Need your brain John

voyagerfan99

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
I've got someone's laptop. It had a bunch of adware, etc. installed on it. I removed Norton Internet Security, uninstalled crap apps, and ran ADWC and JRT. I'm running MalwareBytes as I type this. The logs are below.

I can't find IE anywhere. The only way I can get an IE window to open if I type an address in an explorer window. Also when I open the Add/Remove Windows Features, the list is empty.
 
# AdwCleaner v4.208 - Logfile created 05/08/2015 at 19:45:44
# Updated 09/07/2015 by Xplode
# Database : 2015-08-01.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Sarah - SARAH-HP
# Running from : C:\Users\Sarah\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : CltMngSvc
Service Deleted : {027aeb7e-f8c3-4c10-be2c-627699fea100}w64
Service Deleted : {4572b88f-b0f6-490d-ac1d-566e27c62495}w64
Service Deleted : {49cc8637-1cac-4959-aad7-80c36d428d3d}w64
Service Deleted : {7cd3bedc-d669-4e18-8d13-4e15866f5c72}Gw64
Service Deleted : {7cd3bedc-d669-4e18-8d13-4e15866f5c72}w64
Service Deleted : {972dc55c-c6c0-44f6-8b54-5599004975cf}w64
Service Deleted : {9c8cca4c-20fb-4af3-ac83-4f7cb79e9eef}w64
Service Deleted : {a099f353-be27-4260-8532-0fab017d0e4f}w64
Service Deleted : {d11195b7-3360-435c-8dba-aca103f9bec5}w64
Service Deleted : {e808f110-c3bd-4b41-9d1e-f200058e16fe}w64
Service Deleted : {eaa5c94d-f832-4066-99d2-177ee28f0634}w64
Service Deleted : {fa79da02-3bd8-4e75-8e32-8cfb65ae6d40}w64
[#] Service Deleted : afa5aa21
[#] Service Deleted : f081f9a9

***** [ Files / Folders ] *****

Folder Deleted : C:\SearchProtect
Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\ProgramData\Systweak
Folder Deleted : C:\ProgramData\1289530197643474550
Folder Deleted : C:\ProgramData\5507a3fc00004ae6
Folder Deleted : C:\ProgramData\7aeb611900005837
Folder Deleted : C:\ProgramData\{20b9636f-f055-e5d3-20b9-9636ff058dbf}
Folder Deleted : C:\ProgramData\{beb86d31-a7c3-d944-beb8-86d31a7cb4c6}
Folder Deleted : C:\ProgramData\{c9e8962c-a0c5-d6db-c9e8-8962ca0c58b2}
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\couponight
Folder Deleted : C:\Program Files (x86)\eye perform
Folder Deleted : C:\Program Files (x86)\EExstraCOupone
Folder Deleted : C:\Program Files (x86)\ExstraCouponn
Folder Deleted : C:\Program Files (x86)\ExstriaiCoupon
Folder Deleted : C:\Windows\SysWOW64\SearchProtect
Folder Deleted : C:\Users\Sarah\AppData\Local\Temp\eye perform
Folder Deleted : C:\Users\Sarah\AppData\Local\Conduit
Folder Deleted : C:\Users\Sarah\AppData\Local\globalUpdate
Folder Deleted : C:\Users\Sarah\AppData\Local\SearchProtect
Folder Deleted : C:\Users\Sarah\AppData\Local\Wajam
Folder Deleted : C:\Users\Sarah\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Sarah\AppData\Roaming\ASP
Folder Deleted : C:\Users\Sarah\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Sarah\AppData\Roaming\xVidly
File Deleted : C:\END
File Deleted : C:\claraInstaller.txt
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Windows\System32\drivers\{027aeb7e-f8c3-4c10-be2c-627699fea100}w64.sys
File Deleted : C:\Windows\System32\drivers\{4572b88f-b0f6-490d-ac1d-566e27c62495}w64.sys
File Deleted : C:\Windows\System32\drivers\{49cc8637-1cac-4959-aad7-80c36d428d3d}w64.sys
File Deleted : C:\Windows\System32\drivers\{7cd3bedc-d669-4e18-8d13-4e15866f5c72}Gw64.sys
File Deleted : C:\Windows\System32\drivers\{7cd3bedc-d669-4e18-8d13-4e15866f5c72}w64.sys
File Deleted : C:\Windows\System32\drivers\{972dc55c-c6c0-44f6-8b54-5599004975cf}w64.sys
File Deleted : C:\Windows\System32\drivers\{9c8cca4c-20fb-4af3-ac83-4f7cb79e9eef}w64.sys
File Deleted : C:\Windows\System32\drivers\{a099f353-be27-4260-8532-0fab017d0e4f}w64.sys
File Deleted : C:\Windows\System32\drivers\{d11195b7-3360-435c-8dba-aca103f9bec5}w64.sys
File Deleted : C:\Windows\System32\drivers\{e808f110-c3bd-4b41-9d1e-f200058e16fe}w64.sys
File Deleted : C:\Windows\System32\drivers\{eaa5c94d-f832-4066-99d2-177ee28f0634}w64.sys
File Deleted : C:\Windows\System32\drivers\{fa79da02-3bd8-4e75-8e32-8cfb65ae6d40}w64.sys
File Deleted : C:\Users\Sarah\AppData\LocalLow\SkwConfig.bin

***** [ Scheduled tasks ] *****

Task Deleted : BackgroundContainer Startup Task
Task Deleted : globalUpdateUpdateTaskMachineCore
Task Deleted : globalUpdateUpdateTaskMachineUA
Task Deleted : Run_Bobby_Browser

***** [ Shortcuts ] *****
 
***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\wajam.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit.com
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [BackgroundContainer]
Key Deleted : HKLM\SOFTWARE\Classes\AmiBs.Installer
Key Deleted : HKLM\SOFTWARE\Classes\AmiBs.Installer.1
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.OneClickCtrl.10
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdate.Update3WebControl.4
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass.1
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass.1
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback.1.0
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc
Key Deleted : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc.1.0
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4
Key Deleted : HKLM\SOFTWARE\Classes\AppID\globalupdate.exe
Key Deleted : HKLM\SOFTWARE\f0fd8725-3490-c71f-2f78-6e0f548e5183
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{afa5aa21}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{f081f9a9}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3316071
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EDBF8C0-C94C-4A13-956F-E393BCA5BA4B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{829DD016-D322-481B-8BA3-10064B09EAC4}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CC6F4F54-6EF8-4E84-BDC6-ABC6F83100BE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EDC057F1-DA73-45DF-8DE5-3E7BCB565BFE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\GlobalUpdate
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\SweetIM
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\BoBrowser
Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\GlobalUpdate
Key Deleted : HKLM\SOFTWARE\SearchProtect
Key Deleted : HKLM\SOFTWARE\SweetIM
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\Clara
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKU\.DEFAULT\Software\IM
Key Deleted : HKU\.DEFAULT\Software\ImInstaller
Key Deleted : HKU\.DEFAULT\Software\SweetIM
Key Deleted : HKU\.DEFAULT\Software\WNLT
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~2\searchprotect\searchprotect\bin\spvc32loader.dll
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\globalupdate.exe
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\app.mam.conduit.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit-apps.com
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.16518


*************************

AdwCleaner[R0].txt - [14219 bytes] - [05/08/2015 19:44:22]
AdwCleaner[S0].txt - [13360 bytes] - [05/08/2015 19:45:44]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [13420 bytes] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.5 (08.05.2015:1)
OS: Windows 7 Home Premium x64
Ran by Sarah on Wed 08/05/2015 at 19:49:45.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully deleted: [Service] Update eye perform [Reboot required]
Successfully deleted: [Service] Util eye perform [Reboot required]



~~~ Tasks

Successfully deleted: [Task] C:\Windows\system32\tasks\Bidaily Synchronize Task[973b]
Successfully deleted: [Task] C:\Windows\system32\tasks\PageKeeper
Successfully deleted: [Task] C:\Windows\system32\tasks\SmartSpace
Successfully deleted: [Task] C:\Windows\Tasks\Bidaily Synchronize Task[973b].job
Successfully deleted: [Task] C:\Windows\Tasks\PageKeeper.job
Successfully deleted: [Task] C:\Windows\Tasks\SmartSpace.job



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Update eye perform
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\Util eye perform



~~~ Files

Successfully deleted: [File] C:\Users\Sarah\AppData\Roaming\appdataFr25.bin



~~~ Folders

Successfully deleted: [Folder] C:\Users\Sarah\Appdata\Local\cre





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/05/2015 at 19:55:04.02
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/5/2015
Scan Time: 8:04 PM
Logfile: mwb.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.05.07
Rootkit Database: v2015.08.04.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Sarah

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 361013
Time Elapsed: 37 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 12
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, Quarantined, [c7746a9ba6e5b680045f1e85f014fe02],
PUP.Optional.CrossRider.C, HKLM\SOFTWARE\WOW6432NODE\APPDATALOW\SOFTWARE\Crossrider, Quarantined, [96a506fffb903cfa52de2aeed92a9a66],
PUP.Optional.Wajam.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\jpmbfleldcgkldadpdinhjjopdfpjfjp, Quarantined, [14270bfa4546c4726784a0b8c24148b8],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\DACHBOKEKLMHLIKPKLNKMMEALJDFANOH, Quarantined, [0f2c3cc993f841f5db74fa1e966dcc34],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\OPFEDMIKIKMAHMPAIMPFELMIKHAIGOBP, Quarantined, [dc5f2dd81e6d62d4341b3ddba2615da3],
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE, Quarantined, [0734d13496f5c07697cca102af552cd4],
PUP.Optional.ICinema.A, HKU\S-1-5-18\SOFTWARE\I - Cinema-nv, Quarantined, [ae8d6d98d3b84de9edc592aaa75cd828],
PUP.Optional.ICinema.A, HKU\S-1-5-18\SOFTWARE\I - Cinema-nv-ie, Quarantined, [b68507fe4f3c171fd9d951ebdb28fe02],
PUP.Optional.Crossrider.C, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\_CrossriderRegNamePlaceHolder_, Quarantined, [5fdc60a5e1aae3532e02138b08fcb947],
PUP.Optional.ICinema.A, HKU\S-1-5-21-3953685271-1761966066-80060736-1002\SOFTWARE\I - Cinema-nv-ie, Quarantined, [2318788dc8c3fa3c872b96a61ae952ae],
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-3953685271-1761966066-80060736-1002\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\DACHBOKEKLMHLIKPKLNKMMEALJDFANOH, Quarantined, [e75448bda0eb053185cbc25615ee0cf4],
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-3953685271-1761966066-80060736-1002\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\OPFEDMIKIKMAHMPAIMPFELMIKHAIGOBP, Quarantined, [8cafda2b1f6c2511d27e0711c93ab14f],

Registry Values: 6
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue, 1, Quarantined, [c7746a9ba6e5b680045f1e85f014fe02]
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\dachbokeklmhlikpklnkmmealjdfanoh|path, C:\Users\Sarah\AppData\Local\CRE\dachbokeklmhlikpklnkmmealjdfanoh.crx, Quarantined, [0f2c3cc993f841f5db74fa1e966dcc34]
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\opfedmikikmahmpaimpfelmikhaigobp|path, C:\Users\Sarah\AppData\Local\CRE\opfedmikikmahmpaimpfelmikhaigobp.crx, Quarantined, [dc5f2dd81e6d62d4341b3ddba2615da3]
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue, 1, Quarantined, [0734d13496f5c07697cca102af552cd4]
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-3953685271-1761966066-80060736-1002\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\dachbokeklmhlikpklnkmmealjdfanoh|path, C:\Users\Sarah\AppData\Local\CRE\dachbokeklmhlikpklnkmmealjdfanoh.crx, Quarantined, [e75448bda0eb053185cbc25615ee0cf4]
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-3953685271-1761966066-80060736-1002\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\opfedmikikmahmpaimpfelmikhaigobp|path, C:\Users\Sarah\AppData\Local\CRE\opfedmikikmahmpaimpfelmikhaigobp.crx, Quarantined, [8cafda2b1f6c2511d27e0711c93ab14f]

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.IndepthSystem.A, C:\Program Files (x86)\IndepthSystem, Quarantined, [a59618edcac1a29442d84dd549ba4eb2],
PUP.Optional.SystemEnterprise.A, C:\Program Files (x86)\SystemEnterprise, Quarantined, [0a3118ed57349b9bb34e43573aca12ee],
PUP.Optional.MultiPlug, C:\ProgramData\nhoejbmhlhnlakdjflmioljplenkehil, Quarantined, [e655d82d05861f1776cbf0acda2afa06],

Files: 8
PUP.Optional.Bundlore.C, C:\Users\Sarah\Downloads\Setup.exe, Quarantined, [003b30d51774a6902159ff82f70ad52b],
PUP.Optional.IndepthSystem.A, C:\Program Files (x86)\IndepthSystem\IndepthSystem.dll, Quarantined, [a59618edcac1a29442d84dd549ba4eb2],
PUP.Optional.SystemEnterprise.A, C:\Program Files (x86)\SystemEnterprise\SystemEnterprise.dll, Quarantined, [0a3118ed57349b9bb34e43573aca12ee],
PUP.Optional.MultiPlug, C:\ProgramData\nhoejbmhlhnlakdjflmioljplenkehil\lsdb.js, Quarantined, [e655d82d05861f1776cbf0acda2afa06],
PUP.Optional.MultiPlug, C:\ProgramData\nhoejbmhlhnlakdjflmioljplenkehil\background.html, Quarantined, [e655d82d05861f1776cbf0acda2afa06],
PUP.Optional.MultiPlug, C:\ProgramData\nhoejbmhlhnlakdjflmioljplenkehil\content.js, Quarantined, [e655d82d05861f1776cbf0acda2afa06],
PUP.Optional.MultiPlug, C:\ProgramData\nhoejbmhlhnlakdjflmioljplenkehil\fzBKCz.js, Quarantined, [e655d82d05861f1776cbf0acda2afa06],
PUP.Optional.MultiPlug, C:\ProgramData\nhoejbmhlhnlakdjflmioljplenkehil\manifest.json, Quarantined, [e655d82d05861f1776cbf0acda2afa06],

Physical Sectors: 0
(No malicious items detected)


(end)
 
Run this OTL fix.

Code: 
:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[2015/08/05 20:04:05 | 000,000,000 | ---D | C] -- C:\Users\Sarah\AppData\Roaming\nCleaner


Also uninstall the program called ncleaner if there is an entry for it.

What issues remain after running everything?
 
ncleaner wasn't installed. It was run from my flashdrive.

I'll double check on other issues, but the Windows Features install/remove page list was blank and the action center didn't say anything about no AV installed. I'm currently running SFC and that instantly brought back any action center items that were missing. I'll run the OTL fix once SFC is done and report back.

The machone was also slow uninstalling stuff, and I checked startup but didn't remove anything so I'll double check that.
 
Here's the OTL fix log

========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
C:\Users\Sarah\AppData\Roaming\nCleaner folder moved successfully.
OTL by OldTimer - Version 3.2.69.0 log created on 08052015_221359



Also in startup there is a file at C:\Windows\System32\Coinme.exe that seems suspicious.
 
You must log in or register to reply here.
Back
Top