Author Topic: What to do with win32:PUP-gen[PUP]  (Read 30013 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
What to do with win32:PUP-gen[PUP]
« on: July 01, 2014, 06:06:58 PM »
I did a boot-time scan and came up with C:\windows\AutoKMS.exel>[Embedded_I#05c46] is infected by win32:PUP-gen[PUP].  I tried option 1 "Automatically fix" but then I got something like Windows - are you sure?  Well, no, I'm not sure at all.   Then I tried Repair and got Repair Error 42060 (the file was not repaired).  I have learned that PUP is Potentially Unwanted--so question #1 is how do I tell if it is really virus/malware etc. Question #2 is, if it IS something harmful, how do I deal with it?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37608
  • Not a avast user
« Last Edit: July 01, 2014, 06:18:30 PM by Pondus »

REDACTED

  • Guest
Re: What to do with win32:PUP-gen[PUP]
« Reply #2 on: July 01, 2014, 08:33:55 PM »
That's a helpful start.  No good reason for it, because I have a legal copy of Office.  Can you tell me if it is the "crack" itself that is causing the boot-time problem, or do I actually have a virus/malware etc.?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37608
  • Not a avast user
Re: What to do with win32:PUP-gen[PUP]
« Reply #3 on: July 01, 2014, 08:43:32 PM »
PUP = not virus / Possible Unwanted Program / riskware

malwarebytes PUP info
https://www.malwarebytes.org/pup/

you can upload and test suspicious files at these places
www.virustotal.com / www.metascan-online.com / www.jotti.org



« Last Edit: July 01, 2014, 10:25:07 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37608
  • Not a avast user
Re: What to do with win32:PUP-gen[PUP]
« Reply #4 on: July 01, 2014, 08:45:19 PM »
if you want a check, follow instructions and attach requested logs.   https://forum.avast.com/index.php?topic=53253.0


REDACTED

  • Guest
Re: What to do with win32:PUP-gen[PUP]
« Reply #5 on: July 02, 2014, 07:20:53 AM »
I ended up with far too many files, but I think the ones attached are the correct ones.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37608
  • Not a avast user
Re: What to do with win32:PUP-gen[PUP]
« Reply #6 on: July 02, 2014, 07:25:10 AM »
Malwarebytes log you have attached is protection log .....
we need the scan log..... if nothing was detected no need for it




REDACTED

  • Guest
Re: What to do with win32:PUP-gen[PUP]
« Reply #7 on: July 02, 2014, 02:42:37 PM »
I hope this is the right file.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: What to do with win32:PUP-gen[PUP]
« Reply #8 on: July 02, 2014, 03:27:51 PM »
Hi,

Looks like MBAM has been remove the all bad thing. Let's check if there is anything undetected ...


Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

REDACTED

  • Guest
Re: What to do with win32:PUP-gen[PUP]
« Reply #9 on: July 03, 2014, 12:46:55 AM »
Files attached as directed.

Did the previous logs tell you whether the "bad" file was actually infected, or if it was just suspicious?  If it was actually a part of my Office program and wasn't malware itself, or infected with malware, would it be okay to restore it?

My late husband was very good with computers and had set up a complex home network.  I just don't want to mess anything up until I can find out where he put my legit copy of Office and have it installed.

I really do appreciate all your help.  My husband was a great geek, but a lousy teacher, so I'm having to figure out all of this stuff from the ground up.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37608
  • Not a avast user
Re: What to do with win32:PUP-gen[PUP]
« Reply #10 on: July 03, 2014, 01:20:55 AM »
Quote
Did the previous logs tell you whether the "bad" file was actually infected, or if it was just suspicious?  If it was actually a part of my Office program and wasn't malware itself, or infected with malware, would it be okay to restore it?
see detection name given at the bottom of your malwarebytes log
now google that name for info....


riskware
http://en.m.wikipedia.org/wiki/Riskware
http://usa.kaspersky.com/internet-security-center/threats/riskware#.U7SUiF8aySM





« Last Edit: July 03, 2014, 01:27:55 AM by Pondus »

REDACTED

  • Guest
Re: What to do with win32:PUP-gen[PUP]
« Reply #11 on: July 03, 2014, 01:56:38 AM »
Hi, Pondus:  Googling the suspicious filename was the very first thing I did when it was detected.  There was so much conflicting information that I gave up very quickly and turned to Avast! help and discovered these forums.  The impression I get from what I have read so far is that it Auto.kms isn't recommended, but isn't necessarily unsafe, either.  When I Googled the filename at first, I saw one post that said Office will run just fine without that file, but I wanted to confirm that with Avast! experts because I have no idea whether the person who posted that comment knows what they're talking about.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: What to do with win32:PUP-gen[PUP]
« Reply #12 on: July 03, 2014, 01:34:02 PM »
Did the previous logs tell you whether the "bad" file was actually infected, or if it was just suspicious?  If it was actually a part of my Office program and wasn't malware itself, or infected with malware, would it be okay to restore it?

AutoKMS.exe is a time reseter, and it is appear in the logs as it start with Windows in attempt to reset Office back to day 1 of usage with each start. A program allow up to 180 days of free usage without rebooting. I'm not sure how much days it allow, I didn't check ...

This file can not be measured as real malware threat but yet again, this program does fraud (pirate) something which requires some payment for someones hardwork. And M$ does not offer Office for free so ... File is illegal by itself but not real malware threat.
Same goes for adobe programs. The adobe CS5 is not legal as well ...
You need to think about further proceedings.

In addition to the above, FRST does not show any loaded malware. The DelFix tool shall remove malware rmeoval tool. MBAM shall stay installed.



The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.




« Last Edit: July 03, 2014, 01:36:13 PM by magna86 »

REDACTED

  • Guest
Re: What to do with win32:PUP-gen[PUP]
« Reply #13 on: July 03, 2014, 03:41:34 PM »
Thank you Polonus, Pondus and magna86 for all your help!  This has been a real learning experience.  I don't know why my legal copy of Office wasn't installed, but I will attempt to find it and install it.  The clear explanation of what the Auto.KMS is and what it does are very much appreciated! :D