slow, junkware, malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by qbert79, Oct 23, 2015.

  1. qbert79

    qbert79 Private E-2

    I am cleaning this computer for my nephew because he told me the computer was getting really slow. When I checked it I found the computer was running slow and loaded with junkware/malware (and who knows what else). It had browser redirection and popups/new tabs after Google web searches. It also had popups in Windows telling me that the computer was infected and wanting me to call a number to have the computer cleaned for a fee; it was coming from some unwanted program my nephew said he never installed. I tried to uninstall it with negative results, but I noticed that on the same day it was installed several other programs had installed in early September of this year.

    I ran the junkware removal tool as part of the browser redirection thread but it exited without leaving a log. The junkware removal tool seemed to fix most of the performance issues and the pop up issues, as well as removing the program that was asking me to call and pay to clean the PC. I completed the rest of the malware removal steps and the logs are attached. The logs did indicate malware still exists. I also looked and several unwanted programs are still installed from 9/4/2015 when about 10 or more unwanted programs installed. I didn't try to uninstall those since completing the steps in this forum because I figured I had better post my logs and get feedback before proceeding so I don't screw it up.
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, qbert79

    Are you knowingly set up to use a proxy?
     
  3. qbert79

    qbert79 Private E-2

    It's not my computer, it's my sister/nephew's but as far as I am aware the answer to that is a big no. I am guessing by the question that there is a proxy set up on the computer. What do I need to do next?
     
  4. qbert79

    qbert79 Private E-2

    Also, I wanted to add that the computer never seems to shut down. When I try to shut down via the start menu/shutdown it goes to a screen that says shutting down, with no indication that it is installing updates or anything like that. It just keeps saying that it is shutting down with a circle spinning. I left it on overnight after a reboot and in the morning it still said it is shutting down. Checking with my sister, she has left it on for over a week waiting for it to shut down properly to no avail. Also when I press and hold the power button after a significant time waiting for it to shut down and do a hard shut down, the next time I turn it on it doesn't go to a menu indicating Windows shut down incorrectly and ask if I want to boot to safe mode. I have been doing some online reading and it looks like this could be due to malware or any number of issues. Considering the possible malware correlation I figured it would be good to mention the possible additional symptom.
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your next reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
     
  6. qbert79

    qbert79 Private E-2

    Well the scan is still running, it has been running now for 4-5 hours, it seems to be stuck at "Scanning System errors: 276421" and has been on that for most of the time I have been waiting. I did notice that the logs are on the desktop though. So I am going to attach the logs. Should I stop/kill the scan or ride it out?
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    *Other than the tools our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately leaving only shortcut links. [ C:\Users\Joe & Emily\Desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    Re-run HitmanPro and activate the 30-day trial. Have it fix all detections found under the headings:
    Malware
    Potential Unwanted Programs


    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
    After reboot and when you are back in Windows, run another scan with HitmanPro and then attach the latest HitmanPro log.

    Please re-run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.
    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in the original instructions and attach the new log.

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts. *Re-enable them before physically reconnecting to your ISP.

    Using "Programs & Features" uninstall: (If you do not find it or it will not uninstall, just keep going.)
    AnySend
    Easy Driver Pro
    Faster Web
    Friendly Error
    FromDocToPDF Internet Explorer Toolbar
    Google Update Helper
    Java 2 Runtime Environment, SE v1.4.2_18
    Java 8 Update 31
    Java(TM) 6 Update 35
    Java(TM) 6 Update 5

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    • Save the attached (fixlist.txt) to your desktop.
    • Right click FRST and run it as admin.
    • Click the FIX button.
    • A report should pop up, please attach it here in your next reply.

    Next download AdwCleaner by Xplode and save to your Desktop.
    • Close all open windows and browsers.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Logfile button...a logfile (AdwCleaner[S#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • Look over the log especially under Files/Folders for any program you want to save.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Cleaning button.
    • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically.
    • Attach that logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder, which is created when running the tool.

    Now install the current 64-bit version of Oracle Java
    Java Runtime Environment 64-Bit 8 Update 66

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select "Run As Administrator").

    Then attach the below logs:
    • updated Hitman Pro log.txt
    • updated RKreport.txt
    • Fixlog.txt
    • C:\MGlogs.zip
    • AdwCleaner[C#].txt
    Make sure you tell me how things are working now!
     

    Attached Files:

  8. qbert79

    qbert79 Private E-2

    So, when I last checked the PC yesterday around 9:00 PM the Farbar recovery tool was still stuck in "Scanning System errors: 276421" (which I would guess was about 27 hours of it running with that system errors message displayed). I got your message this morning and when I turned on the monitor it was just a black screen. Moving the mouse and keyboard presses did nothing. I turned off the computer and turned it back on, it showed Windows starting but then just went to a black screen and not to the log on screen. I waited about 20 minutes and still nothing. I turned it off and on again and now it is trying to run something called Start up repair. I will try to do that and let you know if I can even get the computer to turn on so I can complete the next steps.
     
  9. qbert79

    qbert79 Private E-2

    Ok, the start up repair failed and suggested I do a restore. It restored to day on the 24th and it started fine at that point. It was scary when it wouldn't start but I think it's good now.

    I ran Hitman Pro without any issues and it had 3 items listed as malware and I had it fix those. There were some listed as riskware but I had it ignore those. When in Hitman Pro there were a bunch of other items, but none were labeled potential unwanted programs. Looking at the log now I see them listed as potential unwanted programs, but while I was in Hitman Pro they were listed as the names in the parentheses like mindspark, coupon bar, etc. but they weren't labeled as PUPs there. Should I rerun Hitman Pro and have it remove those?

    I ran RogueKiller without any issues but none of the listed items were there so I just saved the log file.

    I uninstalled some of the programs on the list, some weren't there and some gave errors. I did what I could and moved on.

    I ran FRST and the log is attached.

    I ran ADWcleaner without any issues and the log is attached.

    I installed the latest Java.

    I ran mglogs.bat

    The computer seems to be running well now and I am not noticing any issues at that point.
     

    Attached Files:

  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Looking better now.

    Please re-run Hitman Pro as before and remove all detections found under:
    Malware
    Potential Unwanted Programs


    Afterwards, click the Next button.

    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
    *After reboot and when you are back in Windows, run another scan with HitmanPro and then attach the latest HitmanPro log.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select "Run As Administrator").

    Then attach the below logs:
    • updated Hitman Pro log.txt
    • updated C:\MGlogs.zip
     
  11. qbert79

    qbert79 Private E-2

    The logs are attached.
     

    Attached Files:

  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    Your logs look good. Any remaining problems?
     
  13. qbert79

    qbert79 Private E-2

    No problems now. It seems to be running really well.
     
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, Win 7/8 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7/8, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    Safe surfing!
     
  15. qbert79

    qbert79 Private E-2

    Thanks for all the help. I couldn't have done it without you.
     
  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're very welcome.
     
