Malwarebytes

How Can I Prevent These Problems From Coming Back?


2 replies to this topic

#1
jp_cent

    New Member

  • Members
  • 2 posts
I have a trojan/virus/malware that keeps coming back. To remove it, I quick-scanned with MBAM, then scanned with Nod32 (found nothing with Nod). So today I did a full scan with MBAM. Here is my log.



Memory Modules Infected:
C:\WINDOWS\rwlfsdmk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\onfwbsak.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{420e8125-ce95-43ca-bd26-c91d430126b6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e2164cbe-66c4-4587-9191-f5c4184ef02d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986f48b3-32c1-45f3-bfc4-35fcebbfd1c2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6bb63d88-1867-4fa4-acdc-0510ae4956e4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b6187aa1-28e7-4972-9c5b-941cc786895d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{94127e06-f869-4884-ae38-9980562f7401} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9c097664-75af-469f-8f21-4c676a93ae3b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5ae7279-a768-48b9-8544-7585bf60e32c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3bc2c1be-7b91-4a8b-aebe-b02e3db8ac83} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3bc2c1be-7b91-4a8b-aebe-b02e3db8ac83} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.bmso (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\peltodgx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rwlfsdmk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{6bb63d88-1867-4fa4-acdc-0510ae4956e4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\onfwbsak (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarerefer...=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-OEM-0011903-00101) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\eqxk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rwlfsdmk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\peltodgx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\onfwbsak.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\dfmlxbpkwxo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\.elizley\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Office 2003 Setup(0001).txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSS2b99.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSS4a20.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSS964c.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Local Settings\Temp\TDSSe466.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\jp_cent\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.




Hopefully it doesn't come back, although it is a possibility. Please tell me how I can permanently remove this.
My main problem is that it gives me 3 icons, those being Privacy Protector, Error Cleaner, and Spyware & Malware Protection. It also gives me fake Windows security alerts. It opens my web browser, bringing me to a page where they recommend I should buy software. Please help me prevent this. I have spent many hours trying to fix it for good.

#2
JeanInMontana

    Delete this account!!

  • Honorary Members
  • 3,867 posts
  • Interests:would love to see some honesty around this site.
Hi jp_cent, and welcome to Malwarebytes. Follow the instructions here: http://www.malwareby...?showtopic=2936 and start your own topic in that forum. Post the requested logs in your reply, not as an attachment, and someone will be happy to help you. Please be patient; we are having severe site performance issues right now and I can barely make replies.

#3
jp_cent

    New Member

  • Members
  • 2 posts
Thanks, but I thought it would be easier to just go ahead and reformat. Worked like a charm.




