
odd pop up saying reovery dll cant be found? constantly pops up



Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/16/20
Scan Time: 9:30 AM
Log File: fc563f2a-dfcc-11ea-8d3c-ec9a7456ff68.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.1003
Update Package Version: 1.0.28571
License: Trial

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
User: Betapheles\Jesse

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 302424
Threats Detected: 20
Threats Quarantined: 20
Time Elapsed: 9 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 11
Trojan.Clicker.FMS, HKLM\SOFTWARE\CLASSES\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}, Quarantined, 1777, 174741, , , , , , 
Trojan.Clicker.FMS, HKU\S-1-5-21-2328842320-4189466198-4226340722-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}, Quarantined, 1777, 174741, , , , , , 
Trojan.Clicker.FMS, HKLM\SOFTWARE\CLASSES\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32, Quarantined, 1777, 174741, , , , , , 
Trojan.Clicker.FMS, HKU\S-1-5-21-2328842320-4189466198-4226340722-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32, Quarantined, 1777, 174741, , , , , , 
PUP.Optional.WebDiscoverBrowser, HKU\S-1-5-18\SOFTWARE\WebDiscoverBrowser, Quarantined, 1726, 253912, 1.0.28571, , ame, , , 
PUP.Optional.WebDiscoverBrowser, HKU\S-1-5-21-2328842320-4189466198-4226340722-1000\SOFTWARE\WebDiscoverBrowser, Quarantined, 1726, 253912, 1.0.28571, , ame, , , 
PUP.Optional.WebDiscoverBrowser, HKLM\SOFTWARE\WebDiscoverBrowser, Quarantined, 1726, 253915, 1.0.28571, , ame, , , 
PUP.Optional.ASK, HKU\S-1-5-21-2328842320-4189466198-4226340722-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2FA28606-DE77-4029-AF96-B231E3B8F827}, Quarantined, 281, 341070, , , , , , 
PUP.Optional.ASK, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2FA28606-DE77-4029-AF96-B231E3B8F827}, Quarantined, 281, 341070, , , , , , 
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}, Quarantined, 281, 341070, 1.0.28571, , ame, , , 
PUP.Optional.WebDiscoverBrowser, HKLM\SOFTWARE\WOW6432NODE\WebDiscoverBrowser, Quarantined, 1726, 253915, 1.0.28571, , ame, , , 

Registry Value: 3
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}|URL, Quarantined, 281, 341070, 1.0.28571, , ame, , , 
PUP.Optional.ASK, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}|URL, Quarantined, 281, 341070, 1.0.28571, , ame, , , 
PUP.Optional.ASK, HKU\S-1-5-21-2328842320-4189466198-4226340722-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}|URL, Quarantined, 281, 341071, 1.0.28571, , ame, , , 

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
Trojan.Clicker.FMS, C:\PROGRAMDATA\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Quarantined, 1777, 174741, 1.0.28571, , ame, , , 
PUP.Optional.Avanquest, C:\PROGRAM FILES (X86)\ONESAFE DRIVER MANAGER, Quarantined, 1421, 383722, 1.0.28571, , ame, , , 

File: 4
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, Quarantined, 1777, 174741, , , , , F3A7535539BBD94CB3E5BAA19D2BF963, 5E1EE3FF9418E844243DCBBE53048843B84191EFCAB8BA975978AA075C7486FC
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\recovery.dll, Quarantined, 1777, 174741, , , , , , 
PUP.Optional.Avanquest, C:\Program Files (x86)\OneSafe Driver Manager\SDMTray.exe, Quarantined, 1421, 383722, , , , , 2E62D233E3C2DD67D006D7CBE685113C, AD0E826D34DF4B5E1CED439ED9498F4E7ADCF4E7557288A0720487DEEF6D9058
PUP.Optional.OpenCandy, C:\USERS\JESSE\APPDATA\ROAMING\UTORRENT\UPDATES\3.4.3_40097.EXE, Quarantined, 1258, 157963, 1.0.28571, , ame, , B8B5AA849F8B7006AB098E14750ABFF5, E42599B83A9FB4A7C29D9A8B9375691A72D85231F9A51AB8152A28AA6893B80D

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites
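As an added example (not part of the original thread and not Malwarebytes' own tooling), the sketch below parses the -Scan Details- rows of a log in the layout shown above and lists every location recorded under the same detection name as a given file, here recovery.dll. Only the name, location and action columns are interpreted; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the log posted above (hash-free rows only; section counts are the
# original totals, so they exceed the rows kept here).
SAMPLE_LOG = r"""-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 11
Trojan.Clicker.FMS, HKLM\SOFTWARE\CLASSES\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32, Quarantined, 1777, 174741, , , , , , 
PUP.Optional.WebDiscoverBrowser, HKLM\SOFTWARE\WebDiscoverBrowser, Quarantined, 1726, 253915, 1.0.28571, , ame, , , 

Folder: 2
Trojan.Clicker.FMS, C:\PROGRAMDATA\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Quarantined, 1777, 174741, 1.0.28571, , ame, , , 

File: 4
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\recovery.dll, Quarantined, 1777, 174741, , , , , , 
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")  # e.g. "Registry Key: 11"

def parse_scan_details(text):
    """Return (section, threat, location, action) for each detection row."""
    rows, section, in_details = [], None, False
    for line in map(str.strip, text.splitlines()):
        if line == "-Scan Details-":
            in_details = True  # summary lines above it also look like "Name: N"
        elif in_details and (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif in_details and section and ", " in line:
            threat, rest = line.split(", ", 1)
            # Nine comma-separated columns follow the location; splitting from
            # the right keeps a location that itself contains commas intact.
            parts = rest.rsplit(",", 9)
            if len(parts) == 10:
                rows.append((section, threat, parts[0].strip(), parts[1].strip()))
    return rows

def family_footprint(rows, needle):
    """Group every location of the detection name(s) whose rows mention needle."""
    names = {t for _, t, loc, _ in rows if needle.lower() in loc.lower()}
    footprint = defaultdict(list)
    for section, threat, loc, _ in rows:
        if threat in names:
            footprint[section].append(loc)
    return dict(footprint)

if __name__ == "__main__":
    for section, locs in family_footprint(parse_scan_details(SAMPLE_LOG), "recovery.dll").items():
        print(section, *locs, sep="\n  ")
```

Run against the full exported log, the same call shows which registry keys, folders and files were quarantined together with the file named in the pop-up.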

Please always just attach each report as we go along. Not copy-paste, as that makes the thread way huge, and I can't easily search it as opposed to an actual file.

I need for you to run the Farbar F R S T  tool like in the link cited above by me.

 

  • To upload attachments please click the link as shown below. Then browse to where your file is located and select it and click the Open button.


Just when is it, and how, that you get to see a message about "recovery.dll"?

Can you get a screenshot capture and attach the image copy here?

See "Take a Screenshot on Windows"
https://lifehacker.com/how-to-take-a-screenshot-or-picture-of-whats-on-your-co-5825771

How to Take Screenshots in Windows 10
https://www.howtogeek.com/226280/how-to-take-screenshots-in-windows-10/

Also, this computer now runs on Windows 10 build 1903.   Was this machine upgraded in the past from a Windows version that used to have Media Center ?

Also, get and run a special report tool from Microsoft.

It does not make changes. It will be just a report.

 

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK


Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries


Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures


Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.


Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.

 

Edited by Maurice Naggar

I believe it was updated some time ago. The prompt usually pops up if I'm scrolling over a tasked icon on the bottom list tab, and it also just randomly pops up. I also noticed it happening if I plug a phone in or a Bluetooth speaker, or even when hovering over any image icon. I will try to get a picture of it. I did search your forums, and it looked like there was an older post about the same issue in 2015. This is the error code: C:ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\recovery.dll ?

 


Hello.

Thanks for sending the zip file.

 

I would like you to do a  special search.

There is the FRST64 tool in the Downloads folder. We will use that to do a search.

Find and then start FRST64.
Type the following (better yet, use Copy then Paste) into the search box exactly as shown, then press the Search Files button:
 

SearchAll: recovery.dll


 
Please wait while the program searches for all entries relating to this program, when done a  search.txt    log will be saved to the desktop. Please attach this log to your next reply. 

Thanks for your patience.


Thanks for the reports.   I am not seeing where some "thing" is mentioning "reovery.dll"  or "recovery.dll".

.

This here is just unrelated, but something needed so that the Microsoft Windows Defender is fully enabled.

There is one setting in Malwarebytes that needs to be off.   So that the Microsoft Windows Defender is all enabled.   The Premium ( or trial ) protections of Malwarebytes will still be on.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

{  all the way to the left for OFF }

 

Then on the Security tab. 

scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for P U P  & for P U  M)  to be set to "Always ( Recommended) ".

You can make the change by clicking on the down-arrow selection list-control.   We want all P U P  &  P U M to be marked for removal.

 

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).

 

Then click on Quarantine selected.

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


The report you last provided is from Sunday the 16th.  and is apparently the same report you sent before.

 

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 


Thanks.   That is a good run of the Adwcleaner program.   It cleaned out some adwares.

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own ( if any).
  • Please disconnect any USB or external drives from the computer before you run this scan!

 

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Scan button

Next, on the Quick scan pane, click on the Start button to proceed.

.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.


Hello. Thanks for the Roguekiller scan report. There is just one item to be removed, under the Registry section.

Find where you saved the Roguekiller_portable64.exe

Do a Right-click with your mouse on it and select Run as Administrator.

If prompted by Windows, reply Yes to have it proceed.

From the left-side list of options , click the Scan icon.

Next, look on the left-side pane “Advanced Scan”   & then click the Scan button.

The advanced scan should take something like under 30 minutes to run.

 

After the scan has finished, click the Results button.

You can inspect and choose the elements to remove in the results tab.
Select in the Registry section the line item for

[PUP.Slimware (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SWDUMon

 

and press the “Removal” button to start removal.

 

After a removal, only selected items are displayed and their status is updated with what the engine did with them.

 

The Removal report is  made available with the “Report” button.

Please use the Report function.  Save a copy of it and attach with your next reply.

When done, click the Finish button and exit the tool.

 

 


All right. That is a good run. How is the situation now?

 

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Be sure to let me know how things are at that point.
