
PUP.Adware.Heuristic won't quarantine


ljlj


Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

This is only a first step. Download and save a file named Iexplore.exe from here https://www.bleepingcomputer.com/download/rkill/dl/11/

and once the browser has finished the download, can you RUN that from there.

That Iexplore is another name for the tool known as RKILL by Bleepingcomputer. Allow me some time to digest your report. We will do more later.

Link to post

Next actions after the ones above.
Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View → Show → File name extensions

(   2   )


Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.


(   3   )

Please run the following custom script. Read all of this before you start. 

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will remove the 2 registry entries flagged by Adwcleaner. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

Farbar  FRSTENGLISH program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

(   4   )

I would recommend getting  readout reports as to update status of some key apps.


Temporarily disable Microsoft SmartScreen to download the next software below 

 

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe. Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Next,

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.

When all done, you may go back to turn ON the EDGE Smartscreen protection.

Link to post

Hi Maurice,

Thank you for your help. I proceeded to run the scan as instructed with the Fixlist on Monday. Upon the first reboot after the scan, it never booted into Windows. The MBR was corrupted but it wasn't an easy fix, I kept hitting a wall with several errors. I was able to get it up and running tonight, it took pretty much 2 days to fix.

I was able to fix it via an earlier restore point. I'm back to the point before I ran the fix but this time I have created a restore point and have also run the mbst logs. It is attached here in case you need to provide a new FixList as I did have to install all the tools and remove a virus and 1 malware. I am still getting the 2 recurrent PUPs on AdWcleaner.

Some scans show that I am running Windows 10 Pro but in fact I am running Windows 11 Pro.

Please advise as to how I should proceed. 

mbst-grab-results.zip

Link to post

Please run the following custom script.  This is a new, modified run. Read all of this before you start. 

Please Close all open work before you actually do begin this run.

Farbar  FRSTENGLISH program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

Link to post

Maurice,

I ran the fix per your instructions and everything went smoothly until the reboot. It again is stuck not wanting to reboot, this time I did not have to use an external windows image to fix it. I am able to run troubleshooting from within the windows repair dashboard. I have not had any success and didn't want to restore it again. I created a restore point and then I proceeded with the fix. I have extracted the Fixlog.txt and am attaching it here. I have also extracted all the other boot repair logs and attached them here. Let me know how to proceed. At this point I can only go back and restore it as all other options have failed.

Fixlog.txt bcdinfo.txt bootfailure.txt disklayout.txt DISMRepairLogFile.txt SrtTrail.log SrtTrail.txt

Link to post

I take it that you did manage to get into Windows Recovery Mode.  Right ? If possible at this point, can we simply run a new report with FRST64.

Download & save a new copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Go to Downloads folder. RIGHT-click on FRST64 and select Run as Administrator and tap ENTER. And reply YES to allow to proceed.

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.


  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.

NOTES:  Any PUP issue, any issue as far as Adwcleaner, OR any issue as to Block notices...all should be set aside as minor level stuff.
These incidents of a Reboot issue, etc, the hunt for the unforeseen, unseen glitches of the O S need to be at the foremost focus.
Just be sure to let me know if there is at this point a working Windows, and if so, what security applications can be Started.
For example, Malwarebytes or Microsoft Defender antivirus ?

Edited by Maurice Naggar
Link to post

My only options are command prompt to be able to do anything, any other options don't work, it's a vicious cycle where the PC doesn't go into windows, it never starts under any option whether it's safe mode or regular mode. I can keep trying auto repair but in the end I'm back to step one where it will not reboot.

At this point my only option left is to do a system restore, that would take me to the point where I ran FRST64 and before running the fix.

Link to post

I restored it back to before applying the fixlist and ran a new report as you requested. I got the files before rebooting and am attaching them here.

This fix had the same results. I worked on it all night and after much troubleshooting and trying different options. I was unable to reboot into windows. One option was to restore a backup of the registry but that would bring in the infected keys. Either way, there was nothing in the regback directory.

 

 

Fixlog.txt FRST.txt Addition.txt

Link to post

Just a quick note. Please do not re-run any Fixlist.  Let us please have added patience. I will be guiding you along.

One new scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

Link to post

I tried all night to run Housecall with no success. I also tried it in Safe Mode. It just will not complete the process and freezes at some point. The longest I let it run was about 100 minutes but it got stuck on the same file on the 20th minute. I must have tried more than 20 times throughout the night.

I am attaching the 3 files. I never ran a fixlist as instructed. 

Thank you for your continued support.

mbst-grab-results.zip FRST.txt Addition.txt

Link to post

(   1   )

Download and save a file named Iexplore.exe from here https://www.bleepingcomputer.com/download/rkill/dl/11/

and once the browser has finished the download, can you RUN that from there.

That Iexplore is another name for the tool known as RKILL by Bleepingcomputer. 

(   2   )

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

Question: I wonder if you log off and shut down Windows each day when you are finished for the day?

ALSO, How long has Avast Antivirus been installed on this system ?

As I look back on the 1st available FRST report, on 12 August this system did not have Avast installed. I had requested you to not make changes, additions, tweaks, installs on the system without first checking with me. I have to re-emphasize that to you. It is quite possible that Avast has been the source of "silent" complication in that it would have caused interference !!

Edited by Maurice Naggar
Link to post

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
