Revived HP laptop issues

[NetBuse]

I am using a HP laptop that was restored from an old and failing HD by copying the entire thing to a new hard drive. Afterwards I installed Malwarebytes using the Chameleon route and it removed over 1000 items; most were PUPs while some were malware.

Afterwards the performance increased but I feel that there are some lingering issues as when I first ran Firefox again (after a scan that came up as clear) today it did something odd when it ran, so I closed it and ran another scan and suddenly PUP.Optional.V9.A was listed as the sole thing it found. The file responsible was quarentined but it appeared only after Firefox was run so I am worried about other PUPs or hidden malware being activated if specific programs are run.... it turns out that a PUP.Optional.WeatherAlerts.A was activated when I started FireFox again to do this post. What is hiding on this laptop that only appears when certain programs are run and please list if they are a threat or an annoyance.

Another note, just as I was about to press post some text became garbled, but preview shows no garbled text. Before anyone asks why no new OS was installed the owner, a friend wanted the old OS back, despite being told there were likely to be issues since it was doing some odd thngs before. I am working with an OS that should be replaced but sentimentle value is causing blindness to what should have been done, but the stuation is what it is.

FRST.txt

Addition.txt

Shortcut.txt

 

[Psychotic]

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  

• Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.
  

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

• Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  
  • Sections
  • IAT/EAT
  • Show All ( should be unchecked by default )
    

  [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.
  

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

• Execute TDSSKiller.exe by doubleclicking on it.
• Press Start Scan
  
• If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  
• Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
  

Please attach this file to your next reply.

[NetBuse]

Ok I done both, but since quickscan was the default level of intensity for GMER (whch was used as per instructions) instead of an intensive scan of the whole C: drive, the results are still good enough for you correct? TDSS by default did not scan Modules but I left the settings alone as well, so is that ok too for the results? Just curious.

GMER: ark.txt

TDSS:  TDSSKiller.3.0.0.44_23.01.2015_12.04.22_log.txt

[Psychotic]

We need to remove some programs with Revo Uninstaller Free:


Note: Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.
Note: If the program you want to uninstall is not listed by Revo, let me know and we will try an altenate method of removal.

• Please download and install Revo Uninstaller Free
  note: there is no need to click anything on that page, the download will start automatically
• Double click Revo Uninstaller to run it
• From the list of programs double click on the listed program(s), or anything similar, to remove it:
  

  BeFrugal.com Toolbar

• When prompted if you want to uninstall click Yes
• Be sure the Moderate option is selected then click Next
• The program will run, If prompted again click Yes
• When the built-in uninstaller is finished click on Next
• Once the program has searched for leftovers click Next
• Check the items in bold only on the list then click Delete
  note: you may have to expand some folders by clicking the "+" mark
• When prompted click on Yes and then on Next
• Put a check on any folders that are found and select Delete
• When prompted select Yes then Next
• Once done click Finish
  

 

 

 

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

• Download the attached fixlist.txt and save it to the location where FRST is saved to.
• Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
• The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.
  

 
 
 
Full System Scan with Malwarebytes Antimalware

• 
  If not existing, please download

Malwarebytes Anti-Malware to your desktop. Double-click the downloaded setup file and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

• Launch Malwarebytes Anti-Malware
• A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

[*]Click Finish.

If the program is already installed:

• Run Malwarebytes Antimalware
• On the Dashboard, click the 'Update Now >>' link
• After the update completes, click the 'Scan Now >>' button.
• Or, on the Dashboard, click the Scan Now >> button.
• If an update is available, click the Update Now button.
• A Threat Scan will begin.
• When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
• In most cases, a restart will be required.
• Wait for the prompt to restart the computer to appear, then click on Yes.
  

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click 'Copy to Clipboard'
• Paste the contents of the clipboard into your reply.
  

fixlist.txt

[NetBuse]

Got to running FRST64.exe and clicked on FIx but it crashed during if I remember the text right " deleting the temp folder" or something around that style. It was in the process of deleting the temp folder of the main account, now that it is mentioned since there are two accounts (the admin and then Standard) would FRST64.exe delete the temp folder from both at once? Currently in the admin account, but since there are two accounts I think I have a valid concern that I mentioned.

So do I rerun FRST64.exe with the fixlist or what? I do not know what to do since FRST64.exe crashed during the fixing process.

[Psychotic]

Please have a look for the fixlog.txt.

If it exists, please proceed with MBAM and post both logs, when ready.

 

If not, please tell me.

[NetBuse]

Here is the: Fixlog.txt

 

Here is the Malwarebytes scan info:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/27/2015
Scan Time: 12:32:38 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.27.07
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Hilda

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 597721
Time Elapsed: 4 hr, 0 min, 38 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

[Psychotic]

Scan with ESET Online Scan

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

• Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
• Click the blue Run ESET Online Scanner button
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
• Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
• Click on Advanced Settings
• Make sure that the option Remove found threats is unticked.
• Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

  [*]Click Start[*]Wait for the scan to finish[*]When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.[*]Close the ESET online scan, and let me know how things are now.

[NetBuse]

ESET Scan results:

C:\$Recycle.Bin\S-1-5-21-406499392-2183913844-3492909602-1001\$R0LNQ1K\upfst_us_107.exe    a variant of Win32/Adware.EoRezo.AJ application
C:\Users\Hilda\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DBWE3RMM\SpeedUpMyPC-standalone-setup[1].exe    Win32/SpeedUpMyPC potentially unwanted application
C:\Users\Hilda\AppData\Local\Temp\2441d679-ed41-4176-a595-72147ea19175\software\2040-2082_Re-markit.exe    multiple threats
C:\Users\Hilda\AppData\Local\Temp\2441d679-ed41-4176-a595-72147ea19175\software\speedupmypc.exe    Win32/SpeedUpMyPC.A potentially unwanted application
C:\Users\Hilda\AppData\Local\Temp\is-BIE3V.tmp\SpeedUpMyPC-standalone-setup.exe    Win32/SpeedUpMyPC potentially unwanted application
C:\Users\Hilda\Downloads\couponcomcouponprinter-setup(1).exe    Win32/DownloadAdmin.G potentially unwanted application
C:\Users\Hilda\Downloads\couponcomcouponprinter-setup.exe    Win32/DownloadAdmin.G potentially unwanted application

[Psychotic]

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

• Download the attached fixlist.txt and save it to the location where FRST is saved to.
• Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
• The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.

• Run adwcleaner.exe
• Hit Scan and wait for the scan to finish.
• Confirm the message but don´t uncheck anything.
• Hit Clean
• When the run is finished, it will open up a text file
• Please post its contents within your next reply
• You´ll find the log file at C:\AdwCleaner[s1].txt also
  

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.
  

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK Mirror (if the link is down)

• Save it to your desktop, start it and follow the instructions in the window.
• After the scan finished the (checkup.txt) will open. Copy its content to your thread (Note: Do NOT post this one into a code box!
  

Are any problems left or may I post the final reply?

fixlist.txt

[NetBuse]

Here are the log files.

FRST: Fixlog.txt

AdwCleaner:  AdwCleanerR0.txt   AdwCleanerS0.txt

JRT:  JRT.txt

SecurityCheck:  checkup.txt

[Psychotic]

Your system is clean now!

 

 

Java runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

• Get the actual JRE from
   
   
   
   
   
  Recommendations: How to protect yourself
  
  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website´s content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.
      

    [*]Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:
    

    • Secunia Personal Software Inspector - checks if your software has updates available.
    • SecurityCheck (by screen317) - scans your computer for most vulnerable outdated software.
    • Mozilla: Check your plugins - The webpage will tell you if you have outdated plugins running in your Firefox browser.
      

    [*]Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to loose all your data. Back up your files regularly. Use the windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system. [*]Behaviour
    The commonest error when using a computer is "error 80" - what means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won´t help if you aren´t careful enough.
    

    • While surfing the internet, don´t click on anything you don´t know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal pata (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don´t click everything.
    • When installing software, have a look to each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today´s setup procedures contain potentially unwanted programs so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
      

    
    
    

[NetBuse]

Okay I did the steps and the only restore point left is the one created by delfix (has the description End of Disinfection) and I used TFC.  Now that this whole process is done the laptop can be given back and be used for work again?

[NetBuse]

The computer can be used again since the cleaning process is done, correct?

[Psychotic]

As we declared it clean, you may use it normally again!

Enjoy...

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!