
PUP Optional PSScriptLoad EncJob keys



Having the same issue.  These registry changes relating to PUP.Optional.PSScriptLoad.EncJob keep coming back. I have occasionally (i.e., when I happen to be watching) seen a window appear briefly on screen at about 16:30h local time (Adelaide Australia) and following this if I run a MB v3.1.2.1733 scan, the 5 PUPs (registry keys and values) are found.  I quarantine them, restart and MB no longer finds the PUPs.  Neither are they found next morning.  They appear again after 1630h approx. So every evening I have to scan, quarantine and re-boot.

AdwCleaner initially found 2 items which I removed - it no longer finds anything

It would be nice to permanently get rid of these annoyances

Cheers

 


A similar topic has been closed by the MB moderator shadowwar, but I’m still having the problem, so I'd like some further discussion. 

I am using MBAM v3.1.2.1733, component package 1.0.141 and update package 1.0.2227. In MBAM, I have clicked Install Application updates but no updates are available. I also have automatic downloads On.

Each morning, I run a scan and MBAM reports nothing found.

Every evening at 1625 local time (Adelaide Australia) I see a window flash quickly on screen and I then get a MB outbound connection website blocked warning for a site named forallshop.info:53485

If I immediately run a MB scan, there are 5 PUPs identified. They are all related to registry keys and values. They are:

PUP Optional PSScriptLoad.EncJob – registry value

PUP Optional PSScriptLoad.SHHKRST – registry value

PUP Optional PSScriptLoad.SHHKRST – registry key

PUP Optional PSScriptLoad.EncJob – registry value

PUP Optional PSScriptLoad.EncJob – registry key

I quarantine these and re-boot (required). A subsequent MBAM re-scan shows they are gone.

This whole scenario occurs each day at the same time.

Nothing is found with a full scan in Windows Defender

Your help in eliminating these recurring PUPs would be appreciated

Regards

JediKnight


  • Staff

Can you locate some files for me and zip and attach them here?

 

C:\PROGRA~3\f2e9b9f6\82dcaf26.dll (program files or programdata for the short name)

C:\ProgramData\{B69BC514-0130-72BF-9589-CA1BF4DEEFA7}\CE727210-79D9-C5BB-E3F5-0242729C55C9.exe

 

Would like a look at these first before I give you a fixlist.

 

Thanks.

 

 


Hi shadowwar

Attached is the zipped 82dcaf26.dll

This was found in folder C:\AdwCleaner\quarantine\files\slmawirhnbwxfcmjedtkgliehouceedt

However I cannot locate

C:\ProgramData\{B69BC514-0130-72BF-9589-CA1BF4DEEFA7}\CE727210-79D9-C5BB-E3F5-0242729C55C9.exe

I used Windows Explorer to search the entire drive C: (and D:).  Hidden items in View is checked and I also allowed system files to be shown, so I think this should show everything.  

In C:\ProgramData there are 4 folders (not .exe’s) with long hex names but none are close to the one above.  Searching for the whole long file name or just a part string such as -  0242729C55C9.exe

finds nothing on my entire computer.

I also listed every *.exe and there’s nothing like the filename above. Sorry – am I doing something wrong?

Regards

JediKnight

82dcaf26.zip


  • Staff

 

OK, thanks for all the effort. Attached is a fixlist.txt

Place this in the same directory as frst.

Run frst and click fix.

Please post back the log from the fix.

Also can you zip up the folder from frst once the fix is done above. It should be located here:

c:\frst

And attach it here after the fixlist is completed.

 

fixlist.txt

 

Also any idea what you may have installed recently that did all this?

Edited by shadowwar

Hello shadowwar

Thanks for your help. I’ve followed all your instructions.  I’ll let you know what happens this evening after 1825h when these PUPs seem to re-appear (and oops.. in my original post I said 1630h).

I can't attach the zipped folder from C:\FRST as requested. It's 32.8MB and I can only attach 29.3MB to this reply.  Is there another way to get this file to you? I just use the Win 10 zip software.

Attached is the Fixlog.txt.

I am not a downloader of stuff, so I don’t have much on my PC.  I do some video editing and production plus some Delphi programming for SQL Server.  Other than that, it’s writing, email and web browsing. 

I always download software into a folder on drive D:\ into specifically labelled sub-directories with the name of the download (eg D:\Downloads\FarBar). The software is run/installed from there using the software’s default settings.  Looking at this list, the most recent download was Calibre (back in May).  This software converts docx files into files compatible with Amazon Kindle.  Most of the other stuff has been there for some time –although I generally update any existing software when asked.

Regards

JediKnight

Fixlog.txt


Hello shadowwar

Sorry to tell you this, but at 1825h, I saw the blue window flash on screen, and the usual MBAM warning that an outbound website (the usual one – forallshop.info) had been blocked.  I scanned and the usual PUPs were back again. Quarantined them and had to re-boot to get rid of them.

Anything else we can try?

Regards

JediKnight


  • Staff

OK, looks like we got all the tasks that were launching at 630 your time. All the ones in the quarantine folder were set to that time. It's possible that maybe you didn't reboot.

Attached is one more fixlist. There is a remnant of DNS Unlocker in your DHCP settings.

Run this fixlist with frst.

Reboot after.

Also fire up Task Scheduler. This can be accessed from the search box near the Start button by typing

task scheduler

Take a look in there and see if you still see any set to launch around the 1825h

screenshot example below.

The current Addition.txt doesn't show anything so it should be clean. Guess we will see again when that time happens.

 

 

fixlist.txt

5953a947806d3_Screenshot2017-06-2809_03_40.thumb.png.4be2bd3992ae8ee023560d932f5c2276.png

 

Edited by shadowwar
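
The Task Scheduler check described in the post above can also be scripted. The following PowerShell is an added example, not part of the original thread or of Malwarebytes' tooling; the 20-minute window and the patterns behind the `Review` column are assumptions chosen for illustration.

```powershell
# Added example: list scheduled tasks whose time-based trigger fires inside a
# window around the time the symptom recurs (18:25 in the thread).
# The window size and the Review patterns are assumptions, not from the thread.
param(
    [string]$Around = '18:25',   # local time at which the window flash is seen
    [int]$WindowMinutes = 20
)

$target = [datetime]::ParseExact($Around, 'HH:mm', $null).TimeOfDay

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($trigger in $task.Triggers) {
        # Logon, boot and event triggers usually carry no StartBoundary; skip them.
        if (-not $trigger.StartBoundary) { continue }
        $start = [datetime]::MinValue
        if (-not [datetime]::TryParse($trigger.StartBoundary, [ref]$start)) { continue }

        # Distance in minutes between trigger time and target, wrapping at midnight.
        $delta = [math]::Abs(($start.TimeOfDay - $target).TotalMinutes)
        $delta = [math]::Min($delta, 1440 - $delta)
        if ($delta -gt $WindowMinutes) { continue }

        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments and yield an empty string.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Trigger = $start.ToString('HH:mm')
                Command = $cmd
                # Flag commands worth a manual look: binaries under ProgramData
                # (long or 8.3 short name) or script hosts and loaders.
                Review  = $cmd -match 'ProgramData|PROGRA~3|powershell|rundll32'
            }
        }
    }
} | Sort-Object Trigger | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so tasks registered for other accounts are included. Tasks that repeat on an interval are matched only by their initial start time.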

Hello shadowwar

Attached are the log files from the most recent fixlist

I ran this as soon as I received your fix yesterday and then did a restart.  I have since shut down my PC completely (as I always do overnight).  I started up this morning and later in the afternoon today, I ran a MBAM scan – no threats detected.

I have looked at Event Scheduler. Under Task Status for the past 7 days, there have been no events.  Also attached is a screen shot of the TS Library. There are other events listed, but none have a time allocated for them - not sure if these are relevant

Adware.DNS Unlocker was found and removed by MBAM a few weeks ago (can't remember when exactly - maybe when I first upgraded to v3)

I’ll let you know what happens at 18:30 tonight

Regards

FRST.txt

Addition.txt

Task Scheduler Libary.jpg


Hello shadowwar

It’s past 18:30h.  I didn’t see a window flash on screen. At 18:34, I did a MBAM scan – NO threats detected. Repeat scan 30 min later – NO threats detected. Repeat scan late this evening – NO threats detected

I’ll check again over the next few days and let you know the outcome. But at the moment and on day 1, it looks like you have been successful in solving the issue.

Are you able to give me a brief outline of the problem? I am interested in such things, having been around computers since the days of the TRS-80 and Apple II.

You guys/girls are just brilliant. 

Thank you so much.


Hi shadowwar,

Just to finish this off, the malware has not re-appeared since last Thursday and multiple scans find nothing, so it all looks good.  I hope this issue allowed you to add some more antimalware code to MBAM.

As I said earlier, I would be interested to hear how you think this came to reside on my PC and how it kept coming back.  However, I know you will be busy and may not have the chance to do this.

Regards

JediKnight


  • Staff

This usually comes bundled with applications that you download to install. Have to be very careful on what is preselected when you go to install something.

Lately we have seen them bundled with PUPs SystemHealer or OneSystemCare but others have them as well.

Our code changes are almost complete so really appreciate you helping us out!

 
