
Malware files detected, but how to truly get rid of them?


Solved by Maurice Naggar

Dear support,

I ask for help with the removal of two files that Malwarebytes has detected on my laptop. My laptop's performance became very slow, it was making random beeping sounds, and I saw that Task Manager says it is running at max memory even though I have almost no programs on my laptop. What Malwarebytes detected were two files called PUP.Optional.Spigot, and as a location it says HKU S-1-5-21 followed by other numbers. I noticed an extension, which I have removed, and I quarantined the two files. However, I still don't know if I have removed everything completely. Can you please help me out? Thank you so much, and I am waiting to hear from you!

Here I have posted the txt file from the scanning history:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/19/21
Scan Time: 10:32 PM
Log File: 9ff10eaa-4988-11ec-b65f-a01d48a8aed0.json

-Software Information-
Version: 4.4.11.149
Components Version: 1.0.1513
Update Package Version: 1.0.47385
License: Trial

-System Information-
OS: Windows 10 (Build 18363.1556)
CPU: x64
File System: NTFS
User: DESKTOP-97185F6\Krasimir

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 328336
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 12 min, 28 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.Spigot, HKU\S-1-5-21-925016652-2326629312-3528064532-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{489FE4AC-606D-4ED6-904A-7608BF46D063}, Quarantined, 145, 243431, 1.0.47385, , ame, , , 

Registry Value: 1
PUP.Optional.Spigot, HKU\S-1-5-21-925016652-2326629312-3528064532-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{489FE4AC-606D-4ED6-904A-7608BF46D063}|URL, Quarantined, 145, 243431, 1.0.47385, , ame, , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

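The two detections in the log above are a search-scope entry and its URL value under the user's hive. As an added example (not from this thread and not Malwarebytes' own tooling), the following PowerShell enumerates the Internet Explorer SearchScopes of every user hive currently loaded under HKEY_USERS and flags any scope whose URL does not point at an allowlisted search host, which is a quick way to confirm that no residual search-provider entries remain after a quarantine. The `$AllowedHosts` list and the function name `Get-SearchScopeFinding` are my own constructions; adjust the allowlist to the search engines you actually use.

```powershell
# Added example (mine, not from the thread or from Malwarebytes): list the
# SearchScopes of each loaded user hive under HKU and flag scopes whose URL
# host is not on a constructed allowlist. Run from an elevated PowerShell.

$AllowedHosts = @('www.bing.com', 'www.google.com', 'duckduckgo.com')   # constructed allowlist

# HKEY_USERS is not exposed as a PSDrive by default, so map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-SearchScopeFinding {
    # Only interactive user SIDs (S-1-5-21-...), not *_Classes hives or built-in accounts.
    # Caveat: only hives of users who are logged on (or otherwise loaded) appear under HKU.
    $sids = (Get-ChildItem -Path 'HKU:\').PSChildName | Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }

    foreach ($sid in $sids) {
        $scopesKey = "HKU:\$sid\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path -Path $scopesKey)) { continue }

        # DefaultScope names the GUID subkey that is the active search provider.
        $defaultScope = (Get-ItemProperty -Path $scopesKey -ErrorAction SilentlyContinue).DefaultScope

        foreach ($scope in Get-ChildItem -Path $scopesKey) {
            $props     = Get-ItemProperty -Path $scope.PSPath
            $url       = [string]$props.URL
            $scopeHost = $null
            if ($url) {
                try { $scopeHost = ([uri]$url).Host } catch { }   # malformed URL -> no host -> flagged
            }
            $suspicious = (-not $scopeHost) -or ($AllowedHosts -notcontains $scopeHost)

            [pscustomobject]@{
                Sid         = $sid
                ScopeId     = $scope.PSChildName
                DisplayName = $props.DisplayName
                Host        = $scopeHost
                Url         = $url
                IsDefault   = ($scope.PSChildName -eq $defaultScope)
                Suspicious  = $suspicious
            }
        }
    }
}

Get-SearchScopeFinding | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

# After reviewing the output, a confirmed leftover scope can be removed with:
#   Remove-Item -Path "HKU:\<SID>\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\<ScopeId>" -Recurse
```

Anything reported with `Suspicious = True` deserves a look at its `DisplayName` and `Url` before removal; a scope you added yourself for an internal search site will be flagged simply because its host is not on the allowlist, which is the intended behaviour of an allowlist check.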

Hello

In order to begin to help you properly, I will need a diagnostic report to review & diagnose.
Specifically, the FRST (Farbar) diagnostic report. It is safe to get & use.
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

Attach FRST.txt + Addition.txt with your reply. You may, if you wish, ZIP the 2 into a zip file & then attach that.
(Just please do not copy and paste their contents into the main body of the reply box here.)
 


Hello.

Thank you. I am listing here the next steps. Please do as many of them as you can.

[ 1 ]

As a next basic step, please make very, very sure to set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome, Edge, or any other web browser is closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner:

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

 


Dear Maurice,

Here I have attached the log. I have also enabled File Explorer to show all files, and some transparent temp files showed up.

The only thing that AdwCleaner found was a pre-installed piece of software by the name of preinstalled.lenovo.easy.camera from vimicro.corp, with its registered key. The program is asking me if I want to quarantine the file?

Let me know what you think!

cleanlog.txt


Dear Maurice,

So I have now deselected the lenovoeasycamera, while the 8 PUP legacy files still remained selected, and now AdwCleaner is telling me that all processes will be closed before quarantining the selected items, so the correct step is to press Continue, right?


Thank you! I also have a message from Windows that pops up frequently saying that the account password might have been changed, and it sends me to fix it in Shared Experiences in Settings. However, I am not the owner of this computer; it was my sister's boyfriend who gave it to me last year, so I do not have access to the Microsoft account itself. Should I warn him to check his account regularly for any activity that is not his own?

 


Try to get a screen-image-grab of that screen so I can see what it looks like.

>

Do keep in mind that we will run some other different scans later.

Next steps:

You need to uninstall 2 Adobe Flash apps because they are obsolete & no longer supported, nor recommended:
Adobe Flash Player 32 NPAPI 
Adobe Flash Player 32 PPAPI

1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
2. Type

appwiz.cpl

and tap Enter.
The Programs and Features window will appear.

3. Locate "Adobe Flash Player 32 NPAPI" on the list.

Do a right-click on it. Then choose Uninstall. Let it proceed.

4. Locate "Adobe Flash Player 32 PPAPI" on the list.

Do a right-click on it. Then choose Uninstall. Let it proceed.

5. Exit out of the Programs and Features app when completed.

>

We will use FRST64.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  DobyB27  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will clear the cache for Chrome browser & the EDGE browser.  It will look for leftover (if any) entries for Adobe Flash & remove them.

NOTE-2: This build of Windows 10 is out of support at Microsoft. Meaning, there needs to be (at some later point, action by someone) an update to the latest current release. This script will do a housecleaning to get Microsoft Windows Update in good shape. The current build on this machine is from Fall 2019.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder:

Fixlist.txt


Start Windows Explorer and then go to your Downloads folder.

RIGHT-click on FRST64.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the line "More info" on that screen
and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.

In later rounds, I will guide you to a couple of report requests & other scans.   Patience & persistence recommended.

I will check back as I can.  Simply keep in mind I am a volunteer & doing this as I get free time.


Dear Maurice,

Thank you so much for your help! I will perform these steps when I have some more time to follow the procedures. It was of utmost importance for me that the laptop is not under immediate malware threat, and with your help I really think it is all good for now! Thank you again and take care of yourself! I will keep the post updated.

With respect,

Doby 


Just to point out: the fix script can be started at, say, the end of the day when you are not needing to use the system otherwise.

You would start the run as outlined. Once you see it has started & is progressing, you can walk away and let it just run. When you get back, you should see the result message. Or, if Windows went into sleep mode, you would just log back on and then see.

Just making a suggestion to help this system along. It would not take much effort.

After you finish this, there would be a couple of other reports to get.


Good afternoon.  Thank you for the Fixlog.  The custom run is good.  The Windows System File Checker did not find any problem.  This machine should be in a much better state for future Microsoft Updates.

Let me have you run 2 reports.  These do not take a lot of time.

Download Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes / OK when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

[     2    ]

Now a readout report as to the update status of some key apps. I need this to get additional detail on the status of Microsoft Defender.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

  • If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that, and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

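FSS checks whether the core Windows security and maintenance services are present, how they are set to start, and where their binaries live. As an added example (mine, not Farbar's tool), the PowerShell below performs the same kind of check for the service groups listed above and summarises Microsoft Defender's state with the built-in `Get-MpComputerStatus` cmdlet. The expected start types in `$ExpectedServices` are my assumptions for a default Windows 10 installation, and the function names are my own; adjust the table to the build you are checking.

```powershell
# Added example (mine, not FSS itself): report state, start type and binary
# path of the services that cover firewall, Security Center, Windows Update,
# System Restore and Defender, so a missing, disabled or relocated service
# stands out. Expected start types are assumptions for a default Windows 10.

$ExpectedServices = @(
    @{ Name = 'MpsSvc';    Purpose = 'Windows Defender Firewall';           StartType = 'Automatic' }
    @{ Name = 'wscsvc';    Purpose = 'Security Center';                     StartType = 'Automatic' }
    @{ Name = 'WinDefend'; Purpose = 'Microsoft Defender Antivirus';        StartType = 'Automatic' }
    @{ Name = 'wuauserv';  Purpose = 'Windows Update';                      StartType = 'Manual' }
    @{ Name = 'BITS';      Purpose = 'Background Intelligent Transfer';     StartType = 'Manual' }
    @{ Name = 'VSS';       Purpose = 'Volume Shadow Copy (System Restore)'; StartType = 'Manual' }
    @{ Name = 'swprv';     Purpose = 'Software Shadow Copy Provider';       StartType = 'Manual' }
    @{ Name = 'Dhcp';      Purpose = 'DHCP Client';                         StartType = 'Automatic' }
    @{ Name = 'Dnscache';  Purpose = 'DNS Client';                          StartType = 'Automatic' }
)

function Get-ServiceHealth {
    # Win32_Service exposes the executable path, which Get-Service does not.
    $byName = Get-CimInstance -ClassName Win32_Service |
              Group-Object -Property Name -AsHashTable -AsString

    foreach ($e in $ExpectedServices) {
        $svc  = Get-Service -Name $e.Name -ErrorAction SilentlyContinue
        $info = $byName[$e.Name]
        $path = $null
        if ($info) { $path = $info.PathName }

        # A Windows service whose binary lives outside %SystemRoot% deserves a closer look.
        $pathOk = [bool]$path -and (($path -replace '"', '') -like "$env:SystemRoot\*")

        $status    = 'MISSING'
        $startType = $null
        if ($svc) { $status = $svc.Status; $startType = $svc.StartType }

        [pscustomobject]@{
            Service   = $e.Name
            Purpose   = $e.Purpose
            Status    = $status
            StartType = $startType
            Expected  = $e.StartType
            Path      = $path
            Issue     = (-not $svc) -or ("$startType" -ne $e.StartType) -or (-not $pathOk)
        }
    }
}

function Get-DefenderSummary {
    # Returns $null when the Defender module is unavailable (e.g. server core without it).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) { return $null }
    $mp | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                        AntivirusSignatureLastUpdated, AntivirusSignatureAge
}

Get-ServiceHealth | Format-Table -AutoSize
Get-DefenderSummary | Format-List
```

Rows with `Issue = True` are the ones to compare against the FSS.txt output: a `MISSING` status or a path outside the Windows directory is the kind of finding that warrants a repair, whereas a start-type mismatch may simply reflect a different Windows build or a third-party antivirus having taken over from Defender.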

Solution

Doing well, thanks.
The FSS report is good and normal. What follows are the items that you need to look at & ensure they have the latest update release (or, in a few cases, be uninstalled), as per the SecurityCheck:

WinRAR 5.70 (64-bit) v.5.70.0  Warning!  Download Update
Zoom v.5.7.7 (1105)  Warning!  Download Update

µTorrent v.3.5.0.43916  Warning!   Ad-supported P2P-client.

iTunes v.12.5.4.42  Warning!  Download Update
^Please use Apple Software Update tool.^

Mozilla Firefox (x64 en-US) v.94.0.1  Warning!  Download Update

Avast Secure Browser v.95.0.12827.70  Warning!  Download Update

Wondershare Helper Compact 2.6.0 v.2.6.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Skype Click to Call v.8.5.0.9167 Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.
 

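Both the Adobe Flash uninstall steps earlier in the thread and the SecurityCheck readout above come down to the same inventory: what is installed, at which version, and whether it should be updated or removed. As an added example (mine, not SecurityCheck's or FRST's code), the following PowerShell reads the same Uninstall registry keys that appwiz.cpl displays, flags products that should be removed outright, compares installed versions against a minimum-version table, and reports the Windows build. The `$ObsoletePatterns`, `$MinimumVersion` and `$MinSupportedBuild` values are constructed placeholders, as are the function names; fill the table in from each vendor's current release and Microsoft's lifecycle page before relying on it.

```powershell
# Added example (mine, not from the thread's tools): audit installed software
# from the Uninstall registry keys, flag obsolete products, compare versions
# against a constructed minimum table, and report the Windows build.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Wildcard DisplayName patterns of products with no supported release left (constructed list).
$ObsoletePatterns = @('Adobe Flash Player*')

# Constructed minimum-version table: wildcard DisplayName -> minimum acceptable version.
# These numbers are placeholders; take the real ones from each vendor.
$MinimumVersion = @{
    'WinRAR*'          = '6.0'
    'Zoom'             = '5.8.0'
    'iTunes'           = '12.12.0'
    'Mozilla Firefox*' = '95.0'
}

function ConvertTo-VersionSafe {
    param([string]$Text)
    # DisplayVersion is free text ("5.70.0", "12.5.4.42", "95"); keep the leading
    # dotted-number run and make sure [version] gets at least two components.
    if ($Text -match '\d+(\.\d+)*') {
        $v = $Matches[0]
        if ($v -notmatch '\.') { $v = "$v.0" }
        try { return [version]$v } catch { return $null }
    }
    return $null
}

function Get-InstalledProgram {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                Publisher       = $_.Publisher
                UninstallString = $_.UninstallString
                RegistryKey     = ($_.PSPath -replace '^.*::', '')
            }
        }
}

function Get-SoftwareFinding {
    foreach ($p in Get-InstalledProgram) {
        foreach ($pat in $ObsoletePatterns) {
            if ($p.Name -like $pat) {
                [pscustomobject]@{ Name = $p.Name; Installed = $p.Version
                                   Finding = 'Obsolete: uninstall'; Action = $p.UninstallString }
            }
        }
        foreach ($pat in $MinimumVersion.Keys) {
            if ($p.Name -like $pat) {
                $have = ConvertTo-VersionSafe -Text $p.Version
                $need = [version]$MinimumVersion[$pat]
                if ((-not $have) -or ($have -lt $need)) {
                    [pscustomobject]@{ Name = $p.Name; Installed = $p.Version
                                       Finding = "Below minimum $need"; Action = 'Update from vendor' }
                }
            }
        }
    }
}

function Get-WindowsBuildFinding {
    # $MinSupportedBuild is a constructed placeholder; set it from Microsoft's lifecycle page.
    param([int]$MinSupportedBuild = 19044)
    $cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuild
    $release = $cv.ReleaseId
    if ($cv.DisplayVersion) { $release = $cv.DisplayVersion }
    [pscustomobject]@{
        Build     = "$build.$($cv.UBR)"
        Release   = $release
        Supported = ($build -ge $MinSupportedBuild)
    }
}

Get-WindowsBuildFinding | Format-List
Get-SoftwareFinding | Format-Table -AutoSize
```

The `Action` column for an obsolete product is the registry `UninstallString`, which is what Programs and Features runs when you choose Uninstall; reviewing it first is worthwhile because bundled or ad-supported installers sometimes point it at their own updater rather than a clean uninstaller.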

Hello Doby.

You are very welcome. I am glad to have worked with you.

We can proceed with cleanup of tools we used.

To remove the FRST64 tool & its work files, do this: go to your Downloads folder, do a RIGHT-click on FRST64.exe, select RENAME, and then change it to

UNINSTALL.exe

Then run that (double-click on it) to begin the cleanup process.

Delete Fss.exe
Delete Securitycheck.exe

Adwcleaner you may keep and use as needed.
Any other download file I had you download, you may delete.
Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.