Issue with Malwarebytes Anti-RootKit/AdwCleaner on New Laptop


TimeuTroupe

One of my family members has a new HP laptop with Windows 11 on it, and I suggested they try out Malwarebytes (Trial) on it to decide between either using it or Norton. After setting it up, I heard from them that they had many notifications from Malwarebytes while they were using Mumble. All were rather concerning: they were supposedly trojan and "compromised" notifications from 3 supposed sites ("init6(.)freemyip(.)com", "fastpath(.)fr", and "markolinostyle(.)com"). I looked at it myself, and Malwarebytes says it blocked them, but they told me they never accessed any of those, nor have they had that issue with Mumble before. We ran scans and nothing came up, so we uninstalled Mumble just to be safe.

I used other programs to double-check for anything else, one of which was Malwarebytes's Anti-Rootkit scanner. While it set up just fine and did a database update, upon attempting to run a scan we got a BSOD (error code is supposedly code 50?). When I went to use the scanner again, the computer didn't crash, the scan ran successfully, and everything came out clean. AdwCleaner was also used and apparently claims that certain HP-related stuff (such as HPTouchpointAnalytics) is actually spyware.

I just wanna know what happened exactly with Malwarebytes and Mumble detecting trojans/compromised, why the Anti-RootKit scanner caused a crash, and why AdwCleaner detects HP related stuff as spyware on a new laptop.


3 minutes ago, TimeuTroupe said:

All were rather concerning: they were supposedly trojan and "compromised" notifications from 3 supposed sites ("init6(.)freemyip(.)com", "fastpath(.)fr", and "markolinostyle(.)com").

Those are web blocks. I am moving this topic to the web false positive section.

Please gather some logs from Malwarebytes showing the blocks and post them here.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location (screenshot).
RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged (screenshot).
If you click on the View option, you should get something similar to the following, with other options available (screenshot).
Thank you


7 minutes ago, TimeuTroupe said:

AdwCleaner was also used and apparently claims that certain HP-related stuff (such as HPTouchpointAnalytics) is actually spyware.

Those are pre-installed software, not spyware, and many want them removed. So you are given an option to remove them.

 

10 minutes ago, TimeuTroupe said:

I just wanna know what happened exactly with Malwarebytes and Mumble detecting trojans/compromised

Mumble is probably routing their traffic through servers that have been used for web attacks. That will cause blocks similar to P2P programs.


22 minutes ago, Porthos said:

Those are web blocks. I am moving this topic to the web false positive section.

Please gather some logs from Malwarebytes showing the blocks and post them here.

I've got 3 log files for the sites attached (hopefully I did this right).

16 minutes ago, Porthos said:

Those are pre-installed software, not spyware, and many want them removed. So you are given an option to remove them.

 

Mumble is probably routing their traffic through servers that have been used for web attacks. That will cause blocks similar to P2P programs.

So is it ok to remove them or perhaps leave them alone? Other scanners such as HitmanPro also list them as spyware. On the Mumble detections, does that make the program a high risk to use?

malwarebytes_log1.txt malwarebytes_log2.txt malwarebytes_log3.txt


1 minute ago, TimeuTroupe said:

So is it ok to remove them or perhaps leave them alone?

Personally, I uninstall most of the HP preinstalled stuff in Windows Programs and Features when I service/set up clients' new computers. Personally, I have found no use for AdwCleaner. For me, Malwarebytes does the job, including rootkit scanning.

 

4 minutes ago, TimeuTroupe said:

On the Mumble detections, does that make the program a high risk to use?

Probably not, but expect web blocks due to the fact that some Mumble clients set up and use cheap web hosting for the communication servers.


18 hours ago, Porthos said:

Personally, I uninstall most of the HP preinstalled stuff in Windows Programs and Features when I service/set up clients' new computers. Personally, I have found no use for AdwCleaner. For me, Malwarebytes does the job, including rootkit scanning.

 

Probably not, but expect web blocks due to the fact that some Mumble clients set up and use cheap web hosting for the communication servers.

Which HP stuff should be removed exactly? I've heard some shouldn't be touched, and there's something out there that allows you to remove all the bloat from Windows 11 (IIRC it's called ThisIsWindows11).

 

12 hours ago, JPopovic said:

Hello,

freemyip.com - The block will be removed.

164.132.202.2 - legit block due to RDP attacks.

79.116.11.71 - The block will be removed

 

Thanks

Thank you, I'm assuming those other 2 addresses aren't malicious at all then?


1 hour ago, TimeuTroupe said:

I'm assuming those other 2 addresses aren't malicious at all then?

Yes.

 

1 hour ago, TimeuTroupe said:

Which HP stuff should be removed exactly?

Do the following, and I can assist with what you can uninstall.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks


23 hours ago, Porthos said:

Yes.

 

Do the following, and I can assist with what you can uninstall.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Thanks

Something about my post was being registered as spam, and in the process of figuring that out I accidentally attached the same file 3 times, sorry for that.


3 minutes ago, TimeuTroupe said:

Got it

You only have the following actual programs installed. No HP software.

Quote

Malwarebytes version 4.5.19.229 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.19.229 - Malwarebytes)
Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.15831.20208 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 108.0.1462.54 - Microsoft Corporation)
Microsoft Edge WebView2 Runtime (HKLM-x32\...\Microsoft EdgeWebView) (Version: 108.0.1462.54 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-505596444-4234689902-1657722000-1001\...\OneDriveSetup.exe) (Version: 22.238.1114.0002 - Microsoft Corporation)
Microsoft OneNote - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version: 16.0.15831.20208 - Microsoft Corporation)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 108.0.1 (x64 en-US)) (Version: 108.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 108.0.1 - Mozilla)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15726.20202 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.15831.20184 - Microsoft Corporation) Hidden
WinRAR 6.20 beta 3 (64-bit) (HKLM\...\WinRAR archiver) (Version: 6.20.3 - win.rar GmbH)

The following are Windows Store "Apps". All but one of these are "just there" and not running.

Quote

Packages:
=========
Energy Star -> C:\Program Files\WindowsApps\AD2F1837.HPInc.EnergyStar_1.2.0.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)
HP Audio Center -> C:\Program Files\WindowsApps\AD2F1837.HPAudioCenter_1.37.275.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)
HP Privacy Settings -> C:\Program Files\WindowsApps\AD2F1837.HPPrivacySettings_1.1.54.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)
HP QuickDrop -> C:\Program Files\WindowsApps\AD2F1837.HPQuickDrop_2.5.10921.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)
HP Smart -> C:\Program Files\WindowsApps\AD2F1837.HPPrinterControl_141.2.441.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)
HP Support Assistant -> C:\Program Files\WindowsApps\AD2F1837.HPSupportAssistant_9.22.14.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)
HP System Event Utility -> C:\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.3.2.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)

myHP -> C:\Program Files\WindowsApps\AD2F1837.myHP_10.52244.7.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.) [Startup Task]

I would go ahead and leave them there. They do not run unless you open them.

The myHP app runs at startup. I would disable it at startup if it were mine. To be honest, if it were mine I would have wiped the computer from a clean Windows disk, but that is not for everyone.

I would suggest removing the following and using 7-Zip instead.

Quote

WinRAR 6.20 beta 3
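As an added example (not part of the thread and not a Malwarebytes or HP tool): a small Python parser for the "Packages:" listing format quoted above. It pulls the publisher, package name and version out of each WindowsApps folder name and flags the entries marked [Startup Task], so the observation that only one of the HP packages runs at startup can be reproduced mechanically from such a log. The sample listing is constructed from three of the entries shown above; the regexes and the triage helper are assumptions of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: three entries in the same shape as the quoted listing.
SAMPLE_LISTING = r"""Packages:
=========
Energy Star -> C:\Program Files\WindowsApps\AD2F1837.HPInc.EnergyStar_1.2.0.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)
HP Support Assistant -> C:\Program Files\WindowsApps\AD2F1837.HPSupportAssistant_9.22.14.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.)

myHP -> C:\Program Files\WindowsApps\AD2F1837.myHP_10.52244.7.0_x64__v10z8vjag6ke6 [2022-12-26] (HP Inc.) [Startup Task]
"""

# One listing line: "<display name> -> <install path> [<date>] (<publisher>) [<flag>]..."
LINE_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<publisher>[^)]*)\)(?P<flags>(?: \[[^\]]+\])*)$"
)
# Package folder name: <PublisherId>.<PackageName>_<Version>_<Arch>__<PublisherHash>
FOLDER_RE = re.compile(r"^(?P<pubid>[^.]+)\.(?P<pkg>[^_]+)_(?P<version>[\d.]+)_(?P<arch>[^_]+)__(?P<hash>\w+)$")

@dataclass
class AppxEntry:
    name: str
    publisher: str
    package: str
    version: str
    startup: bool  # True when the line carries a [Startup Task] flag

def parse_packages(listing: str) -> list[AppxEntry]:
    """Parse a 'Packages:' listing; header, separator and blank lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        folder = m.group("path").rsplit("\\", 1)[-1]
        f = FOLDER_RE.match(folder)
        flags = re.findall(r"\[([^\]]+)\]", m.group("flags"))
        entries.append(AppxEntry(
            name=m.group("name"),
            publisher=m.group("publisher"),
            package=f.group("pkg") if f else folder,
            version=f.group("version") if f else "",
            startup="Startup Task" in flags,
        ))
    return entries

def triage(entries: list[AppxEntry], oem_publisher: str = "HP Inc.") -> dict[str, list[str]]:
    """Split one publisher's packages into those that auto-start and those merely installed."""
    oem = [e for e in entries if e.publisher == oem_publisher]
    return {"startup": [e.name for e in oem if e.startup],
            "dormant": [e.name for e in oem if not e.startup]}
```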

 


On 12/27/2022 at 2:27 PM, Porthos said:

You only have the following actual programs installed. No HP software.

The following are Windows Store "Apps". All but one of these are "just there" and not running.

I would go ahead and leave them there. They do not run unless you open them.

The myHP app runs at startup. I would disable it at startup if it were mine. To be honest, if it were mine I would have wiped the computer from a clean Windows disk, but that is not for everyone.

 

Thank you. If there's no HP software, what exactly is HPTouchpoint Analytics and its related stuff (AdwCleaner labels them as spyware)?

On 12/27/2022 at 2:28 PM, Porthos said:

I would suggest removing the following and using 7-Zip instead:

WinRAR 6.20 beta 3

Ignore it, and do not use AdwCleaner to remove the optional pre-installed software; that is the bottom line.

Any particular reason for these?


7 minutes ago, TimeuTroupe said:

Any particular reason for these?

7-Zip is free and will work for any archive file that WinRAR can. WinRAR is a paid program.

11 minutes ago, TimeuTroupe said:

If there's no HP software, what exactly is HPTouchpoint Analytics and its related stuff (AdwCleaner labels them as spyware)?

It is up to you. You can uninstall all of the Windows apps in the list I posted if you wish. If there is an HP printer, do not remove HP Smart.

I am just concerned that using AdwCleaner to remove them has the potential for error.

Let me see the AdwCleaner log if you can.


On 12/29/2022 at 5:19 PM, Porthos said:

7-Zip is free and will work for any archive file that WinRAR can. WinRAR is a paid program.

It is up to you. You can uninstall all of the Windows apps in the list I posted if you wish. If there is an HP printer, do not remove HP Smart.

I am just concerned that using AdwCleaner to remove them has the potential for error.

Let me see the AdwCleaner log if you can.

I've used WinRAR for a long time; it'll nag you to buy the full version, but you can still use it without issues.

I've attached the AdwCleaner log as well.

AdwCleaner ScanResults.txt


33 minutes ago, TimeuTroupe said:

I've attached the AdwCleaner log as well.

 

On 12/29/2022 at 7:01 PM, TimeuTroupe said:

What exactly is HPTouchpoint Analytics and its related stuff (AdwCleaner labels them as spyware)?

The log does not label it as spyware. Just preinstalled. Just because it is preinstalled does not make it spyware.

None of it needs to be there, so if you want, uninstall the apps normally first, then use AdwCleaner to get rid of leftovers. It is up to you.

33 minutes ago, TimeuTroupe said:

I've used WinRAR for a long time; it'll nag you to buy the full version, but you can still use it without issues.

I do not put up with nag-ware if there is something just as good or better to use. That is my only point with that recommendation.

 


Root Admin said:

I use both WinRAR and 7-Zip, as both programs have features the other program does not have. Though I did pay for my copy of WinRAR many years ago, as I was using it so often I felt it was the right thing to do.

 

Other recommendations, since I'm posting:

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following content blockers for your web browsers if you haven't done so already. This will help improve overall security:

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog, https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 
