
Malwarebytes couldn't remove PUM.userwload


alwyna


This trouble had started long back. When a live streaming site was opened, McAfee said it has deleted some Trojans and then a series of things. It was dormant after I did a System restore. However, recently our Netbanking site locked our account and emailed saying it detected a Malware. I couldn't open any sites relating to Virus / forums / malwarebytes in normal mode. I uninstalled the McAfee and I downloaded and ran a Quick scan in Safe mode with Networking. It identified just one - PUM.userwload and said I should restart to delete it. It doesn't seem to have deleted it, because in regular mode I am still unable to open malwarebytes website and another scan also revealed the same.

Attached are the DDS.txt and Attach.txt.

dds.txt

attach.txt


Hello alwyna and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log


Hi,

I am sorry, but I didn't receive a notification and hence the delay.

1. Malwarebytes Quick Scan was run. PUM.userWload was identified and Removed.

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.10.02

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

joshua :: JOSHUA_JADON [administrator]

10-11-2012 13:52:09

mbam-log-2012-11-10 (13-52-09).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 212703

Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\joshua\LOCALS~1\Temp\msuauhelv.exe -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

2. aswMBR Scan was run, and the log is below.

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2012-11-10 14:09:47

-----------------------------

14:09:47.579 OS Version: Windows x64 6.1.7601 Service Pack 1

14:09:47.579 Number of processors: 4 586 0x2505

14:09:47.579 ComputerName: JOSHUA_JADON UserName: joshua

14:09:48.811 Initialize success

14:09:53.553 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

14:09:53.553 Disk 0 Vendor: ST950032 D005 Size: 476940MB BusType: 3

14:09:53.585 Disk 0 MBR read successfully

14:09:53.585 Disk 0 MBR scan

14:09:53.585 Disk 0 Windows VISTA default MBR code

14:09:53.585 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63

14:09:53.600 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 14144 MB offset 81920

14:09:53.616 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 239106 MB offset 29048832

14:09:53.616 Disk 0 Partition - 00 0F Extended LBA 223649 MB offset 518737920

14:09:53.647 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 111824 MB offset 518739968

14:09:53.647 Disk 0 Partition - 00 05 Extended 111824 MB offset 747755520

14:09:53.678 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 111823 MB offset 747757568

14:09:53.709 Disk 0 scanning C:\Windows\system32\drivers

14:10:02.633 Service scanning

14:10:21.790 Modules scanning

14:10:21.790 Disk 0 trace - called modules:

14:10:21.805 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll

14:10:21.821 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004bb1060]

14:10:21.821 3 CLASSPNP.SYS[fffff88001b4e43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004913050]

14:10:21.821 Scan finished successfully

14:10:29.652 Disk 0 MBR has been saved successfully to "C:\Users\joshua\Desktop\MBR.dat"

14:10:29.699 The log file has been saved successfully to "C:\Users\joshua\Desktop\aswMBR.txt"


Hello,

I have run MBAM in Normal mode and it identified the PUM.userWload once again. Clicked Remove Selected and it prompted for a restart. I cannot access the Malwarebytes forum in normal mode, hence the reply in Safe mode with Networking.

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.10.10

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

joshua :: JOSHUA_JADON [administrator]

11-11-2012 11:24:29

mbam-log-2012-11-11 (11-24-29).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 214328

Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\joshua\LOCALS~1\Temp\msuauhelv.exe -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

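An added example, not part of the original thread and not Malwarebytes' own tooling: the two scan logs above report the same per-user `Load` autorun value with the same data a day apart, which shows that "Delete on reboot" did not stick. The Python below parses MBAM 1.x registry-value detection lines (the line shape is inferred from the logs on this page), returns the detections common to every scan, and flags data that runs from a Temp directory; the function names are hypothetical and the sample logs are trimmed copies of the ones posted here.

```python
import re
from collections import namedtuple

Detection = namedtuple("Detection", "key value name data action")

# Assumed MBAM 1.x line shape, inferred from the logs on this page:
#   KEY|VALUE (DETECTION NAME) -> Data: DATA -> ACTION.
LINE_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\[^|]+)\|(?P<value>[^(]+?) \((?P<name>[^)]+)\)"
    r" -> Data: (?P<data>.*?) -> (?P<action>.+?)\.?$"
)
STAMP_RE = re.compile(r"^mbam-log-(\d{4}-\d{2}-\d{2}) \((\d{2}-\d{2}-\d{2})\)\.txt$")

# Trimmed copies of the two logs in this thread (headers and empty sections dropped).
SCAN_1 = r"""mbam-log-2012-11-10 (13-52-09).txt
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\joshua\LOCALS~1\Temp\msuauhelv.exe -> Delete on reboot.
"""
SCAN_2 = SCAN_1.replace("2012-11-10 (13-52-09)", "2012-11-11 (11-24-29)")

def parse_log(text):
    """Return (scan timestamp or None, [Detection, ...]) for one pasted log."""
    stamp, found = None, []
    for line in map(str.strip, text.splitlines()):
        m = STAMP_RE.match(line)
        if m:
            stamp = f"{m.group(1)} {m.group(2)}"
            continue
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(**m.groupdict()))
    return stamp, found

def recurring(logs):
    """(key, value, data) tuples present in every log: removals that did not stick."""
    seen = [{(d.key.lower(), d.value.lower(), d.data.lower())
             for d in parse_log(t)[1]} for t in logs]
    return set.intersection(*seen) if seen else set()

def runs_from_temp(data):
    """True when the autorun data sits under a Temp directory (long or 8.3 path)."""
    parts = data.lower().split("\\")
    return "temp" in parts[:-1]

if __name__ == "__main__":
    for key, value, data in sorted(recurring([SCAN_1, SCAN_2])):
        print(f"persists across scans: {key}|{value} -> {data} "
              f"(temp dir: {runs_from_temp(data)})")
```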

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


  • 3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.