
AV security 2012 hijacking my computer all over place


This topic is locked
10 replies to this topic

#1 depogirl (Members, 124 posts)

Posted 17 November 2011 - 04:10 AM

Apologies, I had this posted in the "I am infected" forum and just realized it's the wrong place, so re-posting here.

Posted Yesterday, 09:27 PM
Hello, I have run Rkill (2x) and Mbytes (3x) and fixed the proxy settings, and the viruses will not go away. I used this as a guide: http://www.bleepingcomputer.com/virus-removal/remove-av-security-suite

Will now try the DDS - would like some guidance please, thank you.

Posted Today, 12:11 AM
Folks, having a lot of trouble trying to get a GMER log and a DDS file - what now?

Posted Today, 12:38 AM
GMER log (FINALLY)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-17 00:36:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\pmanus\LOCALS~1\Temp\kxroypow.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 204

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB54044$\2655319488 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\bckfg.tmp 963 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\L 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\L\iahonoel 62976 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\80000032.@ 96256 bytes

---- EOF - GMER 1.0.15 ----
HELP HELP HELP - running Malwarebytes again and I cannot get a DDS log. HELP

2:22 pm - can someone please help??

Edited by depogirl, 17 November 2011 - 05:22 PM.
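
How an analyst reads the GMER Files section above, given here as an added example (it is not GMER's output and not part of nasdaq's instructions): every entry sits under C:\WINDOWS\$NtUninstallKB54044$, a folder named like a hotfix uninstall directory, with a numeric subfolder holding a `@` file, `U\` and `L\` subfolders and numbered `*.@` modules. That is the on-disk layout of the 2011 ZeroAccess rootkit, which protects the folder so that ordinary directory listing fails; it is why these files surface only in GMER's list of hidden files, and why the later Malwarebytes scan in this thread labels driver copies in the restore points Rootkit.0Access. The script groups such entries by root and gives a verdict, then cross-checks the size of the hidden file under `L\` against the system drivers in the ComboFix Find3M list from post #4: `L\iahonoel` is 62976 bytes, exactly the size of `cdrom.sys`, whose modification time was updated on 2011-11-21 although its creation date is 2004. That is a candidate to hash and compare, not a conclusion. The regexes, the verdict rule and the size check are this example's own assumptions; the sample lines are copied from the thread except the `legit.sys` control line, which is constructed.

```python
"""Triage of a GMER 'Files' section for the ZeroAccess directory layout.

Added example for this thread, not GMER's or ComboFix's own code. Sample
lines are copied from the GMER log and the ComboFix Find3M list posted in
this thread, except the constructed 'legit.sys' control line. The regexes,
the layout verdict and the size cross-check are this example's heuristics.
"""
import re
from collections import defaultdict

# GMER "---- Files ----" lines:  File <path> <size> bytes
FILE_LINE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes$")
# ZeroAccess (2011) kept its files under a fake hotfix-uninstall folder,
# %windir%\$NtUninstallKB<digits>$, protected so that normal listing fails.
FAKE_HOTFIX = re.compile(
    r"^(?P<root>[a-z]:\\windows\\\$ntuninstallkb\d+\$)(?:\\(?P<rest>.+))?$", re.IGNORECASE
)
MODULE = re.compile(r"^[0-9a-f]{8}\.@$", re.IGNORECASE)  # numbered *.@ modules under U\
# ComboFix "Find3M" lines:  <modified> . <created> <size> <attrs> <path>
FIND3M_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$"
)

SAMPLE_GMER = r"""
File C:\WINDOWS\$NtUninstallKB54044$\2655319488 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\bckfg.tmp 963 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\L 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\L\iahonoel 62976 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U 0 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB54044$\459786363\U\80000032.@ 96256 bytes
File C:\WINDOWS\system32\drivers\legit.sys 12345 bytes
"""
SAMPLE_FIND3M = r"""
2011-11-21 19:12 . 2004-08-04 03:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-01 01:00 . 2010-11-11 21:19 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys
"""

def gmer_files(text):
    """Yield (path, size) for every 'File ... N bytes' line."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            yield m.group("path"), int(m.group("size"))

def triage(text):
    """Group hidden entries by fake-hotfix root, noting the '@' marker, *.@ modules and L\\ files."""
    roots = defaultdict(lambda: {"files": [], "has_at": False, "modules": [], "l_files": []})
    for path, size in gmer_files(text):
        m = FAKE_HOTFIX.match(path)
        if not m:
            continue  # hidden, but not the layout this example looks for
        entry = roots[m.group("root").lower()]
        entry["files"].append((path, size))
        parts = (m.group("rest") or "").lower().split("\\")
        leaf = parts[-1]
        if leaf == "@":
            entry["has_at"] = True
        if MODULE.match(leaf):
            entry["modules"].append(leaf)
        if len(parts) >= 3 and parts[-2] == "l":
            entry["l_files"].append((path, size))
    return dict(roots)

def is_zeroaccess_layout(entry):
    """'@' marker plus at least one numbered *.@ module under the hidden root."""
    return entry["has_at"] and len(entry["modules"]) > 0

def driver_size_matches(entry, find3m_text):
    """Pair each hidden L\\ file with system drivers of exactly the same size. ZeroAccess of
    this period overwrote a legitimate driver, so a same-size hidden file is a candidate
    copy: hash both and compare before trusting either."""
    by_size = defaultdict(list)
    for line in find3m_text.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if m and "\\drivers\\" in m.group("path").lower():
            by_size[int(m.group("size"))].append(m.group("path"))
    return [(hidden, drv) for hidden, size in entry["l_files"] for drv in by_size.get(size, [])]

def report(gmer_text, find3m_text):
    """One line per hidden root, plus any same-size driver candidates."""
    out = []
    for root, e in triage(gmer_text).items():
        tag = "ZEROACCESS-LAYOUT" if is_zeroaccess_layout(e) else "hidden-dir"
        out.append(f"{tag} {root}: {len(e['files'])} entries, {len(e['modules'])} *.@ modules")
        out += [f"  same size: {h} <-> {d} (hash both, compare)" for h, d in driver_size_matches(e, find3m_text)]
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GMER, SAMPLE_FIND3M)))
```

Run against the sample it reports one root with 17 hidden entries and 6 modules, flagged ZEROACCESS-LAYOUT, and one size match between `L\iahonoel` and `cdrom.sys`. The verdict rule is deliberately narrow (marker file plus modules); a fake hotfix folder with neither would still be worth a look, which is why the report prints every such root.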



#2 nasdaq (Malware Response Team, 39,202 posts, Montreal, QC. Canada)

Posted 21 November 2011 - 01:53 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers and all other running programs. Make sure you save your file if working on a document.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#3 depogirl (Topic Starter, Members, 124 posts)

Posted 21 November 2011 - 07:05 PM

THANK YOU NASDAQ. Should I do this in safe mode??

#4 depogirl (Topic Starter, Members, 124 posts)

Posted 21 November 2011 - 10:35 PM

logs below


ComboFix 11-11-21.01 - pmanus 11/21/2011 16:36:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1470 [GMT -8:00]
Running from: E:\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\pmanus\Application Data\dwme.exe
c:\documents and settings\pmanus\Application Data\ldr.ini
c:\documents and settings\pmanus\g2mdlhlpx.exe
c:\documents and settings\pmanus\GoToAssistDownloadHelper.exe
c:\documents and settings\pmanus\Start Menu\Programs\AV Security 2012
c:\documents and settings\pmanus\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk
c:\documents and settings\Setupws\Application Data\alot
C:\Install.exe
c:\program files\LP
c:\program files\LP\764B\97E.exe
c:\program files\LP\7F0B\7.tmp
c:\program files\LP\7F0B\88B.exe
c:\program files\LP\7F0B\ED.tmp
c:\program files\LP\7F0B\EE.tmp
c:\program files\LP\7F0B\F0.tmp
c:\windows\$NtUninstallKB54044$
c:\windows\$NtUninstallKB54044$\2655319488
c:\windows\$NtUninstallKB54044$\459786363\@
c:\windows\$NtUninstallKB54044$\459786363\bckfg.tmp
c:\windows\$NtUninstallKB54044$\459786363\cfg.ini
c:\windows\$NtUninstallKB54044$\459786363\Desktop.ini
c:\windows\$NtUninstallKB54044$\459786363\kwrd.dll
c:\windows\$NtUninstallKB54044$\459786363\L\iahonoel
c:\windows\$NtUninstallKB54044$\459786363\lsflt7.ver
c:\windows\$NtUninstallKB54044$\459786363\U\00000001.@
c:\windows\$NtUninstallKB54044$\459786363\U\00000002.@
c:\windows\$NtUninstallKB54044$\459786363\U\00000004.@
c:\windows\$NtUninstallKB54044$\459786363\U\80000000.@
c:\windows\$NtUninstallKB54044$\459786363\U\80000004.@
c:\windows\$NtUninstallKB54044$\459786363\U\80000032.@
c:\windows\CSC\d6
c:\windows\system32\AV Security 2012v121.exe
c:\windows\system32\NWGINA.DLL
c:\windows\XSxS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
.
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\documents and settings\pmanus\Application Data\wsWWJ77fEL9TZjY
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\documents and settings\pmanus\Application Data\IvvDD3onF4am
2011-11-17 10:05 . 2011-11-17 10:05 -------- d-----w- c:\documents and settings\pmanus\Application Data\W8gTZqhYCkVl
2011-11-17 10:05 . 2011-11-17 10:05 -------- d-----w- c:\documents and settings\pmanus\Application Data\c1uvD2onFpH5W7E
2011-11-17 08:56 . 2011-11-17 08:56 -------- d-----w- c:\documents and settings\pmanus\Application Data\YNtxA0ucSiFpGaJ
2011-11-17 08:56 . 2011-11-17 08:56 -------- d-----w- c:\documents and settings\pmanus\Application Data\AL8gTZqhYwIr
2011-11-17 08:15 . 2011-11-17 08:15 -------- d-----w- c:\documents and settings\pmanus\Application Data\xeeekIIBrzOyx1u
2011-11-17 08:15 . 2011-11-17 08:15 -------- d-----w- c:\documents and settings\pmanus\Application Data\ULL9ggTXqjY
2011-11-17 07:57 . 2011-11-17 07:57 -------- d-----w- c:\documents and settings\pmanus\Application Data\QXqqjjUCelIBzPy
2011-11-17 07:57 . 2011-11-17 07:57 -------- d-----w- c:\documents and settings\pmanus\Application Data\dUUCCelIBtzPyc1
2011-11-17 05:14 . 2011-11-17 05:14 -------- d-----w- c:\documents and settings\pmanus\Application Data\E77fRRL9gTXqUCk
2011-11-17 05:14 . 2011-11-17 05:14 -------- d-----w- c:\documents and settings\pmanus\Application Data\RDD33onG4aQHsW
2011-11-17 02:47 . 2011-11-17 02:47 -------- d-----w- c:\documents and settings\pmanus\Application Data\o222ibFF3pG5QJd
2011-11-17 02:47 . 2011-11-17 02:47 -------- d-----w- c:\documents and settings\pmanus\Application Data\g99hhTXwwUVelB
2011-11-17 02:30 . 2011-11-17 02:30 -------- d-----w- c:\documents and settings\pmanus\Application Data\xrrllONNtx0uS2b
2011-11-17 02:30 . 2011-11-17 02:30 -------- d-----w- c:\documents and settings\pmanus\Application Data\wggRRZqhYC
2011-11-16 22:51 . 2011-11-16 22:51 -------- d-----w- c:\documents and settings\pmanus\Application Data\FbF3pmG5s
2011-11-16 22:51 . 2011-11-16 22:51 -------- d-----w- c:\documents and settings\pmanus\Application Data\DamH6sWJ7E9TqYe
2011-11-16 22:30 . 2011-11-16 22:30 -------- d-----w- c:\documents and settings\pmanus\Application Data\L66ssWK7fRL9TXj
2011-11-16 22:30 . 2011-11-16 22:30 -------- d-----w- c:\documents and settings\pmanus\Application Data\vOBttxPP0yS1iDo
2011-11-16 21:54 . 2011-11-16 21:54 -------- d-----w- c:\documents and settings\pmanus\Application Data\wqjjYYCekIVrONx
2011-11-16 21:54 . 2011-11-16 21:54 -------- d-----w- c:\documents and settings\pmanus\Application Data\HF44aH66WJ7ELgT
2011-11-16 19:36 . 2011-11-16 19:37 -------- d-----w- c:\program files\5A998
2011-11-16 19:36 . 2011-11-16 19:36 -------- d-----w- c:\documents and settings\pmanus\Application Data\yppnnG5aQH6dKfR
2011-11-16 19:36 . 2011-11-16 19:36 -------- d-----w- c:\documents and settings\pmanus\Application Data\mllOONtxP0uc2iD
2011-11-16 19:36 . 2011-11-16 19:36 -------- d-----w- c:\documents and settings\pmanus\Application Data\FKK8fRRZ9
2011-11-16 19:36 . 2011-11-16 19:36 -------- d-----w- c:\documents and settings\pmanus\Application Data\UppmH55sQJdEgRq
2011-11-16 19:36 . 2011-11-17 03:24 -------- d-----w- c:\documents and settings\pmanus\Application Data\B445A
2011-11-15 18:48 . 2011-11-15 18:48 -------- d-----w- C:\Pictures
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 19:12 . 2004-08-04 03:59 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-11-16 22:42 . 2007-06-26 17:16 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-11-16 22:42 . 2007-04-10 22:37 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-11-16 22:42 . 2007-04-10 22:37 30592 ----a-w- c:\windows\system32\LMIport.dll
2011-11-16 22:42 . 2007-04-10 22:37 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-10 14:22 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-11 22:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-11 22:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-11 22:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-15 00:44 . 2011-06-15 00:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20 . 2004-08-11 22:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 01:00 . 2010-11-11 21:19 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-06-16 04:17 . 2011-09-07 18:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Novell Messenger"="c:\novell\Messenger\NMCL32.exe" [2007-09-05 1417293]
"ISUSPM"="c:\program files\Common Files\InstallShield_OLD\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
"nwiz"="nwiz.exe" [2006-01-19 1519616]
"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-09-08 102400]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2011-07-26 59992]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2011-07-26 64088]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-19 40960]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-06-17 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2006-6-13 35840]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-8-25 192512]
Novell iFolder.lnk - c:\program files\Novell\iFolder\trayapp.exe [2007-4-22 266317]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2007-02-13 454656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-11-16 22:42 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-01-10 18:52 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth nwv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-11-10 20:27 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Novell\\GroupWise\\ADDRBOOK.EXE"=
"c:\\Novell\\Messenger\\NMCL32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\pmanus\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3024:UDP"= 3024:UDP:Clntrust 3024 UDP
"1761:UDP"= 1761:UDP:ZENworks Remote
"38293:UDP"= 38293:UDP:Symantec Antivirus PDS Service
"1761:TCP"= 1761:TCP:Zen-1761-TCP
"1762:TCP"= 1762:TCP:Zen-1762-TCP
"1762:UDP"= 1762:UDP:Zen-1762-UDP
"517:TCP"= 517:TCP:Zen-517-TCP
"517:UDP"= 517:UDP:Zen-517-UDP
"1763:TCP"= 1763:TCP:Zen-1763-TCP
"1763:UDP"= 1763:UDP:Zen-1763-UDP
"21:TCP"= 21:TCP:Zen-21-TCP
"21:UDP"= 21:UDP:Zen-21-UDP
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
.
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [4/22/2007 12:52 PM 25300]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [4/10/2007 1:50 PM 41336]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 1:47 PM 6899]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [11/11/2010 12:00 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 9:59 AM 167936]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [1/10/2007 10:52 AM 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 1:11 PM 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/9/2011 7:53 AM 106104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/17/2010 3:30 PM 23888]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [6/15/2004 11:55 AM 7882]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:54848
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: LAP2-PATRICK
TCP: Interfaces\{2D7A7045-8166-4C49-AB3E-58549979AE69}: NameServer = 192.168.15.2
DPF: {0459CBCE-8429-4A91-ADB6-88B48FD28D84} - hxxp://ibinder.reallegal.com/sounddepo/ImageViewerRL.cab
DPF: {B541D024-541E-4573-8F6D-0142D2B59633} - hxxp://ibinder.reallegal.com/sounddepo/FileUploadRL.cab
FF - ProfilePath - c:\documents and settings\pmanus\Application Data\Mozilla\Firefox\Profiles\emmg7q2b.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.sounddepo.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxdm0805Dus&ptb=GNbi31VKcA6uzhKq26zO2g&ind=2010122213&ptnrS=ZUxdm0805Dus&si=&n=77d007e5&psa=&st=kwd&searchfor=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54848
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-hmghmfoj - c:\windows\hmghmfoj.exe
HKLM-Run-88B.exe - c:\program files\LP\7F0B\88B.exe
HKLM-Run-LLLL9hTXwjUClIt8234A - c:\windows\system32\AV Security 2012v121.exe
HKLM-Run-sXXXwjUVelOBzP - c:\documents and settings\pmanus\Application Data\dwme.exe
HKLM-Run-97E.exe - c:\program files\LP\764B\97E.exe
Notify-NavLogon - (no file)
SafeBoot-42992828.sys
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-21 17:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\LMIinit.dll
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
- - - - - - - > 'explorer.exe'(2672)
c:\windows\system32\WININET.dll
c:\program files\Novell\ZENworks\NLS\english\NalUIRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\program files\Novell\ZENworks\wm.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\rundll32.exe
c:\windows\stsystra.exe
c:\windows\system32\NWTRAY.EXE
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Novell\ZENworks\NalAgent.exe
.
**************************************************************************
.
Completion time: 2011-11-21 17:47:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-22 01:47
.
Pre-Run: 29,364,711,424 bytes free
Post-Run: 30,175,096,832 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E84EAE113A02488FB55396FC385B1AA2

Results of screen317's Security Check version 0.99.28
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Java version out of date!
Adobe Reader 8 (Adobe Reader out of date!)
Mozilla Firefox (5.0.) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````
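
Two things in this report that the rest of the thread acts on, written up here as an added example rather than as ComboFix's, Malwarebytes' or nasdaq's own code. First, the HTTP proxy is 127.0.0.1:54848 in both Internet Explorer (`uInternet Settings,ProxyServer = http=127.0.0.1:54848`) and Firefox (`network.proxy.http` and `network.proxy.http_port`, with `network.proxy.type` = 1, Firefox's manual-proxy mode), so every web request from either browser is handed to a process on the machine itself, which puts the rogue between the browser and the web. Two browsers pointed at the same port means one hijacking process, and the setting is still present after the ComboFix run; the Malwarebytes log in the next post reports the same value as PUM.Bad.Proxy, and every item there reads "No action taken", so that scan removed nothing. Second, the "Files Created" section lists a run of randomly named folders under Application Data plus `c:\program files\5A998`, the folders that nasdaq's `Folder::` script in post #6 targets. The out-of-date Java, Adobe Reader and Firefox in the Security Check output are not cosmetic either: the Malwarebytes log flags a file in the Java deployment cache as Trojan.Downloader, which is consistent with nasdaq's point about unpatched third-party software as the way in. The script pulls the proxy settings and the random-named directories out of the report text; the regexes and the random-name heuristic are this example's assumptions, and the sample lines are copied from the report above.

```python
"""Triage of ComboFix report lines: loopback proxy hijack and random drop folders.

Added example for this thread, not ComboFix's, Malwarebytes' or nasdaq's
code. The sample lines are copied from the ComboFix report above; the
regexes and the random-name heuristic are this example's own assumptions.
"""
import re

# IE/WinINet proxy as ComboFix prints it:  uInternet Settings,ProxyServer = http=127.0.0.1:54848
IE_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)")
# Firefox prefs as ComboFix prints them:    FF - prefs.js: network.proxy.http - 127.0.0.1
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<key>network\.proxy\.[\w.]+) - (?P<val>.+)$")
# "Files Created" lines; an attribute field starting with 'd' marks a directory
CREATED_DIR = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+-+\s+d[-\w]+\s+(?P<path>.+)$"
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\documents and settings\pmanus\Application Data\wsWWJ77fEL9TZjY
2011-11-22 00:10 . 2011-11-22 00:10 -------- d-----w- c:\documents and settings\pmanus\Application Data\IvvDD3onF4am
2011-11-16 19:36 . 2011-11-16 19:37 -------- d-----w- c:\program files\5A998
2011-11-16 19:36 . 2011-11-17 03:24 -------- d-----w- c:\documents and settings\pmanus\Application Data\B445A
2011-11-15 18:48 . 2011-11-15 18:48 -------- d-----w- C:\Pictures
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:54848
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54848
FF - prefs.js: network.proxy.type - 1
"""

def proxy_findings(text):
    """Return [(browser, host, port)] for every proxy setting that points at the local host."""
    found, ff = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = IE_PROXY.search(line)
        if m and m.group("host") in LOOPBACK:
            found.append(("IE", m.group("host"), int(m.group("port"))))
        m = FF_PREF.match(line)
        if m:
            ff[m.group("key")] = m.group("val").strip()
    # network.proxy.type 1 is Firefox's manual-proxy mode; only then do host/port apply
    if ff.get("network.proxy.type") == "1" and ff.get("network.proxy.http") in LOOPBACK:
        found.append(("Firefox", ff["network.proxy.http"], int(ff.get("network.proxy.http_port", "0"))))
    return found

def shared_listener(findings):
    """Ports more than one browser was pointed at: one hijacking process, not two coincidences."""
    by_port = {}
    for browser, _, port in findings:
        by_port.setdefault(port, set()).add(browser)
    return {p: b for p, b in by_port.items() if len(b) > 1}

def looks_random(name):
    """Heuristic: short all-hex blobs, or alphanumeric names of 8+ chars mixing digits, upper and lower case."""
    if re.fullmatch(r"[0-9A-F]{4,6}", name):
        return True
    if len(name) < 8 or not name.isalnum():
        return False
    return any(c.isdigit() for c in name) and any(c.isupper() for c in name) and any(c.islower() for c in name)

def random_dirs(text):
    """Directories from the 'Files Created' section whose leaf name looks machine-generated."""
    hits = []
    for line in text.splitlines():
        m = CREATED_DIR.match(line.strip())
        if m and looks_random(m.group("path").rsplit("\\", 1)[-1]):
            hits.append(m.group("path"))
    return hits

def cfscript_folder_section(paths):
    """Render the paths as a ComboFix 'Folder::' section, the form used later in this thread."""
    return "Folder::\n" + "\n".join(paths) + "\n"

if __name__ == "__main__":
    hits = proxy_findings(SAMPLE_COMBOFIX)
    for browser, host, port in hits:
        print(f"{browser}: proxy {host}:{port} (loopback; traffic goes through a local process)")
    for port, browsers in shared_listener(hits).items():
        print(f"port {port} shared by {sorted(browsers)}")
    print(cfscript_folder_section(random_dirs(SAMPLE_COMBOFIX)))
```

On the sample it reports IE and Firefox both proxied through 127.0.0.1:54848, flags port 54848 as shared, and lists the four random-named directories while leaving C:\Pictures alone. The heuristic is a triage aid, not proof: a name that passes it still needs the creation-time correlation with the infection (here, all within 2011-11-16 to 2011-11-22) before it goes into a removal script.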

#5 depogirl (Topic Starter, Members, 124 posts)

Posted 22 November 2011 - 09:04 AM

NASDAQ, Malwarebytes log below. Please advise what to do next; have not heard from you!

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8213

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/22/2011 5:55:52 AM
mbam-log-2011-11-22 (05-55-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 302405
Time elapsed: 1 hour(s), 33 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\documents and settings\pmanus\application data\B445A\01976.exe (Trojan.Dropper) -> No action taken.
C:\documents and settings\pmanus\application data\B445A\02C82.exe (Trojan.Dropper) -> No action taken.
C:\documents and settings\pmanus\application data\B445A\BC17F.exe (Trojan.Dropper) -> No action taken.
C:\documents and settings\pmanus\application data\Sun\Java\deployment\cache\6.0\54\2ee7cc76-6f8cdb61 (Trojan.Downloader.adb) -> No action taken.
C:\program files\5A998\lvvm.exe (Trojan.Dropper) -> No action taken.
C:\Qoobox\quarantine\C\documents and settings\pmanus\application data\dwme.exe.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\quarantine\C\program files\LP\764B\97e.exe.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\quarantine\C\program files\LP\7F0B\88b.exe.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\quarantine\C\program files\LP\7F0B\ee.tmp.vir (Trojan.Dropper) -> No action taken.
C:\Qoobox\quarantine\C\WINDOWS\system32\av security 2012v121.exe.vir (Trojan.Dropper) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP945\A0283204.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP945\A0283222.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283296.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283330.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283483.DLL (PUP.FunWebProducts) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0289572.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283442.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283454.exe (Trojan.Dropper) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283478.DLL (PUP.FunWebProducts) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283488.DLL (Adware.MyWebSearch) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283515.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283524.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283531.exe (Trojan.Dropper) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283565.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0284564.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0285564.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0285572.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0286572.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0287572.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0288572.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0289585.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0289593.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0289599.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0290599.sys (Rootkit.0Access) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0290606.sys (Rootkit.0Access) -> No action taken.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 22 November 2011 - 09:58 AM

Open notepad and copy/paste the text in the quote box below into it:


Folder::
c:\documents and settings\pmanus\Application Data\wsWWJ77fEL9TZjY
c:\documents and settings\pmanus\Application Data\IvvDD3onF4am
c:\documents and settings\pmanus\Application Data\W8gTZqhYCkVl
c:\documents and settings\pmanus\Application Data\c1uvD2onFpH5W7E
c:\documents and settings\pmanus\Application Data\YNtxA0ucSiFpGaJ
c:\documents and settings\pmanus\Application Data\AL8gTZqhYwIr
c:\documents and settings\pmanus\Application Data\xeeekIIBrzOyx1u
c:\documents and settings\pmanus\Application Data\ULL9ggTXqjY
c:\documents and settings\pmanus\Application Data\QXqqjjUCelIBzPy
c:\documents and settings\pmanus\Application Data\dUUCCelIBtzPyc1
c:\documents and settings\pmanus\Application Data\E77fRRL9gTXqUCk
c:\documents and settings\pmanus\Application Data\RDD33onG4aQHsW
c:\documents and settings\pmanus\Application Data\o222ibFF3pG5QJd
c:\documents and settings\pmanus\Application Data\g99hhTXwwUVelB
c:\documents and settings\pmanus\Application Data\xrrllONNtx0uS2b
c:\documents and settings\pmanus\Application Data\wggRRZqhYC
c:\documents and settings\pmanus\Application Data\FbF3pmG5s
c:\documents and settings\pmanus\Application Data\DamH6sWJ7E9TqYe
c:\documents and settings\pmanus\Application Data\L66ssWK7fRL9TXj
c:\documents and settings\pmanus\Application Data\vOBttxPP0yS1iDo
c:\documents and settings\pmanus\Application Data\wqjjYYCekIVrONx
c:\documents and settings\pmanus\Application Data\HF44aH66WJ7ELgT
c:\program files\5A998
c:\documents and settings\pmanus\Application Data\yppnnG5aQH6dKfR
c:\documents and settings\pmanus\Application Data\mllOONtxP0uc2iD
c:\documents and settings\pmanus\Application Data\FKK8fRRZ9
c:\documents and settings\pmanus\Application Data\UppmH55sQJdEgRq
c:\documents and settings\pmanus\Application Data\B445A


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Please run Malwarebytes again and remove all the bad items that are found.
Post the log.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 version, download jre-6u27-windows-x64.exe instead. Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; it is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Please post the logs.

Let me know what problem persists.

#7 depogirl

depogirl
  • Topic Starter

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 PM

Posted 22 November 2011 - 05:04 PM

Hello NASDAQ, apologies, as I just saw your reply. I did run Malwarebytes 3x after ComboFix and I have the following results. Please check this
and let me know if I still need to run ComboFix again with the log as posted (Posted Today, 06:58 AM - your second post, not the first one). Glad to do it, need to be sure.
Also I fixed Java, Adobe, etc. THANKS



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8217

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/22/2011 1:49:37 PM
mbam-log-2011-11-22 (13-49-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 310085
Time elapsed: 1 hour(s), 32 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283483.DLL (PUP.FunWebProducts) -> Not selected for removal.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283478.DLL (PUP.FunWebProducts) -> Not selected for removal.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP948\A0293039.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP948\A0293042.dll (PUP.FunWebProducts) -> Not selected for removal.

Edited by depogirl, 23 November 2011 - 12:49 AM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 23 November 2011 - 10:22 AM

I do not need to see any logs if all is well.

Please confirm.

#9 depogirl

depogirl
  • Topic Starter

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:34 PM

Posted 23 November 2011 - 02:31 PM

NASDAQ,
please see the latest Malwarebytes log. I have not re-run ComboFix; please advise what further action, if any, I should take.
The last three files are still showing as infected - what do I do here? Remove selected?


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8217

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/23/2011 11:29:52 AM
mbam-log-2011-11-23 (11-29-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 312270
Time elapsed: 1 hour(s), 41 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283483.DLL (PUP.FunWebProducts) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283478.DLL (PUP.FunWebProducts) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP948\A0293042.dll (PUP.FunWebProducts) -> No action taken.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 24 November 2011 - 07:50 AM

Files Infected:
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283483.DLL (PUP.FunWebProducts) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283478.DLL (PUP.FunWebProducts) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP948\A0293042.dll (PUP.FunWebProducts) -> No action taken.


These files are in your System Restore point. They are not doing any harm, but you should remove them with Malwarebytes.
===

If everything else is working well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===
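The triage decision made in the post above (detections sitting inside a System Restore point versus detections on the live file system, and detections that Malwarebytes has not yet acted on) can be made mechanically from the log format shown in this thread. The following script is an added example, not code from this thread or from Malwarebytes: it parses the `<object> (<detection>) -> <action>.` lines of an MBAM 1.x log, flags which objects live under `System Volume Information\_restore{GUID}\RPnnn\`, and lists the ones still needing action. The sample log is constructed; two of its file lines are copied from the logs posted in this thread, the third uses placeholder names.

```python
"""Summarise Malwarebytes (MBAM 1.x) log detections by location and state.

Added example, not part of the BleepingComputer thread or of Malwarebytes.
It reads the "<section> Infected:" blocks of an MBAM 1.51-style log and
separates detections inside Windows XP restore points from detections on
the live file system, then reports which still need action.
"""
import re
from collections import Counter

# One MBAM 1.x detection line:  <object> (<detection name>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# A section header such as "Files Infected:"; the summary line
# "Files Infected: 4" has a count after the colon and does not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Windows XP restore-point container: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]{36}\}\\RP\d+\\",
    re.IGNORECASE,
)

# Actions after which the detected object is still present on disk.
UNRESOLVED_ACTIONS = {"No action taken", "Not selected for removal"}

# Constructed sample log. The first two file lines are taken from the logs
# posted in this thread; the third path and its detection name are placeholders.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8217

Registry Keys Infected: 0
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP946\A0283483.DLL (PUP.FunWebProducts) -> No action taken.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP948\A0293039.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\placeholder-user\Application Data\example-dir\example.exe (Trojan.Dropper) -> Not selected for removal.
"""


def parse_mbam_log(text):
    """Return one dict per detection line found under a "<section> Infected:" header."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip the preamble, the summary counts and "(No malicious items detected)".
        if section is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        detections.append({
            "section": section,
            "object": m.group("obj"),
            "name": m.group("name"),
            "action": m.group("action"),
            "in_restore_point": bool(RESTORE_POINT_RE.search(m.group("obj"))),
            "unresolved": m.group("action") in UNRESOLVED_ACTIONS,
        })
    return detections


def summarize(detections):
    """Count detections by (location, state) so the triage picture is visible at a glance."""
    counts = Counter()
    for d in detections:
        location = "restore_point" if d["in_restore_point"] else "live"
        state = "unresolved" if d["unresolved"] else "removed"
        counts[(location, state)] += 1
    return counts


def outstanding(detections):
    """Detections the user still has to select and remove."""
    return [d for d in detections if d["unresolved"]]


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for (location, state), n in sorted(summarize(dets).items()):
        print(f"{location:14s} {state:11s} {n}")
    for d in outstanding(dets):
        print("needs action:", d["object"])
```

A detection under a restore-point path is inert until that point is restored, which is why the advice in the thread is to remove it with Malwarebytes and then reset System Restore; an unresolved detection on a live path is the one to deal with first.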

#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:34 AM

Posted 27 November 2011 - 10:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



