FrankGeist 0 Posted December 2, 2015

I am not sure where exactly I picked it up, but I got a real nasty virus of some kind a couple of days ago. Ran Malwarebytes, MSE, avast free, crapcleaner, and this thing would reinstall loads more and different adware as soon as I thought everything had been cleaned. I also tried the Kaspersky Rescue Disk, and TDSS tool... neither one found anything. But I'd reboot, and sure enough, more crapware.

Found Emsisoft Anti-Malware, ran that. It found a bunch of stuff. I attached the quarantine list and log for reference. After reboot, I opened Chrome and still had "Dealz" installed in the extensions (and it will not allow me to uncheck the "enable" box), and under Add/Remove Programs, "AllPCOptimizer" still showed up. A search for that landed me here in the forums. I followed the basic advice at the bottom of this thread: http://support.emsisoft.com/topic/19013-pc-has-multiple-infections/?hl=%2Ball+%2Boptimizer#entry140384 In other words, I installed AdwCleaner and Junkware Removal Tool. AdwCleaner definitely found something the first time I ran it. I have attached those log files as well.

After all of this, AllPCOptimizer is still showing up in my list of installed software. Dealz is still solidly embedded into Chrome extensions. Worst of all is how hampered my computer's speed is. The taskbar does this "twitchy" thing, like it's opening and closing programs constantly, and the active window will strobe with the title of the window changing rapidly between Program.exe and Program.exe (Not Responding) for ten to twenty seconds at a time. I've also included a screengrab of the error message that pops up as soon as I log in to Windows. It's a RunDLL window.

I really want to try to avoid re-installing the OS because I have sooooo much software to reinstall just to get back up and running. Gah.
Attached: Addition.txt, AdwCleanerC1.txt, AdwCleanerS1.txt, FRST.txt, JRT.txt, Quarantine.log, scan_151201-210943.txt
Kevin Zoll 309 Posted December 2, 2015

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Run: [Copy Handler] => [X]
HKU\S-1-5-21-2216996135-704350519-4274087971-1001\...\Winlogon: [Shell] C:\Windows\expstart.exe [925184 2015-05-28] () <==== ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-2216996135-704350519-4274087971-1001\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2216996135-704350519-4274087971-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-2216996135-704350519-4274087971-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
CHR Extension: (Google Translate) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2015-01-26] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google Docs) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-03] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google Drive) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-03] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google+ Notifications) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\boemmnepglcoinjcdlfcpcbmhiecichi [2015-01-24] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Chrome Connectivity Diagnostics) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\eemlkeanncmjljgehlbplemhmdmalhdc [2015-01-27] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google Sheets) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-03] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (AdBlock) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-03-03] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Hide My AdBlocker) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gihcngphjjankfngmgdkihhngndcdflc [2015-01-13] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google Voice (by Google)) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcnhkahnjcbndmmehfkdnkjomaanaooo [2015-01-13] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Replay Poker - Texas Holdem Poker) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdfcdggllbpfgmjiofncgckbjnfenhgo [2015-01-13] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Tabs saver) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmabfaomlcjlnplkoflgenkmmpilmead [2015-01-13] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Google Wallet) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-03] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (Wunderlist for Chrome) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojcflmmmcfpacggndoaaflkmcoblhnbh [2015-03-08] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
CHR Extension: (TekPassword (App) a password generator) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\olahljllcindiajgjmnnopeedeahlbhj [2015-01-13] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION
C:\Users\McCoy\AppData\Roaming\Passware
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SOLID PROGRAM" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SYSTWEAK" /f
AlternateDataStreams: C:\Program Files\Common Files\Microsoft Shared:9fgdook7V5uKKZn6REYIwHlknv
AlternateDataStreams: C:\Program Files\Common Files\System:aJyLnRoliD4v0hVC4wpRaT5
AlternateDataStreams: C:\ProgramData\Microsoft:7BZUmHyu37O3rfwK37FKckS
AlternateDataStreams: C:\ProgramData\Microsoft:kq4acquFaqjFURWsjZRn
AlternateDataStreams: C:\ProgramData\Microsoft:NGlkiycWX4u1kULBCNhJ
AlternateDataStreams: C:\ProgramData\Microsoft:RxgX6rgNhoJurC3Ia03kNd
AlternateDataStreams: C:\ProgramData\Microsoft:s3VFt3m748zaWijm4507I
AlternateDataStreams: C:\ProgramData\Microsoft:sH5Lpsy6oxhJYFaPRyOgRy4
AlternateDataStreams: C:\ProgramData\Microsoft:Ze2FhK50dbnQXQl52Fgc8
AlternateDataStreams: C:\Users\McCoy\Cookies:5UzJwPh7wte9JeTcbDSsHr
AlternateDataStreams: C:\Users\McCoy\Local Settings:tQO12zbQ6kuy7ckoXwvKfzNC
AlternateDataStreams: C:\Users\McCoy\AppData\Local:tQO12zbQ6kuy7ckoXwvKfzNC
AlternateDataStreams: C:\Users\McCoy\AppData\Local\Application Data:tQO12zbQ6kuy7ckoXwvKfzNC
AlternateDataStreams: C:\Users\McCoy\AppData\Local\Temp:QQac1b1mYVdlbf2L9kIWOIp

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
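The fixlist above is a list of FRST directives, and four of its entry types are worth recognising as a defender: the Winlogon Shell value pointing at C:\Windows\expstart.exe instead of explorer.exe (that program runs in place of the desktop at every logon), the Chrome and Internet Explorer policy restrictions (a policy-installed extension cannot be disabled from the extensions page, which matches the greyed-out "enable" box on Dealz in the first post), the store extensions whose UpdateUrl was rewritten from Google's clients2.google.com to epicunitscan.info (so their next "update" would come from that host), and the alternate data streams attached to system and profile directories. As an added example, not part of this thread and not FRST's own code, here is a Python triage script that parses FRST-style lines and flags those patterns, plus Run values FRST marks with [X] (target file no longer present). The sample lines are copied from the fixlist above, except for one constructed benign extension line with a made-up id; all function and category names are the example's own.

```python
"""Triage helper for FRST-style log and fixlist lines (added example, not FRST code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Chrome Web Store update endpoint. A store extension whose UpdateUrl points
# anywhere else will fetch its next "update" from that other host.
GOOGLE_UPDATE_HOST = "clients2.google.com"

# FRST appends this marker to lines it considers suspicious; strip it before matching.
ATTENTION = re.compile(r"\s*<={3,}\s*ATTENTION\s*$")
WINLOGON_SHELL = re.compile(r"Winlogon: \[Shell\] (?P<path>.+?)(?: \[|$)")
CHR_EXTENSION = re.compile(
    r"CHR Extension: \((?P<name>.+?)\) - .+?\\(?P<ext_id>[a-p]{32}) "
    r"\[[^\]]*\] \[UpdateUrl: (?P<url>[^\]]+)\]"
)
ADS = re.compile(r"AlternateDataStreams: (?P<host>.+):(?P<stream>[^:\\]+)$")
RUN_NO_TARGET = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] => \[X\]")


@dataclass
class Finding:
    category: str
    severity: str
    detail: str


def update_host(url: str) -> str:
    """Host part of a URL; also handles FRST's defanged hxxps:// form."""
    m = re.match(r"[a-z]+://([^/]+)", url.strip().lower())
    return m.group(1) if m else url


def parse_line(line: str):
    """Return a Finding for a suspicious FRST line, or None if the line looks benign."""
    line = ATTENTION.sub("", line.strip())
    m = WINLOGON_SHELL.search(line)
    if m:
        path = m.group("path")
        # The Winlogon Shell value should be explorer.exe; anything else is loaded as the shell.
        if path.split("\\")[-1].lower() != "explorer.exe":
            return Finding("winlogon_shell_hijack", "high", path)
        return None
    m = CHR_EXTENSION.search(line)
    if m:
        host = update_host(m.group("url"))
        if host != GOOGLE_UPDATE_HOST:
            return Finding("extension_update_hijack", "high",
                           f"{m.group('ext_id')} ({m.group('name')}) -> {host}")
        return None
    if "Restriction" in line and ("GroupPolicy" in line or "\\Policies\\" in line):
        # Browser lockdown policies; a force-installed extension cannot be disabled by the user.
        return Finding("policy_restriction", "medium", line.split(": ")[0])
    m = ADS.search(line)
    if m:
        return Finding("alternate_data_stream", "medium",
                       f"{m.group('host')}:{m.group('stream')}")
    m = RUN_NO_TARGET.search(line)
    if m:
        return Finding("run_entry_no_target", "low", m.group("name"))
    return None


def triage(lines):
    """Parse every line and keep only the findings."""
    return [f for f in (parse_line(l) for l in lines) if f is not None]


def summarize(findings) -> dict:
    """Count findings per category, e.g. for a quick overview before reading details."""
    return dict(Counter(f.category for f in findings))


# Constructed sample: the first six lines are copied from the fixlist in this thread,
# the "Benign Example" line is made up (fake id, genuine Google update host).
SAMPLE_LINES = [
    r"HKU\S-1-5-21-2216996135-704350519-4274087971-1001\...\Winlogon: [Shell] C:\Windows\expstart.exe [925184 2015-05-28] () <==== ATTENTION",
    r"GroupPolicy: Restriction - Chrome <======= ATTENTION",
    r"CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION",
    r"CHR Extension: (Google Translate) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2015-01-26] [UpdateUrl: hxxps://epicunitscan.info/00service/update2/crx] <==== ATTENTION",
    r"AlternateDataStreams: C:\ProgramData\Microsoft:7BZUmHyu37O3rfwK37FKckS",
    r"HKLM\...\Run: [Copy Handler] => [X]",
    r"CHR Extension: (Benign Example) - C:\Users\McCoy\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2015-01-26] [UpdateUrl: hxxps://clients2.google.com/service/update2/crx]",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
    print(summarize(found))
```

Run against a saved FRST.txt or a fixlist, the script gives a per-category count and a detail line per hit; the benign constructed extension line produces no finding because its update host is Google's, which is exactly the check that separates the rewritten UpdateUrl entries above from untouched store extensions.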
Kevin Zoll 309 Posted December 7, 2015

Thread Closed
Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.