminate all remaining threats, I need you to tell me about some software that I don't know :

Do you know :

  • BankId
  • Turbo Tax ( 2010 2013 2014)
  • Quick Tax
  • Memorex exPressit Label Design Studio
  • arcadeparlorconfig

You also have some uncommon Firefox extensions such as video downloader, a new theme... Do you want them?

You have a lot of security software. Some are useless and others are not compatible with each other.

These are clearly enough:

  • Avast
  • Windows Defender
  • MBAM
  • Secunia PSI and CCleaner (not really security software)

Therefore, I recommend you uninstall:

  • Trusteer Endpoint Protection
  • Kaspersky Security Scan
  • Spybot S&D
  • ESET Online Scanner
  • Spyware Blaster
  • McAfee

To uninstall them, the easiest way is to launch CCleaner, go to Tools, Uninstall Programs, then find the programs that I mentioned and uninstall them. This also applies to the software BankId, Turbo Tax... in case you don't use them.

Then just come back and tell me which software you want to keep and which you don't want, and I will give you a script.

As usual, if you have a question, just tell me :)

Good luck

Chapi

Re: I'm not sure what to clean/remove.

Hello from Canada,

Ok, before using a script to eliminate all remaining threats, I need you to tell me about some software that I don't know :

Do you know :

  • BankId: keeper
  • Turbo Tax ( 2010 2013 2014): keeper
  • Quick Tax: keeper
  • Memorex exPressit Label Design Studio: keeper
  • arcadeparlorconfig: definitely remove Spying!!

You also have some uncommon Firefox extensions such as video downloader, a new theme... Do you want them?: Yes I do

You have a lot of security software. Some are useless and others are not compatible with each other.

These are clearly enough:

  • Avast
  • Windows Defender
  • MBAM
  • Secunia PSI and CCleaner (not really security software): keep them all!

Therefore, I recommend you uninstall:

  • Trusteer Endpoint Protection: keeper banking protection from IBM
  • Kaspersky Security Scan: used once for online scanning
  • Spybot S&D: deleted program
  • ESET Online Scanner: used it once
  • Spyware Blaster: deleted program
  • McAfee: no longer used

To uninstall them, the easiest way is to launch CCleaner, go to Tools, Uninstall Programs, then find the programs that I mentioned and uninstall them. This also applies to the software BankId, Turbo Tax... in case you don't use them.

Then just come back and tell me which software you want to keep and which you don't want, and I will give you a script.

As usual, if you have a question, just tell me :)

Good luck

Chapi


Chapi, 2015-11-26 18:20:51 (UTC)

barsim

 

Re: I'm not sure what to clean/remove.

Hi from France :)

We will use ZHPFix, another tool from Nicolas Coolman, in order to remove what remains of that software and the little thing AdwCleaner missed.

  • Go to the download page of ZhpFix, click on the blue button "Download Now".
  • Save the file wherever you want and launch it with a right click: "launch as administrator".
  • Follow the instructions during the installation.
  • Then click on the shortcut for ZhpFix on your desktop, and as usual, launch it as administrator.
  • Select "Import"
  • Copy paste this script from "Script ZHPFix" to "EmptyFlash":
Script ZHPFix
P2 - EXT FILE: (...) -- C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\8kyk8yzd.default-1436897542862\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
HKCU\SOFTWARE\AppDataLow\Software\arcadeparlorconfig
O43 - CFD: 15/03/2015 - [] D -- C:\ProgramData\{65AB91D4-DDD0-48D4-804D-C24E1FC90D44}
HKCU\SOFTWARE\DriverSupport
O43 - CFD: 21/11/2015 - [] D -- C:\ProgramData\ProductData
O43 - CFD: 28/01/2014 - [] D -- C:\Users\My Computer\AppData\Roaming\ProductData
O42 - Logiciel: Kaspersky Security Scan - (.Kaspersky Lab.) [HKLM][64Bits] -- {56009CA3-423B-41F8-884A-E5B049534F15}
O2 - BHO: ExplorerWnd Helper [64Bits] - {10921475-03CE-4E04-90CE-E2E7EF20C814}  (Orphean)
HKLM\SOFTWARE\Wow6432Node\Safer Networking Limited
HKCU\SOFTWARE\Safer Networking Limited
O43 - CFD: 08/03/2015 - [] D -- C:\Program Files (x86)\Spybot - Search & Destroy
O53 - SMSR:HKLM\...\startupreg\SpybotSD TeaTimer  [Key] . (...) -- c:\program files (x86)\spybot - search & destroy\teatimer.exe (.not file.)
HKLM\SOFTWARE\Wow6432Node\Eset
HKLM\SOFTWARE\Wow6432Node\SpywareBlaster
HKCU\SOFTWARE\MCAFEE
O43 - CFD: 17/08/2014 - [0] D -- C:\Program Files (x86)\McAfee
O43 - CFD: 22/11/2015 - [0] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
O43 - CFD: 17/08/2014 - [] D -- C:\ProgramData\McAfee
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
  • Then click on Go to launch the tool.
  • At the end, a report named ZHPFixReport.txt will be created and saved on your desktop.
  • Please Copy/Paste its content in your answer.

Bye

Re: I'm not sure what to clean/remove.

Here's the original script:

Script ZHPFix
P2 - EXT FILE: (...) -- C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\8kyk8yzd.default-1436897542862\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
HKCU\SOFTWARE\AppDataLow\Software\arcadeparlorconfig
O43 - CFD: 15/03/2015 - [] D -- C:\ProgramData\{65AB91D4-DDD0-48D4-804D-C24E1FC90D44}
HKCU\SOFTWARE\DriverSupport
O43 - CFD: 21/11/2015 - [] D -- C:\ProgramData\ProductData
O43 - CFD: 28/01/2014 - [] D -- C:\Users\My Computer\AppData\Roaming\ProductData
O42 - Logiciel: Kaspersky Security Scan - (.Kaspersky Lab.) [HKLM][64Bits] -- {56009CA3-423B-41F8-884A-E5B049534F15}
O2 - BHO: ExplorerWnd Helper [64Bits] - {10921475-03CE-4E04-90CE-E2E7EF20C814}  (Orphean)
HKLM\SOFTWARE\Wow6432Node\Safer Networking Limited
HKCU\SOFTWARE\Safer Networking Limited
O43 - CFD: 08/03/2015 - [] D -- C:\Program Files (x86)\Spybot - Search & Destroy
O53 - SMSR:HKLM\...\startupreg\SpybotSD TeaTimer  [Key] . (...) -- c:\program files (x86)\spybot - search & destroy\teatimer.exe (.not file.)
HKLM\SOFTWARE\Wow6432Node\Eset
HKLM\SOFTWARE\Wow6432Node\SpywareBlaster
HKCU\SOFTWARE\MCAFEE
O43 - CFD: 17/08/2014 - [0] D -- C:\Program Files (x86)\McAfee
O43 - CFD: 22/11/2015 - [0] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
O43 - CFD: 17/08/2014 - [] D -- C:\ProgramData\McAfee
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash

Then the improved/imported:

Script ZHPFix P2 - EXT FILE: (...) -- C:\Users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\8kyk8yzd.default-1436897542862\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi HKCU\SOFTWARE\AppDataLow\Software\arcadeparlorconfig O43 - CFD: 15/03/2015 - [] D -- C:\ProgramData\{65AB91D4-DDD0-48D4-804D-C24E1FC90D44} HKCU\SOFTWARE\DriverSupport O43 - CFD: 21/11/2015 - [] D -- C:\ProgramData\ProductData O43 - CFD: 28/01/2014 - [] D -- C:\Users\My Computer\AppData\Roaming\ProductData O42 - Logiciel: Kaspersky Security Scan - (.Kaspersky Lab.) [HKLM][64Bits] -- {56009CA3-423B-41F8-884A-E5B049534F15} O2 - BHO: ExplorerWnd Helper [64Bits] - {10921475-03CE-4E04-90CE-E2E7EF20C814}  (Orphean) HKLM\SOFTWARE\Wow6432Node\Safer Networking Limited HKCU\SOFTWARE\Safer Networking Limited O43 - CFD: 08/03/2015 - [] D -- C:\Program Files (x86)\Spybot - Search & Destroy O53 - SMSR:HKLM\...\startupreg\SpybotSD TeaTimer  [Key] . (...) -- c:\program files (x86)\spybot - search & destroy\teatimer.exe (.not file.) HKLM\SOFTWARE\Wow6432Node\Eset HKLM\SOFTWARE\Wow6432Node\SpywareBlaster HKCU\SOFTWARE\MCAFEE O43 - CFD: 17/08/2014 - [0] D -- C:\Program Files (x86)\McAfee O43 - CFD: 22/11/2015 - [0] D -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster O43 - CFD: 17/08/2014 - [] D -- C:\ProgramData\McAfee FirewallRaz EmptyPrefetch EmptyTemp EmptyFlash

I suppose the process has been ended with this, Merci!!!

Re: I'm not sure what to clean/remove.

Hello,

What do you mean by "Then the improved/imported"?

Have you followed my instructions ? Can you give me the content of the report named ZHPFixReport.txt that is located on your desktop ?