Question

McAfee scan after removing infection reveals more trojan files

Asked by: b0lsc0tt

I will treat this as if it is a separate issue.  Right now I just have image files of screenshots to show the file names and detected infection name.  I can try to get more info or a log if that will help.  The detection names are:

Generic.dx!qd
Artemis!D{some number}
Downloader-BRF

There were 7 files total that were quarantined.  4 of those were in the _Restore folder so I think were either "backups" by Windows System Restore or a "copy" the virus/trojan put there.  The screenshots below show details for the files NOT in Restore.  I can provide the others if you want but they mention the same infections.

What does it look like I have?  Could it be related to the issue that was found and addressed in my previous question (see link below)?  Should McAfee have cleared it all or do I need to take further steps?  FYI:  ComboFix has been run and doesn't identify any issues (see previous question) so please don't just provide a generic or canned response for this.  Basically I am just trying to get info and working to get rid of the last of this but I am not a novice with computers, viruses, etc.

Thanks a lot for any help you can provide and your time looking at this!

bol


Asked On: 2009-07-01 at 10:05:31 (ID 24537089)

Tags: McAfee, virus, trojan, Artemis, Generic, Downloader, quarantine

Topics: Anti-Virus, McAfee Anti-Virus Software

Participating Experts: 5 | Points: 500 | Comments: 22


Answers

 

by: younghv, posted on 2009-07-01 at 10:17:17 (ID: 24756348)

bol - As you know, 'rpg' is the source authority on this stuff, but the ComboFix run in your last computer should have cleared all of your 'Restore Points' and created a new one - AFTER - it was finished running.

One of the quirks of McAfee (in the old days) was that it would keep a report/record of infected files - even after they had been deleted.

Have you physically looked in those folders to see if the files actually exist? As you know, some folders in XP may have to be viewed through some kind of LINUX-type boot disk.

If the files are truly gone, you can clear your McAfee log files and get rid of the 'false positive' messages.

Also - is this your computer?
Is the user accessing files from a remote source (external device or network share)?
Is the user using an account on the Internet that has 'Admin' privs?

Post back when you can, I'll hold the fort until the A Team checks in.
Vic

 

by: younghv, posted on 2009-07-01 at 10:18:55 (ID: 24756359)

@awawada -
It is great that you are trying to help other Members here, but your quickie 'cut & paste' posts just really have no validity.
Please start taking the time to read the actual questions that are posted - and then do yourself a real favor and look at the profile of the Asker.

 

by: JeremySBrown, posted on 2009-07-01 at 10:25:13 (ID: 24756394)

Before you ran Combofix...did you temporarily disable McAfee?

 

by: b0lsc0tt, posted on 2009-07-01 at 11:46:15 (ID: 24757005)

awawada,
Thanks for the effort but when I said "please don't just provide a generic or canned response for this" it was to avoid a post just like yours.  If this is an area where you can provide expertise then please show that in your comment.  Answer my questions and provide info with any links to let me know how they relate.  A group like that makes me suspect I will do more work looking into your response than I want or need to get a solution.  As I said, I am not a novice at this.  I will ignore your post but please feel free to post again if you can provide what I need.

younghv,
Thanks!  She (rpgamergirl) was very helpful in my previous question and I hope she joins this too.  I know that there are other experts who can help too so I welcome all who can (including you ;)).

Thanks for the info on how McAfee works.  If they were quarantined would they still be visible in the original folder, even to a Linux type boot?  I had thought quarantine would move the file from that location.  Sort of like Delete but not quite the same.  Let me know if that is not correct or wrong for McAfee.  If the files are kept in the folders, even when quarantined, then I can have the user of that computer look to see if they find them.  At least those that aren't in the Restore subfolders.  I did help the user show the normally hidden files (the OS is XP Pro) so I am pretty sure we could look in the folders for at least those in the screenshots.  I just don't want to start that if the quarantine moved them.

I am not sure this would be a false positive.  At least I know the scan was run after what was done in the previous question.  The files were found during that scan.  Now the "restore" might be old but I thought the first three at least were current and legit.  Let me know if I am wrong or have misunderstood you on this point.

The computer isn't mine; it is my sister's and out of state.  There is no network involved but I can ask about the external drives, etc.  They might have one of those but it isn't connected normally as far as I know.  I will check to see if they use an admin user for normal computer use.  They probably do, like most people.  Even though I suggest and recommend otherwise it isn't always followed and sometimes can't be done when programs need those rights even to run.  Let me know if those questions are more for safe computer use (i.e. general, wise counsel) or are key for getting this fixed completely.

JeremySBrown,
I can double check this but to my knowledge McAfee was disabled before doing anything in the previous question.  In fact I believe the expert in that previous question saw some evidence of that because of the question she asked about "how McAfee was disabled."

ALL,
I will get the info you asked for but hopefully these responses will help you provide me with more too.  If there are any other questions or I missed something please let me know.  Thanks!

bol

 

by: b0lsc0tt, posted on 2009-07-01 at 11:55:09 (ID: 24757067)

awawada,

By the way ... I notice you are new to EE.  Please don't take offense at my response to you or think I am trying to keep you (or anyone) out.  Quite the contrary and I wish you the best as a new expert here.  However I was clear in my post and your response doesn't really show you read it.  Also, as an expert, you should ALWAYS post more than just links.  Show your expertise in your response by including a comment and info.  Even in a case where the link you provide is a perfect, complete answer you can still add that as a comment.  In cases where viruses are involved it is my experience the "shotgun" or canned approach wastes time and can sometimes be more harmful.  The response you provide seemed to be that type of comment so, if it isn't, please improve the info you provide.  I will take time to provide details and info to you and I expect the same from the experts.

I hope the info above helps as you use this site and help here and in other questions.  It is meant as just friendly advice, one expert to another.  Good luck and welcome!

bol

 

by: younghv, posted on 2009-07-01 at 12:37:25 (ID: 24757407)

bol - Have a computer in the workshop with McAfee loaded and I'm trying to figure out how to 'clear' the logs.
If you can either clear them or do a new scan to see if those infected files still show up.

"ComboFix" will flash a big warning if any AV process is still running and make you 'accept' it to keep running - so I doubt that McAfee was running during the scan.

I'll be back in a bit - prior commitment.

 

by: younghv, posted on 2009-07-01 at 15:46:04 (ID: 24758957)

bol - sorry to piece-meal you on the responses.
I just re-read your response and it appears as though ComboFix did NOT clear your restore points, the computer has been re-infected already, or the McAfee logs are reflecting old information, (and maybe something else). :)

I was out in the workshop playing with that McAfee computer, trying to figure out how to clear or delete the files in quarantine. I didn't have any entries in the logs, but the Help link says that you can select either 'Restore' or 'Delete' for each of those files. Looking at your screen captures above, I see the Restore option right there, but not the Delete.

rpg should be coming on-line pretty soon, and I have asked the McAfee Man (legalsrl) to check in also.

Unless I think of something constructive, I'm just going to watch from here on out.

Vic
 

 

by: b0lsc0tt, posted on 2009-07-01 at 15:51:00 (ID: 24758984)

Vic,

Thanks!  It will be a few days before I will be able to have anything tried on the computer anyways.  I can get some more details but the user won't be at the machine for a few days.

Thanks for letting me know about the ComboFix and restore points.  When you get a chance I would be curious to know what you saw in the log that showed that if you can share. :)  Parts of the log are easy to read but I definitely don't know some key things about those logs.  All of this help is invaluable but my curiosity also wishes I knew a little more. :)

bol

 

by: younghv, posted on 2009-07-01 at 16:40:16 (ID: 24759244)

Geez!
It would sure be nice to have an 'edit' function - I couldn't figure out why you were asking that until I read the bone-headed sentence I wrote.

This part "...appears as though ComboFix did NOT clear your restore points,..." should read:
"appears as though either:
1. ComboFix did NOT clear your restore points,
2. the computer has been re-infected already,
3. the McAfee logs are reflecting old information, or
4. maybe something else.

To my knowledge, ComboFix ALWAYS resets the Restore Point - that is one of the basic functions.
I can't really imagine that it did not happen in this instance - but I suppose it could be a possibility.

 

by: rpggamergirl, posted on 2009-07-01 at 20:16:13 (ID: 24760181)

I haven't read all the comments in this thread yet so pardon me if I say things that have already been said.

I've looked at the images and those files are no longer in their original folders.
Based on those images.... it shows that Combofix hasn't been uninstalled from that system because Qoobox is Combofix's own quarantine folder.... if Combofix has been uninstalled then that folder would have been deleted....
Combofix will reset System restore and create a new restore point also.

So what I need to verify is....did the user uninstall combofix and it didn't do what it's supposed to do? which is deleting all its files including the Qoobox folder and resetting the System Restore?

OR: the user did not uninstall Combofix (which is what I would assume looking at those images).

 

by: rpggamergirl, posted on 2009-07-01 at 21:21:13 (ID: 24760451)

bol,

I looked in your other thread and those 3 files in those images are among the files that Combofix had deleted during its fifth run (last log you posted).


<<<"I will pass on the steps to uninstall. After posting the log I had the user run McAfee and it found some files which it quarantined. I don't know if it is this same issue">>>

It's clear to me now that Combofix hasn't been uninstalled yet....those 3 files and those from the System Restore folder that McAfee detected and quarantined are already harmless because those are already in Combofix's quarantine folder while the others are in the System Restore.

When the user uninstalls Combofix, McAfee shouldn't be detecting any files from those locations anymore because the Qoobox folder will be deleted and the System Restore will be reset (and CF creates one new restore point).
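The point rpggamergirl makes above (a hit inside ComboFix's Qoobox quarantine or inside a System Restore snapshot is an already-neutralised copy, while a hit in a live location is a real problem) is easy to lose when reading a long scanner log. The triage script below is an added example written for this page; it is not code from the thread, from McAfee or from ComboFix. It classifies scanner detection records by the folder they live in and returns only the ones that still need follow-up. The detection records, the path layouts and the `{PLACEHOLDER-GUID}` restore-point folder name are constructed for illustration; the `.vir` rename rule for ComboFix quarantine files is the one described later in this thread.

```python
"""Triage anti-virus detections by where the flagged file lives.

Added example (not from the thread). A detection inside ComboFix's Qoobox
quarantine (files renamed with a .vir extension) or inside a Windows System
Restore snapshot folder is an inert copy; a detection in a live system
location needs real follow-up. Sample records below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    path: str   # full path the scanner reported
    name: str   # detection name as the scanner labels it


# Path components that mark an inert copy rather than a live file.
COMBOFIX_QUARANTINE = "qoobox"                # ComboFix's own quarantine folder
RESTORE_ROOT = "system volume information"    # holds XP System Restore data
RESTORE_PREFIX = "_restore"                   # per-restore-point subfolder

CATEGORIES = ("combofix_quarantine", "system_restore", "live")

# What each category means for the person cleaning the machine.
RECOMMENDATION = {
    "combofix_quarantine": "inert: uninstalling ComboFix (ComboFix /u) removes Qoobox; rescan afterwards",
    "system_restore": "inert snapshot: resetting System Restore (ComboFix /u does this) removes it",
    "live": "ACTIVE: file is in a live location and needs investigation and removal",
}


def _components(path: str) -> list[str]:
    """Split a Windows path into lower-cased folder/file components."""
    return [c.lower() for c in re.split(r"[\\/]+", path) if c]


def is_combofix_quarantine_copy(det: Detection) -> bool:
    """True when the file sits under Qoobox AND carries CF's .vir rename."""
    comps = _components(det.path)
    return COMBOFIX_QUARANTINE in comps and comps[-1].endswith(".vir")


def classify(det: Detection) -> str:
    """Return one of CATEGORIES for a single detection record."""
    comps = _components(det.path)
    if COMBOFIX_QUARANTINE in comps:
        return "combofix_quarantine"
    if RESTORE_ROOT in comps or any(c.startswith(RESTORE_PREFIX) for c in comps):
        return "system_restore"
    return "live"


def triage(detections: list[Detection]) -> dict[str, list[Detection]]:
    """Group detections by category; every category key is always present."""
    report: dict[str, list[Detection]] = {c: [] for c in CATEGORIES}
    for det in detections:
        report[classify(det)].append(det)
    return report


def needs_followup(detections: list[Detection]) -> list[Detection]:
    """Only the detections that are not sitting in a quarantine or snapshot."""
    return [d for d in detections if classify(d) == "live"]


def summary_lines(detections: list[Detection]) -> list[str]:
    """Human-readable one-line-per-category summary."""
    report = triage(detections)
    return [f"{cat}: {len(hits)} hit(s) -> {RECOMMENDATION[cat]}"
            for cat, hits in report.items()]


# Constructed sample records in the shape the thread describes: hits under
# Qoobox, one in an XP restore point, and one live file that would still matter.
SAMPLE_DETECTIONS = [
    Detection(r"C:\Qoobox\Quarantine\C\WINDOWS\system32\example1.dll.vir", "Generic.dx!qd"),
    Detection(r"C:\Qoobox\Quarantine\C\WINDOWS\system32\example2.dll.vir", "Downloader-BRF"),
    Detection(r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A0001234.exe",
              "Artemis!D{placeholder}"),
    Detection(r"C:\WINDOWS\system32\example3.exe", "Downloader-BRF"),
]


if __name__ == "__main__":
    for line in summary_lines(SAMPLE_DETECTIONS):
        print(line)
    for det in needs_followup(SAMPLE_DETECTIONS):
        print("follow up:", det.path, det.name)
```

Feed it the path and detection-name columns of a real scanner report and only the `live` bucket needs attention; the other two buckets disappear on their own once ComboFix is uninstalled and the restore points are reset, exactly as the thread says.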

 

by: b0lsc0tt, posted on 2009-07-01 at 22:16:08 (ID: 24760610)

rpggamergirl,

The user had not uninstalled ComboFix before McAfee scanned.  I had the user run it before the post about uninstalling and I didn't realize this would happen with it still installed.  I completely ignored or missed the fact the files were actually in a QOOBOX folder.  I just saw the rest and thought it was the normal Windows or User folders.

Would your recommendation then be to uninstall ComboFix, using the steps you provided in the other Q, and then run McAfee scan again after the uninstall?  It will be a few days until that can be done but it seems like that is what we should've done.

Vic,
Now I understand what you were saying better.  Thanks for the posts and info.

bol

 

by: rpggamergirl, posted on 2009-07-01 at 22:19:00 (ID: 24760626)

younghv knows about any tools... and he sure knows Combofix too, good job Vic, :)


<<<"I had thought quarantine would move the file from that location.  Sort like Delete but not quite the same">>>

I don't know about McAfee, but when Combofix quarantines a file, it moves and renames that file with a .vir extension, and any files that CF quarantined can be restored at any time while Combofix is still installed.
 
And yes McAfee was disabled as shown in the CF logs at the other thread.

 

by: b0lsc0tt, posted on 2009-07-01 at 22:19:03 (ID: 24760627)

rpg,

I just read your second post.  I will have them uninstall and then run McAfee again.  It sounds like all is clean but we just need to uninstall ComboFix.  With the command you provided it will be easy to uninstall.

Do you think the fact McAfee quarantined some files will cause a problem for the uninstall or the restore point reset?

bol

 

by: rpggamergirl, posted on 2009-07-01 at 22:24:42 (ID: 24760650)

Sorry didn't see your posts.

I don't think McAfee's quarantining the files from Qoobox will cause any problem with the CF uninstallation nor will it affect the resetting of the System Restore points.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u

 

by: b0lsc0tt, posted on 2009-07-01 at 22:29:22 (ID: 24760676)

rpg,

Thanks!  It will be a few days but I will have them do that and post back here with the results.

>> To uninstall Combofix: <<
Those steps look easy.  A side question, if you know, can I run the command without any path because ComboFix "program folder" is added to the Path environment variable or is the program in one of Windows "system" folders that are already in the path?  If you don't know then no worries but I was just curious.

bol

 

by: rpggamergirl, posted on 2009-07-01 at 23:56:19 (ID: 24760936)

bol,

As far as I know, the full path is not required for any of the CF switches when ComboFix has already been run on the system.

ComboFix /u <-- is the only uninstall switch that sUBs had instructed Helpers to use.

~rpg

 

by: legalsrl, posted on 2009-07-02 at 00:20:28 (ID: 24761052)

Morning all !

Vic - cheers for the link...

Bol, firstly, I've had a quick scan through this thread and although Combofix is mentioned as having been run, can you verify that you have turned off System Restore and removed all the old System Restore points ?

If you haven't, can you turn off System Restore please....

It would seem that Combofix is still installed from the screenshots, and that McAfee has detected those files in the Combofix quarantine (as McAfee will not know that the directory is a quarantine directory and will still scan them).

I would empty the McAfee quarantine with System Restore turned off and then reboot into Safe Mode.....run another scan (should be clean, let me know if it's not) and then once you've verified it's clean, reboot into Windows (not Safe Mode) and then turn back on System Restore.

Let me know if you've got any questions
Cheers
Si

 

by: b0lsc0tt, posted on 2009-07-15 at 15:44:21 (ID: 31598853)

Sorry this was delayed.  I had to wait for results.  Things seem fine now though.  Thanks for everything!

 

by: b0lsc0tt, posted on 2009-07-15 at 15:48:34 (ID: 24864905)

Just as a follow up note ... the ComboFix program seemed to have been removed by some step.  I was told that running the uninstall command gave the message that the program couldn't be found.  I am going to have them check the quarantine area of McAfee, the hard drive for the Qoobox folder, and the status of System Restore but it seems all is good.  If you have any final thoughts on this info then please let me know.  Thanks for all the help and the patience while I got a response.

bol

 

by: rpggamergirl, posted on 2009-07-17 at 19:53:57 (ID: 24884586)

<<<"the ComboFix program seemed to have been removed by some step.  I was told that running the uninstall command gave the message that the program couldn't be found">>>

If the Combofix uninstall command did not work it could be that Combofix.exe was deleted or the Qoobox folder was removed.
