Malwarebytes Custom Scan found Adware.SpecialSearchOffer (for the 2nd time)


Eno-Scott


During a custom scan with the 'rootkit' option active, Malwarebytes found Adware.SpecialSearchOffer for the second time (the other scan was done on August 18th, always with the same method) in the location: C:\PROGRAMDATA\MALWAREBYTES \MBAMSERVICE\TMP\UPDCENTER.EXE-K.MBAM .
After the detection I set the option to put the malware in quarantine and restarted. After the restart, the quarantine was empty; the Detection History indicated 'STRING-NOT-ADDED' under 'Actions', and the Scan Report said 'Delete on reboot' under 'Actions'.
So I don't understand whether the malware has been removed or not, also considering the fact that it is the second time that I have found it in the same position.
My computer is a desktop with Windows 10 installed and my version of Malwarebytes (free) is 5.1.10.127.

What should I do? In your opinion, has the threat been removed or not?

P.S.: I've already opened a ticket with the assistance for that, but I'd like to have your opinion about it.


  • Staff

Hello,

Thank you for the report and log.

Log is missing some information though so I can't look up the file or anything.
Does this file still exist on your machine?
C:\PROGRAMDATA\MALWAREBYTES \MBAMSERVICE\TMP\UPDCENTER.EXE-K.MBAM

If so, can you zip it and attach it here? Prefer if you can add "infected" as the archive/zip password.

Thanks!


On 9/12/2024 at 8:37 PM, blender said:

Hello, 

Thank you for the report and log. 

Log is missing some information though so I can't look up the file or anything. 
Does this file still exist on your machine? 
C:\PROGRAMDATA\MALWAREBYTES \MBAMSERVICE\TMP\UPDCENTER.EXE-K.MBAM 

If so, can you zip it and attach it here?  Prefer if you can add "infected" as the archive/zip password. 

Thanks! 

I looked for the file in the location where the scan found it, but it is no longer there..
Is there another way I could look for it in C?
Should I perhaps do a search in File Explorer for 'Adware.SpecialSearchOffer' or for 'UPDCENTER.EXE-K.MBAM'?

P.S. : I've opened a ticket with Mbam assistance for that and they've said that is a false positive..your thoughts about that? 

 


2 minutes ago, Eno-Scott said:

I looked for the file in the location where the scan found it, but it is no longer there..
Is there another way I could look for it in C?
Should I perhaps do a search in File Explorer for 'Adware.SpecialSearchOffer' or for 'UPDCENTER.EXE-K.MBAM'?

You are not going to find it since it is a temporary file and was only detected since you have rootkit scanning on.

4 minutes ago, Eno-Scott said:

I've opened a ticket with Mbam assistance for that and they've said that is a false positive..your thoughts about that?

Rootkit scanning is not enabled by default. You may want to disable that unless you think you have a rootkit infection.

Rootkit scanning is really aggressive and does ignore some whitelisting which can result in false positives. 
If you decide to keep rootkit scanning on, just be aware of the possibility of false positives.


  • Staff

Did you previously  have detection for SpecialSearchOffer?
I'm curious if you have a file called updcenter.exe on the pc anywhere.

I just found out that the -k.mbam (and sometimes -u.mbam) is a comparison thing during rootkit scanning. So files are not persistent.

I'm thinking there is a possibility you have updcenter.exe somewhere that was a false positive way back when and we whitelisted it. Quite possible however we whitelisted it, the whitelisting was ignored due to the rootkit scanning being on. (rootkit scanning does ignore some whitelisting stuff so there is always the possibility of false positives - which is why it is off by default.)


23 hours ago, blender said:

Did you previously  have detection for SpecialSearchOffer?
I'm curious if you have a file called updcenter.exe on the pc anywhere.

I just found out that the -k.mbam (and sometimes -u.mbam) is a comparison thing during rootkit scanning. So files are not persistent.

I'm thinking there is a possibility you have updcenter.exe somewhere that was a false positive way back when and we whitelisted it. Quite possible however we whitelisted it, the whitelisting was ignored due to the rootkit scanning being on. (rootkit scanning does ignore some whitelisting stuff so there is always the possibility of false positives - which is why it is off by default.)

Yes, I have already had a result found for this false positive. And I searched for updcenter.exe in File Explorer, finding it in two results associated with my current Bitdefender antivirus.


1 hour ago, blender said:

And those 2 updcenter.exe scan clean without rootkit scanner on?

What do you mean?

How could I verify that?

Are you advising me to perform a scan on these 2 .exe files with MBAM?

In this case, do I have to scan them with the rootkit option enabled or not?

Plus, let me ask a question: I have now uninstalled Bitdefender Total Security from this PC because I had to do a system restore from a saved restore point and the AV was blocking this process (I did that to recover some web searches open in my Opera browser that I was working on, which, I don't know why, suddenly disappeared). So I'm thinking (tell me if it's OK): wouldn't it be useful, for the ticket that I've created here, to perform another custom scan right now with the rootkit option enabled, considering that you've said that this Adware.SpecialSearchOffer is related to these two updcenter.exe files (which by now, I suppose, have been removed from the system, considering that I've used Bitdefender's Uninstall Tool to remove the AV)?

This is to see whether this false positive is still detected or not.

Let me know your thoughts on this!


  • Staff

Ahh ok, since you removed BitDefender, those 2 updater files are likely no longer present. So ... there shouldn't be any detections now.

No biggy.

Since you were able to find those updcenter.exe files in explorer before removing BD, I was hoping to be able to scan them while having 'scan for rootkits' unchecked. (because the rootkit scanner - by ignoring some whitelisting sometimes causes false positives)
I wanted to make sure we were not detecting the updater file(s) while the rootkit scanner was off.
Anyway - should be no longer an issue now that BD is removed.
I'm guessing that they wouldn't be detected without the rootkit scanner, otherwise we'd have several posts about it already since BD is a pretty common AV.

I have not done a system restore for probably more than 10 years... so not sure how it handles stuff in personal folders such as previous browser searches/tabs/etc. That info might be in your history tab.

 


9 hours ago, blender said:

Ahh ok, since you removed BitDefender, those 2 updater files are likely no longer present. So ... there shouldn't be any detections now.

No biggy.

Since you were able to find those updcenter.exe files in explorer before removing BD, I was hoping to be able to scan them while having 'scan for rootkits' unchecked. (because the rootkit scanner - by ignoring some whitelisting sometimes causes false positives)
I wanted to make sure we were not detecting the updater file(s) while the rootkit scanner was off.
Anyway - should be no longer an issue now that BD is removed.
I'm guessing that they wouldn't be detected without the rootkit scanner, otherwise we'd have several posts about it already since BD is a pretty common AV.

I have not done a system restore for probably more than 10 years... so not sure how it handles stuff in personal folders such as previous browser searches/tabs/etc. That info might be in your history tab.

 

I've done a search just to try, and the two updcenter.exe files are still there even after running the Bitdefender Uninstall Tool... Their paths are: "C:\Programmi\Bitdefender" and "C:\Programmi\Bitdefender\Bitdefender Security".

Now I'll perform a "normal" scan with the rootkit option enabled just to do a test.

Anyway, considering that I've used their tool, isn't it strange that these two files are still there? I've also checked the folder "Programmi" and the Bitdefender folder is still there..

By contrast, looking in Windows Settings under Apps there isn't any entry for Bitdefender, and the same goes for Control Panel's Programs and Features.


21 hours ago, Eno-Scott said:

I've done a search just to try, and the two updcenter.exe files are still there even after running the Bitdefender Uninstall Tool... Their paths are: "C:\Programmi\Bitdefender" and "C:\Programmi\Bitdefender\Bitdefender Security".

Now I'll perform a "normal" scan with the rootkit option enabled just to do a test.

Anyway, considering that I've used their tool, isn't it strange that these two files are still there? I've also checked the folder "Programmi" and the Bitdefender folder is still there..

By contrast, looking in Windows Settings under Apps there isn't any entry for Bitdefender, and the same goes for Control Panel's Programs and Features.

The normal scan with the rootkit option enabled hasn't found this false positive. At this point, do I have to try a custom scan again?


  • Staff

Hello,

Sorry for delay. I didn't see the notification of your replies.

Since you scanned again and found nothing, it should be OK.

Not sure why the BitDefender remover tool failed to remove the BitDefender folder under Programmi.
If I had to guess, it was likely looking for "Program Files" but was not coded to understand "Programmi" means "Program Files".
Sometimes too they leave bits behind in case you decide to install again so some settings are left behind there.


4 hours ago, blender said:

Hello,

Sorry for delay. I didn't see the notification of your replies.

Since you scanned again and found nothing, it should be OK.

Not sure why the BitDefender remover tool failed to remove the BitDefender folder under Programmi
If I had to guess, it was likely looking for "Program Files" but was not coded to understand "Programmi" means "Program Files"
Sometimes too they leave bits behind in case you decide to install again so some settings are left behind there.

They've said that is normal.

About the 2 updcenter.exe files, Mbam assistance asked me to scan them with VirusTotal and send them the results.
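
As an added example (not part of the thread and not Malwarebytes or Bitdefender code), one way to triage the leftover updcenter.exe files discussed above before a VirusTotal lookup is to record each file's SHA-256 and Authenticode signature. The search roots and the expectation that the signer subject contains "Bitdefender" are assumptions.

```powershell
# Added example: triage leftover updcenter.exe files before a VirusTotal lookup.
# Assumption: the files live under the Program Files folders of this machine.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

# Assumption: a genuine vendor binary carries the vendor name in its signer subject.
$expectedSigner = 'Bitdefender'

$results = foreach ($file in Get-ChildItem -Path $roots -Filter 'updcenter.exe' `
                                           -Recurse -File -ErrorAction SilentlyContinue) {
    # Verify the embedded Authenticode signature against the local trust store.
    $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path            = $file.FullName
        SHA256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        Signer          = $subject
        LastWritten     = $file.LastWriteTime
        # Flag anything unsigned, tampered with, or signed by an unexpected publisher.
        NeedsReview     = ($sig.Status -ne 'Valid') -or ($subject -notmatch $expectedSigner)
    }
}

if ($results) {
    $results | Sort-Object NeedsReview -Descending | Format-List
} else {
    Write-Output 'No updcenter.exe found under the searched roots.'
}
```

The SHA-256 value can be searched on VirusTotal directly, so a file that is already known there does not need to be uploaded.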
