
Solved

Urgent! Ran Ewido anti-malware, have number of "high-risk" infections "quarantined". Please advise on removal.

Posted on 2006-05-22
Medium Priority
1,369 Views
Last Modified: 2010-04-11
Found "Backdoor.Rbot.oh"

and in HKLM\SOFTWARE\Classes\CLSID   Spyware.MiniBug, Spyware.MarketScore

in HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{number}Spyware MarketScore

and under HKU\S\1\long number\Software\Microsoft\Windows\CurrentVersion  Spyware.MarketScore and Spyware.ISTBar

They are "quarantined" in EWIDO (free version), but I don't know how I got them, if deleting them through Ewido is enough, or if I need to do more (i.e. to the registry).

I also don't know what is safe to delete rather than quarantine.....I would assume all "tracking cookies" could be, but with the changes to the registry, I need advice. This is URGENT.
Question by:sheana11
31 Comments
 
LVL 32

Assisted Solution

by:r-k
r-k earned 400 total points
ID: 16734955
To get a better idea of what we are dealing with, can you please do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

 
LVL 4

Accepted Solution

by:
Purple_Sky earned 1600 total points
ID: 16734981
If you have a high-speed connection, please go to at least two of these sites and run an online virus scan. This will help clear out a lot of the malware first so the analysts can then attack the main infections.

If you already have an Antivirus program make sure you have an updated database for it and run it as well. You need to do both as one scanner may pick up what the other missed.

Be sure to have the AutoFix box(es) checked if they are required.

http://www.pandasoftware.com/products/activescan.htm
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan/license.php

Then do another scan with Ewido. Then we can work on your HJT log.
 

Author Comment

by:sheana11
ID: 16736568
Hi r-k, did as you said, and here is the link:

http://www.hijackthis.de/#anl
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16736683
Panda ActiveScan, BitDefender and Kaspersky online scans should suffice in my opinion. Let us know if Kaspersky finds any malware. Panda and BitDefender scanners will delete the viruses; Kaspersky will only report them. Run Kaspersky last, and let us know if it finds any infections. IMO your log looks clean. Second and third opinions are more than welcome, as some O16 items may be fixed.
 

Author Comment

by:sheana11
ID: 16736736
Purple Sky, I am running your scans now, and will let you know the results just as soon as I'm done.

What's an O16 item?
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16736789
O16 items are the ActiveX controls. ActiveX objects are programs that are downloaded from web sites and are stored on your computer. These objects are stored in C:\windows\Downloaded Program Files. If you delete them, the next time you want to use them they will be installed to your system: a pop-up would appear and ask you if you would like to install the ActiveX control on your system. Severe infections usually do not reside there. You have plenty of objects in there, as I noticed. These online scans will install their objects in there too. Safe and legitimate.
 
LVL 32

Expert Comment

by:r-k
ID: 16736855
The HJT log does not show anything really bad going on. It is possible Ewido cleaned things up. Let us know if the online scans you're doing show anything of significance.

If you're not an Earthlink customer you should fix the following entry using HJT:

 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START 

And also fix this in any case:

 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

All those O16 unknown entries are things you probably downloaded at one time from the Internet. If you don't recognize or need any of them you can have HJT fix those ones.
 

Author Comment

by:sheana11
ID: 16737384
Hi, still running panda, already found 29 spyware infections....
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16737464
Panda ActiveScan will not remove the spyware entries, but ActiveScan Pro does. It is also a scanner I use (aSPRO, and I think it's great; the price is very reasonable too). Even if it doesn't remove them for you, at the end of the scan it will give you a report so you can delete them manually. (Prefer deleting those in safe mode.) Trend Micro's spyware scan and BitDefender remove whatever they find (Trend Micro asks you if you want to remove).

I wouldn't be concerned about these for now. Let's wait till you finish the scans, and I would be concerned if Kaspersky comes up with an infected entry. Run it last.
 

Author Comment

by:sheana11
ID: 16737861
Results of Panda Scan


Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Adware:adware/powerscan                                                         Not disinfected               c:\windows\system32\intrigue.dll                                                                                                                                                                                                                                
Adware:adware/ist.istbar                                                        Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Adware:adware/ist.yoursitebar                                                   Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Spyware:Cookie/2o7                                                              Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt                                                                                                                                                                                  
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[2].txt                                                                                                                                                                                
Spyware:Cookie/bravenetA                                                        Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@bravenet[2].txt                                                                                                                                                                            
Spyware:Cookie/GoStats                                                          Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@c3.gostats[2].txt                                                                                                                                                                          
Spyware:Cookie/Cd Freaks                                                        Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cdfreaks[2].txt                                                                                                                                                                            
Spyware:Cookie/Com.com                                                          Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@com[1].txt                                                                                                                                                                                  
Spyware:Cookie/360i                                                             Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ct.360i[1].txt                                                                                                                                                                              
Spyware:Cookie/did-it                                                           Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@did-it[2].txt                                                                                                                                                                              
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[1].txt                                                                                                                                                                          
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ehg.hitbox[2].txt                                                                                                                                                                          
Spyware:Cookie/E-eliminator                                                     Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@evidence-eliminator[2].txt                                                                                                                                                                  
Spyware:Cookie/GoStats                                                          Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@gostats[1].txt                                                                                                                                                                              
Spyware:Cookie/Go                                                               Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@go[2].txt                                                                                                                                                                                  
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@hitbox[2].txt                                                                                                                                                                              
Spyware:Cookie/2o7                                                              Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@microsofteup.112.2o7[1].txt                                                                                                                                                                
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@phg.hitbox[2].txt                                                                                                                                                                          
Spyware:Cookie/Searchportal                                                     Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@searchportal.information[1].txt                                                                                                                                                            
Spyware:Cookie/Statcounter                                                      Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@statcounter[1].txt                                                                                                                                                                          
Spyware:Cookie/Target                                                           Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@target[2].txt                                                                                                                                                                              
Spyware:Cookie/Toplist                                                          Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@toplist[2].txt                                                                                                                                                                              
Spyware:Cookie/Traffic Marketplace                                              Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@trafficmp[1].txt                                                                                                                                                                            
Spyware:Cookie/Tucows                                                           Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tucows[1].txt                                                                                                                                                                              
Spyware:Cookie/Buydomains                                                       Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www47.buydomains[1].txt                                                                                                                                                                    
Spyware:Cookie/Seeq                                                             Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www48.seeq[1].txt                                                                                                                                                                          
Spyware:Cookie/Xiti                                                             Not disinfected               C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@xiti[1].txt                                                                                                                                                                                
Adware:Adware/ActiveSearch                                                      Not disinfected               C:\Documents and Settings\HP_Administrator\Desktop\POWER_RATINGS\powerratings.exe[powerratings.dll]                                                                                                                                                            
Potentially unwanted tool:Application/KillApp.B                                 Not disinfected               C:\hp\bin\KillIt.exe                                                                                                                                                                                                                                            
Virus:W32/Bobax.AV.worm                                                         Disinfected                   [Pictures.zip][pics.scr]                                                                                                                                                                                                                                        
Virus:Trj/Mitglieder.EK                                                         Disinfected                   [The_reporting_of_taxes.rar][Taxes.exe]                                                                                                                                                                                                                        
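The question the author opened with, what is safe to delete outright versus what needs a registry fix, can be answered by sorting a report like the one above by incident type and location. The script below is an added example, not part of the thread and not a Panda tool: it parses a re-aligned subset of the Panda report posted above (the lines are the thread's own, the column alignment is constructed) and sorts each line into an action bucket, keeping tracking cookies, registry-only entries, already-disinfected mail attachments and on-disk files apart. The bucket names and the wording of the to-do list are the example's own.

```python
"""Sort the findings in a Panda ActiveScan-style report into action buckets.

Each report line has three columns (Incident, Status, Location) separated by
runs of two or more spaces.  The buckets separate what the scanner already
handled, what is only a cookie, what lives only in the registry, and what
is a real file that has to be removed by hand.
"""
import re

# Constructed sample: a subset of the report posted in the thread, re-aligned.
SAMPLE_REPORT = r"""Incident                                          Status             Location
Adware:adware/powerscan                           Not disinfected    c:\windows\system32\intrigue.dll
Adware:adware/ist.istbar                          Not disinfected    Windows Registry
Spyware:Cookie/2o7                                Not disinfected    C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt
Spyware:Cookie/Doubleclick                        Not disinfected    C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[1].txt
Adware:Adware/ActiveSearch                        Not disinfected    C:\Documents and Settings\HP_Administrator\Desktop\POWER_RATINGS\powerratings.exe[powerratings.dll]
Potentially unwanted tool:Application/KillApp.B   Not disinfected    C:\hp\bin\KillIt.exe
Virus:W32/Bobax.AV.worm                           Disinfected        [Pictures.zip][pics.scr]
Virus:Trj/Mitglieder.EK                           Disinfected        [The_reporting_of_taxes.rar][Taxes.exe]
"""

# Bucket names are this example's own, not Panda terminology.
BUCKETS = ("already_cleaned", "tracking_cookies", "registry_only", "review_first",
           "inside_container", "component_in_file", "files_to_remove")

_SPLIT = re.compile(r"\s{2,}")          # column separator: two or more spaces


def parse_report(text):
    """Return (incident, status, location) tuples, skipping the header."""
    rows = []
    for raw in text.splitlines():
        parts = _SPLIT.split(raw.strip(), maxsplit=2)
        if len(parts) != 3 or parts[0] == "Incident":
            continue
        rows.append(tuple(parts))
    return rows


def classify(incident, status, location):
    """Map one report row to an action bucket; order of the checks matters."""
    if status.lower() == "disinfected":
        return "already_cleaned"                    # scanner already dealt with it
    if incident.startswith("Spyware:Cookie/"):
        return "tracking_cookies"                   # plain text file, safe to delete
    if location == "Windows Registry":
        return "registry_only"                      # no file; needs HJT/regedit
    if incident.startswith("Potentially unwanted tool"):
        return "review_first"                       # may be a legitimate utility
    if location.startswith("["):
        return "inside_container"                   # archive/mail member, no disk path
    if re.search(r"\.\w+\[[^\]]+\]$", location):
        return "component_in_file"                  # e.g. foo.exe[bar.dll]
    return "files_to_remove"


def triage(text):
    buckets = {b: [] for b in BUCKETS}
    for incident, status, location in parse_report(text):
        buckets[classify(incident, status, location)].append((incident, location))
    return buckets


def manual_actions(buckets):
    """To-do list for everything the scanner left untouched."""
    todo = []
    for _inc, loc in buckets["files_to_remove"]:
        todo.append(f"delete file (safe mode): {loc}")
    for _inc, loc in buckets["component_in_file"]:
        todo.append(f"delete host file (safe mode): {loc.split('[', 1)[0]}")
    for inc, _loc in buckets["registry_only"]:
        todo.append(f"fix registry entries for {inc} (HijackThis or regedit)")
    for inc, loc in buckets["review_first"]:
        todo.append(f"identify before removing: {loc} ({inc})")
    for _inc, loc in buckets["tracking_cookies"]:
        todo.append(f"delete cookie: {loc}")
    return todo


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name in BUCKETS:
        print(f"{name}: {len(result[name])}")
    print("\n".join(manual_actions(result)))
```

Items that end up in `inside_container` or `already_cleaned` are attachments inside archives or mail stores; the later BitDefender and Kaspersky reports in this thread show the same two attachments being found again inside the Outlook Express .dbx files, which is why a container hit is listed separately from a loose file on disk.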
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16737903
delete this file -----> c:\windows\system32\intrigue.dll

and run the other scans. Seems like two viruses are disinfected already.
 

Author Comment

by:sheana11
ID: 16738445
Having trouble with trendmicro housecall scan....installed java update (was already updated) and trying again. After I click the scan button, it just hangs trying to load the scanning page.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16738495
I would fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/   
Safe.  
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/   
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/         
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/   
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/ 

With those O16 entries, you're better off fixing them unless you visit those sites every day. All O16 entries also load every time IE is opened.
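The R0/R1, O4 and O16 entries that r-k and rpggamergirl single out above can be picked out of an HJT log mechanically. The script below is an added example, not part of the thread and not a HijackThis feature: it reads the HJT lines quoted in this thread plus a few constructed ones and flags the same three kinds of entry (IE start/search settings pointing at an unexpected host, autoruns that name a bare executable, and ActiveX objects that are unidentified or fetched from an unexpected host). The two allow-lists of hostnames are assumptions to edit for the machine in question, and a flagged line is a candidate for review, not a verdict.

```python
"""Triage of a HijackThis (HJT) log.

Flags three kinds of entries:
  * R0/R1 - IE start/search settings whose URL host is not on an allow-list
  * O4    - autorun entries whose command is a bare executable name
  * O16   - Downloaded Program Files (ActiveX) objects that are unidentified
            or whose codebase host is not on an allow-list
"""
import re
from urllib.parse import urlparse

# Allow-lists are assumptions for this example; adjust them per machine
# (drop my.earthlink.net if the user is not an Earthlink customer).
TRUSTED_BROWSER_HOSTS = {"my.earthlink.net", "www.google.com", "www.msn.com"}
TRUSTED_ACTIVEX_HOSTS = {"download.macromedia.com", "www.update.microsoft.com"}

# Constructed sample: the HJT lines quoted in the thread plus three made-up
# lines (ccApp, Shockwave Flash, example-adware.invalid) for contrast.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (unknown) - http://www.example-adware.invalid/toolbar.cab
"""

_R_LINE = re.compile(r"^(?P<sec>R[0-3]) - (?P<key>.+?) = (?P<url>\S+)$")
_O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O16_LINE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage(log_text):
    """Return a list of {'section', 'reason', 'line'} dicts for suspect entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := _R_LINE.match(line)):
            host = _host(m.group("url"))
            if host not in TRUSTED_BROWSER_HOSTS:
                findings.append({"section": m.group("sec"),
                                 "reason": f"IE setting points at {host}",
                                 "line": line})
        elif (m := _O4_LINE.match(line)):
            cmd = m.group("cmd").strip()
            # A bare name is resolved through the PATH search order at logon,
            # so the file must be located on disk before the entry is trusted.
            if "\\" not in cmd and "/" not in cmd:
                findings.append({"section": "O4",
                                 "reason": f"autorun [{m.group('name')}] names a bare executable: {cmd}",
                                 "line": line})
        elif (m := _O16_LINE.match(line)):
            desc = m.group("desc").strip().lower()
            host = _host(m.group("url"))
            reasons = []
            if not desc or "unknown" in desc:
                reasons.append("unidentified ActiveX object")
            if host not in TRUSTED_ACTIVEX_HOSTS:
                reasons.append(f"codebase host {host} not on allow-list")
            if reasons:
                findings.append({"section": "O16", "reason": "; ".join(reasons), "line": line})
    return findings


def summarize(findings):
    """Count findings per HJT section family (all R* entries grouped as 'R')."""
    counts = {}
    for f in findings:
        key = "R" if f["section"].startswith("R") else f["section"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['line']}")
```

On the sample, the three superwebsearch.com lines, the Alcmtr autorun and the unidentified O16 object are flagged; the Earthlink start page, the full-path autorun and the Flash object are not. Whether a flagged entry is then "fixed" in HJT is still a human call, exactly as r-k's Earthlink caveat shows.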
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16738502
Did you install the ActiveX control? Is there a yellow bar under the address bar?
http://www.trendmicro.com/spyware-scan/free_spyware_scan.asp

Try the BitDefender one. They are long scans, so let's not waste your time.
 
LVL 32

Expert Comment

by:r-k
ID: 16738503
If you want to try more online scans, I recommend this one from Microsoft:

 http://safety.live.com/site/en-US/default.htm

However, I don't think there is anything bad still active on your system. What you are finding is traces of a trojan left behind by Ewido and other programs you may have already run. In other words, while it's not a bad idea to run a few scans, it probably won't make much difference.
 

Author Comment

by:sheana11
ID: 16738552
Purple Sky, I went to your link and now it's scanning.(no yellow bar under the address bar). Will get back as soon as have results.

Will post results as soon as I get them, and will also do all other recommended scans from r-k and will fix "intrigue.." and "superwebsearch.com"
 

Author Comment

by:sheana11
ID: 16738656
Trend Micro Results:
Adware: Istware, IbIS.WebSearch, YourSiteBar, 2020Search
Spyware_TRAK_PWStealer
Spyware_KEYL_Astlog
Freeloader_WinFixer

1 Trackware
6 Adware
20 Tracking Cookies
1 Keylogger
1 Trojan
1 Parasite

Should I use the TrendMicro's option to "Clean Threats Now" ?
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16738694
Definitely yes. And do the BitDefender and Kaspersky scans. I am sure we have removed the nasties already. There may be remains.
 

Author Comment

by:sheana11
ID: 16738845
Scanning with Bitdefender now, and already found Win32.Worm.Bobic.E and Trojan.Downloader.Bagle.BU.

This looks like a very LONG scan timewise.
 

Author Comment

by:sheana11
ID: 16741590
BitDefender Online Scanner
Scan report generated at: Mon, May 22, 2006 - 22:41:09
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

Statistics
 Time: 03:19:27
 Files: 1585003
 Folders: 10124
 Boot Sectors: 3
 Archives: 365442
 Packed Files: 106854

Results
 Identified Viruses: 4
 Infected Files: 12
 Suspect Files: 0
 Warnings: 0
 Disinfected: 0
 Deleted Files: 16

Engines Info
 Virus Definitions: 376146
 Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
 Scan plugins: 13
 Archive plugins: 40
 Unpack plugins: 4
 E-mail plugins: 6
 System plugins: 1

Scan Settings
 First Action: Disinfect
 Second Action: Delete
 Heuristics: Yes
 Enable Warnings: Yes
 Scanned Extensions: *;
 Exclude Extensions:
 Scan Emails: Yes
 Scan Archives: Yes
 Scan Packed: Yes
 Scan Files: Yes
 Scan Boot: Yes

Scanned File / Status
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar=>Taxes.exe
 Infected with: Trojan.Downloader.Bagle.BU
 
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar=>Taxes.exe
 Disinfection failed
 
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar=>Taxes.exe
 Deleted
 
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)=>The_reporting_of_taxes.rar
 Updated
 
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)=>[Subject: ][Date: Fri, 12 Aug 2005 16:03:39 +0100]=>(MIME part)
 Updated
 
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx=>(message 2265)
 Updated
Partial Report of BitDefender...took over 3 hours!  
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\AUGUST 2005.dbx
 Update failed
 
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\SEPTEMBER 2005.dbx=>(message 6746)=>[Subject: Finally! Captured!][Date: Sun, 31 Jul 2005 05:33:55 -0400]=>(MIME part)=>Pictures.zip=>pics.scr
 Infected with: Win32.Worm.Bobic.E
 
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\SEPTEMBER 2005.dbx=>(message 6746)=>[Subject: Finally! Captured!][Date: Sun, 31 Jul 2005 05:33:55 -0400]=>(MIME part)=>Pictures.zip=>pics.scr
 Deleted
 
 
 

Author Comment

by:sheana11
ID: 16741601
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2918A5=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NX
 
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2918A5=>(Quarantine-2)
 Disinfection failed
 
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2918A5=>(Quarantine-2)
 Deleted
 
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2C42A2=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NZ
 
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2C42A2=>(Quarantine-2)
 Disinfection failed
 
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\6B2C42A2=>(Quarantine-2)
 Deleted
 
C:\RECYCLER\NPROTECT\00179995=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NX
 
C:\RECYCLER\NPROTECT\00179995=>(Quarantine-2)
 Disinfection failed
 
C:\RECYCLER\NPROTECT\00179995=>(Quarantine-2)
 Deleted
 
I'm only posting the items that failed, not anything marked "clean"

C:\RECYCLER\NPROTECT\00179996=>(Quarantine-2)
 Infected with: Trojan.Downloader.IstBar.NZ
 
C:\RECYCLER\NPROTECT\00179996=>(Quarantine-2)
 Disinfection failed
 
C:\RECYCLER\NPROTECT\00179996=>(Quarantine-2)
 Deleted
 
 
 
 
 
 
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16741985
Empty C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\Quarantine\

Empty the recycle bin.
 

Author Comment

by:sheana11
ID: 16742353
There are only 2 files under Quarantine...Incoming and Portal, and both are already empty. Do I delete them?

For Recycle bin, when I try to empty "Norton Protected Recycle Bin" it says "there are 1500 protected files total on drive C:"
"You have 1393 protected files on drive C:"

The choices are "PURGE YOURS", "PURGE ALL" and "CANCEL" ....what happens with each choice?

Also, I re-ran the EWIDO scan:

ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:                  9:37:39 AM, 05/23/2006
 + Report-Checksum:            9E179231

 + Scan result:

      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@americanexpress.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ehg-autodesk.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@phg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@powellsbooks.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
      C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
      C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup


::Report End
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16742652
Right-click on the Recycle Bin and pick Empty Recycle Bin, or pick Explore and delete everything that way. You can, but don't need to, delete the folders Incoming and Portal.

You don't have to worry about the cookies that Ewido found. But if you have WeatherBug installed on your system, uninstall it via Add/Remove Programs.

Let's run a Kaspersky online scan to top this off: www.kaspersky.com

After all that I'll give you tips for prevention.
 

Author Comment

by:sheana11
ID: 16742710
Running Kaspersky scan right now. Hit "Explore" on Recycle Bin... completely empty.
 

Author Comment

by:sheana11
ID: 16743837
-------------------------------------------------------------------------------
Results of  KASPERSKY ON-LINE SCANNER REPORT
 Tuesday, May 23, 2006 12:17:51 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky On-line Scanner version: 5.0.78.0
 Kaspersky Anti-Virus database last update: 23/05/2006
 Kaspersky Anti-Virus database records: 184016
-------------------------------------------------------------------------------

Scan Settings:
      Scan using the following antivirus database: standard
      Scan Archives: true
      Scan Mail Bases: true

Scan Target - My Computer:
      C:\
      D:\
      E:\
      F:\
      G:\
      H:\
      I:\
      J:\

Scan Statistics:
      Total number of scanned objects: 147505
      Number of viruses found: 3
      Number of infected objects: 18
      Number of suspicious objects: 0
      Duration of the scan process: 01:29:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{750E1D98-9771-4A1C-98CC-EBFF26E4B9A2}\Microsoft\Outlook Express\BACKUP_INBOX.dbx      Mail MS Outlook 5: infected - 1      skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{9C48F25F-237F-4ACA-908B-D0D2F354F6DF}\Microsoft\Outlook Express\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Identities\{9C48F25F-237F-4ACA-908B-D0D2F354F6DF}\Microsoft\Outlook Express\BACKUP_INBOX.dbx      Mail MS Outlook 5: infected - 1      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:39 -0800]/UNNAMED/html      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:39 -0800]/UNNAMED      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:52 -0800]/UNNAMED/html      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:52 -0800]/UNNAMED      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sun, 17 Jul 2005 22:31:44 +0900]/UNNAMED/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sun, 17 Jul 2005 22:31:44 +0900]/UNNAMED      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_7_18_2005\Norton AntiSpam Folder.dbx      Mail MS Outlook 5: infected - 6      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx/[From =?iso-8859-1?B?c2VydmljZXNAcGF5cGFsLmNvbQ==?= <services@paypal.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED/UNNAMED/html      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx/[From =?iso-8859-1?B?c2VydmljZXNAcGF5cGFsLmNvbQ==?= <services@paypal.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED/UNNAMED      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx/[From =?iso-8859-1?B?c2VydmljZXNAcGF5cGFsLmNvbQ==?= <services@paypal.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\A_EMAILBACKUP_9_15_2005\AUGUST 2005.dbx      Mail MS Outlook 5: infected - 3      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\DOUG_BENCH_FREE_WEBINAR\0A_EMAILBACKUP_10_11_05\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/UNNAMED/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\DOUG_BENCH_FREE_WEBINAR\0A_EMAILBACKUP_10_11_05\BACKUP_INBOX.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sat, 4 Jun 2005 16:49:57 -0400]/UNNAMED      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Documents and Settings\HP_Administrator\My Documents\00_JANS_BACKUP_FOLDER_10_13_2005\DOUG_BENCH_FREE_WEBINAR\0A_EMAILBACKUP_10_11_05\BACKUP_INBOX.dbx      Mail MS Outlook 5: infected - 2      skipped

Scan process completed.
0
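Reading a scan log like the one above by hand is error-prone: every phishing message shows up twice (the `UNNAMED` body and its `UNNAMED/html` part), and the real unit of remediation is the `.dbx` mail store that contains them, not the individual entries. The following is an added Python example (not code from the thread, from Ewido or from the scanner that produced the log) that parses lines in that `<path>  <verdict>  <action>` format, groups detections by container file, decodes RFC 2047 encoded-words in the quoted `From` header (the August entry's display name is one), and flags a store whose `infected - N` summary does not match the entries actually listed. The sample lines are constructed from the thread's format with shortened paths; the function names are mine.

```python
"""Triage a Kaspersky-style on-demand scan log (the format quoted in this
thread).  Each line is  <path>  <verdict>  <action>, separated by runs of
whitespace.  Detections inside a mail store appear as
<store>.dbx/[From ...][Date ...]/<part>, and the store itself gets a
summary line "Mail MS Outlook 5: infected - N".
"""
import re
from collections import defaultdict
from email.header import decode_header

# Constructed sample log, modelled on the lines quoted in the thread
# (paths shortened; detection names and header encoding as in the thread).
SAMPLE_LOG = r'''
C:\Backup\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:39 -0800]/UNNAMED/html      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Backup\Norton AntiSpam Folder.dbx/[From "PayPal" <billing@paypal.com>][Date Sat, 16 Jul 2005 20:17:39 -0800]/UNNAMED      Infected: Trojan-Spy.HTML.Paylap.ev      skipped
C:\Backup\Norton AntiSpam Folder.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sun, 17 Jul 2005 22:31:44 +0900]/UNNAMED/html      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Backup\Norton AntiSpam Folder.dbx/[From "eBay Support" <aw-confirm@ebay.com>][Date Sun, 17 Jul 2005 22:31:44 +0900]/UNNAMED      Infected: Trojan-Spy.HTML.Bayfraud.ev      skipped
C:\Backup\Norton AntiSpam Folder.dbx      Mail MS Outlook 5: infected - 4      skipped
C:\Backup\AUGUST 2005.dbx/[From =?iso-8859-1?B?c2VydmljZXNAcGF5cGFsLmNvbQ==?= <services@paypal.com>][Date Wed, 03 Aug 2005 05:16:29 +0000]/UNNAMED/UNNAMED/html      Infected: Trojan-Spy.HTML.Bankfraud.iz      skipped
C:\Backup\AUGUST 2005.dbx      Mail MS Outlook 5: infected - 3      skipped
'''

FIELD_SPLIT = re.compile(r"\t+| {2,}")                 # tabs, or 2+ spaces after copy/paste
MAIL_SUMMARY = re.compile(r"^Mail .*?: infected - (\d+)$")
MAIL_ENTRY = re.compile(r"^\[From (?P<sender>.*?)\]\[Date (?P<date>[^\]]*)\]")


def parse_line(line):
    """Split one log line into (path, verdict, action); None for non-record lines."""
    fields = FIELD_SPLIT.split(line.strip())
    if len(fields) < 3:
        return None
    # Re-join leading fields in case the path itself contained a double space.
    return "  ".join(fields[:-2]), fields[-2], fields[-1]


def decode_sender(raw):
    """Decode RFC 2047 encoded-words in a From header so the display name
    can be compared with the address (a display name that merely repeats an
    address is a common impersonation pattern)."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", "replace")
        out.append(chunk)
    return "".join(out)


def triage(log_text):
    """Group detections by container file.

    Returns {container: {"detections": set of names, "messages": set of
    (sender, date), "entries": entries listed, "reported": count from the
    container's own summary line or None}}.
    """
    report = defaultdict(lambda: {"detections": set(), "messages": set(),
                                  "entries": 0, "reported": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, verdict, _action = parsed
        # Windows paths use '\'; the first '/' starts the member inside the store.
        container, _, inner = path.partition("/")
        rec = report[container]
        if verdict.startswith("Infected: "):
            rec["detections"].add(verdict[len("Infected: "):])
            rec["entries"] += 1
            m = MAIL_ENTRY.match(inner)
            if m:
                rec["messages"].add((decode_sender(m.group("sender")), m.group("date")))
        else:
            m = MAIL_SUMMARY.match(verdict)
            if m:
                rec["reported"] = int(m.group(1))
    return dict(report)


def inconsistent_containers(report):
    """Containers whose summary count differs from the entries actually listed,
    which usually means the log was truncated or copied incompletely."""
    return sorted(c for c, r in report.items()
                  if r["reported"] is not None and r["reported"] != r["entries"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for container, r in rep.items():
        print(container)
        print("  detections:", ", ".join(sorted(r["detections"])))
        for sender, date in sorted(r["messages"]):
            print("  message from", sender, "on", date)
        print("  entries listed:", r["entries"], "reported:", r["reported"])
    print("count mismatch:", inconsistent_containers(rep))
```

Run against the real log, the per-container view makes the remediation decision obvious: every hit lives inside a backed-up mail store, so the fix is to delete (or purge the messages from) those `.dbx` files rather than hunt for executables, and a container listed with fewer entries than its own summary reports is a sign the pasted log is incomplete.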
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16744645
These are all in your backups. You may delete them if you wish. Norton spam filter seems to pick them up.

Besides this minor issue your system can be declared clean. Congratulations.

Prevention :

This is a good time to set up protection against further attacks. Read TonyKlein's How Did I Get Infected In The First Place? http://castlecops.com/postlite7736-.html and Kevin's tutorial http://www.greyknight17.com/spyware.php . You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

System restore :  

To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

Good Luck. :)

Microsoft Updates :

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft's Windows Update site and download all the critical updates to help prevent possible re-infection.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16744758
Yes, all good points. The number one way in which computers get infected these days is if you're careless about what you click on. This is mainly in three places - email attachments, links within emails, and dubious web sites, esp. web pop-ups. Remember that just because something "looks" legitimate, or seems to have the return address of someone you know, is no guarantee of anything. If you were not expecting it, don't click on it. The safe way to close web pop-ups is by right-clicking in their title bar and selecting "Close", or by using the ALT-F4 key.

Good luck.

0
 
LVL 4

Expert Comment

by:Purple_Sky
ID: 16748012
Let us know if you have any problems.
0
 

Author Comment

by:sheana11
ID: 16750497
Thanks for your superior help!  Experts-Exchange is awesome!
0

Question has a verified solution.