
Trojan pretending to be security system


1 reply to this topic

#1 Adalanne


Posted 16 January 2010 - 04:26 PM

Hello,

So I appear to have a trojan pretending to be a security program. It popped up with a window saying I was infected and should click "okay" to let it download an "official" malware deleting program. ("Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files, etc.") Naturally, I didn't click on it. It also changed my wallpaper to a big "YOUR SYSTEM IS INFECTED" sign.

First thing I did was run AVG. It didn't find anything.

Then I ran Malwarebytes. It found 8 things, but could not get rid of one of them: C://windows/system32/41.exe. It said it would delete on reboot, but upon reboot, I ran Malwarebytes again and it was still there.

I ran Spybot Search & Destroy; it found a few things and deleted them no problem, but I still couldn't delete it through Malwarebytes.

I attempted a manual delete but it wouldn't let me.

I'm just at a loss of where to go from here. If you have any help you can offer, that would be great.

My Malwarebytes log is below.

Thanks,
Ady


Malwarebytes' Anti-Malware 1.41
Database version: 3259
Windows 5.1.2600 Service Pack 3

1/16/2010 4:26:35 PM
mbam-log-2010-01-16 (16-26-35).txt

Scan type: Quick Scan
Objects scanned: 124178
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Delete on reboot.



#2 Adalanne


Posted 17 January 2010 - 12:47 AM

Ended up doing system restore. Problem seems to have gone away, but I'm updating all my scanners and running them again.

Couldn't find a way to delete the thread, but it can be closed.

Thanks,
Ady



