
I found wangzhisong in my Windows' users' folder. Am I infected?


Ok do the following:

 

We need to remove FRST; first it is very important to deal with its own Quarantine folder by using FRST itself.

 

OK, we continue:

 

Download the attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

 

NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action; delete it if successful.

 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, then navigate to and delete its folder C:\FRST.

 

Next,

 

  • Double-click OTM.exe to run it. On Windows 7/8 or Vista, accept the UAC alert.
  • Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up; select Yes. You may be asked to reboot; allow that to happen.
 

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double-click to start the program. If you are using Vista or higher, please right-click and choose "Run as administrator".

 

Make sure the following items are checked:

 

  • Remove disinfection tools
  • Purge System Restore
  • Reset system settings
 

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed.

 

Let me know if those steps complete, and also if there are any remaining issues or concerns. If none, are we OK to close out?

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Kevin...

fixlist.txt

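As an added example (not code from this thread, nor from FRST, OTM or DelFix), here is a PowerShell function that inventories what those tools typically leave on the Desktop and in Downloads, plus the C:\FRST and C:\AdwCleaner working folders that DelFix removes, so the "anything left over?" check in the instructions above can be done in one pass. The file-name list is an assumption drawn from the logs quoted in this thread and the tools the instructions name.

```powershell
# Added example: inventory the cleanup-tool artifacts that may remain after
# OTM/DelFix have run. Not part of the thread or of any tool named in it.
function Get-LeftoverCleanupArtifacts {
    param(
        # Folders where the tools and their logs were saved in this thread.
        [string[]]$SearchRoots = @(
            (Join-Path $env:USERPROFILE 'Desktop'),
            (Join-Path $env:USERPROFILE 'Downloads')
        ),
        # Working folders the tools create at the root of the system drive.
        [string[]]$ToolFolders = @('C:\FRST', 'C:\AdwCleaner')
    )

    # Assumed file names, taken from the FRST/DelFix logs quoted in the thread
    # plus the tools the instructions mention. Extend the list as needed.
    $knownNames = @(
        'FRST.exe', 'FRST64.exe', 'FRST.txt', 'Addition.txt', 'Fixlog.txt', 'fixlist.txt',
        'AdwCleaner.exe', 'OTM.exe', 'SecurityCheck.exe', 'SystemLook_x64.exe', 'delfix.exe'
    )

    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden items; -contains is case-insensitive in PowerShell.
        Get-ChildItem -LiteralPath $root -Force -File |
            Where-Object { $knownNames -contains $_.Name }
    }

    foreach ($folder in $ToolFolders) {
        if (Test-Path -LiteralPath $folder) { Get-Item -LiteralPath $folder -Force }
    }
}

# Report first; remove only what you have looked at. Drop -WhatIf to delete.
$leftovers = @(Get-LeftoverCleanupArtifacts)
if ($leftovers.Count -eq 0) {
    'No known cleanup-tool files or folders remain.'
} else {
    $leftovers | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
    $leftovers | Remove-Item -Recurse -Force -WhatIf
}
```

The function returns the file and folder objects themselves, so the result can be piped straight into Remove-Item; keeping -WhatIf on the first run shows exactly what would go before anything is deleted.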

Fix Log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Kris at 2014-04-05 17:36:50 Run:2
Running from C:\Users\Kris\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
S1 lsnfd; system32\drivers\lsnfd.sys [X]
C:\Users\Kris\AppData\Local\Temp\siinst.exe
C:\Users\Kris\AppData\Local\Temp\strings.dll
C:\Windows\System32\Drivers\lsnfd.sys
Task: {A72675B2-E1A4-43D8-92F5-15459DC9AE89} - System32\Tasks\UpdaterEX => C:\Users\Kris\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe [2013-04-12] () <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Kris\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
End
*****************

lsnfd => Service not found.
"C:\Users\Kris\AppData\Local\Temp\siinst.exe" => File/Directory not found.
"C:\Users\Kris\AppData\Local\Temp\strings.dll" => File/Directory not found.
"C:\Windows\System32\Drivers\lsnfd.sys" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A72675B2-E1A4-43D8-92F5-15459DC9AE89} => Key not found.
C:\Windows\System32\Tasks\UpdaterEX not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdaterEX => Key not found.
C:\Windows\Tasks\UpdaterEX.job not found.

==== End of Fixlog ====


Did it delete something it wasn't supposed to?

 

Here is the DelFix log:

 

# DelFix v10.6 - Logfile created 05/04/2014 at 17:47:05
# Updated 11/11/2013 by Xplode
# Username : Kris - MYCOMPUTER
# Operating System : Windows 8  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Kris\Desktop\SecurityCheck.exe
Deleted : C:\Users\Kris\Downloads\Addition.txt
Deleted : C:\Users\Kris\Downloads\AdwCleaner.exe
Deleted : C:\Users\Kris\Downloads\Fixlog.txt
Deleted : C:\Users\Kris\Downloads\FRST.txt
Deleted : C:\Users\Kris\Downloads\SystemLook_x64.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Cleaning system restore ...

Deleted : RP #17 [Windows Update | 02/20/2014 18:46:53]
Deleted : RP #18 [Removed AVG 2014 | 03/11/2014 22:16:56]
Deleted : RP #19 [installed Theme Builder | 03/16/2014 19:30:27]
Deleted : RP #20 [Norton 360 Registry Clean | 04/04/2014 21:39:24]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


The malware anti-malware is still on my desktop and the ESET Scan log is still on my desktop.

 

The delfix is still in my downloads, the fixlist log is still in my downloads, the malwarebytes anti-malware setup is still in my downloads - all in my download folder. Should those have been deleted?


If you used the file I attached with the following command:

Start
DeleteQuarantine:
End

 

There is absolutely no way it would produce a log as you posted...

 

Content of fixlist:
*****************
Start
S1 lsnfd; system32\drivers\lsnfd.sys [X]
C:\Users\Kris\AppData\Local\Temp\siinst.exe
C:\Users\Kris\AppData\Local\Temp\strings.dll
C:\Windows\System32\Drivers\lsnfd.sys
Task: {A72675B2-E1A4-43D8-92F5-15459DC9AE89} - System32\Tasks\UpdaterEX => C:\Users\Kris\AppData\Roaming\UpdaterEX\UpdateProc\UpdateTask.exe [2013-04-12] () <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\Kris\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
End
*****************

lsnfd => Service not found.
"C:\Users\Kris\AppData\Local\Temp\siinst.exe" => File/Directory not found.
"C:\Users\Kris\AppData\Local\Temp\strings.dll" => File/Directory not found.
"C:\Windows\System32\Drivers\lsnfd.sys" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A72675B2-E1A4-43D8-92F5-15459DC9AE89} => Key not found.
C:\Windows\System32\Tasks\UpdaterEX not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdaterEX => Key not found.
C:\Windows\Tasks\UpdaterEX.job not found.

==== End of Fixlog ====

 

 

Any tools /logs left in your downloads folder or desktop can be simply deleted...

 

If you do not want to keep Malwarebytes, simply uninstall it... It is a valuable tool to keep, even the free version..

 

Let me know if any more issues to remove..

 

Kevin


There was nothing deleted with the final run of FRST; if you look at the log you posted in reply #29, you will see from the first half of the log what commands were used. It was not "DeleteQuarantine"; it was exactly the same as the original run of fixlist, as per the log in reply #5.

 

Where are we at with your system now, are there any remaining issues or concerns?

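An added PowerShell example (not from this thread and not part of FRST) that reads a Fixlog.txt and reports what the first half of the log shows: the run number from the header, the commands FRST actually executed, and whether anything was removed or every entry came back "not found". The section boundaries it relies on (Start/End, the asterisk rules, the "==== End of Fixlog ====" footer) are assumptions taken from the log layout quoted above; the sample input is a shortened copy of the Fixlog posted earlier in this thread.

```powershell
# Added example (not from the thread or FRST): summarise a Fixlog.txt so you can
# see which fixlist commands ran and what FRST reported for each of them.
function Get-FrstFixlogSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines   # contents of Fixlog.txt, one line each
    )

    $commands = @()
    $results  = @()
    $run      = $null
    $section  = 'header'   # header -> fixlist -> results -> done

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($section -eq 'header') {
            if ($line -match '^Ran by .* Run:(\d+)') { $run = [int]$Matches[1] }
            if ($line -eq 'Start') { $section = 'fixlist' }
        }
        elseif ($section -eq 'fixlist') {
            if ($line -eq 'End') { $section = 'results' }
            elseif ($line) { $commands += $line }
        }
        elseif ($section -eq 'results') {
            if ($line -like '==== End of Fixlog*') { $section = 'done' }
            elseif ($line -and $line -notmatch '^\*+$') { $results += $line }
        }
    }

    # FRST reports removals as "... successfully."; "not found" means there was nothing to do.
    $removed  = @($results | Where-Object { $_ -match 'successfully' })
    $notFound = @($results | Where-Object { $_ -match 'not found' })

    [PSCustomObject]@{
        RunNumber         = $run
        Commands          = $commands
        QuarantineOnlyFix = ($commands.Count -eq 1 -and $commands[0] -eq 'DeleteQuarantine:')
        Removed           = $removed
        NotFound          = $notFound
        ChangedSomething  = ($removed.Count -gt 0)
    }
}

# Sample input: a shortened copy of the Fixlog posted earlier in this thread.
$sampleLog = @'
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Kris at 2014-04-05 17:36:50 Run:2
Running from C:\Users\Kris\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
S1 lsnfd; system32\drivers\lsnfd.sys [X]
C:\Users\Kris\AppData\Local\Temp\siinst.exe
C:\Windows\System32\Drivers\lsnfd.sys
End
*****************

lsnfd => Service not found.
"C:\Users\Kris\AppData\Local\Temp\siinst.exe" => File/Directory not found.
"C:\Windows\System32\Drivers\lsnfd.sys" => File/Directory not found.

==== End of Fixlog ====
'@

$summary = Get-FrstFixlogSummary -Lines ($sampleLog -split "`r?`n")
$summary | Format-List
# For a real log: Get-FrstFixlogSummary -Lines (Get-Content "$env:USERPROFILE\Downloads\Fixlog.txt")
```

On the sample, QuarantineOnlyFix is False, RunNumber is 2 and ChangedSomething is False: the commands were the original three entries, not DeleteQuarantine:, and every one of them was already gone, which is the situation described in the reply above.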

Using the same fixlist.txt file again is no big deal; the entries were removed initially, as per reply #5. All I wanted was to be sure the Quarantine folder was deleted. Delfix will also do that job when folder C:\FRST is deleted during its run.

 

Have I missed any tools/logs? Is there anything left to shift, or are there any remaining issues or concerns?

 

Thanks,

 

Kevin....


I used to have an "AppData" folder in my Windows user folder but it doesn't seem to be there. I had some themes saved in there. I wrote down how to get to it so I wouldn't forget. I just tried to do it and I can't because the "AppData" folder is missing. I used to click my name --> AppData --> Roaming --> Microsoft --> Templates --> LiveContent --> 15 --> User --> Document Themes --> 1033.

 

I did a search for "document themes" in Windows (C:) and a few options came up. I found it in the options. It is: C:\Users\Kris\AppData\Roaming\Microsoft\Templates\LiveContent15\User\DocumentThemes\1033.

 

But if I try to go to Computer --> Windows (C:) --> Kris --> there is no "AppData" folder there?


The folder you mention, "AppData", is hidden by default; it is used by programs etc. that you have installed on your system. I do not see why you would copy anything to that folder unless you have changed the default setting for "hidden files/folders" in Folder Options...

 

If you click Start, then type or copy/paste "folder options" into the search box and hit the Enter key, the change can be made to show the AppData folder by switching hidden files/folders from "don't show" to "show", then clicking "Apply" and then "OK".

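An added PowerShell example (not from this thread) that makes the same check without the Folder Options dialog: it confirms the profile's AppData folder exists and is merely hidden, reads the Explorer setting the dialog toggles, and can set that value. The registry key is the standard Explorer "Advanced" key, where the Hidden value is 1 for "show hidden files" and 2 for "don't show".

```powershell
# Added example (not from the thread): check the hidden AppData folder and the
# Explorer "show hidden files" setting from PowerShell instead of Folder Options.
$explorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HiddenFolderStatus {
    param([string]$Path = (Join-Path $env:USERPROFILE 'AppData'))

    # -Force is what lets Get-Item see hidden/system items at all.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    $attrs = 'n/a'
    if ($item) { $attrs = $item.Attributes.ToString() }   # e.g. "Hidden, Directory"

    # Hidden value: 1 = show hidden files, 2 = don't show (the Folder Options radio buttons)
    $setting = (Get-ItemProperty -Path $explorerAdvanced -Name Hidden -ErrorAction SilentlyContinue).Hidden

    [PSCustomObject]@{
        Path                = $Path
        Exists              = [bool]$item
        Attributes          = $attrs
        ExplorerShowsHidden = ($setting -eq 1)
    }
}

function Enable-ExplorerHiddenItems {
    # Same effect as choosing "show" in Folder Options and clicking Apply.
    Set-ItemProperty -Path $explorerAdvanced -Name Hidden -Value 1 -Type DWord
    # Newly opened Explorer windows pick the change up; sign out and back in
    # (or restart Explorer) to apply it everywhere.
}

Get-HiddenFolderStatus
# The folder is present even while Explorer hides it; -Force lists it:
Get-ChildItem -LiteralPath $env:USERPROFILE -Force -Directory | Select-Object Name, Attributes
```

A folder that reports Exists = True with "Hidden" in its attributes is the expected state for AppData; it has not been removed by any of the cleanup tools, Explorer is simply not displaying it.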

2 weeks later...

Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
