
How Can I Prevent These Problems From Coming Back?


jp_cent


I have a trojan/virus/malware that keeps coming back. To remove it I quick scanned with MBAM, then scanned with Nod32 (found nothing with Nod). So today I did a full scan with MBAM. Here is my log.

Memory Modules Infected:

C:\WINDOWS\rwlfsdmk.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\onfwbsak.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{420e8125-ce95-43ca-bd26-c91d430126b6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{e2164cbe-66c4-4587-9191-f5c4184ef02d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{986f48b3-32c1-45f3-bfc4-35fcebbfd1c2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6bb63d88-1867-4fa4-acdc-0510ae4956e4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b6187aa1-28e7-4972-9c5b-941cc786895d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{94127e06-f869-4884-ae38-9980562f7401} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{9c097664-75af-469f-8f21-4c676a93ae3b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{b5ae7279-a768-48b9-8544-7585bf60e32c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{3bc2c1be-7b91-4a8b-aebe-b02e3db8ac83} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3bc2c1be-7b91-4a8b-aebe-b02e3db8ac83} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\peltodgx.bmso (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\peltodgx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rwlfsdmk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{6bb63d88-1867-4fa4-acdc-0510ae4956e4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\onfwbsak (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-OEM-0011903-00101) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\eqxk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\rwlfsdmk.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\peltodgx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\onfwbsak.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\dfmlxbpkwxo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\.elizley\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Office 2003 Setup(0001).txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSS2b99.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSS4a20.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSS964c.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSSe466.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\jp_cent\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

Hopefully it doesn't come back, although it is a possibility. Please tell me how I can permanently remove this.

My main problem is that it gives me 3 icons, those being Privacy Protector, Error Cleaner, and Spyware & Malware Protection. It also gives me fake Windows security alerts. It opens my web browser, bringing me to a page where they recommend I should buy software. Please help me prevent this. I have spent many hours trying to fix it for good.


Hi jp_cent, and welcome to Malwarebytes. Follow the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 Start your own topic in that forum. Post the requested logs in your reply, not as an attachment, and someone will be happy to help you. Please be patient; we are having severe site performance issues right now and I can barely make replies.
