Invisible possible malware causing slowness, hanging, freezing

No new downloads but Mindspark returns after every scan (40 - 650 in 24 hours!). Webroot, Windows Defender and Malwarebytes Premium are all installed and appear to be working. No matter what is found and quarantined the PC still crawls, freezes and hangs. I am at my wit's end. Ran every scan including AdwCleaner (every day for 3 days) and Mindspark is still always returning. Please tell me if you can see anything in the attached files. I have no idea what more I can do as the end user. I also have no idea where or how Mindspark got in the first time but it absolutely is not leaving and it is the only suspect I could see.

Addition.txt

FRST.txt

Scan Log 10 20 17.txt

scan log 10 21 17.txt


Hello books.

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

Please re-run FRST with Administrator privileges and attach a new set of logs (FRST.txt and Addition.txt) for my review.

Thank you.

Rui


Dear Rui, Thank you for assisting me. I am attaching the new scan report. I did not think members of the forum should or would be working off the forum. Something that concerned me was an email from another "member" here; I did not follow up but it read as follows:

"2 members active in this conversation (including you)
books
Members
WolfRules
Members

general enquiry

Hi, I work independent of the forum solution people.

Follow all the options as per the below link.

I know you have tried some of the scans, but once again do all the steps one after the other as provided in the link and at the end reset your browser to default.

https://malwaretips.com/blogs/remove-pup-optional-mindspark/ 

Addition.txt

FRST.txt


Hello books.

The only members trained and authorized to provide help in malware removal here on the forum are the ones that are entered in one of the groups listed in this link:
Groups authorized to help with malware removal logs

Instructions given by members who do not belong to any of these groups are not authorized by the forum and as such should not be trusted.

Malwarebytes shall not be liable for damages caused by instructions from unauthorized sources and from outside the Malware Removal Forums at Malwarebytes.

Those situations should be ignored and reported to a Moderator in the forum.


Again, you did not run the Farbar tool with Administrator privileges.

To do that, right-click on the FRST64.exe file and select Run as administrator.
Then, click Yes to accept the User Account Control security warning that may appear.
The FRST tool will open; once the tool is open, just wait a few seconds so the tool can search for updates, and then press the Scan button and wait.
Then post the two new logs (FRST.txt and Addition.txt) for my review.

Be aware that you must be logged in as Administrator to run the tools. If you are not the Administrator of the computer just let me know.

Thank you.

Rui


Hello books and thank you for the logs.

I suggest printing out each set of instructions or copying them to a Notepad file, and reading the entire post before proceeding. It will make following them easier.

Please DO NOT run any tools on your own or make any other changes to your computer and follow the directions in the order listed, otherwise you can worsen the situation rather than solve it.

Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator).

Please run one scan at a time.

Even if your computer appears to be running better after performing a first set of instructions, it may still be infected as some infections are difficult to remove and can leave remnants on the System. Please consider it clean and safe only when I declare it free of malware.


With that being said let's start.


Please uninstall Chrome Media Router extension as it is known to track your computer's activity.
Instructions on how to remove an extension in Chrome here: https://support.google.com/chromebook/answer/2589434?hl=en


Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
    (screenshot of the Fix button; credits: Aura)
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;


Next,

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
    (screenshot of the AdwCleaner Clean button; credits: Aura)
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please attach that log in your next reply


Next,

  • Download Junkware Removal Tool (JRT) and move it to your Desktop
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Press on any key to launch the scan and let it complete
    (screenshot of the JRT console; credits: Bleeping Computer and Aura)
  • Once the scan is complete, a log will open. Please attach that log in your next reply


Next,

Please download Zemana Antimalware and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the UAC security warning that may appear.
  • Select the language and click the OK button.
  • Click the Next button, accept the EULA warning and follow the instructions to continue and install the program.
  • Once the installation is complete it will start automatically. Wait a few seconds until the update of signature database is complete.
  • Without changing any options, click Scan to begin.
  • After the short scan is finished, if threats are detected click Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your computer's Desktop and click the Save button.


Please attach the saved report in your next reply.


To summarize, please attach the following logs:
Fixlog.txt;
AdwCleaner clean log;
JRT.txt log;
Zemana log.

Let me know in detail how the system is running and what issues or concerns you are still experiencing on this computer.

Thank you.

Rui

fixlist.txt


I cannot seem to generate the fixlist.text. When I try to run as administrator I get what you see in the screen capture. I do have new scan text but cannot seem to get the fixlist.text; I cannot imagine what I am failing to do but so far have not got through step one of your instructions. I will try switching users and see if that works any better.

Capture Farbar.PNG


I am needing to copy the AdwCleaner text here, it will not save to the desktop! I can open the log files with the cleaner open but nothing will make it save to the desktop, though it says it is saved there! It is not there, so I cut and pasted it here before moving on to the next step. I still cannot generate a fixlist.text so am just enclosing the Farbar texts that were generated.

# AdwCleaner 7.0.3.1 - Logfile created on Wed Oct 25 16:52:45 2017
# Updated on 2017/29/09 by Malwarebytes
# Database: 10-17-2017.1
# Running on Windows 10 Pro (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [3645 B] - [2017/2/28 20:59:24]
C:/AdwCleaner/AdwCleaner[C2].txt - [1814 B] - [2017/3/29 4:29:11]
C:/AdwCleaner/AdwCleaner[C3].txt - [2182 B] - [2017/3/29 19:11:36]
C:/AdwCleaner/AdwCleaner[S0].txt - [3519 B] - [2017/2/28 20:50:19]
C:/AdwCleaner/AdwCleaner[S10].txt - [1993 B] - [2017/10/19 17:1:0]
C:/AdwCleaner/AdwCleaner[S11].txt - [1941 B] - [2017/10/22 21:15:26]
C:/AdwCleaner/AdwCleaner[S12].txt - [2176 B] - [2017/10/23 3:39:39]
C:/AdwCleaner/AdwCleaner[S13].txt - [2035 B] - [2017/10/23 4:55:58]
C:/AdwCleaner/AdwCleaner[S14].txt - [2104 B] - [2017/10/24 14:42:58]
C:/AdwCleaner/AdwCleaner[S15].txt - [2174 B] - [2017/10/25 16:49:5]
C:/AdwCleaner/AdwCleaner[S1].txt - [1882 B] - [2017/3/29 4:27:39]
C:/AdwCleaner/AdwCleaner[S2].txt - [1622 B] - [2017/3/29 19:10:23]
C:/AdwCleaner/AdwCleaner[S3].txt - [1577 B] - [2017/3/29 21:9:18]
C:/AdwCleaner/AdwCleaner[S4].txt - [1970 B] - [2017/7/24 16:59:43]
C:/AdwCleaner/AdwCleaner[S5].txt - [1485 B] - [2017/8/4 21:6:10]
C:/AdwCleaner/AdwCleaner[S6].txt - [3240 B] - [2017/10/16 19:55:12]
C:/AdwCleaner/AdwCleaner[S7].txt - [2708 B] - [2017/10/16 20:18:47]
C:/AdwCleaner/AdwCleaner[S8].txt - [2777 B] - [2017/10/16 20:22:12]
C:/AdwCleaner/AdwCleaner[S9].txt - [2449 B] - [2017/10/16 20:54:37]


########## EOF - C:\AdwCleaner\AdwCleaner[S16].txt ##########

Addition.txt

FRST.txt


I have followed your instructions to the very best of my ability. I finally figured out why I could not see the text files I was saving to the desktop. There seemed NO POSSIBLE WAY to generate a fixlist.text and at no time could I generate a "fix has been completed" message. The text docs were saving on the OTHER user desktop and I am now sending them all in order. There were some things I did not understand as follows: NYAS.png, Spcusrh.pngRun, V7SD4EI.png, tLsXbWy.png (I never saw anything with those code letters or the affixed .png extension
I hope that in spite of that, I have done things correctly!

Addition.txt

FRST.txt

AdwCleaner[S16].txt

JRT.txt

2017.10.25-Zemana.txt


P.S. It would appear that the computer is now clean. I will be working on it and hope that all the bugs and PUPs stay gone. To date, I have used all of the tools you recommended but within 24 hours it was chock-a-block full of "Mindspark pups, pums and crap. I will not know if it is staying clean for a few hours BUT I expect the changes made to Google Chrome will be the biggest difference! Thank You for your time and attention!


Hello books and thank you for the logs. They are clean. Yet, that does not mean that your computer is clean and malware free.

There is some more work to do yet. You did not run the fix with the Farbar tool yet. You need to do it.


1 hour ago, books said:

There were some things I did not understand as follows: NYAS.png, Spcusrh.pngRun, V7SD4EI.png, tLsXbWy.png (I never saw anything with those code letters or the affixed .png extension

Okay, please go to VirusTotal and submit, one at a time, those files for an online scan and post the correspondent links to the detection results in to your next reply.


Now let's run the fix with the fixlist.txt script file that I attached in my previous post.

To do that just move FRST.exe from the Downloads folder to your computer Desktop.
Download the fixlist.txt file attached in my previous post and save it to you computer Desktop.
Re-run FRST with Administrator privileges and click the Scan button;
Wait a few seconds until the fix is complete;
It will open a Notepad file with the name Fixlog.txt;
Please attach that file in your next reply.


Since you already ran the other tools that I asked you to in my previous post, please proceed as follows:

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on and leave all other settings to default.
  • Go back to DashBoard and select the blue Scan Now tab; Note: The scan may take some time to finish, so please be patient.
  • When the scan completes, if potential threats are detected, ensure to check-mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.

Please attach the log in your next reply.


Next,

Please download RogueKiller_portable64.exe by Tigzy and save it to your computer Desktop.

  • Now close all programs and browsers and disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the file RogueKiller_portable64.exe and select Run as administrator to start the tool.
  • Click Yes to accept any security warnings that may appear.
  • Click the Start Scan button.
  • Wait until the scan has finished. Note: This scan may take some time to complete;
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer Desktop.
  • Close RogueKiller.


Please copy and paste the contents of RKlog.txt to your next reply.


To summarize, in your next reply please attach the following logs:
Fixlog.txt;
Malwarebytes log;
RogueKiller log (RKLog.txt).

And the links corresponding to the results of scanning those *.png files at VirusTotal.

Also let me know if the MindSpark popups still remain.

Thank you.

Rui


Clarification Please: Okay, please go to VirusTotal and submit, one at a time, those files for an online scan and post the correspondent links to the detection results in to your next reply.

I'm not clear about what you are telling me to do here: Are you Talking about the lines of the text reports from those scans you had me run?


31 minutes ago, books said:

I'm not clear about what you are telling me to do here: Are you Talking about the lines of the text reports from those scans you had me run?

No! I'm talking about those files with extension .png that you mentioned in your previous post. I would like to know if they are legitimate.

This:

2 hours ago, books said:

There were some things I did not understand as follows: NYAS.png, Spcusrh.pngRun, V7SD4EI.png, tLsXbWy.png (I never saw anything with those code letters or the affixed .png extension

Upload those files (one at a time) to VirusTotal. Click the Upload and scan file button and post the link from each result.

Then proceed with the rest of the instructions.


2 hours ago, books said:

There were some things I did not understand as follows: NYAS.png, Spcusrh.pngRun, V7SD4EI.png, tLsXbWy.png (I never saw anything with those code letters or the affixed .png extension

It's OK, I just clued in! When I copied your instruction post to Notepad, those were the notations for the pictures you posted, which, of course, Notepad does not copy BUT it did note where they had been in the text.


Hi Rui, OK, I have done all that you recommended but STILL FAIL to generate the fixlist.txt script and I did do it from the Desktop and again I am sending the screenshot of the result. Though it said there is such a file in the folder/directory where the tool is, I can find no trace. All other reports are attached here.

Addition.txt

FRST.txt

MWBS.txt

Rogue Killer.txt

Capture Fixlist text.PNG


Hello,

Okay, please tell me:

Did you download the fixlist.txt file that I attached at the bottom of this post: https://forums.malwarebytes.com/topic/213131-invisible-possible-malware-causing-slowness-hanging-freezing/?tab=comments#comment-1175826. If so, where did you save it?

Sorry, now I feel pretty stupid. I thought Farbar would generate that Fixlist.txt. I am really sorry for being so dense! I did not download that file prior to downloading Farbar. I will do so now! I am assuming the original Farbar download will work with that file. I should have the proper files supplied to you shortly. THANK YOU SO MUCH FOR YOUR PATIENCE!!


It's alright. Download the fixlist.txt file to your computer Desktop and re-run FRST.

Then press the Scan button and attach the produced log (Fixlog.txt).

How are the MindSpark popups? Do they keep popping up?


Good job!


That's alright. It is not stupid to ask questions if you don't know something or if something is unclear. It's a smart attitude, not a stupid one.


Next,

Read the instructions in the following links and clear the cache, cookies and history of all Internet browsers:

Internet Explorer
https://kb.wisc.edu/page.php?id=15141

Mozilla Firefox
https://kb.wisc.edu/helpdesk/page.php?id=17504

Google Chrome
https://support.google.com/accounts/answer/32050?hl=en


Next,

Read the instructions in the following links and reset all Internet browsers settings to default:

Internet Explorer
https://support.microsoft.com/en-us/kb/923737

Mozilla Firefox
https://support.mozilla.org/en-US/kb/reset-preferences-fix-problems

Google Chrome
https://support.google.com/chrome/answer/3296214?hl=en


Now please perform one last scan to search for leftovers of infection using the Sophos Virus Removal Tool.

The Sophos Virus Removal Tool scans the following areas of your computer:

Memory, including system memory on 32-bit (x86) versions of Windows;
The Windows registry;
All local hard drives, fixed and removable;
Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool creates a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.

  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.


Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log

Please post the contents of the log in your next reply and let me know how the computer is behaving at this point.


So far so good! The problem was not pop-ups. Whatever it had installed was dragging everything on the machine to a crawl or else forbidding anything to be opened, and sometimes a reboot would work and sometimes not. All documents, spreadsheets and browsers are opening in what appears to me to be a normal fashion, now. Thank you so much for the help!


Does Sophos take a long time? It's running now but the progress bar is really moving slowly. I am on another machine while it does its scan. I am assuming it is a slower scan than any of the others, is this correct? Also the machine we have been working with has 2 accounts, "User" and administrative. It is the user account we work on because it has (Unbelievably!) more freedom. When they changed us over from Windows 7 to Windows 10, this was the way MS set it up. SO, do I need to go into the other account to clean and reset the browsers there as well? I am thinking the answer is likely yes, even though we never work in the "Administrator" side of that machine.


Hello books.

Sorry for the delay. It's due to the Time Zone.


8 hours ago, books said:

Does Sophos take a long time? It's running now but the progress bar is really moving slowly. I am on another machine while it does its scan. I am assuming it is a slower scan than any of the others, is this correct?

Yes, it is a very thorough scan and it can take several hours to complete, depending on the number of programs and files installed on the computer.

8 hours ago, books said:

do I need to go into the other account to clean and reset the browsers there as well? I am thinking the answer is likely yes, even though we never work in the "Administrator" side of that machine.

The most important thing is that all tools must be running with Administrator privileges and I see in your last logs that you have been running the tools within the Administrator account:

==================== Accounts: =============================

acer (S-1-5-21-4003829262-2848994777-1340562341-1000 - Limited - Enabled) => C:\Users\acer
Administrator (S-1-5-21-4003829262-2848994777-1340562341-500 - Administrator - Enabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-4003829262-2848994777-1340562341-503 - Limited - Disabled)
Guest (S-1-5-21-4003829262-2848994777-1340562341-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4003829262-2848994777-1340562341-1011 - Limited - Enabled)


Fix result of Farbar Recovery Scan Tool (x64) Version: 26-10-2017
Ran by Administrator (25-10-2017 19:30:10) Run:1
Running from C:\Users\Administrator\Desktop
Loaded Profiles: acer & Administrator (Available Profiles: acer & Administrator)
Boot Mode: Normal
==============================================


Just keep working on that account.


Now, please clear the cache and cookies and reset ALL Internet browsers.


Has the Sophos scan finished already? If so, can you post the contents of the log? It is located here:

C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log


Thank you.

Rui

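Rui's recurring point in this thread is that every tool has to run with Administrator privileges, and he confirms it from the FRST Accounts section (the SID suffix -500 is the built-in Administrator, -1000 the limited "acer" account). As an added PowerShell example, not code from the thread, from Malwarebytes or from any of the tools named above, the script below reports the same things from the command line: which account the session runs as, whether it holds an elevated token, and the local accounts with their SIDs and roles. It assumes Windows 10 with the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, Get-LocalGroupMember) and the default English group name "Administrators".

```powershell
# Added example (not from the forum thread): show the current account, whether
# this session is elevated, and the local accounts with SIDs and roles.
# Assumes Windows 10 with Get-LocalUser / Get-LocalGroupMember available and
# the English local group name "Administrators".

$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Output "Running as: $($identity.Name)"
Write-Output "Elevated:   $isElevated"
if (-not $isElevated) {
    # Being a member of Administrators is not enough under UAC; the process
    # itself must be started with "Run as administrator" to get the full token.
    Write-Output "Not elevated: right-click the tool (or PowerShell) and choose 'Run as administrator' before scanning."
}

# SIDs (as strings) of every member of the local Administrators group.
$adminSids = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               ForEach-Object { $_.SID.Value })

# One row per local account. The last SID component is the RID: 500 is the
# built-in Administrator, 501 Guest, 503 DefaultAccount; 1000 and up are
# accounts created after setup (like "acer" in the FRST log quoted above).
Get-LocalUser | ForEach-Object {
    $sid = $_.SID.Value
    $rid = [int]($sid.Split('-')[-1])
    if ($rid -eq 500) {
        $role = 'Built-in Administrator'
    } elseif ($adminSids -contains $sid) {
        $role = 'Member of Administrators'
    } else {
        $role = 'Limited (standard user)'
    }
    [pscustomobject]@{
        Name    = $_.Name
        RID     = $rid
        Enabled = $_.Enabled
        Role    = $role
        SID     = $sid
    }
} | Sort-Object RID | Format-Table -AutoSize
```

Run it from the PowerShell prompt of the account you intend to scan from; the first two lines tell you immediately whether the session is elevated, which is the check the user in this thread was missing when FRST kept running without Administrator privileges.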

This topic is now closed to further replies.