
Non existent PUA/Malware in registry

I'm seeing LOTS of messages like this:

"HKU\GUIDofaUSER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Usually for every Roaming profile currently cached on the machine. The first entry is usually preceded by:

File "C:\Documents and Settings\USER1\Local Settings\Temporary Internet Files\Content.IE5\9UEQ0TJA\popup[1].htm" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Registry value "HKU\GUIDofUSER1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Registry value "HKU\GUIDofUSER2\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" belongs to adware or PUA 'Paypopup AdClick' (of type Adware).

Sometimes that first entry is identified as a Java exploit and the same registry keys are reported, but this time with reference to the Java Malware.

However, since there is a GPO that sets this flag I am somewhat confused. I also cannot clean it up from the console; I get

'None of these alerts can be cleaned up'.

So I suppose my query is three fold:

1) Is this a false positive, and if so how can we eliminate them?

2) How is it there is a file in the internet cache that is being detected as potentially unwanted when I've got on access scanning for PUA and HIPS, with web scanning set to 'As Access'?

3) How do I clean it up (at the very least there is the remnants of something in the user's TIF or Java cache)?

Many thanks

Nick

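As an added example (not from the original post and not Sophos code), the following PowerShell enumerates every user hive currently loaded under HKEY_USERS, resolves each SID to an account name, and reports the DisableRegistryTools value, so the HKU\<SID> entries in the alerts can be tied back to the accounts and to the GPO that is expected to set the value. It assumes it is run elevated on the affected workstation and that the hives of interest are loaded; a cached roaming profile whose user is not logged on is not under HKEY_USERS until it is mounted with reg load.

```powershell
# Added example, not from the original thread: map the HKU\<SID> alert entries
# to accounts and show what DisableRegistryTools is actually set to in each hive.
function Get-RegistryToolsPolicy {
    $policyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $valueName  = 'DisableRegistryTools'

    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        # Keep only real account hives (domain/local SIDs), not the *_Classes hives
        # or the service SIDs (S-1-5-18/19/20).
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid = $_.PSChildName

            # Resolve the SID to DOMAIN\user; a SID that no longer resolves
            # belongs to a cached profile of a deleted or foreign account.
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                               Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            # Read the policy value if the key exists. 1 blocks regedit entirely,
            # 2 blocks interactive use but still allows "regedit /s", absent = not set.
            $key   = "Registry::HKEY_USERS\$sid\$policyPath"
            $value = $null
            if (Test-Path -Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
            }

            [PSCustomObject]@{
                SID                  = $sid
                Account              = $account
                DisableRegistryTools = $value
            }
        }
}

Get-RegistryToolsPolicy | Format-Table -AutoSize
```

To corroborate that a reported value really comes from policy rather than from the adware, run gpresult /scope user /v as the affected user: the Administrative Templates section lists the registry settings the applied GPOs write, and "Prevent access to registry editing tools" is the policy behind this value. A value of 1 or 2 in a hive where gpresult also reports the policy is the GPO's doing; the same value in a hive where no policy applies is the one worth investigating, together with the popup[1].htm and Java cache files the first alert in each set points at.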


  • Hello Nick,

    every infected machine

    Detection does not mean infection but I can understand your concern about logging on locally as admin (something I never do except for forensics, and only when the machine is isolated). Due to a lack of samples I can't test whether a custom scan with 'Scan for adware and PUA' and 'Automatically clean up adware and PUA' will do what you want. You could also delete certain files remotely.

    As for blocking - Adware and PUAs are a grey area and while some of these "things" do modify settings they can't be generally classified as malicious (because for example they do the modification only at install time) and Sophos is less aggressive in dealing with them.

    Christian
