Happy Birthday to me: A clean computer?

[JohnS]

RiP,

Here is the Kaspersky log you asked to see. Looks yucky to me...but hope I'm wrong! Note that the first item on the list is flagged: the file contains a plain text javascript code snippet that I copied to try to explore how the script worked. I guess the scan found/matched the code structure? Should I delete that plain text file?

Best regards,
John

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 21, 2007 1:06:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/12/2007
Kaspersky Anti-Virus database records: 490570
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 112171
Number of viruses found: 9
Number of infected objects: 19
Number of suspicious objects: 6
Duration of the scan process: 02:01:13

Infected Object Name / Virus Name / Last Action
C:\Data - John\GLORY\UnixSite\Transition\JS_virus_code.txt Infected: Trojan-Downloader.JS.Psyme.hz skipped <--- Note: This file is a virus code snippet that I copied as PLAIN TEXT in an attempt to analyze what it was all about.
C:\Data - John\OldMail\mailbox.pst/Personal Folders/Deleted Items/08 Nov 2002 19:00 from inet/MESSAGE.TXT/[From inet <inet@microsoft.com>][Date Fri, 8 Nov 2002 13:51:26 -0500 (EST)]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Data - John\OldMail\mailbox.pst/Personal Folders/Deleted Items/08 Nov 2002 19:00 from inet/MESSAGE.TXT Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Data - John\OldMail\mailbox.pst Mail MS Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\John\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\John\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\MSHist012007122120071222\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temp\~DF619C.tmp Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temp\~DFBA70.tmp Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\My Documents\status.eml/[From The Post Office <noreply@thealliancefci.com>][Date Tue, 27 Jul 2004 15:45:38 -0400]/thealliancefci.com Infected: Email-Worm.Win32.Mydoom.m.log skipped
C:\Documents and Settings\John\My Documents\status.eml Mail: infected - 1 skipped
C:\Documents and Settings\John\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\df87173.exe.vir Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\qoobox\Quarantine\C\WINDOWS\hg173.exe.vir Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\coswkeyy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cwclljvx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\fevsiyhl.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ukkpkxlu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\vtcadgen.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0014724.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP421\A0014740.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP421\A0014753.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\A0014787.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\A0014925.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\A0014943.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423\A0015003.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\A0015110.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\A0015119.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\A0015137.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426\A0015145.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP427\A0015166.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\A0015227.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP428\A0015248.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP429\A0015319.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015386.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015431.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015529.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015536.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015537.dll Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015538.exe Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015541.dll Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015624.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015628.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015629.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ak skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015634.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015715.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP430\A0015716.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP435\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\outlook.pst/Personal Folders/Deleted Items/08 Nov 2002 19:00 from inet:/MESSAGE.TXT/[From inet <inet@microsoft.com>][Date Fri, 8 Nov 2002 13:51:26 -0500 (EST)]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\WINDOWS\outlook.pst/Personal Folders/Deleted Items/08 Nov 2002 19:00 from inet:/MESSAGE.TXT Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\WINDOWS\outlook.pst Mail MS Mail: suspicious - 2 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9FBBB8C6-DA3D-4901-9625-78C6897FD558}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\TEMP\mcafee_YiGU1ZkcTRinuzh Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_9HU0lDIxS8sl5YV Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_IhzuNTBokN7BezL Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_tvedced6ztxtF7d Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_yWfWpJaHVHWuacm Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\io43mvuiw4kj.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

[__RiP_ChAiN_]

Hello JohnS,

I guess the scan found/matched the code structure?

Sounds about right, you can probably leave the text file alone, as long as it is never turned into an executable file you should be fine with it.

The rest of the flagged entries point to this one email:

/[From The Post Office <noreply@thealliancefci.com>][Date Tue, 27 Jul 2004 15:45:38 -0400]/thealliancefci.com

Do you think you can find and permanently delete this message? If you can do that, the rest of the scan turned up fine with nothing to worry about.

That being said, how is your computer currently running?

[JohnS]

Hi RiP,

I deleted that email that you mentioned.

After reboot, things seemed to be working better than they have for quite some time. No popup windows. No warnings coming from my McAfee. Of course, I'm not cruising around and doing much at this point...

Guess I'm kind of afraid of getting reinfected before following the steps here in Safer Networking about making my computer safer (updating to SP2, newer version of JavaVM, upgrading to IE7, etc).

At the time of this post, I'm running another Spybot S&D to be safe. After that, I'm going to run a full system scan with my McAfee AV. I'll post back the results I get from those two procedures when they finish up.

I really do appreciate all the help so far.

Assuming that my reports come back clean, is there a definitive thread here that I can follow with all the steps needed to get myself as close to safe as possible so that I don't have to bother you guys again?

Best regards,
John

[__RiP_ChAiN_]

Hello JohnS,

At the time of this post, I'm running another Spybot S&D to be safe. After that, I'm going to run a full system scan with my McAfee AV. I'll post back the results I get from those two procedures when they finish up.

Sounds like a plan, let me know how it goes

Assuming that my reports come back clean, is there a definitive thread here that I can follow with all the steps needed to get myself as close to safe as possible so that I don't have to bother you guys again?

There is indeed some last advice I post, once the computer has been fully cleaned and is working well again.

[JohnS]

RiP,

Ran a final S&D...showed a couple of minor cookies from the Kaspersky site. Wiped them out.

On McAfee AV, my first scan showed a few infected items linked to that MoveIt program and something in a "QOOBOX/QUARANTINE" path. McAfee removed both of those on its own. It asked me about removing something called "Spruce Soft" that was showing up in a couple of "SYSTEM VOLUME INFORMATION\-RESTORE{xxxxx}" paths. I clicked the remove link for that.

Did another McAfee scan. Just one of those "SYSTEM - RESTORE" items showed up this time. Removed it.

Final McAfee scan showed nothing. Completely clean. Yay!

I haven't really been surfing with the (formerly) infected computer during these last couple of weeks while you were helping me. But I did download some mail and it came in a LOT quicker than what it had been. The few programs that I've been working with seem to be peppier. Also, I have had a Windows warning window opening during my start-ups for the past year or so...something about an "ibm.dll file not found" or something like that. I would just click closed that window and go on with my business. That window does NOT display on start-up now.

Don't know how much that info matters, but wanted to let you know the full story.

Best regards,
John

PS: How do I get a donation to you guys for all the great help you've provided here?

[__RiP_ChAiN_]

Hello JohnS,

PS: How do I get a donation to you guys for all the great help you've provided here?

There really is no need for a donation, what we do here is free of charge for everyone, please do tell your friends about us though. If you really do want to donate let me know though, and I'll get you a link for the sites donation page.

Go ahead and delete the following folder:

C:\Qoobox

Go ahead and remove any tools we used during your fix now, as they will no longer be needed.

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
3. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   
   Understanding and Using Firewalls
   
5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
6. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

[tashi]

PS: How do I get a donation to you guys for all the great help you've provided here?

For those who request such, Donate

Cheers.