Hi. Looking for some help with an infection that my antivirus isn't completely catching. First off, I briefly looked at other posts on this forum, and this current topic sounds extremely similar to mine, so I'm thinking a similar approach might work.
So foolishly I downloaded and ran a dodgy .exe installer. I dodged a couple of bloatware-agreement prompts, but nevertheless, during installation, Bitdefender, my always-on antivirus, flashed up saying it was quarantining files. So I aborted the installation and deleted the installer. But it was too late. Strange audio snippets started playing through my speakers, and Task Manager showed many instances of 'Backflow.exe' and 'Tupelo.exe'.
I started a Malwarebytes scan and ended the processes, but they would reappear about 20 seconds later. Malwarebytes and Bitdefender quarantined many threats and prompted for a restart, which I did. However, the processes remained in Task Manager. I re-ran Malwarebytes and Bitdefender, as well as AdwCleaner and Spybot Search & Destroy, with restarts once or twice until they stopped detecting threats. I also tried Emsisoft Emergency Kit. Simultaneously I was killing the Tupelo and Backflow processes, tracking them to their file location and deleting the .exe, which was possible whilst all active processes were killed. They were appearing in \Program Files (x86)\rimmer\, \Program Files (x86)\manmade\ and \Program Files (x86)\fireflies\, as well as \AppData\Local\. I also deleted a file called pangea.exe in \Program Files (x86)\docherty because it appeared today too and looks suspicious.
After the final restart only backflow.exe was showing in Task Manager, and it would always reappear, but only in \AppData\Local\. So I put a blank .txt file there and renamed it backflow.exe. It hasn't overwritten this, so it is no longer running on my system; however, clearly something is still lurking about waiting to make a new one, which I'm not happy about. I've also scanned the registry and deleted several references to backflow.exe and tupelo.exe.
Another effect of the virus was to display ads in my Google results, but removing a couple of Chrome extensions sorted that. However, when I click a web link in an external application, Chrome will open, but only at my home page; it won't follow the link.
How can I find and destroy what's left of this infection? I've included a copy of my FRST log and the Addition it created, as well as a copy of backflow.exe with the extension changed to .txt in case anyone can analyse it! I looked at it with Resource Hacker but couldn't get any useful information.
Help much appreciated.