Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: bookend on March 24, 2012, 04:47:51 AM
-
First post. I already typed a post more than hour ago, which doesn't seem to gop through. I tried again and it said I already posted message, but I don't see it. I also have trouble reading the scrunched up verification words and have to type several times to get right. I ran Avast free scan and it said I have MBR: Alureon-k [rlk] Physical drive0\partition 2. I have 2 drives -one is never used. The scan result said I can "Repair, or move to chest or delete" - Repair says "Repair action postponed till next reboot. "Move to chest says "Error: Request not supported (50). Only other choice is "delete". I don't know if I should delete. How can I get rid of a MBR virus?
-
You might have received a quicker response if you posted in the correct area of the forum under Virsus/Worms section, however we can still help you here. The best option is to always put things in the Virus Chest where it is safe from other parts of your machine. If you delete it, it may contain vital files needed for your machine to work.
Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0).
Follow the directions of obtaining an MBAM log (make sure you update MBAM first) and the OTS logs (save them as ANSI), and aswMBR log. Post the logs as an attachment (Additional Options > Attach > Post).
I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.
Please do not make any further changes to your machine after you have provided the logs.
IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you do to malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.
Let us know if you have any questions. Thank you.
Essexboy has been notified.
-
Hi I will also need the aswMBR log
-
To SafeSurf and Essex Boy, thank you both for your replies, but I don't know enough about logs or other things you ask me for. I've had a computer for many years, but only a few viruses and was able to find a removal tool from a virus site to remove the virus. I don't know what an MBAM log is, how to update it, or how to attach it to upload it. To Essex boy - I don't know what an aswMBR log is or where to find it. I am not even familiar yet with navigating this site and didn't know where the worms and virus section was.. Maybe I'll come back when I know more about what these logs are, where to find them and how to send them. Thank you for your replies.
-
you find it in the link that safe surf posted
here it is again http://forum.avast.com/index.php?topic=53253.0
-
you find it in the link that safe surf posted
here it is again http://forum.avast.com/index.php?topic=53253.0
I will read the link above more closely. It's confusing as I don't know anything about the files mentioned in the link. I've had a few viruses but not for a long time and they were easier to get rid of. I saw a thread where Marcifo(sp had/has the same virus/trojan I have and Essex replied to him. I checked discmgment as Essex suggested to Marcifo and it shows Drive C and D and I (DVDrom) but at top of the lists is "1 MB Basic (healthy) unknown Partition" - its the only partition which has a "delete" choice. It has no drive letter. Maybe its part of C drive. C and D partitions are on the same hard drive and both have Win XP Pro on them. My other hard drive is not used. I will see if I can figure out the above link. Thanks Pondus.
-
Checking in to see if you have any questions that we can help you with to assist you in getting us those logs so we can get rid of the malware. It's normal to be overwhelmed and confused, so feel free to ask questions. Please update us when you can. Thanks.
-
Could you post a screen shot of the disc managemnet as I feel the 1MB partition is the malware part
-
Checking in to see if you have any questions that we can help you with to assist you in getting us those logs so we can get rid of the malware. It's normal to be overwhelmed and confused, so feel free to ask questions. Please update us when you can. Thanks.
SafeSurf -Thanks for your post. I am still studying about logs. I did a print screen as a .jpg of my discmanagement page as Essex has asked in his post right after yours.
I don't do print screens or check discmanagement very often so hope I did it right. I now have to figure out how to attach the jpg to my the post Essex sent me.
-
Could you post a screen shot of the disc managemnet as I feel the 1MB partition is the malware part
Hi Essex: I went to disc management in Control panel (long way around but same thing). I printed screen to Paint in .bmp form, then changed it to .jpg. I wondered about that 1 MB part as I don't remember it always being there,but can't remember. Its only the last week or two I got the MBR virus on a virus scan. You will notice my D drive is my boot drive. I meant to use C as the boot drive and put another OS on D drive, but things got mixed u p after formatting, and didn't turn out right. The D drive being boot has worked OK for past year till I get around to fixing the drives to make C the boot drive, but haven't done so yet. BTW, I can't get the part on the right side of C:\ part in disc management to show fully. I use 800X600 but even changing to higher res. it still didn't show up. Now I will see if I can figure out how to attach the jpg to your site.
-
Could you post a screen shot of the disc managemnet as I feel the 1MB partition is the malware part
Essex, I just sent you a post and thought I sent you an attachment of a print screen of disc management. I don't think it went through right as I didn't say something like "attachment uploaded". I pressed alt+s as it says at the bottom but that didn't seem to work. Now I will try clicking on "Attachments and other options" and will browse to my folder and attach the .jpg file and hope you get it this time.
BTW, when I come to the forum and want to find my original post, I keep having to go down the whole list to find my original post to remind myself what was said where there are no Unread posts for example? Thanks.
-
Could you post a screen shot of the disc managemnet as I feel the 1MB partition is the malware part
Hi again Essex, looks like my .jpg of discmanagement got uploaded last with my last message, but not with the first one. But the attachment I sent doesn't show a small part of the right side of disc management for some reason. A little more showed up on the right side on my .jpg including the vertical line on the right side of the C:\ drive area which starts " 1MB " but the rest is missing on the right side. But maybe it is enough info for your purposes (I hope).
-
Hi bookend,
Thank you for your post. I think the screenshot should be enough. We'll wait for Essexboy to respond. He should be back on the forum late UK time zone. So wait for further instruction. Thank you.
-
OK that is a bad partition
Could you go to disc management again
Right click that partition and select delete
Then
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
OK that is a bad partition
Could you go to disc management again
Right click that partition and select delete
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
I only quoted parts of your message which I need to ask about before going further. I followed your instructions and after I finished I ended up with Otl.txt and Extras.txt as icons on my desktop. When opened each log takes up a lot of pages and takes up a lot of space. Do you mean I should upload all pages of OTL.txt log and extras.txt log? or the icons of each log?
Also, I was so busy concentrating on your instructions, that I didn't see the top part of your message where you said go to disc management and delete the 1MB partition which you said is a "bad partition", so I deleted the bad partition AFTER I created the OTL and Extras logs. Does that matter? I will wait for you to get back to me. Thanks.
-
Hi bookend,
Thank you for your post. I think the screenshot should be enough. We'll wait for Essexboy to respond. He should be back on the forum late UK time zone. So wait for further instruction. Thank you.
I answered his message but asked him a couple of things before I can give him information he needs. I am on North America EST, and Essex is 5 hours ahead of where I am. I am not very familiar with how to get around the board yet. When I come here, I can go to "see new posts to me" or whatever it says, but when I answer someones post or lose my first post with all replies on it, I can't find it again and need to go down all messges from yesterday or day before. It takes me a while. There is probably an easier way.
-
Could you attach the main OTL log initially, if it is to large then upload to an online site like mediafire and post the sharing link
-
Could you attach the main OTL log initially, if it is to large then upload to an online site like mediafire and post the sharing link
I am attaching otl.txt and extras.txt. What I was asking you in my last message when I said the .txt files are large, was did you want the .txt files of both otl and extras which were created as .txt files and appeared on my Desktop, or if you wanted the text files opened and pasted on a post to you which might take too much space on the board. I am uploading the two .txt files and hope that's what you want. I hope so as I know nothing about Media fire site and many other things you mention on the board.
-
What are your current problems ?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2011/10/30 02:21:07 | 000,000,344 | ---- | C] () -- D:\Documents and Settings\All Users.WINDOWS\Application Data\6DSS92c31Apgjk
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
What are your current problems ?
After I deleted MBR -1MB "bad" partition of the C drive, when I ran Avast, there is no error about it now. I haven't had a chance to check if any other problems regarding the MBR problem. But I have different problems when I run Malwarebytes. I was going to mention them to you once I got the MBR problem solved. When I run Malwarebytes it comes up with 6 errors which say:
PUM.Disabled 28/03/12
PUM. " 26/3/12
(another 3 PUM.disabled errors the same as above but different dates.
Trojan Dropper - 26/03/12
Should I ignore the Malwarebytes result and see if I can follow your instructions in this message you are sending me? I am not sure what to do next. Thanks.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2011/10/30 02:21:07 | 000,000,344 | ---- | C] () -- D:\Documents and Settings\All Users.WINDOWS\Application Data\6DSS92c31Apgjk
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Yes run the OTL fix and then do a quick scan with MBAM after updating it, then post that log
-
Hi Essex, things didn't go well this time. I hope its OK to quote some things from your last message to me. If I do "Reply", I will forget some things you said.Please scroll down.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
I disabled.
I copied and pasted your instructions (which I left here at the end of this message) in the space at the bottom of OTL and clicked "Run Fix" at the top of OTL and it said at the bottom Status area "Killing processes -Do not interrupt. I let the computer run and came back after 20 minutes - scan still running. Came back after an hour, same. Left again. I figured its taking too long.Came back after 2 hours and an hourglass was on the screen (not good), and in blue area at the top of the screen said "Not responding". My computer had hung. Had to turn off computer and restart. I was glad my desktop icons came back.
I wonder if I copied and pasted the contents you gave me to run OTL are all at the right places? I started copying your instructions before I pasted (but can't remember if I put :OTL or just OTL and how much does it matter? I copied your message and left spaces in the same places between lines. The last word at the end which I included in my copy and paste was "reboot" - but not sure if the word "reboot" part was for me or part of the copy and paste instructions.
I checked my C:\ drive sometime after I deleted the 1MB "bad" partition as you had instructed and notice now in my C:\ drive files under "Documents and Settings" in Windows Explorer, when I click on that line it says "Documents and settings is not accessible - access denied". On my D:\ drive I can access Documents and settings OK. I may be completely off. I'm sure you will know.
I also wonder if it didn't work because the "bad" partition was in C:\ drive and I boot from D:\ drive and maybe the OTL was running on the D:\ drive? or maybe nothing to do with that. Much of it is over my head, but I try to learn what I can, but never had many viruses to need to learn these things I am glad to say :) Thanks.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2011/10/30 02:21:07 | 000,000,344 | ---- | C] () -- D:\Documents and Settings\All Users.WINDOWS\Application Data\6DSS92c31Apgjk
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
[/quote]
[/quote]
-
OK that is MBAM being a total pain in the posterior now
If you boot from the D drive and try to access a different user on the C drive then windows will assume you are a different user and deny access
Re-run OTL with this modified script please
:OTL
[2011/10/30 02:21:07 | 000,000,344 | ---- | C] () -- D:\Documents and Settings\All Users.WINDOWS\Application Data\6DSS92c31Apgjk
:Files
ipconfig /flushdns /c
:Commands
[CREATERESTOREPOINT]
[Reboot]
-
OK that is MBAM being a total pain in the posterior now .
I disabled MBAM before running OTL.
If you boot from the D drive and try to access a different user on the C drive then windows will assume you are a different user and deny access.
I boot from the D drive but only access the C drive by using Windows Explorer to get to it. I don't sign on as a different user to get to C drive. I don't have a dual boot. I am the only administrator and don't use any passwords.
Re-run OTL with this modified script please
I used your script below and it ran for about 3 seconds the a window came up with "OTL-The system requires a reboot to finish removing files, click OK to Reboot". I clicked ok and it rebooted. I ran OTL again and clicked on "Quick scan which said at the bottom status line "Looking for newly created files" then after a minute changed to "looking for modified files". took a few minutes.
I checked C:\documents and settings in Windows explorer again, and it still says "Documents and settings not accessible, access denied." I am uploading OTL2.txt (renamed) so as not to mix it up with otl.txt of a few days ago. I see you put (b) for that purpose below. I didn't notice the (b) till right now. Was I supposed to include the (b) in the script below? Does the OTL log I just created and I am attaching solve anything?
:OTL
[2011/10/30 02:21:07 | 000,000,344 | ---- | C] () -- D:\Documents and Settings\All Users.WINDOWS\Application Data\6DSS92c31Apgjk
:Files
ipconfig /flushdns /c
:Commands
[CREATERESTOREPOINT]
[Reboot]
-
Just one left to remove now
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O4 - Startup: D:\Documents and Settings\MMary.MARY\Start Menu\Programs\Startup\_uninst_88490121.lnk = File not found
:Files
ipconfig /flushdns /c
:Commands
[CREATERESTOREPOINT]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Can you take ownership of the errant documents and settings http://www.winxptutor.com/ownership.htm
How is the computer running now ?
-
Just one left to remove now
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O4 - Startup: D:\Documents and Settings\MMary.MARY\Start Menu\Programs\Startup\_uninst_88490121.lnk = File not found
:Files
ipconfig /flushdns /c
:Commands
[CREATERESTOREPOINT]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
OTL3.txt attached.
Can you take ownership of the errant documents and settings http://www.winxptutor.com/ownership.htm
Not quite yet. I had a problem with take ownership. I think you mean for me to take ownership of "C:\Documents and Settings." I accessed winxptutor.com and followed along about "To take ownership of a folder, follow these steps:"
Under Security tab, I have 3 lines, the first one is "Adminstrator (and my name), below that is "Everyone", below that is "System". I clicked on "Advanced at bottom for "Special permissions or for "Advanced Settings click Advanced".
Next page - click on "owner",next page "Administrator (my name), next line My name by itself. Check at bottom "Replace owner or subcontainers and objects", click OK.
Then "if you do not have permissions to read contents of directory\??\C:\Documents and Settings", do you want to replace the directory permissions with permissions granting Full Control?- All permissions will be replaced if yes"
I am not sure if I should say Yes.
Under the window where it says about permissions, there is a smaller window says "unable to set new owner on Documents and Settings" but if I click on Yes to get full control which I haven't done till I hear back from you, maybe that window will disappear.
Sorry to put all the above in, but I don't want to do this part wrong. I've never checked permissions or administrator stuff except when installing an OS, as I have always been administrator and there was no need to check.
How is the computer running now ?
It seems to be running OK except I haven't yet completed "documents and settings in C:\" - I don't know why the files which were there before disappeared and there is still PUM- disabled which can be deleted or restored, but will leave for now..
I think we are getting there. It's been quite complicated and challenging.
-
Well the good news is that there is no apparent malmare remaining ;D
If you are still trouble free tomorrow let me know and I will remove my tools and tidy up
-
Well the good news is that there is no apparent malmare remaining ;D
If you are still trouble free tomorrow let me know and I will remove my tools and tidy up
Hi Essex:
Seems to be ok today. But would like to ask 2 questions about things still to do.
1. In Quarantine tab in Malwarebytes can I safely delete 6 items -5 PUM-disabled registry data and one trojan dropper file. Choices are Delete or Restore. I ran Malwarebytes today and it said I had 3 - PUM.disabled registry data in Quarantine. I dont know if they are new or part of the group already there. Anyway, Can I delete the Quarantine list and other 3 listed today?
2. After running Winxptutor.com link you gave me, can I take the last step to take ownership of C:\documents and settings as full administrator so I can access the C:\documents and settings folder?. I have always been the only administrator. I don't know how I lost access.
Thank you.
-
Yes take the last step, the way windows sees it is, as it is from a different operating system (i.e. on the C and not D drive) it does not belong to you. However, taking the final step will give you ownership
Yes you can delete the MBAM quarantine
-
Yes take the last step, the way windows sees it is, as it is from a different operating system (i.e. on the C and not D drive) it does not belong to you. However, taking the final step will give you ownership
Yes you can delete the MBAM quarantine
Hi Essex:
I deleted all stuff in Quarantine MBAM and did quick scan and seems to be all clear. So thats done.
Only one more thing:
I changed "Documents and settings" to being the only owner, but now there are about 15 folders under C:\documents and settings (even with me as only administrator) that say either "access denied" or the folder is empty. Also, some new folders have appeared under C:\documents and settings I've never seen before such as "Migwiz" and "ACE" which has some programming language in it. Are they part of your changes or nothing to do with that? Should I delete them? Also should I delete folders which say Access denied or are empty folders in C:\Documents and settings. I guess they are old folders before I changed to one owner.
Thank you.
-
Migwiz and ace are windows folders, once you have what you need then I would recommend that you delete the folders
-
Migwiz and ace are windows folders, once you have what you need then I would recommend that you delete the folders
Do you mean delete the migwiz and ace folders, or do you mean it's OK to delete the 15 empty or "not accessible" C:\documents and settings folders I was asking about in my last message? Thanks. I'll soon be done thanks to your great help.
-
Aye delete the lot - then this problem should not rear its head again ;D
-
Aye delete the lot - then this problem should not rear its head again ;D
Hi Essex, Can't be deleted. When I tried to delete any folders in C:\documents and settings, it says "canot delete. The files cannot be accessed by the system" - same message when I try to delete empty folders such as "All Users" and several
other folders. I thought that might happen. I think the virus in C:\documents messed things up. But I have decided to leave it as it is in case I delete things that create more problems.
I don't access the C:\documents and folders anyway. The D:\documents and folders is all I really need. When I get around to it, I will format the drive and C:\ will be the boot drive which I was eventually going to do. Its ok the way it is for now.
Thank you for your help and for sticking with me. I figured when I first posted here, its too difficult for me to run programs you were telling people to run. I had never heard of Malwarbytes or OTL. I was just looking for a virus remover. Something much easier. But with a little push from SafeSurf and Pondus at the start, I decided to give it a try. But without your patience and clear step by step detailed instructions I could never have done it. Sorry for the questions, but it was the only way I can learn. I learned a lot. You're good!. Thanks again. Hope I don't have to come back for a while :)
-
Questions are good, as they also make me think ;D
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)Keep safe :wave:
-
Hi Essex,
I thought you had removed your tools a few days ago. What tools are they?
Here is what I did according to your last message:
-Ran OTL and followed your instructions.
-Updated Sun Java
-I usually "show all hidden files" so left that for now.
-I will use Malwarebytes from now on - Its free for virus scanning but you pay a fee
for Protection - is that right?
I will check the other suggestions you made in your post.
One thing I want to mention is:
When I run Malwarebytes Quick Scan, it shows the same 3 items which I "delete all" but next time I reboot and run scan again, they are usually there again, though sometimes skips a time, in "Quarantine" tab even after I put checkmark in "delete all" 3 lines the time before. I am attaching a log file of mabm.txt which I copied before deleting the lines. I didn't attach Protection log as its OK.
The 3 lines are identical and say:
PUM.Disabled - Registry Data HKLM\Software\Microsoft\Security Center (Bad (1).
Those 3 lines have been there when I first posted here but won't stay deleted.
What is PUM ? I just did a "Find" in the Registry for PUM and it brought up about 3 or 4 dozen entries for things such as "free mp3downloads", "freecasino", free games, etc -I've never been to any of those sites and I am not interested in them. How can I get rid of them?
-
The MBAM report is of no real import as they are entirely dependant on how you run your system.. I ignore them on my system
PUM is Possible Unwanted Modification
Of no real import to my mind
That is correct the free MBAM is an on demand scanner, and to be honest that is all you really need it for
OTL is actually the only tool we used - I forgot to remove the "s" from my stock reply system
What area where those sites in ?
As they may be old Spybot entries or IE block entries
-
PUM is definitely not wanted. see my comments below.
I will keep the free version of MBAM and run it regularly. Right now, I have Protection in trial mode, but I will stick with free. Is there a good free Protection program that is not a trial? I've used Spyware Blaster for quite a while, but I am not sure how effective it is.
Yes, "tools" sounds more mysterious than one "tool" OTL :)
About PUM's. I looked closer at the Registry. I said there is probably 3 or 4 dozen. More like 2 or 2 hundred entries. I checked some -they are all names from spam /porno /casino sites. They are under HKEY USERS and seem to be all from the same source. They are under Windows\Current Version\Internet settings\ZoneUP. The actual start of the long list is under "ZoneUP" and sub from it is "Domains", then under "Domains" is list names like "gamecard.net", 008i.com, adware.cc, ibieroi.it, google.it, gay.net, family.ru, thespy.cn. - under each name is "www" and on the right side of Registry where Data Value is, they all have the same number 0000004(4) -forget exact number.
I think I saw a few of these names one time a while back when checking something but didn't pay much attention. I saw a couple of spam/casinos sites but was not having a problem so went no further. When I look now there are a lot more entries than I thought, like gaysites and who knows what. I could probably delete the entire list from ZoneUP, as they are all from the same source. All Data Values are identical on each entry. I wonder if that would cause any problem? The entries are disabled, but intermittely are picked up again by MABM as being PUM- malicious in Quarantine tab.
I don't think they are old Spybot entries, though not positive. I used to use Spybot sometimes, but never had a problem with it. Spybot didnt seem to run all those entries at one time and how would they end up in the registry if it was spybot? I doubt they are blocked IE entries. IE doesn't usually block entries unless you use a spam or malware program to tell them, do they? It would involve hundreds of blocked entries which I would think I would have noticed somewhere along the way. I really don't know how they got in the registry.
-
Those are part of IE8's blacklist so I would say keep them there. Also that is why I no longer suggest the MSVP Host file any more as it will be a duplication
They are basically the restricted sites as set in IE http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/02/how-can-i-add-a-site-to-internet-explorer-s-restricted-sites-zone.aspx
-
Those are part of IE8's blacklist so I would say keep them there. Also that is why I no longer suggest the MSVP Host file any more as it will be a duplication
They are basically the restricted sites as set in IE http://blogs.technet.com/b/heyscriptingguy/archive/2005/05/02/how-can-i-add-a-site-to-internet-explorer-s-restricted-sites-zone.aspx
I don't use IE8, though I did install it about a year or more ago. I didn't like it (too much junk and bloated added "features" I didn't like and some other things I can't remember. So I went back to IE7 for the time being. But I guess when I installed IE8, it put in all these domains.
I don't know what the above link means. What does it mean? and why did IE 8.0 put hundreds of spam/porno etc. sites in the registry? What was the purpose? is there any benefit to the computer user? So since these sites were for use in IE 8.0 and I have IE7.0 I should be able to delete them? So far, IE 7.0 runs all the programs I need without problems. I will upgrade later.
P.S. what is the MSVP host file?
-
They are kill bits and block access to those sites by putting them in the restricted i.e. don't go here area of of the web. It is an additional layer of protection IE will not allow access to them
http://winhelp2002.mvps.org/hosts.htm
-
They are kill bits and block access to those sites by putting them in the restricted i.e. don't go here area of of the web. It is an additional layer of protection IE will not allow access to them
http://winhelp2002.mvps.org/hosts.htm
Thanks for the link. Looks like you are right about that long list of entries in IE. Maybe its there in Internet 7 as well, though I've never noticed the long list in the Registry, but I never looked at HKEY USERS settings. I never knew IE blocked any sites.
I would have to set my Security to Restricted to enable all those blocked sites which gives Securty High default. I usually use "Internet" which allows me to choose high,medium or low for Security. I choose Medium. If I use Restricted, I will probably not be able to go on a lot of my "regular" sites because of my High restriction setting. Right now, I don't think Restricted sites is Enabled, so doesn't matter if the list of entries is left in the Registry. When I run Malware Bytes the same 3 PUM will come up , so I guess I will just delete them every time. Thanks.
-
They are kill bits and block access to those sites by putting them in the restricted i.e. don't go here area of of the web. It is an additional layer of protection IE will not allow access to them
http://winhelp2002.mvps.org/hosts.htm
Essexboy, thanks for all your help and information. I have learned quite a few things here. It all helps :)