Hello,
I had some rogue malware on my computer including Police pro. I followed some of the threads and got combofix to run. Immediately after this, I ran malwarebytes in quick scan. It removed a bunch of viruses.
The problem now, is if I launch malwarebytes, it does not run. If I try installing it again it goes through the installation but comes up with an error below:
---------------------------
Setup
---------------------------
Unable to execute file:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
CreateProcess failed; code 2.
The system cannot find the file specified.
---------------------------
OK
---------------------------
If I reboot and install, it installs, gets updates and I can quick scan. I find a virus:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
After I uninstall, reboot and after a short while I run malwarebytes, I cannot execute. Go through the same cycle reboot, install, clean and after a while cannot run malwarebytes.
Any help is appreciated.
Maistran
#1
Posted 14 October 2009 - 01:27 AM
#2
Posted 14 October 2009 - 11:18 PM
Delete your existing copy of ComboFix and then visit this webpage for instructions for downloading a fresh:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished that.
#3
Posted 15 October 2009 - 11:29 AM
Hello,
Thank you for your help. Please find attached the Combofix log.
Maistran
#4
Posted 15 October 2009 - 12:56 PM
That looks very good. You appear to have weathered the storm.
ESET Online Scanner
- Please go to the following link ESET Online Scanner Link
- Tick the box YES, I accept the Terms Of Use
- Click the Start button
- Now click the Install button
- Click Start
The scanner engine will initialise and update
- Do Not tick the box Remove found threats
- Click the Scan button
The scan will now run, please be patient
- When the scan finishes click the Details tab
- Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.
#5
Posted 16 October 2009 - 11:23 AM
Hello sUBs,
Please find attached my log file from ESET scan.
Thanks for all the help.
Maistran
C:\Qoobox\Quarantine\C\WINDOWS\system32\birokugi.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\bumujuna.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\dafirulo.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\gejuzifa.dll.vir Win32/KillAV.NFO trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\gulotema.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hotalobu.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hoyuvuki.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\moturofa.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\nuhogubo.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\robovoji.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\sinizamu.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\vowevega.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\yoguyutu.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir Win32/Adware.WinAntiVirus application
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\wispex.html.vir Win32/Adware.WinAntiVirus application
#6
Posted 16 October 2009 - 12:39 PM
Of the stuff found, C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
- Uninstall ComboFix ... do not skip this step
This process will perform some post cleanup measures.
Do this by going to Start > Run & typing in ComboFix /u
- ANTIVIRUS SOFTWARE
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
- http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
- http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955
After doing all these, your system will be optimised against future threats.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
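The triage in the post above (every ESET hit sits under ComboFix's C:\Qoobox quarantine folder, so none of them is a live file) can be checked mechanically. This is an added example, not part of the original thread: the line layout and the quarantine-to-original path mapping are inferred from the log lines shown, and the last sample line is constructed.

```python
import re
from collections import Counter

# Quarantine root as it appears in the thread's log (compared case-insensitively).
QUARANTINE_ROOT = "c:\\qoobox\\quarantine\\"

# Three lines from the log above plus one CONSTRUCTED line outside quarantine.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\birokugi.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\gejuzifa.dll.vir Win32/KillAV.NFO trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir Win32/Adware.WinAntiVirus application
C:\Documents and Settings\user\Local Settings\Temp\example.dll a variant of Win32/Example.A trojan
"""

# Assumed layout: <path> [a variant of] <Platform/Name> <type>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?:a variant of\s+)?"
    r"(?P<name>\w+/[\w.\-]+)\s+(?P<kind>\w+)$"
)

def original_path(qpath):
    """Map a quarantined copy back to where the file used to live."""
    drive, _, rest = qpath[len(QUARANTINE_ROOT):].partition("\\")
    if rest.lower().endswith(".vir"):
        rest = rest[:-4]
    return f"{drive}:\\{rest}"

def parse_log(text):
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        path = m["path"]
        quarantined = path.lower().startswith(QUARANTINE_ROOT)
        findings.append({
            "path": path, "name": m["name"], "kind": m["kind"],
            "quarantined": quarantined,
            "original": original_path(path) if quarantined else path,
        })
    return findings

def triage(findings):
    """Return (detections outside quarantine, per-family count of inert ones)."""
    live = [f for f in findings if not f["quarantined"]]
    inert = Counter(f["name"] for f in findings if f["quarantined"])
    return live, inert

if __name__ == "__main__":
    live, inert = triage(parse_log(SAMPLE_LOG))
    print("inert (quarantined):", dict(inert))
    for f in live:
        print("NEEDS ATTENTION:", f["path"], "->", f["name"])
```

An empty `live` list corresponds to the situation in this thread, where the remaining detections disappear once ComboFix is uninstalled and its quarantine folder is removed.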
#7
Posted 16 October 2009 - 04:01 PM
sUBs,
Seems like problems are all resolved. Thanks for all the help, this is an awesome forum.
Maistran