
Informing Malwarebytes and users


Solved by AdvancedSetup

I have an HP Pavilion with 16GB RAM, i7 CPU. Win10 Pro. I noticed a couple months ago it had slowed considerably but everything was usable. None of my daily scans from Malwarebytes Premium ever showed any issue. I also have a subscription to HP Smart Friends, which I rarely used, but last week my whole system suddenly locked and a cold reboot got it running. I called Smart Friends and they remoted in and found a piece of malware had infected the HP folder and showed me memory usage was at 85% or higher. They used their tools and adwcleaner to remove the malware and all traces of it. I've had Malwarebytes Premium for many years and this is the first time, in 32 plus years of personal computer use that a piece of malware has gotten past my security protocols AND my router hardware firewall. I have no idea what it was nor how it evaded Malwarebytes and my hardware firewall. I just wanted to make users aware that it is possible. I tried to find a way to let the company know but couldn't, so decided I would just let people know here that it's possible. My system is running again at top speed with minimal memory usage. 


  • Root Admin

Hello @genej101

It may not have been actual malware. It could have been some old, no longer required programs from HP. If you like you can gather some logs and we can review further for you.


To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you


  • Root Admin

I would recommend that you go to Control Panel, Programs, Programs and Features and uninstall the following.

Bonjour (sharing protocol from Apple, not needed on Windows) is a very noisy and often problematic program on Windows.
CCleaner (computer experts no longer recommend this program).

These programs are probably not needed, based on their names:

Product Improvement Study for HP OfficeJet Pro 6970 (HKLM\...\{D8B3A7BD-EC78-426F-8106-E411E2CBC265}) (Version: 40.12.1161.1896 - HP Inc.)
Product Improvement Study for HP OfficeJet Pro 8020 series (HKLM\...\{FAF87AEC-40F7-4574-97A7-E9B777F5D262}) (Version: 49.11.4670.2224 - HP Inc.)


We should probably clean up the following folder and let it recreate as needed. It is currently in a fault state.

Application errors:
==================
Error: (08/29/2022 05:02:00 PM) (Source: ESENT) (EventID: 447) (User: )
Description: svchost (4468,D,21) SRUJet: A bad page link (error -338) has been detected in a B-Tree (ObjectId: 14, PgnoRoot: 49) of database C:\WINDOWS\system32\SRU\SRUDB.dat (49 => 675, 676).

Tag: BtDownRightMostPagePgnoNextNonNull

Fatal: 1


The Google update service is rather old. Google itself may be up to date but the checking tool is a tad old.

Task: {342564F2-FF8E-4FDD-A9D5-8845547BBD77} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153168 2019-11-18] (Google Inc -> Google Inc.)


Not sure if you have a proxy fully enabled, but it looks like it is possibly set to something that may or may not be the default in Firefox:

FF NetworkProxy: Mozilla\Firefox\Profiles\gyeqgqjc.default-release -> type", 0


These files appear to be from LogMeIn, but no files should be in the root of parent folders like this. I would check them out and see what they do and why they are where they are.

2020-11-19 17:36 - 2020-11-19 17:36 - 000000726 _____ () C:\Program Files (x86)\LMIR0DB65001.tmp.bat
2020-11-19 17:36 - 2020-11-19 17:36 - 000000530 _____ () C:\Program Files (x86)\LMIR0DB65001.tmp_r.bat
2020-11-19 18:28 - 2020-11-19 18:28 - 000000724 _____ () C:\Users\genej\AppData\Local\LMIR0DB5A001.tmp.bat
2020-11-19 18:28 - 2020-11-19 18:28 - 000000528 _____ () C:\Users\genej\AppData\Local\LMIR0DB5A001.tmp_r.bat


The computer does not look to be infected, just a bit of general maintenance.


Well, they ran adw yesterday and told me that they cleaned the malware out. As we were looking at programs, I questioned those you mentioned myself. Bonjour came with the machine from HP preinstalled. I did get rid of the other things you suggested as well, as I got this machine in Nov 2018 and noticed those hadn't been changed or used since 2019. I deleted SRUDB.dat, though I had to stop the policy service to do so, then restarted it and it has recreated the file. I do not use a proxy, I never have; I suspect that is part of Firefox's setup. It isn't causing any problems with the browser, which is operating fine and is what I'm responding to you from, actually.

So, I got rid of CCleaner. I can manually empty the caches on my browsers; it was just handy to have that do it for me. What do you suggest as a registry cleaner in its place? Because that always finds a few errors when I run the program every couple of weeks.

I no longer have the 6970 printer but do have an 8023 Office Jet printer from HP. Product Improvement study not needed, it gets updated wirelessly. Thanks for your help! I'm going to send this to you and reboot and see what things look like then. I appreciate it! And love Malwarebytes! :^) gene
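The SRU clean-up discussed in the two posts above (the "let it recreate as needed" suggestion and the stop-the-service step gene mentions), as an added PowerShell example that is not from the thread or from Malwarebytes: it first confirms the ESENT 447 / SRUJet corruption event is actually present, then moves the old database aside instead of deleting it, because the SRUM data it holds (per-application network and resource usage history) is worth keeping for any later incident review. It assumes the default path C:\Windows\System32\sru, that the Diagnostic Policy Service (DPS) is the service holding the file open, and an elevated prompt.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumptions: default SRU folder under System32, and DPS owns SRUDB.dat.
$SruDir = Join-Path $env:SystemRoot 'System32\sru'
$Backup = Join-Path $env:SystemRoot ('System32\sru_backup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))

# 1. Confirm the corruption seen in the log: Source ESENT, EventID 447, mentioning SRUJet and SRUDB.dat.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ESENT'; Id = 447 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'SRUJet' -and $_.Message -match 'SRUDB\.dat' }

if (-not $events) {
    Write-Host 'No ESENT 447 SRUJet events for SRUDB.dat found; leaving the SRU database alone.'
    return
}
Write-Host ("Found {0} SRUJet corruption event(s); most recent: {1}" -f $events.Count, $events[0].TimeCreated)

# 2. The database is held open by the Diagnostic Policy Service, so it must be stopped first
#    (this is the "policy service" step from the thread).
Stop-Service -Name DPS -Force -ErrorAction Stop

try {
    # 3. Move the old database files aside rather than deleting them, so the SRUM history
    #    survives for forensic review. DPS recreates a fresh SRUDB.dat when it starts.
    New-Item -ItemType Directory -Path $Backup | Out-Null
    Get-ChildItem -Path $SruDir -File | Move-Item -Destination $Backup -ErrorAction Stop
    Write-Host "Old SRU files moved to $Backup"
}
finally {
    # 4. Always bring the service back, even if the move failed part way.
    Start-Service -Name DPS
}
```

After a reboot or a few minutes of uptime, a new SRUDB.dat should exist in the sru folder and no further ESENT 447 events should appear for it.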


  • Root Admin
  • Solution

Yes, sadly some vendors do include Bonjour, but I can assure you that you'll be better off if you uninstall it. It is often reinstalled by other Apple software, so you may have to keep an eye out for it, and if you do see it come back, uninstall it again.

Please see the following about Snake Oil registry cleaners.


Do I need a Windows Registry Cleaner?
https://forums.malwarebytes.org/index.php?showtopic=126481


I wouldn't want to break your printer. I don't think a Product Improvement Study would be required to print, but I could be wrong, so up to you what you do with it.


Please download and run the following to check for other possible program updates.

Patch My PC Home Updater
https://patchmypc.com/home-updater


I had been using KCSumo to scan for updates. Patchmypc only found one update needed, Malwarebytes. 5.14. I thought it updated itself automatically. I do make an effort to keep everything updated. The printer is working fine without that improvement study. Creating a new system image now. I did see even Microsoft does not recommend cleaning the registry; though there has to be a lot of detritus in there, it doesn't cause problems, so leaving it alone is probably best. Thanks for your help! :^) gene


  • Root Admin

You're quite welcome.

Here is some information to consider in order to help keep your data and privacy safer.

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
  6. Please consider installing the following content blockers for your web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin


Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
