Win32:InstallBrain-F [PUP]

My sister’s Vista computer is infected by this Trojan. I’m looking for a way to remove it and I was wondering if someone could offer me assistance.

Avast can detect this infection, but it cannot repair or remove it. Is there an additional client I could use?

Hello,
Actually, the whole name of the detection is “Win32:InstallBrain-F [PUP]”, and PUP means “Potentially Unwanted Program”, not Trojan.

Milos

Thank you for clarifying.

If someone has experience with this potentially (DEFINITELY) unwanted program, I would be very grateful for some help.

Give the full file name and location of the file detected.

Windows XP SP3

Locations:

C:\Documents and Settings\user\local settings\temp\softonic_ssk_conduit.exe
C:\program files\uninstall information\ib_uninst_514\uninstall.exe
C:\program files\uninstall information\ib_uninst_519\uninstall.exe
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP362\A0071297.exe
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP362\A0071298.exe

She forgot to mention a second problem with something called Win32:Hupigon-ONX(Trj)

It is located: C:\hiberfil.sys

Is it the first one detected as PUP …conduit? … some toolbar crap.
Those in System Volume Information are copies in system restore points.

Follow the guide and attach the logs (not copy and paste): http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, removal experts will be notified and help will arrive later today.

Log Placeholder

Last scan done.

Awaiting any help I can possibly get.

Looks to be mainly gone; could you confirm it is no longer present?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://search.chatzum.com/?q={searchTerms}
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [] File not found

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
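The OTL script above removes three kinds of leftovers: an Internet Explorer search scope whose URL points at search.chatzum.com, toolbar GUIDs registered under HKLM and the user's hive that no longer have a matching HKCR\CLSID key ("No CLSID value found"), and an empty-named value under HKLM\..\Run whose file does not exist. The PowerShell audit below is an added example, not part of this thread or of OTL; it enumerates those same registry locations so you can confirm before and after the fix whether the entries are present. It assumes an elevated PowerShell prompt (PowerShell 2.0 on XP, which must be installed separately) and that the affected user is logged on, because HKEY_USERS only exposes loaded hives; the function names and output property names are my own.

```powershell
# Added example: audit the IE toolbar, SearchScopes and Run locations that an
# OTL fix like the one above cleans up. Run elevated, with the affected user
# logged on (HKEY_USERS only lists loaded hives).

function Get-UserHiveSids {
    # SIDs of the user hives loaded under HKEY_USERS. Service SIDs (S-1-5-18/19/20)
    # and the *_Classes hives are skipped on purpose.
    Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $_.PSChildName }
}

function Get-ToolbarGuidEntries {
    # Toolbar GUIDs are stored as value *names* under these keys. A GUID with no
    # HKCR\CLSID\{guid} key is what OTL reports as "No CLSID value found": the
    # toolbar's COM registration is gone but the IE registration was left behind.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar')
    foreach ($sid in Get-UserHiveSids) {
        $base = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\Toolbar"
        $keys += "$base\ShellBrowser"
        $keys += "$base\WebBrowser"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in (Get-Item $key).GetValueNames()) {
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip ITBarLayout etc.
            $clsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$name"
            $registered = Test-Path $clsidKey
            $desc = $null
            if ($registered) { $desc = (Get-Item $clsidKey).GetValue('') }
            New-Object PSObject -Property @{
                Key = $key; Guid = $name; Registered = $registered; Description = $desc
            }
        }
    }
}

function Get-SearchScopeEntries {
    # Each subkey of SearchScopes is one search provider; "URL" is the query
    # template. The host is pulled out with a regex rather than [Uri] because the
    # {searchTerms} placeholder makes the template an invalid URI.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes')
    foreach ($sid in Get-UserHiveSids) {
        $keys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $defaultScope = (Get-Item $key).GetValue('DefaultScope')
        foreach ($scope in Get-ChildItem $key) {
            $url = [string]$scope.GetValue('URL')
            $scopeHost = ''
            if ($url -match '^[A-Za-z]+://([^/:?#]+)') { $scopeHost = $matches[1] }
            New-Object PSObject -Property @{
                Key = $key; Scope = $scope.PSChildName
                IsDefault   = ($scope.PSChildName -eq $defaultScope)
                DisplayName = $scope.GetValue('DisplayName'); Host = $scopeHost; Url = $url
            }
        }
    }
}

function Get-RunEntries {
    # Autostart values under Run. An entry with an empty name, or whose executable
    # no longer exists, is the kind of leftover OTL logs as "O4 - ... [] File not found".
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($sid in Get-UserHiveSids) {
        $keys += "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # First token of the command line: a quoted path, or everything up to the first space.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] }
                   elseif ($cmd -match '^\s*(\S+)') { $matches[1] }
                   else { '' }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $cmd; Exe = $exe
                Exists = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

# Usage: run once before the fix and again after the reboot; the fix worked if
# the first and third commands print nothing and the second shows only the
# providers you expect (the user's real default search engine).
Get-ToolbarGuidEntries | Where-Object { -not $_.Registered } | Format-Table Key, Guid -AutoSize
Get-SearchScopeEntries | Format-Table Scope, IsDefault, Host, Url -AutoSize
Get-RunEntries | Where-Object { $_.Name -eq '' -or -not $_.Exists } | Format-Table Key, Name, Command -AutoSize
```

The script only reads the registry; removal is left to OTL (or to `Remove-ItemProperty` once you have looked at each entry), because an orphaned GUID under the Toolbar keys is harmless on its own and a Run entry with a missing file may belong to software the user intends to reinstall. Entries that come back after a reboot point at a process or scheduled task that is re-creating them, which is the case where the OTL fix alone will not be enough.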

Running this now. The status bar says “killing processes, do not interrupt”, and I have left it. Does it normally take a long time for this step of the fix?

If it completes, I’ll have my sister use the laptop and determine whether it is behaving normally. I’ll report back.

OK, it is MBAM stopping it.

Stop OTL and run this fresh script:


:OTL
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://search.chatzum.com/?q={searchTerms}
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-982589402-2606329012-1961160341-1006\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [] File not found

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

Here’s the log for the scan.

Let me know when she is happy and I will tidy up :)