Solved

MindSpark PUP how do I get rid of it?

Posted on 2015-02-22
Last Modified: 2015-03-03
Toshiba Portégé R705 Laptop
Windows 7 Home Premium, Service Pack 1, 64-bit
Intel Core i3 M 370 processor @ 2.40 GHz
4 GB installed memory (3.73 GB usable)

User received a message from xFinity that his laptop may be infected with a bot.

User’s laptop could not download files from either Google Chrome (latest version) or Internet Explorer Version 11. Laptop was using Microsoft Essentials for virus protection.

Programs that required updates through the internet functioned properly.

Laptop was running slow so I ran CCleaner setup from my flash card. I deleted files and cleaned the registry.

Deleted the following programs: Ask Toolbar, Juniper, and Skype.
Unable to delete Billing Edge, Quicken WillMaker 2008, Sigma Flow, One-Click Skype and Kaspersky Pure 2.0. (All gave uninstall errors.)

Ran ComboFix, TDSS Killer, JunkwareRemoval Tool, Malware Bytes, and Rogue Killer. Still had the same problem, no change.

I removed Microsoft Essentials and installed AVG Internet 2015.

I restored the computer to a 1/25/2015 date. Interestingly the next available restore point after that was from 2013.

Ran the same sequence of virus removal tools. Used CCleaner to cleanup the registry and did a Restart. No change.

I installed and ran SpyHunter but it only found two adware programs which track internet activity.

Based on the log files I assumed I was dealing with one of the Mindspark [PUP] viruses, so I also ran ADW Cleaner and Hitman-Pro 64 bit. Neither of these two programs found any viruses.

I am moderately capable of troubleshooting personal computers. Since my last job was at a church, I haven’t taken any Microsoft classes since Windows NT Server.

I did edit the registry several times. I removed Kaspersky 2.0, One Click Skype and SonicFlow references. Each time I was careful to back up the registry beforehand, and afterward ran a CCleaner registry sweep and either a Restart or Shutdown.

Somewhere in the middle of all this I deleted and re-installed Google Chrome but did not go through the registry to eliminate Google Chrome references. I’ve done nothing with Internet Explorer because the last time I tried to delete and reinstall IE I booted to a black monitor and had to repair the problem.

I installed Mozilla Firefox from a flash drive and I am able to download files but was unable to run the application. Message: “These files can’t be opened. Your Internet security settings prevented one or more files from being opened.”

I removed AVG and re-activated Windows Defender.

Still can’t install exe files, and I followed instructions to change Defender’s security but these didn’t work.

I probably did some things that I have listed, but I am out of ideas. So my question is: “Can anyone help?”
ComboFix-1.txt
JRT-1.txt
Rkill-1.txt
ComboFix-2.txt
JRT-2.txt
Rkill-2.txt
TDSSKiller.3.0.0.44-20.02.2015-08.22.00-
TDSSKiller.3.0.0.44-20.02.2015-16.31.40-
Scan-Comparisons-Registry.pdf
Question by: Mary Bock
11 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 40624985
Check Internet Options control panel, Connections, LAN to make sure there was no worm/virus that set itself as the proxy which would..

Are you able to create a new user, and log in as that user to see whether the issue is profile limited?

You've done too many things before identifying an issue that might explain the situation.
Younghv, who has an article on fighting, might disagree again, but given you tried everything else, booting in safe mode and checking the system would be one thing to consider.


For future troubleshooting, a guide would be first to inquire approximately when the issue arose.
Then look at the programs list (appwiz.cpl) to see what was installed around that time. I have seen an application/media codec or a player the user thought they were downloading and installing from a reputable source that was actually loaded with malware, etc. Removing applications back to those dates helps.

C:\windows\prefetch: clear all the .pf files from here.
Look at the Task Manager (tasklist) to see what is running and terminate processes that do not seem "right".
 
LVL 92

Expert Comment

by:nobus
ID: 40625194
 

Author Comment

by:Mary Bock
ID: 40626778
Arnold

I had already checked Internet Options under Control Panel. I did add BleepingComputers to the Local Intranet. I created a new user and had no problems, so the problem is in the laptop owner's user ID profile.

I ran all removal programs under Safe Mode.  I deleted the .pf files. Afterwards the results were the same.  I downloaded JRT from BleepingComputers. I can download the file but cannot execute the program. Still getting "Files cannot be opened" message.

Nobus
I ran ADWCleaner in Safe Mode. Found a problem and deleted it. Did not resolve the problem. Same error message.

The user was vague about when the problem first occurred, just said he had been having trouble for a couple of months; it was the email from xFinity that made him contact me.
AdwCleaner-R1-.txt
 
LVL 77

Accepted Solution

by:
arnold earned 167 total points
ID: 40626808
Now that you've determined/confirmed the issue is with the profile, make the new user that you created an admin, and disable the old user after you copy the files from the old profile to the new profile.

In %userprofile%\Application Data, look for files that are referenced in the registry to start.
In the current user profile, look at HKCU\Software\Microsoft\Windows\CurrentVersion\Run to see what is there, eliminating entries that point to the user's Application Data.
There are multiple locations where one has to search.
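The two checks arnold describes in this thread (the LAN proxy setting under Internet Options, and Run entries in the user's registry hive that point into the profile's Application Data) can be collected in one read-only pass. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes only standard Windows registry locations and environment variables; it also lists services whose executable no longer exists on disk, which is the "(file missing)" condition the HijackThis output later in the thread shows. It changes nothing, so it is safe to run before deciding what to remove.

```powershell
# Added example (not from the original thread): read-only triage of autorun
# entries, the per-user WinINet proxy setting, and services with a missing
# binary. Run from an elevated PowerShell prompt while logged in as the
# affected user, because HKCU is that user's hive.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable path out of a command line such as
#   "C:\dir with spaces\app.exe" -k     or     C:\dir\app.exe /arg
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"')          { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)(\s|$)')    { return $Matches[1] }  # -match is case-insensitive
    return $cmd.Trim()
}

# True when the path lives under the user's roaming/local AppData or Temp,
# the locations arnold suggests checking for startup entries.
function Test-UserProfilePath([string]$path) {
    foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)) {
        if ($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

Write-Host "== Autorun (Run/RunOnce) entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.Property) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath -cmd ([string]($item.GetValue($name)))))
        $flags = @()
        if (Test-UserProfilePath $exe)                    { $flags += 'runs-from-user-profile' }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flags += 'file-missing' }
        "{0}\{1} -> {2}  {3}" -f $key, $name, $exe, ($flags -join ',')
    }
}

Write-Host "`n== WinINet proxy (Internet Options > Connections > LAN settings) =="
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable   = {0}" -f $inet.ProxyEnable
"ProxyServer   = {0}" -f $inet.ProxyServer
"AutoConfigURL = {0}" -f $inet.AutoConfigURL
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning "A proxy or PAC script is configured for this user; confirm it is expected."
}

Write-Host "`n== Services whose binary is missing on disk =="
Get-WmiObject Win32_Service | ForEach-Object {
    if (-not $_.PathName) { return }
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath -cmd $_.PathName))
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        "{0} ({1}) -> {2}" -f $_.Name, $_.DisplayName, $exe
    }
}
```

Entries flagged `runs-from-user-profile` are the ones to compare against what the user knowingly installed; `file-missing` entries are leftovers of removed software and are usually safe to clean once the owning program is confirmed gone. A service whose PathName uses an unusual prefix (for example `\??\`) will show as missing even when the file exists, so treat the service list as a prompt to look, not as a verdict.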
 
LVL 92

Expert Comment

by:nobus
ID: 40627555
Run HijackThis and post the file here: http://sourceforge.net/projects/hjt/
 

Author Comment

by:Mary Bock
ID: 40629623
The creator of hijackthis is not taking log files while testing a new version. Where can I upload this? I have a login for Bleeping Computer but don't know the steps to have someone review the log.
hijackthis.log
 
LVL 92

Assisted Solution

by:nobus
nobus earned 333 total points
ID: 40630043
There seem to be a lot of problems with Kaspersky Total Security - can you uninstall it, or reinstall it?
Bad news - no trace of the popup.
Make a restore POINT before changing things - then:

In case you don't know this - you can delete these:

O4 - HKLM\..\Run: [BackupNowEZtray] "C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZtray.exe" -k

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://remote.cmegroup.com/dana-cached/sc/JuniperSetupClient.cab

O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\windows\system32\IEEtwCollector.exe (file missing)

O23 - Service: NTI BackupNowEZSvr - NTI Corporation - C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)

You can also uninstall a couple of toolbars from Skype &
 

Author Comment

by:Mary Bock
ID: 40631342
Here is a new HijackThis log without Kaspersky installed.
hijackthis.log
 
LVL 92

Assisted Solution

by:nobus
nobus earned 333 total points
ID: 40632486
Now I found these:
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - (no file)

O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - (no file)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} -

O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\windows\system32\IEEtwCollector.exe (file missing)

O23 - Service: NTI BackupNowEZSvr - NTI Corporation - C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
 

Assisted Solution

by:Mary Bock
Mary Bock earned 0 total points
ID: 40634243
Thank you both for your help. The user is using a new user name and all software he needs is loaded and operative. I think Microsoft Essentials failed to stop an infected download, but without knowing the program or time frame it makes it difficult to pinpoint the cause.

Personally, I would restore the laptop to its shipped state and reload software, as there are only two main suites/programs which are important. Everything else he does on his tablet. But I will have to wait until he is ready to do that, as he was without his laptop for a week.
 

Author Closing Comment

by:Mary Bock
ID: 40641574
Unfortunately I couldn't have kept the laptop long enough to resolve the problem with the time I had to work on it. And in the process I've learned many things I didn't know.
