DrDrill, posted February 18, 2021 (ID:1439678)

While doing a Critical Point Scan using SuperAntiSpyware it pauses for some time on this C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe. Then carries on without finding anything. The location is not visible in Windows Explorer or Task Manager. Scans using Malwarebytes, ESET etc. do not flag anything up. I'd appreciate any help or suggestions.
nasdaq, posted February 18, 2021 (ID:1439683)

Hello, welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

It's my understanding that this tool can remove this program. If you did not install it then run this tool and mark all the items to be deleted. It's your call.

Please download Malwarebytes Anti-Malware from Malwarebytes or from BleepingComputer.
Right-click on the MBAM icon and select Run as administrator to run the tool.
Click Yes to accept any security warnings that may appear.
Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
On the left menu pane click the Settings tab, and then select the Protection tab on the top.
Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
Note: The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log can also be viewed by clicking the log to select it, then clicking the View Report button.

Please post the log for my review.
Note: If asked to restart the computer, please do so immediately.

===

If you have any other issues with this computer download and run this program.

Download the Farbar Recovery Scan Tool (FRST). Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop. Ensure that you are in an Administrator Account. Double-click to run it. When the tool opens click Yes to the disclaimer.
Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply: In the Reply section in the bottom of the topic click the "More Reply Options" button. http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png
Attach the file(s). A 2-step process.
Reply to this topic.
Select "Choose a File" and navigate to the location of the file. Click the file you wish to attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review. Let me know what problems persist. Wait for further instructions.

p.s. The Farbar program is updated often. If it's identified as suspicious by your Anti-Virus program trust it if downloaded from the link I provided. You should restore the program from the Quarantine folder.

====
DrDrill (author), posted February 18, 2021 (ID:1439736)

Many thanks for your time and assistance Nasdaq. Log as requested. After running Malwarebytes I ran a SuperAntiSpyware scan, still pauses for some time at this. Files Scanned C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe. Then carries on without finding anything. I have run FRST and the files are attached.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 18/02/2021
Scan Time: 15:04
Log File: 8d4edc5c-71fa-11eb-a373-1c1b0de1e764.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37261
Licence: Trial

-System Information-
OS: Windows 10 (Build 19041.804)
CPU: x64
File System: NTFS
User: DESKTOP-NI83F8D\jonny

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 708477
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 hr, 24 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 0 (No malicious items detected)
File: 1
MachineLearning/Anomalous.100%, C:\USERS\JONNY\DESKTOP\WW\COMICRACKSETUP0980.EXE, Quarantined, 0, 392687, 1.0.37261, , shuriken, , A10B66F20E48EF20DB18ADD7212D2FB7, 130094F6AC450BCD896D3A9D306D2EC12AB01A118506029F43CEE7E9D8EC6279
Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)

(end)

Attachments: Addition.txt, FRST.txt
nasdaq, posted February 19, 2021 (ID:1439893)

Hi,

Your logs are clean.

If the file is not found in the MKeeperStat folder it may be hidden. Make sure you can see all the files.
Unhide files/folders Windows. How To: http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7

<<<>>>

Check and if found delete the MKeeperStat folder
C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe

Restart the computer normally.

p.s. If the problem persists and you are syncing Firefox with other devices check this out.
Navigate to this page and Remove it as suggested.
https://support.mozilla.org/en-US/kb/remove-synced-device-firefox-accounts
When done restart the computer normally.
If all is well, return to your Firefox Account and click the Connect button. Reset the sync if you want.
Restart the computer normally.

<<<>>>

Is the problem fixed?
DrDrill (author), posted February 19, 2021 (ID:1439912)

Hi

My folders are unhidden (I will double check when I get home). There is no MkeeperStat folder. Only SuperAntiSpyware seems to be able to 'see' this folder during a scan but it then moves on and tells me nothing has been found. Could it be a left over from a previously removed or quarantined item? I'll check the archived SuperAntiSpyware and my Windows Defender log files and see if anything shows up. I've asked the question on the SuperAntiSpyware forums but there doesn't appear to be much traffic over there. I'm at work so I'll check it out when I get home and let you know.

Thanks
DrDrill (author), posted February 19, 2021 (ID:1439959)

Hi

Everything is definitely unhidden and the path that SuperAntiSpyware is looking at, C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe, is not visible/doesn't exist.
The scan result is 'No potentially harmful items have been detected'.
Nothing on any log files.
Nothing synced on Firefox.
Nothing shows on anything except SuperAntiSpyware. I still haven't had a reply from the SAS Support forum.

Thanks
nasdaq, posted February 20, 2021 (ID:1440097)

Hi,

Looks like you have some remnant items in the registry that are dormant.

Download the SystemLook appropriate for your system.
SystemLook (32-Bit Version) or SystemLook (64-Bit Version)

Double-click SystemLook.exe/SystemLook_x64.exe to run it.
Copy and paste the content of the following bold text into the main textfield:

:regfind
LIBGLESV2.DLL
TSUSBFLT

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt.

===
DrDrill (author), posted February 20, 2021 (ID:1440136)

Hi

SystemLook log as requested

SystemLook 04.09.10 by jpshortstuff
Log created at 18:55 on 20/02/2021 by jonny
Administrator - Elevation successful

========== regfind ==========

Searching for "LIBGLESV2.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\749B420750A914B5A870B66767B0D62B]
"66EE4A1DA4DABBE4192B915BCBBE281B"="C:\Program Files (x86)\eM Client\libcef\libGLESv2.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9ABE1AF877A97F04BBAC8C0CCD42F523]
"F90B7EB92D8CE1B48BE33778DFADB8DC"="C:\Program Files (x86)\Garmin\Express\libGLESv2.dll"

Searching for "TSUSBFLT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"MessageFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\tsusbflt]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
"Description"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
"DisplayName"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]
"ImagePath"="system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\tsusbflt]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
"Description"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
"DisplayName"="@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]
"ImagePath"="system32\drivers\tsusbflt.sys"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\38\417C44EB]
"@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"="Remote Desktop USB Hub Class Filter Driver"
[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\38\417C44EB]
"@%SystemRoot%\system32\drivers\tsusbflt.sys,-1000"="Remote Desktop USB Hub Class Filter Driver"

-= EOF =-
nasdaq, posted February 20, 2021 (ID:1440147)

Hi

Copy all the text IN THE QUOTE BOX below to notepad.
Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files".
Once you have saved, right click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\749B420750A914B5A870B66767B0D62B]
"66EE4A1DA4DABBE4192B915BCBBE281B"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9ABE1AF877A97F04BBAC8C0CCD42F523]
"F90B7EB92D8CE1B48BE33778DFADB8DC"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\tsusbflt]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TsUsbFlt]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\tsusbflt]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt]

[-HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\38\417C44EB]

Restart the computer when completed.
You can delete the fixme.reg file when done.

Is the problem solved?
DrDrill (author), posted February 20, 2021 (ID:1440153)

Hi

SASW critical point scan still pauses on C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe in the files scanned section. But then finishes the scan and gives the all clear. This path however does not seem to show up on either a Quick or a Full system scan (or File Explorer or anything else we've tried). Could this be a SASW issue rather than anything sinister? Still no reply on the SASW forum.
DrDrill (author), posted February 21, 2021 (ID:1440241)

After trawling through the SuperAntiSpyware forums I found this: it looks like SASW lists the paths it's looking for rather than the paths it is actually seeing. So when I see the scan pausing on C:\programdata\microsoft\windows\mkeeperstat\mkeeper.exe it's not actually telling me this path exists, it's checking to see if it is there. If this is the case (I'm still waiting for a reply from SASW support) I'm afraid this has been a wild goose chase and I apologise for wasting your time.
nasdaq, posted February 21, 2021 (ID:1440254)

Hi,

Did you execute my registry fix?

If you do a SystemLook as previously suggested do you see any remnant entries still listed?
DrDrill (author), posted February 21, 2021 (ID:1440255)

Hi

Yes I did the registry fix. I'll run SystemLook using the same parameters again when I get home.

Thanks
DrDrill (author), posted February 21, 2021 (ID:1440297)

Hi

Latest log

SystemLook 04.09.10 by jpshortstuff
Log created at 19:00 on 21/02/2021 by jonny
Administrator - Elevation successful

========== regfind ==========

Searching for "LIBGLESV2.DLL"
No data found.

Searching for "TSUSBFLT"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"MessageFileName"="%SystemRoot%\system32\drivers\tsusbflt.sys"

-= EOF =-
nasdaq, posted February 22, 2021 (ID:1440453)

Hi

Copy all the text IN THE QUOTE BOX below to notepad.
Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files".
Once you have saved, right click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"ResourceFileName"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}]
"MessageFileName"=-

Restart the computer when completed.
You can delete the fixme.reg file when done.

Is the problem solved?
DrDrill (author), posted February 22, 2021 (ID:1440460)

Hi

Forgive my lack of knowledge but what is it about tsusbflt.sys in this instance that makes it suspicious?
nasdaq, posted February 23, 2021 (ID:1440694)

Hi,

The registry keys deleted were referencing the TSUSBFLT.SYS file. The file is not showing in your logs. Nothing can come of it.

You can search your computer for the file. If found, check the properties; it should be signed by Microsoft.
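As an added example (not part of the thread, and not code from either poster), this PowerShell performs the checks discussed above without changing anything: whether the path SuperAntiSpyware prints exists on disk at all (the scanner lists locations it checks, so an absent path is the expected result), whether tsusbflt.sys is present and carries a valid Microsoft signature, and which of the registry keys and values named in the two .reg fixes are still present. Paths and key names are the ones quoted in the thread; everything else is read-only inspection.

```powershell
# Added example, not code from the thread: a read-only check of the points
# raised above. Paths and key names are the ones quoted in this thread.
$ErrorActionPreference = 'Stop'

# 1. Does the path SuperAntiSpyware prints actually exist? -LiteralPath avoids
#    wildcard expansion, and Test-Path reports hidden/system files too.
$sasPath = 'C:\ProgramData\Microsoft\Windows\MKeeperStat\mkeeper.exe'
if (Test-Path -LiteralPath $sasPath) {
    $item = Get-Item -LiteralPath $sasPath -Force
    "EXISTS  $sasPath  attrs=$($item.Attributes) size=$($item.Length)"
    Get-AuthenticodeSignature -FilePath $sasPath |
        Select-Object Status, SignatureType,
            @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
} else {
    "ABSENT  $sasPath  (a location the scanner checks, not a file it found)"
}

# 2. Is tsusbflt.sys present and Microsoft-signed? In-box drivers are normally
#    catalog-signed, so SignatureType is usually 'Catalog' rather than 'Embedded'.
$drv = Join-Path $env:SystemRoot 'System32\drivers\tsusbflt.sys'
if (Test-Path -LiteralPath $drv) {
    $sig    = Get-AuthenticodeSignature -FilePath $drv
    $signer = $sig.SignerCertificate.Subject
    $ok     = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    $tag    = if ($ok) { 'TRUSTED' } else { 'CHECK  ' }
    "$tag  $drv  status=$($sig.Status) type=$($sig.SignatureType) signer=$signer"
} else {
    "ABSENT  $drv"
}

# 3. Which registry keys from the fixes are still present? Test-Path on a
#    registry path only reports keys; the two values are read separately.
$pub  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{6e400999-5b82-475f-b800-cef6fe361539}'
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\TsUsbFlt',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System\tsusbflt',
    $pub
)
foreach ($k in $keys) {
    $tag = if (Test-Path -LiteralPath $k) { 'PRESENT' } else { 'GONE   ' }
    "$tag  $k"
}
if (Test-Path -LiteralPath $pub) {
    # The second .reg fix removes exactly these two values from the publisher key.
    Get-ItemProperty -LiteralPath $pub |
        Select-Object ResourceFileName, MessageFileName
}
```

Run it from an elevated PowerShell so the HKLM service keys and the drivers folder are readable; a 'CHECK' tag on the driver means the signature is not a valid Microsoft one and the file deserves a closer look, while 'ABSENT' on the MKeeperStat path simply confirms what the forum thread concluded.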
DrDrill (author), posted February 23, 2021 (ID:1440699)

Everything looks clear, many thanks for your help. 👍

SystemLook 04.09.10 by jpshortstuff
Log created at 13:59 on 23/02/2021 by jonny
Administrator - Elevation successful

========== regfind ==========

Searching for "LIBGLESV2.DLL"
No data found.

Searching for "TSUSBFLT"
No data found.

-= EOF =-
nasdaq, posted February 23, 2021 (ID:1440769)

Hi,

Glad we could help.
AdvancedSetup (Root Admin), posted February 23, 2021 (ID:1440783)

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you