Preinstalled.Pokki File detected by ADWCleaner w/ MWB P - Windows 11



So long story short, this is a fresh fully updated install of Windows 11 Home from cleaned drives 3 days ago. Updated ASUS TUF B450-M PLUS-GAMING bios to 4002. Installed AMD Chipset Drivers, Realtek Ethernet and Audio drivers. Malwarebytes Premium. Full hardware protection available via Windows Security: CPU Virtualization & Memory, TPM2.0, Secure Boot. I use Edge with Browser Guard. I've scanned my PC since my fresh install multiple times a day with Windows, MWB, ADWCleaner, and NPE.

During those scans nothing came up.


These results are from a scan immediately after MWB Premium blocked a malicious site for me about 10 mins ago. That block came immediately after I clicked Generate Picture on (website in spoiler):

Spoiler

www.aiimagegenerator.org

***** [ Preinstalled Software ] *****

Deleted       Preinstalled.Pokki   File   C:\Users\username\Desktop\Start Menu.lnk


The file was just a shortcut I created manually with a file path and have already scanned for multiple days. It was to my Start Menu folder in the hidden ProgramData that contains Programs > installed app shortcuts, Windows tools, and the Startup folder.


Blocked outbound connection:

Spoiler

plXXXXXXXX.highrevenuegate.com - 173.233.139.164 - 443 - msedge.exe


I am also concerned about the AMD Chipset Drivers I installed. Afterwards I had a program called DTS for headphones installed, which I got rid of. And I didn't think before leaving everything selected in the installer for the chipset drivers: AMD Ryzen Power Plan, 2 GPUIO thingies (1 driver 1 software?), and 3 others I can't quite remember.


  • AMD GPIO Driver
  • AMD GPIO Driver (for Promontory)
  • something
  • AMD SMBus Driver
  • AMD PSP Driver
  • AMD Ryzen Power Plan

Sorry for the spam, I didn't think I'd remember but found out this should not be the issue.


Hello @spenny and welcome back:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


  • Root Admin

I would simply ignore the detection by AdwCleaner if you made a shortcut yourself.

The logs do not indicate any type of infection, but we can do another scan if you like.


Please run the following ESET Online Scanner and perform a Full Scan.


Click the following link to save the installer for ESET Online Scanner:

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started.
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use.
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue.
  • When prompted for scan type, click on the Full Scan button.
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".
  • Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.


Note: If you do need to do a File Restore from ESET, please follow the directions below.

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner


Please attach the ESET scan log you saved at the end to your next reply.


I think I found the culprit. There was probably a shortcut within the Start Menu folder created by the Windows Store install of a mobile-friendly social app.

I believe this Pokki Preinstalled warning was caused by the Windows Store app Instagram. It was preinstalled on my computer by Windows 11 in the new install/setup screen they made for their bootable install devices.

This screen gives you 5 or so options of what you use your device for, Gaming, Social, Family, etc. and preinstalls I guess all these other apps. I clicked them because I thought it would tailor my system towards gaming not install fing instagram.

I will run that ESET scan and post if something is whack. I think this is a false positive or whatever the term is for file detections.


I meant to add: I had to disable Memory integrity in Windows Security since I got 6 error boxes when first starting ESET: "A driver can't load on this device" "ehdrv.sys".

As well, while waiting and exploring Windows Security, I clicked on the Programs tab in App Exploit protection and noticed many overrides. From what I have researched, these should all be safe. PresentationHost.exe has 6 overrides.

Spoiler

ExtExport.exe - 1 - Mandatory ASLR

ie4uinit.exe - 1 - Mandatory ASLR

ieinstal.exe - 1 - Mandatory ASLR

ielowutil.exe - 1 - Mandatory ASLR

ieUnatt.exe - 1 - Mandatory ASLR

iexplore.exe - 1 - Mandatory ASLR

mscorsvw.exe - 1 - Disable extension points

msfeedssync.exe - 1 - Mandatory ASLR

mshta.exe - 1 - Mandatory ASLR

ngen.exe - 1 - Disable extension points

ngentask.exe - 1 - Disable extension points

PresentationHost.exe - 6 - DEP, Mandatory ASLR, Bottom-up ASLR, SEHOP, Validate heap integrity

PrintDialog.exe - 1 - Disable extension points

runtimebroker.exe - 1 - Disable extension points

SystemSettings.exe - 1 - Disable extension points

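The override list above was read off the Exploit protection GUI. As an added example (not from this thread or from any of the tools discussed in it), the following PowerShell exports the same per-program settings with Get-ProcessMitigation and reports any executable whose override count differs from what the post lists, so a later change stands out. It assumes the export format is a MitigationPolicy root with one AppConfig element per executable, whose child elements are the mitigation groups, and that the baseline below (taken from the post) is what you expect to see.

```powershell
# Added example: compare current per-program Exploit protection overrides
# against the list posted above. Run in an elevated PowerShell on Windows 10/11.

# Baseline copied from the post: executable -> number of override entries.
$expected = @{
    'ExtExport.exe' = 1; 'ie4uinit.exe' = 1; 'ieinstal.exe' = 1; 'ielowutil.exe' = 1
    'ieUnatt.exe' = 1;   'iexplore.exe' = 1; 'mscorsvw.exe' = 1; 'msfeedssync.exe' = 1
    'mshta.exe' = 1;     'ngen.exe' = 1;     'ngentask.exe' = 1; 'PresentationHost.exe' = 6
    'PrintDialog.exe' = 1; 'runtimebroker.exe' = 1; 'SystemSettings.exe' = 1
}

# Export the live configuration to XML (assumption: -RegistryConfigFilePath
# writes a <MitigationPolicy><AppConfig Executable="..."> document).
$xmlPath = Join-Path $env:TEMP 'exploit-protection-export.xml'
Get-ProcessMitigation -RegistryConfigFilePath $xmlPath
[xml]$policy = Get-Content -Path $xmlPath -Raw

# Count the mitigation groups configured per executable. Each child element
# (DEP, ASLR, SEHOP, Heap, ExtensionPoints, ...) is one override group; the GUI
# counts individual toggles, so ASLR can contribute more than one GUI entry.
$current = @{}
foreach ($app in $policy.MitigationPolicy.AppConfig) {
    $groups = @($app.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    $toggles = 0
    foreach ($g in $groups) { $toggles += @($g.Attributes | Where-Object { $_.Value -eq 'true' }).Count }
    $current[$app.Executable] = $toggles
}

# Report executables that are new, gone, or have a different override count.
$names = @($expected.Keys) + @($current.Keys) | Sort-Object -Unique
foreach ($n in $names) {
    $was = $expected[$n]; $now = $current[$n]
    if ($was -ne $now) {
        [pscustomobject]@{ Executable = $n; Posted = $was; Current = $now }
    }
}
```

An empty result means nothing has changed since the list in the post; a new row for an executable you never configured is worth checking in the Exploit protection settings before assuming it is benign.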

  • Root Admin

Please download and run the following Kaspersky Virus Removal Tool 2020, saving it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports, and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".


In the new window, select "Change Parameters".


In the new window, ensure all selection boxes are ticked, then select "OK". The scan should now start...


When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options, change to "Delete", then select "Continue".


When complete, or if nothing was found, select "Close".


Attach the report information as previously instructed...
Thank you

  • Root Admin

Great, that's a good thing. It confirms no issue with active threat found.

Yes, there are often locked files that cannot be opened for scanning, which is normal.


Please run the following:


SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file.
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt


Thank you


  • Root Admin

Great, glad to hear all is well.


Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)


  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin


Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes.


Thanks for the info above. Again, more boops and beeps happened. Two Windows notifications, "Part of this app has been blocked": one for "Malware Scanner" (very informative) and another which I accidentally cleared. I believe I saw KPRM or the other KV..something.

Do you know a way to see cleared/clicked on notifications in Windows 11 other than Event Viewer?

kprm-20230509165708.txt


4:57PM - Event Logs - Code Integrity (IG.exe seems to be related to MWB 4? I want to make sure it's working properly)

Each event is followed by an Event 3089 - Signature information for another event. Match using the Correlation Id.

Spoiler

Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\cmd.exe) attempted to load \Device\HarddiskVolume3\Users\spenc\AppData\Local\Temp\kprm-dosdevtqqpndl.exe that did not meet the Enterprise signing level requirements or violated code integrity policy

Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\cmd.exe) attempted to load \Device\HarddiskVolume3\Users\spenc\AppData\Local\Temp\kprm-dosdevtqqpndl.exe that did not meet the Enterprise signing level requirements.

Code Integrity determined that a process (\Device\HarddiskVolume3\Users\spenc\AppData\LocalLow\IGDump\naycutpefjcdaonhrkmtzwozsgsylvps\ig.exe) attempted to load \Device\HarddiskVolume3\Users\spenc\AppData\LocalLow\IGDump\naycutpefjcdaonhrkmtzwozsgsylvps\dipjzhxyyozpqhsrvqvzpijwfrxqmmvq.ext that did not meet the Enterprise signing level requirements or violated code integrity policy 

Code Integrity determined that a process (\Device\HarddiskVolume3\Users\spenc\AppData\LocalLow\IGDump\naycutpefjcdaonhrkmtzwozsgsylvps\ig.exe) attempted to load \Device\HarddiskVolume3\Users\spenc\AppData\LocalLow\IGDump\naycutpefjcdaonhrkmtzwozsgsylvps\dipjzhxyyozpqhsrvqvzpijwfrxqmmvq.ext 

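The pairing the post describes (each "did not meet the Enterprise signing level requirements" event followed by an Event 3089 that has to be matched on the Correlation Id) can be done from the Code Integrity log directly. The script below is an added example, not from this thread or from Malwarebytes; it assumes the signing-level events are ID 3033 in Microsoft-Windows-CodeIntegrity/Operational, that the Correlation Id shown in Event Viewer is the event's ActivityId, and that 3089 event data carries PublisherName and VerificationError fields.

```powershell
# Added example: pair Code Integrity signing-level events with their Event 3089
# signature records via the shared ActivityId, then flag loads from user temp
# folders, where the kprm-*.exe and IGDump entries in the post were seen.
# Run in an elevated PowerShell; reading this log needs administrator rights.

$log = 'Microsoft-Windows-CodeIntegrity/Operational'
# Assumption: 3033 = "did not meet the Enterprise signing level requirements".
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3033, 3089 } `
                       -ErrorAction SilentlyContinue

# Index every 3089 signature record by its ActivityId (the "Correlation Id").
$sigById = @{}
foreach ($e in ($events | Where-Object { $_.Id -eq 3089 })) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data   # <Data Name="...">value</Data>
    $sigById[[string]$e.ActivityId] = @{
        Publisher = ($data | Where-Object { $_.Name -eq 'PublisherName' }).'#text'
        Error     = ($data | Where-Object { $_.Name -eq 'VerificationError' }).'#text'
    }
}

# Pull the loading process and the loaded file out of the message text quoted
# in the post: "a process (<proc>) attempted to load <file> that ..."
$pattern = 'a process \((?<proc>.+?)\) attempted to load (?<file>.+?) that'
$report = foreach ($e in ($events | Where-Object { $_.Id -eq 3033 })) {
    if ($e.Message -match $pattern) {
        $sig = $sigById[[string]$e.ActivityId]
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Process      = $Matches.proc
            Loaded       = $Matches.file
            Publisher    = $sig.Publisher
            SigError     = $sig.Error
            # Loads from %LOCALAPPDATA%\Temp or LocalLow deserve a closer look;
            # a known publisher with a benign signing-level error is usually a
            # cleanup tool or scanner, an empty publisher is not.
            FromUserTemp = [bool]($Matches.file -match '\\AppData\\(Local\\Temp|LocalLow)\\')
        }
    }
}
$report | Sort-Object Time | Format-Table -AutoSize
```

The Publisher column answers the question the post asks: an ig.exe load that resolves to the Malwarebytes publisher is the scanner working as intended, whereas a user-temp load with no publisher and a verification error is the row to investigate.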

  • 3 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you.
