Author Topic: Virus/Malware/PUP and other good stuff...need help again.  (Read 14101 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #30 on: June 09, 2016, 05:16:44 PM »
Probably a drive-by or an infected ad; it is hard to determine.

Offline avastpandainc

  • Jr. Member
  • **
  • Posts: 35
Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #31 on: June 11, 2016, 09:01:15 PM »
So the laptop was working for a good 24hrs.
Unfortunately the popups started again.

It must be the co-user of this computer, my son.
And he uses IE exclusively.

Here are the four files again.

I suspect that my actions to reset IE were not complete, as I did not have to restore the bookmarks.
I thought that was rather suspicious the first time.

Please analyse the attached files; I patiently await your actions.
Cheers.

Offline essexboy

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #32 on: June 11, 2016, 10:04:13 PM »
Goes by the name Ryan? :)

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
S3 iscFlash; \??\C:\WINDOWS\TEMP\7zS36E5.tmp\iscflashx64.sys [X]
Task: {DC0EEED3-488A-412F-B611-ECB983E6D9F5} - System32\Tasks\Techsmart Computer Task => C:\Program Files (x86)\Techsmart Computer\ittask.exe [2016-06-09] (East CH Soft) <==== ATTENTION
Task: {C0165DD4-6E04-4391-BC8E-52B323C864FB} - System32\Tasks\Fenix Update => C:\Users\Ryan\AppData\Roaming\Fenix Update\Fenix Update.exe [2016-02-20] () <==== ATTENTION
C:\Program Files (x86)\Techsmart Computer
C:\Users\Ryan\AppData\Roaming\Fenix Update
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

Offline avastpandainc

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #33 on: June 11, 2016, 10:25:52 PM »
Yes, he is the culprit, I suspect!!!

Offline essexboy

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #34 on: June 12, 2016, 12:34:48 PM »
Have the popups now ceased?

Offline avastpandainc

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #35 on: June 29, 2016, 02:45:26 AM »
Hi to all,
When you asked if all was well with the ceased pop-ups, my initial answer was going to be yes.

But after a few days, my co-user sheepishly informs me that they were back after 3 days.
I am now thinking that we are in a vicious loop, where you are helping with your diagnostics, but in fact it is us, the users, who are (unknowingly) venturing into unsafe sites and attracting these viruses/popups.

As I am entering this post, there are auto generated tabs that are popping up.
This is the latest one:
https://www.youtube.com/watch?v=YUYoWPpKs9k

Now how can a specific site pop up?
But I do see the link for admediatracker.com pop up, before the final link is established.

Here are the four files.  And thanks for your patience.

Offline avastpandainc

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #36 on: June 29, 2016, 03:56:17 AM »
here we go:
But one last observation,
As the MBAM was running, popups were occurring on Chrome only.
So I then shut down all tabs in Chrome.
Guess what?  Fresh pop ups were opening a new browser window!!!

I can't explain.
If you are willing to help me on a periodic basis to neutralize these popups, thank you.
If you want to give up and just tell me to delete Chrome altogether, I just might consider it.
But I cannot understand how it could be so vulnerable.

Here are the four files. 
Thanks again.

Offline avastpandainc

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #37 on: June 29, 2016, 04:54:38 AM »
...and now it is attacking MS Edge.
So it is not exclusive to any browser.
And yes, a brand new window opens up with a pop up, when the entire browser is shut down.

Thank you Avast community for any input...

Offline essexboy

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #38 on: June 29, 2016, 04:09:26 PM »
You need to set him up as a limited user.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-4165596898-673945276-2850935103-1001\...\Run: [Chromium] => c:\users\ryan\appdata\local\chromium\application\chrome.exe [1068544 2016-03-18] (The Chromium Authors)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start GeekBuddy.lnk [2016-06-19]
ShortcutTarget: Start GeekBuddy.lnk -> C:\Program Files\COMODO\GeekBuddy\launcher.exe (No File)
R2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2485944 2016-03-24] (Comodo Security Solutions, Inc.)
R2 CLPSLauncher; C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [76944 2016-06-01] (Comodo Security Solutions, Inc.)
R2 rtop; C:\Program Files\ByteFence\rtop\bin\rtop_svc.exe [254264 2016-06-19] ()
2016-06-27 18:32 - 2016-06-27 18:32 - 00000000 ____D C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\ByteFence
2016-06-19 22:29 - 2016-06-19 22:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
2016-06-19 21:48 - 2016-06-19 21:48 - 00000000 ____D C:\ProgramData\ByteFence
2016-06-19 21:39 - 2016-06-19 21:39 - 00000000 ____D C:\ProgramData\NortonInstaller
2016-06-19 21:38 - 2016-06-20 06:21 - 00002529 _____ C:\Users\Ryan\Desktop\Chromium.lnk
2016-06-19 21:38 - 2016-06-19 21:38 - 00002380 _____ C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium.lnk
2016-06-19 21:38 - 2016-06-19 21:38 - 00000000 ____D C:\Program Files (x86)\Windows System
2016-06-19 21:37 - 2016-06-19 21:40 - 00000000 ____D C:\ProgramData\COMODO
2016-06-19 21:37 - 2016-06-19 21:38 - 00000000 ____D C:\Users\Ryan\AppData\Local\Chromium
2016-06-19 21:36 - 2016-06-27 12:06 - 00000000 ____D C:\ProgramData\{6E90ABF3-E4D2-2135-6214-BF77F85634B9}
2016-06-19 21:36 - 2016-06-19 21:36 - 00003548 _____ C:\WINDOWS\System32\Tasks\ByteFence Scan
2016-06-19 21:36 - 2016-06-19 21:36 - 00003442 _____ C:\WINDOWS\System32\Tasks\ByteFence
2016-06-19 21:35 - 2016-06-27 13:43 - 00000000 ____D C:\Program Files\ByteFence
2016-06-19 21:35 - 2016-06-19 21:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware
Task: {255C6121-B2E8-49D6-B92A-DAD33944B9C4} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe [2016-05-31] (Byte Technologies LLC) <==== ATTENTION
Task: {630313A1-F8F0-4502-948E-816D008FF338} - System32\Tasks\ByteFence => C:\Program Files\ByteFence\ByteFence.exe [2016-05-31] (Byte Technologies LLC) <==== ATTENTION
Task: {F574A759-0C2D-4A75-8189-04FB8E298F2D} - \{0F080E47-0B7F-7F05-7D11-7D7D0F7D117D} -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Yahoo! Powered lored.job => Wscript.exe  C:\ProgramData\{6E90ABF3-E4D2-2135-6214-BF77F85634B9}\dofo.txt <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.
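As an added triage example (not code from this thread, from FRST or from its author), the script below parses FRST-style `Task:` lines like those in the fixlist above and flags the persistence traits a reviewer looks for before deciding what to remove: a missing target, a GUID-named folder, a user-writable location, or a script host launching a file whose extension is not a script. The sample log is constructed from entries quoted in this post plus one benign updater task for contrast; the heuristics are general and are not FRST's own rules.

```python
"""Triage helper for FRST 'Task:' lines (added example, not part of the
thread or the FRST tool). Returns reasons, not verdicts: a reviewer decides."""
import re

# Constructed sample in FRST's format; the first three entries mirror the
# post above, the fourth is a benign updater task that should not be flagged.
FRST_LOG = r"""
Task: {255C6121-B2E8-49D6-B92A-DAD33944B9C4} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe [2016-05-31] (Byte Technologies LLC) <==== ATTENTION
Task: {F574A759-0C2D-4A75-8189-04FB8E298F2D} - \{0F080E47-0B7F-7F05-7D11-7D7D0F7D117D} -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Yahoo! Powered lored.job => Wscript.exe  C:\ProgramData\{6E90ABF3-E4D2-2135-6214-BF77F85634B9}\dofo.txt <==== ATTENTION
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-01-01] (Google Inc.)
"""

# "Task: <name> => <action> [date] (publisher) <==== ATTENTION", trailing parts optional
TASK_RE = re.compile(
    r"^Task: (?P<name>.+?) (?:=>|->) (?P<action>.+?)"
    r"(?: \[[^\]]*\])?(?: \([^)]*\))?(?: <==== ATTENTION)?$")
GUID_DIR = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\\")          # \{GUID}\ folder component
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp)\\", re.I)
SCRIPT_HOST = re.compile(r"^[wc]script\.exe\b", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def triage_task(action):
    """Return the list of reasons a task action looks suspicious (empty if none)."""
    reasons = []
    if action == "No File":
        reasons.append("orphaned task (target missing)")
    if GUID_DIR.search(action):
        reasons.append("GUID-named folder")
    if USER_WRITABLE.search(action):
        reasons.append("runs from user-writable location")
    if SCRIPT_HOST.match(action):
        # wscript/cscript given a .txt or other non-script file hides the script type
        parts = action.split(None, 1)
        arg = parts[1].strip() if len(parts) > 1 else ""
        if not arg.lower().endswith(SCRIPT_EXT):
            reasons.append("script host launching non-script extension")
    return reasons


def triage_log(text):
    """Parse every 'Task:' line and map flagged task names to their reasons."""
    flagged = {}
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            reasons = triage_task(m.group("action"))
            if reasons:
                flagged[m.group("name")] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(FRST_LOG).items():
        print(name, "->", "; ".join(reasons))
```

The ByteFence entries are not flagged by these heuristics even though the helper removed them, which is the point: path-based triage narrows the list, it does not replace the reviewer's judgement.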

Offline avastpandainc

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #39 on: June 29, 2016, 05:33:25 PM »
Au contraire, it is myself, that is the limited user!

I noticed your last fixlist.txt included Chromium references.
Nobody has intentionally downloaded that app; however, I had noticed that the shortcut app logo was on the desktop.
And now it is gone after your reset point.

Thank you for your help...this week.
It feels better already.

On a side note, before your reply, recall that the popups were occurring automatically on MS Edge (instead of Chrome).
I tried to uninstall MS Edge (from memory).
I don't know if I was able to uninstall MS Edge, but actually, on purpose, deleted an important file:
C: users: ryan: AppData : Local: MicrosoftEdge: folderxxx

After deleting this file (folder), all the popups were appearing as an error window.
Probably since MS Edge would not allow a window to open it within.
Added to the fact that MS Edge was disabled.

Regardless, at the end of the day, I reinstalled that file (folder) from the trash.

Alas all is good.

Offline essexboy

Re: Virus/Malware/PUP and other good stuff...need help again.
« Reply #40 on: June 29, 2016, 07:32:30 PM »
AdwCleaner now clears some adware from Edge.

Maybe swop user names with him so that he becomes the limited user :)

What problems now?