Urgent! Ran Ewido anti-malware, have a number of "high-risk" infections "quarantined". Please advise on removal.

Found "Backdoor.Rbot.oh"

and in HKLM\SOFTWARE\Classes\CLSID   Spyware.MiniBug, Spyware.MarketScore

in HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{number}Spyware MarketScore

and under HKU\S\1\long number\Software\Microsoft\Windows\CurrentVersion  Spyware.MarketScore and Spyware.ISTBar

They are "quarantined" in Ewido (free version), but I don't know how I got them, if deleting them through Ewido is enough, or if I need to do more (i.e. to the registry).

I also don't know what is safe to delete rather than quarantine... I would assume all "tracking cookies" could be, but with the changes to the registry, I need advice. This is URGENT.
sheana11Asked:
r-kCommented:
To get a better idea of what we are dealing with, can you please do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

0
 
Purple_SkyCommented:
If you have a high-speed connection, please go to at least two of these sites and run an online virus scan. This will help clear out a lot of the malware first so the analysts can then attack the main infections.

If you already have an Antivirus program make sure you have an updated database for it and run it as well. You need to do both as one scanner may pick up what the other missed.

Be sure to have the AutoFix box(es) checked if they are required.

http://www.pandasoftware.com/products/activescan.htm
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan/license.php

Then do another scan with Ewido. Then we can work on your HJT log.
0

 
sheana11Author Commented:
Hi r-k, did as you said, and here is the link:

http://www.hijackthis.de/#anl
0

 
Purple_SkyCommented:
Panda ActiveScan, BitDefender and Kaspersky online scans should suffice in my opinion. Let us know if Kaspersky finds any malware. The Panda and BitDefender scanners will delete the viruses; Kaspersky will only report them. Run Kaspersky last, and let us know if it finds any infections. IMO your log looks clean. Second and third opinions are more than welcome, as some O16 items may be fixed.
0
 
sheana11Author Commented:
Purple Sky, I am running your scans now, and will let you know the results just as soon as I'm done.

What's an O16 item?
0
 
Purple_SkyCommented:
O16 items are the ActiveX controls. ActiveX objects are programs that are downloaded from web sites and are stored on your computer. These objects are stored in C:\windows\Downloaded Program Files. If you delete them, the next time you want to use them they will be installed to your system: a pop-up would appear and ask you if you would like to install the ActiveX control to your system. Severe infections usually do not reside there. You have plenty of objects in there, as I noticed. These online scans will install their objects in there too. Safe and legitimate.
0
 
r-kCommented:
The HJT log does not show anything really bad going on. It is possible Ewido cleaned things up. Let us know if the online scans you're doing show anything of significance.

If you're not an Earthlink customer you should fix the following entry using HJT:

 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START 

And also fix this in any case:

 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

All those O16 unknown entries are things you probably downloaded at one time from the Internet. If you don't recognize or need any of them you can have HJT fix those ones.
0
 
sheana11Author Commented:
Hi, still running panda, already found 29 spyware infections....
0
 
Purple_SkyCommented:
Panda ActiveScan will not remove the spyware entries, but ActiveScan Pro does. It is also a scanner I use (aSPRO, and I think it's great; the price is very reasonable too). Even if it doesn't remove them for you, at the end of the scan it will give you a report so you can delete them manually (prefer deleting those in safe mode). The Trend Micro spyware scan and BitDefender remove whatever they find (Trend Micro asks you if you want to remove).

I wouldn't be concerned about these for now. Let's wait till you finish the scans; I would be concerned if Kaspersky comes up with an infected entry. Run it last.
0
 
sheana11Author Commented:
Results of Panda Scan


Incident | Status | Location
Adware:adware/powerscan | Not disinfected | c:\windows\system32\intrigue.dll
Adware:adware/ist.istbar | Not disinfected | Windows Registry
Adware:adware/ist.yoursitebar | Not disinfected | Windows Registry
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[2].txt
Spyware:Cookie/bravenetA | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@bravenet[2].txt
Spyware:Cookie/GoStats | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@c3.gostats[2].txt
Spyware:Cookie/Cd Freaks | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cdfreaks[2].txt
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@com[1].txt
Spyware:Cookie/360i | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ct.360i[1].txt
Spyware:Cookie/did-it | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@did-it[2].txt
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[1].txt
Spyware:Cookie/Hitbox | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ehg.hitbox[2].txt
Spyware:Cookie/E-eliminator | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@evidence-eliminator[2].txt
Spyware:Cookie/GoStats | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@gostats[1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@go[2].txt
Spyware:Cookie/Hitbox | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@hitbox[2].txt
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@microsofteup.112.2o7[1].txt
Spyware:Cookie/Hitbox | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@phg.hitbox[2].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@searchportal.information[1].txt
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@statcounter[1].txt
Spyware:Cookie/Target | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@target[2].txt
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@toplist[2].txt
Spyware:Cookie/Traffic Marketplace | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[1].txt
Spyware:Cookie/Tucows | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tucows[1].txt
Spyware:Cookie/Buydomains | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www47.buydomains[1].txt
Spyware:Cookie/Seeq | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www48.seeq[1].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@xiti[1].txt
Adware:Adware/ActiveSearch | Not disinfected | C:\Documents and Settings\HP_Administrator\Desktop\POWER_RATINGS\powerratings.exe[powerratings.dll]
Potentially unwanted tool:Application/KillApp.B | Not disinfected | C:\hp\bin\KillIt.exe
Virus:W32/Bobax.AV.worm | Disinfected | [Pictures.zip][pics.scr]
Virus:Trj/Mitglieder.EK | Disinfected | [The_reporting_of_taxes.rar][Taxes.exe]
0
 
Purple_SkyCommented:
delete this file -----> c:\windows\system32\intrigue.dll

and run the other scans. Seems like two viruses are disinfected already.
0
 
sheana11Author Commented:
Having trouble with the Trend Micro HouseCall scan... installed the Java update (was already updated) and trying again. After I click the scan button, it just hangs trying to load the scanning page.
0
 
rpggamergirlCommented:
I would fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/   
Safe.  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/   
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/         
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/   
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/ 

With those O16 entries, you're better off fixing them unless you visit those sites every day. All O16 entries also load every time IE is opened.
0
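The advice from r-k and rpggamergirl above (fix R0/R1 entries whose start or search URL points somewhere the owner never chose, fix the flagged O4 autostart, review unrecognised O16 ActiveX controls) can be written down as a small triage rule set. The script below is an added example for this thread, not code from HijackThis or from any of the posters: it reads HJT-style lines, and the sample log is constructed from the R0/R1/O4 entries quoted in the thread plus one made-up O16 line with a placeholder CLSID and host. The allowlist of expected hosts and the set of already-flagged executables are inputs the reader supplies.

```python
import re
from urllib.parse import urlparse

# Constructed sample log. The R0/R1/O4 lines are the ones quoted in this thread; the O16 line is
# made up, with a placeholder CLSID and host, to show how a downloaded ActiveX entry is handled.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {PLACEHOLDER-CLSID} (Online Scanner Control) - http://scanner.example/scan.cab
"""

HJT_LINE = re.compile(r"^(?P<section>R[0-3]|O\d+)\s+-\s+(?P<body>.+)$")


def classify_hjt_line(line, expected_hosts, flagged_exes):
    """Return (section, verdict, detail) for one HijackThis entry, or None for any other line.

    expected_hosts: hosts the owner actually chose for the IE start/search pages (e.g. their ISP).
    flagged_exes:   autostart executables already identified as unwanted (upper-case names).
    """
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section.startswith("R"):
        # R0/R1: IE start page and search settings, "<registry key>,<value name> = <url>".
        # A search/start URL pointing at a host the owner never chose is the classic hijack sign.
        key, _, url = body.partition(" = ")
        host = urlparse(url.strip()).hostname or ""
        verdict = "keep" if host in expected_hosts else "fix"
        return (section, verdict, f"{key.split(',')[-1]} -> {host}")

    if section == "O4":
        # O4: programs started from a Run key, "HKLM\..\Run: [Name] command".
        command = body.split("]", 1)[1].strip() if "]" in body else body
        exe = command.split()[0] if command else ""
        verdict = "fix" if exe.upper() in flagged_exes else "review"
        return (section, verdict, exe)

    if section == "O16":
        # O16: ActiveX controls downloaded into Downloaded Program Files; they load whenever IE
        # starts, so anything not recognised is a candidate for removal (it reinstalls on demand).
        url = body.rsplit(" - ", 1)[-1].strip()
        return (section, "review", urlparse(url).hostname or url)

    return (section, "review", body)


def triage_hjt_log(log_text, expected_hosts=frozenset(), flagged_exes=frozenset()):
    """Group every HJT entry in the log under fix / review / keep."""
    buckets = {"fix": [], "review": [], "keep": []}
    for line in log_text.splitlines():
        result = classify_hjt_line(line, expected_hosts, flagged_exes)
        if result:
            section, verdict, detail = result
            buckets[verdict].append((section, detail))
    return buckets


if __name__ == "__main__":
    verdicts = triage_hjt_log(
        SAMPLE_HJT_LOG, expected_hosts={"my.earthlink.net"}, flagged_exes={"ALCMTR.EXE"}
    )
    for verdict, entries in verdicts.items():
        for section, detail in entries:
            print(f"{verdict:6} {section:4} {detail}")
```

Run it with an empty `expected_hosts` and the Earthlink start page lands in the "fix" bucket as well, which is exactly the distinction r-k draws: the same R0 line is fine for an Earthlink customer and a hijack for anyone else, so the allowlist has to come from the machine's owner, not from the log.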
 
Purple_SkyCommented:
Did you install the ActiveX control? Is there a yellow bar under the address bar?
http://www.trendmicro.com/spyware-scan/free_spyware_scan.asp

Try the BitDefender one. They are long scans, so let's not waste your time.
0
 
r-kCommented:
If you want to try more online scans, I recommend this one from Microsoft:

 http://safety.live.com/site/en-US/default.htm

However, I don't think there is anything bad still active on your system. What you are finding is traces of a trojan left behind by Ewido and other programs you may have already run. In other words, while it is not a bad idea to run a few scans, it probably won't make much difference.
0
 
sheana11Author Commented:
Purple Sky, I went to your link and now it's scanning (no yellow bar under the address bar). Will get back as soon as I have results.

Will post results as soon as I get them, and will also do all other recommended scans from r-k and will fix "intrigue.." and "superwebsearch.com".
0
 
sheana11Author Commented:
Trend Micro Results:
Adware: Istware, IbIS.WebSearch, YourSiteBar, 2020Search
Spyware_TRAK_PWStealer
Spyware_KEYL_Astlog
Freeloader_WinFixer

1 Trackware
6 Adware
20 Tracking Cookies
1 Keylogger
1 Trojan
1 Parasite

Should I use the TrendMicro's option to "Clean Threats Now" ?
0
 
Purple_SkyCommented:
Definitely yes. And do the BitDefender and Kaspersky scans. I am sure we have removed the nasties already. There may be remains.
0
 
sheana11Author Commented:
Scanning with Bitdefender now, and already found Win32.Worm.Bobic.E and Trojan.Downloader.Bagle.BU.

This looks like a very LONG scan timewise.
0
 
sheana11Author Commented:
BitDefender Online Scanner

Partial report of BitDefender... took over 3 hours!

Scan report generated at: Mon, May 22, 2006 - 22:41:09
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

Statistics
 Time: 03:19:27
 Files: 1585003
 Folders: 10124
 Boot Sectors: 3
 Archives: 365442
 Packed Files: 106854

Results
 Identified Viruses: 4
 Infected Files: 12
 Suspect Files: 0
 Warnings: 0
 Disinfected: 0
 Deleted Files: 16

Engines Info
 Virus Definitions: 376146
 Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
 Scan plugins: 13
 Archive plugins: 40
 Unpack plugins: 4
 E-mail plugins: 6
 System plugins: 1

Scan Settings
 First Action: Disinfect
 Second Action: Delete
 Heuristics: Yes
 Enable Warnings: Yes
 Scanned Extensions: *;
 Exclude Extensions:
 Scan Emails: Yes
 Scan Archives: Yes
 Scan Packed: Yes
 Scan Files: Yes
 Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar=>Taxes.exe
 Infected with: Trojan.Downloader.Bagle.BU

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar=>Taxes.exe
 Disinfection failed

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar=>Taxes.exe
 Deleted

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar
 Updated

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)
 Updated

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)
 Updated

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx
 Update failed

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\SEPTEMBER 2005.dbx=>(message 6746)=>[Subject: Finally! Captured!][Date: Sun, 31 Jul 2005 05:33:55 -0400]=>(MIME part)=>Pictures.zip=>pics.scr
 Infected with: Win32.Worm.Bobic.E

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\SEPTEMBER 2005.dbx=>(message 6746)=>[Subject: Finally! Captured!][Date: Sun, 31 Jul 2005 05:33:55 -0400]=>(MIME part)=>Pictures.zip=>pics.scr
 Deleted
0
 
sheana11Author Commented:
I'm only posting the items that failed, not anything marked "clean".

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2918A5=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NX

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2918A5=>(Quarantine-2)
 Disinfection failed

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2918A5=>(Quarantine-2)
 Deleted

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2C42A2=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NZ

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2C42A2=>(Quarantine-2)
 Disinfection failed

C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2C42A2=>(Quarantine-2)
 Deleted

C:\RECYCLER\NPROTECT\00179995=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NX

C:\RECYCLER\NPROTECT\00179995=>(Quarantine-2)
 Disinfection failed

C:\RECYCLER\NPROTECT\00179995=>(Quarantine-2)
 Deleted

C:\RECYCLER\NPROTECT\00179996=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NZ

C:\RECYCLER\NPROTECT\00179996=>(Quarantine-2)
 Disinfection failed

C:\RECYCLER\NPROTECT\00179996=>(Quarantine-2)
 Deleted
0
 
Purple_SkyCommented:
Empty C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\

Empty the recycle bin.
0
 
sheana11Author Commented:
There are only 2 files under Quarantine...Incoming and Portal, and both are already empty. Do I delete them?

For Recycle bin, when I try to empty "Norton Protected Recycle Bin" it says "there are 1500 protected files total on drive C:"
"You have 1393 protected files on drive C:"

The choices are "PURGE YOURS", "PURGE ALL" and "CANCEL" ....what happens with each choice?

Also, I re-ran the EWIDO scan:

ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:                  9:37:39 AM, 05/23/2006
 + Report-Checksum:            9E179231

 + Scan result:

      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ehg-autodesk.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@phg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@powellsbooks.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
      C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup


::Report End
0
 
Purple_SkyCommented:
Right-click on the recycle bin and pick "Empty Recycle Bin", or pick "Explore" and delete everything that way. You can, but don't need to, delete the folders Incoming and Portal.

You don't have to worry about the cookies that Ewido found. But if you have WeatherBug installed on your system, uninstall it via Add/Remove Programs.

Let's run a Kaspersky online scan to top this off: www.kaspersky.com

After all that I'll give you tips for prevention.
0
 
sheana11Author Commented:
Running the Kaspersky scan right now. Hit "Explore" on the recycle bin... completely empty.
0
 
sheana11Author Commented:
-------------------------------------------------------------------------------
Results of  KASPERSKY ON-LINE SCANNER REPORT
 Tuesday, May 23, 2006 12:17:51 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky On-line Scanner version: 5.0.78.0
 Kaspersky Anti-Virus database last update: 23/05/2006
 Kaspersky Anti-Virus database records: 184016
-------------------------------------------------------------------------------

Scan Settings:
      Scan using the following antivirus database: standard
      Scan Archives: true
      Scan Mail Bases: true

Scan Target - My Computer:
      C:\
      D:\
      E:\
      F:\
      G:\
      H:\
      I:\
      J:\

Scan Statistics:
      Total number of scanned objects: 147505
      Number of viruses found: 3
      Number of infected objects: 18
      Number of suspicious objects: 0
      Duration of the scan process: 01:29:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\BACKUP_INBOX.dbx      Mail MS Outlook 5: infected - 1      skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{9C48F25F-237F-4ACA-908B-D0D2F354F6DF}\Microsoft\Outlook Express\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{9C48F25F-237F-4ACA-908B-D0D2F354F6DF}\Microsoft\Outlook Express\BACKUP_INBOX.dbx      Mail MS Outlook 5: infected - 1      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:39 -0800]/UNNAMED/html      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:39 -0800]/UNNAMED      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:52 -0800]/UNNAMED/html      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:52 -0800]/UNNAMED      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sun, 17 Jul 2005 22:31:44 +0900]/UNNAMED/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sun, 17 Jul 2005 22:31:44 +0900]/UNNAMED      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx      Mail MS Outlook 5: infected - 6      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx/[From =?iso-8859-1?B?c2VydmljZXNAcGF5cGFsLmNvbQ==?= <services@paypal.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED/UNNAMED/html      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx/[From =?iso-8859-1?B?c2VydmljZXNAcGF5cGFsLmNvbQ==?= <services@paypal.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED/UNNAMED      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx/[From =?iso-8859-1?B?c2VydmljZXNAcGF5cGFsLmNvbQ==?= <services@paypal.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx      Mail MS Outlook 5: infected - 3      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\DOUG_BENCH_FREE_WEBINAR\0A_EMAILBACKUP_10_11_05\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/UNNAMED/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\DOUG_BENCH_FREE_WEBINAR\0A_EMAILBACKUP_10_11_05\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/UNNAMED      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\DOUG_BENCH_FREE_WEBINAR\0A_EMAILBACKUP_10_11_05\BACKUP_INBOX.dbx      Mail MS Outlook 5: infected - 2      skipped

Scan process completed.
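The scan output above reports phishing messages detected inside Outlook Express .dbx mail-store backups rather than on live files. The following Python example is added here and is not code from this thread or from any scanner vendor: it parses lines in that output format, groups hits by the mail store that contains them, separates hits on plain files, and cross-checks each store's hit count against the scanner's own "infected - N" summary line. The sample lines, paths, senders and the last detection name are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed lines in the shape of the online-scanner output above: two hits
# inside one Outlook Express .dbx mail store, that store's summary line, and
# one hit on a plain file. Paths, senders and the last name are placeholders.
SAMPLE_LOG = r"""
C:\Backup\AUGUST 2005.dbx/[From "PayPal" <billing@example.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED/html      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Backup\AUGUST 2005.dbx/[From "PayPal" <billing@example.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Backup\AUGUST 2005.dbx      Mail MS Outlook 5: infected - 2      skipped
C:\Downloads\setup.exe      Infected: Example.Constructed.Detection      skipped
"""

COLUMN_SEP = re.compile(r"\t|\s{2,}")          # columns: path, status, action
DETECTION = re.compile(r"^Infected: (.+)$")
STORE_SUMMARY = re.compile(r"^Mail MS Outlook 5: infected - (\d+)$")
# A hit inside a mail store looks like <store>.dbx/[From <sender>][Date <date>]/...
MESSAGE = re.compile(r"^(?P<store>.+?\.dbx)/\[From (?P<sender>[^\]]+)\]\[Date (?P<date>[^\]]+)\]")


def parse_scan_log(text):
    """Return (detections, store_counts): one dict per 'Infected:' line and
    the scanner's own per-store 'infected - N' totals."""
    detections, store_counts = [], {}
    for line in text.splitlines():
        cols = [c for c in COLUMN_SEP.split(line.strip()) if c]
        if len(cols) < 2:
            continue
        path, status = cols[0], cols[1]
        if m := STORE_SUMMARY.match(status):
            store_counts[path] = int(m.group(1))
        elif m := DETECTION.match(status):
            rec = {"path": path, "name": m.group(1),
                   "store": None, "sender": None, "date": None}
            if hdr := MESSAGE.match(path):
                rec.update(hdr.groupdict())   # store/sender/date of the message
            detections.append(rec)
    return detections, store_counts

def summarize(text):
    """Group hits by mail store, list hits on plain files (the ones that
    matter for a live infection), and cross-check counts per store."""
    detections, store_counts = parse_scan_log(text)
    by_store, plain_files = defaultdict(list), []
    for d in detections:
        (by_store[d["store"]] if d["store"] else plain_files).append(d)
    mismatches = {s: (len(hits), store_counts.get(s))
                  for s, hits in by_store.items() if store_counts.get(s) != len(hits)}
    return {"mail_store_hits": dict(by_store), "plain_file_hits": plain_files,
            "count_mismatches": mismatches}
```

A non-empty "count_mismatches" means the pasted log is incomplete for that store (some of its lines were cut off), which is worth knowing before deciding that only backups are affected.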
 
Purple_SkyCommented:
These are all in your backups. You may delete them if you wish. Norton spam filter seems to pick them up.

Besides this minor issue your system can be declared clean. Congratulations.

Prevention:

This is a good time to set up protection against further attacks. Read TonyKlein's How Did I Get Infected In The First Place? http://castlecops.com/postlite7736-.html and Kevin's tutorial http://www.greyknight17.com/spyware.php . You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

System Restore:

To turn off System Restore, click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK.

Turn on System Restore by clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

Good Luck. :)

Microsoft Updates:

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft's Windows Update site and download all the critical updates to help prevent possible re-infection.
 
r-kCommented:
Yes, all good points. The number one way in which computers get infected these days is if you're careless about what you click on. This is mainly in three places - email attachments, links within emails, and dubious web sites, esp. web pop-ups. Remember that just because something "looks" legitimate, or seems to have the return address of someone you know, is no guarantee of anything. If you were not expecting it, don't click on it. The safe way to close web pop-ups is by right-clicking in their title bar and selecting "Close", or by using the ALT-F4 key.

Good luck.

 
Purple_SkyCommented:
Let us know if you have any problems.
 
sheana11Author Commented:
Thanks for your superior help!  Experts-Exchange is awesome!
Question has a verified solution.