
Thread: Computer infected with AntivirusPro 2010

  1. #71
    Emeritus- Malware Team

    Quote Originally Posted by FlaCajun:
    McAfee installed and doing a full scan.
    This will take several hours probably.
    Glad it came back. Let me know how you make out.

  2. #72
    Senior Member

    Here is the scan log from McAfee.
    If there are any typo errors, it is because I had to type it from the logs.
    Unable to copy and paste.

    Also, after the scan was run, I attempted to delete Spybot directory and SpybotSD.exe, but unable.

    Could this file be a hidden virus/trojan?

    McAfee has been run. Results below.

    Files Detected - 21
    Critical PC Files Detected - 6

    c:\QOOBOX\QUARANTINE\[4]-SUBMIT_2009-10-05_14.49.19.ZIP
    Type:Trojan
    Name:Generic Drooper!bcv, Generic Drooper!bcv

    HKEY_USERS\S-1-5-21-3455111477-815822944-398594984-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SHOWSUPERHIDDEN
    Type:Trojan
    Name:Vundo.gen.bg

    SHOWSUPERHIDDEN
    Type:Trojan
    Name:Vundo.gen.bg

    HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-21005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|HIDDEN
    Type:Trojan
    Name:Vundo.gen.bg

    HIDDEN
    Type:Trojan
    Name:Vundo.gen.bg

    HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SUPERHIDDEN
    Type:Trojan
    Name:Vundo.gen.bg

    SUPERHIDDEN
    Type:Trojan
    Name:Vundo.gen.bg

    c:\qoobox\quarantine\[4]-submit_2009-10-05_14.49.19.zip
    Type:Trojan
    Name:Vundo.gen.bg, Vundo.gen.bg, Vundo.gen.bg, Generic.dx!fob, Generic.dx!fob, Generic.dx!fmr, Generic.dx!fmr, Artemis!D09014A416E8, Artemis!D09014A416E8

    C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\liskavd.exe.vir
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\seres.exe.vir
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\svcst.exe.vir
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
    Type:Trojan
    Name:Generic.dx!fmz

    C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
    Type:Trojan
    Name:Artemis!723624C33998

    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkyebwupqoy.sys.vir
    Type:Trojan
    Name:Artemis!SF1E85A7B08A

    C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir
    Type:Trojan
    Name:Artemis!C2010E473528

    c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023918.exe
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023923.exe
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023924.exe
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023936.exe
    Type:Trojan
    Name:FakeAlert-XPSecCenter

    c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023968.exe
    Type:Trojan
    Name:Artemis!C2010E473528

    c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023974.dll
    Type:Trojan
    Name:Generic.dx!fmz

    f:\document and settings\raymond\local settings\temporary internet files\content.ie5\bt0si9my\cyijjxb[1].htm
    Type:Trojan
    Name:Vundo.gen.bg, Vundo.gen.bg, Vundo.gen.bg

    F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\BTt0SI9my\KDQRRJ[1].HTM
    Type:Trojan
    Name:Generic.dx!fmr, Generic.dx!fmr

    F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K0V11MDU\INST32A[1].HTM
    Type:Trojan
    Name:Artemis!723624C33998, Artemis!723624C33998

    F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K0V11MDU\PZIWJXB[1].HTM
    Type:Trojan
    Name:Artemis!2bbb8C20252C, Artemis!2bbb8C20252C

    F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NCYZ3AV9\FOLZM[1].HTM
    Type:Trojan
    Name:Artemis!D584F8DFAF60, Artemis!D584F8DFAF60

  3. #73
    Emeritus- Malware Team

    We've gone around in circles here a bit so I'm not sure what you've actually done or not....

    qoobox folder (from combofix) is still there - I had advised to delete earlier - we'll move it with OTM
    system restore points are still infected - did you clear out your old restore points?

    Not sure if you still have OTM or not. If you do, ignore download part of instructions.

    Please download OTM by OldTimer.
    • Save it to your desktop.
    • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :processes
      explorer.exe
      
      :files
      c:\qoobox
      c:\Program Files\Spybot - Search & Destroy
      
      :commands
      [purity]
      [emptytemp]
      [start explorer]
      [reboot]

    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    • Close OTM.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Was McAfee able to deal with any of those Vundo registry entries? Why don't you run it again after doing the above steps with OTM and hopefully we will be closer.
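
The triage behind the two observations in this post (the qoobox folder is still there, the restore points are still infected) can be done mechanically from the McAfee list. This is an added example, not code from the thread or from any of the tools named in it: it parses a detection list in the hand-typed shape of post #72 and counts what each location still implies. The sample log is constructed from paths in that post, and the category labels are my own.

```python
import re
from collections import Counter
# Constructed sample in the shape of the hand-typed McAfee list above (not a real McAfee export).
MCAFEE_LOG = r"""
HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg

C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023918.exe
Type:Trojan
Name:FakeAlert-XPSecCenter

f:\document and settings\raymond\local settings\temporary internet files\content.ie5\bt0si9my\cyijjxb[1].htm
Type:Trojan
Name:Vundo.gen.bg, Vundo.gen.bg, Vundo.gen.bg
"""

def parse_detections(text):
    """One dict per blank-line-separated block: location, type, and de-duplicated names
    (the list repeats a name once per engine hit, so each name is kept once)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        entry = {"path": lines[0]}               # first line is the file or registry location
        for line in lines[1:]:
            key, _, value = line.partition(":")  # "Type:Trojan" / "Name:a, b"
            entry[key.strip().lower()] = value.strip()
        entry["names"] = sorted({n.strip() for n in entry.get("name", "").split(",") if n.strip()})
        entries.append(entry)
    return entries

# (substring of the lower-cased location, clean-up step it still implies); labels are my own
RULES = [
    ("hkey_", "registry"),                         # live value: the scanner must fix or quarantine it
    ("\\qoobox\\", "combofix_quarantine"),         # already disarmed; the folder itself must go
    ("\\system volume information\\_restore", "restore_points"),  # purge old restore points
    ("temporary internet files", "browser_cache"), # an [emptytemp]-style temp cleanup clears it
]

def classify(path):
    p = path.lower()
    return next((label for marker, label in RULES if marker in p), "other")

def remaining_work(text):
    return Counter(classify(e["path"]) for e in parse_detections(text))
```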

  4. #74
    Senior Member

    No I didn't do the deletion nor the clearing of the system restore points.
    When the computer 'bizarrely' got hung up, I wasn't sure what to do.

    Do you want me to take care of the restore points before OTM?

  5. #75
    Emeritus- Malware Team

    Quote Originally Posted by FlaCajun:
    No I didn't do the deletion nor the clearing of the system restore points.
    When the computer 'bizarrely' got hung up, I wasn't sure what to do.

    Do you want me to take care of the restore points before OTM?
    Okay no problem. With all the "happenings" going on here it's hard to keep track.

    Doesn't matter if you do the restore points before or after OTM, either way.

  6. #76
    Senior Member

    The restore point has been made and the others have been cleaned up.

    Regarding the Vundo registries, McAfee has quarantined everything.
    Also, the spybot directory with SpybotSD.exe in it is gone.

    There is a Spybot.exe in c:\_OTM\MovedFiles\...\Program Files\Spybot ...\ directory.

    All processes killed
    ========== PROCESSES ==========
    No active process named explorer.exe was found!
    ========== FILES ==========
    c:\Qoobox\Quarantine\Registry_backups moved successfully.
    c:\Qoobox\Quarantine\C\WINDOWS\system32\wbem moved successfully.
    c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers moved successfully.
    c:\Qoobox\Quarantine\C\WINDOWS\system32 moved successfully.
    c:\Qoobox\Quarantine\C\WINDOWS moved successfully.
    c:\Qoobox\Quarantine\C\Program Files\Common Files moved successfully.
    c:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010 moved successfully.
    c:\Qoobox\Quarantine\C\Program Files moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu\Programs\AntivirusPro_2010 moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu\Programs moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings\Temporary Internet Files moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings\Application Data moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Cookies moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft\Internet Explorer\Quick Launch moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft\Internet Explorer moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\Raymond moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings\All Users moved successfully.
    c:\Qoobox\Quarantine\C\Documents and Settings moved successfully.
    c:\Qoobox\Quarantine\C moved successfully.
    c:\Qoobox\Quarantine moved successfully.
    c:\Qoobox\BackEnv moved successfully.
    c:\Qoobox moved successfully.
    c:\Program Files\Spybot - Search & Destroy moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Raymond
    ->Temp folder emptied: 89540458 bytes
    ->Temporary Internet Files folder emptied: 48595615 bytes
    ->Java cache emptied: 25621446 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    Windows Temp folder emptied: 17891 bytes
    RecycleBin emptied: 7101106 bytes

    Total Files Cleaned = 163.09 mb


    OTM by OldTimer - Version 3.0.0.6 log created on 10082009_125831

    Files moved on Reboot...

    Registry entries deleted on Reboot...

  7. #77
    Senior Member

    Spybot has been successfully installed.
    It is now starting a system scan after immunization.

  8. #78
    Emeritus- Malware Team

    Great, sounds like some progress.

    How's everything else running?

  9. #79
    Senior Member

    The scan is complete. Mostly cookies found.
    However, there were 2 files, Virtumonde.sdn & Win32TDSS.rtk.

    Looks like one of them is one of the tools used during the cleanup.
    These are all going to be eliminated.

    Computer seems to be running well.

    Part of the Spybot Log pertaining to the detected files.

    --- Search result list ---
    Virtumonde.sdn: [SBI $70056CE6] Data (File, nothing done)
    C:\WINDOWS\system32\mababaza
    Properties.size=1744
    Properties.md5=74F78EC148A72FD7D55B94EFACEDFC7F
    Properties.filedate=1246418982
    Properties.filedatetext=2009-06-30 23:29:42

    Win32.TDSS.rtk: [SBI $085B493C] Data (File, nothing done)
    C:\Documents and Settings\All Users\Documents\ijujal._sy
    Properties.size=17915
    Properties.md5=9C4A58FF5F656A976BA2B3A6F9E998E0
    Properties.filedate=1254402689
    Properties.filedatetext=2009-10-01 09:11:29

    MediaPlex: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)

    HitBox: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)

    DoubleClick: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)

    Right Media: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)

    WebTrends live: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)

    FastClick: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
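
A parser for the Spybot search result format quoted above, added here and not part of the original thread or of Spybot itself: it pulls out each result's path, MD5 and file dates and checks that the epoch filedate agrees with filedatetext. The sample is constructed from the values in the post; the one assumption is that filedatetext is local time at UTC-4 (US Eastern daylight time), which is the offset under which both posted entries line up.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the shape of the Spybot search result list above (values copied from it).
SPYBOT_LOG = r"""
--- Search result list ---
Virtumonde.sdn: [SBI $70056CE6] Data (File, nothing done)
C:\WINDOWS\system32\mababaza
Properties.size=1744
Properties.md5=74F78EC148A72FD7D55B94EFACEDFC7F
Properties.filedate=1246418982
Properties.filedatetext=2009-06-30 23:29:42

Win32.TDSS.rtk: [SBI $085B493C] Data (File, nothing done)
C:\Documents and Settings\All Users\Documents\ijujal._sy
Properties.size=17915
Properties.md5=9C4A58FF5F656A976BA2B3A6F9E998E0
Properties.filedate=1254402689
Properties.filedatetext=2009-10-01 09:11:29

MediaPlex: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
"""

# A result header reads "<name>: <description> (<File|Cookie>, <action>)".
ENTRY = re.compile(r"^(?P<name>[^:]+): .*\((?P<kind>File|Cookie), (?P<action>[^)]+)\)$")

# Assumption: filedatetext is local time; UTC-4 (US Eastern daylight time) is the offset under which both posted entries agree.
LOCAL_TZ = timezone(timedelta(hours=-4))

def parse_spybot(text):
    """One dict per result; File results also carry their path and Properties.* fields."""
    entries, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            cur = {**m.groupdict(), "props": {}}
            entries.append(cur)
        elif cur and line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            cur["props"][key] = value
        elif cur and line and cur["kind"] == "File" and "path" not in cur:
            cur["path"] = line   # the bare line right after a File header is its location
    return entries

def filedate_consistent(entry, tz=LOCAL_TZ):
    """True if the epoch filedate renders as filedatetext under tz; None for cookies."""
    if "filedate" not in entry["props"]:
        return None
    stamp = datetime.fromtimestamp(int(entry["props"]["filedate"]), tz)
    return stamp.strftime("%Y-%m-%d %H:%M:%S") == entry["props"]["filedatetext"]
```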

  10. #80
    Emeritus- Malware Team

    Looks like Spybot didn't get those malware traces. You can have OTM take care of them. Just feed the following script into OTM and run it as you did before.

    Code:
    :processes
    explorer.exe
    
    :files
    C:\WINDOWS\system32\mababaza
    C:\Documents and Settings\All Users\Documents\ijujal._sy
    
    :commands
    [emptytemp]
    [start explorer]
    [reboot]

    Post the log back so we can see if OTM took care of them.
