Mkeeper.exe?


DrDrill

While doing a Critical Point Scan using SuperAntiSpyware it pauses for some time on this C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe. Then carries on without finding anything.

The location is not visible in Windows Explorer or Taskmanager.

Scans using Malwarebytes, ESET etc do not flag anything up.

I'd appreciate any help or suggestions.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

It's my understanding that this tool can remove this program.

If you did not install it then run this tool and mark all the items to be deleted. It's your call.

Please download Malwarebytes Anti-Malware from Malwarebytes or
from BleepingComputer
 

  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

If you have any other issues with this computer download and run this program.


Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions

p.s.
The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
====

 


Many thanks for your time and assistance Nasdaq

Log as requested.

After running Malwarebytes I ran a SuperAntiSpyware scan, still pauses for some time at this. Files Scanned C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe. Then carries on without finding anything.

I have run FRST and the files are attached.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 18/02/2021
Scan Time: 15:04
Log File: 8d4edc5c-71fa-11eb-a373-1c1b0de1e764.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37261
Licence: Trial

-System Information-
OS: Windows 10 (Build 19041.804)
CPU: x64
File System: NTFS
User: DESKTOP-NI83F8D\jonny

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 708477
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 hr, 24 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
MachineLearning/Anomalous.100%, C:\USERS\JONNY\DESKTOP\WW\COMICRACKSETUP0980.EXE, Quarantined, 0, 392687, 1.0.37261, , shuriken, , A10B66F20E48EF20DB18ADD7212D2FB7, 130094F6AC450BCD896D3A9D306D2EC12AB01A118506029F43CEE7E9D8EC6279

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Addition.txt FRST.txt


Hi,

Your logs are clean.

If the file is not found in the MKeeperStat folder it may be hidden.

Make sure you can see all the files.

Unhide files/folders Windows.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Check and if found delete the MKeeperStat folder

C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe

Restart the computer normally.


p.s.
If the problem persists and you are syncing Firefox with other devices check this out.

Navigate to this page and Remove it as suggested.

https://support.mozilla.org/en-US/kb/remove-synced-device-firefox-accounts

When done restart the computer normally.

If all is well.

Return to your Firefox Account and Click the Connect button.

Reset the sync if you want.

Restart the computer normally.
<<<>>>

Is the problem fixed?


Hi

My folders are unhidden (I will double check when I get home). There is no MkeeperStat folder. Only Superantispyware seems to be able to ‘see’ this folder during a scan but it then moves on and tells me nothing has been found. Could it be a leftover from a previously removed or quarantined item? I’ll check the archived Superantispyware and my Windows Defender log files and see if anything shows up.

I’ve asked the question on the Superantispyware forums but there doesn’t appear to be much traffic over there.

I’m at work so I’ll check it out when I get home and let you know.

thanks


Hi

Everything is definitely unhidden and the path that Superantispyware is looking at C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe is not visible/doesn't exist.

 The Scan result is 'No potentially harmful items have been detected'

Nothing on any log files

Nothing Synced on Firefox

Nothing shows on anything except Superantispyware, I still haven't had a reply from the SaS Support forum

Thanks

sas.jpg


Hi,

Looks like you have some remnant items in the registry that are dormant.

Download the SystemLook appropriate for your system.

SystemLook (32-Bit Version) or SystemLook (64-Bit Version)

  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind 
    LIBGLESV2.DLL
    TSUSBFLT
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.


===
 

Hi

SystemLook log as requested

 

SystemLook 04.09.10 by jpshortstuff
Log created at 18:55 on 20/02/2021 by jonny
Administrator - Elevation successful

========== regfind ==========

Searching for "LIBGLESV2.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\749B420750A914B5A870B66767B0D62B]
"66EE4A1DA4DABBE4192B915BCBBE281B"="C:\Program Files (x86)\eM Client\libcef\libGLESv2.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9ABE1AF877A97F04BBAC8C0CCD42F523]
"F90B7EB92D8CE1B48BE33778DFADB8DC"="C:\Program Files (x86)\Garmin\Express\libGLESv2.dll"

Searching for "TSUSBFLT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"MessageFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\tsusbflt]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
"Description"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
"DisplayName"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
"ImagePath"="system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\tsusbflt]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
"Description"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
"DisplayName"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
"ImagePath"="system32\drivers\tsusbflt.sys"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\38\417C44EB]
"@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"="Remote Desktop USB Hub Class Filter Driver"
[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\38\417C44EB]
"@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"="Remote Desktop USB Hub Class Filter Driver"

-= EOF =-


Hi

Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\749B420750A914B5A870B66767B0D62B]
"66EE4A1DA4DABBE4192B915BCBBE281B"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9ABE1AF877A97F04BBAC8C0CCD42F523]
"F90B7EB92D8CE1B48BE33778DFADB8DC"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\tsusbflt]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\tsusbflt]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
[-HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\38\417C44EB]

Restart the computer when completed.

You can delete the fixme.reg file when done.

Is the problem solved?


Hi

SASW critical point scan still pauses on C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe in files scanned section. But then finishes scan and gives the all clear. This path however does not seem to show up on either a Quick or a Full system scan. (or File Explorer or anything else we've tried)  Could this be a SASW issue rather than anything sinister? Still no reply on the SASW forum.

 


After trawling through the Superantispyware forums I found this, looks like Sasw lists the paths it’s looking for rather than the paths it is actually seeing. So when I see the scan pausing on C:\programdata\microsoft\windows\mkeeperstat\mkeeper.exe it’s not actually telling me this path exists, it’s checking to see if it is there. If this is the case (I’m still waiting for a reply from SASW support) I’m afraid this has been a wild goose chase and I apologise for wasting your time.

0C72261B-B79F-4DFD-9BCD-017ACC69D14A.png
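
Added example, not part of any post in this thread: one way to confirm from an elevated PowerShell session whether the path the scanner displays actually exists on disk, independent of Explorer's hidden-file settings. The path is the one quoted in the thread; the variable names and output wording are illustrative.

```powershell
# Added example: does the path shown by the scanner exist on disk?
# Path taken from the thread; run in an elevated PowerShell session.
$target = 'C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe'

# .NET existence checks ignore the Hidden/System attributes that hide
# items from Explorer, so no "show hidden files" setting is involved.
$probe = $target
while ($probe -and -not ([IO.File]::Exists($probe) -or [IO.Directory]::Exists($probe))) {
    $probe = Split-Path -Path $probe -Parent   # step up one level
}

if (-not $probe) {
    "No part of $target exists (drive not found)."
}
elseif ($probe -ne $target) {
    "Deepest existing part of the path: $probe"
    # List what is really in that folder, including hidden and system
    # entries, so a similarly named item would stand out.
    Get-ChildItem -LiteralPath $probe -Force |
        Select-Object Name, Attributes, LastWriteTime |
        Format-Table -AutoSize
    "Result: $target is not present on disk."
}
else {
    # The file exists: collect facts to post for review before removing anything.
    $item = Get-Item -LiteralPath $target -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $target
    [pscustomobject]@{
        Path       = $item.FullName
        Attributes = $item.Attributes
        Created    = $item.CreationTime
        Modified   = $item.LastWriteTime
        SHA256     = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
    } | Format-List
}
```

These checks go through normal user-mode file APIs, so they complement rather than replace the rootkit-enabled scan run earlier in the thread.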


Hi

Latest log

SystemLook 04.09.10 by jpshortstuff
Log created at 19:00 on 21/02/2021 by jonny
Administrator - Elevation successful

========== regfind ==========

Searching for "LIBGLESV2.DLL"
No data found.

Searching for "TSUSBFLT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"MessageFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"

-= EOF =-


Hi

Copy all the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Quote

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"MessageFileName"=-

 


Restart the computer when completed.

You can delete the fixme.reg file when done.

Is the problem solved?


Everything looks clear, many thanks for your help. 👍

SystemLook 04.09.10 by jpshortstuff
Log created at 13:59 on 23/02/2021 by jonny
Administrator - Elevation successful

========== regfind ==========

Searching for "LIBGLESV2.DLL"
No data found.

Searching for "TSUSBFLT"
No data found.

-= EOF =-

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.