Regular posters here at VDR know how security conscious I am. Well, apparently my computer is infected but I have not yet determined how this has occurred.
I have been getting more and more of these messages, asking if I want to debug an undefined object. Sometimes, I get 20-30 of these popups per webpage. So a couple of days ago, I decided to start doing some research to find a solution. Here is what has occurred so far.
For the first time in over 5 years, one of my computers has become infected with a worm and a couple of trojans. I am very security conscious, so I am currently researching how this happened and what I need to do to remove these trouble makers.
4 days ago, I ran ad-aware and it discovered 43 tracking (data-miners) & items on an MRU List. I had Ad-Aware remove all of those. Then I ran SpyBot and it came up clean. BTW, I updated both programs before running the programs.
The next day, I started getting more of these debug messages, so I ran Ad-Aware and it found 4, which I deleted. Then yesterday, I started having problems big time, so I ran Ad-Aware and this time there were more. I have attached this last Ad-Aware report.
So, I decided to run the Kaspersky online scanner. It took over 8 hours for it to run but the results are that my computer is infected. I have attached this report.
I decided to have my Panda Platinum do a complete scan to see if this malware could be detected and removed. Twice, I tried to run a Panda scan on my two hard drives and both times it stopped at 25% on the c:\ hard drive. It probably encountered one of the trojans or worms and didn't know what to do.
I am now going to download TrojanHunter 4.6 and see if it can identify these varmints and remove them. Unfortunately, I had downloaded an eval copy a couple of years ago, so this was not an option.
Does anyone have any suggestions as to a freeware program that I could use to remove this malware?
TIA,
Linda
Last edited by LindaHewitt; April 1st, 2007 at 04:55 AM.
Linda: My first thought would be to go on over to the Hijack This! forum, run the list of items they give in the locked thread at the top and then post a log. It's probably the quickest thing to do at this point.
After you're clean, you might consider adding BOClean to your arsenal. It has been a paid anti-trojan from its inception but Comodo bought it last week and in a week or so, it will become a freebie. One of BOClean's slogans was (paraphrased) "No Hijack This! logs from their users". I have it running on both my PCs at home and on everything at the office. Check out my post about the changes over at the Security News/Warnings/Updates forum.
Paths for all malware according to Kaspersky online scan. Unlike other online scanners, I was able to save the reports in several different formats, which I have attached. Both reports are in html format, which for some reason VDR will not accept, so I am not able to attach either report.
Linda
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QNUZET2V\wbk1922.tmp
Infected: Trojan-Spy.HTML.Bankfraud.ra
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QNUZET2V\wbk1924.tmp
Infected: Trojan-Spy.HTML.Bankfraud.ri
C:\WINNT\SYSTEM32\ActiveScan\qrvkrn.ini
Infected: Trojan.BAT.FormatC
D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx/[From "Returned mail" ][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED/document.zip/[email protected]
Infected: Net-Worm.Win32.Mytob.ck
D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx/[From "Returned mail" ][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED/document.zip
Infected: Net-Worm.Win32.Mytob.ck
D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx/[From "Returned mail" ][Date Fri, 28 Oct 2005 17:21:42 -0700]/UNNAMED
Infected: Net-Worm.Win32.Mytob.ck
D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\2005 Email thru 12-31-05.dbx
Mail MS Outlook 5: infected - 3
D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\InboxBK1.dbx 634,894 KB\Output for InboxBK1.dbx\spam score 4 10pobox warning.eml/[From [email protected]][Date Wed, 18 Feb 2004 22:44:39 +0000]/mails.txt.com.b9
Infected: Email-Worm.Win32.NetSky.b
D:\Data Files\Backups before Re-install of OS\OE Local Folders Archive 10-29\InboxBK1.dbx 634,894 KB\Output for InboxBK1.dbx\spam score 4 10pobox warning.eml
Does the instruction mean that I need to unzip the HijackThisLog software into the c:\hjt\ folder, which I created?
Yes, it does.
From the exact results you posted, it looks like you could manually delete most or possibly all of the infections.
Clear your browser's cache (manually and/or in safe mode if necessary, and have a look directly in those temp int folders to see if they're empty). Then it looks like your own backup emails are being flagged. You may want to either delete them whole or extract them from whatever archive they're stored in (if it's a zip file as it appears) and individually remove the culprits... that may not be possible if the emails are stored as contiguous encrypted files like PST (Outlook) or DBX (Outlook Express) etc. Worth noting is that those D: drive infections are for the time being inert due to the fact they're stored in those archives... so it's not an impending danger unless you import them back into the email client and open them. I'd still get rid of them though.
The only one that I'm not sure about is ActiveScan\qrvkrn.ini ... submit that ini file here..
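The triage in the reply above (browser-cache hits, archived mail that stays inert until it is reopened, and the one file nobody recognises) can be applied mechanically to the report layout Linda quoted earlier in the thread: a full path on one line, "Infected: <name>" on the next, and a per-archive summary line that carries no detection name. The script below is an added example written for this page, not code from the thread, from Kaspersky, or from any tool mentioned here; it assumes that layout holds, and the report it parses is a constructed sample modelled on the posted one.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the online-scan report quoted in the
# thread (not the actual report): path line, then "Infected: <name>", plus a
# per-archive summary line ("... infected - N") that names no detection.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QNUZET2V\wbk1922.tmp
Infected: Trojan-Spy.HTML.Bankfraud.ra
C:\WINNT\SYSTEM32\ActiveScan\qrvkrn.ini
Infected: Trojan.BAT.FormatC
D:\Data Files\Backups\2005 Email.dbx/[From "Returned mail" ]/UNNAMED/document.zip
Infected: Net-Worm.Win32.Mytob.ck
D:\Data Files\Backups\2005 Email.dbx
Mail MS Outlook 5: infected - 3
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")          # a Windows drive path
SUMMARY_LINE = re.compile(r"infected - \d+$")     # per-archive count, no name
# A detection whose path passes through a mail store or archive container.
ARCHIVE_MEMBER = re.compile(r"\.(dbx|pst|eml|zip)(/|\\|$)")

# Handling per location class, following the triage given in the thread.
ACTIONS = {
    "browser-cache": "clear the browser cache, then confirm the cache folder is empty",
    "mail-archive": "inert until imported or opened; delete the message or extract it and remove the culprit",
    "other": "neither cache nor archive; keep a copy and submit the file for analysis",
}


@dataclass
class Detection:
    path: str
    name: str
    location: str
    inert: bool


def classify_path(path: str):
    """Map a detection path to a location class and whether it is inert at rest."""
    lower = path.lower()
    if "\\temporary internet files\\" in lower:
        return "browser-cache", False
    if ARCHIVE_MEMBER.search(lower):
        return "mail-archive", True
    return "other", False


def parse_report(text: str):
    """Pair each path line with the 'Infected:' line that follows it."""
    detections = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Infected:"):
            if pending is not None:
                location, inert = classify_path(pending)
                name = line[len("Infected:"):].strip()
                detections.append(Detection(pending, name, location, inert))
                pending = None
        elif PATH_LINE.match(line):
            pending = line
        elif SUMMARY_LINE.search(line):
            pending = None  # archive summary; its members were already listed
    return detections


def triage(text: str):
    """Group detections by location class, keeping the report's order."""
    plan = {key: [] for key in ACTIONS}
    for d in parse_report(text):
        plan[d.location].append(d)
    return plan


if __name__ == "__main__":
    for location, items in triage(SAMPLE_REPORT).items():
        if items:
            print(f"{location}: {ACTIONS[location]}")
            for d in items:
                print(f"  {d.name}  <-  {d.path}")
```

Feeding the real report to `triage()` instead of the sample gives a list per class; anything that lands in "other" is the set worth a second look before deleting, which is exactly the qrvkrn.ini case above.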
I have been trying to go through the steps that are listed on the HJT forum. This is my to do list:
1. Download and run AVG anti-spyware
2. Run two additional online scanners with Auto Clean (probably BitDefender and Panda)
3. Run Trojan Scanner
I decided to run Trojan Scanner but this is what is occurring.
I have a W2K Pro computer and all of the Windows updates have been applied. I am using the latest version of IE 6.0.2800.1106.
I have changed the settings in IE to comply. I am trying to run this test using FireFox 1.5.0.11.
Twice, I have set the IE settings from scratch per your instructions. Both times I have gotten this error message.
ERROR: It appears that your system does not meet the requirements needed to run this test:
Windows 98, ME, 2000, XP or 2003
Internet Explorer 5.0 or later with ActiveX enabled How to check/set your IE settings
So, I decided that maybe I needed to run this test from my IE browser but that didn't help. I am still being directed to this webpage.
It does need to be run on IEX... try temporarily bypassing your a/v and put windowsecurity.com into your internet trusted zone list. Did you try what I suggested above yet?
Linda: Trojan Scanner is licensed from a-squared, which explains the a-squared ActiveX error you have. I've never run a-squared via the web. I always used the installed version. Since the control is ActiveX, Firefox doesn't support it at all. So that explains that issue. But you would think that IE would work... But apparently something is still not meshing quite right.
That said, if I was in your shoes, I don't believe I'd be spinning my wheels too much with that specific test. Granted, it would be great if it would work but at this stage I think that the best route is to continue on with HJT and crunchie...
Yes, I deleted the temporary files in IE, Java, and FireFox.
Han,
I have created a thread in the HJT conference and posted the HJT log. Crunchie is now looking at it. She has had me run the combofix.exe program and post the log, which I have done.
I really appreciate all the helpful suggestions from both of you.