melboy

Hello PUP detections (Potentially Unwanted Programs) are explained here: http://helpdesk.malw...hey-be-deleted- In addition I would read the terms of use & privacy policies before downloading & installing programs. http://shopping-sidekick.com/terms.php http://shopping-sidesidekick.com/privacy.php

It just gets better & better.

What MBAM Pro can do is potentially block Ransomware threats on three fronts - 1. The IP of the exploit. (Website Blocking) 2. The IP of the payload. (Website Blocking) 3. The payload itself. (Filesystem Protection) Add to that the advice above to keep all your software up to date - especially those programs with browser plugins - then you stand a better chance than if you didn't have this protection.

Update > Restore all & re-scan

Hi TableLamp Malwarebytes' Anti-Malware (MBAM) Open Malwarebytes' Anti-Malware Click the Quarantine tab Click to Highlight the item Updater.fpi & click Restore Repeat for Speech.fpi Update & rescan

Yes, I think they are all false positives. The foxit ones have been reported and confirmed to be fixed in the next update. http://forums.malwarebytes.org/index.php?showtopic=124166 The MP3.dll may well also be fixed by that update, if not, I've found a download & can attach the file and dev log. Malwarebytes Anti-Malware (PRO) 1.75.0.1100 www.malwarebytes.org Database version: v2013.03.22.09 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 mel :: OURS [administrator] Protection: Enabled 3/22/2013 18:20:44 MBAM-log-2013-03-22 (18-20-54).txt Scan type: Custom scan (c:\sandbox\mel\defaultbox\drive\c\program files\replay7\mp3 magic\mp3.dll|) Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Memory | Startup | Registry | Heuristics/Extra Objects scanned: 1 Time elapsed: 3 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 c:\Sandbox\mel\DefaultBox\drive\C\Program Files\Replay7\MP3 Magic\MP3.dll (Trojan.Passwords.LD) -> No action taken. [6da4c202e08bf83e154e422b88784ab6] (end) MP3.zip

You can restore those too. Choose Restore all

@ slack7639 The warning is not applicable in your case, it is relevant only to that user's problems in that thread. This is a confirmed false positive. Follow these instructions to restore the file. Malwarebytes' Anti-Malware (MBAM) Open Malwarebytes' Anti-Malware Click the Quarantine tab Click to Highlight the following file only: Trojan.Vilsel - 2013-03-21 - File - C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe [*]Click Restore Update mbam & re-scan.

You are correct , It is still being detected after updating to Database version: v2013.03.21.14. (Now I've removed it from the ignore list )

File attached. Malwarebytes Anti-Malware (PRO) 1.75.0.1100 www.malwarebytes.org Database version: v2013.03.21.13 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 mel :: OURS [administrator] Protection: Enabled 3/21/2013 20:44:26 MBAM-log-2013-03-21 (20-44-36).txt Scan type: Custom scan (c:\program files\common files\installshield\engine\6\intel 32\ikernel.exe|) Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Memory | Startup | Registry | Heuristics/Extra Objects scanned: 1 Time elapsed: 2 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 2 HKCR\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA} (Trojan.Vilsel) -> No action taken. [4f627c479bd05dd949f1f946e71aab55] HKCR\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303} (Trojan.Vilsel) -> No action taken. [4f627c479bd05dd949f1f946e71aab55] Registry Values Detected: 1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\ENGINE\6\INTEL 32\IKERNEL.EXE (Trojan.Vilsel) -> Data: 3 -> No action taken. [4f627c479bd05dd949f1f946e71aab55] Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 c:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe (Trojan.Vilsel) -> No action taken. [4f627c479bd05dd949f1f946e71aab55] (end) IKernel.zip

I would urge you to get your system cleaned. Sirefef is a serious infection. http://www.microsoft...Win32%2FSirefef

Excuse me for "butting in" I can't see it mentioned in the topic previously, but there's signs of the Sirefef rootkit (ZeroAccess) in the original DDS log. I would repost in the Malware Removal forum. http://forums.malwarebytes.org/index.php?showforum=7

Wherever possible, always run mbam in normal mode, as outlined here - http://helpdesk.malw...e-in-Safe-Mode-

Very sad news - matt was a real gent. RIP Matt.

You're not stuck using that method, but that's the method I'd recommend. It might take a few more seconds of your time, but it's more secure.

That change is by design to secure your system & help protect it from a malware attack. You have autorun enabled for your D & G drives (CD-ROM), which will invoke autoplay - the autoplay options for Mixed Content being to Open folder & view files using Windows Explorer, or Take no action.

Hi, do this: Warning. Please note that this fix is specific for this poster and should not be used by anyone else: Open Notepad & copy the contents of the Code Box below to Notepad. REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "HonorAutoRunSetting"= 0x0000000001 "NoDriveAutoRun"=dword:03ffffb7 "NoDriveTypeAutoRun"=dword:00000091 "NoDrives"=dword:00000000 Make sure there are NO blank lines before REGEDIT4 Go to File > save As...Name the file name as fix.reg Change the Save as Type to All Files Save it on the desktopClose Notepad. At the desktop, double-click on the fix.reg file, and when it prompts to merge say yes. REBOOT SystemLook Double-click SystemLook.exe to run it.Copy the content of the following codebox into the main textfield: :reg HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom /s HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /s HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /s HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt

Can you update us on any issues you are still experiencing.

Hi Backup the Registry: Modifying the Registry can create unforseen problems, so it always wise to create a backup before doing so. Please go here and download ERUNT. ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed. Install ERUNT by following the prompts. Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable. Make sure that at least the first two check boxes are selected.(System registry & Current user registry) Click on OK When the Question pop-up appears click on Yes to create the folder. After a short duration the Registry backup is complete! popup will appear Now click on OK. A backup has been created. Then do this: Warning. Please note that this fix is specific for this poster and should not be used by anyone else: Open Notepad & copy the contents of the Code Box below to Notepad. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:00000091 "NoDriveAutoRun"=dword:03ffffb7 "NoDrives"=dword:00000000 Make sure there are NO blank lines before REGEDIT4Go to File > save As... Name the file name as fix.reg Change the Save as Type to All Files Save it on the desktop Close Notepad. At the desktop, double-click on the fix.reg file, and when it prompts to merge say yes. REBOOT SystemLook Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield: :reg HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom /s HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /s HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /s HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt

Let us take a look at the settings. Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop. Download Mirror #1 Download Mirror #2 Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield: :reg HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom /s HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /s HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /s Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt

That is default action for Mixed Content.

To increase security, MS changed Autorun functionality with Windows 7 & earlier this year rolled out an update (KB971029) to affect the change in other OS's (Incuding XP SP3) too. http://blogs.technet.com/b/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx http://blogs.msdn.com/b/e7/archive/2009/04/27/improvements-to-autoplay.aspx From the DDS attach.txt supplied in your malware removal topic you have KB971029 installed. http://support.microsoft.com/kb/971029

Deleted

Most ARK's load a driver that does have the potential to crash a system - infected or not. So no, just because it crashes whilst you are trying to run it doesn't mean your infected. If your seeing specific symptoms to be worried about a rootkit, you should post in the malware removal forum and let an expert check you over.

Hi Only certain User Groups have access to the files. Membership of the group(s) is gained by promotion/invitation only. Please see this topic for further information: http://forums.malwarebytes.org/index.php?showtopic=31139