Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Has anyone heard of PUP.Optional.MindSpark?


  • Please log in to reply
11 replies to this topic

#1 Loopyluu

Loopyluu

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 17 April 2014 - 04:55 AM

Hello,

 

The last 24hrs the desktop has been extremely sluggish and I have run Malware anti virus which detects a large number of  issues which we remove but it just keeps coming back. I have also run the Microsoft Security Essentials scan which doesn't pickup any threats.

 

I couldn't find anything about pup.optional.mindspark  when I ran a search on bleepings site so Im unsure if this is a relative new thing or not.

The net shows numerous sites with easy removal of the virus but Im distrustful of them.

 

Any kind of confirmation that this is real and any info on removing it would be appreciated.

 

We have windows 7.

 

Thanks

Loopyluu



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,279 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:43 PM

Posted 17 April 2014 - 06:59 AM

MindSpark is a toolbar...PUP.Optional.MindSpark is the specific name used by Malwarebytes Anti-Malware to detect it.

In many cases these issues are the result of unwanted toolbars, add-ons/plug-ins, and browser extensions which come bundled with other free software you download. They can often be the source of various issues and problems to include Adware, pop-up ads browser hijacking which may change your home page and search engine, and user profile corruption. As such many of them are classified as Potentially Unwanted Programs (PUPs).

Some toolbars and Add-ons can be removed from within its program group Uninstall shortcut in Start Menu > All Programs or by using Add/Remove Programs or Programs and Features in Control Panel, so always check there first.

Alternatively, you can use a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo will do a more thorough job of searching for and removing related registry entries, files and folders.

* MindSpark Vendor Toolbar Removal Instructions

After doing the above...continue as follows:

Please download and use the following tools (in the order listed) which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants.

RKill created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer.
AdwCleaner created by Xplode.
Junkware Removal Tool created by thisisu.

1. Double-click on RKill to launch the tool. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. A log file will be created and saved to the root directory, C:\RKill.log. Copy and paste the contents of RKill.log in your next reply.

Important: Do not reboot your computer until you complete the next step.

2. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).


Close all open programs and shut down any protection/security software to avoid potential conflicts.

3. Double-click on JRT.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.
.
4. As a final step, rescan again with Malwarebytes Anti-Malware and post the log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Loopyluu

Loopyluu
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 18 April 2014 - 12:06 AM

Below are the results of each scan...

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/18/2014 12:13:49 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!

  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 04/18/2014 12:15:00 PM
Execution time: 0 hours(s), 1 minute(s), and 10 seconds(s)

 

 

 

# AdwCleaner v3.023 - Report created 18/04/2014 at 12:51:05
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Rachel - RACHEL-PC
# Running from : C:\Users\Rachel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YN5V07J4\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\Zynga
Folder Deleted : C:\Users\Rachel\AppData\Local\iac
Folder Deleted : C:\Users\Rachel\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Rachel\AppData\LocalLow\Zynga
Folder Deleted : C:\Users\Paul\AppData\Local\iac
Folder Deleted : C:\Users\Paul\AppData\Local\mapsgalaxy_39
Folder Deleted : C:\Users\Paul\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Paul\AppData\LocalLow\mapsgalaxy_39
Folder Deleted : C:\Users\Paul\AppData\LocalLow\Zynga

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [MapsGalaxy_39 Browser Plugin Loader 64]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B13EC3E-999A-4B70-B9CB-2617B8323822}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{621516D6-4D0D-4B57-8961-F6403C2194F0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B13EC3E-999A-4B70-B9CB-2617B8323822}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B13EC3E-999A-4B70-B9CB-2617B8323822}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BC7E25D7-4681-46A3-AF5A-9A1B865783ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7B13EC3E-999A-4B70-B9CB-2617B8323822}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{621516D6-4D0D-4B57-8961-F6403C2194F0}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9A216821-0EC5-49A3-85AC-FB72AE79A1E8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9A216821-0EC5-49A3-85AC-FB72AE79A1E8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{7B13EC3E-999A-4B70-B9CB-2617B8323822}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7B13EC3E-999A-4B70-B9CB-2617B8323822}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7B13EC3E-999A-4B70-B9CB-2617B8323822}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{36B445BF-1B84-466A-A623-A360A8CFF8C3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6CBF5C01-C876-481B-867E-111CB1D2A7D6}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D97143C2-4282-496B-BDC4-7EC852F1497C}
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Zynga
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Zynga
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zynga Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521

-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Rachel\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [5086 octets] - [18/04/2014 12:23:34]
AdwCleaner[S0].txt - [4063 octets] - [18/04/2014 12:51:05]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4123 octets] ##########

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Rachel on Fri 18/04/2014 at 13:08:17.29
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 18/04/2014 at 13:13:53.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.04.16.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16659
Rachel :: RACHEL-PC [administrator]

Protection: Enabled

18/04/2014 1:16:40 PM
MBAM-log-2014-04-18 (14-26-53).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 495192
Time elapsed: 1 hour(s), 8 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DCC39ACE-709B-44EA-B062-5F6BE2774644} (PUP.Optional.MyEmoticons.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Rachel\AppData\Local\Temp\mgsqlite3.7z (PUP.Optional.SweetIM) -> No action taken.
C:\Users\Rachel\AppData\Local\Temp\mgsqlite3.dll (PUP.Optional.SweetIM) -> No action taken.
C:\Users\Rachel\AppData\Local\Temp\SweetIESetup.exe.7z (PUP.Optional.SweetPacks.A) -> No action taken.
C:\Users\Rachel\AppData\Local\Temp\WhiteLabelSetup.exe (PUP.Optional.SweetPacks.A) -> No action taken.

(end)

 

 

Should I re-run the RKill, AdwCleaner and JRT?

 

Thanks

Loopy



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,279 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:43 PM

Posted 18 April 2014 - 06:59 AM

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
Vista/Windows 7/8 users need to run Internet Explorer/Firefox as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

  • Click the green esetOnline.png button.
  • Read the End User License Agreement and check the box:
  • Check esetAcceptTerms.png.
  • Click the esetStart.png button.
  • Accept any security warnings from your browser and allow the download/installation of any require files.
  • Under scan settings, check esetScanArchives.png and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop as ESETScan.txt.
  • Push the esetBack.png button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.


-- Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not always the case. Be careful what you choose to remove. If in doubt, ask before taking action.
 


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Loopyluu

Loopyluu
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 18 April 2014 - 11:10 AM

Wow, that was a 4hr exercise...anyhow the results of the ESET online scan.

Also these are in quarantine I haven't deleted them as of yet.

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Zynga\tbZyng.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\New important software\cpu-z_1.56-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined
C:\Users\Paul\AppData\Local\Temp\Zynga.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\Users\Rachel\AppData\Local\Temp\WSSetup.exe a variant of Win32/Toolbar.Perion.G potentially unwanted application deleted - quarantined

 

Thanks again

Loopy
 



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,279 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:43 PM

Posted 18 April 2014 - 01:14 PM

Looking good. How is your computer running now?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Loopyluu

Loopyluu
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 18 April 2014 - 06:11 PM

Good!

Everything is downloading nicely with very little delay, videos are actually playing and pictures are loading normally. Opened a couple new tabs of my favourite sites and loading nicely.

Thank you very, very much.

 

Do I need to remove the ESET online scan and also delete whats in quarantine?

And if so should I do the same with the other programs? (If they are still in the system).

 

Is there a recommendation of what to use, anti virus software, to help prevent this from happening again?

The Malwaresbyte Anti Malwares and the Microsoft security essentials is all that we are using.

 

Again thank you for all your help and guidance.

Have a wonderful Easter Quietman7.

 

Loopy



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,279 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:43 PM

Posted 18 April 2014 - 07:31 PM

You can delete the contents of ESET's quarantine...I would leave the rest of the folders alone as the online scan can always be used again as a second opinion scanner.

Tools like JRT and AdwCleaner are frequently updated and if needed again you should always download the latest version.

RKill is a stand-alone tool which does not require installation so there is no uninstaller. To remove RKill, just manually delete the RKill icon on the Desktop by right-clicking on it and choosing delete. Empty the Recycle Bin when done. Repeat those steps for JRT....since JRT extracts files to a temporary folder, any temporary file cleaner should remove them all the next time you run a cleaner.

To remove AdwCleaner, double-click the AdwCleaner icon on your Desktop to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.
Then you should Create a New Restore Point (alternate method) to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Click the Start Orb and in the Search box type: Create a restore point.
  • When the System Properties window opens, under the System Protection tab, select the Create... button at the bottom. Give the restore point a name, then click "Create". The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then to remove all but the newly created Restore Point, use Disk Cleanup
.

Is there a recommendation of what to use, anti virus software, to help prevent this from happening again?
The Malwaresbyte Anti Malwares and the Microsoft security essentials is all that we are using.

Please refer to Supplementing your Anti-Virus Program with Anti-Malware Tools

And a Happy Easter to you as well.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 shiner2348

shiner2348

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 16 November 2017 - 10:39 PM

MindSpark is a toolbar...PUP.Optional.MindSpark is the specific name used by Malwarebytes Anti-Malware to detect it.

In many cases these issues are the result of unwanted toolbars, add-ons/plug-ins, and browser extensions which come bundled with other free software you download. They can often be the source of various issues and problems to include Adware, pop-up ads browser hijacking which may change your home page and search engine, and user profile corruption. As such many of them are classified as Potentially Unwanted Programs (PUPs).

Some toolbars and Add-ons can be removed from within its program group Uninstall shortcut in Start Menu > All Programs or by using Add/Remove Programs or Programs and Features in Control Panel, so always check there first.

Alternatively, you can use a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo will do a more thorough job of searching for and removing related registry entries, files and folders.

* MindSpark Vendor Toolbar Removal Instructions

After doing the above...continue as follows:

Please download and use the following tools (in the order listed) which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants.

RKill created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer.
AdwCleaner created by Xplode.
Junkware Removal Tool created by thisisu.

1. Double-click on RKill to launch the tool. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. A log file will be created and saved to the root directory, C:\RKill.log. Copy and paste the contents of RKill.log in your next reply.

Important: Do not reboot your computer until you complete the next step.

2. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).


Close all open programs and shut down any protection/security software to avoid potential conflicts.

3. Double-click on JRT.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.
.
4. As a final step, rescan again with Malwarebytes Anti-Malware and post the log.

 

After following this post to the letter, after 2 weeks of 46 pup constantly returning after removal with Malwarebytes 3.1.1 i can with hesitation recommend following this procedure,



#10 shiner2348

shiner2348

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:13 AM

Posted 17 November 2017 - 02:56 AM

My results i did them in the correct order but i'm posting them as is. There are is a mention of children in the RKILL section what is that???

 

 

Adware

# AdwCleaner 7.0.4.0 - Logfile created on Fri Nov 17 02:12:38 2017
# Updated on 2017/27/10 by Malwarebytes 
# Database: 11-15-2017.1
# Running on Windows 10 Home (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
RLKILL
 
PUP.Optional.Legacy, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverToolkit
PUP.Optional.Legacy, C:\Program Files (x86)\Common Files\freemake shared
PUP.Optional.Legacy, C:\Program Files\WinZip\WinZip Smart Monitor
PUP.Optional.Legacy, C:\Users\Aa\AppData\Local\AdvinstAnalytics
PUP.Optional.Legacy, C:\Users\Aa\AppData\Roaming\TotalAV
 
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\glassinbox.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d1af033869koo7.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\plarium.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\st.chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\st.chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d1af033869koo7.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\st.chatango.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\st.chatango.com
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-2740808491-4055086260-1723208196-1002\Software\DriverToolkit
PUP.Optional.Legacy, [Key] - HKCU\Software\DriverToolkit
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D66BF89F-B0A2-48F5-A2E4-242EB645AB76}_is1
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-2740808491-4055086260-1723208196-1002\Software\CoinisRevShare
PUP.Optional.Legacy, [Key] - HKCU\Software\CoinisRevShare
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{6536801B-F50C-449B-9476-093DFD3789E3}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{BAB04997-93AD-4C13-805A-0409199700BB}
PUP.Optional.Legacy, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 | Babylon Client
PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ccleaner.en.softonic.com
PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\en.softonic.com
PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ccleaner.en.softonic.com
PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\en.softonic.com
PUP.Optional.SofTonicAssistant, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
PUP.Optional.ByteFence, [Value] - HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store | C:\Program Files\ByteFence\Uninstall.exe
PUP.Optional.AuslogicsDriverUpdater, [Key] - HKLM\SOFTWARE\Auslogics
PUP.Optional.FreeMakeConverter, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ProductUpdater
PUP.Optional.FreeMakeConverter, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 | ProductUpdater
PUP.Optional.ProductUpdater, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
PUP.Optional.ProductUpdater, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\FMUpdater.dll
PUP.Optional.ProductUpdater, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\Newtonsoft.Json.dll
PUP.Optional.ProductUpdater, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\GAnalytics.dll
PUP.Optional.ProductUpdater, [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs | C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\GoCartMonad.dll
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [7595 B] - [2017/11/17 1:41:52]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Home x64 
Ran by Jack (Administrator) on 17-Nov-17 at 12:55:10.88
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 17-Nov-17 at 12:58:51.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
JRT
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Home x64 
Ran by Jack (Administrator) on 17-Nov-17 at 12:55:10.88
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 17-Nov-17 at 12:58:51.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Everything is fine now i deleted every Chrome extention.
Cheers Loopy
 
 


#11 PinkFluffyUnicorn

PinkFluffyUnicorn

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:43 AM

Posted 17 December 2017 - 01:56 PM

i just ran malwarebytes and looked in quarantine and there were what seemed like 5000 copies of pup.optional.mindstorm



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,279 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:43 PM

Posted 17 December 2017 - 04:59 PM


@ PinkFluffyUnicorn

Welcome to Bleeping Computer.

If you need assistance, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the possible presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users