sofsof007
isoHunt Supporter

Joined: 09 Mar 2009
Posts: 15
Location: LALALand
Status: Offline
Reputation: 11
|
Need your help, guys. I'll try to make this brief (ish).
My HP Pavilion laptop was getting very slow and then started doing weird things, like: the sound icon in the launch tray vanished, the laptop would start ringing like crazy, upon starting, some keys suddenly being disabled, or letters of one word I would type, scrolling 100 lines apart. It was a gradual process but it got worse and worse. AVG and Adaware found nothing.
A couple of days ago, I used all utilities I could get my hands on and the computer worked great and fast. Except... the next day got bad again. Downloaded Avast and only on boot scan it found Win32:PUP. It put it in a vault. Everything was working great again.
This morning - laptop is going crazy, doesn't even boot beyond the HP logo, deafening ringing I can't stop, keys don't respond. I was eventually able to boot through F12, I think, but the keys were still not responding. Pushing everywhere, I somehow managed to open Avast, which said that everything was A-OK. I tried to run another boot scan - everything crashed. CTRL ALT DEL did nothing, the screen was just jumping. Anyway - I had to force the shut-off manually and even that didn't work right away.
I have since read that Win32:PUP can hide and bring itself back to life, so to speak, when the system is off, but I thought that if it was quarantined it would be blocked.
What do I do now? Help, please.
|
|
|
 |
gsxr_rider
Comment Mod

Joined: 30 Aug 2009
Posts: 4889
Location: New Zealand last seen heading that => way
Status: Offline
Reputation: 2456
|
certain things can trigger virus activation, some reside in the registry so every time you boot they are activated so quarantining it is pointless unless you get the source
honestly, if you can only get as far as the logo I would go with full format and reinstall operating system
it's going to save you in the long run |
_________________
|
|
 |
sofsof007
isoHunt Supporter

Joined: 09 Mar 2009
Posts: 15
Location: LALALand
Status: Offline
Reputation: 11
|
| gsxr_rider wrote: |
... if you can only get as far as the logo I would go with full format and reinstall operating system
it's going to save you in the long run |
Thanks, rider. I do know that reinstalling is an option but I'm not ready for that yet, plus - I lost my boot CD when I was moving. SOMETIMES it does boot, though I didn't try again after today's craziness, but if it does - I'd like to try something, if possible.
I found these removal instructions: http://blog.teesupport.com/permanently-remove-win32pup-gen-manually-delete-win32pup-gen/
but I would need a little bit of hand-holding to do it, especially in the state the laptop is in (I'm a good study), and also I'm not sure whether the suggestion is even kosher.
Question about Avast: in a regular scan, it decides itself on a fix or recommends one. In the boot scan, it just gave me options, such as "heal", "delete", "put in a vault", etc. Frankly, I didn't know what to choose so I picked what I see most often. Should I have picked something else?
|
|
|
 |
djdezzie
VIP

Joined: 15 Jul 2008
Posts: 7811
Location: Retox and loving it!
Status: Hidden
Reputation: 2145
|
|
 |
gsxr_rider
Comment Mod

Joined: 30 Aug 2009
Posts: 4889
Location: New Zealand last seen heading that => way
Status: Offline
Reputation: 2456
|
normally yes but with this virus heal, delete or put in vault only gets rid of the symptoms not the problem
try the guide djdezzie posted as it looks to target it specifically and may be your best way as it's listed as an extremely hard one to get rid of
get these, install and update. good prevention software to have
ccleaner
Malwarebytes
Spybot-S&D
rKill
reboot and run in safe mode F8
run rKill and wait until you get the log in notepad, it will take a while (up to 5 minutes)
run ccleaner. on tab cleaner and registry click analyze click run cleaner. repeat until nothing comes up on analyze
run Malwarebytes
run Spybot
reboot in normal mode
see how that goes
you may have a reply to your post at geekstogo by then
http://www.geekstogo.com/forum/topic/317507-win32pup-i-think-laptop-went-berserk-is-an-understatement-help/ |
_________________
|
|
 |
iamnephilim
Comment Mod

Joined: 03 Mar 2009
Posts: 8936
Location: Sandy Bridge
Status: Hidden
Reputation: 3359
|
you shouldn't need a boot disc unless you deleted the recovery partition, HP has included one for years on their machines. personally i would just go with a fresh install rather than waste hours/days fighting problems. during startup it's f10 or f11 or something like that it normally tells you during startup the f key for it. |
_________________
|
|
 |
sofsof007
isoHunt Supporter

Joined: 09 Mar 2009
Posts: 15
Location: LALALand
Status: Offline
Reputation: 11
|
Thank you guys. I don't even know if this site is legit...
http://www.cleanpcguide.com/download/
Plus, they don't mention my specific virus.
Maybe I'm being paranoid now, but it looks suspicious to me.
Not getting any help in the other forum. Other similar questions, posted a day after mine got dozens of replies...
I think had I posted my question as a guy - I would have had many more responses. I'm not even a PC person, and in this case, I mean "Politically Correct."
|
|
|
 |
gsxr_rider
Comment Mod

Joined: 30 Aug 2009
Posts: 4889
Location: New Zealand last seen heading that => way
Status: Offline
Reputation: 2456
|
finding a legit site is half the problem. the link you posted says C:\Windows\System32\spoolsv.exe is the virus. that's bogus for starters, it's Print+Fax Spooler
Spooling allows you to print in the background without your computer being tied up.
| sofsof007 wrote: |
| Not getting any help in the other forum. Other similar questions, posted a day after mine got dozens of replies... |
did the other replies have anything that would help you?
| sofsof007 wrote: |
| I think had I posted my question as a guy _ I would have had many more responses. |
well actually I found it to be the other way around
try the software I listed and follow the instructions but after running rKill do a clean install of your antivirus. Avast is a good program but some viruses can remove themselves from the definition database
run in safe mode with network enabled
run rKill (terminates known issues)
install and update keeping it in safe mode
avast
ccleaner.
Malwarebytes
Spybot
and run all
and see how you go. it will get most but as I already said, from what I found it is a difficult virus to remove.
also known as,
Backdoor.Ciadoor.B
VBS.Masscal.Worm (vbs)
Hacktool.Privshell
the one thing in your favour is it's been around since 2003 so it's not like you're trying to get the latest virus
as nephilim said, if you haven't removed the partition where disk recovery is I wouldn't rule out the format and reinstall option
keep us posted |
_________________
|
|
 |
sofsof007
isoHunt Supporter

Joined: 09 Mar 2009
Posts: 15
Location: LALALand
Status: Offline
Reputation: 11
|
Real time report:
gsxr_rider, I may have misunderstood you and thought I should run the programs you listed in a previous comment in safe mode, and THEN run it again as stated in your last comment - in Safe Mode WITH Network Enabled.
Anyway, had to restore to a restore point from last night, to do anything. While in regular Safe Mode, I found that the restore deleted Malwarebytes, which I downloaded much earlier than the restore point, I think.
Ran rkill 3 times, it never worked, even though I waited 6-7 minutes each time. I did have SuperAntiSpyware downloaded, ran that. Crashed. Looked in processes, there were 3 rkills running... Stopped that. Supera crashed again, now, on the third try it's running. It has now run for 1 hour and 30 minutes and found:
Memory Items
Scanned: 250
Detected: 0
Registry Items
Scanned: 31980
Detected: 66
File items
Scanned: 4025
Detected: 1
1 Adware.Tracking Cookie
and
66 (!) Security.HiJack[ImageFileExecution]
Again - THANKS for trying to help.
P.S. I just read that I should have disabled System Restore prior to this "operation", to prevent the malware from re-appearing, but it cannot be disabled in Safe Mode. Advice? |
|
|
 |
gsxr_rider
Comment Mod

Joined: 30 Aug 2009
Posts: 4889
Location: New Zealand last seen heading that => way
Status: Offline
Reputation: 2456
|
that's the problem with this media, people interpret txt differently
| sofsof007 wrote: |
By the way - again - thanks for trying to help. |
no problem, hope it works is all
was reading up on this malware and I get conflicting stories, the only thing they are all certain is it's hard to get.
so, want to try and get the most aggressive scan we can so run them all in safe mode for starters
so to recap step by step
download rKill
start in safe mode and run rKill. as you have so much rubbish running in the background it could take a really long time for the log to appear in notepad so if you have to, walk away.
do a new install and run of each software but don't let it reboot if it's part of the install process just yet. just move on to the next program, install and run. don't want to give it a chance to move or whatever, and as it's an older virus I'm hoping each program can identify it without the update
once you have gone through them all, hoping they have picked up a heap, reboot back to safe mode and run whatever required the reboot for installation.
run rKill again and run all programs again.
reboot back to safe mode with network enabled and run rKill. update whatever needs updating and run them all again.
unless someone else has a suggestion, that's about the most aggressive scan I can suggest.
pointers, you should only have 1 antivirus program as they can conflict with each other. you said you had Avast. it's a good one so stick with it
you should be able to have superantispyware there with Malwarebytes and spybot
the trial version of superantispyware doesn't have real-time blocking, um, I don't think Malwarebytes does either so you may want to consider buying a paid version to give yourself the added protection
well that's your evening blown, hope it works, let us know how you get on |
_________________
|
|
 |
thetazzzz
isoHunt Supporter

Joined: 04 Oct 2008
Posts: 7505
Location: Area 51
Status: Hidden
Reputation: 1770
|
If it's that bad I would uninstall Avast !!
Then get a trial of ESET NOD32 Antivirus
or Kaspersky don't have both or they will conflict then run a full scan with system restore disabled ..If that sorts it out I would remove the trial then install Avast again with the other apps already said.. |
_________________
Learn how to spot fake torrents
|
|
 |
sofsof007
isoHunt Supporter

Joined: 09 Mar 2009
Posts: 15
Location: LALALand
Status: Offline
Reputation: 11
|
Thank you, guys.
I wanted to give SuperAntispyware a chance to finish the scan, before I proceed with your suggestions, especially since it found things other scans did not, BUT...
it has been running, in Safe Mode, for 4.5 hours now!
It's not crashed, because I see names of different files being scanned "running" under Scanning Progress, but 4.5 hours? Even on an older laptop?.. It hasn't detected any threats after the 67 it got in the first two minutes of the scan. Is it at all possible to run that long or do you think it's the malware making it go in circles?
What say you? |
|
|
 |
cbilljones
VIP

Joined: 10 Sep 2006
Posts: 4168
Status: Offline
Reputation: 1186
|
What is the model of laptop?
What OS?
Right now you should be backing up any important data and preparing to reinstall. There is always a way to get an install disc providing you have a valid serial key.
Also as iamnephilim said, you most likely don't even need an install disc; most laptops have a restore partition. |
_________________
|
|
 |
sofsof007
isoHunt Supporter

Joined: 09 Mar 2009
Posts: 15
Location: LALALand
Status: Offline
Reputation: 11
|
| cbilljones wrote: |
What is the model of laptop?
What OS?
|
HP Pavilion dv6000
Windows Vista
I saved my documents already, which was the most important thing. On SAS forum, it says that if I stop the scan, it will still get rid of what it already found, and that I should run ComboFix.
I don't like giving up, but it's been a few evenings and a full day today already...
I've been wanting to ask a question from the very beginning, but felt that it would be like insulting a gracious host who just served you a huge dinner, but I'm ready to ask now.
Should I assume that I got all my problems from this site? |
|
|
 |
iamnephilim
Comment Mod

Joined: 03 Mar 2009
Posts: 8936
Location: Sandy Bridge
Status: Hidden
Reputation: 3359
|
people are responsible for what they do and cause their own problems by not checking things first and downloading shady stuff.
this site has nothing to do with that, it's merely a search engine (think google). |
_________________
|
|
 |