
mpengine.dll


NEbr

Go to solution Solved by Maurice Naggar,


I've run a Malwarebytes scan and it found mpengine.dll as a threat.

I looked it up and fileinspect.com says it's part of Microsoft Malware Protection.

An article on Malwarebytes advised to check Windows Security About for the engine version. Mine seems like it's all zeros.

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/

I've uploaded an image so you can see.

Can anyone give me any advice on how I fix this? Or where I can get those patches?

I use Avast Premium Security and Malwarebytes.

 

01.jpg

02.jpg

Link to post
Share on other sites

Hello @NEbr

My name is Maurice.  Let me know what name you prefer to go by.  I will guide you.

I need a report set for review.   This is a report only.

Please download MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, like displayed here.
  • To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located and select it and click the Open button.

 

_mb_attach.jpg

 

The file at issue is tagged as PUP.optional.slimware.   The set of data from the report will provide much needed information.

Please always attach reports as we go along.

Edited by Maurice Naggar
  • Like 1
Link to post
Share on other sites

After doing the action above, here is what I suggest as next steps.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Then I would urge you to do one manual run of "Check for Updates" on the Windows Security section of Windows 10.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

image.png.53b8290f51fb52ad1f67f2be5d1a7198.png

 

Next, In Windows Security section: Click on the grey button Open Windows Security

image.thumb.png.770ff10e37da546f33963da571bd3378.png

Now, click on the shield Virus and threat protection

By the way, when you see a green check-mark on your display, it means a good status and that protection is on.

 

image.thumb.png.d3c40d161bda6630f463e83ce53f9782.png 

On the next display, look at all the options.  Look down the list and see "Check for Updates" which I have highlighted with a blue icon.

You can click on that to have the system check for updates for Windows Defender.

 

 

image.thumb.png.1bfbd5b3023eeabe0dbea2025a5fa556.png

 

NOTE: On this last screen, be sure to review the section on Exclusions to be sure that none of the path, process, or file/folder exclusions are ones that you yourself did not place there on your own.

 

  • Like 1
Link to post
Share on other sites
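The same checks from the command line, as an added example that is not part of the original posts: it reads the Defender engine version shown on the About page, lists the antivirus products registered with Windows, prints the Defender exclusions for review, and checks the signature on each mpengine.dll in Defender's default definition folder. The folder path is the Windows default and is an assumption here; the script changes nothing.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
# Uses the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference.

# 1. Antivirus products registered with Windows Security Center (client Windows).
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, pathToSignedProductExe | Format-List

# 2. Engine and definition versions, i.e. the values on the "About" page.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    $status | Format-List AMEngineVersion, AMProductVersion,
        AntivirusSignatureVersion, AntivirusSignatureLastUpdated,
        AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
    if ($status.AMEngineVersion -eq '0.0.0.0') {
        Write-Warning 'Engine version reads all zeros; compare with step 1 to see whether another antivirus is registered.'
    }
} catch {
    # The cmdlet fails when the Defender service is not running.
    Write-Warning "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

# 3. Exclusions to review: anything you did not add yourself deserves a closer look.
#    Current Windows builds only show these values to administrators.
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($name in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        $values = @($pref.$name | Where-Object { $_ })
        if ($values.Count -eq 0) { '{0}: (none)' -f $name }
        else { $values | ForEach-Object { '{0}: {1}' -f $name, $_ } }
    }
} catch {
    Write-Warning "Get-MpPreference failed: $($_.Exception.Message)"
}

# 4. Signature and version of every mpengine.dll under the default
#    definition-update folder (assumed default location).
$root = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
Get-ChildItem -Path $root -Filter 'mpengine.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Version = $_.VersionInfo.FileVersion
            Status  = $sig.Status                      # 'Valid' is expected
            Signer  = $sig.SignerCertificate.Subject   # expected: a Microsoft certificate
        }
    } | Format-List
```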

Thank you, I did those above.

See screenshot I've added.

Microsoft Defender Antivirus options is off.

There are no updates.

Meanwhile I did run Malwarebytes AdwCleaner and it found PUP.Optional.FLVMPlayer and PUP.Optional.Legacy.

Microsoft Safety Scanner found: Virtool:Win32/DefenderTamperingRestore.

At this point all I have is a screenshot; I don't know if you can also see that information in mbst-grab-results.zip.

 

 

04.jpg

Virus & threat protection.jpg

Link to post
Share on other sites

[  A  ]

Thanks for the support-tool ZIP report. I see that Avast antivirus ( with Avast firewall) is the resident antivirus application. So it is standard for the real-time protection of Microsoft Defender to be off.  That is quite normal and expected.
I also see this pc has the Premium Malwarebytes for Windows.
The Microsoft Safety scanner did not report any real malware.  When the pc has Avast, it is expected that Defender's anti-spyware option will be set to Off (since Avast is the main & sole antivirus app here.)

[  B  ]

Do one new scan.

Start Malwarebytes for Windows.

  1. Click Settings.
  2. In the General tab,    click on "Check for Updates " button.   
  3. Watch & follow all prompts. 

  4. Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color.

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

MB4_scan_tick_ALL.jpg.d04ef98c885b4f44f51bfe735922fba7.jpg

 

Please double verify you have that TOP check-box tick-marked, and that all lines then have a tick-mark.

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine.jpg.8639e1dfc2301bc6d60a8cfb3c339241.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

  • Like 1
Link to post
Share on other sites

Rootkits was on. I did a normal scan, so not a full scan, and it didn't find anything (01.jpg). See report under the name 01.text

But the previous one did find something (02.jpg), which was PUP.Optional.Slimware, and it's still in Quarantined items. I've added that report under the name 02.text

 

 

01.jpg

02.jpg

01.txt 02.txt

Link to post
Share on other sites

The most recent Malwarebytes scan is the one clocked at 7:30 PM local  and it found nothing.  That is what counts.

What is in Quarantine is not a cause for concern because it is permanently out of the way.

Cannot tell what it was about the 1 DLL.  It may have been a one-time event.  Maybe an update issue.  But updates for this MS Defender should not be frequent since the resident antivirus here is Avast.

Let's see if we can do a manual on-demand update for Defender using the Windows PowerShell.  We will use a custom script.

Please save the (attached file named) FIXLIST.txt   to the   Downloads folder

Fixlist.txt

The custom script on this post is ONLY for this machine and NO other.   

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

 

The system will be rebooted after the script has run.

 

  • Start Windows Explorer and then go to the Downloads folder.
  • RIGHT click on  FRSTENGLISH.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool. 
  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.

 

  • IF you get a block message from Windows about this tool......

click the line "More info" on that screen

and click button Run anyway on next screen.

 

  • on the FRST window:

Click the Fix button just once, and wait.

 

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Edited by Maurice Naggar
  • Like 1
Link to post
Share on other sites

Hello.

The following lists the steps to do a manual (on-demand) update of the definitions of the Windows 10 Microsoft Defender antivirus.
Your Windows is a 64-bit one.  The gist of the steps is to download the 64-bit update package AND save it, then, when done, to run that exe file.
Go to this link at Microsoft   https://www.microsoft.com/en-us/wdsi/defenderupdates

Scroll down to section "Manually download the update".  Look down to the table with list of 7 lines.
Only look at the first line "Microsoft Defender Antivirus for Windows 10 and Windows 8.1".
Then click the blue-color link for "64-bit".
Be sure to SAVE the file.
After that completes, go to where you saved the file mpam-fe.exe
Then double-click on mpam-fe.exe to start the update.
 

Edited by Maurice Naggar
  • Thanks 1
Link to post
Share on other sites

I downloaded the 64-bit, but installation fails. I get the loading icon on the mouse cursor, it stops, and nothing happens. I tried with run as administrator; that didn't work either. I temporarily disabled Avast and Malwarebytes in case something was blocking it; that didn't work either. I also tried in safe mode with networking; nothing happened.

Event Viewer says:
Windows Error Reporting

Fault bucket 1402879715074637211, type 5
Event Name: MpTelemetry
Response: Not available
Cab Id: 0

Problem signature:
P1: 0x80070645
P2: ProductSearch
P3: N/A
P4: 1.1.18500.10
P5: mpsigstub.exe
P6: unspecified
P7: unspecified
P8:
P9:
P10:

 

Edited by NEbr
Link to post
Share on other sites

It seems this machine has an issue doing updates for Windows.  The following is a custom script to try to help.

First please Delete the prior file named Fixlist.txt   on the Downloads.

then

Please save the (attached file named) FIXLIST.txt   to the   Downloads folder

Fixlist.txt

 

The custom script on this post is ONLY for this machine and NO other.   

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

 

The system will be rebooted after the script has run.

 

  • Start Windows Explorer and then go to the Downloads folder.
  • RIGHT click on  FRSTENGLISH.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool. 
  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.

 

  • IF you get a block message from Windows about this tool......

                          click the line "More info" on that screen

                           and click button Run anyway on next screen.

 

  • on the FRST window:

Click the Fix button just once, and wait.

 

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later at your next opportunity.

Edited by Maurice Naggar
  • Like 1
Link to post
Share on other sites

I still can't install Microsoft Defender Antivirus for Windows 10 64-bit; that may have to do with what you mentioned earlier about real-time protection of Microsoft Defender being turned off.

Also on computerworld.com they mentioned the same: "It may mean that you have a third-party antivirus installed; it’s taking over for Defender, which is thus properly shut off."

I ran a full Malwarebytes scan with rootkits, no threats found.

Hitman Pro keeps mentioning FRSTEnglish.exe and another FRST type of file; I ignored them.

Microsoft Safety Scanner found at one point 778 files infected. I don't get it since this pc is just reinstalled, so if you want to look at it, I've added the log as an attachment.

Thank you.

Microsoft Safety Scanner.txt

FI.jpg

Edited by NEbr
Link to post
Share on other sites

  • Solution

Thanks for the results from the Microsoft Safety Scanner.  It found NO infection / no virus!  It is a clean good result.  The intermediate displays on-screen must be ignored.  They are not actual problems.  The intermediate displays of the Safety Scanner during the scan can be misleading.  All that counts is the bottom line result.  (Other people have seen similar & also got the wrong impression.)

By the way, about what you "saw" on intermediate displays of the Microsoft Safety Scanner (your remarks above), I would like you to review the remarks by AndyDavid about all that on this Microsoft community venue https://docs.microsoft.com/en-us/answers/questions/326108/mar-1721-msert-detects-items-during-scan-but-at-en.html

You reported 

Quote

I ran a full Malwarebytes scan with rootkits, no threats found.

It is very re-assuring that Malwarebytes for Windows reports no malware infection.  That is another confirmation that this machine is not infected.

It is unfortunate (but not fatal) that this pc could not accomplish the manual definitions (signatures) update for Microsoft Defender.  BUT it is critical to keep in mind that this pc has AVAST Antivirus. That being the case, Microsoft Defender is supposed to be turned off and not active.  Avast is the antivirus.

I assume you are sticking with Avast.

I do not see an infection here.  My view is that we can plan to wrap up this case.

  • Thanks 1
Link to post
Share on other sites

You are very welcome.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download
Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard


Note: If your pc has Windows 10 EDGE browser, or Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).
You can delete msert.exe

Delete mbst-grab-results.zip

Delete mb-support-1.8.7.918.exe

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe

 
Then run that ( double click on it) to begin the cleanup process.

Any other download file I had you download, you may delete. 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

Stay safe.  I wish you all the best.
I am marking this case for closure.

  • Like 1
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

  • Like 1
Link to post
Share on other sites

This topic is now closed to further replies.