
MindSpark A PUP


  • This topic is locked
39 replies to this topic

#1 pt817

  • Members
  • 26 posts

Posted 28 March 2017 - 12:18 AM

Hello:

 

My computer was slowing to a crawl and there were also some odd attempted redirects while I was logged into my bank website. I ran Malwarebytes and it found and removed the MindSpark A PUP. I found you all through my search on this issue and see there is far more to do than run Malwarebytes. I have run and attached the first two programs in your preparation process. Thank you! (Attached: FRST.txt, Addition.txt)





#2 satchfan

  • Malware Response Team
  • 2,847 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 March 2017 - 04:26 AM

Hello pt817 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested


It appears that Malwarebytes did its job, as there is no sign of MindSpark on your computer now, but there are some things that need dealing with and we'll run a couple more checks.

===================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> {e4a1ece8-ed94-4f93-80ea-75f978ceaf24} URL =
SearchScopes: HKU\S-1-5-19 -> {e4a1ece8-ed94-4f93-80ea-75f978ceaf24} URL =
SearchScopes: HKU\S-1-5-20 -> {e4a1ece8-ed94-4f93-80ea-75f978ceaf24} URL =
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-23] (Oracle Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-23] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-23] (Oracle Corporation)
S3 EraserUtilDrv11510; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11510.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160701.036\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160701.036\EX64.SYS [X]
Task: {68C0C471-E810-461C-A0D1-69AF08B4D3ED} - \Plus-HD-4.5-chromeinstaller -> No File <==== ATTENTION
Task: {6BC24C0D-8032-4162-8354-BB63D39871EE} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3367162549-2933853443-4105287630-1001UA => C:\Users\sma\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-12-19] (Facebook Inc.)
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3367162549-2933853443-4105287630-1001Core.job => C:\Users\sma\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3367162549-2933853443-4105287630-1001UA.job => C:\Users\sma\AppData\Local\Facebook\Update\FacebookUpdate.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"
FirewallRules: [{0107E940-2604-4DD4-BE20-5D9435EA9235}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{AEAA968F-E7CD-468A-9769-9F95CAEC4BDC}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
C:\Program Files\Common Files\mcafee
CMD: ipconfig /flushdns
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

===================================================

Run Zoek

Please temporarily disable your AV program.

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7, 8 and 10, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyalltemp;
    emptyclsid;
    FFdefaults;
    iedefaults;
    chrdefaults;
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

===================================================

Run Zemana AntiMalware

Download Zemana AntiMalware:

  • open the program and without changing any options, press Scan
  • after the scan is finished, if threats are detected press Next to remove them

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

  • open Zemana AntiMalware again and locate the latest report
  • please paste the contents into your reply.

Logs to include with next post:

Fixlog.txt
zoek-results.log
Zemana AntiMalware report


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
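The fixlist above is a set of FRST log lines the helper decided to act on: driver entries whose file no longer exists (FRST marks these with a trailing [X]), a scheduled task with no backing file (which FRST itself flags with "<==== ATTENTION"), search scopes with an empty URL, a third-party SafeBoot entry and firewall allow rules for a product directory that is being removed. As an added example, not part of this thread and not code from FRST or its author, the Python below applies those same criteria to lines in FRST's format, so a reader can triage their own FRST.txt or Addition.txt before posting it. The sample lines are copied from the fixlist above plus one constructed search-scope line (placeholder GUID, host search.example.net) to exercise the unrecognised-host case; the KNOWN_SEARCH_HOSTS allowlist and the four category names are my assumptions, not anything FRST defines.

```python
"""Triage lines in Farbar Recovery Scan Tool (FRST) log format.

Added example: classifies FRST-style lines into the kinds of findings the
helper acted on in the fixlist above. It is read-only and does not write a
fixlist; deciding what to delete is the helper's job, not a script's.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: search engines whose scope URLs are treated as benign.
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "duckduckgo.com"}

# FRST marks a service/driver whose file is missing with a trailing [X].
ORPHAN_SERVICE_RE = re.compile(r"^[SRU]\d\s+(?P<name>[^;]+);.*\[X\]\s*$")
# Task lines: optional "{GUID} - name", then "->" or "=>" and the target.
TASK_RE = re.compile(
    r"^Task:\s+(?:(?P<id>\{[0-9A-Fa-f-]+\})\s+-\s+)?(?P<name>.*?)\s+(?:->|=>)\s+(?P<target>.*)$"
)
SEARCHSCOPE_RE = re.compile(
    r"^SearchScopes:\s+(?P<hive>\S+)\s+->\s+(?P<scope>.*?)\s+URL\s*=\s*(?P<url>.*)$"
)
SAFEBOOT_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(?:Minimal|Network)\\(?P<name>\S+)\s+=>"
)
FIREWALL_RE = re.compile(
    r"^FirewallRules:\s+\[(?P<id>\{[0-9A-Fa-f-]+\})\]\s+=>\s+\((?P<action>\w+)\)\s+(?P<path>.*)$"
)


@dataclass
class Finding:
    category: str  # attention | orphan | review | info (assumed names)
    line: str
    reason: str


def triage_line(line: str) -> Finding:
    """Classify one FRST line. Rules are checked from most to least severe."""
    line = line.rstrip()
    if "<==== ATTENTION" in line:
        return Finding("attention", line, "flagged by FRST itself")
    m = ORPHAN_SERVICE_RE.match(line)
    if m:
        return Finding("orphan", line, f"service {m['name']} points at a missing file ([X])")
    m = TASK_RE.match(line)
    if m:
        if m["target"].startswith("No File"):
            return Finding("orphan", line, f"task {m['name']} has no backing file")
        return Finding("info", line, f"task {m['name']} runs {m['target']}")
    m = SEARCHSCOPE_RE.match(line)
    if m:
        url = m["url"].strip()
        if not url:
            return Finding("orphan", line, f"empty search scope {m['scope']} under {m['hive']}")
        # FRST defangs http as hxxp; restore it so urlparse sees a real scheme.
        host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
        if host in KNOWN_SEARCH_HOSTS:
            return Finding("info", line, f"search scope uses known engine {host}")
        return Finding("review", line, f"search scope points at unrecognised host {host!r}")
    m = SAFEBOOT_RE.match(line)
    if m:
        return Finding("review", line, f"SafeBoot entry {m['name']}: confirm the service still exists")
    m = FIREWALL_RE.match(line)
    if m:
        return Finding("review", line, f"{m['action']} rule for {m['path']}: confirm the executable still exists")
    return Finding("info", line, "no triage rule matched")


def triage(lines: List[str]) -> List[Finding]:
    """Triage every non-blank line, preserving order."""
    return [triage_line(line) for line in lines if line.strip()]


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


# Constructed sample: lines copied from the fixlist above, plus one made-up
# search scope (placeholder GUID, host search.example.net) for the unknown-host case.
SAMPLE_LINES = [
    r"SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox",
    r"SearchScopes: HKU\.DEFAULT -> {e4a1ece8-ed94-4f93-80ea-75f978ceaf24} URL =",
    r"SearchScopes: HKU\S-1-5-21-0-0-0-1001 -> {00000000-0000-0000-0000-000000000000} URL = hxxp://search.example.net/?q={searchTerms}",
    r"BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-23] (Oracle Corporation)",
    r"S3 NAVENG; \??\C:\Program Files (x86)\Norton AntiVirus\NortonData\22.5.2.15\Definitions\SDSDefs\20160701.036\ENG64.SYS [X]",
    r"Task: {68C0C471-E810-461C-A0D1-69AF08B4D3ED} - \Plus-HD-4.5-chromeinstaller -> No File <==== ATTENTION",
    r"Task: {6BC24C0D-8032-4162-8354-BB63D39871EE} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-3367162549-2933853443-4105287630-1001UA => C:\Users\sma\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-12-19] (Facebook Inc.)",
    r"Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3367162549-2933853443-4105287630-1001Core.job => C:\Users\sma\AppData\Local\Facebook\Update\FacebookUpdate.exe",
    r'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndappv2 => ""="service"',
    r"FirewallRules: [{0107E940-2604-4DD4-BE20-5D9435EA9235}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe",
]

if __name__ == "__main__":
    findings = triage(SAMPLE_LINES)
    for f in findings:
        print(f"[{f.category:9}] {f.reason}")
    print(summary(findings))
```

Run as a script it prints one line per finding and the per-category counts. The "review" category is deliberately conservative: a firewall allow rule or a SafeBoot key for a product that is still installed is normal, and only someone looking at the full FRST.txt and Addition.txt can say whether the product is really gone, which is why the helper, not the script, writes the fixlist. Note also that the helper removed the Bing search scopes even though the host is well known; a default-scope reset is part of the cleanup, so "info" here means "not suspicious on its own", not "leave alone".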


#3 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 10:36 AM

Hello Satchfan, thank you for your help.  I did the first step of your process and have attached that log.  The second step of your process, however, has an issue. The link to zoek.exe is a dead link. 



#4 satchfan

  • Malware Response Team
  • 2,847 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 March 2017 - 11:28 AM

Apologies. Try this one.




#5 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 01:06 PM

Hello Satchfan,

 

The link worked to download the zoek.exe software; however, although I have turned off my AV, the software does not run. I attempted a second time after waiting 15 minutes in between. I also checked the task manager and it is not running.

 

Thank you for your help!



#6 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 03:15 PM

Hello Satchfan,

 

Zoek.exe finally ran, although there were issues with getting it to shut down. I also ran Zemana AntiMalware. When it first opened it opened in Chinese although I had selected English (default). The second time it opened in English, but shut down the internet connection while it was running. I was not shut down at the router, so this seemed to have something to do with the software. I do have to say that since beginning all of this, I see more adware trying to open as I connect with your website than I have ever seen before. I hope we have gotten this fixed and, if not, that there are other steps to take to ensure that we have.

 

I appreciate your help with all of this.  Thank you!

 

-pt817

 

P.S. I turned my AV back on after running Zemana. While sending this message my Norton 360 popped up with the following message:

 

Auto-Protect is processing security risk Trojan.Gen.2.

 

P.P.S. Requested files are attached. The zoek-results.log would not upload on your system, so the results are as follows:

 

Zoek-results.log:

 

 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Pam on Tue 03/28/2017 at 11:00:17.54.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Pam\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
3/28/2017 11:24:21 AM Zoek.exe System Restore Point Created Successfully.

(Attached: 2017.03.28-12.25.58-i0-t92-d2.txt)

 



#7 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 03:19 PM

(Attached: 2017.03.28-12.25.58-i0-t92-d2.txt) The Zemana AntiMalware log file is in the prior email, but for some reason wrapped onto the prior sentence. I left the default name that Zemana gave the file:

 

 



#8 satchfan

  • Malware Response Team
  • 2,847 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 March 2017 - 04:36 PM

Please try running Zoek in safe mode.




#9 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 04:57 PM

Hello Satchfan,

 

Are you wanting me to rerun Zoek.exe even though it finally ran?

 

Thanks,

 

pt817



#10 satchfan

  • Malware Response Team
  • 2,847 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 March 2017 - 05:14 PM

It might have run but that didn't result in a full report.

 

Please follow the previous instructions to run Zoek and if it doesn't result with the log mentioned, run it in safe mode.

 

Satchfan


Edited by satchfan, 28 March 2017 - 05:16 PM.



#11 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 05:29 PM

Already in process as I came to the same conclusion after looking at the report. Will hopefully have it shortly.

#12 satchfan

  • Malware Response Team
  • 2,847 posts
  • Gender:Female
  • Location:Devon, UK

Posted 28 March 2017 - 05:47 PM

I won't reply tonight, (11:45pm GMT), but will check it in the morning.




#13 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 05:57 PM

Thank you for the heads up. The process stopped running 10 minutes ago, but did not close. Last line is:

--- Del by CLSID 15:40:53.49

If you think it is done I will close and search for the log and send.

#14 pt817

  • Topic Starter
  • Members
  • 26 posts

Posted 28 March 2017 - 10:47 PM

Update: I continued to run the Zoek scan another two hours after my last message to you. It never moved past the line listed above. So I killed it (rebooted) and restarted a new scan. This one also has stopped at the same line (2 hours ago). This scan has been running a total of 3 hours now. I will let it run overnight and see if it completes. If not, I think we need to consider another tool. I have at this point been dealing with this one tool for 12 hours.

Thanks again for your help. Hope you had a nice evening! BTW I am 8 hours behind you in my time zone (8:45pm PST). I'll check in the morning and update you then.

#15 satchfan

  • Malware Response Team
  • 2,847 posts
  • Gender:Female
  • Location:Devon, UK

Posted 29 March 2017 - 05:13 AM

Did you run it in safe mode?

 

If you did and that also didn't help, please try disabling your antivirus and then try it again.


Edited by satchfan, 29 March 2017 - 05:46 AM.
