
Assistance Confirming Removal of PUPs, etc. From Win7 (64)



A family member's laptop exhibited poor performance at start-up and during various operations.  Periodically, an unwanted 'Offers4U' toolbar popped up in IE and displayed advertisements.

 

A preliminary examination revealed several suspect objects:

 

  • BackGroundContainer
  • GoogleUpdateTask
  • LogiTech Download Assistant
  • Panda Media Booster
  • Offers4u
  • Alert.dll (Conduit/CommunityAlert/Alert.dll)
  • VisualBeeRecovery
  • YTD Toolbar
  • YTD Video Downloader
  • OpenCandyHelperRunOnce
  • VER_PRODUCT_NAME service (65brmon.exe)

 

Scans with AdwCleaner and Malwarebytes confirmed the presence of a number of undesirable objects. AdwCleaner and MWB were run again and used to remove the undesirable objects reported.

 

Farbar Recovery Scan Tool has been run twice, the second time as Administrator.

 

Please see attachments for reports by AdwCleaner, Malwarebytes and Farbar Recovery Scan Tool.

 

May I please receive assistance to determine whether the machine has been adequately decontaminated.  Are there any further steps to consider?

 

 

 

AdwCleanerC1.txt

AdwCleanerS4.txt

2015.10.30_MalWareBytes_Rpt_01.txt

2015.10.30_MalWareBytes_Rpt_02.txt

2015.10.30_Addition_01.txt

2015.10.30_FRST_02.txt


Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

Rules and policies

 

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

 

 


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:

    createsrpoint;autoclean;emptyclsid;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b

  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will open after it. You may also find it on your main drive (usually the C:\ drive).
Post its content into your next reply.

The PC has only been used sparingly to preclude interfering with diagnosis.  However, there has been no sign of the 'Offers4u' toolbar and time to start up is MUCH improved. I look forward to testing whether disk intensive activity such as a Full Scan by Kaspersky AV also shows improvement.

 

There are a couple of lingering nuisance items for me to address such as: 'Panda Media Booster' in Start Up; 'GameAppIntegrationService' by WildTangent in 'Services'; notifications for Adobe Update and Windows 10 Upgrade.

 

If these nuisance items are within scope of the Malware Removal Help offered in this forum, assistance will be welcomed. However, I am grateful for the help you already rendered and can seek out remedies for those items through other channels on my own.

 

Thank you again for your prompt interaction, expert assistance and professional demeanor!


Okay, let's see if we can remove all of them:
 
 
Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.


There are a couple of lingering nuisance items for me to address such as: 'Panda Media Booster' in Start Up; 'GameAppIntegrationService' by WildTangent in 'Services'; notifications for Adobe Update and Windows 10 Upgrade.

 

I notice references to Google's Chrome in the FRST/Addition files.

 

Chrome residue is a target for removal, too.


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

fixlist.txt


Have only browsed a bit on the machine, pending follow up.

 

Three observations:

  • Noticed after performing FRST + FixList that there were one or more entries related to Wacom, vendors of a drawing tablet. The principal user of the machine employs a Wacom Bamboo tablet in conjunction with graphics apps. We will test for Wacom functionality/anomalies in the next 24 hrs, then post back.
  • A Windows dialog [GWXUX] began appearing, displaying the message "GWXUX has stopped working. A problem caused the program to stop working correctly. Please close the program."

    Research turns up a few plausibles, as listed next. No action has been taken, pending your instructions.

    • Posted by DonP81 on Microsoft Answers
      - GWXUX.EXE was installed by Windows Update KB3035583. This update was put out in late May by Microsoft with virtually no explanation of its purpose.
      - I was able to resolve the problem of the "stopped working" notification by doing a System Restore to a time before this message began appearing. I then went to Windows Update in the Control Panel and removed this update.
      - (follow-up) Although I have marked KB3035583 as "Hidden" it showed up again today as an "Important" update. It looks like Microsoft has released it again as the Windows 10 general release gets nearer.

    • Posted by FunkyBrewster
      - Uninstalling KB3035583 got rid of the GWXUX icon in the taskbar so I'm hoping that will get rid of the crashes (sfc and chkdsk both found no errors). To actually get it uninstalled, I had to kill the GWXUX process before uninstalling or else it was still there after a reboot even if I hid the update.

    • Posted by Sampson1970
      I used IObit Uninstaller 4.3. In the uninstaller select "Windows Updates" on the left side dropdown. A list of all updates will be populated. In the search bar on the right enter KB3035583. When it finds the update select it and tell it to uninstall. Reboot your computer. Done. No remnants of GWXUX found in any of the folders it once was.

  • Adobe Update dialog displayed and icon remains present on toolbar.

Aside from these items, the laptop continues to work as well if not better than it did following the earlier assistance.

I propose putting the machine to regular use for a day and reporting back ...

Thank you !


A) Follow up:

  • The Wacom pen tablet works fine - no issues noted.
  • The "GWXUX has stopped working" dialog has not reappeared.
    However, the "Get Windows 10" icon continues to display in the Hidden Icon popup section of the toolbar
    (C:\Windows\System32\GWX\GWX.exe).
  • Adobe Update dialog displayed and icon remains present on toolbar.

B) When looking for oddities in the tabs of System Configuration:

For Services, I see

  • Adobe Active File Monitor V9
  • MBAMService
  • Nero Update
      C:\Program Files (x86)\Nero\Update\NASvc.exe
  • Wireless PAN DHCP Server

(It appears I can use "Uninstall or Remove Program" to delete Nero Update)

For Startup, I see

  • Adobe Updater Startup Utility
      C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
  • Apple Push
      C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
  • Google Update
      C:\Users\Portia\AppData\Local\Google\Update\GoogleUpdate.exe
  • Logitech Download Assistant
      c:\Windows\System32\LogiLDA.dll
  • Nero Launcher
  • Stage Remote Manager
      C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
  • stage_primary
      C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe

I will fully understand if the services and startup items are deemed outside of the scope of this exercise.

 

Thank you.

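The post above walks the Services and Startup tabs of System Configuration by hand. As an added example (it is not from this thread and is not part of AdwCleaner, FRST, ZOEK or DelFix), the PowerShell below does the same inventory from the registry Run keys, the service table and the Startup folders, flags entries that match the names reported in this thread or that run from a user-profile or temp path, and checks whether KB3035583 from the earlier GWXUX post is still installed. It assumes Windows PowerShell 3.0 or later on the Windows 7 machine, run elevated; the watchlist is constructed from names in this thread and is a triage cue rather than a verdict (the thread's own GoogleUpdate.exe under AppData will be flagged by the path heuristic). It is read-only and removes nothing.

```powershell
# Added example, not from the thread or any tool it mentions: a read-only autostart
# inventory for the Windows 7 machine discussed above. Assumes Windows PowerShell 3.0+
# running elevated. It reports; it removes nothing.

# Watchlist constructed from names the original poster listed as suspect or nuisance
# items (it mixes adware such as Offers4u with merely unwanted software such as GWX).
$Watchlist = @('Offers4u', 'Conduit', 'VisualBee', 'YTD', 'OpenCandy', 'BackgroundContainer',
               '65brmon', 'Panda Media Booster', 'GameAppIntegrationService', 'GWX')

# Registry Run/RunOnce keys consulted at logon: per-machine (64- and 32-bit views) and per-user.
$RunKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-ProfilePath {
  param([string]$Command)
  # Heuristic: installers normally place autostart binaries under Program Files or Windows.
  # A loader living in a user profile, AppData, ProgramData or Temp is worth a second look
  # (the thread's own GoogleUpdate.exe under AppData shows this is a triage cue, not proof).
  return $Command -match '\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\'
}

function Get-AutostartInventory {
  $items = @()
  foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath etc.
      $items += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
  }
  # Services: Win32_Service exposes the image path (PathName); Get-Service does not.
  foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $items += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
  }
  # Startup folders (all users, then the current user).
  $folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
  foreach ($dir in $folders) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
      $items += [pscustomobject]@{ Source = 'StartupFolder'; Name = $f.Name; Command = $f.FullName }
    }
  }
  return $items
}

function Find-SuspectAutostarts {
  foreach ($item in Get-AutostartInventory) {
    $reasons = @()
    foreach ($w in $Watchlist) {
      if ($item.Name -like "*$w*" -or $item.Command -like "*$w*") { $reasons += "watchlist:$w" }
    }
    if (Test-ProfilePath $item.Command) { $reasons += 'runs from a profile/temp path' }
    if ($reasons.Count -gt 0) {
      $item | Add-Member -MemberType NoteProperty -Name Reason -Value ($reasons -join ', ') -PassThru
    }
  }
}

function Test-UpdateInstalled {
  param([string]$KB)
  # Confirms whether the update discussed in the GWXUX post (KB3035583) is still present.
  return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

Find-SuspectAutostarts | Sort-Object Source, Name | Format-Table Source, Name, Reason, Command -AutoSize -Wrap
"KB3035583 installed: $(Test-UpdateInstalled 'KB3035583')"
```

Run it before and after a cleanup pass and compare the two listings; an entry that reappears after removal is the kind of thing the helper asked to be told about rather than handled unsupervised.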

Some items have been uninstalled, others have been disabled - leaving me with just Adobe Update to be addressed in the future. During this, I have identified additional services to address (i.e. Customer Experience Improvement Program, Multimedia Class Scheduler ...).

Before disappearing down the rabbit holes of Services/Tasks/Events review & optimization, I thought it a good time for a follow-up post. The machine is launching and performing MUCH better than it did to begin with. Unless there are any further steps you recommend, I believe we can invoke closure.

 

Thank you once again for your assistance.

 



Since there are no more problems, we can declare this PC clean.

Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point, concurrently deleting old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.

Security tips - highly recommended reading:

Maintenance tips:

Additional software that I personally use and install on all my clients' devices:

  • Malwarebytes' Anti-Malware (paid version highly recommended) - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent you from installing additional foistware, implemented in legitimate installations.
  • Adblock - to surf the web without annoying ads!
  • Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they're all up-to-date.

My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation.

Thank you!

Stay safe,

TwinHeadedEagle :)


Post-cleanup procedures completed without a hitch. Tips and software suggestions are welcomed.

 

Thirsty work, malware is. Perhaps a Kabinet or some other beverage of your choice might prove invigorating as you toil away on the next case?

 

Till next time ...


Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

