Superantispyware Status: Active Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bearsound, Mar 27, 2024.

  1. bearsound

    bearsound Private E-2

    Downloaded SuperAntiSpyware yesterday from both MajorGeeks and RealDefense. Both exe files were scanned with VT4Browser and both had "PUA:Win32/Softcnapp". The two exe files were not run, but I was unable to delete the files from Downloads. Ran Windows Defender: "Potentially unwanted app found" for both, took action "Quarantine" for both, but still Status: Active.
    I have run the Farbar Recovery Scan Tool and attached both First and Addition reports.
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the Major Geeks Malware Forum.

    Please allow me some time to review what you have posted.

    However, one point of clarification. Are the files actually gone from the Downloads folder but Windows Defender is "detecting" them or you literally are unable to remove the actual files?
     
  3. bearsound

    bearsound Private E-2

    After running Defender and blocking the two files, the files are no longer in Downloads; Defender shows the two files as blocked but still active.
     
  4. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the clarification and your patience.

    The problem lies with Windows Defender history files rather than the inability to remove malware. Clearing out these history files can be a little complicated because of permissions issues so please be patient while we work through this.

    Let's start with this.

    ===================================================

    Modifying Chrome Notification Settings

    --------------------
    • Launch Chrome. If you can't, skip this step.
    • Copy and paste the below in the address bar then hit Enter
    chrome://settings/content/notifications?search=notification
    • Under Allow examine each entry and for any entry not recognized or not wanted click on the 2 horizontal dots to the right and select Block
    • Confirm the entry was moved under the Block section
    • Close Chrome
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    Powershell: Set-MpPreference -EnableControlledFolderAccess Disabled
    Powershell: Set-MpPreference -DisableRealtimeMonitoring $true
    cmd: del /f /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Detections.log"
    cmd: del /f /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\History.Log"
    cmd: del /f /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log"
    cmd: del /f /s /q "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\00\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\02\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\03\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\04\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\05\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\06\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\07\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\08\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\09\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\10\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\11\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\12\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\13\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\14\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\15\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\16\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\17\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\18\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\19\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\20\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\21\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\22\*
    Powershell: Set-MpPreference -EnableControlledFolderAccess Enabled
    Powershell: Set-MpPreference -DisableRealtimeMonitoring $false
    Powershell: Get-MpThreatDetection
    Task: {132FBF17-BA96-4A46-97E9-C7A8963F0275} - \Optimize Start Menu Cache Files-S-1-5-21-791178245-4102192951-2932335266-500 -> No File <==== ATTENTION 
    Task: {1CDFE966-AA3C-45C8-A965-079F447646B0} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION 
    Task: {1EA8C2B7-DC7C-43C8-88F4-7FCD3C839105} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION 
    Task: {5388B36A-118A-4CE4-930C-2D7CEDF465B5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION 
    Task: {543A853C-DA55-4FE7-A025-56D58084B2DC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION 
    Task: {69D0DA77-71FF-403B-ACD7-2CF15ECDCD0C} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION 
    Task: {8AE28147-2137-4AA4-A925-2EC6E257C238} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION 
    Task: {8F63567F-2BED-4DAA-8E45-C1D981095031} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION 
    Task: {AC06D23E-9F0F-4D8C-B52A-CCD052846DEB} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION 
    Task: {BDFCE7DB-0500-444D-8BF1-CD1CB7BBA045} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION 
    Task: {F3EF2C05-AD7B-4EDC-A4E5-E6580E41FF1B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION 
    Task: {F685F1E6-8253-4FEE-9849-FF72C3365110} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION 
    Task: {FD87D263-6224-4929-B3C3-3247722CA459} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION 
    Task: {EEBB03FD-C4CA-491A-A943-99B3A8EF9540} - System32\Tasks\GlaryUpdate 5 => C:\Program Files (x86)\Glary Utilities 5\CheckUpdate.exe  /schedulestart (No File) 
    Task: {C83D9278-3A69-4EBC-BFFD-962BAD8ED38F} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe  --automatic (No File) 
    Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => %SystemRoot%\System32\AutoWorkplace.exe  join (No File) 
    Task: {BA348972-E5E5-43E4-8979-DF79218C4730} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-791178245-4102192951-2932335266-500 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File) 
    ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File 
    ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File 
    ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File 
    ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File 
    ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File 
    ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File 
    ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File 
    ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File 
    ContextMenuHandlers1: [IObitUnstaler] -> [CC]{836AB26C-2DE4-41D3-AC24-4C6C2699B960} =>  -> No File 
    S3 iobit_monitor_server2021; no ImagePath 
    HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION 
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION 
    HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION 
    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION 
    HKU\S-1-5-21-791178245-4102192951-2932335266-1001\Software\Classes\regfile:  <==== ATTENTION 
    HKU\S-1-5-21-791178245-4102192951-2932335266-1001\Software\Classes\.reg:  =>  <==== ATTENTION 
    HKU\S-1-5-21-791178245-4102192951-2932335266-1001\Software\Classes\.bat:  =>  <==== ATTENTION 
    HKU\S-1-5-21-791178245-4102192951-2932335266-1001\Software\Classes\.cmd:  =>  <==== ATTENTION 
    AlternateDataStreams: C:\ProgramData:EEF49EE5D3688B03 [217] 
    AlternateDataStreams: C:\Users\All Users:EEF49EE5D3688B03 [217] 
    AlternateDataStreams: C:\ProgramData\Application Data:EEF49EE5D3688B03 [217] 
    AlternateDataStreams: C:\ProgramData\PACE:1983ACF19ABADA25 [217] 
    AlternateDataStreams: C:\ProgramData\PACE:95C2A9E314066346 [217] 
    AlternateDataStreams: C:\ProgramData\PACE:D3528FF419F66B92 [217] 
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136] 
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Chrome Notifications reviewed?
    • Fixlog
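    The fix script above deletes Defender's detection-history files and, to get past permission problems, turns real-time monitoring and controlled folder access off and back on around the deletions. The following is an added example, not part of the thread and not a Major Geeks or FRST script, showing the read-only checks a practitioner would run afterwards from an elevated PowerShell prompt: what Defender still lists in its detection history (the store Protection history is built from), the threat names behind those entries, and confirmation that the protections the script toggled are back on. It assumes Windows 10/11 with the built-in Defender PowerShell module. Note that when Tamper Protection is on, Set-MpPreference -DisableRealtimeMonitoring is refused, so the "RealTimeMonitoringOn" value here is the one to verify.

```powershell
# Added example (not from the thread): read-only checks after the Defender history cleanup.
# Assumes Windows 10/11 with the Defender PowerShell module; run from an elevated prompt.

# 1. What Defender still remembers. Each record is one detection-history entry,
#    the same store that the "Protection history" page is rendered from.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                  CurrentThreatExecutionStatusID,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 2. Map the ThreatIDs above to names (e.g. PUA:Win32/Softcnapp) and severity.
Get-MpThreat |
    Select-Object ThreatID, ThreatName, SeverityID, IsActive |
    Format-Table -AutoSize

# 3. Confirm the protections the fix script switched off are back on.
#    EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeMonitoringOn   = -not $pref.DisableRealtimeMonitoring
    RealTimeProtectionOn   = $status.RealTimeProtectionEnabled
    ControlledFolderAccess = $pref.EnableControlledFolderAccess
    TamperProtection       = $status.IsTamperProtected
}
```

    If step 1 still shows the quarantined downloads with a non-zero CurrentThreatExecutionStatusID after the fix, the history store was not fully cleared; if step 3 shows RealTimeMonitoringOn as False, re-run the Set-MpPreference -DisableRealtimeMonitoring $false line from the script before doing anything else.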
     
  5. bearsound

    bearsound Private E-2

    Chrome notifications checked and Fixlog attached
    Note: FRST64 was updated from 25.3.2024.0 to 28.3.2024 before the fix
    Note: MS Defender now does not show at all the previously active files in "Protection history"
    Note: After running FRST64 a new Defender item appeared "Protected memory access blocked: ABService.exe" (needed for AOMEI Backupper) with "Allow" a possible action.
    Note: Forum says Fixlog too large to paste into post, so it is attached
     

    Attached Files:

    Last edited: Mar 28, 2024
  6. Oh My!

    Oh My! Malware Expert Staff Member

    Great to hear.

    You can allow AOMEI Backupper if you wish.

    The Fixlog looks fantastic.

    Let's run one last online scan. Please do this.

    ===================================================

    ESET Online Scanner

    --------------------

    Note: You can expect this process to take a long time, up to several hours or more.
    • Download ESET Free Online Scanner and save it to your Desktop
    • Right click on esetonlinescanner_enu.exe and select Run as administrator
    • NOTE: If the program immediately crashes rename esetonlinescanner_enu.exe to ESET.exe and attempt it again
    • Click Computer Scan
    • Click Full scan
    • Select Enable ESET to detect and quarantine potentially unwanted applications
    • Click Start scan
    • Once completed click View detailed results
    • Review the list of detected items for things you don't want to remove (sometimes Potentially Unwanted Applications)
    • If there are entries you would like to keep click Restore cleaned files
    • Place a check mark in each entry you would like to restore then click Restore files then confirm the action
    • Click Finish
    • Save scan log and save it to your Desktop as ESETScan.txt
    • Click Continue then finally click Close
    • Copy and paste the ESETScan.txt file contents in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • ESET report
     
  7. bearsound

    bearsound Private E-2

    Skipped ahead too fast. I requested the ESET report yesterday by email but have not received it, so a results .png of the almost 8-hour scan is attached. All 17 items have been quarantined; most are Glary related.
     

    Attached Files:

  8. Oh My!

    Oh My! Malware Expert Staff Member

    Nothing of any significance there. Things look good. Are there any remaining questions or concerns you might have before I post some tool/log clean up instructions and other information for you to consider going forward?
     
  9. bearsound

    bearsound Private E-2

    Thank You for the help, and any additional clean up instructions and info appreciated.

    The biggest related problem I have not been able to solve is a periodic "protected folder access denied". I have tried TakeOwnershipPro but usually get "Failed" when using it. I don't recall ever having this problem before switching to Microsoft Defender, and sometimes I resort to first saving into the "Downloads" folder, which never seems to have the save or open problems.
     
  10. Oh My!

    Oh My! Malware Expert Staff Member

    Though it may be a bit complicated to tweak things there are things you can do to Customize controlled folder access.

    Here is our final step and some additional information to consider.

    ===================================================

    KpRm by Kernel-panik

    --------------
    • Download KpRm and save it to your Desktop (see here if you must use Chrome)
    • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
    • Right click on the icon and select Run as administrator
    • Click Yes on the Disclaimer
    • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
    • Click Run
    • Click OK on All operations are completed
    • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
    • You are free to remove any other tools/reports still remaining
    ===================================================

    All Clean!

    --------------

    Your computer is now clean. Please consider this going forward.

    ===================================================

    Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

    Thank you for placing your trust in Major Geeks. It was a pleasure serving you.
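    The "protected folder access denied" problem raised earlier in the thread and the "Customize controlled folder access" pointer above are about Defender's Controlled Folder Access. As an added example, not part of the thread and not a Major Geeks script, the following elevated PowerShell shows how to see which process CFA actually blocked (Defender logs event ID 1123 for a block and 1124 for an audit-only hit in its Operational log), review the current allow list and protected folders, and allow one executable you have positively identified, which is the targeted fix rather than taking ownership of the folder. The executable path is a placeholder and the EventData field names are the ones a typical 1123 event carries; it assumes Windows 10/11 with the Defender PowerShell module.

```powershell
# Added example (not from the thread): diagnose and customize Controlled Folder Access.
# Assumes Windows 10/11 with the Defender PowerShell module; run from an elevated prompt.

# 1. Recent CFA events: 1123 = write blocked, 1124 = audited only.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML. Field names are the
    # ones a typical 1123 event carries; an absent name simply yields a blank.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Process = $data['Process Name']   # the application that was refused
        Path    = $data['Path']           # the protected file or folder it touched
        User    = $data['User']
    }
} | Format-Table -AutoSize

# 2. Current CFA configuration (mode, allow list, protected folders).
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $pref.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
}

# 3. Allow exactly one executable identified from step 1. PLACEHOLDER path:
#    substitute the Process value from the block event you want to permit.
$app = 'C:\Program Files\ExampleVendor\ExampleApp.exe'
if (Test-Path -LiteralPath $app) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $app
}

# 4. If blocks are frequent and unexplained, audit mode records what would be
#    blocked without refusing the write, so the log in step 1 fills in first.
# Set-MpPreference -EnableControlledFolderAccess AuditMode
```

    Allowing an application by path is preferable to disabling CFA or changing folder ownership: the protection stays in force for everything else, and the allow list in step 2 documents exactly which programs have been granted write access to protected folders.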
     
