3 Replies Latest reply on Jul 5, 2010 12:56 PM by Peter M

    Followed malware troubleshooting, still need assistance

      Here is our story...

      July 1 - our aol.ca webmail account was compromised and sent an e-mail to all of our Contacts

      - the e-mail contained a link to a bogus prescription ordering site called Canadian Neighbor Pharmacy, where folks are being duped into providing personal information

      - the scam is documented at http://spamtrackers.eu/wiki/index.php/Canadian_Neighbor_Pharmacy


      We deleted all of our Contacts, changed our e-mail password and security question, BUT are still concerned that something is lurking on one of our computers.

      Does anyone have experience with this situation? Should we be concerned that one of our computers has been infected with malware?


      We have a 3 user license for McAfee Total Protection. It is automatically updated and is current.

      Laptop is running Windows Vista Service Pack 2. Desktop is running Windows XP Service Pack 3. Both are on automatic updates.


      We used various tools as documented below, but have not been able to identify the malware or how to remove it. We do not know what the virus is called, so we cannot research it on McAfee's VirusInfo web site.


      Ran full McAfee scans on our laptop and desktop computers and came up with nothing.

      LOG

      Full McAfee scan in regular mode
      01/07/2010    7:28:25 PM    Scan Started: 07/01/2010 07:28:25 PM
      01/07/2010    8:01:56 PM    Total objects scanned: 222431
      01/07/2010    8:01:56 PM    Objects detected: 0
      01/07/2010    8:01:56 PM    Scan Done: 07/01/2010 08:01:56 PM


      So we moved on to following the instructions in http://community.mcafee.com/docs/DOC-1294


      The following was done from the laptop.


      Ran scan in Safe Mode with Networking


      While the scan was still in progress, got a window that said it was from McAfee, stating

      Computer is at risk (RED)

      - make sure real time scanning and firewall are on and subscription is active and up to date

      - please check status

      Checked status and message stated that Real Time Scanning was OFF! (RED)

      Tried to select the button to turn it ON, but it only flashed briefly to another McAfee window that said Your Computer is Secure (GREEN)

      Window would flip back to the message saying Real Time Scanning is OFF! (RED)

      Scan ended with 0 objects detected

      Window stating that Real Time Scanning was OFF! (RED) was still on screen so tried to set to ON, but the Apply button was greyed out.


      LOG

      scan in safe mode from laptop Computer (in Vista)
      04/07/2010    1:20:27 PM    Scan Started: 07/04/2010 01:20:27 PM
      04/07/2010    2:46:58 PM    Total objects scanned: 225388
      04/07/2010    2:46:58 PM    Objects detected: 0
      04/07/2010    2:46:58 PM    Scan Done: 07/04/2010 02:46:58 PM


      Downloaded and Ran Stinger


      Left computer in Safe mode to run Stinger

      sensitivity "Very High" and "Report Only"

      3 Artemis trojans found, but don't feel that these are likely false positives

      the two files in $Recycle.Bin cannot be accessed (get message Location is not available)

      the one TOSAPIN file is available and could be sent by WIN ZIP - file dated 7/12/2006


      LOG

      McAfee® Stinger Version 10.0.1.934 built on Jul  2 2010

      Copyright © 2010 McAfee, Inc. All Rights Reserved.

      Virus data file v1000 created on Jul 2 2010.

      Ready to scan for 3659 viruses, trojans and variants.

      Scan initiated on Sun Jul 04 19:58:06 2010

      C:\$Recycle.Bin\S-1-5-18\$RYB90V3.zip\Data1.cab\_128D234DF61700B369E578A8F9544028
           Found the Artemis!BEC8351B88F9 trojan !!!

      C:\$Recycle.Bin\S-1-5-18\$RYNEEN2.exe
           Found the Artemis!F00498EC9FC7 trojan !!!

      C:\TOSAPINS\TOSHIBA-Value-Added-Package\Data1.cab\_128D234DF61700B369E578A8F9544028
           Found the Artemis!BEC8351B88F9 trojan !!!

        Number of clean files: 406469

        Number of Trojans: 3


      Ran Stinger again


      sensitivity "Medium" and "Repair"

      no problems found


      LOG

      McAfee® Stinger Version 10.0.1.934 built on Jul  2 2010

      Copyright © 2010 McAfee, Inc. All Rights Reserved.

      Virus data file v1000 created on Jul 2 2010.

      Ready to scan for 3659 viruses, trojans and variants.

      Scan initiated on Sun Jul 04 22:30:27 2010

        Number of clean files: 406474


      Ran Malwarebytes' Anti-Malware


      nothing found in Quick Scan


      LOG

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4276

      Windows 6.0.6002 Service Pack 2 (Safe Mode)
      Internet Explorer 8.0.6001.18928

      04/07/2010 11:52:35 PM
      mbam-log-2010-07-04 (23-52-35).txt

      Scan type: Quick scan
      Objects scanned: 124104
      Time elapsed: 5 minute(s), 19 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
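The Stinger and Malwarebytes reports pasted in this post are fixed-format text, and the three Artemis hits (Artemis is the name McAfee uses for its GTI file-reputation detections, so each hit is a reputation verdict on a file hash rather than a signature match) are the part a responder has to triage: two of them sit in the SYSTEM account's Recycle Bin (the S-1-5-18 folder), and two of them are the very same cab member seen in two places. The following is an added example, not code from the post, from McAfee or from Malwarebytes, that parses report text of this shape into structured detections, flags Recycle Bin and archive-member hits, groups hits that refer to the same archive member, and checks that every Malwarebytes count is zero. The two sample logs are reconstructed from the post (with the forum's line-wrapped file name rejoined) and the function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the first Stinger report from the post, trimmed to the
# lines the parser cares about. Not a live scan result.
STINGER_LOG = r"""
McAfee Stinger Version 10.0.1.934 built on Jul  2 2010
Virus data file v1000 created on Jul 2 2010.
Ready to scan for 3659 viruses, trojans and variants.
Scan initiated on Sun Jul 04 19:58:06 2010
C:\$Recycle.Bin\S-1-5-18\$RYB90V3.zip\Data1.cab\_128D234DF61700B369E578A8F9544028
     Found the Artemis!BEC8351B88F9 trojan !!!
C:\$Recycle.Bin\S-1-5-18\$RYNEEN2.exe
     Found the Artemis!F00498EC9FC7 trojan !!!
C:\TOSAPINS\TOSHIBA-Value-Added-Package\Data1.cab\_128D234DF61700B369E578A8F9544028
     Found the Artemis!BEC8351B88F9 trojan !!!
  Number of clean files: 406469
  Number of Trojans: 3
"""

# Constructed sample: the summary block of the Malwarebytes quick-scan log.
MBAM_LOG = """
Scan type: Quick scan
Objects scanned: 124104
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
"""

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECTION_RE = re.compile(r"^\s*Found the (?P<name>\S+) trojan")
SUMMARY_RE = re.compile(r"^\s*Number of (?P<what>[\w ]+?): (?P<n>\d+)$")
MBAM_COUNT_RE = re.compile(r"^(?P<category>[\w ]+ Infected): (?P<n>\d+)$")
ARCHIVE_EXT = {".zip", ".cab", ".rar", ".7z", ".msi"}


@dataclass
class Detection:
    path: str
    name: str
    in_recycle_bin: bool   # lives under $Recycle.Bin (a deleted file)
    inside_archive: bool   # a member extracted from a container on the path
    is_artemis: bool       # reputation (GTI) verdict rather than a signature


def classify(path: str, name: str) -> Detection:
    parts = PureWindowsPath(path).parts
    in_bin = any(p.lower() == "$recycle.bin" for p in parts)
    # Any component before the final one that carries an archive suffix means
    # the detected object is a member inside that container.
    inside_archive = any(
        PureWindowsPath(p).suffix.lower() in ARCHIVE_EXT for p in parts[:-1]
    )
    return Detection(path, name, in_bin, inside_archive, name.startswith("Artemis!"))


def parse_stinger(text: str):
    """Return (detections, summary). A detection is a drive path line followed
    by an indented 'Found the ... trojan' line; summary holds the count lines."""
    detections, summary, pending_path = [], {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if (m := DETECTION_RE.match(line)) and pending_path:
            detections.append(classify(pending_path, m.group("name")))
            pending_path = None
        elif m := SUMMARY_RE.match(line):
            summary[m.group("what").lower()] = int(m.group("n"))
        elif DRIVE_PATH_RE.match(stripped):
            pending_path = stripped
    return detections, summary


def group_by_member(detections):
    """Group hits by (detection name, final path component): the same archive
    member found in two locations is one object seen twice, not two threats."""
    groups = defaultdict(list)
    for d in detections:
        groups[(d.name, PureWindowsPath(d.path).name)].append(d)
    return dict(groups)


def parse_mbam_counts(text: str) -> dict:
    """Pick up the '<category> Infected: N' lines; the later header lines with
    no number are deliberately ignored."""
    counts = {}
    for line in text.splitlines():
        if m := MBAM_COUNT_RE.match(line.strip()):
            counts[m.group("category")] = int(m.group("n"))
    return counts


def all_clean(counts: dict) -> bool:
    return bool(counts) and all(v == 0 for v in counts.values())


if __name__ == "__main__":
    dets, summary = parse_stinger(STINGER_LOG)
    for d in dets:
        where = "Recycle Bin" if d.in_recycle_bin else "live path"
        kind = "archive member" if d.inside_archive else "file on disk"
        print(f"{d.name:<24} {where:<12} {kind:<15} {d.path}")
    for (name, member), hits in group_by_member(dets).items():
        if len(hits) > 1:
            print(f"{name} hit {len(hits)}x on the same member {member}")
    print("Stinger summary:", summary)
    print("Malwarebytes all clean:", all_clean(parse_mbam_counts(MBAM_LOG)))
```

The grouping step is the useful part for a case like this one: it shows that BEC8351B88F9 is one cab member that Stinger saw both inside the vendor package under C:\TOSAPINS and again inside a zip that the SYSTEM account had deleted, which narrows the question to what that one member is and where it came from, while the Recycle Bin flag explains why the two deleted objects could not be opened for submission.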