Dis-ApplePear

Honorary Members
  • Posts

    47
Everything posted by Dis-ApplePear

  1. Alright, it's done. I'll attach the Kprm log. It's finally done, really all of this took a lot more than I expected it would. When using Kprm I forgot to turn off my antivirus so it was detected as malware, stopped mid process and had to start over, derp. Had to use it twice because of this, so I'll attach the two logs that came out for each instance, just in case. Really, man, thanks a lot for all the help. The log looks alright? I checked and all the stuff was properly removed. If it worked out well then I guess this would be it. kprm-20230507185522.txt kprm-20230507184835.txt
  2. Sorry for the delay. I updated the programs as you indicate. Here's a second SecurityCheck log, just in case. Doesn't seem anything is left to update so it should be well. Just want to make sure before cleaning up everything with kpRM. SecurityCheck.txt
  3. Alright, good to know it worked out well. Here's the Security Check report. From what I'm getting, Discord, Winrar and Zoom need to be updated, at the very least, but can't tell much else. SecurityCheck.txt
  4. Alright, it's done. Everything seems alright? Here's the fixlog. Fixlog.txt
  5. Wow, thanks man, thanks for all the help really. I'll run the script and let you know how it turns out. Gimme a bit.
  6. Really? Huh, well if it's registry I see why I would completely miss them. Thanks for all the help and patience, dude. Do you need anything for the script? A new run with Farbar or such?
  7. I actually did try the Creative Cloud Cleaner Tool before I made this topic (among other methods), but it didn't work for me, for that reason I decided to ask for help here on Malwarebytes. I had managed to uninstall from Control Panel both Adobe Acrobat and Creative Cloud before using the removal tool so I don't know if it would have worked on them, but the removal tool didn't do anything to Photoshop and Illustrator. Maaaaybe it worked on Adobe Genuine Software given that when I tried to uninstall it again after using the Cleanup Tool it said that the program was already removed and offered me to remove it from the list, which could be done without issue (or maybe reinstalling Creative Cloud restored the missing uninstall file, which was the original issue, and then I could just get rid of it with the Cleanup Tool). But, all in all, the fix you gave me worked well and all Adobe Programs are gone. They still showed up in the program list initially, but without their icons, as if they were incomplete, and when I used control panel to uninstall them it simply said those Adobe programs were no longer in the PC so they could be removed from the program list altogether and no longer appear. I also ran the Adobe Creative Cloud Cleaner Tool once more and the only Adobe stuff it detects on the PC is something called "Fix Host File" and something called "Clean All" (Don't know what these are, but they don't appear in the Program List); Photoshop, Illustrator, Creative Cloud, Acrobat and Genuine Software, all that stuff is gone, even the things that were set to autorun when the Windows got started.
  8. I find it a bit funny that after we commented Adobe isn't malware it ended up on the Malware removal section for completely unrelated reasons, lol. Alright, sorry for the delay. Ran the script as you instructed and everything seems good so far? The programs still appear on the program list, but without their icons, just a generic one, but when trying to remove them through the control panel it openly says the Adobe programs are no longer on the PC and they can just be removed from the list, so everything seems to have worked out. Not gonna lie, I was pretty nervous at first because you warned that misuse of the fix script could cause permanent damage to a machine, so I was pretty wary with doing every step properly, but everything worked out in the end it seems. I'll attach the resulting log I got after the fix. Fixlog.txt
  9. My bad, my bad. I didn't mean that Adobe was a malware or anything, more along the lines that removing the programs wasn't going to mess up with important files of the PC and stuff like that. But glad to get confirmation that that's not the case. I tried to download the fixlist file but it's no longer available (I get a message saying it either was removed or the person sharing it doesn't have permission to share it on that location). Maybe I took too long? (sorry if that was the case). In order to use it I have to use the Farbar Recovery Scan Tool? Mostly asking because the file you mentioned is called FRSTEnglish.exe, while the one I get from the download page is FRST64.exe, however it does have the "fix" option so I am guessing they are the same. Correct? Essentially, put the fixlist and the FRST exe in the same folder and click "fix".
  10. Just to make sure, it's not harmful or anything, correct? Adobe is just media software in the end. Worst case scenario I can simply re-download Creative Cloud and use that to get whichever Adobe software I might need if said need ever arises. All in all, the ones I really need help to uninstall are Photoshop and Illustrator which just refuse to be gone. There should not be issues trying to uninstall Creative Cloud with control panel or a less aggressive way. Just in case that removing everything with a script is a bit too forceful or anything. Sorry for dancing around the issue a bit more, but just want to be careful about it. Thanks for the patience, AdvancedSetup.
  11. Sorry for the delay, here it is. I noticed that there's something called Adobe Refresh Manager that's hidden. Given that Creative Cloud was just re-installed and I removed it before I don't think it will be an issue to uninstall it again. Genuine Software popped up again after rebooting, but when I tried to uninstall it it actually did give me the option to do so and I could uninstall it. The big issue are Photoshop CC2019 and Illustrator 2019, since those two kind of refuse to leave. I could try just deleting their files from the folders? But wouldn't that leave traces anyways? Also, saw something called AdsInfoCls. What is that? FRST.txt Addition.txt
  12. Okay, actually dug everywhere and found the old Adobe Credentials and downloaded Creative Cloud again, but that had no effect. None of the software stuck on my PC had an option to be removed in Creative Cloud (it even treated Photoshop and Illustrator as if they weren't installed yet) and trying to remove them from Uninstall Program gave the same errors. Now, I did try something different and went to Control Panel and the option to uninstall programs found there. It got mixed results. Genuine Software gave an error that said that the program was already uninstalled and whether I wanted to remove it from the program list, I did so and it's gone from Uninstall Program as well. I also can't find files of it in the discs so... I think that worked out? On the other hand, Photoshop and Illustrator give the same error and can't be removed, said error states "Specified product is not installed on this machine. Please quit the installer and start over" referring to Adobe Installer (I'm guessing, because Photoshop and Illustrator are very much in the PC, I can start up both programs in fact). UPDATE: While Photoshop and Illustrator run after all, when I tried to run them before they sent me to a login screen and since I didn't have my credentials I just closed the program. But now I actually tried to login to see what I could find and it gave me the same error when trying to uninstall them "Specified product is not installed..." etc. Which is strange, all their respective files are there on the folders and go up to 2GBs in size. It's not like the programs are not there. UPDATE 2: I did find the Adobe Installer EXE in a different folder. It most likely came when I reinstalled Creative Cloud since its creation date is today. UPDATE 3: Urgh, sorry about all of these. Well, found a folder called Adobe Genuine Client, was wondering if it's related to Genuine Software or it was something else.
UPDATE 4: Found an uninstaller.exe file among the Adobe folders, actually tried moving the installer and uninstaller to the photoshop folder to see what happened but of course it didn't work. Nothing happens when I execute them either.
  13. Since I don't use Adobe software at all I thought to uninstall it altogether. However, it's incredibly stubborn to get rid of. While I could use Creative Cloud Uninstaller to remove Creative Cloud and could uninstall Acrobat Reader with the Uninstall Programs option from Windows, the rest just remains there (Photoshop, Illustrator and Adobe Genuine Service). Creative Cloud doesn't reach them, I tried the Creative Cloud Cleaner Tool but it failed to remove them (and honestly, don't know if it did anything at all), and when I try to use the Uninstall Program option, they all refuse to be removed because they are missing an uninstall file (Photoshop and Illustrator show an error that says that Uninstall.exe is missing in the proper folder, while Genuine Service says it's missing AdobeCleanUpUtility.exe). There's also a lot of older Adobe files lying around occupying space that I could manually delete, but don't know if that would accomplish anything. I looked around for info on the matter. Adobe's solution is to use Uninstall Program (which flat out doesn't work in this case), use the tools mentioned above which only had partial success or redownload Creative Cloud and use that to uninstall everything, however, if I even have an account it's lost, and don't want to register on Adobe just to get rid of their stuff I never use (and, quite frankly I don't trust I can uninstall their software this way, pretty sure I'll just be stuck with their things with their uninstallable software). The other is to use uninstaller programs. I've seen some recommended and maybe this is the way to go, but before downloading software that may be harmful to my PC I wanted to ask what do you guys think and if you had any recommendations. Sorry for the mundane question, but I'm really not getting anywhere on my own. Thanks as usual for all the help.
  14. Alright, done so. Ran KPRM which made its cleanup and attached the logs as well. The only thing it didn't delete was the Kaspersky Removal Tool (the one to remove Kaspersky Programs, not the Antivirus one) and the Txt files it created when it was run, but I could simply delete those manually. Everything is looking good now, so I'd say we're finally done. Thanks again for all the help and patience, AdvancedSetup. Granted there was never really an issue, but it was good to make sure and I kinda dragged on this quite a bit, so again, thanks big time, man. kprm-20230217025554.txt
  15. Done, sorry for the late reply. Attaching the logs. I actually managed to delete the file, surprisingly. To complete some Windows updates my PC restarted, so when I tried again to delete the KVRT folder with the file, this time I actually could get rid of it. My guess is that when you run the Kaspersky Virus Removal Tool the file activates and remains active, and given I hadn't restarted or turned off my PC since then, simply suspended it, it remained active, thus when the PC restarted on its own for the updates, since Kaspersky hadn't been used this time around, the file wasn't being used and could be deleted. Still, attaching the logs just in case to see if there's anything left. If not I'd only have to use KpRm to remove the remaining tools and we'd be done, right? Addition.txt FRST.txt
  16. Alright, everything good in the PC overall. No worries regarding the original issue, so that is all well. Thanks, AdvancedSetup, for all the help, once again. The only thing left is to delete the KVRT folder. The Kaspersky Removal Tool doesn't seem to work, it doesn't detect the Kaspersky Virus Removal Tool and then tells me no programs were found and gives me the option to manually look for the program I want to remove from a list, but the Virus Removal Tool doesn't appear in it. I tried deleting the files individually in the KVRT folder. Fortunately, all files could be deleted, with the sole exception of a system file called klupd_ad761127a_arkmon.sys, which constantly tells me that it's in use so I can't get rid of it. EDIT: Looking at klupd_ad761127a_arkmon.sys' properties, it's a Kaspersky Lab Anti Rootkit Monitor Driver.
  17. Alrighto, here are the logs. Ran this last cleaning and everything in order it seems. Just to make sure of it (and to let know over here to the person who asked me to make this thread, so they can also be at ease) the logs are fine, right? No corrupted or strange files or anything? All programs are up to date, I updated them with your help the last time I received help over here, so no issues there. The closest thing I can think to a "strange" behaviour was when I ran Eset and the program closed by itself when changing whether I wanted to send data or not, but all I had to do was to open it again and it ran normally, so I wouldn't call it a problem or anything. Sorry for this stubbornness, BTW, but it's only to let the others know the full picture. If everything is indeed fine, then we're good and we can close this thread. Everything is working fine at least. EDIT: Unrelated, but... how do I remove the Kaspersky Virus Removal Tool folder from the PC? Kprm only deleted the Exe file, but a folder remains in C: which I can't just delete because it mentions being in use. It doesn't seem Kaspersky is still installed as Remove Programs doesn't list it. mbst-grab-results.zip kprm-20230214224155.txt
  18. Well, followed the instructions. I don't store passwords, payments or anything in Chrome, nor I actually sync any accounts, so that wasn't an issue. Though I did follow the instructions to reset everything, after which I reinstalled Malwarebytes Browser Guard, McAfee Web Advisor and installed uBlock replacing Ad-Block. Chrome isn't working strange or anything and there hasn't been any issues fortunately, so worst case scenario it cleaned up things. The detection was a single instance that never really repeated. Now there was another case of the same type of detection yesterday, but this time it didn't happen by itself, I legitimately came across a site that made a fishy connection in it when looking for a comic online. I actually verified it this time, the first time I got the notification, I cleared the history in chrome, entered the site again and got the same notification. All this makes me think that the first notification (the one I made this topic for) could have really been just an iffy connection on a website when I was browsing, rather than my PC having Malware or something, as the only other case was indeed because of that and all cases of other people having something in their PCs that causes outbound connections causes the warnings to pop up repeatedly, which hasn't happened to me fortunately, and neither there has been any weird behaviour or malfunctions either.
  19. Hello, again, and sorry for coming back so soon. The other day when navigating online I got a message from Malwarebytes indicating a connection or website had been blocked. The description it had mentions that the type of event was "Compromised" and it was "Outbound" (Saliente in Spanish), done by Chrome in chrome.exe if I recall correctly (apologies, I am not simply putting a screenshot because I deleted the detection by accident with a misclick). Initially I didn't pay much attention to it, it's the first detection I've gotten in several months and simply assumed that Malwarebytes was doing its job and that coming across fishy connections was unavoidable at some point. But I was told I should be careful with it, as "outbound" means that my PC is the one trying to connect instead of someone breaking in and it may indicate undesired stuff inside the computer. Now, I made a scan with Malwarebytes (quick, full and full with Rootkits), Windows Defender, McAfee, Microsoft Security Scanner, Kaspersky and Eset and nothing was found. To be fair, my PC doesn't have any weird behaviour or issues and I only got a single detection that never repeated and nothing else after that, unlike other people with a similar issue who get repeated detections in short periods of time or legitimate malfunctions in their computers, from what I could gather. I insisted that it may just be what I mentioned above, but was told to better be safe than sorry and came to ask for a hand. I ran the Malwarebytes Support Tool. I'll attach the logs. Thanks in advance and apologies if this is making a storm in a teacup. mbst-grab-results.zip
  20. Hey, just wanted to mention that everything works alright and no issues. Thanks a lot, AdvancedSetup for all your help and especially all your patience with all of this. Even if Tamper wasn't really an issue, this also helped to update everything and ensure the PC was alright. Really, thanks man.
  21. Will do, thanks. The read is being helpful so far. Just to bring this to an end. The final logs I sent look clear? PC is working well and all and we were good so far with the procedures. Sorry for dragging this. This is the last stretch, promise.
  22. Alright, did so. KpRm essentially cleans the logs and removes all the programs I used during this process to scan and clean my PC, correct? Smartscreen was actually wary of this one, this time around. I actually did it twice, once following the procedure we were doing so far and later once again after trying Safety Scanner one more time for what I describe below: Before using KpRm for the second time, I made a test of sorts on my end. I manually disabled Defender and ran the Microsoft Safety Scanner to see if anything happened and yup, it actually detected the VirTool:Win32/DefenderTamperingRestore as a Trojan again. Defender was disabled the first time this detection happened (the instance that prompted me to make this thread). My take here is that any time Defender is disabled for one or another reason, Tampering Restore will kick in to try to enable it and Safety Scanner will detect it as a Trojan. Though I still don't quite get why. I mean, if Tampering Restore is officially part of an update and Safety Scanner being a Microsoft product, shouldn't Safety Scanner recognize it (I did download the newest version of the page, so I don't think it was because Safety Scanner wasn't updated). Another thing that I am wondering about is that Tampering doesn't reactivate Defender, if Windows Defender is disabled I have to manually enable it myself. Sorry for keep dragging this, but I simply want to know. It was the reason I made this topic after all. Though I really appreciate all the help to ensure my PC is clean. Here are the logs of the KpRm (before and after this last Safety Scanner) as requested and the last Safety Scanner, just in case. And, really man, thanks for all your help and patience. msert.log kprm-20230121205933.txt kprm-20230122114935.txt
  23. Okay, so, my PC is clean according to all the reports, correct? There has never been weird behaviour or anything and now it's cleared up that the "virus" that was found was essentially a false positive. But just want to make sure. Regarding McAfee, yeah, would be good to do a final cleanup if necessary. My main antivirus is McAfee Livesafe so most elements must be from that, and I'd rather leave those, but if there are some remaining that snuck in or still remain after Adobe installed stuff without permission. IIRC, the ones that snuck in with Adobe were McAfee Safe Connect and McAfee Security Scan Plus both which I managed to remove from my PC (I think no trace remains). BTW, man, thanks a lot for all your patience and help here.
  24. Okay, updated the programs. Adobe was a nightmare (Reader sneak installed two McAfee programs that were a pain to uninstall) and got rid of Bonjour. My PC is working well, nothing strange. To be fair, it never showed any strange behaviour nor issues aside from detecting the Defender Tampering Restore the first time around which never did again (decided to run Safety Scanner one more time and everything is clean). From what I am getting, the Defender Tampering Restore was added in the Windows Update at some point and is normal, but it was mistakenly identified as a Trojan by Security Scanner, correct? I'll attach the latest Security Check log as well. SecurityCheck.txt
  25. Alright, here it is. I didn't have any problems installing or running the program, Smartscreen didn't say anything. I noticed that the SecurityCheck says that "McAfee Firewall Core Service (mfefire) - The service has stopped" but the Firewall option of McAfee is On and currently working. SecurityCheck.txt