This morning I checked the SOA Scan Log (see attached image). It found:

\AppData\Roaming\DigitalSites\UpdateProc\UpdateTask.exe

three times on a single computer.

Web info on this is unclear but MalwareBytes calls it a PUP and provides some explanation of what it does.

This is another case of SOA somehow collecting Scan Log information without any “scheduled scan” turned on.

But not only that, I went to the machine in question and did the following:

Ran MalwareBytes on the user’s \AppData.… folder. It found the issue and I told it to remove it. MalwareBytes claimed to have removed it and asked me to reboot. When I did so, the same folders and files were still there in the \AppData\ folder.

So then I manually scanned the user’s \AppData.… folder with Avast. It found “no threat”.

What is going on here?

Thanks.

You need to delete the entire digital sites folder as there is still adware contained within that, it may also have created a windows task to re-install itself. As for the detection it may have been by file shield as it was trying to install

MBAM only removes the offending file and not the entire folder

Thank you.

Yes, I deleted the entire folder structure, and restarted and verified that it was not restored.

However, MBAM didn’t appear to have actually deleted any files from those folders. Strange.

And… I expect Shields to report findings in the Shield Log, not the Scan Log. I expect only scheduled or manual scans to report findings in the Scan Log.

I use AIS so I do not have any real knowledge about the business version and how scans are ordered or formatted, mayhap a webshield/fileshield detection will trigger a scan