Vista virus/trojan help please

Comments

  • busiscoming2
    busiscoming2 Posts: 4,461 Forumite
    Part of the Furniture 1,000 Posts
    Scan completed.
    It has shown 10 threats in total. I assume I just 'remove selected'?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Scan completed.
    It has shown 10 threats in total. I assume I just 'remove selected'?

    yes, then please post the log here
    :idea:
  • busiscoming2
    busiscoming2 Posts: 4,461 Forumite
    Part of the Furniture 1,000 Posts
    https://www.malwarebytes.org

    Database version: 6853

    Windows 6.0.6000
    Internet Explorer 7.0.6000.16982

    14/06/2011 17:27:23
    mbam-log-2011-06-14 (17-27-23).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 282313
    Time elapsed: 2 hour(s), 11 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\22535952.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\sam\AppData\Local\Temp\E66A.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\sam\AppData\Local\Temp\E765.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$re2vwpo.download (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$RIDWDS2.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$rjzk8ib.download (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$RLYYAMF.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
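As an added example (not part of the thread and not Malwarebytes' own code), the following Python script parses a log in the format posted above, cross-checks the summary counts against the items actually listed, flags anything the scanner reported but did not quarantine, and pulls out the policy value names (here DisableTaskMgr and NoChangingWallPaper) that a defender would want to re-verify after reboot. The embedded sample log is constructed from the detection lines in the post with a shortened header; the function names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the Malwarebytes' Anti-Malware log format used in the
# thread (header shortened; detection lines are the ones posted above).
SAMPLE_LOG = r"""
Database version: 6853
Windows 6.0.6000
Scan type: Full scan (C:\|D:\|)
Objects scanned: 282313

Folders Infected: 0
Registry Data Items Infected: 3
Files Infected: 7

Folders Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\22535952.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\sam\AppData\Local\Temp\E66A.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\sam\AppData\Local\Temp\E765.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$re2vwpo.download (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$RIDWDS2.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$rjzk8ib.download (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\$RECYCLE.BIN\s-1-5-21-551460022-741998276-120169744-1000\$RLYYAMF.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
"""

# "Files Infected: 7" (summary block) vs "Files Infected:" (section header).
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<location> (<threat>) [-> Bad: (n) Good: (n)] -> <action>."
ITEM_RE = re.compile(
    r"^(?P<location>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"
    r" -> (?P<action>.+?)\.?$"
)


@dataclass
class Detection:
    section: str
    location: str   # file path or registry value path
    threat: str     # e.g. Trojan.FakeAlert, PUM.Hijack.TaskManager
    action: str     # what the scanner did with it
    bad: Optional[int] = None   # registry data items carry Bad/Good values
    good: Optional[int] = None


def parse_mbam_log(text):
    """Return (summary_counts, detections) for an MBAM log body."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            detections.append(Detection(
                section, m["location"], m["threat"], m["action"],
                int(m["bad"]) if m["bad"] else None,
                int(m["good"]) if m["good"] else None))
        # header lines and "(No malicious items detected)" are ignored
    return summary, detections


def count_mismatches(summary, detections):
    """Sections whose summary count disagrees with the items actually listed."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen[s]) for s, n in summary.items() if seen[s] != n}


def unresolved(detections):
    """Items the scanner reported but did not quarantine and delete."""
    return [d for d in detections if not d.action.startswith("Quarantined and deleted")]


def policy_value_names(detections):
    """Registry policy values flagged PUM.Hijack.*, by bare value name, to re-check after reboot."""
    return sorted({d.location.rsplit("\\", 1)[-1] for d in detections
                   if d.section == "Registry Data Items Infected"
                   and d.threat.startswith("PUM.Hijack.")})


if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(items)} items; count mismatches: {count_mismatches(counts, items)}")
    print("unresolved:", [d.location for d in unresolved(items)])
    for name in policy_value_names(items):
        print("re-check policy value after reboot:", name)
```

The count cross-check matters when a log is pasted piecemeal or truncated, as the thread's advice about splitting long logs into sections invites: a section whose listed items fall short of its summary count is a log you have not seen all of.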
  • busiscoming2
    busiscoming2 Posts: 4,461 Forumite
    Part of the Furniture 1,000 Posts
    I have restarted pc.

    Do I now need to download unhide.exe as per bleepingcomputer.com says?
  • RussJK
    RussJK Posts: 2,359 Forumite
    Yeah, run unhide.exe and let it finish.

    Also worth doing a quick rootkit scan with these two, they look for the more common ones that can sometimes come with this kind of malware:
    http://support.kaspersky.com/downloads/utils/tdsskiller.exe
    http://public.avast.com/~gmerek/aswMBR.htm (follow the guide on the site, it'll explicitly state rootkit code found)
  • busiscoming2
    busiscoming2 Posts: 4,461 Forumite
    Part of the Furniture 1,000 Posts
    Oh wow, all seems to be back as it was, eternally grateful for your help. I shall have a go at the rootkit scan later, have to do dinner now!
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'd recommend a ComboFix run at some point.

    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti-virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    :idea:
This discussion has been closed.