
PUP Removal


15 replies to this topic

#1 LostInTheSupermarket

LostInTheSupermarket

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 04 March 2015 - 06:21 PM

I've never seen such cockroach-like malware as I've seen the past month. I have switched from a Samsung to a new Dell - both running Win 7 Home Premium -- and can't rid either computer of this stuff.

 

By "stuff" I mean tabs that suddenly open telling me things like my new Flash Player is ready for download (from splayersv.net) and young ladies wanting to know if I'd like to chat.

 

Both laptops were new and used for business, only by me. I was very judicious in loading programs: MS Office, and IE, Firefox, Chrome, plus Malwarebytes -- all latest versions loaded on a clean computer.

 

Malwarebytes scan reveals two instances of PUP.Optional.Goobzo, which I quarantined. Repeatedly, because they re-installed themselves with every start-up.

 

Digging around, I found a recommendation that permanently getting rid of this interference would require several programs, which I downloaded and ran in this order:

 

AdwCleaner

Junkware Removal

Malwarebytes

Hitman pro

 

I have done this protocol several times, to no avail. The Goobzo continues to appear on startup; the hijacked tabs appear no matter which browser I use. 

 

Any solutions would be very much welcome. 

 

ADDENDUM:

 

While on this site on Chrome (and let me say I fully understand it's not this site; only mentioning it for irony), a new tab popped up "informing" me that I needed to have my system analyzed with a phone # to call, etc.

 

This was a particularly insidious one, as I couldn't close the dialog box; couldn't close the tab; couldn't even click to another tab. Other than the cursor, the laptop was frozen. The only course of action was a complete re-start. Which would, of course, mean any work in other tabs would be lost.

 




#2 buddy215

buddy215

  • BC Advisor
  • 12,616 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 05 March 2015 - 06:26 AM

Eset Online Scanner removes Goobzo from the computer. After using it, and scanning again with both AdwCleaner and Junkware Remover, reset Google Chrome.

Post the results of all scans except CCleaner...just let it do its thing...clean.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Hold down Control and click on this link to open ESET OnlineScan in a new window. (Eset can take more than an hour to run so plan accordingly)

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

 

Google Chrome gives you the option to reset your browser settings in one easy click. In some cases, programs that you install can change your Chrome settings without your knowledge. You may see additional extensions and toolbars or a different search engine. Resetting your browser settings will reset the unwanted changes caused by installing other programs. However, your saved bookmarks and passwords will not be cleared or changed.

Reset your browser settings
  1. In the top-right corner of the browser window, click the Chrome menu
  2. Select Settings.
  3. At the bottom, click Show advanced settings.
  4. Under the section "Reset settings," click Reset settings.
  5. In the dialog that appears, click Reset.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 LostInTheSupermarket

LostInTheSupermarket
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 05 March 2015 - 01:56 PM

Hi, Buddy 215

Thanks for your help. I followed your instructions to the letter. Here were the only entries on the list after running ESET:

 

C:\2014\Wipe Hard Drives\Installer.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
C:\Wipe Hard Drives\Installer.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
 

However, after completing all stages -- including re-setting Chrome, when I re-started my laptop I ran MalwareBytes Premium and it still found:

 

C:\Program Files (x86)\Common Files\Goobzo

C:\Program Files\Common Files\Goobzo

Note that in earlier instances, the final was named "PUP.Optional.Goobzo"

 

Also, before the re-set, Chrome would pop up a tab with an offering telling me I have to dial an 866 # to rid my machine of infection. Neither the dialog box nor the tab would close and I couldn't switch to any other tab, forcing me into a complete system re-start. The last such incident had in the URL line: 

 

S24pmg.security2015.pw

 

I had very high hopes, but still not there. Are there any other approaches I could take? Hitman Pro (trial) keeps telling me it has cleaned everything, but that doesn't appear to be true. Ditto for JRT.

 

Thanks.

 

EDIT: Like the overanxious person I am, I got so involved with running ESET properly I missed your reference to re-running AdwCleaner and Junkware Remover (is that the same as JRT?) Should I start over from the beginning?


Edited by LostInTheSupermarket, 05 March 2015 - 02:00 PM.


#4 buddy215

buddy215

  • BC Advisor
  • 12,616 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 05 March 2015 - 02:38 PM

Yes that is the same as JRT.

 

Open CCleaner and click on Tools. Choose Startups. On that page you will see a List of Windows Startups and at the top you will see tabs for browsers and Scheduled Tasks.

At the bottom right of the page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post.

 

Now open Tools again and choose Uninstall. On that page you will see a list of programs installed on your computer. At the bottom right you will see a button which, when clicked, will allow you to Copy and Paste that list into your next post.




#5 LostInTheSupermarket

LostInTheSupermarket
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 05 March 2015 - 05:22 PM

Three logs

 

CC Cleaner:

Startups log:

 

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run Google Update Google Inc. "C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe" /c
Yes HKCU:Run GoogleChromeAutoLaunch_1D7305B07635F8E0A4CF4B02D1C53C4D Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run Broadcom Wireless Manager UI Dell Inc. C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe
Yes HKLM:Run HotKeysCmds Intel Corporation "C:\Windows\system32\hkcmd.exe"
Yes HKLM:Run IgfxTray Intel Corporation "C:\Windows\system32\igfxtray.exe"
Yes HKLM:Run iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"
Yes HKLM:Run MSC Microsoft Corporation "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
Yes HKLM:Run Persistence Intel Corporation "C:\Windows\system32\igfxpers.exe"
Yes HKLM:Run QuickSet Dell Inc. c:\Program Files\Dell\QuickSet\QuickSet.exe
Yes HKLM:Run RtHDVBg Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX5REC
Yes HKLM:Run RTHDVCPL Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
Yes HKLM:Run SynTPEnh Synaptics Incorporated %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
Yes HKLM:Run USB3MON Intel Corporation "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
Yes HKLM:Run WavesSvc Waves Audio Ltd. "C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe"
Yes Startup Common Bluetooth.lnk Broadcom Corporation. C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

 

CC Cleaner Install log:

 

Adobe Flash Player 16 ActiveX Adobe Systems Incorporated 2/6/2015 6.00 MB 16.0.0.305
Adobe Flash Player 16 NPAPI Adobe Systems Incorporated 2/6/2015 6.00 MB 16.0.0.305
Adobe Reader XI (11.0.10)  MUI Adobe Systems Incorporated 1/14/2015 633 MB 11.0.10
Apple Application Support (32-bit) Apple Inc. 2/15/2015 94.3 MB 3.1.1
Apple Application Support (64-bit) Apple Inc. 2/15/2015 107 MB 3.1.1
Apple Mobile Device Support Apple Inc. 2/15/2015 27.9 MB 8.1.0.18
Apple Software Update Apple Inc. 2/15/2015 2.38 MB 2.1.3.127
Bonjour Apple Inc. 2/15/2015 2.00 MB 3.0.0.10
CCleaner Piriform 3/5/2015  5.03
Dell Backup and Recovery Dell Inc. 8/5/2014  1.7.5.63
Dell Data Vault  8/5/2014  
Dell Digital Delivery Dell Products, LP 12/15/2014 3.38 MB 3.0.3999.0
Dell SupportAssist Dell 2/14/2015 197 MB 1.0.6584.52
Dell SupportAssistAgent Dell 3/5/2015 26.3 MB 1.0.2.57295
Dell Touchpad Synaptics Incorporated 8/5/2014 46.4 MB 18.0.7.1
DW WLAN Card Utility Dell Inc. 8/5/2014  6.30.223.99
eBay eBay Inc. 8/5/2014  1.4.0
ESET Online Scanner v3  3/5/2015  
Google Chrome Google Inc. 2/28/2015  40.0.2214.115
Google Talk Plugin Google 2/6/2015 15.2 MB 5.40.2.0
HitmanPro 3.7 SurfRight B.V. 2/28/2015  3.7.9.238
Intel® Management Engine Components Intel Corporation 8/5/2014  9.5.23.1766
Intel® Processor Graphics Intel Corporation 8/5/2014  10.18.10.3412
Intel® USB 3.0 eXtensible Host Controller Driver Intel Corporation 8/5/2014  2.5.3.34
iTunes Apple Inc. 2/15/2015 234 MB 12.1.0.71
Malwarebytes Anti-Malware version 2.0.4.1028 Malwarebytes Corporation 12/28/2014 57.2 MB 2.0.4.1028
MalwareProtection360  12/15/2014  
Microsoft .NET Framework 4.5.2 Microsoft Corporation 1/14/2015 38.8 MB 4.5.51209
Microsoft Office Microsoft Corporation 8/5/2014 317 MB 15.0.4569.1506
Microsoft Office Professional 2010 Microsoft Corporation 2/6/2015  14.0.7015.1000
Microsoft Security Essentials Microsoft Corporation 2/28/2015  4.7.205.0
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 8/5/2014 708 KB 8.0.61000
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 8/5/2014 788 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Corporation 2/14/2015 788 KB 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 Microsoft Corporation 2/14/2015 13.8 MB 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 2/14/2015 11.1 MB 10.0.40219
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Microsoft Corporation 2/14/2015  10.0.50903
Quickset64 Dell Inc. 8/5/2014  11.1.18
Realtek Card Reader Realtek Semiconductor Corp. 8/5/2014  6.2.9600.39054
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 8/5/2014  6.0.1.7161
Skype™ 6.11 Skype Technologies S.A. 2/6/2015 26.9 MB 6.11.102
WIDCOMM Bluetooth Software Broadcom Corporation 8/5/2014 290 MB 6.5.1.4800

 

For good measure, ESET found threats (second time through):

 

C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
C:\Users\Michael\Downloads\ccsetup503.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

 

Thanks for any insight and guidance

 



#6 buddy215

buddy215

  • BC Advisor
  • 12,616 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 05 March 2015 - 05:37 PM

Were there no Scheduled Tasks or did you overlook posting the list? Repeat:

Open CCleaner and click on Tools. Choose Startups. On that page you will see a List of Windows Startups and at the top you will see tabs for browsers and Scheduled Tasks.

At the bottom right of the page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post.

 

Suggest disabling these startups:

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run Google Update Google Inc. "C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe" /c
Yes HKCU:Run GoogleChromeAutoLaunch_1D7305B07635F8E0A4CF4B02D1C53C4D Google Inc. "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

Yes HKLM:Run IgfxTray Intel Corporation "C:\Windows\system32\igfxtray.exe"
Yes HKLM:Run iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"




#7 LostInTheSupermarket

LostInTheSupermarket
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 05 March 2015 - 06:15 PM

I did indeed overlook also exporting the Scheduled Tasks.

This is it:

 

Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task Dell SupportAssistAgent AutoUpdate Dell Inc. C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe AutoUpdate
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000Core Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000UA Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task Malware Protection 360 MalwareProtection360 C:\Program Files (x86)\MalwareProtection360\malwareprotection360.exe
Yes Task Malware Protection 360 Updater  C:\Program Files (x86)\MalwareProtection360\updater.exe
Yes Task PCDEventLauncherTask PC-Doctor, Inc. "C:\Program Files\Dell\SupportAssist\sessionchecker.exe"
Yes Task PCDoctorBackgroundMonitorTask PC-Doctor, Inc. "C:\Program Files\Dell\SupportAssist\uaclauncher.exe" -backgroundmon scripts\backgroundmon.xml -st PCDoctorBackgroundMonitorTask --ignoresecondarysplash --runsilently
Yes Task SystemToolsDailyTest  "uaclauncher.exe" -silentenumeration -st SystemToolsDailyTest --ignoresecondarysplash --runsilently

 

If it's helpful, here is the MBytes log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/5/2015
Scan Time: 5:56:03 PM
Logfile: MB March 5.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.03.05.03
Rootkit Database: v2015.02.25.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Michael

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 339100
Time Elapsed: 8 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Goobzo, C:\Program Files (x86)\Common Files\Goobzo, , [9c0d7fa3375359dd782c5e29897a8b75],
PUP.Optional.Goobzo, C:\Program Files\Common Files\Goobzo, , [c3e641e1fa90a78fb2f2c7c016ede31d],

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

Does this information change your recommendations as to which startups to disable?

 

Apologies for overlooking parts of your directions. I appreciate the help and your tenacity. 
 



#8 buddy215

buddy215

  • BC Advisor
  • 12,616 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 05 March 2015 - 07:38 PM

The MBAM log doesn't show that Goobzo was quarantined. Look in the logs and confirm those two were quarantined. Logs can be found under the History tab.

 

Disable these Scheduled Tasks:

Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task Dell SupportAssistAgent AutoUpdate Dell Inc. C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe AutoUpdate (Unless the Comp is still under warranty)
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000Core Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000UA Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

 

Let me know if you are still getting popups/ ads, etc.

 

EDIT: Did JRT remove anything?


Edited by buddy215, 05 March 2015 - 07:43 PM.

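The posts above collect the same information by hand through CCleaner's Startups and Scheduled Tasks tabs. As an added example, not code from this thread or from any of the tools it names, the PowerShell script below lists the equivalent autostart locations directly (HKCU/HKLM Run and RunOnce keys, the Startup folders, and scheduled tasks via schtasks.exe), flags any entry whose name or command references a watchlist constructed from names that appear in the thread (Goobzo, MalwareProtection360), and reports whether the two Goobzo folders Malwarebytes kept finding exist, with their creation time. The creation time is what a responder uses to tie a folder that keeps reappearing after quarantine to the autostart entry that recreated it. It assumes an elevated PowerShell 2.0 or later on Windows 7 x64; the registry paths and folder names are the standard Windows ones, and the watchlist is an assumption to extend as needed.

```powershell
# Added example (not from the thread): enumerate the autostart locations that
# CCleaner's Startups / Scheduled Tasks tabs display and flag suspicious entries.
# Run from an elevated PowerShell prompt (Windows 7 / PowerShell 2.0 or later).

# Watchlist constructed from names seen in this thread; extend as needed.
$watchlist = @('Goobzo', 'MalwareProtection360')

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$entries = @()

# Registry Run / RunOnce values (CCleaner shows these as HKCU:Run and HKLM:Run).
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties PowerShell adds.
            if ($p.Name -notmatch '^PS') {
                $entries += New-Object PSObject -Property @{
                    Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

# Per-user and all-users Startup folders (CCleaner's "Startup User" / "Startup Common").
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $entries += New-Object PSObject -Property @{
                Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Scheduled tasks via schtasks.exe, which exists on Windows 7 (Get-ScheduledTask does not).
# With /FO CSV /V the header row is repeated per task folder, so drop those repeats.
$tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -and $t.TaskName -ne 'TaskName') {
        $entries += New-Object PSObject -Property @{
            Source = 'Task'; Name = $t.TaskName; Command = $t.'Task To Run' }
    }
}

# Full inventory, the equivalent of the lists pasted earlier in this thread.
$entries | Format-Table -AutoSize Source, Name, Command | Out-String -Width 300 | Write-Output

# Entries whose name or command line mentions a watchlist string (-match is case-insensitive).
$pattern = ($watchlist | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = $entries | Where-Object { ($_.Name + ' ' + $_.Command) -match $pattern }
if ($hits) {
    Write-Output 'Autostart entries matching the watchlist:'
    $hits | Format-Table -AutoSize Source, Name, Command | Out-String -Width 300 | Write-Output
} else {
    Write-Output 'No autostart entry references the watchlist. If the folders below still return after quarantine, the persistence is somewhere else (a service, a browser extension, or a task that launches an unrelated-looking binary).'
}

# The two folders Malwarebytes repeatedly reported in this thread.
# On 64-bit Windows, ${env:ProgramFiles(x86)} is the 32-bit Program Files directory.
$goobzoDirs = @(
    "${env:ProgramFiles(x86)}\Common Files\Goobzo",
    "$env:ProgramFiles\Common Files\Goobzo"
)
foreach ($dir in $goobzoDirs) {
    if ($dir -and (Test-Path $dir)) {
        $created = (Get-Item $dir).CreationTime
        Write-Output "Present: $dir (created $created)"
    } else {
        Write-Output "Absent:  $dir"
    }
}
```

Run it once, quarantine with Malwarebytes as before, reboot, and run it again: a Goobzo folder whose creation time falls just after the reboot points at something in the autostart list that ran at logon, which narrows down which entry to disable next. The script only reads; it does not delete or disable anything, so the inventory can be pasted into a thread like this one without changing the machine.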


#9 Czar_92

Czar_92

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:41 PM

Posted 05 March 2015 - 08:30 PM

I had the same issue awhile ago with "gorillaprice", no matter what I could not remove it. So I created a new user and made sure not to copy the files from local temp or the location the virus scan shows it is in! 
I used the command prompt as admin to do it but you can try the regular way first.



#10 LostInTheSupermarket

LostInTheSupermarket
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 06 March 2015 - 08:49 AM

The MBAM log doesn't show that Goobzo was quarantined. Look in the logs and confirm those two were quarantined. Logs can be found under the History tab.

 

Disable these Scheduled Tasks:

Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task Dell SupportAssistAgent AutoUpdate Dell Inc. C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe AutoUpdate (Unless the Comp is still under warranty)
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000Core Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000UA Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

 

Let me know if you are still getting popups/ ads, etc.

 

EDIT: Did JRT remove anything?

 

Laptop is still under warranty.

 

Two JRT logs. One 5/3, the other this morning. I have not yet disabled the scheduled tasks, but will do that next -- using CC Cleaner, I presume?

 

Is there any value to HitmanPro? I have it as a trial and have used it a couple of times in this process, but I haven't seen any effect.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.3 (03.01.2015:1)
OS: Windows 7 Home Premium x64
Ran by Michael on Fri 03/06/2015 at  8:42:22.19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\pcdr"
Successfully deleted: [Folder] "C:\Users\Michael\AppData\Roaming\pcdr"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/06/2015 at  8:45:21.62

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.3 (03.01.2015:1)
OS: Windows 7 Home Premium x64
Ran by Michael on Fri 03/06/2015 at  8:42:22.19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\pcdr"
Successfully deleted: [Folder] "C:\Users\Michael\AppData\Roaming\pcdr"

 

~~~ Event Viewer Logs were cleared
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

re: Malwarebytes Quarantine. The History log shows multiple quarantines of the same PUP.Optional.Goobzo infections. I don't see a way to export that log, but it logs 52 quarantines of those files in the past 2 weeks. I have MB scanned and quarantined these as part of how I begin any session with this laptop.


Edited by LostInTheSupermarket, 06 March 2015 - 09:42 AM.


#11 buddy215

buddy215

  • BC Advisor
  • 12,616 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 06 March 2015 - 09:01 AM

Okay...yes, use CCleaner. Click on each item to highlight and then on the right choose Disable.

 

Is MBAM still finding the same adware.... even though it has quarantined it? Did you check the MBAM logs?

 

If you are still getting ads it will require posting another topic in the Malware Removal forum where other tools and expertise are used to find and remove the culprit.

Once you have posted the new topic...DO NOT bump it...wait for a response. It could be a few days as they are very busy.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.




#12 LostInTheSupermarket

LostInTheSupermarket
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 06 March 2015 - 09:58 AM

Hi, Buddy

 

Yes, as stated this morning:

 

re: Malwarebytes Quarantine. The History log shows multiple quarantines of the same PUP.Optional.Goobzo infections. I don't see a way to export that log, but it logs 52 quarantines of those files in the past 2 weeks. I have MB scanned and quarantined these as part of how I begin any session with this laptop.

 

It found these two PUP programs again this morning. But as I said, this is before I do the Startup disables, which I'm going to do right now.



#13 LostInTheSupermarket

LostInTheSupermarket
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 06 March 2015 - 01:29 PM

from CC Cleaner Free --> Tools --> Startup.

Here is the current disabled list. As advised, I did not disable Dell Support Assistant because the laptop is still under warranty.

 

This look OK to you? If so, I'll proceed to the FRST portion. Thanks.

 

No Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
No Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task Dell SupportAssistAgent AutoUpdate Dell Inc. C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe AutoUpdate
No Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
No Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
No Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000Core Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /c
No Task GoogleUpdateTaskUserS-1-5-21-2888455996-3814515952-354008950-1000UA Google Inc. C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task Malware Protection 360 MalwareProtection360 C:\Program Files (x86)\MalwareProtection360\malwareprotection360.exe
Yes Task Malware Protection 360 Updater  C:\Program Files (x86)\MalwareProtection360\updater.exe
Yes Task PCDEventLauncherTask PC-Doctor, Inc. "C:\Program Files\Dell\SupportAssist\sessionchecker.exe"
Yes Task PCDoctorBackgroundMonitorTask PC-Doctor, Inc. "C:\Program Files\Dell\SupportAssist\uaclauncher.exe" -backgroundmon scripts\backgroundmon.xml -st PCDoctorBackgroundMonitorTask --ignoresecondarysplash --runsilently
Yes Task SystemToolsDailyTest  "uaclauncher.exe" -silentenumeration -st SystemToolsDailyTest --ignoresecondarysplash --runsilently
 



#14 buddy215

buddy215

  • BC Advisor
  • 12,616 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:41 PM

Posted 06 March 2015 - 01:53 PM

Yes...post the new topic if you are still getting hit with ads.




#15 LostInTheSupermarket

LostInTheSupermarket
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 06 March 2015 - 05:41 PM

Topic Moved to

 

http://www.bleepingcomputer.com/forums/t/569296/vampire-goobzo-and-broswer-freeze-pop-ups/

 

Please close this topic. Thank you for your efforts and patience.





