How to remove PUP/PUM's using the cli commands


JBOB

Greeting Experts,

I am hoping somebody on this forum can help me figure out why my mbam-rt utility does not want to remove any malware. I use a .bat script to run mbam-rt (CLI) in the background on computers that are infected with malware. Malwarebytes updates (i.e. mbam.exe /update -silent), runs the scan (i.e. mbam.exe /scan -full -silent -log -remove), and completes. When I look at the log file the action is as follows: "-> No action taken" for each incident found (indicated as a Potentially Unwanted Program, "PUP"). I have used this same process with other systems (i.e. botnets, rootkits, etc.) and it removes the objects with no problem… Is there something that I am missing here… I have looked at the CLI command list in the administrator's guide and it does not show any way to remove the PUPs. Does anybody know how this can be done?

 

 

Logfile below

 

Malwarebytes Anti-Malware Remediation Tool 1.75.0.1400
www.malwarebytes.org

Database version: v2014.12.05.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.17148


Protection: Disabled

12/5/2014 10:48:23 AM
mbam-log-2014-12-05 (10-48-23).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 532372
Time elapsed: 1 hour(s), 24 minute(s), 11 second(s)

Memory Processes Detected: 3
C:\Program Files (x86)\WordProser_1.10.0.2\Service\wpsvc.exe (PUP.Optional.WordProser.A) -> 2920 -> No action taken.
C:\ProgramData\username\fiFoUHEqU.exe (PUP.Optional.SafeWeb.A) -> 2952 -> No action taken.
C:\Program Files\010\hxaxuacnrr32.exe (PUP.Optional.AdPeak.A) -> 2060 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 23
HKLM\SYSTEM\CurrentControlSet\Services\wpsvc_1.10.0.2 (PUP.Optional.WordProser.A) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\fiFoUHEqU (PUP.Optional.SafeWeb.A) -> No action taken.
HKCR\CLSID\{3EBB5099-9732-48AE-B032-58B702D86EEC} (PUP.Optional.WordProser.A) -> No action taken.
HKCR\TypeLib\{03A19B15-6866-4B99-97A7-57F359C40931} (PUP.Optional.WordProser.A) -> No action taken.
HKCR\Interface\{D5BCB6C9-3ED8-460D-95F3-BCC309AD1D29} (PUP.Optional.WordProser.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3EBB5099-9732-48AE-B032-58B702D86EEC} (PUP.Optional.WordProser.A) -> No action taken.
HKCR\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C} (PUP.Optional.WebSteroids.A) -> No action taken.
HKCR\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6} (PUP.Optional.DynConIE.A) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\hxaxuacnrr32 (PUP.Optional.AdPeak.A) -> No action taken.
HKLM\SOFTWARE\WordProser_1.10.0.2 (PUP.Optional.WordProser.A) -> No action taken.
HKLM\SOFTWARE\GLOBALUPDATE\UPDATE (PUP.Optional.GlobalUpdate.T) -> No action taken.
HKLM\SOFTWARE\Google\Chrome\Extensions\fjbbjfdilbioabojmcplalojlmdngbjl (PUP.Optional.SmileysWeLove.A) -> No action taken.
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SAFEWEB (PUP.Optional.SafeWeb) -> No action taken.
HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10 (PUP.Optional.GlobalUpdate.A) -> No action taken.
HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4 (PUP.Optional.GlobalUpdate.A) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\wpnfd_1_10_0_2 (PUP.Optional.WordProser.A) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\globalUpdate (PUP.Optional.GlobalUpdate.T) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE (PUP.Optional.GlobalUpdate.T) -> No action taken.
HKCR\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298} (PUP.Optional.GlobalUpdate.T) -> No action taken.
HKCR\globalUpdate.OneClickCtrl.10 (PUP.Optional.GlobalUpdate.T) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298} (PUP.Optional.GlobalUpdate.T) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5645E0E7-FC12-43BF-A6E4-F9751942B298} (PUP.Optional.GlobalUpdate.T) -> No action taken.
HKCR\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC} (PUP.Optional.GlobalUpdate.T) -> No action taken.

Registry Values Detected: 2
HKLM\SOFTWARE\GlobalUpdate\Update|path (PUP.Optional.GlobalUpdate.T) -> Data: C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe -> No action taken.
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SafeWeb|HelpLink (PUP.Optional.SafeWeb) -> Data: http://www.safewebon....com/about.html-> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 21
C:\Users\username\AppData\Local\SafeWeb (PUP.Optional.SafeWeb.A) -> No action taken.
C:\Program Files\010 (PUP.Optional.AdPeak.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\x86 (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0 (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\Download (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\Install (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\Offline (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\Offline\{5CA8EA98-0FF0-45F5-BC66-DB4DEAF3BE29} (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705 (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\imageformats (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\platforms (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\ProgramData\SafeWeb (PUP.Optional.Safeweb.A) -> No action taken.
C:\Program Files\WordProser_1.10.0.2 (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files\WordProser_1.10.0.2\IE (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2 (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\IE (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\Service (PUP.Optional.WordProser.A) -> No action taken.

Files Detected: 83
C:\Program Files (x86)\WordProser_1.10.0.2\Service\wpsvc.exe (PUP.Optional.WordProser.A) -> No action taken.
C:\ProgramData\JJNmOZDE\fiFoUHEqU.exe (PUP.Optional.SafeWeb.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\IE\WordProserClientIE.dll (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files\WordProser_1.10.0.2\IE\WordProserClientIE.dll (PUP.Optional.WordProser.A) -> No action taken.
C:\ProgramData\username\dat\lfXnjWzkg.exe (PUP.Optional.SafeWeb.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\Setup-1-.exe (PUP.Optional.SafeWeb.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\setup_424.exe (PUP.Optional.CrossRider.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\setup_ra.exe (PUP.Optional.SilentInstaller.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\ZOG\Setup.exe (PUP.Optional.WordProser.A) -> No action taken.
C:\Users\username\Downloads\download-funny-photo-maker.exe (PUP.Optional.Eguide) -> No action taken.
C:\Users\username\Downloads\download-photoscape.exe (PUP.Optional.Eguide) -> No action taken.
C:\Users\username\Downloads\SoftonicDownloader_for_supereasy-video-booster.exe (PUP.Optional.Softonic) -> No action taken.
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage (PUP.Optional.Boost.A) -> No action taken.
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.boostsaves.com_0.localstorage-journal (PUP.Optional.Boost.A) -> No action taken.
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.boostsaves.com_0.localstorage (PUP.Optional.Boost.A) -> No action taken.
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.boostsaves.com_0.localstorage-journal (PUP.Optional.Boost.A) -> No action taken.
C:\Users\username\AppData\Local\SafeWeb\data2.dat (PUP.Optional.SafeWeb.A) -> No action taken.
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_inst.shoppingate.info_0.localstorage (PUP.Optional.ShoppingGate.A) -> No action taken.
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_inst.shoppingate.info_0.localstorage-journal (PUP.Optional.ShoppingGate.A) -> No action taken.
C:\Windows\Tasks\8d89449c-65b1-4eaa-89c6-1cbe7c878898-4.job (PUP.Optional.CrossRider.T) -> No action taken.
C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Program Files\010\hxaxuacnrr32.exe (PUP.Optional.AdPeak.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\vitruvian-installer-install-v0003 (PUP.Optional.Vitruvian.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\vitruvian-installer-processes-v0002 (PUP.Optional.Vitruvian.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\vitruvian-installer-scheduledtasks-v0001 (PUP.Optional.Vitruvian.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\vitruvian-installer-softwareregkeys-v0002 (PUP.Optional.Vitruvian.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\vitruvian-installer-vmdetect-v0001 (PUP.Optional.Vitruvian.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\BrowserHelper.exe.config (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\BrowserHelper.pdb (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\browserhelperff.log (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\channel_generic.json.old (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\smileyswelove.xpi (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\smileyswelovetoolbar.crx (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\swlfiles\x86\SQLite.Interop.dll (PUP.Optional.SmileysWeLove.A) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\goopdate.dll (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\goopdateres_en.dll (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\psmachine.dll (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\psuser.dll (PUP.Optional.GlobalUpdate.T) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\GoogleCrashHandler.exe (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\GoogleUpdate.exe (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\GoogleUpdateBroker.exe (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\GoogleUpdateHelper.msi (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\GoogleUpdateOnDemand.exe (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\goopdate.dll (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\goopdateres_en.dll (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\npGoogleUpdate4.dll (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\psmachine.dll (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Temp\comh.102705\psuser.dll (PUP.Optional.GlobalUpdate.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\application.log (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\db.db (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\libeay32.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\LoopbackForWin8.exe (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\msvcp100.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\msvcr100.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\ObronaBlockAds.exe (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\ProxyResetOnKill.exe (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\Qt5Core.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\Qt5Gui.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\Qt5Network.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\Qt5Sql.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\Qt5Widgets.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\ssleay32.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\imageformats\qgif.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\Users\username\AppData\Local\Obrona Block Ads\platforms\qwindows.dll (PUP.Optional.ObronaBlockAds.A) -> No action taken.
C:\ProgramData\SafeWeb\data.dat (PUP.Optional.Safeweb.A) -> No action taken.
C:\ProgramData\SafeWeb\SafeWeb.ico (PUP.Optional.Safeweb.A) -> No action taken.
C:\ProgramData\SafeWeb\Uninstall.exe (PUP.Optional.Safeweb.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\terms-of-service.rtf (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses\buildcrx-license.txt (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses\Info-ZIP-license.txt (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses\JSON-simple-license.txt (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses\nsJSON-license.txt (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses\Nustache-license.txt (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses\TaskScheduler-license.txt (PUP.Optional.WordProser.A) -> No action taken.
C:\Program Files (x86)\WordProser_1.10.0.2\3rd Party Licenses\UAC-license.txt (PUP.Optional.WordProser.A) -> No action taken.

(end)

The problem is that by default, RT is set not to remove PUP and PUM items, only to report them. You can change this setting, however it doesn't stick unless you change the registry key storing the settings to be read-only, otherwise mbam.exe will overwrite it with the default setting the next time it is executed (for example, if you change the setting and then run a scan).

This is something that we intend to fix but at this time that is the only workaround.

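As an added example (not from the thread and not Malwarebytes' own code), a Python check that parses a log in the mbam-log layout quoted above and flags a -remove scan whose PUP/PUM detections were all left at "No action taken", which is the report-only default the reply describes. The sample log is constructed from the format in the post, and the function names (parse_mbam_log, unremediated, assess) are mine.

```python
import re
from collections import Counter

# Constructed sample in the mbam-log layout quoted in the thread (not the real log).
SAMPLE_LOG = """\
Scan options enabled: Memory | Startup | Registry | File System | PUP | PUM

Memory Processes Detected: 1
C:\\Program Files (x86)\\WordProser_1.10.0.2\\Service\\wpsvc.exe (PUP.Optional.WordProser.A) -> 2920 -> No action taken.

Registry Values Detected: 1
HKLM\\SOFTWARE\\GlobalUpdate\\Update|path (PUP.Optional.GlobalUpdate.T) -> Data: C:\\x\\GoogleUpdate.exe -> No action taken.

Files Detected: 2
C:\\ProgramData\\SafeWeb\\data.dat (PUP.Optional.Safeweb.A) -> No action taken.
C:\\Users\\username\\AppData\\Local\\Temp\\sample.exe (Trojan.Constructed) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)\.$")

def parse_mbam_log(text):
    """Return (enabled scan options, list of detection dicts) from log text."""
    enabled, detections, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Scan options enabled:"):
            enabled = [o.strip() for o in line.split(":", 1)[1].split("|")]
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)          # e.g. "Registry Keys", "Files"
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # The action is the last "->" segment; PIDs and "Data: ..." precede it.
            action = re.split(r"\s*->\s*", m.group("rest"))[-1]
            detections.append({"section": section, "object": m.group("obj"),
                               "detection": m.group("det"), "action": action})
    return enabled, detections

def unremediated(detections, prefixes=("PUP.", "PUM.")):
    """PUP/PUM detections that were only reported, never acted on."""
    return [d for d in detections
            if d["detection"].startswith(prefixes) and d["action"] == "No action taken"]

def assess(text):
    """Summarise whether a -remove scan left PUP/PUM items at 'No action taken'."""
    enabled, detections = parse_mbam_log(text)
    left = unremediated(detections)
    return {"pup_pum_enabled": {"PUP", "PUM"} <= set(enabled),
            "report_only": bool(left),          # matches the RT default described above
            "left": len(left),
            "families": dict(Counter(d["detection"] for d in left))}
```

Running assess() over each unattended scan's log lets the .bat job raise an alert when PUP/PUM scanning was enabled but every such item was left untouched, instead of silently treating the run as a successful clean-up.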
I agree with that advice. +1

Ok.. what registry keys would I need to change in order to change the setting for the PUPs/PUMs to be removed...?

 

Read this: https://forums.malwarebytes.org/index.php?/topic/157029-how-to-customize-mbam-rt-default-settings/

 

 

I would love to test the new beta version...

 

OK will keep you in mind once we have one available.
