
MBAM Registry *Not* Staying, But Vanishing; PUPs Keep Returning, Crashing Computer.



Hello. I am messaging because of recurring problems with PUP bug files causing my computer to freeze or crash. Initially, I bought the Premium version of MBAM to resolve this. However, this fix has only been temporary. I am now finding, when I can get my machine to stay on and functional long enough, that when I launch MBAM, I am told that the registry and other information is gone, and that I no longer have the latest daily downloaded version, or any prior one, present in my system. I then have to re-enter my product ID and Key numbers to re-enable protection. The same two PUP bug files are repeatedly being found, when I am finally able to complete a Malware scan without my system crashing. They are both of the Vendor "Optional.Spi..." {Not able to view the full Vendor name}, and both of their Item descriptions start with "C:\Users\Tim\..." From that point in the Item names, the first continues "Downloads\FreePDFTabletInstall.exe" and the second one continues "AppData\Local\Temp\Offercast2802_IJBM..." {unable to see the rest of the Item name}. Could someone please look into this? I am worried I may have an issue that has the capacity to work around the protection of even the Premium, paid version of MBAM software. Thank you very much.


Welcome to the forum.

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

Please run a Quick Scan with Malwarebytes (if possible)

For Malwarebytes ver: 1.75

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

For Malwarebytes 2.0, please run a Threat Scan

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log

Then......

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.


New window that comes up.


Last................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

 

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Hello, and thank you for your assistance. At this time, my Premium copy of MBAM will not launch, so I am not able to run a scan with that program; though, as an aside, I was eventually able to scan with my other software, "WinZip Malware Protector," as well as Microsoft's "Security Essentials," both of which found nothing on this occasion.
I am attaching the "FRST.txt" log, as instructed. {Note: I had actually downloaded and run this tool previously. I note that it had to be re-downloaded and installed again, as it had vanished from my system.}
Subsequent to that, however, WinZip Malware Protector gave an alert notice that malware had been blocked. I am not able to "attach" this log, and so, am copy-pasting it here:
 
Nico Mak Computing WinZip Malware Protector
Scan Date: Thursday, June 05, 2014
Database Version: 1828
Total Items Found: 6
Objects Scanned: 330708
Time Elapsed: 00:50:40

Name Found Items

Item Name: trojan-dropper.agent
Category: Trojan Dropper
Threat Level: Elevated
Action Performed: Quarantine
Items Found: 5

Found Area: FileSystem
Details:
  File Name: c:\program files (x86)\mipony\mipony.exe
  MD5: 0
  Signature: 1942705155283647711
  Md5hash: a160b89076e5675f91faf3f96be23837

Found Area: FileSystem
Details:
  File Name: c:\users\tim\appdata\roaming\microsoft\internet explorer\quick launch\mipony.lnk
  MD5: 0
  Signature: 1942705155283647711
  Md5hash: a160b89076e5675f91faf3f96be23837

Found Area: FileSystem
Details:
  File Name: c:\users\tim\desktop\mipony.lnk
  MD5: 0
  Signature: 1942705155283647711
  Md5hash: a160b89076e5675f91faf3f96be23837

Found Area: FileSystem
Details:
  File Name: c:\users\updatususer\appdata\roaming\microsoft\internet explorer\quick launch\mipony.lnk
  MD5: 0
  Signature: 1942705155283647711
  Md5hash: a160b89076e5675f91faf3f96be23837

Found Area: FileSystem
Details:
  File Name: c:\users\updatususer\desktop\mipony.lnk
  MD5: 0
  Signature: 1942705155283647711
  Md5hash: a160b89076e5675f91faf3f96be23837

Item Name: pup.optional
Category: Potentially Unwanted Application
Threat Level: High
Action Performed: Quarantine
Items Found: 1

Found Area: FileSystem
Details:
  File Name: c:\users\tim\appdata\local\temp\is1658163471\4189746_stp\optimizerpro_600.exe
  MD5: 0
  Signature: 16020175313665179607
  Md5hash: fdbdb60c18b53923af99f8223c7515b9

© 2013 WinZip International LLC. All rights reserved.
 
I am also giving the Quarantine List, which contained these item-line entries:

        Item Name               Quarantine Date
False   Restricted Settings     6/3/2014 3:31:54 PM
False   trojan.dropper          6/4/2014 2:05:59 AM
False   trojan-dropper.agent    6/5/2014 4:27:10 PM
False   pup.optional            6/5/2014 4:27:17 PM
 
 
   I have also attached the first *and* the most recent (from today) "Addition" logs as well; the second was named "Search.txt" by the system, so I left that name in place.
   When I ran RogueKiller, there were four "PUM" items listed in the registry tab; per my understanding of your instructions, I did *not* delete them. The Note Pad Log of that RK report is attached, above, as an attachment, as well as a prior-date Result.txt for "MiniToolBox by Farbar" from 3-6-14.
Other Feedback: I believe I did opt to follow this blog prior to making contact. I am not sure how to use System Restore to create a new Restore Point. {Apologies for my relative lack of expertise in such things: My degree is in Philosophy, rather than IT.}
   Thank you very much for your help.
 
-- Tim B. Jones

New reply to MBAM Registry Not Staying, But Vanishing PUPs Keep Returning, Crashing Computer..zip



Did you use the registry cleaner that comes with this program??
WinZip Malware Protector

------------------------------------------------

For system restore:

http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/ <------W7

http://www.bleepingcomputer.com/tutorials/windows-8-system-restore-guide/
http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html <---W8 system restore point

-------------------------------------------------

Please do a complete re-install of Malwarebytes:
https://forums.malwarebytes.org/index.php?showtopic=146017

If you need to get your id and key, just download, unzip and run one of the following bat files. (MB.bat for 32 bit systems and MB64.bat for 64 bit systems)
Notepad will open with your key and id towards the bottom of it.


-------------------------------------------------

Let me know if you can now run a scan with Malwarebytes, MrC


Hello again. I was still having trouble getting my computer to stay on long enough, even in safe mode, to do much of anything. I brought it to the computer help desk on campus (UW, Odegard Library), and they were able to get it cleaned out for me. The scans and other tools they used purged my computer of problems. They recommended being more careful which web sites I visit. I believe the two most suspicious ones (which I no longer go to on my home computer) are: 1.) "CommandersOfEvony.com" which is a bug-ridden beta stage game, and 2.) *Not* youtube, per se, but an advertised link in the comment area from trying to watch "Last Train Home." You cannot watch it on youtube, but a link was placed in the comment area, along with the promise of being able to watch that title for free. It led to a site that offers a 5-day free trial, in exchange for your credit card and contact information. However, this particular title still could not be watched, and the only result was seeing another such product being offered for yet another payment-for-subscription service being tried out. I cancelled immediately, but wanted to communicate to all *not* to visit those two sites. But youtube, proper, remains safe. At this time, then, I believe my issue has been successfully resolved. Thank you very much for your partial assist.


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.