
PUP ResultsHub failed removal attempts with malwarebytes and Adware cleaner



#1 splungee

  • Members
  • 42 posts

Posted 10 October 2015 - 09:09 PM

This is the second attempt to remove ResultsHub. It resisted Malwarebytes antimalware and Adware Cleaner and I was recommended to run FRST and create a new topic.

 

Here's the original posting: http://www.bleepingcomputer.com/forums/t/592917/pup-resultshub-high-jacked-home-page/

 

Thanks in advance for any help!

 

 



Edited by splungee, 10 October 2015 - 09:21 PM.




#2 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 11 October 2015 - 06:16 AM

Hello splungee and welcome to Bleeping Computer’s Malware Removal Forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:
 

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to D:\downloads k and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

===================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.


Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1612100080-1659462607-2348990995-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggUdwkNUwwXERgRJlsBTA0SEw0OIgoJVRQXEVEUeFxbVAkUF1QFIk0FA1oDB0VXfV5bFElXTwhxJUpNDU0CaUBB"
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7/8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    createsrpoint;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;

  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Logs to include with next post:

Fixlog.txt
zoek-results.log


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
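As an added example (not part of the thread, and not FRST's code), the check below reads a Chrome profile's Preferences JSON and flags start and home pages whose host is not on an allowlist; the "CHR RestoreOnStartup" line in the fix above reports the same list Chrome keeps under session.startup_urls. The allowlist and the two sample profiles are constructed, and the hijack URL is kept defanged as in the log.

```python
"""Audit a Chrome profile's Preferences file for hijacked start/home pages.

Added example, not part of the forum thread or of FRST. The key names
(session.restore_on_startup, session.startup_urls, homepage,
homepage_is_newtabpage) are Chrome's own; the Preferences file normally
lives at %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences.
The allowlist and the sample profiles below are constructed.
"""
import json
from urllib.parse import urlparse

# Hosts the owner of the machine actually wants as start or home page (constructed).
TRUSTED_HOSTS = {"www.google.com", "google.com"}

# Chrome's session.restore_on_startup values: 1 = restore last session,
# 4 = open a specific list of URLs (session.startup_urls), 5 = open the New Tab page.
OPEN_SPECIFIC_URLS = 4


def url_host(url):
    """Lower-cased hostname of a URL; also works on defanged hxxp:// URLs."""
    return (urlparse(url).hostname or "").lower()


def audit_preferences(prefs):
    """Return a list of findings for one parsed Preferences dict (empty = clean)."""
    findings = []
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == OPEN_SPECIFIC_URLS:
        for url in session.get("startup_urls", []):
            if url_host(url) not in TRUSTED_HOSTS:
                findings.append(f"startup URL on untrusted host: {url}")
    # The homepage value is only used when homepage_is_newtabpage is false.
    if not prefs.get("homepage_is_newtabpage", True):
        home = prefs.get("homepage", "")
        if home and url_host(home) not in TRUSTED_HOSTS:
            findings.append(f"homepage on untrusted host: {home}")
    return findings


def audit_file(path):
    """Load a Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


# Constructed profile mirroring the hijack FRST reported in the thread (URL defanged).
HIJACKED = {
    "session": {
        "restore_on_startup": 4,
        "startup_urls": ["hxxp://searchinterneat-a.akamaihd.net/h"],
    },
    "homepage_is_newtabpage": False,
    "homepage": "hxxp://searchinterneat-a.akamaihd.net/",
}
# Constructed clean profile: opens the New Tab page, no custom homepage.
CLEAN = {"session": {"restore_on_startup": 5}, "homepage_is_newtabpage": True}

if __name__ == "__main__":
    for name, prefs in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(name, audit_preferences(prefs) or "no findings")
```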


#3 splungee

  • Topic Starter
  • Members
  • 42 posts

Posted 11 October 2015 - 12:36 PM

Thanks Satchfan for your attention and help

After running FRST fix, and restarting, I was thrilled to see on starting Chrome, a message that Chrome settings had been reset and the home page reverting to Google.  Unfortunately, after running ZOEK and restarting, the home page reverted to yahoo.

 

Here's the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:10-10-2015
Ran by valued customer (2015-10-11 10:15:27) Run:1
Running from C:\Users\valued customer\Desktop
Loaded Profiles: valued customer (Available Profiles: valued customer)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1612100080-1659462607-2348990995-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggUdwkNUwwXERgRJlsBTA0SEw0OIgoJVRQXEVEUeFxbVAkUF1QFIk0FA1oDB0VXfV5bFElXTwhxJUpNDU0CaUBB"
EmptyTemp:
*****************
 
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000009" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000008" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000009" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1612100080-1659462607-2348990995-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
Chrome RestoreOnStartup => removed successfully
EmptyTemp: => 7.2 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 10:15:30 ====
 
Here's the ZOEK results log:
 
 
Zoek.exe v5.0.0.1 Updated 08-October-2015
Tool run by valued customer on Sun 10/11/2015 at 10:20:03.17.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\valued customer\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
10/11/2015 10:20:52 AM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\Belarc deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\Belarc not found
C:\PROGRA~3\Package Cache deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [10/04/2015 05:30 PM]
 
==== Chromium Look ======================
 
Google Chrome Version: 45.0.2454.101
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[10/04/2015 05:30 PM]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[10/04/2015 05:30 PM]
 
Avast Online Security - valued customer\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Chrome Hotword Shared Module - valued customer\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
No DefaultScope Set For HKCU
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\valued customer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\valued customer\Desktop\Valued Customer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\valued customer\Desktop\Valued Customer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\valued customer\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=13 folders=15 14060598 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\valued customer\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\VALUED~1\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\MpCmdRun.log" not found
 
==== EOF on Sun 10/11/2015 at 10:32:18.13 ======================
 
 
What's next?


#4 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 11 October 2015 - 02:05 PM

Zoek can be a bit too "helpful" when trying to protect you.

I don't use Chrome myself but I'm hoping these directions will work for you.

Try setting the page that opens when you start Chrome.

  • click on the Customize icon at the top right, then click on Settings
  • under "Appearance", tick the box Show Home button
  • below "Show Home button," click Change to choose your homepage
  • set your start page to the page you wish, eg www.google.com

Please let me know if that worked or if there is a remaining problem.

Satchfan
 

 




#5 splungee

  • Topic Starter
  • Members
  • 42 posts

Posted 11 October 2015 - 04:02 PM

No luck:  I followed the instructions and opening a new tab still brings up yahoo.  When I check settings, it still lists google as the home page.

 

Should I run Malwarebytes and see if it still detects ResultsHub? Reinstall Chrome?



#6 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 11 October 2015 - 04:21 PM

I think that uninstalling Chrome may be the best answer. You cannot remove some Chrome problems except with an uninstall/re-install of Chrome, (even though Google have been aware of this since 2008 and haven't bothered to do anything about it).


Uninstall/Reinstall Google Chrome

First save all your bookmarks/favourites.

  • open Chrome, click on the 3 bars in the top right hand corner, select Bookmarks and then Bookmarks Manager
  • click on Organise and then select Export Bookmarks to HTML file, then choose Desktop to save it
  • again, click on the three bars in the top right hand corner and select Settings
  • in the list of Settings under “Sign in” click on Disconnect your Google Account – (if “Disconnect your Google Account” is not there, you will have to sign in using your Chrome username and password first to make it visible)
  • in the text of the next window click on “Google Dashboard” then, at the “Chrome sync” screen, click on Stop and Clear at the bottom
  • a box will open and ask for confirmation, click on OK (wait for this to complete before doing the next step)
  • when confirmation appears close that page and then click on Disconnect account
  • shut Google Chrome, click on Start > Control Panel > Programs and Features (or Add/Remove Programs in XP) and uninstall Google Chrome. Select Everything for removal if asked.

Reboot the system and then reinstall Google Chrome from here

Repeat the process to reinstate your bookmarks by going to Bookmarks > Bookmarks Manager > Organise and select Import Bookmarks.

Let me know if that has solved the problem.

Satchfan

 




#7 splungee

  • Topic Starter
  • Members
  • 42 posts

Posted 11 October 2015 - 06:39 PM

Hurray!  It worked!

 

Chrome is reinstalled and working fine, Malwarebytes doesn't detect ResultsHub, the sun is shining and the birds are singing!

 

Thanks Satchfan.

 

 

If you have time, can you offer advice/link article to avoid PUP's?  Why you dislike Chrome and what you prefer?  What the various malware removal products do and why some helped and others didn't?  I fancy myself having a clue when it comes to computers, but this is outside my experience.



#8 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 12 October 2015 - 03:04 AM

can you offer advice/link article to avoid PUP's?

Many of these are downloaded as byproducts of other, (usually legitimate), programs. I’ll give advice about this when we tidy up.
 

Why you dislike Chrome and what you prefer?

I could write a book about that but I’ll keep it brief. :)

When I started my training in malware removal, Google were accepting money to put a bad program, (which was spelt similarly to the legitimate one), at the top of their listings and many of the computers I was working on were infected because of it. As I have said, even now we have more Chrome-related problems than with any other browser.

I tend to flit between Firefox and Internet Explorer. I use Firefox for the forums and Internet explorer for all other purposes and have never had problems with either. Windows 10 now has Microsoft Edge which appears to be OK but I tend to use my Win 7 machine more than the Win 10 one at the moment.

===================================================

Let’s run an online scan to be sure nothing is left and if that’s clear I’ll send instructions to tidy up.

Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

Note: You can use Internet Explorer, FireFox or  Chrome for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Run Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)


    o    click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.
     

  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:


    o    scan archives
    o    scan for potentially unsafe applications
    o    enable Anti-Stealth technology


    Note: Do not check Remove found threats
     

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.


    Note - if ESET doesn't find any threats, no report will be created.
     

  • push the back button.
  • push Finish

When the scan is complete:

If no threats were found:


o    put a checkmark in "Uninstall application on close"
o    close program
o    report to me that nothing was found.
 

If threats were found:


o    click on "list of threats found"
o    click on "export to text file" and save it as ESET results and save to the desktop
o    click on back
o    put a checkmark in "Uninstall application on close"
o    click on finish
o    close program
o    copy and paste the report here.
 

Thanks

Satchfan




#9 splungee

  • Topic Starter
  • Members
  • 42 posts

Posted 13 October 2015 - 06:15 PM

Sorry for the delay - I tried scanning with an external drive attached and a backup partition loaded as a drive and it aborted. Here's a regular ESET scan:

 

 

D:\My Documents\Downloads\ccsetup309.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
D:\My Documents\Downloads\ccsetup324.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
D:\My Documents\Downloads\dfsetup211.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
D:\My Documents\Downloads\hwmonitor_1.18-setup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\PandoraRecovery2.1.1Setup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\wufinstall (1).exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\wufinstall (2).exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\wufinstall.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
 
I assume I should delete the DL's?


#10 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 14 October 2015 - 02:40 AM

This will deal with those that were found:

Please copy all text in the code box below and paste it into Notepad:
 

@echo off
del /f /s /q "D:\My Documents\Downloads\ccsetup309.exe"
del /f /s /q "D:\My Documents\Downloads\ccsetup324.exe"
del /f /s /q "D:\My Documents\Downloads\dfsetup211.exe"
del /f /s /q "D:\My Documents\Downloads\hwmonitor_1.18-setup.exe"
del /f /s /q "D:\My Documents\Downloads\PandoraRecovery2.1.1Setup.exe"
del /f /s /q "D:\My Documents\Downloads\wufinstall (1).exe"
del /f /s /q "D:\My Documents\Downloads\wufinstall (2).exe"
del /f /s /q "D:\My Documents\Downloads\wufinstall.exe"
del %0

  • save the Notepad file to your desktop and name it delfiles.bat
  • save type as "All Files"
  • on your desktop, double-click on delfiles.bat to run it, (a black CMD window will flash, then disappear - this is normal).

The files/folders, if found, will have been deleted and the "delfiles.bat" file will also be deleted.

Are there any remaining problems?
 

 




#11 splungee

  • Topic Starter
  • Members
  • 42 posts

Posted 14 October 2015 - 05:03 PM

I reran ESET and got the following:

 

D:\My Documents\Downloads\ccsetup309.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
D:\My Documents\Downloads\ccsetup324.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
D:\My Documents\Downloads\dfsetup211.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
D:\My Documents\Downloads\hwmonitor_1.18-setup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\PandoraRecovery2.1.1Setup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\wufinstall (1).exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\wufinstall (2).exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\My Documents\Downloads\wufinstall.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\Old PC\backupdriveF\Mods\civmods\MedalOfHonorAlliedAssaultv1.1PLUS1Trainer.ZIP a variant of Win32/GameHack.S potentially unsafe application
D:\Program Files (x86)\IObit\Advanced SystemCare 8\DriverBooster.exe a variant of Win32/OpenCandy.C potentially unsafe application
D:\VALUEDCUSTOMER\Backup Set 2015-10-04 230439\Backup Files 2015-10-07 232022\Backup files 10.zip Win32/BrowseFox.CC potentially unwanted application
D:\VALUEDCUSTOMER\Backup Set 2015-10-04 230439\Backup Files 2015-10-07 232022\Backup files 55.zip Win32/Bundled.Toolbar.Google.D potentially unsafe application
 
Did the delete file fail? Are these new detections?


#12 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 15 October 2015 - 02:36 AM

I don’t know why it didn’t work but it appears not to have, (and yes, there appear to be some additional ones), so the best way to deal with them is to delete them manually using Windows Explorer, (Win key+E).

First:

Show hidden Files and Folders

  • open Windows Explorer, (Windows key+E)
  • at the top, click on Organise, >Folder and search options
  • click on the “View” tab
  • under “Files and Folders”, place a check in Show hidden files, folders and drives

Next

Delete this file:

D:\My Documents\Downloads\ccsetup309.exe

  • open Windows Explorer, (Windows key+E)
  • in the left window, click on D:\
  • in the right window, double-click on each of these in turn: My Documents>Downloads
  • right-click on the file ccsetup309.exe and then on Delete

Using the same method, locate and do the same for the entries shown below to delete those in red:

 

D:\My Documents\Downloads\ccsetup324.exe
D:\My Documents\Downloads\dfsetup211.exe
D:\My Documents\Downloads\hwmonitor_1.18-setup.exe
D:\My Documents\Downloads\PandoraRecovery2.1.1Setup.exe
D:\My Documents\Downloads\wufinstall (1).exe
D:\My Documents\Downloads\wufinstall (2).exe
D:\My Documents\Downloads\wufinstall.exe
D:\Old PC\backupdriveF\Mods\civmods\MedalOfHonorAlliedAssaultv1.1PLUS1Trainer.ZIP
D:\Program Files (x86)\IObit


As far as these are concerned, deleting the zip file will get rid of all backups, (if they are the only ones you have):

D:\VALUEDCUSTOMER\Backup Set 2015-10-04 230439\Backup Files 2015-10-07 232022\Backup files 10.zip
D:\VALUEDCUSTOMER\Backup Set 2015-10-04 230439\Backup Files 2015-10-07 232022\Backup files 55.zip


If that is the case you would be better unzipping them and then running another scan to find out which files are infected and delete only those.

When you've deleted those, reboot, run Eset again and let me know how that goes.

Satchfan

 


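As an added example that is not code from the thread, the Python below parses ESET report lines in the format quoted in posts #9 and #11, sets backup archives aside for unpacking and rescanning as advised in post #12, and writes the remaining paths into a delfiles.bat (the approach of post #10) using only ASCII double quotes: cmd.exe does not treat typographic quotes (U+201C/U+201D) as quoting characters, so a path wrapped in them is split at its spaces and never matches, which find_smart_quotes detects. The sample report lines are constructed from paths in the thread.

```python
"""Triage an ESET Online Scanner text report and emit a deletion batch file.

Added example, not code from the forum thread or from ESET. Assumed report
format (as seen in the thread): "<path> [a variant of ]<detection>
potentially unsafe|unwanted application". Sample lines are constructed.
"""
import re

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:a variant of )?(?P<detection>\S+) "
    r"(?P<category>potentially (?:unsafe|unwanted) application)$"
)
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")
SMART_QUOTES = ("\u201c", "\u201d")

# Constructed sample in the report format quoted in the thread.
SAMPLE_REPORT = r"""
D:\My Documents\Downloads\ccsetup309.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
D:\My Documents\Downloads\wufinstall (1).exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\VALUEDCUSTOMER\Backup Set 2015-10-04 230439\Backup files 10.zip Win32/BrowseFox.CC potentially unwanted application
"""


def parse_report(text):
    """Parse report lines into dicts with path, detection and category.

    Lines that do not fit the format (blank lines, headers) are skipped.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def triage(findings):
    """Split flagged paths into ones to delete and archives to unpack and rescan.

    A flagged backup archive may be the only copy of the user's data, so it is
    listed for inspection instead of deletion: unpack it, rescan, and remove
    only the infected members.
    """
    delete, inspect = [], []
    for f in findings:
        target = inspect if f["path"].lower().endswith(ARCHIVE_SUFFIXES) else delete
        target.append(f["path"])
    return delete, inspect


def build_batch(paths):
    """Build a cmd.exe batch that deletes each path only if it exists.

    Only ASCII double quotes are emitted: cmd.exe does not treat U+201C/U+201D
    as quoting characters, so a path wrapped in them is split at its spaces.
    """
    lines = ["@echo off"]
    for p in paths:
        if '"' in p or any(q in p for q in SMART_QUOTES):
            raise ValueError(f"path contains quote characters: {p!r}")
        lines.append(f'if exist "{p}" del /f /q "{p}"')
        lines.append(f'if exist "{p}" echo could not delete "{p}"')
    lines.append("del %0")  # the batch removes itself, as the thread's script does
    return "\n".join(lines) + "\n"


def find_smart_quotes(batch_text):
    """Return 1-based numbers of batch lines containing typographic quotes."""
    return [n for n, line in enumerate(batch_text.splitlines(), 1)
            if any(q in line for q in SMART_QUOTES)]


if __name__ == "__main__":
    to_delete, to_inspect = triage(parse_report(SAMPLE_REPORT))
    print(build_batch(to_delete))
    for p in to_inspect:
        print("unpack and rescan before deleting:", p)
```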


#13 splungee

  • Topic Starter
  • Members
  • 42 posts

Posted 15 October 2015 - 07:57 PM

Satchfan, looks like it's clean.  I deleted manually the implicated files and rechecking with ESET finally came up with no suspicious files.

 

Got advice on avoiding PUP's in the future?

Thanks so much for your time!



#14 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 16 October 2015 - 02:43 AM

Satchfan, looks like it's clean.  I deleted manually the implicated files and rechecking with ESET finally came up with no suspicious files.

Good work.
 

Got advice on avoiding PUP's in the future?

Some advice is included below.
 

Thanks so much for your time!

You’re welcome.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:


Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:


o    Create registry backup
o    Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Windows updates

I notice that Windows updates are waiting to be installed. Click here for information on how to get the latest Windows updates:

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Download WOT

Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:


green if it's safe
yellow for caution
red for unsafe
 

You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

======================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, many of which cause redirects/popups and verge on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK.
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You are now protected.

Note: The free version doesn't provide automatic updates but should be updated often, (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu then select Check for Updates to see if there are any available.

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes

Help! My computer is slow! by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams


I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan




#15 satchfan

  • Malware Response Team
  • 2,937 posts

Posted 18 October 2015 - 07:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





