
Hi, I'm new to the Forum.  I have tried researching the topic online and contacting MBAM support directly.  Neither has helped so far.  I think that is, in part, due to the fact that I want to understand what is going on before jumping on a removal process.  From MBAM's own website:

 

"The 'PUM' (Potentially Unwanted Modification) detections are not false positives or actual infections but rather settings which you may have made and in some cases, malware also makes. So we scan those sections of the registry for changes which differ from default settings.

If you made the modification, you can add them to ignore after your next scan or allow them to be set to Microsoft default settings by our software."

 

But how do I really know if the detected PUM is something I should keep or remove?  I've attached an image of what the screen looks like when MBAM finishes its scan.  I'll also include the log information in an attachment and in the body below.

 

In the days leading up to this problem, I did make some changes.  Kaspersky Internet Security (KIS) wasn't updating, a problem I have experienced before.  After troubleshooting the matter, I had to do an uninstall/reinstall.  Unlike previous uninstall/reinstall instructions, this time I was not told to use the Kavremover tool.  I also took steps to update the NVIDIA driver and downloaded a new program called DrawPlus by Serif.  So, I have been wondering if one of the actions I took did change something on the StartMenu; but I am not experienced enough to figure it out.  Googling only took me so far and there's a lot to process.  

 

During the uninstall/reinstall of KIS, I did have to turn off the firewall too.  So, maybe it isn't an action I took but an actual piece of malware that got in during that time?  But the question remains:  How do I know the difference? 

 

I don't want to prematurely remove the PUM only to cause other problems down the line in the registry.  I am happy to provide the logs and screen shots needed to help you help me figure this out.  Just know that I'll need you to tell me how to get you the logs :)

 

The log I can give you now is the most recent.   I tried the NVIDIA Rollback tool to see if that made a difference. The only difference I noted was that the information in the brackets following the PUM location changed.  Again, I don't know what that even means.    

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/25/2015
Scan Time: 5:10 PM
Logfile: 25 August 2015 - FORUM.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.25.07
Rootkit Database: v2015.08.16.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 423279
Time Elapsed: 19 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 1
PUM.Hijack.StartMenu, HKU\S-1-5-21-683834285-2108896767-324524410-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|Start_ShowSearch, 0, Good: (1), Bad: (0),,[d8330706acdffe3830e05ef9da2b45bb]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

Okay, I think that's it. I very much look forward to your replies.  Your help and input is most welcome and appreciated.

 

 

Image MBAM Results.docx

25 August 2015 - FORUM.txt
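As an added example (not from the thread, and not Malwarebytes' own code), here is a PowerShell snippet that parses the Registry Data line from the log above and compares the "Good" default MBAM reports against the value currently in the registry, so you can see whether the setting still differs before deciding to keep or remove it. The function names and the HKU: drive mapping are assumptions of this example.

```powershell
# Added example: parse an MBAM "Registry Data" PUM line and check the live value.
function ConvertFrom-MbamPumLine {
    param([Parameter(Mandatory)][string]$Line)
    # Line format as seen in the log above:
    # <Detection>, <Key>|<ValueName>, <Logged>, Good: (<Good>), Bad: (<Bad>),,[<hash>]
    $pattern = '^(?<Name>[^,]+),\s*(?<Key>[^|]+)\|(?<Value>[^,]+),\s*(?<Current>[^,]+),\s*Good:\s*\((?<Good>[^)]*)\),\s*Bad:\s*\((?<Bad>[^)]*)\)'
    if ($Line -notmatch $pattern) { throw "Not an MBAM registry-data line: $Line" }
    [pscustomobject]@{
        Detection = $Matches.Name.Trim()
        Key       = $Matches.Key.Trim()
        ValueName = $Matches.Value.Trim()
        Logged    = $Matches.Current.Trim()   # value MBAM saw at scan time
        Good      = $Matches.Good.Trim()      # Windows default MBAM would restore
        Bad       = $Matches.Bad.Trim()
    }
}

function Test-MbamPumLive {
    param([Parameter(Mandatory)]$Parsed)
    # MBAM writes keys with an "HKU\" prefix; PowerShell needs an HKU: drive
    # (assumption of this example: create it if it does not exist).
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $path = $Parsed.Key -replace '^HKU\\', 'HKU:\'
    $item = Get-ItemProperty -Path $path -Name $Parsed.ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # The SID hive is only loaded while that user is logged on.
        return [pscustomobject]@{ Present = $false; Live = $null; MatchesDefault = $null }
    }
    $live = $item.($Parsed.ValueName)
    [pscustomobject]@{
        Present        = $true
        Live           = $live
        MatchesDefault = ([string]$live -eq $Parsed.Good)   # $true means nothing left to "remove"
    }
}

# Sample input copied from the scan log posted above
$sample = 'PUM.Hijack.StartMenu, HKU\S-1-5-21-683834285-2108896767-324524410-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|Start_ShowSearch, 0, Good: (1), Bad: (0),,[d8330706acdffe3830e05ef9da2b45bb]'
$parsed = ConvertFrom-MbamPumLine $sample
$parsed | Format-List
# Meaningful only on the affected machine, run from the account whose SID appears in the key
Test-MbamPumLive $parsed | Format-List
```

If MatchesDefault comes back $false and you did not change that setting yourself, MBAM's Remove action does nothing more than set the value back to the "Good" default shown in the log.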


Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so back up your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts; attachments make my work easier. There is a More reply options button, which gives you an Upload Files option below that you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!


Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

 

 


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I do not see signs of active infection at the moment, but this is probably some kind of leftover from before. Actually there are some things I would like to fix:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please upload it to your reply.


Check Disk

  • Press the Windows key + R on your keyboard at the same time. Type cmd and click OK.
  • Copy/enter the command below and press Enter:
  • chkdsk C: /r
  • You should get a message to schedule Check Disk at next system restart. Please type Y and press Enter.
  • All you should do now is to restart your PC and let the Check Disk process finish uninterrupted.
Check Disk report:
  • Press the Windows key + R on your keyboard at the same time. Type eventvwr and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, check only Wininit and click OK.
  • Now you'll be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

fixlist.txt


I apologize for not replying sooner. My to-do list did not go smoothly. I want to make sure I understand what you are saying.  So, then, it's possible that this message I am getting about the PUM has something to do with a leftover of sorts?  I have more questions, of course, and am so grateful that in your original post, you welcomed all manner of questions.  Here they are:

 

  • What are you seeing that you'd like to fix?
  • How will these fixes improve my computer?
  • Most importantly, when I initially downloaded Farbar, I got an alert warning me that the tool is uncommonly downloaded and asking if I still wanted to proceed.  I agreed, of course, to facilitate the research.  However, I would like some orientation to assist with my confidence levels going forward.  Can a novice like me  handle using this tool, per your instructions, without messing anything up? I had never seen that warning sign before. I didn't think to take a screenshot. For that, I apologize. I hope you know to what I am referring.

 

I plan to print your instructions so that I can do things correctly.  But is there anything else I need to bear in mind before I proceed?  Okay, that's my last question.  Thanks again for your openness. I really do appreciate it.

 

Thank you,

AW


What are you seeing that you'd like to fix? How will these fixes improve my computer?

The first step is only simple maintenance, removing some empty keys, nothing too big. The second step is Check Disk; I saw some errors and it would be fine to check the file structure. Basically, you can call it maintenance.

Most importantly, when I initially downloaded Farbar, I got an alert warning me that the tool is uncommonly downloaded and asking if I still wanted to proceed. I agreed, of course, to facilitate the research. However, I would like some orientation to assist with my confidence levels going forward. Can a novice like me handle using this tool, per your instructions, without messing anything up? I had never seen that warning sign before. I didn't think to take a screenshot. For that, I apologize. I hope you know to what I am referring.

Yes, this happens sometimes. However, I can assure you that FRST is a legitimate tool and there is no need to worry about it. You can ignore the warnings or disable them while running FRST.

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          8/28/2015 9:50:52 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Owner-PC
Description:

Checking file system on C:
The type of the file system is NTFS.
Volume label is HP.

A disk check has been scheduled.
Windows will now check the disk.                        

CHKDSK is verifying files (stage 1 of 5)...
Cleaning up instance tags for file 0x25d2d.
Cleaning up instance tags for file 0x2c868.
  278784 file records processed.                                        

File verification completed.
  1088 large file records processed.                                  

  0 bad file records processed.                                    

  0 EA records processed.                                          

  63 reparse records processed.                                     

CHKDSK is verifying indexes (stage 2 of 5)...
  354128 index entries processed.                                       

Index verification completed.
  0 unindexed files scanned.                                       

  0 unindexed files recovered.                                     

CHKDSK is verifying security descriptors (stage 3 of 5)...
  278784 file SDs/SIDs processed.                                       

Cleaning up 1523 unused index entries from index $SII of file 0x9.
Cleaning up 1523 unused index entries from index $SDH of file 0x9.
Cleaning up 1523 unused security descriptors.
Security descriptor verification completed.
  37673 data files processed.                                          

CHKDSK is verifying Usn Journal...
  37270352 USN bytes processed.                                           

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  278768 files processed.                                               

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  136848764 free clusters processed.                                       

Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

 613551103 KB total disk space.
  65641544 KB in 185811 files.
    111876 KB in 37674 indexes.
         0 KB in bad sectors.
    402623 KB in use by the system.
     65536 KB occupied by the log file.
 547395060 KB available on disk.

      4096 bytes in each allocation unit.
 153387775 total allocation units on disk.
 136848765 allocation units available on disk.

Internal Info:
00 41 04 00 08 69 03 00 d7 64 06 00 00 00 00 00  .A...i...d......
22 05 00 00 3f 00 00 00 00 00 00 00 00 00 00 00  "...?...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.


Fixlog.txt


Okay! I think I did it all correctly.  I had a few hiccups along the way but overall, I think it worked out.  I didn't want to complicate the results with a personal reply. That's why I am adding this reply separately.  I've been nervous these past few days, even after your reply about this not looking like an infection.  I've seen pop-ups that I've never seen before and even though it's likely just coincidence or odd timing, I find myself very eager to know your additional thoughts after receiving the information above. My fingers are crossed!  Thank you again for your time.   

Link to post
Share on other sites

Well, MBAM is still detecting a PUM.  I attached the newest scan log.  Apart from that, I've had some weird popups:

 

A KIS alert about URL b.scorecardresearch.com. I don't even know how that message was triggered but I've seen it twice.

Both times it read "Cannot guarantee authenticity of the domain to which encrypted connection is established".  Each time, I chose the Disconnect option.  One happened after the fix and one happened before.

 

KIS also had trouble loading once after the fix and chkdsk; but it seemed to right itself. An error report was sent.

 

I've also had a few NVIDIA "Display driver stopped responding and has recovered" messages but all while on the same site.

 

I have no idea if all these events are related or if my computer needs different attention after we resolve this matter.  I could look into updating browsers and Java, which has been prompting me today; but I don't even know if I can do that now.  Should I wait until we resolve this matter?

 

I felt like my computer ran a little smoother after the restart, following the fix and chkdsk, apart from the issues above; but I don't know if I'm just really hopeful.  Ultimately, I guess I don't know what kind of feedback to offer.  My only real point of reference is the MBAM scan and the PUM is still being detected.  Everything else may be separate.  So, I really don't know.

 

What do you think? 

 

 

29 August 2015 - FORUM - UPDATE.txt


I never removed the PUM with MBAM, no.  I think that's the same thing as quarantine, right?  MBAM's options are: Ignore Once, Ignore Always, and Remove. I kept selecting Ignore Once so that I could select Finish and return to MBAM's normal, working state.  Since the evaluation revealed that the detected PUM was probably not as a result of an infection, I thought Removing it might cause problems.  I don't know much about computers but I've often seen advice online indicating that the Registry should be left alone. So, that's why I never selected Remove.  I hope this helps. If you need me to run another test, just let me know.  Again, I very much appreciate your willingness to discuss this matter with me.    


I removed it just now and a follow-up scan confirmed it is gone. I'll continue to pay attention as I use the computer in the next few days. 

 

Does this mean I can proceed as usual, updating Java and such?  Also, what do you think about the other things I've noticed?  Is my computer carrying a hidden infection?  This is all so unbelievably over my head.

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
