Computer infected with AntivirusPro 2010

I uninstalled Spybot and rebooted.
Computer was disconnected from network and internet during reboot.

Used Windows Explorer to see if the Spybot directory had been deleted before a re-install. It wasn't. The only file in the folder was TeaTimer.exe.
Attempted to delete the folder and an error message came up:
Cannot delete SpybotSD.exe: Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.

Checking in TaskManager & Process Explorer, SpybotSD.exe is not running.
 
The file SpybotSD.exe is in the Spybot Directory.
Its attributes are archive, system & read-only.
Unable to change attribute.
Message says 'Not resetting system file', when I try to change the 'system' attribute. Similar for changing the other attributes.

Tried to force the deletion using the 'Del /F' switch, but to no avail.
Unable to change to the directory.
Also unable to delete directory.

Never seen anything like this before.

Is this an attack against Spybot, or against Spybot because it was the spyware installed on the computer?
 
File
c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Directory
c:\Program Files\Spybot - Search & Destroy\

Both directory and file attributes couldn't be changed.
A message was only given for the exe file.

At the DOS prompt, I was unable to change directories to c:\Program Files\Spybot - Search & Destroy
I could change to 'C:\Program Files', but that was it.
 
Holy Sh..

Just installed McAfee and during the subsequent install reboot,
I am at a start-up screen, getting a DOS-like prompt,

'DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER.'

What is going on?
 
That's a potential hardware issue. After all is said and done here (if we ever get to that point), you should run some diagnostics on your drive(s). At the minimum run chkdsk on them.
 
Here is the scan log from McAfee.
If there are any typo errors, it is because I had to type it from the logs.
Unable to copy and paste.

Also, after the scan was run, I attempted to delete the Spybot directory and SpybotSD.exe, but was unable to.

Could this file be a hidden virus/trojan?

McAfee has been run. Results below.

Files Detected - 21
Critical PC Files Detected - 6

c:\QOOBOX\QUARANTINE\[4]-SUBMIT_2009-10-05_14.49.19.ZIP
Type:Trojan
Name:Generic Drooper!bcv, Generic Drooper!bcv

HKEY_USERS\S-1-5-21-3455111477-815822944-398594984-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg

SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg

HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-21005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|HIDDEN
Type:Trojan
Name:Vundo.gen.bg

HIDDEN
Type:Trojan
Name:Vundo.gen.bg

HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg

SUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg

c:\qoobox\quarantine\[4]-submit_2009-10-05_14.49.19.zip
Type:Trojan
Name:Vundo.gen.bg, Vundo.gen.bg, Vundo.gen.bg, Generic.dx!fob, Generic.dx!fob, Generic.dx!fmr, Generic.dx!fmr, Artemis!D09014A416E8, Artemis!D09014A416E8

C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\liskavd.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter

C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\seres.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter

C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\svcst.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter

C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
Type:Trojan
Name:Generic.dx!fmz

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
Type:Trojan
Name:Artemis!723624C33998

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkyebwupqoy.sys.vir
Type:Trojan
Name:Artemis!SF1E85A7B08A

C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir
Type:Trojan
Name:Artemis!C2010E473528

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023918.exe
Type:Trojan
Name:FakeAlert-XPSecCenter

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023923.exe
Type:Trojan
Name:FakeAlert-XPSecCenter

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023924.exe
Type:Trojan
Name:FakeAlert-XPSecCenter

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023936.exe
Type:Trojan
Name:FakeAlert-XPSecCenter

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023968.exe
Type:Trojan
Name:Artemis!C2010E473528

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023974.dll
Type:Trojan
Name:Generic.dx!fmz

f:\document and settings\raymond\local settings\temporary internet files\content.ie5\bt0si9my\cyijjxb[1].htm
Type:Trojan
Name:Vundo.gen.bg, Vundo.gen.bg, Vundo.gen.bg

F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\BTt0SI9my\KDQRRJ[1].HTM
Type:Trojan
Name:Generic.dx!fmr, Generic.dx!fmr

F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K0V11MDU\INST32A[1].HTM
Type:Trojan
Name:Artemis!723624C33998, Artemis!723624C33998

F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K0V11MDU\PZIWJXB[1].HTM
Type:Trojan
Name:Artemis!2bbb8C20252C, Artemis!2bbb8C20252C

F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NCYZ3AV9\FOLZM[1].HTM
Type:Trojan
Name:Artemis!D584F8DFAF60, Artemis!D584F8DFAF60
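As an added example (not from the thread, and not McAfee's code), here is a small Python triage pass over a detection list in the layout posted above: it parses the location / Type: / Name: records, drops the bare value-name repeats that follow each registry hit, and sorts every hit by where it lives, which is the distinction that matters for cleanup (ComboFix quarantine and restore points versus anything still live on disk). The record layout and the path heuristics are assumptions inferred from the post.

```python
"""Triage a McAfee-style detection list (added example, not from the thread;
the location / "Type:" / "Name:" record layout is inferred from the post)."""
import re
from collections import Counter
# Constructed sample: three records from the post plus one bare value-name repeat.
SAMPLE_LOG = r"""c:\QOOBOX\QUARANTINE\[4]-SUBMIT_2009-10-05_14.49.19.ZIP
Type:Trojan
Name:Generic Drooper!bcv, Generic Drooper!bcv

HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg

SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg

c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023918.exe
Type:Trojan
Name:FakeAlert-XPSecCenter
"""

def classify(location):
    """Where a hit lives decides what is actually left to clean."""
    loc = location.lower()
    if loc.startswith("hkey_"):
        return "registry"        # key|value; here Explorer's hidden-file settings
    if "\\qoobox\\" in loc:
        return "quarantine"      # ComboFix copies: neutralised, remove the folder
    if "system volume information\\_restore" in loc:
        return "restore-point"   # reinfects if that restore point is ever used
    if "temporary internet files" in loc:
        return "browser-cache"   # downloaded pages, gone with the cache
    return "live-file"           # still on disk and active: look at this first

def parse_detections(text):
    """One dict per record; bare value-name repeats and short blocks are dropped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3 or "\\" not in lines[0]:
            continue
        names = sorted({n.strip() for n in lines[2].split(":", 1)[1].split(",")})
        records.append({"location": lines[0], "type": lines[1].split(":", 1)[1],
                        "names": names, "class": classify(lines[0])})
    return records

def summarize(records):
    """Counts per location class, so the leftovers stand out at a glance."""
    return Counter(r["class"] for r in records)
```

Run over the full list from the post, the "restore-point" and "quarantine" counts are exactly the two leftovers the helper points out next; any "live-file" entry is the one to look at first.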
 
We've gone around in circles here a bit so I'm not sure what you've actually done or not....

qoobox folder (from combofix) is still there - I had advised to delete earlier - we'll move it with OTM
system restore points are still infected - did you clear out your old restore points?

Not sure if you still have OTM or not. If you do, ignore download part of instructions.

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :processes
    explorer.exe
    
    :files
    c:\qoobox
    c:\Program Files\Spybot - Search & Destroy
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]

Was McAfee able to deal with any of those Vundo registry entries? Why don't you run it again after doing the above steps with OTM and hopefully we will be closer.
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
No I didn't do the deletion nor the clearing of the system restore points.
When the computer 'bizarrely' got hung up, I wasn't sure what to do.

Do you want me to take care of the restore points before OTM?
 
Okay no problem. With all the "happenings" going on here it's hard to keep track.

Doesn't matter if you do the restore points before or after OTM, either way.
 
The restore point has been made and the others have been cleaned up.

Regarding the Vundo registry entries, McAfee has quarantined everything.
Also, the Spybot directory with SpybotSD.exe in it is gone.

There is a Spybot.exe in c:\_OTM\MovedFiles\...\Program Files\Spybot ...\ directory.



All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\Qoobox\Quarantine\Registry_backups moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS\system32\wbem moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS\system32 moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS moved successfully.
c:\Qoobox\Quarantine\C\Program Files\Common Files moved successfully.
c:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010 moved successfully.
c:\Qoobox\Quarantine\C\Program Files moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu\Programs\AntivirusPro_2010 moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu\Programs moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings\Temporary Internet Files moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings\Application Data moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Cookies moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft\Internet Explorer\Quick Launch moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft\Internet Explorer moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\All Users moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings moved successfully.
c:\Qoobox\Quarantine\C moved successfully.
c:\Qoobox\Quarantine moved successfully.
c:\Qoobox\BackEnv moved successfully.
c:\Qoobox moved successfully.
c:\Program Files\Spybot - Search & Destroy moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Raymond
->Temp folder emptied: 89540458 bytes
->Temporary Internet Files folder emptied: 48595615 bytes
->Java cache emptied: 25621446 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 17891 bytes
RecycleBin emptied: 7101106 bytes

Total Files Cleaned = 163.09 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10082009_125831

Files moved on Reboot...

Registry entries deleted on Reboot...
 
The scan is complete. Mostly cookies found.
However, there were 2 files, Virtumonde.sdn & Win32.TDSS.rtk.

Looks like one of them is one of the tools used during the cleanup.
These are all going to be eliminated.

Computer seems to be running well.

Part of the Spybot Log pertaining to the detected files.

--- Search result list ---
Virtumonde.sdn: [SBI $70056CE6] Data (File, nothing done)
C:\WINDOWS\system32\mababaza
Properties.size=1744
Properties.md5=74F78EC148A72FD7D55B94EFACEDFC7F
Properties.filedate=1246418982
Properties.filedatetext=2009-06-30 23:29:42

Win32.TDSS.rtk: [SBI $085B493C] Data (File, nothing done)
C:\Documents and Settings\All Users\Documents\ijujal._sy
Properties.size=17915
Properties.md5=9C4A58FF5F656A976BA2B3A6F9E998E0
Properties.filedate=1254402689
Properties.filedatetext=2009-10-01 09:11:29

MediaPlex: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)


HitBox: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)


DoubleClick: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)


Right Media: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)


WebTrends live: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)


FastClick: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
 
Looks like Spybot didn't get those malware traces. You can have OTM take care of them. Just feed the following script into OTM and run it as you did before.

Code:
:processes
explorer.exe

:files
C:\WINDOWS\system32\mababaza
C:\Documents and Settings\All Users\Documents\ijujal._sy

:commands
[emptytemp]
[start explorer]
[reboot]
Post the log back so we can see if OTM took care of them.
 