Compaq Laptop May Be Infected

Started by mare_wbpa, December 04, 2013, 05:46:59 PM


mare_wbpa

I use FF just about exclusively.  Here's the scan.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.19.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
mary ann :: MARYANN-PC [administrator]

2/18/2014 9:19:40 PM
MBAM-log-2014-02-19 (01-44-06).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 444833
Time elapsed: 3 hour(s), 4 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\mary ann\AppData\Local\temp\lpWIt9vh.exe.part (PUP.Optional.OptimumInstaller.A) -> No action taken.

(end)

Corrine

Quote:
Files Detected: 1
C:\Users\mary ann\AppData\Local\temp\lpWIt9vh.exe.part (PUP.Optional.OptimumInstaller.A) -> No action taken.

You need to rescan with Malwarebytes and remove the above.  In checking your previous logs, it was not on your computer during earlier scans, although that was early in December.

After rescanning with MBAM and removing the above, please do the following:

Please download Junkware Removal Tool to your desktop.

Note:  A few seconds after landing on the above link, depending on the browser you are using, you will see the following:

  • If you're using Firefox, click Save file.
  • If you're using IE, click Save.

  • Disable your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it.  If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

mare_wbpa

When the scan results, not log, came up after the scan, the "pup optional" came up as an object detected and I removed it with the MBAM.  I don't think that there was "Installer" after it.

mare_wbpa

Having one freeze up after another this AM.  All seemed to be working well except for the freeze ups on the one site til now.  Help please.

Corrine

Please see my instructions above from February 19 to run the Junkware Removal Tool.

Thanks!



mare_wbpa

Ran the MBAM scan.  No threats detected.  Here's the log.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.26.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
mary ann :: MARYANN-PC [administrator]

2/26/2014 6:40:58 PM
mbam-log-2014-02-26 (18-40-58).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 452686
Time elapsed: 5 hour(s), 14 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

winchester73

You've only followed the first part of her instructions; she wants you to run another tool  :D

Here is the next step:


Please download Junkware Removal Tool to your desktop.

Note:  A few seconds after landing on the above link, depending on the browser you are using, you will see the following:

  • If you're using Firefox, click Save file.
  • If you're using IE, click Save.

  • Disable your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it.  If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

mare_wbpa

Had every intention of running the JRT but the MBAM didn't finish till the wee hrs, my time, so I posted it and went to bed.  Did the JRT scan this AM.  Here's the log.

Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows Vista (TM) Home Premium x86
Ran by mary ann on Thu 02/27/2014 at 10:07:45.33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{38EDDE75-9689-4887-95E5-13B31E4E2DCB}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5313b6d2-fb85-4978-b2c5-252172d315cd}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{60A4E56C-445B-47E9-8637-F329433B1DB3}
Successfully deleted: [Registry Key] "hkey_current_user\software\microsoft\internet explorer\low rights\elevationpolicy\{a5aa24ea-11b8-4113-95ae-9ed71deaf12a}"



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\mary ann\appdata\locallow\oovootb"
Successfully deleted: [Folder] "C:\Program Files\coupons"



~~~ FireFox

Successfully deleted the following from C:\Users\mary ann\AppData\Roaming\mozilla\firefox\profiles\zni3qowh.default\prefs.js

user_pref("aim_toolbar.search.searchtype", "web");
Emptied folder: C:\Users\mary ann\AppData\Roaming\mozilla\firefox\profiles\zni3qowh.default\minidumps [136 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/27/2014 at 10:12:37.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Corrine

From the MBAM log:
Quote:
Time elapsed: 5 hour(s), 14 minute(s), 9 second(s)

It takes a long time to decompress archives to scan and then compress again.  It is only necessary to do a Quick Scan with Malwarebytes.  As Marcin, the founder of Malwarebytes, replied here:

Quote:
We've designed the quick scan to detect everything. The full scan is there for people who won't believe us.




Quote from: mare_wbpa on February 26, 2014, 04:44:15 PM
Having one freeze up after another this AM.  All seemed to be working well except for the freeze ups on the one site til now.  Help please.

Going back to Firefox freezing, with the JRT log showing an accumulated 136 minidumps, although likely since the initial installation, that is still quite a few crashes.  After the removals by JRT, is it still crashing/freezing?

If Firefox continues to crash, I suggest going through the steps here:  Troubleshoot Firefox issues using Safe Mode | Firefox Help.



mare_wbpa

Seemed to be working fine for a while.  Yesterday it would freeze up after only a minute or 2 online.  After the MBAM and JRT it seemed to be working fine, then started to freeze up again.  Went to the FF help page, it suggested to reset the FF to default before going thru other measures.  I did that, and right now it seems OK.

mare_wbpa

BTW, I forgot to thank you for the info on doing the quick MBAM scan.  I'll keep that in mind next time I have to do MBAM.

Corrine

You're welcome.  A Quick Scan will certainly save you hours!  In fact, it would probably be a good idea for you to run a Quick Scan once a week. 

If resetting doesn't solve the problem, follow through with the other suggestions.  Let us know how you make out.



mare_wbpa

Scanning weekly sounds like a good idea.  If it prevents problems it will save a lot of time in the long run.  Should I keep JRT or uninstall it?  Is it safe to do the JRT scan in the future should I have similar issues?

Corrine

Both JRT and AdwCleaner are regularly updated with new information provided by members of the security community.  As a result, it is important to always use the most recent version.  JRT has an auto-update feature.  It does NOT create backups of what was removed but it does back up the registry.  Conversely, AdwCleaner does not create a backup but does contain a quarantine file from which files can be dequarantined.  AdwCleaner will also prompt when an old version is run and redirect to the developer's home site.

Bottom line, yes, you can run JRT and/or AdwCleaner if you are comfortable running either or both utilities on your own.  However, we are always happy to provide guidance. 



mare_wbpa

Well, in that case, I'll contact you b 4 I do anything in the future.  I was just thinking about not always having to bother you.  You are so kind to do this for people like me.  I really, really appreciate you.