The "My Computer" icon changed? It turned out Trojan-Downloader.Win32.Agent.mkj had replaced assumer.exe (1)
Original by endurer
Version 1
A colleague said his computer had a virus: avast! reported nothing, 360 Safeguard showed no reaction either, and Rogue Cleaner (the malicious software cleanup assistant) kept detecting malicious programs but could not remove them. The "My Computer" icon on the desktop had also changed. He asked me to help clean it up.
Because avast!'s pop-up dialogs kept reporting viruses and got in the way of working, I first stopped avast! real-time monitoring,
then scanned with Rogue Cleaner, which found:
Pcibus.sys
Pcidisk.sys
Pcihdd.sys
Phy.sys
Puid.sys
Usb32k.sys
Msaclue.sys
Is this the "Robot Dog" virus?
I downloaded pe_xscan, ran a scan and analyzed the log. The following suspicious items were found:
/=
Pe_xscan 08-03-27 by Purple endurer
9:45:41
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
Normal Mode
C:/Windows/ctfmon.exe * 1672 |
C:/Windows/ctfmon.exe * 3688 |
C:/Windows/ctfmon.exe * 3716 |
C:/Windows/system32/explorer.EXE * 3740 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.2180 | Windows Explorer | (c) Microsoft Corporation. all rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Explorer | EXPLORER.EXE
O23-service: mhfp (mhfp)-C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/tmp14.tmp (automatic)
O24-shlexechook: [0]-{D7B21266-AA85-44b8-B516-3B1A69827400} = 0
HKLM/showall type non-DWORD
===/
The items reported by Rogue Cleaner did not appear in the log.
Because the "My Computer" icon on the desktop had changed, and the pe_xscan log showed the Windows "shell" process not as C:/Windows/assumer.exe but as C:/Windows/system32/explorer.EXE, the computer was suspected of being infected.
I downloaded fileinfo and bat_do from http://PurpleEndurer.ys168.com.
Using fileinfo to extract information about C:/Windows/EXPLORER.EXE gave the following:
File Description: C:/Windows/EXPLORER.EXE
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 976896 bytes, 954.0 KB
MD5: 3d1ac1ae5b34d01e2b7743568180eac0
Sha1: d147634c91030f36e4c3c8f0280b46aa55489ed0
CRC32: 2abccd63
It has no version information at all, which is clearly abnormal.
C:/Windows/explorer.EXE is identical to C:/Windows/system32/dllcache/explorer.EXE, but differs from C:/Windows/system32/explorer.EXE.
I downloaded Dr.Web CureIt! and scanned. Part of the results:
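The two checks done by hand with fileinfo above (does the binary carry version information, and do the three explorer.exe copies match) as an added Python example; this is not the blog's own tool, and the PE images it examines are constructed inside the block rather than read from a real Windows install.

```python
import hashlib
import struct

RT_VERSION = 16  # resource type of VS_VERSIONINFO, where file version strings live

def has_version_resource(data: bytes) -> bool:
    """True if the PE image carries an RT_VERSION resource (assumes well-formed headers)."""
    if data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                    # PE32 vs PE32+
    res_rva = struct.unpack_from("<I", data, dirs + 2 * 8)[0]        # data directory 2 = resources
    if res_rva == 0:
        return False
    off = None
    for i in range(nsec):                                           # map RVA to file offset
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= res_rva < va + max(vsize, rsize):
            off = res_rva - va + rptr
    if off is None:
        return False
    n_named, n_id = struct.unpack_from("<HH", data, off + 12)
    for i in range(n_named, n_named + n_id):                        # ID entries follow named ones
        if struct.unpack_from("<I", data, off + 16 + 8 * i)[0] == RT_VERSION:
            return True
    return False

def check_copies(copies: dict) -> dict:
    """Hash each copy, flag missing version info, and report whether all copies are identical."""
    files = {p: {"md5": hashlib.md5(d).hexdigest(), "sha1": hashlib.sha1(d).hexdigest(),
                 "has_version": has_version_resource(d)} for p, d in copies.items()}
    return {"files": files, "all_identical": len({f["md5"] for f in files.values()}) == 1}

def build_pe(with_version: bool) -> bytes:
    """Constructed minimal PE32 with one .rsrc section (demo input only, not a real binary)."""
    rsrc_va, rsrc_ptr = 0x1000, 352                                 # headers below total 352 bytes
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", RT_VERSION if with_version else 3, 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 110 + struct.pack("<II", rsrc_va, len(rsrc)) + b"\0" * 104
    sect = b".rsrc".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(rsrc), rsrc_va, len(rsrc), rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    return dos + coff + opt + sect + rsrc
```

On a real machine, feed check_copies the bytes of C:\Windows\explorer.exe, the dllcache copy and any other copy: a system file with no RT_VERSION resource, or copies whose hashes disagree, is the same signal fileinfo gave above.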
========================================================================
Dr. Web (r) anti-virus scanner v4.44.5 (4.44.5.03270)
Log generation time:, 09:49:39 [administrator]
========================================================================
Engine version: 4.44 (4.44.0.09170)
Engine API version: 2.02
[Memory detection] No viruses found
C:/Windows/ctfmon.exe has been shelled. Method: upack
> C:/Windows/ctfmon.exe has been shelled. Method: binaryres
> C:/Windows/ctfmon.exe has been shelled. Method: upack
>>> C:/Windows/ctfmon.exe may have been infected with dloader. Trojan.
C:/Windows/assumer.exe has been shelled. Method: upack
> C:/Windows/assumer.exe has been shelled. Method: binaryres
> C:/Windows/assumer.exe has been shelled. Method: upack
>>> C:/Windows/assumer.exe may have been infected with: dloader. Trojan
C:/Windows/system32/e0.exe shelled. Method: upack
> C:/Windows/system32/e0.exe may have been infected with backdoor. Trojan.
C:/Windows/system32/e1.exe shelled. Method: binaryres
> C:/Windows/system32/e1.exe shelled. Method: upack
> C:/Windows/system32/e1.exe infected with Trojan. PWS. gamania.9135-Deleted
C:/Windows/system32/e7.exe shelled. Method: upack
> C:/Windows/system32/e7.exe shelled. Method: binaryres
> C:/Windows/system32/e7.exe virus infected: Trojan. PWS. wsgame.4365-Deleted
As expected, C:/Windows/assumer.exe had been infected/replaced.
(To be continued)