
A multitude of PuP's! What else?



#1 daveyden


Posted 23 January 2015 - 06:03 PM

My partner heard me talking about Ccleaner and its benefits some time ago, and unfortunately, in error, downloaded ProCleaner plus onto my old 32 bit laptop I gave her, and you can probably guess the rest! She asked me why she was getting pop-ups and the machine was running so slowly. I immediately ran Malwarebytes and was shocked to find we had 2001 PuP's and 2 trojans on board. I let MWB do the clean up and re-ran the program, which left 53 PuP's still infesting the laptop, although it appears to have been successful with the trojans.

We looked at my partner's Gmail page and it had been hi-jacked by Omiga plus. By now I was quite worried and so called on Adw cleaner which detected the 53 problems in folders, files, short cuts and registry keys, but when I press the "Clean" button the program can't progress beyond the "deleting folders" stage, which, as you may know, is right at the start of the cleaning process on the Adw program.

I looked here earlier and followed someone's advice to try the clean-up in safe mode, which I did, but only got the same results, so I'm hoping one or more of you good people can help us? Cheers...


Edited by Chris Cosgrove, 23 January 2015 - 06:10 PM.
Moved to 'Am I infected?'




#2 iangcarroll


Posted 23 January 2015 - 06:23 PM

Please follow the following steps, in order:

  1. Download RKill. Run it and paste the log's output here.
  2. Download JRT. Run it and paste the log's output here.
  3. Re-run AdwCleaner. If it works, see if Omiga is still hijacking your browser. If it is, paste the AdwCleaner log here. If it doesn't run, then inform us of this fact.

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#3 daveyden


Posted 24 January 2015 - 09:22 AM

Thanks, I am trying to follow your instructions, but Omiga has taken over the browsers (Google Chrome and I/E), and also the shortcut to Bleeping Computer. I am using my (clean) laptop to contact you... is there a way round this?



#4 daveyden


Posted 24 January 2015 - 10:49 AM

Rkill 2.7.0 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 01/24/2015 03:36:12 PM in x86 mode.
Windows Version: Windows Vista ™ Home Basic Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\system32\STacSV.exe (PID: 264) [WD-HEUR]
 * C:\Windows\sttray.exe (PID: 3616) [WD-HEUR]
 
2 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  ÿþ1 2 7 . 0 . 0 . 1               l o c a l h o s t 
 
   : : 1               l o c a l h o s t 
 
   
 
Program finished at: 01/24/2015 03:38:06 PM
Execution time: 0 hours(s), 1 minute(s), and 54 seconds(s)


#5 iangcarroll


Posted 24 January 2015 - 10:54 AM

Great, let me know if you can run the other programs. I would advise using a flash drive to transfer the other two programs.



#6 daveyden


Posted 24 January 2015 - 11:11 AM

Not sure how, but here is the JRT report?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows Vista ™ Home Basic x86
Ran by dave on 24/01/2015 at 15:54:24.65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\\URL
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{632F07F3-19A1-4d16-A23F-E6CE9486BAB5}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\Windows\System32\Tasks\ProPCCleaner_Popup
Successfully deleted: [File] C:\Windows\System32\Tasks\ProPCCleaner_Start
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\dave\AppData\Roaming\nosibay"
Successfully deleted: [Folder] "C:\Users\dave\AppData\Roaming\vopackage"
Successfully deleted: [Folder] "C:\Users\dave\Local Settings\Application Data\pro_pc_cleaner"
Successfully deleted: [Folder] "C:\Users\dave\AppData\Roaming\microsoft\windows\start menu\programs\vopackage"
Successfully deleted: [Folder] "C:\Users\dave\documents\propccleaner"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 24/01/2015 at 16:01:23.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#7 iangcarroll


Posted 24 January 2015 - 11:35 AM

Is your browser better? I would still advise attempting to run AdwCleaner.

If you cannot run AdwCleaner or your browser is still being hijacked, please follow the following. If not, congrats!
Download and run the ESET online scanner tool: http://www.eset.com/us/online-scanner-popup/. Ensure 'Remove Found Threats' and 'Scan Unwanted Applications' are checked. Run the scanner.
Paste the log located at C:\Program Files\EsetOnlineScanner\log.txt (open with Notepad).



#8 daveyden


Posted 24 January 2015 - 11:36 AM

The system seems to be clean now, browsers working and no noticeable problems...will wait a couple of hours before closing post. Thank you.



#9 iangcarroll


Posted 24 January 2015 - 11:38 AM

Great! :thumbsup2:



#10 daveyden


Posted 24 January 2015 - 11:56 AM

In reply to your post #7, I ran AdwCleaner successfully after following your much appreciated advice...you're a star Ian! Once again thanks from us both for helping to get rid of all that dodgy stuff.



#11 daveyden


Posted 25 January 2015 - 05:36 AM

All is still well with the laptop Ian, apart from all the files/folders that were infected no longer work from the quickstart icons on the desktop, but I will re-set these.  :thumbup2:



#12 iangcarroll


Posted 25 January 2015 - 07:47 PM

Glad to hear it! Let me know if it comes back.





