Solved

McAfee scan after removing infection reveals more trojan files

Posted on 2009-07-01
1,772 Views
Last Modified: 2013-12-09
I will treat this as if it is a separate issue.  Right now I just have image files of screenshots to show the file names and detected infection name.  I can try to get more info or a log if that will help.  The detection names are:

Generic.dx!qd
Artemis!D{some number}
Downloader-BRF

There were 7 files total that were quarantined.  4 of those were in the _Restore folder so I think were either "backups" by Windows System Restore or a "copy" the virus/trojan put there.  The screenshots below show details for the files NOT in Restore.  I can provide the others if you want but they mention the same infections.

What does it look like I have?  Could it be related to the issue that was found and addressed in my previous question (see link below)?  Should McAfee have cleared it all or do I need to take further steps?  FYI:  ComboFix has been run and doesn't identify any issues (see previous question) so please don't just provide a generic or canned response for this.  Basically I am just trying to get info and working to get rid of the last of this but I am not a novice with computers, viruses, etc.

Thanks a lot for any help you can provide and your time looking at this!

bol
McAfeeQuarantineScreen1.png
McAfeeQuarantineScreen2.png
McAfeeQuarantineScreen3.png
Question by:b0lsc0tt
22 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 24756305
 
LVL 38

Expert Comment

by:younghv
ID: 24756348
bol - As you know, 'rpg' is the source authority on this stuff, but the ComboFix run in your last computer should have cleared all of your 'Restore Points' and created a new one - AFTER - it was finished running.

One of the quirks of McAfee (in the old days) was that it would keep a report/record of infected files - even after they had been deleted.

Have you physically looked in those folders to see if the files actually exist? As you know, some folders in XP may have to be viewed through some kind of LINUX-type boot disk.

If the files are truly gone, you can clear your McAfee log files and get rid of the 'false positive' messages.

Also - is this your computer?
Is the user accessing files from a remote source (external device or network share)?
Is the user using an account on the Internet that has 'Admin' privs?

Post back when you can, I'll hold the fort until the A Team checks in.
Vic
 
LVL 38

Expert Comment

by:younghv
ID: 24756359
@awawada -
It is great that you are trying to help other Members here, but your quickie 'cut & paste' posts just really have no validity.
Please start taking the time to read the actual questions that are posted - and then do yourself a real favor and look at the profile of the Asker.
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24756394
Before you ran Combofix...did you temporarily disable McAfee?
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 24757005
awawada,
Thanks for the effort but when I said "please don't just provide a generic or canned response for this" it was to avoid a post just like yours.  If this is an area where you can provide expertise then please show that in your comment.  Answer my questions and provide info with any links to let me know how they relate.  A group like that makes me suspect I will do more work looking into your response than I want or need to get a solution.  As I said, I am not a novice at this.  I will ignore your post but please feel free to post again if you can provide what I need.
younghv,
Thanks!  She (rpgamergirl) was very helpful in my previous question and I hope she joins this too.  I know that there are other experts who can help too so I welcome all who can (including you ;)).
Thanks for the info on how McAfee works.  If they were quarantined would they still be visible in the original folder, even to a Linux type boot?  I had thought quarantine would move the file from that location.  Sort of like Delete but not quite the same.  Let me know if that is not correct or wrong for McAfee.  If the files are kept in the folders, even when quarantined, then I can have the user of that computer look to see if they find them.  At least those that aren't in the Restore subfolders.  I did help the user show the normally hidden files (the OS is XP Pro) so I am pretty sure we could look in the folders for at least those in the screenshots.  I just don't want to start that if the quarantine moved them.
I am not sure this would be a false positive.  At least I know the scan was run after what was done in the previous question.  The files were found during that scan.  Now the "restore" might be old but I thought the first three at least were current and legit.  Let me know if I am wrong or have misunderstood you on this point.
The computer isn't mine; it is my sister's and out of state.  There is no network involved but I can ask about the external drives, etc.  They might have one of those but it isn't connected normally as far as I know.  I will check to see if they use an admin user for normal computer use.  They probably do, like most people.  Even though I suggest and recommend otherwise it isn't always followed and sometimes can't be done when programs need those rights even to run.  Let me know if those questions are more for safe computer use (i.e. general, wise counsel) or are key for getting this fixed completely.
JeremySBrown,
I can double check this but to my knowledge McAfee was disabled before doing anything in the previous question.  In fact I believe the expert in that previous question saw some evidence of that because of the question she asked about "how McAfee was disabled."
ALL,
I will get the info you asked for but hopefully these responses will help you provide me with more too.  If there are any other questions or I missed something please let me know.  Thanks!
bol
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 24757067
awawada,
By the way ... I notice you are new to EE.  Please don't take offense at my response to you or think I am trying to keep you (or anyone) out.  Quite the contrary and I wish you the best as a new expert here.  However I was clear in my post and your response doesn't really show you read it.  Also, as an expert, you should ALWAYS post more than just links.  Show your expertise in your response by including a comment and info.  Even in a case where the link you provide is a perfect, complete answer you can still add that as a comment.  In cases where viruses are involved it is my experience the "shotgun" or canned approach wastes time and can sometimes be more harmful.  The response you provide seemed to be that type of comment so, if it isn't, please improve the info you provide.  I will take time to provide details and info to you and I expect the same from the experts.
I hope the info above helps as you use this site and help here and in other questions.  It is meant as just friendly advice, one expert to another.  Good luck and welcome!
bol
 
LVL 38

Expert Comment

by:younghv
ID: 24757407
bol - Have a computer in the workshop with McAfee loaded and I'm trying to figure out how to 'clear' the logs.
If you can either clear them or do a new scan to see if those infected files still show up.

"ComboFix" will flash a big warning if any AV process is still running and make you 'accept' it to keep running - so I doubt that McAfee was running during the scan.

I'll be back in a bit - prior commitment.
 
LVL 38

Expert Comment

by:younghv
ID: 24758957
bol - sorry to piece-meal you on the responses.
I just re-read your response and it appears as though ComboFix did NOT clear your restore points, the computer has been re-infected already, or the McAfee logs are reflecting old information, (and maybe something else). :)

I was out in the workshop playing with that McAfee computer, trying to figure out how to clear or delete the files in quarantine. I didn't have any entries in the logs, but the Help link says that you can select either 'Restore' or 'Delete' for each of those files. Looking at your screen captures above, I see the Restore option right there, but not the Delete.

rpg should be coming on-line pretty soon, and I have asked the McAfee Man (legalsrl) to check in also.

Unless I think of something constructive, I'm just going to watch from here on out.

Vic
 
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 24758984
Vic,
Thanks!  It will be a few days before I will be able to have anything tried on the computer anyways.  I can get some more details but the user won't be at the machine for a few days.
Thanks for letting me know about the ComboFix and restore points.  When you get a chance I would be curious to know what you saw in the log that showed that if you can share. :)  Parts of the log are easy to read but I definitely don't know some key things about those logs.  All of this help is invaluable but my curiosity also wishes I knew a little more. :)
bol
 
LVL 38

Accepted Solution

by:younghv
younghv earned 225 total points
ID: 24759244
Geez!
It would sure be nice to have an 'edit' function - I couldn't figure out why you were asking that until I read the bone-headed sentence I wrote.

This part "...appears as though ComboFix did NOT clear your restore points,..." should read:
"appears as though either:
1. ComboFix did NOT clear your restore points,
2. the computer has been re-infected already,
3. the McAfee logs are reflecting old information, or
4. maybe something else.

To my knowledge, ComboFix ALWAYS resets the Restore Point - that is one of the basic functions.
I can't really imagine that it did not happen in this instance - but I suppose it could be a possibility.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24760181
I haven't read all the comments in this thread yet so pardon me if I say things that have already been said.

I've looked at the images and those files are no longer in their original folders.
Based on those images.... it shows that Combofix hasn't been uninstalled from that system because Qoobox is Combofix's own quarantine folder.... if Combofix has been uninstalled then that folder would have been deleted....
Combofix will reset System restore and create a new restore point also.
So what I need to verify is....did the user uninstall Combofix and it didn't do what it's supposed to do? which is deleting all its files including the Qoobox folder and resetting the System Restore?

OR: the user did not uninstall Combofix (which is what I would assume looking at those images).
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 24760451
bol,

I looked in your other thread and those 3 files in those images are among the files that Combofix had deleted during its fifth run (last log you posted).


<<<"I will pass on the steps to uninstall. After posting the log I had the user run McAfee and it found some files which it quarantined. I don't know if it is this same issue">>>

It's clear to me now that Combofix hasn't been uninstalled yet....those 3 files and those from the System Restore folder that McAfee detected and quarantined are already harmless because those are already in Combofix's quarantine folder while the others are in the System Restore.

When the user uninstalls Combofix, McAfee shouldn't be detecting any files from those locations anymore because the Qoobox folder will be deleted and the System Restore will be reset (and CF creates one new restore point).
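An added example of the triage rpggamergirl applies above, written for this page and not code from the thread, from McAfee or from ComboFix: given a list of (detection name, path) pairs as an AV console would show them, it sorts each path into "inside ComboFix's Qoobox quarantine", "inside a System Restore folder" or "live location", and states what each category calls for, so the only detections that get chased are the ones in active folders. The `C:\Qoobox\Quarantine\...` layout, the `System Volume Information\_restore{GUID}` naming, the GUID placeholder and every file name are assumptions or constructed samples; the three detection names are the ones listed in the question.

```python
"""Triage antivirus detections by where the flagged file lives.

Added example; not code from this thread, from McAfee or from ComboFix.
It encodes the reasoning the thread arrives at: a file flagged inside
ComboFix's Qoobox quarantine or inside a System Restore folder is an
inert copy that was already dealt with, so the fix is to uninstall
ComboFix (which removes Qoobox and resets System Restore), not another
round of cleaning. Only a detection in an active location needs a look.
The detection records at the bottom are constructed for illustration.
"""
from pathlib import PureWindowsPath

COMBOFIX_QUARANTINE = "qoobox"                # ComboFix's quarantine folder (named in the thread)
RESTORE_PARENT = "system volume information"  # assumption: parent of XP restore point folders
RESTORE_PREFIX = "_restore"                   # assumption: XP names those folders _restore{GUID}

# What each category implies, following the advice given in the thread.
ACTIONS = {
    "combofix_quarantine": "inert copy in Qoobox; uninstall ComboFix (ComboFix /u) and rescan",
    "system_restore": "inert copy in a restore point; resetting System Restore removes it",
    "live": "active location; treat as a possible live infection and investigate",
}


def classify_detection(path):
    """Return the category for one detected file path (Windows syntax, any case)."""
    # Only directory components count: a file merely named 'Qoobox.txt' is not quarantine.
    dirs = [part.lower() for part in PureWindowsPath(path).parts[:-1]]
    for d in dirs:
        if d == COMBOFIX_QUARANTINE:
            return "combofix_quarantine"
        if d == RESTORE_PARENT or d.startswith(RESTORE_PREFIX):
            return "system_restore"
    return "live"


def triage(detections):
    """Group (detection_name, path) pairs by category; every category key is present."""
    report = {category: [] for category in ACTIONS}
    for name, path in detections:
        report[classify_detection(path)].append((name, path))
    return report


def live_detections(detections):
    """The subset that still needs investigation; empty means quarantine clean-up is all that is left."""
    return triage(detections)["live"]


# Constructed sample: the thread's three detection names, with the file layout it
# describes (3 files under Qoobox, 4 under _Restore). Paths and file names are made up;
# ComboFix's quarantine keeps the original path below Qoobox and adds a .vir extension.
SAMPLE_DETECTIONS = [
    ("Generic.dx!qd", r"C:\Qoobox\Quarantine\C\WINDOWS\system32\sample1.dll.vir"),
    ("Artemis!D{some number}", r"C:\Qoobox\Quarantine\C\WINDOWS\system32\sample2.exe.vir"),
    ("Downloader-BRF", r"C:\Qoobox\Quarantine\C\Documents and Settings\user\sample3.exe.vir"),
    ("Generic.dx!qd", r"C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP10\A0000101.dll"),
    ("Artemis!D{some number}", r"C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP10\A0000102.exe"),
    ("Downloader-BRF", r"C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP11\A0000103.exe"),
    ("Generic.dx!qd", r"C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP11\A0000104.dll"),
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE_DETECTIONS).items():
        print(f"{category}: {len(items)} file(s) -> {ACTIONS[category]}")
        for name, path in items:
            print(f"    {name:<24} {path}")
```

Run it as-is to see the seven sample detections land in the two inert categories with nothing left under "live"; feed it the paths from a real quarantine listing to get the same split. Matching is done on directory components only and case-insensitively, because Windows paths are case-insensitive and a file that merely has "Qoobox" in its name should not be mistaken for a quarantined copy.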
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 24760610
rpggamergirl,
The user had not uninstalled ComboFix before McAfee scanned.  I had the user run it before the post about uninstalling and I didn't realize this would happen with it still installed.  I completely ignored or missed the fact the files were actually in a QOOBOX folder.  I just saw the rest and thought it was the normal Windows or User folders.
Would your recommendation then be to uninstall ComboFix, using the steps you provided in the other Q, and then run McAfee scan again after the uninstall?  It will be a few days until that can be done but it seems like that is what we should've done.
Vic,
Now I understand what you were saying better.  Thanks for the posts and info.
bol
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24760626
younghv knows about any tools... and he sure knows Combofix too, good job Vic, :)


<<<"I had thought quarantine would move the file from that location.  Sort like Delete but not quite the same">>>

I don't know about McAfee, but when Combofix quarantines a file, it moves and renames that file with a .vir extension, and any files that CF quarantined can be restored at any time while Combofix is still installed.
 
And yes McAfee was disabled as shown in the CF logs at the other thread.
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 24760627
rpg,
I just read your second post.  I will have them uninstall and then run McAfee again.  It sounds like all is clean but we just need to uninstall ComboFix.  With the command you provided it will be easy to uninstall.
Do you think the fact McAfee quarantined some files will cause a problem for the uninstall or the restore point reset?
bol
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24760650
Sorry didn't see your posts.

I don't think McAfee's quarantining the files from Qoobox will cause any problem with the CF uninstallation nor will it affect the resetting of the System Restore points.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' the next command in the field:

ComboFix /u
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 24760676
rpg,
Thanks!  It will be a few days but I will have them do that and post back here with the results.
>> To uninstall Combofix: <<
Those steps look easy.  A side question, if you know, can I run the command without any path because ComboFix "program folder" is added to the Path environment variable or is the program in one of Windows "system" folders that are already in the path?  If you don't know then no worries but I was just curious.
bol
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24760936
bol,

As far as I know, the full path is not required for any of the CF switches when ComboFix has already been run on the system.

ComboFix /u <-- is the only uninstall switch that sUBs had instructed Helpers to use.

~rpg
 
LVL 16

Assisted Solution

by:legalsrl
legalsrl earned 75 total points
ID: 24761052
Morning all !

Vic - cheers for the link...

Bol, firstly, I've had a quick scan through this thread and although Combofix is mentioned as having been run, can you verify that you have turned off System Restore and removed all the old System Restore points?

If you haven't, can you turn off System Restore please....

It would seem that Combofix is still installed from the screenshots, and that McAfee has detected those files in the Combofix quarantine (as McAfee will not know that the directory is a quarantine directory and will still scan them).

I would empty the McAfee quarantine with System Restore turned off and then reboot into Safe Mode.....run another scan (should be clean, let me know if it's not) and then once you've verified it's clean, reboot into Windows (not Safe Mode) and then turn back on System Restore.

Let me know if you've got any questions
Cheers
Si
 
LVL 54

Author Closing Comment

by:b0lsc0tt
ID: 31598853
Sorry this was delayed.  I had to wait for results.  Things seem fine now though.  Thanks for everything!
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 24864905
Just as a follow up note ... the ComboFix program seemed to have been removed by some step.  I was told that running the uninstall command gave the message that the program couldn't be found.  I am going to have them check the quarantine area of McAfee, the hard drive for the Qoobox folder, and the status of System Restore but it seems all is good.  If you have any final thoughts on this info then please let me know.  Thanks for all the help and the patience while I got a response.
bol
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24884586
<<<"the ComboFix program seemed to have been removed by some step.  i was told that running the uninstall command gave the message that the program couldn't be found">>>

If the Combofix uninstall command did not work it could be that Combofix.exe was deleted or the Qoobox folder was removed.