
P2PSurveillance App cannot be removed


Meebers1

MWB Prem 4. This app suddenly appeared in my app folder W10 Pro.  The remove function is just a link to, most likely, the outfit that put it there to sell you a fix.  MWB does not detect it even though it is supposed to be a known malware, of the Sality variety. The only mention of it in the forum is dated 2016 which was closed without a solution.  Removal tools all direct you to a list for removal that does not have it listed.  Does not appear in the apps folder.  Notice the different spelling!

p2p.JPG


Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

 

Q:  Did you ( carefully ) right click on these 2 things and then select and look at Properties ?

Q:  what is the extension of those ?

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please attach only the report files, etc. that I ask for as we go along.

I am going to ask you to run a report, using a tool named FRST.   Be sure you first download and SAVE it to either the Downloads folder, or else to the DESKTOP.

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:


"Download link for 32-Bit version Windows"

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Run report with FRST

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the More info line on that screen and click the Run anyway button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info, then follow up & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.





The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


Q:  Did you ( carefully ) right click on these 2 things and then select and look at Properties ?  These files only appear on the list of apps, nowhere else.  Right click shows no properties.

Q:  what is the extension of those ?  No properties to view extensions.

I did find this in additional.txt  "files (x86)\webrec\p2pclient\3.01.001.0\p2pserver.exe] => (Allow) C:\program files (x86)\webrec\p2pclient\3.01.001.0\p2pserver.exe () [File not signed]"

 

Addition.txt, FRST.txt
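A triage sketch for the kind of Addition.txt firewall-rule line quoted in the post above, added here as an example and not part of the original thread or of FRST itself. The line layout is an assumption inferred from that one quoted line, and every sample line except the first is constructed.

```python
import re

# Assumed layout, inferred from the single line quoted in the post:
#   <rule name>] => (<Action>) <program path> (<publisher>) [File not signed]
RULE_RE = re.compile(
    r"=>\s*\((?P<action>Allow|Block)\)\s+(?P<path>.+?\.exe)\s*"
    r"(?:\((?P<publisher>[^)]*)\))?\s*(?P<unsigned>\[File not signed\])?\s*$",
    re.IGNORECASE,
)

def parse_rule(line):
    """Return a dict for one firewall-rule line, or None if it is not one."""
    m = RULE_RE.search(line.strip())
    if m is None:
        return None
    return {
        "action": m["action"].capitalize(),
        "path": m["path"],
        "publisher": (m["publisher"] or "").strip(),
        "unsigned": m["unsigned"] is not None,
    }

def flag_unsigned_allow(lines):
    """Map lower-cased program path -> reasons, for Allow rules on unsigned files."""
    flagged = {}
    for line in lines:
        rule = parse_rule(line)
        if rule is None or rule["action"] != "Allow" or not rule["unsigned"]:
            continue
        reasons = flagged.setdefault(rule["path"].lower(), [])
        for reason, hit in (("file not signed", True),
                            ("empty publisher field", rule["publisher"] == "")):
            if hit and reason not in reasons:
                reasons.append(reason)
    return flagged

SAMPLE = [
    # Verbatim from the post (the rule name is truncated there and left as-is).
    r"files (x86)\webrec\p2pclient\3.01.001.0\p2pserver.exe] => (Allow) C:\program files (x86)\webrec\p2pclient\3.01.001.0\p2pserver.exe () [File not signed]",
    # Constructed lines below, not taken from any real log.
    r"[{RULE-ID-PLACEHOLDER-1}] => (Allow) C:\Program Files\ExampleVendor\agent.exe (Example Vendor)",
    r"[{RULE-ID-PLACEHOLDER-2}] => (Block) C:\Users\Public\tool.exe () [File not signed]",
    "==================== section header (constructed) ====================",
]

if __name__ == "__main__":
    for path, reasons in flag_unsigned_allow(SAMPLE).items():
        print(path, "->", ", ".join(reasons))
```

A hit only marks a file whose publisher and hash are worth looking up; an unsigned program with an Allow rule is not by itself a malware verdict.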


Hi.   Thank you for the FRST reports.

I notice one thing that does need your attention & follow-up.   The Windows System Restore service is off.  You should ensure that it is ON.

See   https://www.tenforums.com/tutorials/4533-turn-off-system-protection-drives-windows-10-a.html


There is an installed program named WebClient (HKLM-x32\...\WebClient) (Version:  - )

I cannot tell who the publisher is.   You should do some research on it.


I would also like for you to upload a file to Virustotal for analysis

C:\program files (x86)\webrec\p2pclient\3.01.001.0\p2pserver.exe

 

Using your web browser,  

Go to the link https://www.virustotal.com/gui/home/upload

 

You will see Choose file button.   Click that as a first step.   You will then see a dialog grid from Windows.

 

In the white "File name" box, copy and paste in

C:\program files (x86)\webrec\p2pclient\3.01.001.0\p2pserver.exe

 

then click Open button.  It should then Upload a copy of that file.  That file will be analyzed.

Watch the progress.  It should take a short while.

After it has all completed, it will show a completed results page.

Please provide the link address to that results page on your next reply.


I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files"  ( in blue, at bottom).

Press Continue when all done.  You should click to turn off the offer for "periodic scanning".

 


There is an installed program named WebClient (HKLM-x32\...\WebClient) (Version:  - )   It is required as part of an NVR (camera security network, that only works with IE).  It works on several other computers without issue.  They do not show the P2PSurveilance on the App list.   ESET underway, will post any negative results.  (¬‿¬)

Link:  https://www.virustotal.com/gui/file/1e2cfe8a9be0ea375ca38802bc7d2b3166625f6b3fac2f7c395b9fa77ef108c1/detection


OK.  Thanks.   I am glad to see ESET reports no malware /  no PUP.

 

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
 

In Windows Settings  >>> click on Windows Security from the left side list.

Next, in the Windows Security section:  Click on the grey button Open Windows Security

Next click on the blue Scan options

Look down the options list.  Tick on Windows Defender Offline scan.   Then click the grey "Scan now" button and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.


Thank you for the Windows Defender Offline scan option.  It ran for 14 minutes and then closed.  No issues noted?  Computer restarted back to normal. 

As previously noted, virustotal results only had one "engine" noting this as Adware?    C:\program files (x86)\webrec\p2pclient\3.01.001.0\p2pserver.exe   I am proposing to first make an image backup with Macrium and then go and just delete this .exe file?  ¯\_(ツ)_/¯

 

Thanks for continuing to help me with this.  !!


  • 3 weeks later...

Thanks for the inquiry Maurice.  I think I am 99% sure I have removed it and all traces.  Here is what I did:
1.  Performed an image of the "problem drive".
2.  Searched for a previous image I had done that did not have the problem.  That turned out to be one from November 19 1903 18352.418. Restored that image and then had to proceed to bring it up to date all the way thru to 1909 18363.535.  All the time checking/scanning/sfc /scannow.  Webrec was not there on the cleaned up drive :-).  Rebuilding some of the apps up to current versions.  I have a licensed copy of Malwarebytes wherein I had to de-activate it on the problem drive and then re-activate it on the new drive etc.  All the apps were "begging" to be updated.  I did so even though it was a long process.
3.  Satisfied with the updated drive, I now switched back to the "problem drive" with the intent that I would find it or possibly render it useless.  First I did a regedit and found the file "Webrec" was scattered all over the registry. :-(  (I know better than to just start deleting those entries.)  Windows search function is very slow and not reliable.  So I found this app called "Everything" that in my opinion is blazing fast and checks everything on the drives.  I found 4 instances of the file "Webrec", 2 were in plain type text entries and 2 were in what appeared to be a hidden? registry type file (bunches of numbers and letters).  From within "Everything" it allows you to open the file as well as delete it.  I did one at a time, then rebooted and continued on.  For one of the registry type files I deleted, Everything asked me if I wanted to delete this "shortcut" and not "this file" as previously requested.  Ahh-Ha, shortcut??  Deleted it and the entry on the apps list was no longer there!  Not sure how the author created a shortcut and had it appear on the list of apps??  All 4 entries were no longer showing when I searched for it!
4.  After all scans were completed, ESET, MWB etc, Health checks etc. seems to be back to normal.

So the plan is to image the "cleaned up" drive, keep it on hand in the event I have to look for a needed file/email etc and then format it and put it back into service.  It has been a long time getting back to normal since at least when I first posted 12.17.19.  Thanks to your guidance and help, much appreciated.   Mike.


Hello Mike.

Thanks for the notes.  Seems that you have it taken care of.   Bravo.

I am going to pass on these best practices tips, and then mark this case for closure.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"


I am glad things are well.  All best wishes to you.

 

You may delete the downloaded ESET file   "esetonlinescanner_enu.exe"

 

To help cleanup on tools used:

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

 

If your security program alerts on Delfix, either accept the alert or turn your security off.

Please right-click on Delfix and choose Run as administrator.

Make sure the following items are checked:

  Remove disinfection tools <----- this will remove tools we may have used.



Now click on "Run" and wait patiently until the tool has completed.

Any remaining  files/logs from tools we have used can be deleted.

 

Sincerely,

Maurice


This topic is now closed to further replies.