
AdwCleaner detecting Driver Setup Utility as PUP--not sure I should remove


This topic is locked
30 replies to this topic

#1 Knat

  • Members
  • 52 posts

Posted 11 September 2017 - 05:50 AM

Here's the log:

(also, is it normal to have a defaultuser0 with app data?)

 

# AdwCleaner 7.0.2.1 - Logfile created on Mon Sep 11 09:41:38 2017
# Updated on 2017/29/08 by Malwarebytes
# Database: 09-08-2017.1
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Users\defaultuser0\AppData\Local\Host App Service
PUP.Optional.Legacy, C:\ProgramData\DriverSetupUtility
PUP.Optional.Legacy, C:\ProgramData\Application Data\DriverSetupUtility
PUP.Optional.Legacy, C:\Program Files\DriverSetupUtility
PUP.Optional.Legacy, C:\Users\All Users\DriverSetupUtility


***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\OverlayIcon.DLL


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [1181 B] - [2017/9/11 8:49:18]
C:/AdwCleaner/AdwCleaner[S0].txt - [2055 B] - [2017/9/11 8:48:0]


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########





#2 nasdaq

  • Malware Response Team
  • 38,977 posts
  • Location:Montreal, QC. Canada

Posted 11 September 2017 - 08:45 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Read about it.

What is a Potentially Unwanted Program, or PUP?

https://www.howtogeek.com/232791/pups-explained-what-is-a-potentially-unwanted-program/

Decide if you want to keep it.


If you have any problems with this computer I suggest you run the scanning program and post the logs for my review.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click Attach this file.
Click the Add reply button.
===

#3 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 11 September 2017 - 08:22 PM

FRST logs

 

In case it needs explanation, I just had my device repaired. For some reason it came back with a profile set up, named ACER. I could understand this if they'd updated Windows but they had not, so I can't really think of any reason for sending it back like that. I made a new admin profile and deleted the ACER one. I also made a new non-admin profile (as some security experts advise not to use admin for day-to-day use). There still seem to be too many profiles. I have connected to only 1 network (at home), and am not running a VPN.

Attached Files



#4 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 11 September 2017 - 08:31 PM

Also, hi, and thanks for the reply.

 

Regarding the AdwCleaner result, maybe I can explain better. I know what PUP is, but "Driver Setup Utility" is published by Acer. I want to know how I can tell if they are a false positive by AdwCleaner and are actually something needed, or if they are bloatware loaded by Acer. This machine is loading Amazon, Priceline, and eBay apps that I do not want or need and can't seem to fully uninstall, as well as pokki start menu PUP (but that's by Sweetlabs--but I can't fully get rid of it, either).

 

Besides the fairly useless label of Acer Driver Setup Utility, these items are labelled stuff like {7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}. I don't really know how to tell what that refers to. I'm aware that there's a repository of installation packages probably in a hidden folder somewhere, but not sure that finding that hidden folder would enable me to match these long strings of numbers to identify anything.

 

thanks
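
The long hex strings in the AdwCleaner log are easier to read than they look. The script below is an added example (my own code, not AdwCleaner's, Malwarebytes' or Acer's): it parses the `[Registry]` lines copied from the log above and shows that the 32-character names under the `Installer\Products`, `Installer\Features` and `Installer\UserData\<SID>\Products` keys are the Windows Installer "packed" form of the `{GUID}` product code that names the matching `CurrentVersion\Uninstall` key, so four of the seven entries refer to one installed product. The helper names are mine; the sample input is the log's own registry section.

```python
r"""Make sense of the [Registry] section of an AdwCleaner scan log.

Added example (not AdwCleaner's or Malwarebytes' code): parse the detection
lines, then tie the 32-character "packed" product codes under the
Installer\Products and Installer\UserData\<SID>\Products keys back to the
{GUID} product code that names the matching CurrentVersion\Uninstall key.
"""
import re

# Constructed sample input: the registry lines from the scan log posted above.
ADWCLEANER_REGISTRY_LINES = r"""
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\OverlayIcon.DLL
"""

# "<detection>, [<kind>] - <registry path>"
DETECTION_RE = re.compile(r"^(?P<detection>[^,]+), \[(?P<kind>[^\]]+)\] - (?P<path>.+)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PACKED_RE = re.compile(r"\\([0-9A-F]{32})$", re.I)


def parse_registry_lines(text):
    """Return one dict per detection line: detection name, item kind, registry path."""
    entries = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def _swap_pairs(s):
    # Reverse each two-character (byte) chunk: "9CDC" -> "C9CD".
    return "".join(s[i:i + 2][::-1] for i in range(0, len(s), 2))


def pack_product_code(guid):
    """{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6} -> A38C15B2D5649AE4C9CDE19DE50DA96C

    Windows Installer stores a product code with the first three GUID groups
    reversed whole and the last two groups reversed byte by byte."""
    parts = guid.strip("{}").upper().split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError("not a GUID: %r" % guid)
    return "".join(p[::-1] for p in parts[:3]) + _swap_pairs(parts[3]) + _swap_pairs(parts[4])


def unpack_product_code(packed):
    """Inverse of pack_product_code: 32 hex characters -> {GUID}."""
    p = packed.upper()
    if len(p) != 32:
        raise ValueError("packed product code must be 32 hex characters")
    groups = [p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
              _swap_pairs(p[16:20]), _swap_pairs(p[20:32])]
    return "{%s}" % "-".join(groups)


def group_by_product(entries):
    """Map each product code {GUID} to every path in the log that refers to it,
    whether written as a GUID (Uninstall key) or packed (Installer keys).
    Paths that carry no product code (COM interface, type library, AppID
    registrations) are returned under the key None."""
    products = {}
    for e in entries:
        path = e["path"]
        packed = PACKED_RE.search(path)
        guid = GUID_RE.search(path) if "\\Uninstall\\" in path else None
        if packed:
            code = unpack_product_code(packed.group(1))
        elif guid:
            code = guid.group(0).upper()
        else:
            code = None
        products.setdefault(code, []).append(path)
    return products


if __name__ == "__main__":
    grouped = group_by_product(parse_registry_lines(ADWCLEANER_REGISTRY_LINES))
    for code, paths in grouped.items():
        print(code or "(no product code: COM/AppID registration)")
        for p in paths:
            print("   ", p)
```

On the live machine, the `DisplayName` value under the `Uninstall\{GUID}` key is what names the product in plain English; the script only establishes which log lines belong to the same product, which is the step the thread is missing. The three `Classes\Interface`, `Classes\TypeLib` and `Classes\AppID` entries are COM registrations and carry no product code, so they are grouped separately.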



#5 nasdaq

  • Malware Response Team
  • 38,977 posts
  • Location:Montreal, QC. Canada

Posted 12 September 2017 - 08:21 AM

Hi,

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
App Explorer (HKU\S-1-5-21-1909323635-36500911-2540057073-1002\...\Host App Service) (Version: 0.272.1.295 - SweetLabs)
App Explorer (HKU\S-1-5-21-1909323635-36500911-2540057073-1003\...\Host App Service) (Version: 0.272.1.295 - SweetLabs)
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  No File
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
U0 Aliide; no ImagePath
U0 Amdide; no ImagePath
U0 Cmdide; no ImagePath
S3 GPU-Z; \??\C:\Users\Acer\AppData\Local\Temp\GPU-Z.sys [X] <==== ATTENTION
U0 msahci; no ImagePath
U0 viaide; no ImagePath
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

Task: {C0713001-B8D2-4B37-8182-13B1B5035186} - System32\Tasks\AmazonAssistantHelper => C:\ProgramData\OEM\Transactional\amazonx@hermes\AmazonX.exe [2017-08-02] ()
C:\Windows\System32\Tasks\AmazonAssistantHelper
C:\ProgramData\OEM\Transactional\amazonx@hermes
FF Extension: (Amazon Assistant for Firefox) - C:\Users\Mica\AppData\Roaming\Mozilla\Firefox\Profiles\hac03oi7.default\Extensions\abb-acer@amazon.com [2017-09-11]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

P.S.
 

Regarding the AdwCleaner result, maybe I can explain better. I know what PUP is, but "Driver Setup Utility" is published by Acer. I want to know how I can tell if they are a false positive by AdwCleaner and are actually something needed, or if they are bloatware loaded by Acer.


Driver setup Utility is bloatware by Acer.

Run the AdwCleaner and remove all the entries listed.

===

Please let me know what problem persists with this computer.

#6 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 12 September 2017 - 09:12 PM

Ok, done the AdwCleaner and Fixlist, but results not as desired. Screenshot and logs attached.

 

App Explorer cannot be removed via add/remove programs.

 

Had issues connecting to my router during this process (connected but no internet). Sigh.

Attached Files



#7 nasdaq

  • Malware Response Team
  • 38,977 posts
  • Location:Montreal, QC. Canada

Posted 13 September 2017 - 08:30 AM

Hi,

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
App Explorer;S-1-5-21-1909323635-36500911-2540057073-1002
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;
p.s.
Is your internet connection restored?

#8 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 14 September 2017 - 01:30 AM

Hi, here is the result of the registry scan.

    p.s.
    Is your internet connection restored?

Yes, it works now, but I tend to be a bit concerned when it does anything weird since I have had issues in the past. I thought I had it fixed now. May have been caused by another machine on the network. The other machine is unplugged now. One problem at a time.

    Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;

ps, this happened the first time I ran the tool, but not this time

Thanks.

Attached Files


Edited by Knat, 14 September 2017 - 01:32 AM.


#9 nasdaq

  • Malware Response Team
  • 38,977 posts
  • Location:Montreal, QC. Canada

Posted 14 September 2017 - 07:59 AM

Hi,


Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1000\Software\Host App Service\Sideload\Apps]
[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service]
[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1002\Software\Host App Service\Sideload\Apps]
[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1002\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service]
[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Host App Service\Sideload\Apps]
[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{BBF1B1A8-138F-4D5D-9DB9-9AD914636327}\RecentItems]
[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service]


Restart the computer when completed.

You can delete the fixme.reg file when done.

Let me know what problem persists.

#10 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 17 September 2017 - 04:21 AM

Hi, thanks.

 

Those instructions worked great and after that I was able to delete Driver Setup Utility and the delete completed. I think that is the first time I have ever edited a registry, but your directions were clear. Then I put my laptop in suspend and left to take care of some other things.

 

Able to reply today. Remaining problems include: I still have App Explorer (sweetlabs). I have not used the PC to see how it is working, but I noticed that my browser preferences have reset (Firefox offers to save passwords, for instance, when I had this disabled: I have had trouble logging in here with Edge). I am still concerned about having too many profiles.



#11 nasdaq

  • Malware Response Team
  • 38,977 posts
  • Location:Montreal, QC. Canada

Posted 17 September 2017 - 08:58 AM


Hi,

Repeat the Farbar Search, but this time look for App Explorer. I may have missed one registry entry.

===

I have had trouble logging in here with Edge.

Reset your Internet Explorer.
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/
Reset your computer when completed.

If the problem persists it may be that you will have to delete the cookies associated with this site.

===

As for the current profiles you can remove/delete this one defaultuser0
How to.
https://superuser.com/questions/1152792/what-is-defaultuser0-and-is-it-safe-to-delete

Keep me posted

#12 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 17 September 2017 - 06:25 PM

hi,

 

Ok thanks, I am working on those things... and the security zone settings in my Internet Options have changed again. The Internet setting is still where I left it (default of medium high with protected mode on) but "local intranet" (I have none!) is set to custom settings (just now it defines local intranet as "local sites not listed in other zones, sites that bypass the proxy server, and network paths"), Trusted sites has returned to medium (I don't really have any so I set it to the same as Internet), and Protected Mode has come back off for intranet and trusted. This is something I have to change regularly and I don't understand why. I leave them all the same as Internet, as I don't have anything I would want in intranet or trusted sites.

 

After resetting IE, local intranet was at medium low and with no protected mode. I have no idea where it picks up custom settings. Trusted sites was at medium but with protected mode enabled.

 

I turned off auto-detect under LAN in the Connections tab of Internet Properties.

 

Edge is set to delete cookies and caches, every time I close it. It appears to be still set this way, at least in this profile.

 

I also have Windows Credentials for an SSO_POP_Device. I am not using any mail on this machine, nor have signed in to any MS service at all. It claims to have been modified today.



#13 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 17 September 2017 - 06:58 PM

Here is the FRST search log.

 

I cannot delete defaultuser0 by either of those means. It does not show up under Control Panel or account creation/management windows, run as administrator does not show up as an option under right-click for Control Panel (though I am using an admin account just at the moment), and my PC did not come with any installation media. In the past when I attempted to make a backup thumbdrive for my previous PC even though I was coached by a manufacturer rep (online instructions were for CD, which my laptop didn't have: neither does my new one), it failed to be usable when I needed it.

 

Here is one place I can see the various existing accounts:

Administrator (marked disabled)

[my created standard account]

DefaultAccount (marked disabled)

defaultuser0 (marked disabled)

Guest (marked disabled)

LOCAL SERVICE

[my created admin account]

NETWORK SERVICE

 

The ones not in all caps exist in a folder named the same as my computer name. The ones in all caps are not labeled as to what folder they are in.

 

The services I checked are running under specified credentials of an unnamed account with a specified password. (Not, say, "local system account"). Not sure what is usual.

Attached Files



#14 nasdaq

  • Malware Response Team
  • 38,977 posts
  • Location:Montreal, QC. Canada

Posted 18 September 2017 - 06:37 AM




Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Host App Service\Sideload\Apps]
"App Explorer"=-
[HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{BBF1B1A8-138F-4D5D-9DB9-9AD914636327}\RecentItems\{7C5998F2-F8DC-4C62-8BF9-03F9A8235B17}]
"Path"=-
[HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{BBF1B1A8-138F-4D5D-9DB9-9AD914636327}\RecentItems\{7C5998F2-F8DC-4C62-8BF9-03F9A8235B17}]
"DisplayName"=-
[HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service]
"DisplayName"=-
[HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service]
"DisplayIcon"=-

Restart the computer when completed.

You can delete the fixme.reg file when done.
===

    security zone settings in my Internet Options have changed again

Can this article be of any help on this issue?
https://support.microsoft.com/en-ca/help/17479/windows-internet-explorer-11-change-security-privacy-settings
===

    I cannot delete defaultuser0 by either of those means.

There are 3 methods suggested on the article I provided.
If none of them work then I cannot help you on this issue.
---

I suggest you start a new topic in the Windows 10 Forum.
https://www.bleepingcomputer.com/forums/f/229/windows-10-support/

An expert with this operating system should be able to help you better than I can.
It's not malware and not my forte.

===

I will leave this topic open for 6 days. If you need to return please do.
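
Both fixme.reg files in this thread rely on two pieces of .reg syntax: a key line written as `[-KEY]` deletes the whole key, and a value line written as `"name"=-` deletes one value under the most recent `[KEY]` line. Before merging a file like that it is worth knowing exactly what it will remove and whether every line is well formed. The script below is an added example (my own code, not regedit's and not part of the thread): it dry-runs a .reg file's text, lists the keys and values a merge would delete or write, and flags a key line missing its closing `]`, a root that is not a full `HKEY_*` name, or a value line that sits outside any `[KEY]` section. The sample .reg is constructed after the ones above, with its second key line deliberately left unterminated to show what the check reports.

```python
"""Dry-run review of a .reg file before merging it.

Added example (my own code, not regedit's and not the thread's tooling).
Given the text of a file like the fixme.reg posted above, list exactly which
keys and values a merge would delete or write, and report lines that would
not be applied cleanly.
"""
import re

# Constructed sample, modelled on the fixme.reg files in this thread.  The
# second key line is deliberately left without its closing ']' to show what
# the check reports.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Host App Service\Sideload\Apps]
[-HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{BBF1B1A8-138F-4D5D-9DB9-9AD914636327}\RecentItems
[HKEY_USERS\S-1-5-21-1909323635-36500911-2540057073-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service]
"DisplayName"=-
"DisplayIcon"=-
"""

REG_HEADER = "Windows Registry Editor Version 5.00"
# .reg files need the full root names; abbreviations such as HKLM are not accepted.
ROOT_KEYS = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
             "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "name"=data  or  @=data (the default value); data of "-" means delete.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return (actions, problems).

    actions:  (operation, key, value_name) tuples in file order; operation is
              delete_key, open_key (created if absent), delete_value or set_value.
    problems: (line_number, line_text, reason) for lines a merge would not apply."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("first line must be %r" % REG_HEADER)
    actions, problems = [], []
    current_key = None
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            if not m:
                problems.append((number, line, "key line is not closed with ']'"))
                current_key = None
                continue
            minus, key = m.groups()
            root = key.split("\\", 1)[0]
            if root not in ROOT_KEYS:
                problems.append((number, line, "root %r is not a full HKEY_* name" % root))
                current_key = None
                continue
            if minus:
                actions.append(("delete_key", key, None))
                current_key = None                # values after a deletion make no sense
            else:
                actions.append(("open_key", key, None))
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if not m:
            problems.append((number, line, 'not a [key] or "name"=data line'))
            continue
        if current_key is None:
            problems.append((number, line, "value line outside any [key] section"))
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        op = "delete_value" if m.group(2).strip() == "-" else "set_value"
        actions.append((op, current_key, name))
    return actions, problems


def summarize(text):
    """Counts a reviewer can check at a glance before merging."""
    actions, problems = parse_reg(text)
    counts = {"delete_key": 0, "open_key": 0, "delete_value": 0, "set_value": 0}
    for op, _, _ in actions:
        counts[op] += 1
    counts["problems"] = len(problems)
    return counts


if __name__ == "__main__":
    actions, problems = parse_reg(SAMPLE_REG)
    for op, key, name in actions:
        print("%-12s %s%s" % (op, key, ("  ->  " + name) if name else ""))
    for number, line, reason in problems:
        print("line %d: %s\n    %s" % (number, reason, line))
```

Run against the sample, the script reports one key deletion, one key opened, two value deletions, and one problem at line 4 (the unterminated `RecentItems` key), which is exactly the kind of line that would otherwise go unnoticed until the merge fails or silently skips it.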

#15 Knat

  • Topic Starter
  • Members
  • 52 posts

Posted 20 September 2017 - 08:33 AM

hi,

    I will leave this topic open for 6 days. If you need to return please do.

Thanks. :) Non-computer things are taking up a lot of space right now.

    There are 3 methods suggested on the article I provided.
    If none of them work then I cannot help you on this issue.

I found the third way. It appeared to work.

    Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files". Once you have saved, right-click the .reg file and allow it to merge with the registry.

    Windows Registry Editor Version 5.00

I did that; thanks.

I restarted Windows. AdwCleaner says it's still there (although it's still unable to clean).

    I suggest you start a new topic in the Windows 10 Forum.
    https://www.bleepingcomputer.com/forums/f/229/windows-10-support/

    An expert with this operating system should be able to help you better than I can.
    It's not malware and not my forte.

Start a new post for the issue of my Internet Options settings sometimes changing by themselves--and to something that was not a default setting at all?

 

Ok, new business:

 

I think I clicked a suspicious link recently.

 

Comments on FRST logs about things that might be benign in general, but I don't see any reason to be on my PC in particular:

 

I don't use RA at all.

2017-09-11 00:43 - 2017-09-11 17:38 - 000000000 ____D C:\Program Files\rempl

 

 

why would I need an application virtualization handler? My PC is not managed remotely. Maybe there is something I don't understand about virtualization, but everything I can read about it has to do with loading software from somewhere else (or creating a virtual machine, maybe, but that's not something I would be trying to do at the present time)
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

I haven't played any Lucas Arts games as far as I can tell. Definitely not on the 11th.
2017-09-11 20:53 - 2017-09-11 20:53 - 000000000 ____H () C:\ProgramData\DP45977C.lfl

 

There seem to be some XP files, but this PC was bought as a Windows 10 PC. Seems too new for XP. Unless they are needed for my game??

 

I don't use a debugging program

2017-09-13 23:09 - 2017-09-13 23:09 - 000000000 ____D C:\Users\[admin]\AppData\Local\DBG
2017-09-12 21:15 - 2017-09-12 21:15 - 000000000 ____D C:\Users\[standard]\AppData\Local\DBG

 

 

There may be more but those were some of the things I noticed, that might "look fine", but don't seem to be related to anything I have done myself, on this PC. If I need to move that to the other forum, I can.

 

Thanks.

Attached Files


Edited by Knat, 20 September 2017 - 08:35 AM.




