Red Circle with white X in task bar [RESOLVED]



#16
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello ugrinwa,

I've also now installed Comodo but have the feeling that I should disable it until we resolve this issue since it is asking me during the checks if I want to continue...

If you would like, you can disable the Firewall while you are doing the fixes and then turn it on as soon as you are done.

just to mention a yellow shield was asking me to download updates on my pc (in the task bar) I selected yes since it looked authentic unlike the others, and when the status bar did not move I cancelled and was notified that the updates (Microsoft anti-virus protection) could not complete.

Are you still getting the yellow shield asking you to download updates?

And are you still having any errors or other problems with your computer?


STEP 1
Please do an online scan with Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
~~~~~~~~~~
In your next reply please have this log.
The Kaspersky log
  • 0
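Once the report from STEP 1 has been saved as text, the long run of "Object is locked" lines can be separated from the real detections with a short script. This is an added example, not part of the original post; the sample report is constructed. It assumes the line layout of the report posted later in this thread (path, then `Object is locked`, `Infected: <name>` or `<type>: infected - <n>`, then the action), that `/` in a path marks an object nested inside an archive or mailbox, and that the header counts match the listed lines.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Kaspersky Online Scanner text report.
SAMPLE_REPORT = r'''Scan Statistics:
Total number of scanned objects: 120
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Mail\Junk/[From "Sender" <s@example.invalid>]/UNNAMED Infected: Trojan-Spy.HTML.Example.a skipped
C:\Tools\backups.zip/backups/sample.exe Infected: Trojan-Spy.HTML.Example.a skipped
C:\Tools\backups.zip ZIP: infected - 1 skipped
C:\Tools\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Example.b skipped
'''

# Each result line ends with "<status> <last action>"; the path may contain spaces.
LOCKED = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+(?P<action>\w+)$")
INFECTED = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\w+)$")
CONTAINER = re.compile(
    r"^(?P<path>.+?)\s+(?P<container>\S+):\s+infected - (?P<count>\d+)"
    r"\s+(?P<action>\w+)$")
HEADER = re.compile(
    r"^Number of (viruses found|infected objects):\s*(\d+)\s*$", re.M)


def parse_report(text):
    """Return one dict per recognised result line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("locked", LOCKED), ("infected", INFECTED),
                         ("container", CONTAINER)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, **m.groupdict()})
                break
    return entries


def bucket(entry):
    """Sort an entry into a triage bucket.

    locked    - file in use during the scan, not a detection
    container - per-archive/mailbox summary line
    riskware  - scanner's own "not-a-virus:" label
    nested    - detection inside an archive or mailbox (assumed from "/")
    file      - detection on a standalone file on disk
    """
    if entry["kind"] != "infected":
        return entry["kind"]
    if entry["name"].startswith("not-a-virus:"):
        return "riskware"
    return "nested" if "/" in entry["path"] else "file"


def triage(text):
    """Summarise a report and check it against its own header counts."""
    entries = parse_report(text)
    buckets = Counter(bucket(e) for e in entries)
    names = Counter(e["name"] for e in entries if e["kind"] == "infected")
    header = {key: int(value) for key, value in HEADER.findall(text)}
    # Assumption: "infected objects" counts Infected: lines plus container
    # summary lines, and "viruses found" counts distinct detection names.
    infected_lines = (buckets["riskware"] + buckets["nested"]
                      + buckets["file"] + buckets["container"])
    complete = (header.get("viruses found") == len(names)
                and header.get("infected objects") == infected_lines)
    return {"buckets": dict(buckets), "names": dict(names),
            "header": header, "complete": complete}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("buckets:", result["buckets"])
    for name, count in sorted(result["names"].items()):
        print(f"{count:3d}  {name}")
    if not result["complete"]:
        print("header counts do not match the listed lines; "
              "the pasted report may be truncated")
```

A `complete` value of `False` means the listed lines do not add up to the header totals, which is what a report cut off while pasting into a forum post looks like.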



#17
ugrinwa

ugrinwa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
No no more shields asking me to update.
The only thing I notice is that things are taking longer to open.
For example I click on firefox and it takes a good minute before it launches. Sometimes when I type the cursor also jumps to an arbitrary location even in this message window.

The firewall I installed is working great. Almost too great. It keeps asking me for permissions normally when I start up pc. It tells me that the following .exe is safe or that a folder is being created. What is the best way of running this software (training mode?) Your recommendations would be appreciated.

Does the Kaspersky Scan take a long time?
It scanned My Computer till about 20% and even though the time is progressing, the number of scanned objects and progress of the scan is not moving. I am 01:23 h into it?
  • 0

#18
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello ugrinwa,

What is the best way of running this software (training mode?)

Under the Firewall security level I think a good one for you to run would be Safe Mode. And for the Defence+ security level, run Safe Mode. Running both at these settings should limit the pop-ups you will get. To make the changes right click on the Comodo icon in your taskbar, you will see a few options open up there. Move your mouse on the Firewall security level and it will open up with a few more options, click on Safe Mode. Do the same for Defence+ security level as well.

Does the Kaspersky Scan take a long time?

Yes it can take a long time, it depends on the speed of your computer and how many files it needs to scan.

It scanned My Computer till about 20% and even though the time is progressing, the number of scanned objects and progress of the scan is not moving. I am 01:23 h into it?

When I have run the Kaspersky scan on my PC before, some of my larger files it did that. It was a few minutes that it did not update the scanned objects, how long has it done that on yours? If you could let it sit there for a little while and see if anything changes.

Edited by Jimmy2012, 11 July 2008 - 12:02 AM.

  • 0

#19
ugrinwa

ugrinwa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

When I have run the Kaspersky scan on my PC before, some of my larger files it did that. It was a few minutes that it did not update the scanned objects, how long has it done that on yours?


It was on that one file and sat at 20% for almost 2 hours!!! :)

It finally jumped to 21% :)

Still moving but taking forever... Sorry I haven't posted that log yet.

I think the PC is slower due to little room left over on my hard drive.
Can I get a larger hard drive for my laptop without losing anything?
Only have 60G :)

How much more do you think we have until laptop is cleaned and ready?

Thank you
  • 0

#20
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts

It was on that one file and sat at 20% for almost 2 hours!!! :)

It finally jumped to 21% :)

:) do you remember what the file was?

Still moving but taking forever... Sorry I haven't posted that log yet.

No problem, not your fault. :)

I think the PC is slower due to little room left over on my hard drive.
Can I get a larger hard drive for my laptop without losing anything?
Only have 60G :)

If you got a new Hard Drive you would have to reinstall windows on it and to get your files and programs, etc you would have to move them to the new hard drive.

How much more do you think we have until laptop is cleaned and ready?

Things are looking better. :( Let's see what the Kaspersky scan finds :)

Edited by Jimmy2012, 11 July 2008 - 12:58 AM.

  • 0

#21
ugrinwa

ugrinwa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

do you remember what the file was?


Email folders - Inbox/Junk etc

Went to bed came back this am and did not see Kaspersky anymore?
No browser window was open, so I am re-running from beginning.

This last step is killing me :)

Edited by ugrinwa, 11 July 2008 - 04:50 AM.

  • 0

#22
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello ugrinwa,

Went to bed came back this am and did not see Kaspersky anymore?
No browser window was open, so I am re-running from beginning.

Sorry to hear that, we will be done once you can get the Kaspersky scan done. :)
  • 0

#23
ugrinwa

ugrinwa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Please don't think that I am a man with little patience. As long as this a) gets cleaned up and b) I can properly and better protect my PC the wait is well worth it.

Will you be making recommendations on what steps to take after we finalize the clean?
Just like the Firewall you recommended?

Also, once complete, can I or should I delete some of the helper programs of my hard drive or should they be left where they are.
Will you be suggesting to create a restore point.

I know I know I am jumping ahead.

Sorry.
  • 0

#24
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello ugrinwa,

Will you be making recommendations on what steps to take after we finalize the clean?
Just like the Firewall you recommended?

Yes, I will give you some links for tools that you may download if you want. That can help you from getting reinfected.

Also, once complete, can I or should I delete some of the helper programs of my hard drive or should they be left where they are.

Just leave those there for now, once we make sure you are clean we will take care of them. :)

Will you be suggesting to create a restore point.

Once we make sure you're clean I will have you remove the old restore points, and after that the computer will make new restore points for you by itself.

Edited by Jimmy2012, 11 July 2008 - 02:03 PM.

  • 0

#25
ugrinwa

ugrinwa

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Hi Jimmy 2012
Here is the Kaspersky Log.
Thanks

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, July 11, 2008 17:59:41
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/07/2008
Kaspersky Anti-Virus database records: 941430
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 31161
Number of viruses found: 5
Number of infected objects: 37
Number of suspicious objects: 0
Duration of the scan process: 06:30:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwdsvc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1fa8a89c3df67e15e3bbf898a844c61f_e90da27d-1f77-49c6-b319-8960e03e61bb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Jack\Application Data\Mozilla\Firefox\Profiles\b1q94zt4.default\history.dat Object is locked skipped
C:\Documents and Settings\Jack\Application Data\Mozilla\Firefox\Profiles\b1q94zt4.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From ... /[From Chase Bank <[email protected]>][Date Fri, 21 Apr 2006 17:52:09 - .. ... /html Infected: Trojan-Spy.HTML.Bankfraud.ou skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From ... /[From Chase Bank <[email protected]>][Date Fri, 21 Apr 2006 17:52:09 - ... /UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ou skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From ... /[From Chase Bank <[email protected]>][Date Fri, 21 Apr 2006 17:52:09 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ou skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovan ... /[From "Honeycutt" <[email protected]>][Date Tue, 10 Oct 2006 14:19:08 -0400]/bracelet.gif Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[From "Mictla ... /[From "Pate" <[email protected]>][Date Tue, 10 Oct 2006 02:55:31 +0200]/text Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[From "Mictlantecuhtli Stephen" <[email protected]>][Date Tue, 3 Oct 2006 21:43:22 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From "Millicent" <[email protected]>][Date Wed, 21 Jun 2006 16:14:29 +0100]/text Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... ... /[From "eBay.ca" <[email protected]>][Date Mon, 19 Jun 2006 00:14:25 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From "Clayton Hotz" <[email protected]>][Date Fri, 26 May 2006 07:29:30 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From "A ... /[From "Vera" <[email protected]>][Date Tue, 23 May 2006 00:03:04 -0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From "Aveline Jeanlouis" <[email protected]>][Date Sun, 21 May 2006 09:53:31 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[From "HonestReporting" <[email protected]>][Date Sun, 21 May 2006 11:24:39 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[ ... /[From "Franklin Frazier" <[email protected]>][Date Thu, 18 May 2006 22:25:03 +0300]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[F ... ... /[From "Naveen Deines" <[email protected]>][Date Thu, 18 May 2006 05:08:41 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[F ... /[From "Higini Ashbrook" <[email protected]>][Date Wed, 10 May 2006 23:41:09 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[F ... /[From "Duha Depaz" <[email protected]>][Date Tue, 9 May 2006 19:13:16 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[From "Mortimer Russell" <[email protected]>][Date Wed, 10 May 2006 09:29:29 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans . ... / ... /[From "Onyekachukwu Reck" <[email protected]>][Date Wed, 10 May 2006 08:13:47 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans . ... /[From "Orval Callihan" <[email protected]>][Date Tue, 9 May 2006 01:05:49 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans .. ... / ... /[From "Michael Moore" <[email protected]>][Date Tue, 09 May 2006 20:22:23 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans .. ... /[F ... /[From "Marvyn Overby" <[email protected]>][Date Sun, 23 Apr 2006 21:02:32 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans .. ... /[From "Intricacy L. Sanford" <[email protected]>][Date Sun, 23 Apr 2006 16:13:56 -0700]/text Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... ... /[From "Demetrios Quayle" <[email protected]>][Date Tue, 18 Apr 2006 20:05:12 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Frans ... /[From "Amplify F. Stylistic" <[email protected]>][Date Wed, 12 Apr 2006 14:22:39 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED/[From "Jovana Franson" <[email protected]>][Date Mon, 10 Apr 2006 07:36:10 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED/[From "Chabad.org" <[email protected]>][Date Fri, 07 Apr 2006 17:55:43 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED/[From "Flourished G. Being" <[email protected]>][Date Thu, 06 Apr 2006 10:57:25 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED/[From Uri Grinwald <[email protected]>][Date Thu, 06 Apr 2006 10:53:07 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk/[From "Ayelet Bercovich" <[email protected]>][Date Mon, 3 Apr 2006 19:51:24 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.qb skipped
C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk MailBerkeleymboxx: infected - 29 skipped
C:\Documents and Settings\Jack\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jack\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jack\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jack\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Selma\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\HJT\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\HJT\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\HJT\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.e skipped
C:\SDFix\backups\backups.zip/backups/braviax.exe Infected: Trojan-Clicker.Win32.Delf.akw skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped

Scan process completed.
  • 0
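Scan logs of this shape mix "Object is locked" entries (files in use that the scanner could not open) with real detections, some of them labelled `not-a-virus:`. The following is an added example, not part of any post in this thread: a small Python triage that separates the three and cross-checks archive summary lines; the function name and the treatment of "/" as the archive/member separator are assumptions drawn from the log's shape.

```python
import re
from collections import Counter

# Sample lines in the format of the scan log in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\HJT\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\HJT\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\HJT\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.e skipped
C:\SDFix\backups\backups.zip/backups/braviax.exe Infected: Trojan-Clicker.Win32.Delf.akw skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
Scan process completed.
"""

LOCKED = re.compile(r"^(.+) Object is locked skipped$")
DETECT = re.compile(r"^(.+) Infected: (\S+) skipped$")
ARCHIVE = re.compile(r"^(.+) [A-Z0-9]+: infected - (\d+) skipped$")
RISKWARE_PREFIX = "not-a-virus:"  # Kaspersky's label for riskware/adware rather than malware

def triage(log):
    """Split a scan log into locked-file noise, riskware and malware detections."""
    result = {"locked": 0, "riskware": [], "malware": [], "archive_mismatch": []}
    members, declared = Counter(), {}
    for line in map(str.strip, log.splitlines()):
        if LOCKED.match(line):
            result["locked"] += 1  # file in use, scanner could not open it: not a detection
        elif m := DETECT.match(line):
            path, verdict = m.groups()
            # Assumption from the log's shape: "/" separates an archive from the object inside it.
            on_disk, _, inner = path.partition("/")
            if inner:
                members[on_disk] += 1
            bucket = "riskware" if verdict.startswith(RISKWARE_PREFIX) else "malware"
            result[bucket].append((on_disk, inner, verdict))
        elif m := ARCHIVE.match(line):
            declared[m.group(1)] = int(m.group(2))
    # An archive summary line should agree with the member detections listed for it.
    result["archive_mismatch"] = sorted(a for a, n in declared.items() if members[a] != n)
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['locked']} locked objects ignored")
    for bucket in ("malware", "riskware"):
        for on_disk, inner, verdict in report[bucket]:
            where = f"{on_disk} (inside: {inner})" if inner else on_disk
            print(f"{bucket:8} {verdict}  {where}")
    print("archive count mismatches:", report["archive_mismatch"] or "none")
```

Grouping by the file on disk matters because an archive member cannot be removed on its own; the container is what gets moved or deleted.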



#26
Jimmy2012

Hello ugrinwa,
The Kaspersky scan found a few things that will need to be deleted. This folder here: C:\Documents and Settings\Jack\Application Data\Thunderbird\Profiles\7850achi.default\Mail\Local Folders\Junk. Kaspersky found a lot of trojans there; it looks like they are older emails. Please delete those emails in that folder.

Also, how is your PC running now?

STEP 1
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
~~~~~~~~~~
In your next reply please have this log.
The OTMoveIt2 log

Edited by Jimmy2012, 11 July 2008 - 05:17 PM.

  • 0

#27
ugrinwa

That's what I thought based on the results.
The item you just asked me to move is definitely something I have tried deleting in the past but it kept showing up. Not sure if it was harmful but always persistent.

In any case, now that I have a genius on my side it was no match :)

Here is my log.


C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07112008_222101

Thanks Jimmy2012!
What's next? :)
  • 0

#28
ugrinwa

BTW.
System is running much better. No more security threats and speed has improved.
Really grateful thus far for all your help and knowledge.
  • 0

#29
Jimmy2012

Hello ugrinwa,
Your computer is clean. :)
Just a few more things to do before we are done.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
You are using an old version of Adobe Acrobat Reader, please update it here.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

    You can delete/uninstall any leftover tools we used to clean your computer.
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spywareguard: Is realtime protection from spyware.

2. Spywareblaster: Helps protect against any bad ActiveX from installing on your computer.

3. SuperAntiSpyware: Use this program to remove any spyware that may have gotten on your computer.

4. FireFox: This is a great alternate browser over Internet Explorer. Firefox is much more secure than Internet Explorer and also has a built-in pop-up blocker.

5. ATF Cleaner: This program cleans out your temporary files. This is a great tool that can help speed your computer up.

6. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.


To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0

#30
ugrinwa

Thank you, thank you a million times over.
You were courteous, knowledgeable and positive throughout this experience.

I will seriously pay heed to your genius :) advice.
  • 0





