
Thread: Possible Virus: Help Appreciated

  1. #1 Member

    Possible Virus: Help Appreciated

    Hi everyone,

    Here I am again trying to help my dad with his problem PC.

    Please find logs attached; any help would be appreciated.

    Many thanks.

    Daniel.

  2. #2 Juliet (Security Expert-emeritus)

    Running from C:\Users\Alan\Downloads

    It's best we move Farbar's to desktop.

    Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
    Go to an open spot on your desktop, right click and select PASTE
    You should now have Farbar Recovery Scan Tool on your desktop.


    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do not use Wordpad or any other text editor than Notepad, or the script will fail.* Copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad window and save it to the Desktop as fixlist.txt.
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)





    start
    CloseProcesses:
    SearchScopes: HKLM -> {31090377-0740-419E-BEFC-A56E50500D5B} URL = http://speedial.com/results.php?f=4&q={searchTerms}&a=spd_dsites02_14_23_ie&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCyD0FtAyD0AtBtByDzztDtN0D0Tzu0SzzzzzytN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StD0E0C0F0A0D0AtCtG0BtCyEtBtGyDtDyEzytGyCtDyDyBtGtDzz0Azy0C0BzyyB0AtBtD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0DtB0EyE0F0C0EtGyC0BtDtAtGyDtD0FyDtGtByByD0AtGyD0D0AyDyE0ByBtAtC0Dzz0C2Q&cr=1833245417&ir=
    C:\Users\Alan\AppData\Local\Temp\13-9-legacy_vista_win7_32_dd_ccc_whql.exe
    C:\Users\Alan\AppData\Local\Temp\IrsoDLL.dll
    C:\Users\Alan\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
    C:\Users\Alan\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
    C:\Users\Alan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Users\Alan\AppData\Local\Temp\jre-8u40-windows-au.exe
    C:\Users\Alan\AppData\Local\Temp\nsg1BA8.tmp.exe
    C:\Users\Alan\AppData\Local\Temp\optprosetup.exe
    C:\Users\Alan\AppData\Local\Temp\Quarantine.exe
    C:\Users\Alan\AppData\Local\Temp\ReimagePackage.exe
    C:\Users\Alan\AppData\Local\Temp\ReiSysUpdate.exe
    AlternateDataStreams: C:\ProgramData\TEMP:373E1720
    EmptyTemp:
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~~~~~~

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
    • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    please post
    Fixlog.txt
    C:\AdwCleaner.txt
    JRT.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3 Member

    Possible Virus: Help Appreciated

    Hello Juliet,

    Thank you, for your help.

    I had difficulty running Farbar at first; it just kept 'not responding'. I had noted that the computer was having difficulty running Windows file explorer; it takes a long time to find the files in a location, the green progress bar just sits at the top.

    Farbar was moved to the desktop and the logs are attached.

    Thanks again.

    Daniel.

  4. #4 Juliet (Security Expert-emeritus)

    Since running those tools are you seeing any improvements?

    At times, Norton Internet Security can bog down a machine but, not sure in this case. How long have you had it on the machine and has it had problems running in the past?
    If I read the virus definition log correct, it might also need updating.

    ~~~~~~~~~~~~~
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
    • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
    • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
    • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
    • You will be prompted to update Malwarebytes...click on the Update Now button.
    • The THREAT SCAN will automatically begin.
    • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
    • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
    • After rebooting the computer, copy and paste the mbam.log in your next reply.

    To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
    • Open Malwarebytes Anti-Malware.
    • Click the History Tab at the top and select Application Logs.
    • Select (check) the box next to Scan Log. Choose the most current scan.
    • Click the View button.
    • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
    • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
    • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

    To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)



    When the scan is finished and the log pops up...select Copy to Clipboard

    Please paste the log back into this thread for review

    Exit Malwarebytes

    Please post this log (copy and paste) in your next reply instead of attaching.

  5. #5 Member

    Possible Virus: Help Appreciated

    Hi Juliet,

    Thank you, for your support. I have to walk to my parents house to access the PC; that is why sometimes it takes a while before I get back to you.

    Re your question: Since running those tools are you seeing any improvements?

    Yes, I think so. Firefox was doing funny things, opening extra tabs and such like, but I tracked that down to some weird browser extension that's been added called 'extra tab' or something. 'Windows file explorer' is slow too; I can't figure out if that is the PC's spec though.

    I noted that Malwarebytes found 8 threats on the system; the log is below.

    I have updated Adobe Flash and Adobe Reader; but, Firefox still has Adobe Reader detailed as out of date for some reason.

    Thanks for your help once again. I will await your instruction.

    All the best,

    Daniel.
    _____________________________

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 14/07/2015
    Scan Time: 16:29:24
    Logfile:
    Administrator: Yes

    Version: 2.1.8.1057
    Malware Database: v2015.07.14.04
    Rootkit Database: v2015.07.14.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows Vista Service Pack 2
    CPU: x86
    File System: NTFS
    User: Alan

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 302439
    Time Elapsed: 28 min, 3 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 3
    PUP.Optional.SuperOptimizer.C, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [139926bbc6c462d4cf92236fd3311ae6],
    PUP.Optional.SuperOptimizer.C, HKU\S-1-5-19\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [affd6180fd8d033362fff39f33d1c937],
    PUP.Optional.SuperOptimizer.C, HKU\S-1-5-20\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [2c80954cee9c5dd928397b17d33129d7],

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 1
    PUP.Optional.AdPeak.A, C:\temp, Quarantined, [3676519002885cdac4ad1c19010239c7],

    Files: 4
    PUP.Optional.CouponDownloader.A, C:\temp\t_ie.exe, Quarantined, [d3d938a9cac0b77fb1d888af4cb4fa06],
    PUP.Optional.InstallCore, C:\Users\Alan\Downloads\AcrobatReaderSetup(1).exe, Quarantined, [733919c8d0baad898f1b08f35ca8748c],
    PUP.Optional.SuperCool, C:\Users\Alan\Downloads\AcrobatReaderSetup.exe, Quarantined, [37757e63b5d5c076be3bcf5ae41d649c],
    PUP.Optional.AdPeak.A, C:\temp\lsp2.log, Quarantined, [3676519002885cdac4ad1c19010239c7],

    Physical Sectors: 0
    (No malicious items detected)


    (end)
    ________________________________
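The Malwarebytes 2.x log above is easy to misread when it is pasted in flat text, so here is a small parser for that log format. This is an added example, not code from the thread or from Malwarebytes: it takes an abridged copy of the log posted above (the page's own values), splits it into the header block and the per-category detection sections, checks that each section's declared count matches the number of detection lines actually present (a truncated paste is the usual reason they differ), confirms every item was quarantined, and lists which protection features were disabled at scan time. The line format it assumes (`name, target, action, [id],`) is inferred from the posted log.

```python
import re
from collections import Counter

# Abridged copy of the Malwarebytes 2.x log posted in this thread (the page's own values).
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware

Scan Date: 14/07/2015
Version: 2.1.8.1057
Malware Database: v2015.07.14.04
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 302439
Rootkits: Disabled
PUP: Enabled

Processes: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [139926bbc6c462d4cf92236fd3311ae6],
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-19\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [affd6180fd8d033362fff39f33d1c937],
PUP.Optional.SuperOptimizer.C, HKU\S-1-5-20\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, Quarantined, [2c80954cee9c5dd928397b17d33129d7],

Folders: 1
PUP.Optional.AdPeak.A, C:\temp, Quarantined, [3676519002885cdac4ad1c19010239c7],

Files: 4
PUP.Optional.CouponDownloader.A, C:\temp\t_ie.exe, Quarantined, [d3d938a9cac0b77fb1d888af4cb4fa06],
PUP.Optional.InstallCore, C:\Users\Alan\Downloads\AcrobatReaderSetup(1).exe, Quarantined, [733919c8d0baad898f1b08f35ca8748c],
PUP.Optional.SuperCool, C:\Users\Alan\Downloads\AcrobatReaderSetup.exe, Quarantined, [37757e63b5d5c076be3bcf5ae41d649c],
PUP.Optional.AdPeak.A, C:\temp\lsp2.log, Quarantined, [3676519002885cdac4ad1c19010239c7],

Physical Sectors: 0
(No malicious items detected)

(end)
"""

HEADER_RE = re.compile(r"^([A-Za-z -]+):\s*(.*)$")
SECTION_RE = re.compile(r"^(Processes|Modules|Registry Keys|Registry Values|Registry Data|Folders|Files|Physical Sectors): (\d+)$")
# Detection line layout assumed from the posted log: <name>, <target>, <action>, [<hex id>],
DETECTION_RE = re.compile(r"^(?P<name>[^,]+), (?P<target>.+?), (?P<action>[A-Za-z ]+), \[(?P<id>[0-9a-f]+)\],?$")


def parse_mbam_log(text):
    """Return (header dict, {section: {'declared': n, 'items': [detections]}})."""
    header, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:  # a "Category: N" line starts a new detection section
            current = m.group(1)
            sections[current] = {"declared": int(m.group(2)), "items": []}
            continue
        if current is not None:
            m = DETECTION_RE.match(line)
            if m:
                sections[current]["items"].append(m.groupdict())
            continue
        m = HEADER_RE.match(line)
        if m:  # key/value lines before the first section form the header
            header[m.group(1)] = m.group(2)
    return header, sections


def summarize(sections):
    """Totals per detection name, items not quarantined, and declared-vs-parsed count mismatches."""
    families, not_quarantined, mismatches, total = Counter(), [], [], 0
    for name, sec in sections.items():
        if len(sec["items"]) != sec["declared"]:
            mismatches.append((name, sec["declared"], len(sec["items"])))
        for item in sec["items"]:
            total += 1
            families[item["name"]] += 1
            if item["action"] != "Quarantined":
                not_quarantined.append(item["target"])
    return {"total": total, "families": families,
            "not_quarantined": not_quarantined, "count_mismatches": mismatches}


def disabled_features(header):
    """Protection/scan features reported as Disabled (free licence => no real-time protection)."""
    return sorted(k for k, v in header.items() if v == "Disabled")


if __name__ == "__main__":
    hdr, secs = parse_mbam_log(SAMPLE_LOG)
    print(summarize(secs))
    print("Disabled at scan time:", disabled_features(hdr))
```

The count check matters in a forum setting: a reply that says "8 threats" but whose pasted log only carries five detection lines has lost something in the copy, and the helper should ask for the export rather than reason from the fragment. The disabled-feature list explains why the scan found only leftovers of what FRST and AdwCleaner had already moved; with the free licence there was no real-time protection, and rootkit scanning was off.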

  6. #6 Juliet (Security Expert-emeritus)

    Let's see if Firefox update plugin tool will cure that issue.

    https://www.mozilla.org/en-US/plugincheck/

    This site will check which version of Flash is on the machine with directions how to update. Note - uncheck McAfee security scan.

    http://www.adobe.com/software/flash/about/

    ~~~~~~~~~~~~~~~~~~~~~~~~
    What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course how full your computer is.


    ESET Online Scan
    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

    • Please download ESET Online Scan and save the file to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Double-click esetsmartinstaller_enu.exe to run the programme.
    • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
    • Agree to the Terms of Use once more and click Start. Allow components to download.
    • Place a checkmark next to Enable detection of potentially unwanted applications.
    • Click Advanced settings. Place a checkmark next to:
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Ensure Remove found threats is unchecked.
    • Click Start.
    • Wait for the scan to finish. Please be patient as this can take some time.
    • Upon completion, click . If no threats were found, skip the next two bullet points.
    • Click and save the file to your Desktop, naming it something such as "MyEsetScan".
    • Push the Back button.
    • Place a checkmark next to and click .
    • Re-enable your anti-virus software.
    • Copy the contents of the log and paste in your next reply.

  7. #7 Member

    Possible Virus: Help Appreciated

    Hi Juliet,

    Please find log contents below:

    C:\AdwCleaner\Quarantine\C\Program Files\004\rqpbhevlkc32.exe.vir a variant of Win32/AdWare.Adpeak.F application
    C:\FRST\Quarantine\C\Users\Alan\AppData\Local\Temp\IrsoDLL.dll.xBAD a variant of Win32/InstallCore.YX potentially unwanted application
    C:\FRST\Quarantine\C\Users\Alan\AppData\Local\Temp\optprosetup.exe.xBAD multiple threats

    Regarding Firefox and Adobe: I ran the plugin update tools again and got the same result on Adobe Reader. Research indicates that the issue of Adobe Reader being listed as not updated when it is could be because Vista is not supported anymore. There are newer versions out there, but Firefox doesn't know that they don't apply. If that makes sense?

    Awaiting instructions.

    Thanks again,

    Daniel.
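The three ESET lines above all point into `C:\FRST\Quarantine` and `C:\AdwCleaner\Quarantine`, which is why a helper reads them as leftovers rather than live infections. As an added example (not the thread's code, and not ESET's own log parser), the script below parses lines in that flattened `path description` form (or ESET's native tab-separated form), reverses the quarantine layout visible in the posted paths (`<tool root>\Quarantine\<drive letter>\<original path>` plus a marker suffix such as `.xBAD` or `.vir`) to recover where each file originally lived, and cross-checks the recovered paths against the FRST fixlist from post #2. The quarantine roots and suffixes are taken from the page's own lines; the fourth log line is constructed to show how a hit outside any quarantine folder is reported.

```python
import re

# Quarantine layout seen in the log posted above: <tool root>\Quarantine\<drive letter>\<original path><suffix>
QUARANTINE_ROOTS = (r"C:\FRST\Quarantine", r"C:\AdwCleaner\Quarantine")
QUARANTINE_SUFFIXES = (".xBAD", ".vir")

# The three ESET lines posted in this thread, plus one constructed line (tab-separated, as ESET
# itself writes them) for a file that is NOT in a quarantine folder.
ESET_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files\004\rqpbhevlkc32.exe.vir a variant of Win32/AdWare.Adpeak.F application
C:\FRST\Quarantine\C\Users\Alan\AppData\Local\Temp\IrsoDLL.dll.xBAD a variant of Win32/InstallCore.YX potentially unwanted application
C:\FRST\Quarantine\C\Users\Alan\AppData\Local\Temp\optprosetup.exe.xBAD multiple threats
""".strip().splitlines() + [
    r"C:\Users\Alan\AppData\Local\Temp\sample_constructed.exe" + "\t" + "a variant of Win32/Example.A application",  # constructed
]

# Subset of the file paths from the FRST fixlist in post #2.
FIXLIST_PATHS = [
    r"C:\Users\Alan\AppData\Local\Temp\IrsoDLL.dll",
    r"C:\Users\Alan\AppData\Local\Temp\optprosetup.exe",
    r"C:\Users\Alan\AppData\Local\Temp\nsg1BA8.tmp.exe",
    r"C:\Users\Alan\AppData\Local\Temp\ReimagePackage.exe",
]

# In flattened text the path and the verdict are separated only by a space, and paths may contain
# spaces themselves, so the split point is the first place a known verdict phrase begins.
DESC_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<desc>(?:probably )?a variant of .*|multiple threats.*|[A-Za-z0-9]+/\S+.*)$"
)


def parse_eset_line(line):
    """Return (quarantined_or_live_path, detection text) or None if the line is unparseable."""
    line = line.strip()
    if "\t" in line:  # native ESET export: path<TAB>detection
        path, desc = line.split("\t", 1)
        return path.strip(), desc.strip()
    m = DESC_RE.match(line)
    return (m.group("path"), m.group("desc")) if m else None


def original_path(path, roots=QUARANTINE_ROOTS, suffixes=QUARANTINE_SUFFIXES):
    """Map a quarantine-folder path back to the file's original location. Returns (path, in_quarantine)."""
    for root in roots:
        prefix = root + "\\"
        if path.lower().startswith(prefix.lower()):
            drive, _, tail = path[len(prefix):].partition("\\")  # "C\Users\..." -> "C", "Users\..."
            for suffix in suffixes:
                if tail.endswith(suffix):
                    tail = tail[: -len(suffix)]
                    break
            return f"{drive}:\\{tail}", True
    return path, False


def correlate(eset_lines, fixlist_paths):
    """Annotate each ESET hit with its original location, quarantine status and fixlist membership."""
    fixset = {p.lower() for p in fixlist_paths}
    results = []
    for line in eset_lines:
        parsed = parse_eset_line(line)
        if parsed is None:
            continue
        qpath, desc = parsed
        orig, in_q = original_path(qpath)
        results.append({"reported_path": qpath, "detection": desc, "original_path": orig,
                        "in_quarantine": in_q, "in_fixlist": orig.lower() in fixset})
    return results


def live_hits(results):
    """Only detections outside a quarantine folder still need action."""
    return [r for r in results if not r["in_quarantine"]]


if __name__ == "__main__":
    for r in correlate(ESET_LOG, FIXLIST_PATHS):
        print(r)
    print("Live:", [r["original_path"] for r in live_hits(correlate(ESET_LOG, FIXLIST_PATHS))])
```

Two of the three real hits map straight back to Temp files the FRST fixlist had already moved, and the AdwCleaner one is the `Program Files\004` adware dropper that tool quarantined; none is live. Running "Remove found threats" unchecked, as the instructions say, means ESET leaves these quarantine copies in place, which is what post #10 asks about: they are inert where they are, and the cleanup tool that removes FRST and AdwCleaner takes their quarantine folders with it.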

  8. #8 Juliet (Security Expert-emeritus)

    Here's a good article concerning Adobe and Windows Vista:
    https://helpx.adobe.com/acrobat/kb/r...ows-vista.html

    Scan came back in good shape, all items already in quarantine folders, no more malware found.

    What other issues remain?

  9. #9 Member

    Possible Virus: Help Appreciated

    Hi Juliet,

    Good, I can answer this one from my house!

    I have increased the Windows Vista virtual memory limit and activated Ready Boost using a USB to give him some extra memory. Hopefully, that will speed up his PC too. In addition, I have tried to update everything for him.

    If you are happy, I am happy. Everything seems much better at this end - thank you. I'll tell my dad to watch what he's clicking more closely (again); he's an author and political activist, so he goes on dodgy sites that I just wouldn't contemplate visiting.

    One last thing please, could you direct me to the clean up tool that removes all these programs we have put on his PC?

    Thanks again, for your kind help.

  10. #10 Member

    Hi,

    One more question please: If we 'unchecked' remove all threats at the start of the ESET Scan, are they still there or did the threats get removed at uninstall or are they OK because they are quarantined?

    Thanks.
