Here is the file after running your script in OTL. When I started the scan I got an error message that "Windows has experienced a problem and will shut down in 1 minute". The scan continued and automatically restarted Windows. Everything seems to be running ok. I opened Google Chrome and clicked in the search field....and no rzr pop up! So far so good! I'll play around today and see if I get any pop ups but so far it looks good!
Hmmm....not sure what happened. This is the file the program opened after it finished executing the commands you sent. I copied and pasted it to the desktop and attached it to my reply. I just went back into the 'moved' folder and the file is the same. Is there a way I can re-run the custom scan and get the full file?
Hopefully the extensions get ripped out. One extension, it has been found, does not allow user accounts to disable it, something about enterprise rights. So I hope to have successfully moved it with brute force.
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the attached script; it needs to keep the same file name (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST. Right-click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link As.
The script tells FRST what to do.
Start FRST64 that is on the desktop. When the tool opens, click Yes to the disclaimer (if it still does). Press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt); please post it to your reply (attach or paste).
Here is the Fixlog file from running FRST. When I first opened FRST it updated and put the old version in its own folder. This is the log file from the 'new' updated version....don't think it makes any difference...just info.
Hi, your last post was a text log but no instruction. I do remember the path of this video player (naaaefjdlbejbglenfklnkfdhapdfohp) and I made a couple attempts to remove it because I had a feeling this was the 'culprit'. (This was one of the things I did trying to find and remove the rzr virus before I joined this forum.) I remember seeing this video player in the 'extensions' list of all 3 browsers; now they are gone.
However, there is still one video player extension in the Google Chrome extensions list. I cannot disable this extension and it was installed by "enterprise policy" (not sure what that means). Anyway, I clicked on the "Permissions" link and here is what it says (see attached Word file). I don't know if this has anything to do with the video player path you posted last time, or if this is of no concern....just info.