Jump to content
stanoak

PC Repair Pro PUP

Recommended Posts

For about the past week or two, Malwarebytes is finding and quarantining two items that are marked "PUP.Optional.EnvoyServicesPCRepairPRO".  One is a folder, C:\PROGRAMDATA\WIN-NET and one is a file in that folder, C:\PROGRAMDATA\WIN-NET\ukf4gjb7yvpmtv7rn3k6oovuohciesy.  I don't actually see the folder on my PC.  Every day, I tell Malwarebytes to delete these two items but by the next day they are back.

How can I get rid of this?

pup.txt

Share this post


Link to post
Share on other sites

Hi.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 

Share this post


Link to post
Share on other sites

Thank you.

[    1   ]

To see all folders, you need to adjust setting in Windows File Explorer

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[   2   ]

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Then too, Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.


Let it remove what it has detected.

 

 

Share this post


Link to post
Share on other sites

Ok, I turned on "show all folders".  At the moment, there's no c:\programdata\win-net folder since I had Malwarebytes delete it earlier today.  

I checked and "scan for rootkits" was turned on.

I ran the Threat scan twice but it didn't find anything.

Is there anything else I should do at this point or do we just wait to see if it comes back tomorrow?

Stan

Share this post


Link to post
Share on other sites

So I just ran the Threat scan again and the two items are back.  I quarantined them.

Still no sign of the win-net folder that they're supposed to be in.

What now?

Stan

Share this post


Link to post
Share on other sites

I have to "see" what exactly those 2 "items" were  & where located.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 


I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.5.4.760.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Please know I help here as a volunteer.  and that I am not on 24 x 7.

Help on this forum is one to one.   Again, please be sure to ONLY attach report files  with your reply (s)  as we go along.  Do not do a copy / paste into main body.

Thank you,

Sincerely.

Share this post


Link to post
Share on other sites

Just so you know, You are welcome.  Helping others to get rid of malware is a passion of mine.

"PUP.Optional.EnvoyServicesPCRepairPro" is how Malwarebytes classifies this potentially unwanted "program"   [  P U P ]

That is not in the class of a malicious /dangerous / destructive "malware".    More like a unwanted pest.

 

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[    2   ]

I did not spot something name "pc repair" in the detailed FRST reports.   But we will go ahead and do a look-see & clean out of the folder C:\PROGRAMDATA\WIN-NET

 

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

 

This custom script is for   stanoak   only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe   tool    should be alreday on the Downloads folder

Start the Windows Explorer and then, to the Desktop.


RIGHT click on  FRSTENGLISH    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

FRST_Fixl.png.c4c1c0dddcc49b11fa400590f070bd5e.png

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

[   3   ]

Next, do a new Scan with Malwarebytes for Windows.   Let me know the result of that scan.   IF any item was found & tagged, please send me a copy of that last Scan Log

Cheers.

Fixlist.txt

Share this post


Link to post
Share on other sites

That is very good.   Thanks.

Let's do a couple of follow-ups.   They will not take a great deal of time.

[  1  ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

[   2   ]

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

Save the file first,
Close any running programs that you started on your own ( if any).

Double-click  RogueKillerx64.exe to run the program.
Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click Start Scan.
Upon completion, a browser window may open. Close this window.
 Important: Please do not have RogueKiller remove any detected items.
Click the HISTORY tab followed by Scan Reports.
Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.
Please attach the file in your next reply.

Cheers.
 

Share this post


Link to post
Share on other sites

Good morning Maurice.

I ran the two scans you suggested.  I had actually run the Microsoft Safety Scanner before getting in touch with you and it didn't find anything then or now.

Rogue Killer did find three items as you can see in the attached logfile.  

Malwarebytes didn't find anything.

Stan

msert.log stanrogue.txt

Share this post


Link to post
Share on other sites

Good morning, Stan.

Thanks for the reports.  I am glad to see that the MS Safety Scanner reported no threats.

As to the RogueKiller report,  I would suggest removing one item.

[ A  ]
Show all folders/files
What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.
There is a how-to at Tenforums. Use either option one or two or three
https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[  B  ]
Get to a Elevated Command-prompt window:
 for Windows 10
Select the Windows key and X key together, from the xmenu select Command Prompt (Admin)

[  C  ]
Then COPY the entire following line ( as is )  and then Paste it onto the Coomand prompt

del /s /q C:\Users\deuts\AppData\Local\PackageAware

then tap the Enter-key.    Close the command-prompt when done.

 

Let me know if you need anything else.

Safety tips for your web browsers:

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

Also suggested for Chrome or Brave browser, the NoScript add-on extension for added protection from script exploits 

https://chrome.google.com/webstore/detail/noscript/doojmbjmlfjjnbmnoijecmcbfeoakpjm

 

.

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down.

.

Share this post


Link to post
Share on other sites

In my version of Windows, the Command prompt has been replaced by Windows Powershell.

I pasted the command into the prompt but got this error:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> del /s /q C:\Users\deuts\AppData\Local\PackageAware
Remove-Item : A positional parameter cannot be found that accepts argument '/q'.
At line:1 char:1
+ del /s /q C:\Users\deuts\AppData\Local\PackageAware
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Remove-Item], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

PS C:\WINDOWS\system32>

Share this post


Link to post
Share on other sites

Use this

del /s  C:\Users\deuts\AppData\Local\PackageAware

 

Share this post


Link to post
Share on other sites

Similar problem:

 

PS C:\WINDOWS\system32> del /s  C:\Users\deuts\AppData\Local\PackageAware
Remove-Item : A positional parameter cannot be found that accepts argument 'C:\Users\deuts\AppData\Local\PackageAware'.
At line:1 char:1
+ del /s  C:\Users\deuts\AppData\Local\PackageAware
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Remove-Item], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

Share this post


Link to post
Share on other sites

Please delete this folder   C:\Users\deuts\AppData\Local\PackageAware

Share this post


Link to post
Share on other sites

ok, that worked.  I'll take a look at all your browser recommendations.

Thanks again for all your help!

Share this post


Link to post
Share on other sites

Good.  You are welcome.   Just let me know if you need something else.

Cheers.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.