4 Replies Latest reply on Apr 27, 2011 9:29 AM by newjack

    Quarantined Pups Help please...

      I have had some pups quarantined for a while now.  One in particular is Beast2.dll.  I restored it once, but McAfee quarantined it again.  When I reboot my desktop, a RUNDLL window pops up saying: Error Loading c:\windows\beast2.dll.  Specified module cannot be found.  I click OK and continue on.  Is Beast2.dll valid?  I have done searches on Microsoft and McAfee but no help.  Also, when trying to load the Quarantined PUPS from McAfee, it does take a long time and I do get a message about the script and that my system may become unresponsive.  Since I finally killed the process, I'm not sure what all is included in the Quarantine and would like to see what they are before deleting.  How can I do that?  I know that there were some Cookies-207, etc. but not sure what else is there.

       

      I also have another window pop up when booting up: the Common directory.  That started after an update, but not sure if McAfee or Windows left it as both were updated the same afternoon.  I have not noticed any problems running my normal applications (IE8, Word, Excel, etc.).

       

      Any suggestions would be greatly appreciated....

       

      Linda

        • 1. Re: Quarantined Pups Help please...

          Hi Linda, I am not sure that is a good .dll. You may want to leave it for now. I would run Malwarebytes for a second opinion. You can get it from here for free. Download the free version on the left. Update and run a full scan. See what it finds.

          http://www.malwarebytes.org/  Then delete anything that is quarantined by malwarebytes.

          • 2. Re: Quarantined Pups Help please...

            I downloaded the free version of Malwarebytes and ran the full scan.  It showed infections but didn't quarantine them.  It shows on the scanner screen the malicious software on the machine.  A lot of them were Adware.Mywebsearch, some Funwebproducts, and others.  The path of one is:

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.  Most of them are HKEY_LOCAL_MACHINE.  Another path is:

            HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance).  These are under Registry Keys infected.

            One that is under Files infected is:  c:\WINDOWS\trueinstall.exe (Trojan.Agent) -> No action taken.  Quite a few are Microsoft\Windows\.......various files.   I used copy/paste to put the log below here.  As I said previously, these were not quarantined.  Just shows on the scanner screen.  Do I remove them?

             

            Malwarebytes' Anti-Malware 1.50.1.1100

            www.malwarebytes.org

            Database version: 6450

            Windows 5.1.2600 Service Pack 3

            Internet Explorer 8.0.6001.18702

            4/26/2011 9:11:50 PM

            mbam-log-2011-04-26 (21-11-41).txt

            Scan type: Full scan (C:\|)

            Objects scanned: 335243

            Time elapsed: 1 hour(s), 45 minute(s), 29 second(s)

            Memory Processes Infected: 0

            Memory Modules Infected: 0

            Registry Keys Infected: 26

            Registry Values Infected: 2

            Registry Data Items Infected: 2

            Folders Infected: 14

            Files Infected: 42


             

            I forgot to mention that the machine seems to run okay.  I do have a wireless network.  This pc is wired to the router while a notebook connects via wireless network.

            Linda

            Message was edited by: Lindaj on 4/26/11 10:41:18 PM CDT

            • 3. Re: Quarantined Pups Help please...

              First update Malwarebytes. Then check the setting in the settings box of Malwarebytes. Make sure it is checked for removal. I am not an expert. But from what I have seen some of the funweb products are suspect. Spyware, adware, etc. If you want to get rid of them you should be able to by checking for removal. If you look at your post it says no action taken. I am only assuming the settings for Malwarebytes are set to show results only. Here is an image below. See if you are set this way. Then I would delete these items. Also here are some of the facts for funwebproducts. Not sure why Site Advisor still rates as green. But if you read the reviews, not very encouraging. Also rated red by wot.

              Good luck

               

              malwarbytes.JPG

              • 4. Re: Quarantined Pups Help please...

                You may want to look at this: https://community.mcafee.com/docs/DOC-2168

                 

                Not sure if they can help you in the Getsup community. I noticed you have a Trojan. You should probably open the above document and about halfway down there are places to register, such as bleepingcomputer, what the tech, etc. You should log in to one of these places and ask for help. These guys are very good at what they do. You may have to wait a bit. But will be worth it in my opinion. I am surprised that Site Advisor has funweb rated green, as 38 people have rated as a bad site, only 1 rated good! This site is rated Red by wot.

                 

                Message was edited by: newjack on 4/27/11 10:29:23 AM EDT