
explorer.exe & winlogon.exe virus


  • Please log in to reply
7 replies to this topic

#1 xm-221

xm-221

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:17 AM

Posted 07 December 2010 - 03:11 AM

G'day all.
First up I must say that I love the site :D Well set out and you're all a friendly bunch.

My problem.
A few days ago my PC froze up completely whilst I was searching for a pic of a big hairy beaver (the animal version .. sheesh dirty minds).
I had to do a hard power down (power button held in until turn off), then restarted the PC. When Windows logged on I started Task Manager and sat and watched for a while. mshta.exe popped up after 20 mins, and it was at this time my PC froze again; there was the culprit (or so I thought). I did the usual Google search and confirmed from a few different sites that the Malwarebytes antimalware program would get rid of it. I have Malwarebytes installed, so I did an update and ran the program. Found 4 infections and cleaned them up. Re-booted my PC as asked by the prompt, and opened Task Manager again to see if my problem was fixed ...... mshta.exe popped up again and my PC froze. Did another hard reset and quickly downloaded AVG Free as it's never let me down in the past.
Now it finds the infections, explorer.exe and winlogon.exe, but will only patch them as it is "Object white-listed (critical/system file that should not be removed)". Even after running AVG Free and finding (and healing) 11 infections it will only patch the two mentioned .exe files, so they end up regenerating themselves.

Any advice taken here would be much appreciated.

I already have gmer, dds.scr, hijackthis, defogger and cwshredder on the desktop awaiting (yes I did a bit of reading first :D)

Cheers.
Glenn.

Edited by xm-221, 07 December 2010 - 03:13 AM.



#2 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:17 PM

Posted 14 December 2010 - 10:19 PM

Welcome to BC :)

Please uninstall AVG because it will affect the tools we are going to run.

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Microsoft MVP Consumer Security--2007-2010

#3 xm-221

xm-221
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:17 AM

Posted 20 December 2010 - 06:29 AM

The results are in.

ComboFix 10-12-17.02 - glennedkelly 18/12/2010 21:33:48.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.991.743 [GMT 11:00]
Running from: c:\program files\Virus Programs\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\glennedkelly\Application Data\hotfix.exe
c:\documents and settings\glennedkelly\Application Data\install
c:\documents and settings\glennedkelly\Start Menu\Programs\ThinkPoint.lnk
c:\windows\system32\kb.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-17 09:23 . 2004-09-13 06:17 2146304 ------w- c:\windows\UNNMP.exe
2010-12-17 09:21 . 2001-07-09 00:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-12-17 09:20 . 2010-12-17 09:20 -------- d-----w- c:\documents and settings\glennedkelly\Application Data\Ahead
2010-12-17 09:19 . 2004-10-14 08:19 2285568 ------w- c:\windows\UNNeroVision.exe
2010-12-17 09:19 . 2001-03-08 08:30 24064 ------w- c:\windows\system32\msxml3a.dll
2010-12-17 09:19 . 2010-12-17 09:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2010-12-17 09:19 . 2004-07-20 06:24 476320 ------w- c:\windows\system32\ImagXpr7.dll
2010-12-17 09:19 . 2004-07-20 06:24 471040 ------w- c:\windows\system32\ImagXRA7.dll
2010-12-17 09:19 . 2004-07-20 06:24 262144 ------w- c:\windows\system32\ImagXR7.dll
2010-12-17 09:19 . 2004-07-20 06:24 1568768 ------w- c:\windows\system32\ImagX7.dll
2010-12-17 09:19 . 2004-07-08 22:43 364544 ------w- c:\windows\system32\TwnLib4.dll
2010-12-17 09:19 . 2001-06-25 21:15 38912 ------w- c:\windows\system32\picn20.dll
2010-12-17 09:19 . 2000-06-26 00:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2010-12-17 09:19 . 2010-12-17 09:20 -------- d-----w- c:\program files\Common Files\Ahead
2010-12-17 09:19 . 2010-12-17 09:22 -------- d-----w- c:\program files\Ahead
2010-12-17 08:45 . 2010-12-17 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-12-17 08:45 . 2010-12-17 08:45 -------- d-----w- c:\program files\DVD Shrink
2010-12-17 08:45 . 2010-12-17 08:45 -------- d-----w- c:\program files\SlySoft
2010-12-17 07:50 . 2010-12-17 07:50 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc3E.tmp
2010-12-15 21:19 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 21:17 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-15 11:03 . 2010-12-18 10:30 -------- d-----w- c:\program files\Virus Programs
2010-12-06 09:15 . 2010-12-06 09:15 -------- d--h--w- c:\windows\PIF
2010-12-05 10:28 . 2010-12-05 10:28 -------- d-----w- c:\documents and settings\glennedkelly\Application Data\AVG10
2010-12-05 10:15 . 2010-12-05 10:15 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-12-05 10:10 . 2010-12-15 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-12-05 10:08 . 2010-12-05 10:08 -------- d-----w- c:\program files\AVG
2010-12-05 09:57 . 2010-12-18 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-29 07:57 . 2010-12-02 11:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-17 09:19 . 2009-07-22 18:28 49152 ----a-w- c:\program files\Common Files\dns.cert
2010-11-18 18:12 . 2009-07-22 08:59 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34 . 2004-08-04 01:07 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2004-08-04 01:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2004-08-04 01:07 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-08-04 01:07 17408 ------w- c:\windows\system32\corpol.dll
2010-11-03 12:25 . 2004-08-04 01:07 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 01:07 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 01:07 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 01:07 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX530 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE" [2005-04-07 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"EPSON Stylus Photo RX530 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE" [2005-04-07 98304]
"S3TRAY2"="S3tray2.exe" [2003-02-24 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 2:16 PM 130384]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [8/02/2010 7:50 PM 13224]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [16/07/2010 10:01 PM 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [16/07/2010 10:01 PM 8320]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [20/12/2009 4:22 PM 32377]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [8/02/2010 7:27 PM 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [8/02/2010 7:27 PM 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [8/02/2010 7:27 PM 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [8/02/2010 7:27 PM 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [8/02/2010 7:27 PM 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [8/02/2010 7:27 PM 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [8/02/2010 7:27 PM 109736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 2:16 PM 753504]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\glennedkelly\Application Data\Mozilla\Firefox\Profiles\dxa88n4q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: CyberShadow's Bejeweled Blitz 3 Cheat: bejeweledblitz3cheat@thecybershadow.net - %profile%\extensions\bejeweledblitz3cheat@thecybershadow.net
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-18 21:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%CommonProgramFiles%\dns.cert"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1844823847-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(860)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ALCXMNTR.EXE
c:\windows\system32\S3tray2.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-18 21:47:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-18 10:47
ComboFix2.txt 2010-12-15 08:49

Pre-Run: 14,933,975,040 bytes free
Post-Run: 14,990,987,264 bytes free

- - End Of File - - 86EA4740E0FA7D6CE6147C0012E1179A
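The ComboFix log above carries several indicators worth recognising on sight: a `Dnscache` service whose `ServiceDll` points to `%CommonProgramFiles%\dns.cert` instead of a DLL under `system32` (the same file MBAM later quarantines as Trojan.Agent), a run of 24 `At*.job` scheduled tasks, infected system binaries restored from the ERDNT cache, and Firefox `user.js` prefs that switch off insecure-submit and mixed-content warnings. The following script is an added example, not part of the thread and not a ComboFix or BleepingComputer tool. It scans a ComboFix-style log for those indicators; the sample lines are constructed to match the shapes seen above, and the task-count threshold and the "DLL must live under system32" rule are this example's own judgement calls, not rules ComboFix applies.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

Flags: svchost-hosted services whose ServiceDll lives outside system32,
bursts of At*.job scheduled tasks, system files ComboFix had to disinfect,
and Firefox user.js prefs that silence security warnings.
"""
import re

# Constructed sample in the shape of the thread's ComboFix log (not the real log).
SAMPLE_LOG = r"""
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%CommonProgramFiles%\dns.cert"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"
FF - user.js: security.warn_submit_insecure - false
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: browser.startup.homepage - hxxp://www.google.com/
"""

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I)
SERVICE_DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.I)
FF_PREF_RE = re.compile(r"^FF - user\.js: (\S+) - (.+)$")
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$", re.I)

# Assumption: a legitimate svchost-hosted service DLL sits under the system directory.
SYSTEM_DLL_PREFIXES = (r"%systemroot%\system32\\".rstrip("\\"), r"c:\windows\system32")

# Assumption: three or more At*.job files in one log is worth a second look
# (the thread's log shows 24, one per hour).
AT_JOB_THRESHOLD = 3

# Firefox prefs that, at these values, suppress security UI or loosen cookie policy.
WEAKENED_FF_PREFS = {
    "security.warn_submit_insecure": "false",
    "security.warn_viewing_mixed": "false",
    "network.cookie.cookieBehavior": "0",
}


def triage(log_text):
    """Return a list of finding tuples; the first element names the finding type."""
    findings = []
    at_jobs = 0
    current_service = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            # A registry key header: remember it only if it is a Services key.
            m = SERVICE_KEY_RE.match(line)
            current_service = m.group(1) if m else None
            continue
        m = SERVICE_DLL_RE.match(line)
        if m and current_service:
            path = m.group(1)
            if not path.lower().startswith(SYSTEM_DLL_PREFIXES):
                findings.append(("service_dll_hijack", current_service, path))
            continue
        if AT_JOB_RE.search(line):
            at_jobs += 1
            continue
        m = DISINFECTED_RE.match(line)
        if m:
            findings.append(("disinfected_system_file", m.group(1)))
            continue
        m = FF_PREF_RE.match(line)
        if m and WEAKENED_FF_PREFS.get(m.group(1)) == m.group(2).strip():
            findings.append(("weakened_ff_pref", m.group(1), m.group(2).strip()))
    if at_jobs >= AT_JOB_THRESHOLD:
        findings.append(("at_jobs", at_jobs))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a real ComboFix.txt by passing the file contents to `triage()`; each finding names the registry service, file or pref concerned so it can be cross-checked against the rest of the log.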

#4 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:17 PM

Posted 20 December 2010 - 10:18 PM

Please download Malwarebytes' Anti-Malware from Here.



Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Microsoft MVP Consumer Security--2007-2010

#5 xm-221

xm-221
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:17 AM

Posted 21 December 2010 - 02:52 AM

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5364

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

21/12/2010 6:39:54 PM
mbam-log-2010-12-21 (18-39-54).txt

Scan type: Quick scan
Objects scanned: 137651
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\common files\dns.cert (Trojan.Agent) -> Quarantined and deleted successfully.

#6 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:17 PM

Posted 21 December 2010 - 04:41 PM

How is everything running???
Microsoft MVP Consumer Security--2007-2010

#7 xm-221

xm-221
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:17 AM

Posted 21 December 2010 - 04:55 PM

So far, so good.
The ThinkPoint virus is a pain in the Khyber Pass; ComboFix gets rid of it as well :D Donation time, methinks.


#8 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:01:17 PM

Posted 21 December 2010 - 05:22 PM

Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.
Microsoft MVP Consumer Security--2007-2010
