Rootkit.Dropper and Trojan.Agent problem

#1
WSR

    New Member

  • Members
  • 10 posts
Someone in my English class had unwittingly been given a Trojan, and it had migrated to my school laptop (with Vista Business, McAfee VirusScan Enterprise etc.) and therefore to my 4 GB USB flash drive.

I had gone to use my USB flash drive (not knowing it was infected) on my home computer, running XP Professional SP2 with MBAM 1.39 and frankly nothing else (my total mistake).

Immediately, I saw a command prompt for C:\Documents and Settings\Family\Family.exe open up, with nothing shown in it.

I closed it and proceeded to copy some files to the pen drive. Then I disconnected the drive and realised the viruses were on it.

I found iexplore.exe and mrjidu.exe in the C:\Documents and Settings\Family directory.

I deleted both fully.

So I opened up MBAM and scanned the Full System.

It took over 3 hours, but here's the log of it.

Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 5.1.2600 Service Pack 2

16/07/2009 7:13:03 PM
mbam-log-2009-07-16 (19-13-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 496741
Time elapsed: 3 hour(s), 28 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Family\local settings\Temp\UACee9b.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Family\local settings\Temp\UACf08f.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UAChhbwwosdipylkmovd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACamrqhxnriltabuxnk.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Then, thinking it was gone, I restarted and deleted the files from quarantine, and the command prompt came up again.
I closed it and ran another quick scan.

Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 5.1.2600 Service Pack 2

16/07/2009 8:41:56 PM
mbam-log-2009-07-16 (20-41-56).txt

Scan type: Quick Scan
Objects scanned: 57005
Time elapsed: 1 hour(s), 0 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'm thinking that the rootkit is still there, so I'm installing HJT and Avast Home Free Edition.
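The two MBAM logs above are the only evidence the original poster has at this point, so a responder's first job is to read them carefully: how many items were actually listed, do those match the summary counts, and does anything among them point at a kernel-level component rather than a plain user-mode Trojan. The script below is an added example, not part of this thread and not Malwarebytes' own tooling; it parses the MBAM 1.x log format as posted here (the embedded sample logs are excerpts of the two logs in this post), cross-checks the "Files Infected: N" summary against the listed items, and flags the two things a responder would treat as rootkit indicators before trusting a clean quick scan: a "Rootkit.*" classification and a .sys file detected under system32\drivers. That second heuristic is my own assumption about what to flag, not a rule from MBAM.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs into structured detections.

Added example (not MBAM's own code). Sample logs are excerpts of the two logs
posted in this thread; the rootkit heuristics are the author's assumptions.
"""
import re
from dataclasses import dataclass

# Excerpt of the full scan log: four files quarantined, one of them a kernel driver.
FULL_SCAN_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 496741
Time elapsed: 3 hour(s), 28 minute(s), 17 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Family\local settings\Temp\UACee9b.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Family\local settings\Temp\UACf08f.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UAChhbwwosdipylkmovd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACamrqhxnriltabuxnk.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Excerpt of the quick scan run after the reboot: nothing listed.
QUICK_SCAN_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2432

Scan type: Quick Scan
Objects scanned: 57005

Files Infected: 0

Files Infected:
(No malicious items detected)
"""

# "Files Infected: 4"  -> summary count for a category
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Files Infected:"    -> start of the itemised section for that category
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# "<path> (<detection name>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str   # e.g. "Files Infected"
    path: str       # file path, registry key or process as written in the log
    name: str       # MBAM classification, e.g. "Rootkit.Dropper"
    action: str     # what MBAM did, e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (summary counts by category, list of Detection) for one MBAM log."""
    summary, detections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("category")
            continue
        if line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m and current:
            detections.append(Detection(current, m.group("path"), m.group("name"), m.group("action")))
    return summary, detections


def check_summary(summary, detections):
    """Categories whose summary count disagrees with the items actually listed."""
    mismatches = []
    for category, count in summary.items():
        listed = sum(1 for d in detections if d.category == category)
        if listed != count:
            mismatches.append((category, count, listed))
    return mismatches


def rootkit_indicators(detections):
    """Detections that suggest a kernel-level component (assumed heuristics)."""
    hits = []
    for d in detections:
        path = d.path.lower()
        if d.name.lower().startswith("rootkit"):
            hits.append(f"{d.path}: classified as {d.name}")
        elif path.endswith(".sys") and "\\drivers\\" in path:
            hits.append(f"{d.path}: kernel driver under system32\\drivers")
    return hits


if __name__ == "__main__":
    for label, log in (("full scan", FULL_SCAN_LOG), ("quick scan", QUICK_SCAN_LOG)):
        summary, detections = parse_mbam_log(log)
        print(f"{label}: {len(detections)} item(s) listed, mismatches: {check_summary(summary, detections)}")
        for reason in rootkit_indicators(detections):
            print("  rootkit indicator:", reason)
```

Run against the two logs, the full scan yields two indicators (the Rootkit.Dropper temp file and the .sys driver) and the quick scan none; a clean quick scan after a driver detection is exactly the situation where a dedicated rootkit scan, as the helper asks for next, is the sensible follow-up rather than assuming the machine is clean.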

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research


#3
WSR

It came up in Chinese, and also Avast had found heaps of things and already deleted them since my first post.

But anyway:

ComboFix 09-07-20.05 - Family 7/2009 Tue 22:49.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.2047.1525 [GMT 10:00]
执行位置: c:\documents and settings\Family\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090720-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

注意 - 这台电脑没有安装恢复控制台 !!
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\{30492~1
c:\progra~1\COMMON~1\{E0492~1
c:\progra~1\COMMON~1\{E0492~1\directordll.lzma
c:\progra~1\COMMON~1\{E0492~1\directorexe.lzma
c:\program files\baidu
c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\recycler\S-1-5-21-725345543-776561741-682003330-1004
c:\recycler\S-1-5-21-861567501-162531612-682003330-1003
c:\windows\desktop

.
((((((((((((((((((((((((( 2009-06-21 至 2009-07-21 的新的档案 )))))))))))))))))))))))))))))))
.

2009-07-19 14:49 . 2009-07-19 14:49 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2009-07-18 05:53 . 2009-07-18 05:53 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\Temp
2009-07-16 10:50 . 2009-07-16 10:50 -------- d-----w- c:\program files\Trend Micro
2009-07-16 10:49 . 2009-02-05 22:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-16 10:49 . 2009-02-05 22:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-16 10:49 . 2009-02-05 22:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-16 10:49 . 2009-02-05 22:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-16 10:49 . 2009-02-05 22:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-16 10:49 . 2009-02-05 22:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-16 10:49 . 2009-02-05 22:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-16 10:49 . 2009-02-05 22:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-16 10:49 . 2009-02-05 22:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-16 10:49 . 2009-07-16 10:49 -------- d-----w- c:\program files\Alwil Software
2009-07-16 05:34 . 2009-02-04 23:36 3138218138 ----a-w- c:\temp\burnoutParadise.zip
2009-07-11 15:15 . 2009-06-08 21:08 77690152 ----a-w- c:\temp\itunes.exe
2009-07-11 08:05 . 1997-05-12 07:53 314368 ----a-w- c:\windows\uninst.exe
2009-07-11 08:03 . 2009-07-11 08:03 -------- d-----w- c:\documents and settings\Family\WINDOWS
2009-06-28 13:31 . 2009-06-07 06:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-06-28 13:31 . 2009-06-07 06:16 819200 ----a-w- c:\windows\system32\xvidcore.dll
2009-06-26 16:12 . 2009-06-26 16:12 -------- d-sh--w- c:\documents and settings\Dad\IETldCache
2009-06-25 06:56 . 2009-06-25 06:56 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY.000\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 12:47 . 2009-01-20 10:22 -------- d-----w- c:\documents and settings\Family\Application Data\Skype
2009-07-21 08:28 . 2005-07-06 03:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-18 16:02 . 2009-01-02 23:45 -------- d-----w- c:\program files\easyMule
2009-07-15 01:50 . 2009-01-20 12:46 -------- d-----w- c:\documents and settings\Family\Application Data\vlc
2009-07-14 02:41 . 2009-06-07 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 02:41 . 2009-06-21 06:09 3775176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 03:36 . 2009-06-07 04:32 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 03:36 . 2009-06-07 04:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 01:28 . 2009-01-21 12:17 -------- d-----w- c:\documents and settings\Family\Application Data\dvdcss
2009-07-04 08:06 . 2009-05-10 03:15 -------- d-----w- c:\program files\Handmark
2009-06-28 13:31 . 2006-01-10 15:40 -------- d-----w- c:\program files\XviD
2009-06-20 07:39 . 2009-06-20 07:02 98304 ----a-w- c:\documents and settings\Family\Application Data\Soldat\BattlEye\BEClient.dll
2009-06-20 07:02 . 2009-06-20 07:02 -------- d-----w- c:\documents and settings\Family\Application Data\Soldat
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-11 06:30 . 2009-04-23 06:04 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-07 04:32 . 2009-06-07 04:32 -------- d-----w- c:\documents and settings\Family\Application Data\Malwarebytes
2009-06-07 04:32 . 2009-06-07 04:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 11:02 . 2006-10-08 09:42 -------- d-----w- c:\program files\MobiMate
2009-05-31 10:37 . 2009-05-10 04:17 286720 ----a-w- c:\windows\iun506.exe
2009-05-28 09:00 . 2009-05-28 09:00 -------- d-----w- c:\program files\Paint.NET
2009-05-28 08:59 . 2009-01-20 10:36 87568 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-26 11:25 . 2009-05-26 10:58 -------- d-----w- c:\documents and settings\Family\Application Data\U3
2009-05-25 12:11 . 2009-05-25 12:11 -------- d-----w- c:\program files\NaturalMotion
2009-05-23 17:09 . 2006-10-09 11:35 -------- d-----w- c:\program files\Advanced Sound Recorder
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-10 07:48 . 2009-05-10 07:40 139176 ----a-w- c:\windows\hpwins06.dat
2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-06-13 07:50 . 2009-01-17 01:13 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-15 14:11 . 2008-10-30 06:34 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2008-12-18 05:43 . 2008-11-26 08:38 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll
2008-12-18 05:43 . 2008-11-26 08:38 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
.

((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-02-19 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A0DDBD3-6641-40B9-873F-BBDD26D6C14E}]
2009-06-09 06:06 147928 ----a-w- c:\progra~1\easyMule\modules\IE2EM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"Google Update"="c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-15 133104]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-09 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-12 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2007-02-13 262144]
"snp2std"="c:\windows\vsnp2std.exe" [2006-12-05 344064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-20 185872]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-18 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-12-30 18082304]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-11-20 1826816]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\Jon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
PhoneMidServerUI.lnk - c:\program files\voip\voip platform\Bin\PhoneMidServerUI.exe [2008-4-8 315497]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Family\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\easyMule\\emule.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Games\\r\\RCT.exe"=
"c:\\Games\\rFactor\\rFactor.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Games\\Copy of LFS\\LFS.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Documents and Settings\\Family\\My Documents\\Soldat\\Soldat.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3979:TCP"= 3979:TCP:ttd

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [16/07/2009 8:49 PM 114768]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [8/02/2009 12:24 PM 9600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [16/07/2009 8:49 PM 20560]
R3 RTLWUSB;11g Wireless USB Adapter;c:\windows\system32\drivers\RTL8187.sys [27/06/2008 6:31 PM 178048]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
‘计划任务’ 文件夹 里的内容

2009-07-19 c:\windows\Tasks\Auslogics Console Defragmentation.job
- c:\program files\Auslogics\AusLogics Disk Defrag\cdefrag.exe [2009-05-22 08:36]

2009-07-18 c:\windows\Tasks\easyMule.job
- c:\progra~1\easyMule\emule.exe [2009-05-15 05:28]

2009-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1614895754-682003330-1003Core.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 11:08]

2009-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-1614895754-682003330-1003UA.job
- c:\documents and settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 11:08]
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
IE: &Winamp Search - c:\documents and settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Download by easyMule - c:\progra~1\easyMule\IE2EM.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Family\Application Data\Mozilla\Firefox\Profiles\4hvrymjj.default\
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Family\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 23:03
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。


c:\docume~1\Family\LOCALS~1\Temp\catchme.dll 53248 bytes executable

扫描完成
被隐藏的档案: 1

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
完成时间: 2009-07-21 23:06
ComboFix-quarantined-files.txt 2009-07-21 13:06

Pre-Run: 11,437,117,440 bytes free
Post-Run: 19,515,355,136 bytes free

213 --- E O F --- 2009-07-15 14:28

#4
miekiemoes

Hi,

This looks OK.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#5
WSR

I tried it...

I think I mistakenly started up Avast again, sorry.

A message came up in Chinese with exclamation marks, about Avast being on by accident.

Do I try again?

#6
miekiemoes

Just disable Avast and run the command to uninstall ComboFix :)

#7
WSR

Okay, I disabled Avast and tried it again, and Windows said it couldn't find ComboFix.

I checked to see if the changes you said would happen happened, and they did.

ComboFix is still sitting on my desktop.

#8
miekiemoes

No worries then. Delete the Combofix.exe from your desktop and delete the C:\Qoobox folder :)

#9
WSR

Thanks for all your help :)

I also seem to be running slightly faster, and there's 8 GB more on my HDD.

#10
WSR

Umm...

There's no C:\qoobox.

Anything suspicious there?

#11
WSR

There's now 24.2 GB free...

And there's a C:\ComboFix folder with CF25921.exe in it.

#12
miekiemoes

If there is no Qoobox folder, then don't worry. It means that the uninstall was partially done.
Also delete the C:\ComboFix folder.

#13
WSR

Again, thanks for your assistance in this matter.

Just on a side note, where did all the extra space come from?

(And I wasn't sure what the second prompt said (because it was in Chinese), but I pressed "no" to something that ComboFix said in a message. I think it was the Recovery Console installation.)

#14
miekiemoes


Quote: "Where did all the extra space come from?"

I guess that's because ComboFix also flushes temp folders and clears previous System Restore points.
The message may indeed be related to the Recovery Console.

Anyway, glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector scan.

Happy Surfing again!

#15
miekiemoes

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.