
real time protection -- ineffective?



Hello,

 

I had my mother get Malwarebytes Pro a while back & use real-time protection.  I am somewhat disappointed.

 

Doesn't real time protection check files as they are written to disk, or at least when downloaded or when/before installers are run?

 

She went to install a new version of Adobe Flash (I'm sure we all know how bad Adobe is about bundling PUPs with their Reader/Flash Player software).  And she now has about 5-6 unwanted adware PUPs (the quite obviously fraudulent kind).

 

She clicked "yes" or "OK" to every warning message Malwarebytes put up when the install occurred & it detected these things.  But nonetheless there are 6 of these things installed.

 

Why isn't malwarebytes blocking these things that it obviously detected?  Have I missed some configuration setting?

 

I would think that these adobe PUPs would be like the first thing used to QA each new version of malwarebytes.  How does this get through?

 

A couple side questions:

(1) via teamview I scheduled a boot scan and had her restart.  She said nothing happened.  The weird thing is it shows the last scan as having occurred a few minutes ago, but other than that there is no log.  None of the malware has been removed?  Does a boot scan not get triggered on a restart?  She says that as it rebooted she did not see anything indicating a scan was occurring.  There is no log in the history for the boot scan. 

 

(2) Why is the quarantine list not sorted in order by date?  Why can't I click the column header to make it sort by date?


Followup:  so I ran a regular full threat scan.  It detected a great many items.  I did quarantine all & restart.  Opened Add/Remove Programs in Control Panel and 4 of the unwanted PUPs are still there... I know at least one of them was listed as detected:  "Optimizer Pro".  The others are: "Driver Support", "WSE_Astromenda", "Extended Update".  Do these things have defenses against removal by Malwarebytes?


Thanks for responding... did you mean to add something other than quoting?  Is the default action for Malwarebytes such that the affirmative click will *not* do anything rather than block/quarantine?  (I'll have to check this out... my assumption is it would be "Yes!  Yes, please block/delete/quarantine this nasty bit of software you have detected!  Make it so!  With prejudice!")


Hi,

 

My assumption was that you click yes to allow, but it's only an assumption; I've not had any blocks for a long time, so I could be wrong, and if that's the case I'm sorry.

 

As you say though you'll have to check it out and make sure.

 

I'm sure someone on here infinitely more qualified than me will confirm which action is correct.

 

Kind regards.


I'm also pretty sure 'yes' is to allow it to quarantine.

 

What bothers me more is that a full manual scan supposedly detected & quarantined these items, and yet they were still listed as installed programs.  (Update on that: 2 of the 4 remaining were listed, but upon uninstall said they were already uninstalled & just needed to be removed from the list; however, two of them were still installed and active and completely undetected by a follow-up scan.  I had to manually uninstall them.)


Hello again,

 

I think you misunderstand me: when I said 'yes' to allow, I meant allow it onto your computer, in other words no longer block.  This is only my assumption.

 

The best thing you can do now is to wait for some other forum member that is in the know (hi daledoc1) to give you a definitive answer.


Hello, greylander:
 

The items you mention generally ought to have been detected & removed by MBAM.
However, without seeing either the protection or scan logs or some diagnostic logs from the system, it's impossible to say for sure what's going on.

Here are 2 pinned topics with a lot of helpful information related to your inquiries:

What are the 'PUP' detections, are they threats, and should they be deleted?

The complexity of finding, preventing, and cleanup from malware

 
A couple of thoughts:

  • With a new install of MBAM v2.x, the default settings for both PUPs and PUMs are "Treat Detections as Malware" (IOW to Quarantine them), as shown in the attached screenshot from the settings window.  If those settings were changed (or if the user had them configured differently in version 1.x and then upgraded in place to version 2), then MBAM might either IGNORE or only WARN upon PUP/PUM detections.
  • It is impossible to say what your mother did or did not click, but there are a number of different PUP/PUM notifications from MBAM, depending on whether it's a real-time detection or a scan detection, and depending on how the user has configured the "Detection and Protection" settings (see the attached screen shots from the USER GUIDE).
  • Depending on the actual type of file detected, the user's anti-virus (AV) may detect the file before MBAM does.

Having said all that, in order to be able to better assist you, we would need to see some basic logs:

  1. Please read the following and post back attached to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: FRST.txt, Addition.txt and CheckResults.txt)
  2. Also, please attach the most recent scan and protection logs showing the detections in question -- instructions to do that are here: How do I access and save logs from Malwarebytes Anti-Malware?

OTOH, the most efficient way to sort this out might be to head over to the malware removal section for free, expert assistance.

This pinned topic >>HERE<< explains the options for free, expert help >>AND<< the preliminary steps to expedite the process.

A malware expert will assist you with checking and cleaning the system.

 

Thank you,



First thank you for that very thorough response.  Not sure if you are a malwarebytes employee, or just a fellow user, but I have worked in tech support and appreciate the effort to cover all the useful information that might be required and giving me a number of useful actions to take to move forward.

 

I'm the one who set up her settings, and pretty sure I chose all the most aggressive options, specifically the ones you mention (treat pups as threats).  Realtime protection is enabled, and I am virtually certain she would have chosen quarantine on the popups.

 

I'll have to double-check that the settings are what I remember and see about getting all the log files.  Hopefully you can discern something useful.

 

I do want to point out again that 4 of the PUPs were still listed as installed after a Malwarebytes scan came through clean.  I am fairly certain that manual uninstall of the PUPs was successful (seems they are not so malicious as to circumvent the uninstall process -- but I will double-check that they are still gone tomorrow).

 

I did just now grab the Adobe Flash Player installer, which, it turns out, does not have any of the PUPs that came along with the one my mother was using.  So I think she did not get it directly from the Adobe web site, so perhaps I'm too quick to blame Adobe for bundling these.  I'll see if I can get a copy of the installer she was using, if that would help.  At this point I am mainly interested in why Malwarebytes appears to have been unable to completely detect/remove these items.


Thanks for the update.
Please post back with the requested logs when you're ready, and someone will take a look.
 
Thanks,
 
P.S. No single security application -- not even MBAM Premium -- can possibly protect against 100% of all the innumerable circulating malware variants in the wild.  This is especially so if users do not practice safe computing practices or if they fall victim to the rampant, clever social engineering schemes.
Alas, many (most?) computer infections initiate from the part of the computer between the chair and the keyboard. ;)
Here are a few links with helpful information:
The complexity of finding, preventing, and cleanup from malware
So how did I get infected in the first place?
How did I get infected?
Answers to common security questions - Best Practices
List of well known antivirus products
Six tips to help you stay safer online


Here are the logs.  Hope they are helpful.

 

Of particular interest are the first two scan logs.  In scan1.txt you can see it detecting many pups.  In scan2.txt shortly thereafter it is a clean scan.  At the time scan2 was run, there were 4 pups still listed in the add/remove programs (two of which I later determined were uninstalled, zombie listings).  

 

PUP.Optional.OptimizerPro is one of the ones which was still installed after the clean scan.

 

I had manually uninstalled all the pups, but scan3.txt, from the overnight scan shows how a few snuck back in, which I took care of today.  I am reasonably certain that they are all cleared out now, but will be doublechecking.  (I think I may have inadvertently put them back in while experimenting with the trouble-making installer).

 

I am also attaching the installer that has the PUPs... maybe there is something new in there for which the malwarebytes database needs to be updated.

 

oops, I guess it won't let me... kinda thought that might happen.

 

p.s. I'm hoping that the filenames are retained when this is posted, if not you'll have to go off of time stamps I guess.

 

Addition.txt

CheckResults.txt

FRST.txt

prot1.txt

prot2.txt

scan1.txt

scan2.txt

scan3.txt

scan4.txt


Hello and Welcome to Malwarebytes

The logs indicate that you are still infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you


I went ahead and took a look at the log files.  I'm going to hazard a guess that this is why you say still infected:

 

Malware Exclusions:
===================
Category: File, Exclusion: C:\Users\genie\AppData\Roaming\WSE_Astromenda\UpdateProc\UpdateTask.exe
Category: File, Exclusion: C:\Users\genie\AppData\Local\Temp\AdvanceElite\AdvanceElite.mg.exe
Category: File, Exclusion: C:\Users\genie\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe
Category: File, Exclusion: C:\Program Files (x86)\AdvanceElite\updateAdvanceElite.exe
Category: File, Exclusion: C:\Program Files (x86)\AdvanceElite\AdvanceElite.FirstRun.exe
Web Exclusions:
================
Category: Domain, Exclusion: install.advanceelite.com
Category: Domain, Exclusion: api.advanceelite.com
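The exclusion listing quoted above is the kind of thing worth checking mechanically whenever a scan comes back clean while unwanted programs remain: an excluded file or domain is skipped by both scans and real-time protection, so the listing should be compared against what was detected earlier. The script below is an added example written for this thread; it is not code from the forum, from Malwarebytes, or from the log tools mentioned here. It parses lines in the exact "Category: X, Exclusion: Y" format shown in the post (the sample text embeds those values), and flags entries that name a previously detected product or that point into user-writable staging directories. The list of prior detection names is constructed for the example, since the scan-log format itself is not shown on the page.

```python
import re

# Constructed sample input, in the line format of the exclusion listing quoted
# in the thread (the values are those from that listing; the file itself is assumed).
EXCLUSIONS_TEXT = r"""Malware Exclusions:
===================
Category: File, Exclusion: C:\Users\genie\AppData\Roaming\WSE_Astromenda\UpdateProc\UpdateTask.exe
Category: File, Exclusion: C:\Users\genie\AppData\Local\Temp\AdvanceElite\AdvanceElite.mg.exe
Category: File, Exclusion: C:\Users\genie\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe
Category: File, Exclusion: C:\Program Files (x86)\AdvanceElite\updateAdvanceElite.exe
Category: File, Exclusion: C:\Program Files (x86)\AdvanceElite\AdvanceElite.FirstRun.exe
Web Exclusions:
================
Category: Domain, Exclusion: install.advanceelite.com
Category: Domain, Exclusion: api.advanceelite.com
"""

# Constructed: product names from the earlier posts in the thread (detections and
# Add/Remove Programs entries). The real scan-log format is not shown, so this
# list is an assumption standing in for "what the earlier scan found".
PRIOR_DETECTIONS = ["OptimizerPro", "WSE_Astromenda", "AdvanceElite",
                    "Driver Support", "Extended Update"]

# Directories where bundled installers typically stage their components.
# A file exclusion pointing here deserves review regardless of its name.
STAGING_DIR_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

EXCLUSION_LINE = re.compile(r"^Category:\s*(?P<cat>\w+),\s*Exclusion:\s*(?P<value>.+?)\s*$")


def parse_exclusions(text):
    """Return (category, value) pairs for every 'Category: X, Exclusion: Y' line."""
    entries = []
    for line in text.splitlines():
        m = EXCLUSION_LINE.match(line.strip())
        if m:
            entries.append((m.group("cat"), m.group("value")))
    return entries


def _normalise(s):
    # Compare case-insensitively and ignore separators such as '_', '.', ' ' so that
    # "WSE_Astromenda" matches a path component and "AdvanceElite" matches a domain.
    return re.sub(r"[^a-z0-9]", "", s.lower())


def audit_exclusions(text, detections):
    """Flag exclusions that name a prior detection or live in a staging directory."""
    findings = []
    for cat, value in parse_exclusions(text):
        reasons = []
        norm_value = _normalise(value)
        for name in detections:
            if _normalise(name) in norm_value:
                reasons.append(f"names prior detection '{name}'")
        if cat == "File" and any(m in value.lower() for m in STAGING_DIR_MARKERS):
            reasons.append("file exclusion inside a user-writable staging directory")
        if reasons:
            findings.append({"category": cat, "value": value, "reasons": reasons})
    return findings


def shielded_detections(text, detections):
    """Return (sorted) the prior detections that at least one exclusion entry names."""
    values = [_normalise(v) for _, v in parse_exclusions(text)]
    return sorted(d for d in detections if any(_normalise(d) in v for v in values))


if __name__ == "__main__":
    for f in audit_exclusions(EXCLUSIONS_TEXT, PRIOR_DETECTIONS):
        print(f"[{f['category']}] {f['value']}")
        for r in f["reasons"]:
            print("    -", r)
    print("Shielded detections:", shielded_detections(EXCLUSIONS_TEXT, PRIOR_DETECTIONS))
```

Run against the sample, every one of the seven exclusions is flagged, and the two products named in the exclusions (AdvanceElite and WSE_Astromenda) are exactly the ones a clean scan would never report again until the entries are removed from the exclusion list. The UpdaterEX entry is flagged only for its location, which is the point of the second check: an exclusion can shield something the earlier scan never named.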
