
My background wallpaper just got replaced


  • This topic is locked
5 replies to this topic

#1 macilvaine33


Posted 16 January 2010 - 03:25 AM

Hello,

I have been helped on this site before and you guys do a great job. I have a new problem that I don't think I ever fixed. Please help me remove it once and for all! I do have Malwarebytes Anti-Malware and am running a scan with it now; here is the result of the quick scan that I ran before I posted this. Please help me and let me know if I am doing the right thing to start off with. Oh, and I can't boot in safe mode. Please help! Thanks

-Macilvaine33

Malwarebytes' Anti-Malware 1.41
Database version: 3177
Windows 5.1.2600 Service Pack 2

1/16/2010 12:04:15 AM
mbam-log-2010-01-16 (00-02-50).txt

Scan type: Quick Scan
Objects scanned: 124357
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002303.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00003f70.tmp (Trojan.FakeAlert) -> No action taken.



#2 roadclosed


Posted 16 January 2010 - 07:01 AM

You have run a scan with definitions from way back in September 2009.

Malwarebytes' Anti-Malware 1.41


I suggest you open the program and click on 'Update now' to fully update the program to the latest definitions which are

January 7th, 2010 Malwarebytes' Anti-Malware version 1.44 released.


Please then reboot and run a full computer scan with the up-to-date definitions;



  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Please copy and paste the entire report for someone to check for you.

#3 macilvaine33


Posted 16 January 2010 - 01:07 PM

Thanks for your help. I updated the version and ran a full scan; here it is. It did make me restart because 3 of the items were too harmful to remove and I think it removed them after the restart:

Malwarebytes' Anti-Malware 1.44
Database version: 3574
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/16/2010 9:50:44 AM
mbam-log-2010-01-16 (09-50-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 193918
Time elapsed: 1 hour(s), 7 minute(s), 7 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.Installer) -> Delete on reboot.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP412\A0066196.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt C\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt C\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000867.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000372a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00006e06.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 macilvaine33


Posted 17 January 2010 - 01:27 AM

Now what should I do? Can someone please help me?

Thanks

Macilvaine33

#5 macilvaine33


Posted 17 January 2010 - 03:21 AM

I also just ran a SUPERAntiSpyware scan, here are the results:



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/17/2010 at 00:02 AM

Application Version : 4.30.1004

Core Rules Database Version : 4486
Trace Rules Database Version: 2302

Scan type : Complete Scan
Total Scan Time : 00:59:48

Memory items scanned : 666
Memory threats detected : 0
Registry items scanned : 5850
Registry threats detected : 0
File items scanned : 61028
File threats detected : 10

Trojan.Agent/Gen
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec\user.ds.lll
C:\WINDOWS\system32\lowsec

Rogue.InternetSecurity2010
C:\Documents and Settings\Matt C\Desktop\Internet Security 2010.lnk

Trojan.Agent/Gen-Nullo[Short]
C:\AVENGER\IS2010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP413\A0066249.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP413\A0066250.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP413\A0066259.DLL

Trojan.Agent/Gen-SDRA
C:\WINDOWS\SYSTEM32\SDRA64.EXE


Please help me with the next steps if there are any, thanks!

#6 boopme


Posted 24 January 2010 - 08:27 PM

Closing this, I am working their other topic.