
Hi, I've used your software for over a year now and I've always loved it, and actually just today got a premium sub! However, before I activated it I ran a scan and had some threats show up, and quarantined them, and after checking the forums decided it was in my best interest to delete them completely and do a fresh install of the executable that was infected afterwards, because I attempted to launch it and it gave me an error message but still launched. Anyway, this was my first scan that positively identified something, so I'm going to post my log from that scan.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/14/17
Scan Time: 5:47 PM
Log File: cc6b1d89-e120-11e7-bbe9-d050992ff81d.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.212
Update Package Version: 1.0.3491
License: Free

-System Information-
OS: Windows 10 (Build 16299.125)
CPU: x64
File System: NTFS
User: DESKTOP-O75K6L4\Frank Rodgers

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 282421
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 1 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.IFEO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE, Quarantined, [8731], [239347],1.0.3491
PUP.Optional.IFEO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE, Quarantined, [8731], [239347],1.0.3491

Registry Value: 2
PUP.Optional.IFEO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE|DEBUGGER, Quarantined, [8731], [239347],1.0.3491
PUP.Optional.IFEO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE|DEBUGGER, Quarantined, [8731], [239347],1.0.3491

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

I've since activated the key and did a full scan with rootkits enabled, and also did a full scan with Avast antivirus, and came up with no issues, even after a computer restart. So, my question is, should I be concerned, and how does this usually infect a computer? Not that I don't trust your software, and I've not gone to any weird websites since the scan before this one. Lastly, is there anything more I should be doing to see if I have anything else that might be malicious and need removing?


I also subsequently ran AdwCleaner and it removed some files and restarted my computer. Here is a log from that as well!

# AdwCleaner 7.0.5.0 - Logfile created on Fri Dec 15 04:42:40 2017
# Updated on 2017/29/11 by Malwarebytes 
# Database: 12-13-2017.2
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Users\All Users\Documents\Downloaded Installers
PUP.Optional.Legacy, C:\Users\Public\Documents\Downloaded Installers
PUP.Optional.SlimCleanerPlus, C:\Users\Frank Rodgers\AppData\Local\slimware utilities inc
PUP.Optional.SlimCleanerPlus, C:\Users\Frank Rodgers\AppData\Local\SlimWare Utilities Inc


***** [ Files ] *****

PUP.Optional.Legacy, C:\Windows\SysNative\drivers\swdumon.sys


***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.SlimCleanerPlus, [Key] - HKLM\SOFTWARE\SlimWare Utilities Inc


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########


Apologies for the triple post; I'm currently unsure if I'm able to edit my previous posts. However, Malwarebytes recently scanned and detected the same issue on the same program, Steam, after a fresh install of it, so I worry it may be serious. As such, I've checked the forums some more and seen that a FRST scan may be in order, so I've done so and will attach the new Malwarebytes scan along with the FRST scan and Addition.txt. I realize I'm posting quite a bit, however I just want to be safe, sorry.

 

Bytes2.txt

Addition.txt

FRST.txt


The logs look pretty good overall. Let me have you run the following, which will do a little more cleanup.


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 


Thanks for the reply! Attached is the fixlog created. I would like to note that Malwarebytes still had the PUP in quarantine; however, besides running the fix I've not bothered to delete or restore it without further instruction. As always, I appreciate the help.

Fixlog.txt


Logs look good. If it were my machine I would not restore what Malwarebytes removed already.

Unless there is something else the system looks pretty good now, but if you're seeing something else please let me know.

Thanks

Ron

 


I appreciate the help with my issue. Unfortunately, with my most recent PC boot-up it would appear the same problem PUPs have found their way back onto my Steam launcher, so I've again quarantined it and ran AdwCleaner and FRST afterward. Included is a new log from Malwarebytes, AdwCleaner and FRST plus its Addition. Could this be a false positive by any chance, as it always seems to be attaching to the same program? Your input is greatly appreciated; I'd hate having to reformat my computer.

Malwarebytes.txt

AdwCleaner[S2].txt

FRST.txt

Addition.txt


I've reviewed the logs and I'm not finding a specific reason why the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\STEAM.EXE is returning.

My guess is that it may be due, either in part or entirely, to the Avast Cleanup Premium software.

If you have the installation key and the installer to reinstall it I would like to try temporarily removing Avast Cleanup Premium and the task scheduler for it.

Task: {09B7A106-3FD3-4126-98E3-99D5B2C6F4EC} - System32\Tasks\Avast TUNEUP Update => C:\Program Files (x86)\AVAST Software\Avast Cleanup\TUNEUpdate.exe [2017-12-18] (AVAST Software)

Task: {5D8088EA-B81C-47C4-9281-666E9AA9B9EB} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2017-12-06] (AVAST Software)

https://forum.avast.com/index.php?topic=210028.0

Then run a new Malwarebytes scan and let it remove it. Then post the new log showing it removed. Then reboot and scan again and see if the IMAGE FILE EXECUTION OPTIONS for Steam are back again.

Let me know please.

Thanks

Ron

 


I'm slightly confused. Just for clarification, you'd like me to uninstall ONLY Avast Cleanup Premium, not Avast Premier, and the task scheduler for it?

18 minutes ago, AdvancedSetup said:

Task: {09B7A106-3FD3-4126-98E3-99D5B2C6F4EC} - System32\Tasks\Avast TUNEUP Update => C:\Program Files (x86)\AVAST Software\Avast Cleanup\TUNEUpdate.exe [2017-12-18] (AVAST Software)

Task: {5D8088EA-B81C-47C4-9281-666E9AA9B9EB} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2017-12-06] (AVAST Software)

Do I just need to look up those tasks in my file explorer and delete them?

And after that, do you want me to un-quarantine the IMAGE FILE EXECUTION OPTIONS that I currently have quarantined?

15 minutes ago, AdvancedSetup said:

Then run a new Malwarebytes scan and let it remove it

That's mainly what I'm confused about. I'm unsure if it's Avast's stuff that you want me to remove via Malwarebytes OR the IFEOs I currently have listed in my quarantine.


Okay, never mind.

I spoke with one of our Research Engineers and he said it is due to the Avast PC Tuneup. He said to just add it as an exclusion in Malwarebytes. So when you scan for it and it shows up, select the entries and add them to be excluded from being detected in the future.

They are basically a false positive.

Ron

 


Add the scan results from mbam related to Steam to exclusions.

For example, when the mbam scan completes, uncheck the boxes next to these results.

Registry Key: 2
PUP.Optional.IFEO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE, Quarantined, [8731], [239347],1.0.3491
PUP.Optional.IFEO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE, Quarantined, [8731], [239347],1.0.3491

Registry Value: 2
PUP.Optional.IFEO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE|DEBUGGER, Quarantined, [8731], [239347],1.0.3491
PUP.Optional.IFEO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\STEAM.EXE|DEBUGGER, Quarantined, [8731], [239347],1.0.3491

 

Hit Next. Then hit Ignore Always.

 

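The entries excluded above are a Debugger value under the Image File Execution Options key for STEAM.EXE, present in both the native and WOW6432Node registry views. As an added example (not from this thread, from Malwarebytes, or from Avast), the following PowerShell lists every Debugger value under both keys and shows whether the program it points to exists and who signed it, so an entry like the Avast Cleanup one here can be matched to the software that set it before deciding whether to exclude it or let the scanner remove it. The two root paths are taken from the log; the helper and function names are my own.

```powershell
# Added example (not from the forum thread or from Malwarebytes): list every
# "Debugger" value under Image File Execution Options, the type of entry the
# scans above reported as PUP.Optional.IFEO for STEAM.EXE. A Debugger value
# makes Windows launch that program instead of the named executable, so each
# one should be traceable to software you installed (here, Avast Cleanup).
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Pull the executable path out of a Debugger command line, which may look like
# "C:\dir with spaces\a.exe" /flag, C:\dir with spaces\a.exe, or a.exe /flag.
function Get-DebuggerExecutable([string]$CommandLine) {
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    if (Test-Path -LiteralPath $CommandLine -ErrorAction SilentlyContinue) { return $CommandLine }
    return ($CommandLine -split '\s+')[0]
}

function Get-IfeoDebuggerEntries {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }   # no redirection for this target
            $exe    = Get-DebuggerExecutable $dbg
            $onDisk = Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue
            $signer = 'not on disk'
            if ($onDisk) {
                # An Authenticode signer is the quickest way to tie the debugger to a vendor.
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
            }
            [pscustomobject]@{
                View     = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'native' }
                Target   = $key.PSChildName      # e.g. STEAM.EXE
                Debugger = $dbg
                OnDisk   = $onDisk
                Signer   = $signer
            }
        }
    }
}

# Run from an elevated prompt so both registry views are readable.
Get-IfeoDebuggerEntries | Sort-Object Target | Format-Table -AutoSize -Wrap
```

A target whose Debugger points to a missing, unsigned, or unexpected program deserves a closer look; one that resolves to a signed binary from a product you knowingly installed is the situation described in this thread.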

Understood! I really appreciate the help I got on the forum over the past few days and am glad I have a satisfactory resolution. I'll get to that as soon as I can! Thanks for all the help, gentlemen. Happy Holidays, and I hope I didn't make y'all pull out too much hair. :D


My hair was gone a long time ago, so no worry. Glad we were able to help. Thanks for the follow-up @shadowwar

I'll go ahead and close your topic soon, but if you do need further assistance please let us know.

Take care and Happy Holidays to you as well.

Ron

 


Hi @LooseTurnip

Before we let you go. We've noticed an error that appears to possibly be from an older driver. I'd like to have you run the following MB-Clean utility to fully remove Malwarebytes, and then reinstall it clean. That should correct the loading error for one of our drivers seen in Chrome in the logs.

Please run that and then reboot the computer a second time even though it won't ask you to, after the reinstall of Malwarebytes. Then run a new scan with FRST and make sure you place a check mark in the Additions.txt check box and post back both new logs.

Thanks

Ron

 


Please wait at least 12 hours. Then restart the computer and run the following MB-Check program, with NEW FRST logs. I believe the issue is fixed, but want to verify.

Ron

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
