
Need help removing PUM.Homepage infection



  • Root Admin

Okay, please run the following. After it's finished and has rebooted then run Malwarebytes, check for updates and do a Threat Scan and post back that log.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


The PC had substantial latency today. I ran a full disk scan with McAfee, as well as scans with JRT, Adwcleaner and RogueKiller. McAfee and JRT found no problems. Adwcleaner reported the same issues (ask.com and aol.com) associated with Internet Explorer (since Chrome and Firefox are uninstalled), and Rogue Killer found PUM.Homepage and PUM.Searchpage. Logs from all scans are attached. (NB - I couldn't find an "Export Results" option in McAfee so I took a screen capture and saved it as a PDF).

2017.05.06 - 11.47.29 - RK Log.txt

2017.05.06 - 11.43.06 - AdwCleaner Log.txt

2017.05.06 - 10.02.43 - McAfee full scan of C.pdf

2017.05.06 - 02.36 - Malwarebytes full scan results.txt


  • Root Admin

Sorry for the delay @BillWasserman

Let me review these and see if we can manually verify these entries. The issue/concern is that it's possible that these keys are protected and / or that there is some type of software on the system that restores AOL 

I'll get back with you again later tonight.

Thanks

Ron

 


  • Root Admin

Can you open REGEDIT.EXE and then click through the path down to this path as reported by the scanners?

HKEY_USERS\S-1-5-21-2429143710-1806790246-2615280815-1001\Software\Microsoft\Internet Explorer\Main

Then let me know if you see something like this.

http://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextSelling&ssPageName=STRK:ME:LNLK:MESEX

 


  • Root Admin

Please start an Elevated admin command prompt and type in the following exactly as a single line and press the Enter key on the keyboard.

 

reg export  "HKEY_USERS\S-1-5-21-2429143710-1806790246-2615280815-1001\Software\Microsoft\Internet Explorer\Main"  "%USERPROFILE%\Desktop\ExplorerSettings.txt" /y

Then look on your desktop for a file named ExplorerSettings.txt and attach that to your next reply, please.

Thank you

 

Edited by AdvancedSetup

I carefully typed in the command you provided to a Command prompt run as an administrator. I received an error message. I repeated the command to make certain there were no typing errors - same results. See attached screen capture. The machine continues to behave oddly.

My sign-on uses my image from the webcam. This morning the PC told me to install a webcam. Directions please

 

 

2017.05.10 - Response to RegExport command.jpg


  • Root Admin

That key you posted does not match what I have above. See my post below. That is the key you should be able to copy/paste.

S-1-5-21-2429143710-1806790246-2615280815-1001

 

 

reg export  "HKEY_USERS\S-1-5-21-2429143710-1806790246-2615280815-1001\Software\Microsoft\Internet Explorer\Main"  "%USERPROFILE%\Desktop\ExplorerSettings.txt" /y

 

You should be able to select that entire line and copy it.

Please see this link on how to enable copy/paste to the command prompt

https://www.howtogeek.com/howto/25590/how-to-enable-ctrlv-for-pasting-in-the-windows-command-prompt/

 

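Added example, not part of the original posts and not Malwarebytes' or FRST's own code: a PowerShell sketch of the same check that resolves the SID instead of typing it by hand, lists the Internet Explorer home and search page values the scanners flag, and then runs the same reg export. It assumes the script runs as the affected account; the value names listed are the ones Internet Explorer stores under this key.

```powershell
# Added example: inspect the Internet Explorer homepage/search values for one
# user hive under HKEY_USERS, resolving the SID rather than typing it.

# Assumption: the affected account is the one running this script. If the
# elevated prompt runs as a different administrator, set $sid to the affected
# account's SID string instead.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$keyPath = "HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\Main"
$psPath  = "Registry::$keyPath"

if (-not (Test-Path -LiteralPath $psPath)) {
    # A mistyped SID ends up here: the key path simply does not exist.
    Write-Warning "Key not found: $keyPath"
    Write-Warning "Hives currently loaded under HKEY_USERS:"
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Select-Object -ExpandProperty PSChildName
    return
}

# Values Internet Explorer reads for its home and search pages.
$names = 'Start Page', 'Secondary Start Pages', 'Default_Page_URL',
         'Search Page', 'Default_Search_URL'

$main = Get-ItemProperty -LiteralPath $psPath
foreach ($name in $names) {
    $prop  = $main.PSObject.Properties[$name]
    # 'Secondary Start Pages' is multi-string, so join its entries for display.
    $value = if ($prop) { $prop.Value -join '; ' } else { '(not set)' }
    '{0,-22} {1}' -f $name, $value
}

# Same export as the reg.exe command in the post, using the resolved SID.
$out = Join-Path $env:USERPROFILE 'Desktop\ExplorerSettings.txt'
& reg.exe export $keyPath $out /y
```

If the values come back after being reset, compare the output before and after a reboot to confirm that something on the system is rewriting them.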

Scanned whole PC with McAfee - nothing found & no log. Scanned whole PC with Malwarebytes - nothing found and no log. Scanned whole PC with Malwarebytes yesterday - found PUP.Optional.Vulnerable DellSystemDetect (log attached). I've removed all Dell support apps save those that were included in the factory image. Scanned with JRT - nothing found. Scanned with Adwcleaner - found ask.com and aol.com which were associated with Internet Explorer. Scanned with RogueKiller - nothing found. I've attached all logs available from scans described previously.

The PC no longer communicates with the webcam (USB) or with the UPS (USB) but it does communicate with 2 optical drives in external cases with ON/OFF switches. Why isn't MS Office written as well as whatever has infected my PC?

2017.05.10 - MalwareBytes scan report.txt

2017.05.11 - 15.21.18 - AdwCleaner log.txt

2017.05.11 - 15.15.13 - JRT Log.txt

2017.05.11 - 14.46.41 - RogueKiller Log.txt


  • Root Admin

Odd that you'd just recently be getting the Dell threat found. That was over a year ago.

https://blog.malwarebytes.com/threat-analysis/2015/04/dell-system-detect-vulnerability-now-classified-as-a-pup/

So, go ahead and restart the computer one more time and let me know if there are any other issues left. The ASK pup should be gone unless some application you installed is putting it back.

 


This topic is now closed to further replies.