
Need help removing PUM.Homepage infection



My Windows 10 PC has been running slow and, at times, doing strange things - telling me Chrome is unresponsive when I click on a link in email (when Chrome is working well) and occasionally attempting to connect with www.invokefun.com which McAfee blocks and reports as a "bad" site. Scans with McAfee, MalwareBytes and JRT report no problems. Scan with AdwCleaner finds and removes ask.com and aol.com LOG FILE entry "Chrome pref Found:  [C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com". Scan with RogueKiller finds and removes PUM.Homepage BUT repeat scans after using the PC again find PUM.Homepage.

I realize I'm unable to fix this problem on my own and appeal for help from the experts. Thanks, in advance, for reading this post and reaching out to me. 


Hello BillWasserman and welcome to the Forums.

Please read the content of the topic I'm infected - What do I do now?, perform a scan with FRST and attach the two logs (FRST.txt and Addition.txt) for review.

We need to see those logs in order to help you.

Thank you.

Android8888


The instructions aren't clear as to whether the files should be attached to a reply to your message or the new topic. Accordingly, I'm posting them as an attachment here and will post them as an attachment to the new post created from the link in "I'm infected - What do I do now?". I'm at my volunteer gig this morning until 2PM EST and will wait to hear from you before doing anything else.

Thank you for your help. 

Addition.txt

FRST.txt


Hello BillWasserman.

I apologize for the late reply. I have been very busy and I am in a different time zone so I will ask you to be patient. Even so I will try to be as quick as possible in my answers. Thank you for your understanding.

 

18 minutes ago, BillWasserman said:

I can not find the new post I made.

Your post was merged with this one. Please do not duplicate topics since that can be confusing for others who may think that you are still not being assisted.

 

 

40 minutes ago, BillWasserman said:

Additionally, the MalwareBytes service is now unable to start. 

Please try the instructions in the link below to uninstall and re-install Malwarebytes and see if that solves the problem.

https://forums.malwarebytes.com/topic/200226-unable-to-startunable-to-connect-to-service/#comment-1121308

 

Okay, for the McAfee issue about the "bad" site message, please read the following link and see if that can help you. As far as I know that site does not have malicious content, so you need to add an exclusion for it to your McAfee Antivirus.
How to exclude URL from On-Access Scan

 


Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
    Credits: Aura
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the fixlog.txt in your next reply;


Please clear the browsing data cache and history of Google Chrome:
How to delete your browsing history


Please reset your Google Chrome browser:
How to reset Chrome settings to default


Next,

I will ask you to re-run RogueKiller with the instructions posted below. NOTE: DO NOT remove any entries it finds. They are all not bad and need to be analyzed carefully.

  • Close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.
  • Please attach the RKlog.txt to your next reply.


To summarize please attach in your next reply the following logs for my review:
fixlog.txt;
RKlog.txt.

Thank you.

fixlist.txt


Attached, per your directions, are the logs from RogueKiller Fix (RKLog.txt)  and FRST (Fixlog.txt). I'm aware that you live several time zones distant from me and rather than being impatient, I'm frightened by what's happened despite my best efforts to be careful. Furthermore, I'm in awe of your computing skills and prowess and thoroughly grateful for your help. If anything I've written has seemed to the contrary, please accept my most sincere apologies. 

The uninstall/reinstall of MalwareBytes seems to have worked - no messages reporting "MalwareBytes Service Can't Start" have appeared and the MalwareBytes Service is reported to be running in the Services app. RogueKiller has an update available - can I allow it to be installed or should I wait until your work on this PC is completed?

2017.05.01-RKlog.txt

Fixlog.txt


Hello BillWasserman.

 

5 hours ago, BillWasserman said:

Furthermore, I'm in awe of your computing skills and prowess and thoroughly grateful for your help. If anything I've written has seemed to the contrary, please accept my most sincere apologies.

You are very welcome and thank you for providing me those logs. :)


Please tell me, have you cleared the browser cache/history and reset the settings to default on Chrome?


RogueKiller has an update available - can I allow it to be installed or should I wait until your work on this PC is completed?


Okay, just leave RogueKiller for now and proceed with the instructions below.


Next,

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator;
  • Press on any key to launch the scan and let it complete;
    Credits: Bleeping Computer and Aura
  • Once the scan is complete, a log will open. Please attach that log in your next reply;


Next,

  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
    Credits: Aura
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please attach that log in your next reply;


Next,

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on and leave all other settings to default.
  • Go back to DashBoard and select the blue Scan Now tab; Note: The scan may take some time to finish, so please be patient.
  • When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  • Please attach the log in your next reply.


In your next reply please attach:
The JRT.txt log;
The AdwCleaner clean log;
The Malwarebytes log.

Please tell me in detail what issues you are still having with the computer at this point.

Thank you.


Yes, I've followed your instructions to the "T". Chrome browser history is deleted from all time and cache is completely cleaned. JRT, Adwcleaner and MalwareBytes (complete) scan run - logs are attached. 

I suspect other PCs on our home network may have been compromised as well. I presume I need to test with MalwareBytes, JRT, Adwcleaner & RogueKiller. If PUM.Homepage is found I think I should open a new ticket. Are my assumptions correct?

AdwCleaner[C0].txt

JRT.txt

MalwareBytes export summary.txt


1) This AM upon startup MalwareBytes generated a pop-up informing me my PC wasn't completely protected. I opened the program and discovered that Exploit Protection was not turned on. A click on the "enable protection" button of the pop-up corrected the situation.

2) MalwareBytes Anti-Exploit was largely missing. I reinstalled and it found my activation number without input from me. 

3) When I checked the status of a shipment on the China Post website MalwareBytes generated a pop-up reporting an outbound attempt to contact a website was blocked. I've exported the three (3) reports from MalwareBytes and have attached them to this email. 

2017.05.03 - Protection Report-MalwareBytes website block #2.txt

2017.05.03 - Protection Report-MalwareBytes website block #3.txt

2017.05.03 - Protection Report-MalwareBytes website block.txt


I seem to be right back where I started. Re-booted PC - was advised MalwareBytes service won't start. Will uninstall and reinstall, but that won't solve the problem. Ran scans with JRT, Adwcleaner and RogueKiller. JRT found nothing, Adwcleaner again found ask.com and aol.com in the same (Chrome start) place as before and RogueKiller found PUM.Homepage again. MalwareBytes reported it blocked three (3) outbound attempts to contact a web site. I put the reports out to file and am appending them to this message. 

2017.05.03 - Protection Report-MalwareBytes website block #2.txt

2017.05.03 - Protection Report-MalwareBytes website block #3.txt

2017.05.03 - Protection Report-MalwareBytes website block.txt


Hello BillWasserman.

I apologize for the delay in responding.

Please wait for further instructions as I will need to check further your logs.

I will be back soon as I can.

Thank you.

Rui


  • Root Admin

Hello Bill - @BillWasserman

Rui - @Android8888 has asked me to take a look and see if I can assist you getting your system working well with Malwarebytes.

I see you have a task set to run Norton Identity Safe but I don't see that Norton is still installed anymore. Do you still use it in any way? If not then we should remove it.

There are a few errors in the logs including ones indicating the Windows Search Service potentially has a corrupted index file.

Make sure you backup the Registry or create a new System Restore point before making changes to the registry. If you open REGEDIT.EXE and browse to the
following location:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search
Look for this key: SetupCompletedSuccessfully  and reset it to 0

If you set that value to 0, and then reboot, Windows will reset the search index back to default values, and then create your index. This includes putting all of the default index locations back as well. So, this must be the same as doing a "factory reset" for the Search Index.

You have code integrity errors that could be due to disk controller or hard drive issues, or it could be that security software is possibly blocking or helping to cause this issue. It's best you run a Full disk check to make sure there are no errors on the hard drive. Running the script below will try to invoke the disk check for you on restart.

 

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Once that's done please post back the logs. Then run the following.

Please read the following topic and then run the Malwarebytes Clean Removal tool mb-clean, but DO NOT allow the removal tool to download and install Malwarebytes for you. Say no.

The download link for the tool is:  https://downloads.malwarebytes.com/file/mb_clean

Then after the computer restarts go here and get the latest beta version of Malwarebytes and download it to your computer and install it, activate it, and update it.

NEW BETA!  Malwarebytes 3.1.0.1716
https://forums.malwarebytes.com/topic/200230-new-beta-malwarebytes-3101716/

Then restart the computer again and let me know if the Protection Modules are now loading.

 

Thank you

Ron

 

 


Hi Ron & Android8888, 

I updated the Registry Key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search - SetupCompletedSuccessfully to O as you instructed. I then rebooted and ran the script you provided in FRST. I've renamed the FixLog.txt to 2017.05.04 - FixLog.txt to minimize the chances for submitting the wrong file. The log is attached to this note. When I rebooted the PC it did a full disk check which took about 2.5 hours. Throughout the check Windows informed me that 10% of the job was completed. Although I know that Windows generally does a poor job of reporting the percentage complete of most jobs and understand that a full disk check is a lengthy process I was worried after 2 hours. I began a long plaintive note outlining the possibilities and seeking advice on my tablet. By the time I was done the job was done as well - BIG RELIEF. 

I've downloaded and run the Malwarebytes Clean Removal tool and rebooted the PC. The Clean Removal tool created a log which I'm sending in case it's useful. I then downloaded the Malwarebytes Beta (which was 3.1.1.1722 rather than 3.1.1.1716) and installed it and entered my software key. I observe that MalwareBytes Anti-Exploit has vanished from my PC - I'm not particularly distressed as: 1) It was of no help preventing PUM.Homepage from infecting my PC & 2) It's not especially costly if you recommend I replace it and my software key no longer works. 

I also wiped the total history from Chrome although you didn't tell me to do that. I've searched for Norton Identity Safe - it's not present. I looked through Task Manager and found no Norton Identity Safe tasks after scrolling through all pages twice - is there another place where I should look? 

I'll wait to hear from you and continue to delay installing the few applications I didn't get to when setting up the PC late last month. Thanks, again, for your help. 

 

bill

2017.05.04 - Fixlog.txt

2017.05.04 - mb-clean-results.txt


  • Root Admin

Hi Bill,

The Anti-Exploit and Anti-Ransomware are both built-in to Malwarebytes 3 now.

Is the PUM.homepage hijack still there or has it been corrected now?

Are all the protection modules loading for Malwarebytes? Any issues with the new version?

 


The PC seems to be running well - little, if any latency. The beta-Malwarebytes loads, updates and runs as I believe it should. May I run scans with:

1) Malwarebytes?

2) JRT?

3) Adwcleaner?

4) RogueKiller?

     4a) May I update to the newest version of RogueKiller? 

I've learned it's best to follow your instructions to the "T", and minimize use of PC until certain of full cleansing. Please advise. 


MalwareBytes beta installed w/o any issues and is running correctly. I checked the Services app & MalwareBytes service is running. Performed Threat Scan with MalwareBytes - nothing found. Performed scan with JRT - no issues reported. Performed scan with Adwcleaner - found the usual suspects - aol.com & ask.com in the usual places. Performed scan with updated version of RogueKiller - reported finding and removing PUM.Homepage. All scans were run as Administrator. All logs are appended to this note. 

I will perform the same scans again later in the day to determine if what was found was the remnants of the infection problem or if it persists. 

2017.05.05 - RogueKiller Log.txt

2017.05.05 - Adwcleaner Log.txt

JRT.txt

2017.05.05 - Malwarebytes Log.txt


Hi Advanced Setup

I've run another set of scans and received disappointing results. Specifically, I began with JRT which found no problems. Next I ran AdwCleaner which again found ask.com and aol.com in the AppData folders for Chrome. I then ran RogueKiller which again found and reportedly removed PUM.Homepage. A scan of the entire PC with Malwarebytes Beta was next - nothing suspicious was found. I re-ran RogueKiller which (sadly) found PUM.Homepage. All logs with positive findings are attached for your consideration. 

On the chance it will help I will rerun FRST64 and post that log for your review as well. I look forward to hearing from you about what to do next. Thanks, as always and in advance for your consideration and response. 

 

bill

2017.05.05 15.22.15 - RogueKiller Log.txt

2017.05.05 13.59 - Malwarebytes full scan log.txt

2017.05.05 -13.19.53 - RogueKiller Log.txt

2017.05.05 13.08.58 PM EST- Adwcleaner Log.txt

2017.05.05 13.08 PM EST- Adwcleaner Log.txt


  • Root Admin

These scanners cannot fully fix some settings in Chrome. You also need to fully disable, clean Chrome. Please save, export your Chrome bookmarks, disable or clear your Sync data with Chrome. Then uninstall Chrome. Reboot, do not reinstall Chrome.

Then run a new FRST scan and post back both new logs.

Thanks

Ron
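
The AdwCleaner finding that keeps returning in this thread points at Chrome's `Web data` file, which is a SQLite database. As an added example (not part of any post in this thread and not code from AdwCleaner or Malwarebytes), this Python script opens a copy of that file read-only and lists the search-engine rows that reference the reported domains. The `keywords` table, its four selected columns, and the reading of a nonzero `prepopulate_id` as "shipped with the browser" are assumptions about Chrome's schema; the sample database and its rows are constructed.

```python
import sqlite3
from pathlib import Path
from urllib.parse import urlsplit

WATCHED = ("ask.com", "aol.com")  # domains AdwCleaner reported in this thread


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_keywords(db_path, watched=WATCHED):
    """List search-engine rows that reference a watched domain.

    Assumes Chrome's `keywords` table with the columns selected below.
    The file is opened read-only; use a copy taken while Chrome is closed.
    """
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT short_name, keyword, url, prepopulate_id "
                           "FROM keywords ORDER BY id").fetchall()
    finally:
        con.close()

    findings = []
    for short_name, keyword, url, prepopulate_id in rows:
        try:
            url_host = urlsplit(url or "").hostname
        except ValueError:  # malformed template URL
            url_host = None
        hit = next((d for d in watched
                    if host_matches(keyword, d) or host_matches(url_host, d)), None)
        if hit:
            findings.append({
                "domain": hit,
                "name": short_name,
                "url": url,
                # Assumption: nonzero prepopulate_id = entry shipped with the browser.
                "shipped_with_browser": bool(prepopulate_id),
            })
    return findings


def build_sample_db(path):
    """Create a constructed stand-in for `Web data` (column subset, made-up rows)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE keywords (id INTEGER PRIMARY KEY, short_name TEXT,"
                " keyword TEXT, url TEXT, prepopulate_id INTEGER DEFAULT 0)")
    con.executemany(
        "INSERT INTO keywords (short_name, keyword, url, prepopulate_id) VALUES (?,?,?,?)",
        [("Google", "google.com", "{google:baseURL}search?q={searchTerms}", 1),
         ("Ask", "ask.com", "https://www.ask.com/web?q={searchTerms}", 4),
         ("AOL", "aol.com", "https://search.aol.com/aol/search?q={searchTerms}", 35),
         ("Ask (added later)", "ask.com_", "http://search.ask.com/web?q={searchTerms}", 0)])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    import os
    import tempfile
    sample = build_sample_db(os.path.join(tempfile.mkdtemp(), "Web Data"))
    for finding in audit_keywords(sample):
        print(finding)
```

Rows reported with `shipped_with_browser` set to false are the ones worth reviewing by hand, since they were added after installation.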

 


  • Root Admin

Again, make sure you do not reinstall Chrome as it often will try to reinstall.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the reset sync button and click on the button
At the prompt click on Ok.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please


OK - All Chrome data's been expunged from both Local Machine and my Google account. Chrome's been uninstalled from my PC. NB - Windows reported an issue with Chrome that caused problems uninstalling it. I used Revo Uninstaller Pro which, IMO, does a most thorough job of removing unneeded/unused registry keys, folders, etc.

Reran FRST64 and labeled log files with date and time to reduce likelihood of errors in selecting files, and will upload them as attachments to this note.

2017.05.05 - 17.04 - .FRST.txt

2017.05.05 - 17.04 - Addition.txt


I've uninstalled Firefox and don't plan to re-install it. I expunged all Chrome data from the local machine and from my Google account and reset Chrome to factory defaults prior to uninstalling it. I will await your instructions before I reinstall it. I've cleared all browsing history and restored to factory defaults in both Internet Explorer (which I dislike) and Microsoft Edge (which I despise).


This topic is now closed to further replies.