[skydog]

Gary...may be later today before I can get to this...what exactly do you do? Are computers a hobby or your job...your knowledge/experience amazes me...

[skydog]

C:\WINDOWS\system32\qtijcbnr.dat moved successfully.
C:\WINDOWS\system32\plqiiten.dat moved successfully.
C:\WINDOWS\system32\ocuygllh.dat moved successfully.
C:\WINDOWS\system32\wowwmiqt.dat moved successfully.
C:\WINDOWS\system32\yxanswll.dat moved successfully.
C:\WINDOWS\system32\qhxosowh.dat moved successfully.
C:\WINDOWS\system32\dsauthg.dll.bak moved successfully.

Created on 12/22/2007 11:48:20

[skydog]

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 22, 2007 1:36:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/12/2007
Kaspersky Anti-Virus database records: 491787
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 114551
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:24:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF5510.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF5544.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sony\Photo Server\db\vpdb.ldb Object is locked skipped
C:\Program Files\Sony\Photo Server\db\vpdb.mdb Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\rhhaiofb.dat.vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP19\change.log Object is locked skipped
C:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP9\A0000068.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\PerfomanceOptimizerPre_Installer.exe Infected: not-a-virus:FraudTool.Win32.PerfomanceOptimizer.a skipped
C:\WINDOWS\Internet Logs\APPLE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETDC85.tmp Object is locked skipped
C:\WINDOWS\Temp\JETDDAE.tmp Object is locked skipped
C:\WINDOWS\Temp\ZLT019ca.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT019cd.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{543848E5-A971-4387-BA47-9852573A650F}\RP19\change.log Object is locked skipped

Scan process completed.

[plugsnpixels]

Skydog, I run Windows on my Macs as needed, and it works just fine. Actually, it's extremely easy to keep drag-and-drop backups (the Windows environment is just a set of files whether you're using Boot Camp or Parallels), so if a virus ever did come to visit (which I haven't had happen yet), you simply replace your files with the most recent backup and continue on your way in the time it takes to copy them.

Then as time goes by, you can migrate your apps as you're able and leave this Windows virus nonsense behind!

[Gary Richardson]

Hi skydog,

Quote:

Originally Posted by skydog

what exactly do you do? Are computers a hobby or your job...your knowledge/experience amazes me...

I assist at a couple of Malware Removal forums where I help people clear infections from their computers. With the increasing prevalance of Malware on the web these days we feel it's necessary for people to have somewhere to go when they need help. All helpers are volunteers, so yes, this is a kind of hobby for me. I've been doing it for about 3 years or so now.

http://malwareremoval.com
http://spywarewarrior.com
http://forums.whatthetech.com/forums.html

I was trained at the first of the sites listed above, which has a dedicated school for that kind of thing, I teach there now a little. I also moderate at the second forum. The third is just one I help out at.

OK, as far as I can see your computer looks pretty much clear now, just one more removal to make.

• Double click OTMoveIt.exe to launch it.
• Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.

Quote:

C:\WINDOWS\Downloaded Program Files\PerfomanceOptimizerPre_Installer.exe

• Click the Move It button.
• The list will be processed and the results will appear in the right hand pane.
• If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
• When finished click Exit to exit the programme.
• A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

No need to send me the log, have a look at the log, if the file moves OK, then do the following.

• Double click OTMoveIt.exe to launch the programme.
• Click on the CleanUp! button.
• OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
• You will be prompted to allow the clean up procedure, click Yes
• When finished exit out of OTMoveIt
• Now delete OTMoveIt.exe (if present).

This will clean out the programmes we've installed for the Vundo removal, and all associated files.

If PerfomanceOptimizerPre_Installer.exe fails to be moved, let me know.

[Gary Richardson]

Quote:

Originally Posted by plugsnpixels

Skydog, I run Windows on my Macs as needed, and it works just fine. Actually, it's extremely easy to keep drag-and-drop backups (the Windows environment is just a set of files whether you're using Boot Camp or Parallels), so if a virus ever did come to visit (which I haven't had happen yet), you simply replace your files with the most recent backup and continue on your way in the time it takes to copy them.

Then as time goes by, you can migrate your apps as you're able and leave this Windows virus nonsense behind!

What do you do if your System Files have been Rooted? Not all infections announce their presence, so you may have been infected for some time without your knowledge, and therefore your backups too will be tainted.

By the way, Macs are no more difficult to infect than a Windows system, it's just that nobody has really bothered to try yet as the returns aren't big enough. When/if they become so, you'll find the help available for you is very, very limited.

Personally I hope that Macs remain as an untargeted system, we've got more than enough work to do as is, but don't make the mistake of thinking that Macs are somehow uninfectable, because that just is not the case.

[skydog]

Gary...thanks...everything worked fine.
Now to maintain what I have what do you recommend? I currently use AVG, Zone Alarm, Cleanup and Superantispyware, but all of that didn't keep me from being infected.

How often should I run "highjack this" and submit the finding?

thanks again...maybe Swamp has no idea what's lurking on her computer?

[Gary Richardson]

OK, basically the programmes you have are fine, but they're only half the picture. The biggest defensive system you've got is the squidgy grey matter keeping your ears apart.

Most people browse the web blythely unaware of the basic mechanisms of infection and as a result it doesn't come as too much of a surprise when they pick one up.

Most modern infections get onto your machine by you installing them, and because of this your defensive systems are usually not effective. In effect you're telling your systems "this is OK because I'm installing it" and therefore to a large extent they'll ignore things until the infection "activates" by which time it's too late.

How do you install them, basically you're conned into doing so. There's a whole number of ways this is done, but the following are just a few.

1. You receive an e-mail from a friend which has an attachment with it. Being as it's from a friend, and because your anti-virus hasn't flagged it you open the attachment and you're infected. Turns out your friends computer was infected and it was the infection that sent the e-mail and attachment to you. The attachment is an installer. Once it's installed on your box, the first thing it does is e-mail everyone in your address book, and the propogation of the infection progresses. Never open attachments even if from a friend unless you've checked with the friend that he/she has sent you one.

2. You're surfing the web and you see a great new utility you must have, so you download and install it. Turns out it comes "packaged" with other extra functions you didn't expect and you're infected. Another variation on this is you land on a website which tells you that to view the content you need to download and install a codec, and you guessed it the codec comes with "friends" and once again you're infected.

3. You get hit by a worm. Someone has crafted a specific infection which can bypass your defences by means of an "exploit", usually some form of buffer overrun. Once through your defences the worm's payload activates and you're infected. Best way to defeat these is by keeping your Windows updates current. Also consider this, once a "patch" for an exploit comes out in the form of a windows update, the bad guys will create a bug specifically for the exploit that patch fixes. They know that not everyone will update, so there will be a window of opportunity foe them, in effect Microsoft by creating the fix are telling them how to infect people. That's why it's essential you keep Windows updated.

4. You land on an infected website. The owner of the website may or may not be be aware that sections of his/her webpage have been replaced with malicious code. Again like a worm an exploit is usually used as the vector for infection.

5. P2P (Peer to Peer) file sharing programmes. These are one of the most used methods for infection spreading. Even if you've got one of the "clean" programmes you can't be sure that the stuff you're downloading is clean. By using P2P you bypass your defensive systems and the in built protections of the programme are relatively easy to circumvent, most of the major malware peddlers love to use P2P. One other thing about them, if you've not configured them correctly you're likely broadcasting a whole lot more about your computer than you'd like others to know. Passwords, credit card numbers and bank account details have all been stolen from users computers by a badly configured P2P programme.

As I said there's a whole lot more, but they're generally variations on the basic methods described above.

By being aware of the above, you can be a deal more cautious in your browsing habits and what programmes you "allow" on your machine.


There are a few things I can recommend that will beef up your defences a bit, but it's getting a bit late here (nearly midnight) so I'll post them in the morning.

[Gary Richardson]

Hi skydog,

OK, before I get into giving you a few hints on bolstering your defences, I just want to mak a comment on a couple of entries in your HJT log.

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL


These came with the latest version of Zone Alarm, and indicate you also installed Zone Alarm Spy Blocker this is really nothing more than a thinly disguised version of the Ask Toolbar (Ask Jeeves), I don't know why ZA have included this with their install, but many in the Security forums see this as a really negative step, aimed only at getting money from the manufacturers of that useless search add on.

http://www.castlecops.com/modules.ph...4-DFEE4931A4AA

Quote:

ZoneAlarm Spy Blocker BHO {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} O BHO SPYBLOCK.DLL ZoneAlarm Spy Blocker Toolbar, now installed as an optional with Zonealarm. Uses the Ask.com searchengine. More info here - also see this_note

Please read

http://www.benedelman.org/spyware/in...jeeves-banner/

I don't know quite how tied into ZA it is, so if you wish to remove it, do the following.

• Uninstall Zone Alarm.
• Reboot your computer.
• Re-install Zone Alarm, but when you do so, then uncheck the option for Zone Alarm Spy Blocker which is checked by default.

There have also been a number of reports of problems with the latest version of ZA causing crashes on people's computers, but if you've had no problems with your install you should not be unduly concerned. But it's as well to be aware that others have had problems, so if you do start to have unexplained issues with your computer it may be ZA that is the cause.

Right, now to get down to a few additions to your defences.

Updating Windows and Internet Explorer
It is essential you keep your Operating System up to date with all the latest patches. The bad guys watch for the latest exploits, as soon as Microsoft brings out a patch, the bad guys will bring out an infection to exploit that vulnerability. If you don't have all the latest patches your computer is vulnerable. Please go to the windows update site and get the critical updates.

Use a "secure" browser
Install Internet Explorer 7 or an alternative browser like Firefox or Opera for more secure surfing.
Please remember that there is no such thing as a totally secure browser. Your browsing habits will be the major factor in determining just how safe you are online. If you visit, Crack/Warez sites, Porn sites, or other sites of a questionable nature, you still run a severe risk of getting infected.

IE Spyad
It puts many bad webpages on your restricted zones LIST. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use javascripts and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.

Hosts file:
Make sure you read the instructions on how to install the hosts file, here.

• Every version of windows has a hosts file as part of them.
• In a very basic sense, they are used to locate webpages.
• We can customize a hosts file so that it blocks certain webpages.
• However, it can slow down certain computers.

If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

• Click the start button (at the lower left hand corner of your screen)
• Click run
• In the dialog box, type services.msc
• hit enter, then locate dns client
• Highlight it, then double-click it.
• On the dropdown box, change the setting from automatic to manual.
• Click ok

Site Advisor This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.

[Old Canoeist]

Gary:

I updated free Zonealarm and unknowingly got the Spyblocker but I found that it is listed separately in the WinXPHome Add/Remove list.

When I clicked Uninstall it was removed after a restart. Zonealarm was still present & OK.

[Gary Richardson]

Thanks for the info Old Canoeist, nice to know it can be removed easily.

It's only the latest version of ZA that has this "addition", and as I don't have it I wasn't entirely sure quite how it was integrated into things.

[skydog]

swamp..just read this at another site:
"Posted: 2:08 PM on 12.22.07
->> I just had "Mac Sweeper detect" a bunch of viruses on my mac powerbook. It popped up automatically in my web browser window and asked if I wanted to download the program to clear out the cookies. When I clicked ignore, it started downloading something. Obviously, I stopped it, but it took me four times to close the window. Once I was able to get out of the window, I trashed everything in my downloads folder and shut my computer down.
I just spoke with a few friends, who did a cursory google search and found a few "legitimate mac sweeper pages" and a few message board postings with stories similar to mine. Unfortunately, no one replied to these postings. Additionally, there is a two hour wait for Apple tech support...happy holidays.
So, I'm wondering if anyone has heard of this. Or perhaps, folks have some general thoughts on this matter.
Thanks for the help. "

[Swampy]

Skydog... I've seen the popup window you have referred to and from what I can tell, it's a java script that if you touch it, it downloads an .exe file to the desktop. I don't know what the resulting .exe file does, but obviously it can't be run on the Mac (unless you are running XP/Vista under Bootcamp, Paralells, or Fusion).

[plugsnpixels]

Gary, thanks for the info (obviously you know your Windows security!), though I must say in all my years of using Macs and traveling all over the internet's main roads and back alleys (plus running 4 higher-ed computer labs full of Macs with no virus protection for nearly a decade), I have yet to be affected negatively by a virus. Back around 1998/9 I saw the AutoStart virus appear, but it did no real harm was literally the last Mac virus I saw.

I'm not saying it can't happen, but perhaps the Mac OS is a bit better than Windows at protecting itself, besides being the smaller target. It's almost sad that Windows users need all the add-on security products. The OS should be handling that itself. Maybe it does with Vista (?).

But thankfully my Parallels Windows seems safe thus far--I do have protection running (MacAfee) and try to keep Windows itself updated.

My main point is, I just can't imagine having to hassle with everything you describe--I'd toss the computer first.

Swampy, an .exe downloaded to the Mac desktop can only get into Parallels/Boot Camp if you dragged it into the Windows environment and double-clicked it, or *possibly* if you double-clicked it on the Mac desktop and indirectly activated Windows in that manner (I'd have to test to see if that would even work). In either case, the user would have to purposely interact with such a mystery file, and if they did, they get what they deserve!

[Alison]

Quote:

Originally Posted by skydog

Gary...it appears the virus is gone. What exactly did combo fix do and what did it correct?

Swampy..you have an Apple...thank God I have Gary!

Actually, I need to replace my computer. It is ~ 5 years old and I'm concerned of a complete failure at some point. My concern with the apple is the cost of converting all of my software to the apple environment and how many of my applications will work in this environment. Any thoughts?

For those of you that use windows, what is the lastest on vista? Initially it received a lot of bad press like the recent launch of the Canon Mark III. Can most applications now run in this environment? Most of my friends say stick with XP.

Hi Skydog,

From what I've been told, you will need at least 2gig of ram on your computer just for vista - add a couple of extra for photoshop etc., Apparently this is one of the main reasons why some folks ran into trouble with vista. Next upgrade will see me install vista, although I have been more than happy with XP.