Fab4

Not sure why MBAM left files un-quarantined


I ran into a big problem with the Windows 10 feature update that I couldn't solve. I contacted Microsoft for the first time in about 10 years. I requested level 2 support, and MS offered to troubleshoot the headache by remote assistance. Without my consent or knowledge they installed DriverAssist by Megaify Software. Seriously, to troubleshoot a problem with Windows Update? Unfathomable.

After screaming obscenities, I ran Malwarebytes and AdwCleaner to scan and quarantine the PUPs and registry entries. Malwarebytes quarantined all except four files in a folder called C:\Program Files (x86)\Driver Toolkit. Two files are driver package installers (DPInst64.exe and DPInst32.exe) that VirusTotal lists as signed files with valid signatures by Microsoft Corporation. The other two are dynamic link libraries (msvcp100.dll and msvcr100.dll), which VirusTotal again blessed.

I want to delete the entire folder, Driver Toolkit. I don't know why MBAM wouldn't touch them given all the PUPs it found in that folder. Ideas on the best way to handle these?

[Screenshot attached: MalwareBytes Forum.JPG]

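The two questions in the post above (why were these four files left alone, and is the folder safe to delete?) can be answered locally before uploading anything. DPInst is Microsoft's redistributable Driver Package Installer and msvcp100/msvcr100 are the Visual C++ 2010 runtime DLLs: a valid Microsoft Authenticode signature tells a scanner the file is unmodified, not that it belongs on the machine, which is why signed helpers bundled by a PUP are routinely left behind. The PowerShell script below is an added example, not code from the thread or from Malwarebytes; the folder path is assumed from the post and the registry/task checks look for that folder name, so adjust both to the system in question.

```powershell
# Added example (not from the thread): inspect the files a scanner left behind.
# Assumption: the folder path is the one quoted in the post; adjust as needed.
$folder = 'C:\Program Files (x86)\Driver Toolkit'

if (-not (Test-Path -LiteralPath $folder)) {
    Write-Warning "Folder not found: $folder"
    return
}

# 1. Signature status, signer and SHA-256 for every file, so the result can be
#    compared with a VirusTotal hash lookup without uploading anything.
$report = Get-ChildItem -LiteralPath $folder -File -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File   = $_.FullName
        Status = $sig.Status           # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# 2. Does any running process still have a file from that folder loaded?
#    A loaded DLL or running EXE is what makes a later delete fail.
$inUse = Get-Process | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $_.FileName -like "$folder\*" } | ForEach-Object {
            [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Module = $_.FileName }
        }
    } catch { }   # protected or bitness-mismatched processes refuse module enumeration
}
if ($inUse) { $inUse | Format-Table -AutoSize } else { "No process has files from $folder loaded." }

# 3. Is anything still set to start it? Check the usual Run keys and scheduled tasks.
$needle  = "*$(Split-Path $folder -Leaf)*"
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Value -like $needle } |
            ForEach-Object { "Run entry: $k\$($_.Name) = $($_.Value)" }
    }
}
Get-ScheduledTask | Where-Object { ($_.Actions | ForEach-Object { $_.Execute }) -like $needle } |
    ForEach-Object { "Scheduled task: $($_.TaskPath)$($_.TaskName)" }
```

If step 2 reports nothing and step 3 finds no launcher, the folder is inert and can be deleted outright; if a process still has one of the DLLs loaded, stop that process (or reboot) first, otherwise the removal will fail exactly the way the scanner's did.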

To add some clarity (or possibly confusion), the Removal Instructions for DriverToolkit posted here on this forum lists these files as being quarantined. Please refer to the Malwarebytes log (file: 14) from that original post on the Removal Instructions. The question is why didn't MB quarantine these files?


Alrighty, okey-doke then. Since almost 24 hours have passed since my post, I assume the standard protocol on this forum for reaching the support team is to first attach the mbst-grab results zip file. I don't know why exactly this would be necessary to get a response, unless my screenshot didn't show the same files that are on the list of quarantined files from the Malwarebytes log (file: 14) posted in the Removal Instructions.

I do need to bring one fact to attention, however: I ran AdwCleaner BEFORE running Malwarebytes 3. AdwCleaner quarantined most of the DriverToolkit PUPs. Therefore I believed it necessary to attach the log files from AdwCleaner (before and after quarantine).

Sorry if I've stepped on anyone's feet. I'm still learning the nightclub two-step.

Attachments: mbst-grab-results.zip, AdwCleaner[C01].txt, AdwCleaner[S01].txt


Hello @Fab4


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

Attachment: fixlist.txt

Once that is completed, please run the following steps and post back the logs as attachments when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.


Thanks

Ron


Hello

I've attached all the log files per the instructions.

DriverToolkit PUPs were removed from C:\Program Files (x86)\DriverToolkit.

I'm not at all familiar with the Farbar Recovery Scan Tool. I'm not sure what the tool performs. I don't know where to look to find the quarantined DriverToolkit PUPs.

The Fixlog reported under =Remove Proxy= that 4 registry entries were removed. The Fixlog also reported C:\Program Files (x86)\DriverToolkit => moved successfully.

Attachments: Addition.txt, FRST.txt, AdwCleaner[C02].txt, MB3 Threat Scan.txt, Fixlog.txt


The logs look pretty good overall.

How is the computer running now?
Are there still any signs of an infection?


You may want to check and verify you have the latest network driver for your Killer Network card. I believe the link below may be correct for you, but check with your computer manufacturer website to be sure. They may have their own customized version for you to use.
http://support.killernetworking.com/software/

R2 Killer Network Service; C:\WINDOWS\System32\drivers\RivetNetworks\Killer\KillerNetworkService.exe [2484408 2018-07-27] (Rivet Networks LLC -> Rivet Networks)

If there is anything else I can assist you with please let me know.

Cheers

Ron


The system is running fine thank you... No signs of infection.

I'll check to verify that the OEM has the latest network driver.

> 3 hours ago, AdvancedSetup said:
> If there is anything else I can assist you with please let me know.

I found the files quarantined in C:\FRST\Quarantine\C\Program Files (x86)\DriverToolkit.

Questions: Do you recommend deleting the quarantined files? Can this entire directory path be safely deleted?


Yes, you can safely delete the entire FRST folder. Due to the inclusion of a backup of your registry hives, it may or may not allow full removal without going into Safe Mode.

If you do have issues removing the folder though let me know and I can assist.

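The FRST folder holds the quarantine (the moved DriverToolkit directory, with whatever ACLs it carried) and the registry hive backups the reply above mentions, and a normal-user delete of the quarantine subtree can fail on the moved files. The script below, added here as an example and not code from the thread or from Farbar, shows the cleanup from an elevated PowerShell prompt instead of a Safe Mode boot: list what is about to go, take ownership, grant Administrators full control, then remove. It assumes the folder is C:\FRST, as in the thread.

```powershell
# Added example (not from the thread): remove FRST's working folder, including its
# quarantine and registry-hive backups, from an elevated PowerShell prompt.
# Assumption: FRST was run from the Desktop, so its folder is C:\FRST as in the thread.
$target = 'C:\FRST'

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}
if (-not (Test-Path -LiteralPath $target)) { "$target does not exist; nothing to do."; return }

# Show what is about to go, so a quarantine you still want is not deleted by accident.
$files = Get-ChildItem -LiteralPath $target -Recurse -File -Force
'{0} files, {1:N1} MB under {2}' -f $files.Count, (($files | Measure-Object Length -Sum).Sum / 1MB), $target
Get-ChildItem -LiteralPath "$target\Quarantine" -Directory -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# Files moved into quarantine keep the permissions they had in Program Files, which is
# the usual reason a plain delete stops part way. Take ownership and grant
# BUILTIN\Administrators (S-1-5-32-544) full control on every object first.
takeown.exe /F $target /R /D Y | Out-Null
icacls.exe  $target /grant '*S-1-5-32-544:(OI)(CI)F' /T /C | Out-Null

Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction SilentlyContinue

if (Test-Path -LiteralPath $target) {
    Write-Warning "Some items under $target could not be removed; a process may still hold them open. Reboot (or boot to Safe Mode) and run this again."
} else {
    "$target removed."
}
```

Because FRST's quarantine is the only copy of what it moved, run this only after you are satisfied the system is clean, as the exchange above does; once the folder is gone there is nothing to restore from.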

Hello Ron,

First of all, I deleted the FRST folder in safe mode.

The real reason I'm responding back is related to a question that I was hoping you can share your thoughts / or a comment regarding the malware that was just removed.

After my initial individual efforts using Malwarebytes 3 and AdwCleaner, and also through your guidance, my system now starts to try automatically installing the Intel Software Guard Extensions (SGX) driver. The automatic install repeatedly fails after becoming stuck in the queue.

My question is probably outside the boundaries or scope of this forum, but I was wondering whether SGX may have been waiting to install until it recognized a clean system. The driver tries to install since SGX was set up to be supported in a ready state on my system from the factory configuration, in the BIOS setting known as 'Software Controlled'.

I was wondering whether you know if Windows 10, upon recognizing a clean system with the platform enabled, is now trying to install the driver. I wasn't aware my system even met all the full criteria for SGX until noticing these repeated failures to install the driver.

Thank you


I'm sorry but I don't have the exact answer for you as none of my computers have or use it.

Maybe by opening a new topic in the General PC Help forum, others can chime in to help you get this resolved:
https://forums.malwarebytes.com/forum/6-general-windows-pc-help/

I'd also post the exact Make, Model of your computer and motherboard and go from there.

Here are some general links I found doing a basic search


https://software.intel.com/en-us/sgx

https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html

https://www.youtube.com/watch?v=3MDIPAZnSTw

https://www.tenforums.com/antivirus-firewalls-system-security/101389-sgx-setting-choose-bios.html

https://www.extremetech.com/extreme/275404-new-speculative-execution-security-flaw-cracks-intels-software-guard-extensions


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

This topic is now closed to further replies.
