Jump to content

PUP.Heuristic detects at random times

droplet

By droplet
in Resolved Malware Removal Logs

 Share

Recommended Posts

droplet

droplet

Posted
Posted (edited)

Hello, recently I did a clean reinstall of my pc. I shouldn't have any detections but recetly I got some random ones both from NPE + ADWCleaner. Thing is it's only from them, and nothing else. Last night I got the detecions and this morning they dissappeared and everything came out clean , I still scanned in safe mode + net for hours with various tools and there were 0 detections then after I restarted in the evening I scanned again with NPE+ ADWCleaner the same results showed up. Full system scan with Mbam was clean, everything is clean besides these two. 

ADWCleaner gives me this while NPE is even weirder false flagging what I believe are MB stuff?? Added screenshots in post.

Thank you in advance. 

 

guyguygug.png

dqwdwqdwedwed.png

Edited by AdvancedSetup
Corrected font issues
Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Good day @droplet

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites
droplet

droplet

Posted
  • Author
Posted
1 minute ago, AdvancedSetup said:

ATTENTION: System Restore is disabled (Total:150.73 GB) (Free:77.62 GB) (51%)

I don't see an obvious issue. Perhaps ESET is at time conflicting with other security software?

 

When do you see this?

 

Last night around evening time. And today around the same even after I scanned all day and they didn't show up until it was evening again.Sometime scheduled that hides?  Haven't yet got it during the day. Should I quarantine these items and see if they keep returning? I'm worried it could be something bad not yet caught by anyone, hoping it's a strange false positive. 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Were you using ESET as your main antivirus or as a secondary scanner?

We can do some other scans and see what they find if you like.

Please disable any real-time antivirus temporarily and run the following

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

Link to post
Share on other sites
droplet

droplet

Posted
  • Author
Posted

ESET is my primary and MBAM is my secondary.

Just ran ADWcleaner+ NortonPE (as they were the only ones with detections) again out of curiosity, and the detections disappeared again, but that's not really reassuring me as it seems to pop up during a specific time in the evening and could come back tomorrow. 

Here are the results. 

msert.log

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Okay, please disable ESET again temporarily and run the following. Do not run other programs while it's scanning that can cause potential false positives

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

That looks clean as well.

Perhaps temporarily uninstall ESET

Then use Windows Defender and Malwarebytes together and see if the issue still remains

Open Malwarebytes, click on the small gear icon to get into the Settings.

Then go to the Security tab and turn off Register with the Security Center

image.png

 

Then restart the computer and check how things work now

 

Link to post
Share on other sites
droplet

droplet

Posted
  • Author
Posted

This morning I ran ADWcleaner + Norton again to test and nothing came up again. But it didn't the previous daytime either so that doesn't help much anymore. 

In order to test out the ESET removal advice I'll wait and see if they show up again at the same time this evening, otherwise I won't know if it worked anyway. Yesterday they didn't pop up in safe mode while I was scanning as ESET wasn't active there but right after, they did, still couldn't be sure if that was due to lack of conflict or timing. 

Another detail I remember that worried me, a couple of days ago when I booted up my pc MBAM randomly said it completed a scan of "new downloads"... but I haven't downloaded anything.. my memory is fuzzy but it said it scanned like 100k items ?? I have no trace of this except that now when I scan my scanned objects have jumped from from 400k something to 600k something... I find that worrying as I don't understand what that could be from..  

Link to post
Share on other sites
droplet

droplet

Posted
  • Author
Posted

Last night I did scans non stop with ADWcleaner+NPE around the time frame the detections popped up in the previous nights but this time nothing popped up. Also the detections in both scanners weirdly always popped up together but this time nothing happened. (BTW, when I clicked on show location of the flagged sys files from NPE, it opened the folder but none of those files were there and if I searched for them manually NPE would just close by itself ...)

I wonder if it was a strange false positive event or I had randomly caught something smart acting up and now it knows when to hide/how to hide better and I'm simply not catching it with ADWcleaner in the correct timing...... 

That random scan with the downloads that happened wasn't something I manually started or scheduled , it was those automatic type scans when you download something or plug in a usb.... very weird. I opened my laptop and the window just popped up and started scanning items. I hope it's a glitch.

Anyway currently nothing is showing up with any of the various scanners I'm using, I'll report back if I manage to catch something again. Am I being too cautious/paranoid over that ADWcleaner detection or, considering what is it, am I right to be wary? 

 

Thank you for the help so far 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Okay, thanks for the update.

Please run the following and I'll check back on you later today

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites
droplet

droplet

Posted
  • Author
Posted

Nothing has shown up since with periodic scanning, but today I caught this, only with RK and nothing else. Can't find any info on this. Removed it even though I'm not sure if it was a false positive or not.. but nothing seemed to break on my system. (yet) 

image.png

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

The "FOUND.000" folder is typically created by Windows when it runs a disk check or "chkdsk" operation. This folder contains files that were recovered by the operating system after it encountered errors or corruption on the file system.

When chkdsk runs, it scans the file system for inconsistencies and attempts to repair them. If it finds a file that is damaged or unreadable, it will attempt to recover as much of the data as possible and save it to a new file in the FOUND.000 folder.

The files in the FOUND.000 folder are typically named FILE0000.CHK, FILE0001.CHK, and so on. These files may contain fragments of different original files that were recovered by chkdsk, and they may not have meaningful names or extensions.

It's important to note that the presence of the FOUND.000 folder and its contents can indicate that there are issues with the file system or hard drive, and it's recommended to investigate and resolve any underlying issues.

I would suggest that you run a Hard Drive diagnostic program to ensure the integrity of your hard drive. This could potentially be a sign of impending failure

 

 

If there is nothing else we should be about done here. Please let me know.

Cheers @droplet

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.