thedriver (Honorary Members, 22 posts)

Everything posted by thedriver

  1. Thanks Maurice, Attached. Malwarebytes Antimalware has run and cleaned up the detections again. MBST has run this time and been able to complete without blue screening (I did also get a Windows version update in the interim). mbst-grab-results.zip
  2. Thanks Maurice. I can't run the MBSupport Tool to Gather Logs. When the FRST component runs, my computer blue screens; this happens every time I run the tool and always when FRST is running.
  3. I also scanned with ADWCleaner whilst Chrome Sync was disabled and removed the threats it found (except for Preinstalled software). See attached scan results from yesterday: AdwCleaner[S17].txt AdwCleaner[C17].txt AdwCleaner[S18].txt AdwCleaner[C18].txt AdwCleaner[S19].txt And then scan results from ADWCleaner again from today: AdwCleaner[S20].txt
  4. Detection of 13x PUP.Optional.Push.Notifications has recurred even after removal. See attached scan from yesterday before removal: Malwarebytes Scan Results 2020.09.21.txt I followed instructions provided by Malwarebytes on the forum here to disable Chrome Sync, delete online data, remove the threats, then re-enable Chrome sync. However, after a reboot and a new scan by Malwarebytes, the threats are back. See attached scan from today: Malwarebytes Scan Results 2020.09.22.txt Can you please advise how I remove these? Thanks in advance. Malwarebytes Scan Results 2020.09.21.txt Malwarebytes Scan Results 2020.09.22.txt
  5. @AdvancedSetup Thankssssss! That appears to be a winner. No more notifications from MB3. Is there any way to offer advice why MB3 didn't block this in the first place? I've been using MalwareBytes Premium for years now and I'm really disappointed that it didn't prevent this.
  6. Thanks @AdvancedSetup I've followed those steps (although I didn't delete my favicons and Custom Dictionary files as well). Just restarting now - I'll come back when I have confirmed it is working or not.
  7. Thanks Aura, very much appreciated. I have switched to using Firefox for the moment, but haven't received the same prompts from MalwareBytes.
  8. Attached MB3 and ADWCleaner scan logs AdwCleaner[S13].txt mb3log-2018.08.23-09.57.txt
  9. Thanks Ron, I followed that (even though I initially said in my post I don't believe it applies to my situation). It appeared to clean, however on launching Chrome, the threat has come back. As noted MalwareBytes ONLY detects the outgoing connection to coin-hive.com, nothing more. MB3 does NOT detect any malware on my system when I run a Threat Scan.
  10. I was wrong - I have just been alerted by MalwareBytes again that it has blocked a connection from Chrome to coin-hive.com and ADWCleaner is again showing the same three detected items. Can I please have some assistance?
  11. I seem to have fixed this on my own after using a range of tools and Windows safe mode.
  12. I've attached a pic of ADWcleaner scan and log and MalwareBytes (Premium) scan. ADWCleaner clearly shows the detections (which are not cleaned after a reboot), yet MB3 doesn't even detect them (nor did it stop them when I initially got infected). I've already read the sticky about "Chrome Secure Preferences detection always comes back", but that doesn't apply. A: Chrome isn't restarted before running a second scan with ADWCleaner (after the first scan/clean/reboot). B: I have Chrome sync enabled, but this is an app that has been removed from the Chrome web store because it was infected, so it can't sync anyway. C: I don't have other devices being powered on that I sync Chrome with anyway. D: The extension ID for the detection in ADWCleaner (nonjdcjchghhkdoolnlbekcfllmednbl) doesn't exist in my Chrome appdata anywhere.
  13. I've just bought myself a new laptop because my last was running so slow, installed everything and after signing in to Chrome got a notification from MalwareBytes Anti-Malware that it's blocked a website connection to coin-hive from Chrome. Here's the report from MalwareBytes:

      -Log Details-
      Protection Event Date: 16/08/2018
      Protection Event Time: 18:37
      Log File: a751317a-a12f-11e8-96bb-106530112b02.json
      Administrator: Yes

      -Software Information-
      Version: 3.5.1.2522
      Components Version: 1.0.391
      Update Package Version: 1.0.6367
      Licence: Premium

      -System Information-
      OS: Windows 10 (Build 17134.191)
      CPU: x64
      File System: NTFS
      User: System

      -Blocked Website Details-
      Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0

      -Website Data-
      Category: Malware
      Domain: coin-hive.com
      IP Address: 217.182.164.10
      Port: [56571]
      Type: Outbound
      File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

      I received two more within the next minute and then another about 35 mins later. Subsequent scans with MB3 and BitDefender find nothing though. So I'm guessing it's a Chrome extension as I hadn't really browsed anything at that point. I ran the Farbar Recovery Scan Tool and couldn't see any specific or obvious problems (see attached FRST and Additions files). I subsequently ran RKill so I could run MB3 again (both RKill and MB3 logs attached), but still nothing of any real interest. The rubyw.exe files found by RKill were a little concerning, but I also thought they may be associated with Private Internet Access. I ran ADWCleaner though and got a very different result - see attached ADWCleaner S00 log. ADWCleaner detects a Chrome extension: nonjdcjchghhkdoolnlbekcfllmednbl. I can't find this in my extensions though. I ran a Google search and found it is Hoverzoom, which I've previously used, and has apparently been pulled from the Chrome Web Store because of malware.

      1. Why didn't MB3 stop and prevent this on either this computer or my previous computer?
      2. How do I clean it effectively?

      After running ADWCleaner I opt for Clean and Repair (see attached clean C00 log), then Restart, but on reboot I'm getting the same symptoms. And sure enough RKill finds the rubyw files again and ADWCleaner finds Hoverzoom again (see attached ADWCleaner S01 log). Addition.txt FRST.txt Rkill.txt MB3_ThreatScan.txt AdwCleaner[S00].txt AdwCleaner[C00].txt AdwCleaner[S01].txt
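The detection in post 13 above is an extension ID that ADWCleaner reports but that the poster cannot find in chrome://extensions or under AppData. The script below is an added example, not code from the post, from Malwarebytes or from ADWCleaner. It searches a Chrome "User Data" tree for every trace of an extension ID: first each profile's preference files (Chrome records installed extensions under the extensions.settings key of the profile's Secure Preferences file, separately from the Extensions\<id> directory that backs chrome://extensions), then the extension data directories, then a raw byte search of the remaining files so that sync databases and LevelDB logs are covered. The sample tree it builds is constructed for the demo; the extension ID is the one from the ADWCleaner log above. Against a real install, run it with Chrome closed on %LOCALAPPDATA%\Google\Chrome\User Data.

```python
"""Locate every on-disk trace of a Chrome extension ID under a 'User Data' tree.

Added example (not from the post or from Malwarebytes/ADWCleaner).  Chrome keeps
installed-extension state in each profile's 'Secure Preferences' JSON under
extensions.settings.<id>, so a removed Web Store extension can survive as a
preferences entry plus sync records with no Extensions/<id> directory at all.
"""
import json
import os
import shutil
import tempfile

EXT_ID = "nonjdcjchghhkdoolnlbekcfllmednbl"  # ID reported by ADWCleaner in the post above
PREF_FILES = ("Preferences", "Secure Preferences")
EXT_DIRS = ("Extensions", "Local Extension Settings", "Sync Extension Settings")
SKIP_DIRS = {"Cache", "Code Cache", "GPUCache"}  # large and irrelevant to extension state


def extension_settings(pref_path):
    """Return the extensions.settings map from a Chrome preferences file, {} if absent."""
    try:
        with open(pref_path, encoding="utf-8") as fh:
            prefs = json.load(fh)
    except (OSError, ValueError):
        return {}
    return prefs.get("extensions", {}).get("settings", {}) or {}


def profile_dirs(user_data_dir):
    """Yield the profile directories Chrome uses: 'Default' and 'Profile N'."""
    for name in sorted(os.listdir(user_data_dir)):
        full = os.path.join(user_data_dir, name)
        if os.path.isdir(full) and (name == "Default" or name.startswith("Profile ")):
            yield full


def find_extension(user_data_dir, ext_id):
    """Return {'settings': [(rel_path, summary)], 'dirs': [rel_path], 'raw_hits': [rel_path]}.

    'settings' are preference entries for ext_id, 'dirs' are its data directories, and
    'raw_hits' is a byte search over every remaining file (sync data, LevelDB logs, ...).
    """
    def rel(p):
        return os.path.relpath(p, user_data_dir).replace(os.sep, "/")

    hits = {"settings": [], "dirs": [], "raw_hits": []}
    needle = ext_id.encode("ascii")
    for prof in profile_dirs(user_data_dir):
        for pref in PREF_FILES:
            path = os.path.join(prof, pref)
            entry = extension_settings(path).get(ext_id)
            if entry is not None:
                hits["settings"].append((rel(path), {
                    "name": entry.get("manifest", {}).get("name"),
                    "state": entry.get("state"),  # raw Chrome value; 1 means enabled
                    "from_webstore": entry.get("from_webstore"),
                    "path": entry.get("path"),
                }))
        for sub in EXT_DIRS:
            d = os.path.join(prof, sub, ext_id)
            if os.path.isdir(d):
                hits["dirs"].append(rel(d))
    for root, dirs, files in os.walk(user_data_dir):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]  # prune in place
        for fn in files:
            path = os.path.join(root, fn)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        hits["raw_hits"].append(rel(path))
            except OSError:
                continue
    hits["raw_hits"].sort()
    return hits


def build_sample_user_data():
    """Constructed sample: one profile that still lists EXT_ID in Secure Preferences and in
    a sync log but has no Extensions/<id> directory, so it never shows in chrome://extensions.
    Real Secure Preferences files carry per-key HMACs under protection.macs (left empty here)."""
    root = tempfile.mkdtemp(prefix="chrome-user-data-")
    default = os.path.join(root, "Default")
    os.makedirs(os.path.join(default, "Sync Data"))
    secure_prefs = {
        "extensions": {"settings": {
            EXT_ID: {"manifest": {"name": "Constructed sample extension"},
                     "state": 1, "from_webstore": True, "path": EXT_ID + "\\1.0_0"},
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest": {"name": "Unrelated"}, "state": 1},
        }},
        "protection": {"macs": {}},
    }
    with open(os.path.join(default, "Secure Preferences"), "w", encoding="utf-8") as fh:
        json.dump(secure_prefs, fh)
    with open(os.path.join(default, "Preferences"), "w", encoding="utf-8") as fh:
        json.dump({"profile": {"name": "Person 1"}}, fh)
    with open(os.path.join(default, "Sync Data", "000003.log"), "wb") as fh:
        fh.write(b"\x00\x01extension:" + EXT_ID.encode("ascii") + b"\x00")
    return root


def demo():
    """Build the constructed tree, search it for EXT_ID and clean up; returns the report."""
    root = build_sample_user_data()
    try:
        return find_extension(root, EXT_ID)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Real use: find_extension(os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data"), EXT_ID)
    print(json.dumps(demo(), indent=2))
```

Two caveats matter for the recurring-detection symptom in this thread. Entries in Secure Preferences are covered by HMACs under protection.macs, so a hand-edited file fails Chrome's integrity check and the tracked values are reset rather than honoured; remove the entry through chrome://extensions or a cleaner that rewrites the MACs. And with Chrome Sync enabled the extension record also lives in the Google account's sync data and is pushed back to every signed-in profile, which is why the later advice in the thread is to disable sync and clear the server-side data before removing the local entry.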
  14. @AdvancedSetup - thanks. I'm guessing that's going to take a while?
  15. @Firefox - Yes, sort of. The term 'antivirus' is somewhat colloquial. MBAM would fall into the category of an antivirus scanner, even though it specifically targets malware. The point of the article is that scanning the specific files and processes can cause significant performance issues or worse. MBAM scans files and processes in the same way as antivirus software, so excluding the processes from being scanned is still necessary. Can someone please assist me to exclude these processes from being scanned?
  16. It may be locked via GP, but if you can add the role, you can do it this way through the GUI: Start > Control Panel > Programs and Features > Turn Windows features on or off > enable Hyper-V features and select OK, then restart when prompted. Or you can install it by running PowerShell as Administrator: Start > type Power > right click on Windows PowerShell and select Run As Administrator > then type the following command: Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All Then restart.
  17. Thanks for the amazingly quick replies. To clarify, I'm not trying to exclude the files from being scanned. I'm trying to exclude the process. The files will still be scanned though by the MBAM file scanner. As per the MS document I linked to, it is necessary to exclude these processes from scans. And I'm trying to do that through the Web Exclusions > Add Process function. And it does the same thing on Windows 8.1. This isn't an OS support issue, this is an MBAM interface issue. @gonzo It is irrelevant that MBAM is running on Server2012 in this instance; this functionality (or lack of) is the same on my Windows 8.1 desktop. If you install the HyperV role on Windows 8.1 and try to exclude these processes from being scanned in MBAM, it does the same thing. MBAM is simply not showing these files as an option to add them as a process. I can show you a screen shot of my Win8.1 desktop doing exactly the same thing, and give you the logs, but it looks exactly the same as from the Windows Server2012. If you look at the screen shot in my first post, you can see the files highlighted (vmms.exe and vmwp.exe) in Windows Explorer on the right side of the screen. But as you can see in the Add Web Process Exclusions window on the left of the screen, those processes don't appear in the list of files. PS. I couldn't edit my original post to change vmss to vmms.
  18. Thanks all for the input, unfortunately I still need an answer. I'm simply trying to exclude two Windows processes from the scan; these two processes are used for running HyperV. If you want to read more about it, this MS Technet article on AV exclusions for HyperV has the info. Hopefully this helps clarify. @theapple00 - I did mention in my post that I couldn't add these files through the File Exclusion option (which is under the Malware Exclusion section). So I can't do it that way and I don't want to anyway. I want to exclude these from being scanned as processes, not as files. So I need to use the Web Exclusions option to exclude the running process from being scanned. @daledoc1 - I'm running MBAM on a computer (Server2012) running HyperV. The processes I'm trying to exclude from scanning are related to the running of the HyperV role - this is the same for Windows 8.1 as well. I really don't know that the diagnostic logs are going to help in this instance, I don't have any issues with detection of malware at this stage (but they're attached). This appears to be an issue with the MBAM interface not allowing me to add specific processes for exclusion from scanning. @1PW - Sorry, I mistyped it in my post; the process should be vmms.exe, not vmss.exe. Original post edited. These processes are exactly what I would want to exclude from MBAM scans. If I continue scanning these processes, the scans can significantly impact the performance of the guest operating systems. I'm okay for the files to be scanned (hence why I don't want to add them to the File Exclusion), but not the process. FRST.txt Addition.txt CheckResults.txt
  19. I'm trying to exclude two processes in MalwareBytes AntiMalware (MBAM). The processes are: C:\Windows\System32\vmss.exe C:\Windows\System32\vmwp.exe I can see both of these files in Windows Explorer. However, when I try to add the processes in MBAM, I can't see these files. I can see plenty of other files in the path (C:\Windows\System32), but not these. <see attached image> Note: I also don't see these in the Add File Exclusions option - not that I want to do that, but it's interesting to note. I've also run MBAM as Administrator and it doesn't make any difference. How do I add these processes to the exclusions?
  20. Whilst I can't say which is better, I can offer only my experience using them both (and I understand they work differently). I had both Threatfire and Malwarebytes installed on my laptop (Win7 Ultimate x64, Intel Core2Duo 2.4GHz, 4GB RAM, 7200rpm HDD) alongside MS Security Essentials. Initially this was fine but recently Threatfire was causing severe slowdowns in all applications. This could be overcome by suspending Threatfire and the problem would be immediately resolved. This was repeatable every time. I have since removed Threatfire and have no further problems. Has anyone else noticed this?