Is there Malware on this computer?

I am seeking help for my son-in-law’s computer. It is an HP model A6419FH running Windows Vista Home Premium 32 bit SP2. The initial signs of infection involved the following:

  1. Sometimes cannot access the internet even though IE security settings are set to default level.
  2. Over time it turns off some or all of the Avast shields.
  3. Can no longer uninstall programs.
  4. Runs extremely slow even though nothing is accessing the internet.

I have generated the various log files required for help in this forum by running MBAM, FRST, and aswMBR. The files are attached.

Since installing and running MBAM I have noticed the speed of the computer has improved. I find it odd that I am able to uninstall MBAM if I desire, but no other program installed on the computer from the Control Panel.

I would like to request a resident expert review of the attached logs to see if anything there suggests the presence of malware. If so, could a fixlist be generated? Thank you.

The FRST reboot may take a while as the temp files appear to be rather full.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
GroupPolicyUsers\S-1-5-21-3422403103-2533500959-2020679019-1002\User: Group Policy restriction detected <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\S-1-5-21-3422403103-2533500959-2020679019-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3422403103-2533500959-2020679019-1000 -> {3D35BFB4-CB27-4512-B415-BDE7E22DC23D} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKU\S-1-5-21-3422403103-2533500959-2020679019-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={569978AA-A809-46AE-8160-210D2A921EF7}&mid=7c3d2560d5f047d09a30d15680af9e66-6cd5ad7352594e6d2ae3325a02f77f156e3370db&lang=en&ds=AVG&pr=pr&d=2012-09-08 21:20:26&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO: No Name -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> No File
Toolbar: HKU\S-1-5-21-3422403103-2533500959-2020679019-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Task: {8DA14069-680B-4B2A-8972-A5358AB76B92} - System32\Tasks\{0BFD5230-C0FF-C4BC-B7AB-635FD79FA94C} => C:\Users\Family\AppData\Roaming\lxlpolx.dll/s "C:\Users\Family\AppData\Roaming\lxlpolx.dll" <==== ATTENTION
Task: {A0E5E522-1937-4661-8BBF-532C072FC085} - System32\Tasks\LaunchSignup => C:\Program Files\MyPC Backup\Signup Wizard.exe <==== ATTENTION
C:\Users\Family\AppData\Roaming\lxlpolx.dll
C:\Program Files\MyPC Backup
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  1. Close all open programs and internet browsers.
  2. Double click on AdwCleaner.exe to run the tool.
  3. Click on Scan.
  4. After the scan is complete click on “Clean”.
  5. Confirm each time with Ok.
  6. Your computer will be rebooted automatically. A text file will open after the restart.
  7. Please post the content of that logfile with your next answer.
  8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
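The two `Task:` lines FRST marked with ATTENTION in the fix above are the kind of entry a defender wants to find without waiting for a scanner: a scheduled task whose command line runs something out of a user's AppData folder. The script below is an added example, not part of this thread or of FRST; it reads Task Scheduler's verbose CSV output through schtasks.exe (so it also works on Vista, where Get-ScheduledTask does not exist), flags tasks that run from locations a legitimate installer rarely uses, and tests whether the target file still exists. The watch-path list and the sample rows are constructed for the example; the rundll32 command line in the sample is an assumption about how such a DLL task is typically launched, not what the FRST log shows.

```powershell
# Added example (not from the thread): audit Task Scheduler entries that run
# from a user profile's AppData or other writable scratch locations.
# Uses schtasks.exe rather than Get-ScheduledTask so it runs on Vista / PowerShell 2.0.

function Get-TaskRows {
    # Rows from schtasks' verbose CSV output. On some Windows versions the header
    # line is repeated once per task folder, so drop those repeated header rows.
    schtasks.exe /query /fo CSV /v 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' }
}

function Find-SuspiciousTasks {
    param(
        [Parameter(Mandatory = $true)] $Rows,
        # Locations a legitimate scheduled task rarely runs from (assumption; tune for your estate).
        [string[]] $WatchPaths = @('\AppData\Roaming\', '\AppData\Local\Temp\', '\Users\Public\')
    )
    foreach ($row in $Rows) {
        $cmd = $row.'Task To Run'
        if (-not $cmd) { continue }
        foreach ($p in $WatchPaths) {
            if ($cmd.ToLower().Contains($p.ToLower())) {
                # Pull the first drive-letter path out of the command line and check whether the
                # file still exists. A missing target means an orphaned task that should be deleted,
                # which is what the OP later observed with the leftover CryptoDefense entry.
                $target = [regex]::Match($cmd, '[A-Za-z]:\\[^"<>|]+?\.(dll|exe|vbs|js|bat|cmd|ps1)').Value
                New-Object PSObject -Property @{
                    TaskName = $row.TaskName
                    Command  = $cmd
                    Target   = $target
                    Exists   = ($target -ne '' -and (Test-Path -LiteralPath $target))
                }
                break
            }
        }
    }
}

# Constructed sample rows mirroring the two ATTENTION lines in the FRST log plus one
# benign built-in task. The file paths are made up for the example and will not exist
# on the machine running this, so Exists is reported as False for the flagged row.
$sample = @'
"HostName","TaskName","Task To Run"
"PC","\{0BFD5230-C0FF-C4BC-B7AB-635FD79FA94C}","rundll32.exe C:\Users\Family\AppData\Roaming\lxlpolx.dll,s"
"PC","\LaunchSignup","C:\Program Files\MyPC Backup\Signup Wizard.exe"
"PC","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c"
'@ | ConvertFrom-Csv

Find-SuspiciousTasks -Rows $sample | Format-Table TaskName, Target, Exists -AutoSize

# To audit the live system instead of the sample:
# Find-SuspiciousTasks -Rows (Get-TaskRows) | Format-Table TaskName, Target, Exists -AutoSize
```

Only the lxlpolx.dll task trips the path rule; the MyPC Backup task lives under Program Files and was flagged by FRST because the product itself is unwanted, not because of where it runs from. A path heuristic like this is a first pass, not a verdict, so review each hit before deleting it (a task can be removed with `schtasks /delete /tn <name>`).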

I just noticed the MBAM log file I sent is the wrong one. Is it still possible to recover the scan log file? There were no malware items detected, all were PUP.Optional.

No real need, as the FRST fix and AdwCleaner will kill them.

The FRST fix has been run and AdwCleaner has been run. Requested logs are attached.
I have looked a little closer at programs that cannot be uninstalled. Some can and some cannot. For example, Java cannot, but Apple product software can be uninstalled. It’s as if something is preventing uninstallation. I don’t know if this is a part of the system design or malware at work.

When you try to uninstall them, what error do you get?

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

There is no error. When a program is selected in the Programs and Features window, there is no “Uninstall” selection in the menu bar at the top of the list.

In that case I would recommend that you use Revo to uninstall the programmes, as that will do it without uninstaller data: http://www.revouninstaller.com/revo_uninstaller_free_download.html

How is the computer otherwise?
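The symptom described above (an entry listed in Programs and Features with no Uninstall command offered) has a small number of known causes in Windows, and checking them takes seconds once the machine is stable. The script below is an added example and is not from the thread, Revo or any other tool named here: it reads the Group Policy values that suppress program removal, then walks the per-program Uninstall keys and reports entries whose Uninstall button Windows would hide (NoRemove set, UninstallString absent, or SystemComponent set). Which of these, if any, applied to the OP's machine is not established in the thread; the fix above did note a Group Policy restriction on one user account, which is the first thing this check looks at.

```powershell
# Added example (not from the thread): find why an installed program shows no
# "Uninstall" command in Programs and Features. Read-only; it changes nothing.

function Get-UninstallPolicy {
    # "Prevent removal of programs" (NoRemovePrograms) and "Remove Programs and Features"
    # (NoAddRemovePrograms) are real Group Policy values; either hides the Uninstall action.
    $hives = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
    )
    foreach ($h in $hives) {
        if (Test-Path $h) {
            $p = Get-ItemProperty -Path $h
            New-Object PSObject -Property @{
                Hive                = $h
                NoRemovePrograms    = $p.NoRemovePrograms
                NoAddRemovePrograms = $p.NoAddRemovePrograms
            }
        }
    }
}

function Get-HiddenUninstallEntries {
    # Per-program keys. Windows does not offer Uninstall when NoRemove=1 or when
    # UninstallString is missing; SystemComponent=1 hides the entry from the list entirely.
    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # absent on 32-bit Windows
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $v = Get-ItemProperty -Path $key.PSPath
            if (-not $v.DisplayName) { continue }   # entries without a name are never listed anyway
            $reason = @()
            if ($v.NoRemove -eq 1)        { $reason += 'NoRemove=1' }
            if (-not $v.UninstallString)  { $reason += 'UninstallString missing' }
            if ($v.SystemComponent -eq 1) { $reason += 'SystemComponent=1' }
            if ($reason.Count -gt 0) {
                New-Object PSObject -Property @{
                    DisplayName     = $v.DisplayName
                    Key             = $key.PSChildName
                    Reason          = ($reason -join ', ')
                    UninstallString = $v.UninstallString
                }
            }
        }
    }
}

Get-UninstallPolicy | Format-List
Get-HiddenUninstallEntries | Sort-Object DisplayName | Format-Table DisplayName, Reason, Key -AutoSize
```

A policy value of 1 in either hive explains a missing Uninstall command for every program at once; a per-key reason explains it for that program only. A missing UninstallString on an entry that a tool like Revo can still remove is consistent with Revo reporting that it "restored the uninstall feature", as the OP saw later in the thread, but that is an inference, not something the thread confirms.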

Thanks, I will look into that. Otherwise, the computer is more stable. Takes a while to boot up, but it could be from so many installed programs that I can’t currently uninstall. Internet access is good and Avast shields stay up.

A funny thing, I can’t log into my Avast account from that computer. The orange progress bar hangs part way across. Minor issue. I will have the people here use it for the next several days and see if they are happy with it. Thanks for the help, I’ll be in touch.

Let me know when you are happy and I will tidy up.

Do you recommend running Revo before or after tidying up?

Before would be my choice :slight_smile:

eb,
Running Revo and a little nervous about it because it wants selection of registry items by the user. Is it safe to select the bold items or should each be analyzed before deletion?

Regarding my previous observation that I couldn’t log into my Avast account from the Aaron computer, is this true of any computer that isn’t in my devices list?

Yes, you need to add the computer to your device list and link it.

For Revo, do the registry subkeys only… I am running an uninstall at the moment to get a screenshot for you.

Still waiting for screenshot. Want to make sure I’m doing this right.

I ended up cancelling the uninstall at the registry edit step. The program now has the “uninstall” selection available in Programs and Features. I noticed while using Revo that it indicated it had restored the uninstall feature of the original program. Do you know if I can now just uninstall it normally without using Revo?

Yes, you can uninstall normally now. So far the programmes I have uninstalled have left nothing behind, which is a bummer. I will download a known programme and then uninstall it, as I am sure this question will come up again.

Concluded running Revo to uninstall programs. Computer is stable, so time to tidy up.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix.

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

  1. Click on the link above to be taken to Unchecky.com.
  2. Click the very large Download button.
  3. Click Save.
  4. Click Open folder.
  5. Right click on the Unchecky_setup and choose to Run as Administrator.
  6. Once open click the Install button.
  7. Then click on Finish.

Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Cleanup completed. CryptoPrevent and Unchecky have been installed as recommended.

I found there were remnants of a program called CryptoDefense that was still trying to run from the Family user. The error message indicated it couldn’t find the file to run, so I’m confident this malware was removed. I manually removed the command from the registry and all related files from the AppData folder.

The computer is running optimally now. Thank you for your help on this. It is much appreciated.

My pleasure :slight_smile: