
Did AdwCleaner clear my MBAM quarantine?


5 replies to this topic

#1 yamaspiel

yamaspiel

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:56 PM

Posted 05 May 2016 - 08:58 PM

Okay, so I detected a few PUP items with MBAM, and had them quarantined. After I did that I downloaded AdwCleaner and ran it, which brought up a few items. AdwCleaner rebooted my system to finish cleaning, but when I opened MBAM a few moments later I noticed the quarantine was empty. Is it possible AdwCleaner wiped the quarantined items in Malwarebytes?





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:56 PM

Posted 05 May 2016 - 09:17 PM

Did you check AdwCleaner's report log?

When AdwCleaner is first run, all report logs, AdwCleaner[SX].txt and AdwCleaner[CX].txt are saved to C:\AdwCleaner. Just open Windows Explorer, navigate to that location and open the AdwCleaner folder.

Alternatively you can press the WINKEY + R keys on the keyboard or click the Start Orb > Run...
In the Open dialog box, type: C:\AdwCleaner
Click OK or press Enter and the folder containing your logs will open.
Open AdwCleaner[CX].txt to view the contents of the log.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 yamaspiel


Posted 05 May 2016 - 09:39 PM

Just went through both the AdwCleaner logs and the initial MBAM scan logs.

AdwCleaner log:

 

# AdwCleaner v5.115 - Logfile created 04/05/2016 at 00:16:03
# Updated 01/05/2016 by Xplode
# Database : 2016-05-01.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# Username : Chris - CHRIS-PC
# Running from : C:\Users\Chris\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\ProgramData\Ask
Folder Found : C:\ProgramData\Application Data\Ask
 
***** [ Files ] *****
 
 
***** [ DLL ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
 
***** [ Web browsers ] *****
 
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : aaaaaiabcopkplhgaedhbloeejhhankf
 
*************************
 
C:\AdwCleaner\AdwCleaner[S1].txt - [2471 bytes] - [04/05/2016 00:16:03]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2544 bytes] ##########
 
 
Then there's the MBAM log that first detected the PUPs:
 
Version: 2.2.1.1043
Malware Database: v2016.05.03.07
Rootkit Database: v2016.04.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Chris
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 336573
Time Elapsed: 8 min, 18 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 3
PUP.Optional.SearchApp, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\aaaaaiabcopkplhgaedhbloeejhhankf, Quarantined, [dea523ae5c3d4de92cac5101ba4a7987], 
PUP.Optional.SearchApp, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\aaaaaiabcopkplhgaedhbloeejhhankf, Quarantined, [98eb05cc77224cea815764ee29db44bc], 
PUP.Optional.ASK, HKU\S-1-5-21-598416371-601505946-2894549161-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{65191A40-0AAD-429C-ABB5-F62ABF5C511A}, Quarantined, [e1a22aa7d1c84ee846c84c6525dfb24e], 
 
Registry Values: 1
PUP.Optional.ASK, HKU\S-1-5-21-598416371-601505946-2894549161-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{65191A40-0AAD-429C-ABB5-F62ABF5C511A}|URL, http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=F7B65A15-17BF-4C88-AD4C-EEE725092745&apn_sauid=8BC822A8-F06C-4544-980C-115CC7C65A7C, Quarantined, [e1a22aa7d1c84ee846c84c6525dfb24e]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.PricePeep, C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.pricepeep.net_0.localstorage-journal, Quarantined, [88fb4a872e6b290d86c57ed0966e55ab], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
I noticed the Chrome extension appears in both scans.

 



#4 quietman7


Posted 06 May 2016 - 07:00 AM

The logs answer your topic question....AdwCleaner did not clear MBAM's quarantine.

As for the Chrome extension, AdwCleaner detected it in the AppData\Local\Google\Chrome\User Data\Default\Secure Preferences folder while Malwarebytes detected a related registry key.

#5 yamaspiel


Posted 06 May 2016 - 10:44 AM

Well now I'm curious as to where those quarantined items went; I don't recall deleting them.

#6 quietman7


Posted 06 May 2016 - 02:38 PM

You could have accidentally removed them without realizing it...I have seen it happen before.

Typically when a security tool finds and removes items in another security tool's quarantine, they show in their logs to include the full path where found.
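The two log checks discussed in this thread, as an added example (not code from any poster or from either vendor): it tests whether any path AdwCleaner reported lies inside the other tool's quarantine folder, and finds Chrome extension IDs that both logs mention. The quarantine path and the "Deleted" keyword for cleaning logs are assumptions; the log excerpts are trimmed from the posts above.

```python
import re

# Assumed default MBAM 2.x quarantine folder (not stated in the thread); verify locally.
ASSUMED_QUARANTINE = r"C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Quarantine"

# Excerpts of the two logs posted in this thread, trimmed for the example.
ADW_LOG = r"""
***** [ Folders ] *****
Folder Found : C:\ProgramData\Ask
Folder Found : C:\ProgramData\Application Data\Ask
***** [ Web browsers ] *****
[C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : aaaaaiabcopkplhgaedhbloeejhhankf
"""
MBAM_LOG = r"""
Registry Keys: 3
PUP.Optional.SearchApp, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\aaaaaiabcopkplhgaedhbloeejhhankf, Quarantined, [dea523ae5c3d4de92cac5101ba4a7987],
Files: 1
PUP.Optional.PricePeep, C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.pricepeep.net_0.localstorage-journal, Quarantined, [88fb4a872e6b290d86c57ed0966e55ab],
"""

# "Deleted" as the cleaning-log verb is an assumption; only "Found" appears in the thread.
ITEM = re.compile(r"^(?P<what>.*?)\s*(?:Found|Deleted)\s*:\s*(?P<value>.+)$", re.I)
MBAM = re.compile(r"^([\w.]+), (.+), (\w+), \[[0-9a-f]{32}\]")
EXT_ID = re.compile(r"\b[a-p]{32}\b")  # Chrome extension IDs use only letters a-p

def adw_items(log):
    """Yield (what, value) for every 'Found'/'Deleted' line of an AdwCleaner log."""
    for line in log.splitlines():
        m = ITEM.match(line.strip())
        if m:
            yield m.group("what"), m.group("value").strip()

def quarantine_hits(log, quarantine_dir=ASSUMED_QUARANTINE):
    """Paths AdwCleaner reported that lie inside the other tool's quarantine."""
    root = quarantine_dir.rstrip("\\").lower() + "\\"
    hits = []
    for what, value in adw_items(log):
        for path in [value] + re.findall(r"\[([A-Za-z]:\\[^\]]+)\]", what):
            if (path.lower() + "\\").startswith(root):
                hits.append(path)
    return hits

def mbam_quarantined(log):
    """(detection, location) pairs that MBAM logged as Quarantined."""
    rows = (MBAM.match(l.strip()) for l in log.splitlines())
    return [(m.group(1), m.group(2)) for m in rows if m and m.group(3) == "Quarantined"]

def shared_extension_ids(adw_log, mbam_log):
    """Chrome extension IDs that both tools reported."""
    return sorted(set(EXT_ID.findall(adw_log)) & set(EXT_ID.findall(mbam_log)))
```

An empty result from `quarantine_hits` on every AdwCleaner[SX].txt and AdwCleaner[CX].txt in C:\AdwCleaner means the tool logged nothing inside the quarantine folder it was given.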



