#1
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
I'm usually NOT this stupid...
Yesterday I clicked on a link sent me via MSN from a friend, without actually double-checking that it was a proper link... and then even after she said she didn't mean to send it, I opened the file that it put on my desktop.
I seriously do not usually do things like that. Since then I've been getting weird error messages (like a box with "Shell" in the title bar and the message that "This program has performed an illegal operation and will be shut down."), the screen has been doing a lot of flickering, and it's jumpy/slow in responding to things. I ran Housecall twice when I realized what I'd done - nothing either time. I am currently running Spybot but I expect there'll be nothing then either. I even rebooted using the Startup disk and did a complete scan of the HD.

I run on Windows 98 and recently updated the security patches, except for one for Outlook Express because I don't use that program at all (I use Thunderbird for e-mail and Firefox for most web browsing).

Should I post a Hijack This Log? Any assistance = greatly appreciated. Thanks!

-Janna
#2
Member (9 bit)
Join Date: Jan 2004
Location: Watsontown, PA.
Posts: 408
Janna,
Here is a link to another scanning program that I use. It is Pestpatrol, and it catches things that House Call doesn't. HERE is the link. Just click on scan now just down from the top of the frame on the right side. There will be two popups asking if you want to install. Just click YES to both and then do the scan. When it finishes, it will show you what it found. You can then, if you want, click on one item at a time and it will then give you manual instructions on how to remove the items. Good luck, and I hope this helps.
#3
Lest we forget
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870
Take a look at this thread, it has a lot of tips to clean your pc before you post a hijackthis log. http://forum.pcmech.com/showthread.php?t=103171
__________________
redqueen: Antec Sonata, Pentium-D 2.5GHz, MSI G31M3-L, 2GB ram, 320 GB HDD, OpenBSD
hal9000: Lenovo T61, 2GB ram, 120 GB HDD, FreeBSD
#4
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
Okay, I've tried all kinds of things at this point.
I looked at my HiJack This log and saw nothing, really, that was incorrect. I've run The Cleaner and Housecall - neither found anything. I even ran the Sober worm fix program suggested elsewhere, and it turned up nothing (I ran it in Safe Mode, just to be safe, no less). I tried to run Spybot twice, but it seized up both times. Not sure what's going on there. Has anyone got any more ideas as to what I can do?

Just as reference, here's the MSN log from the incident on Sunday:

5/8/05 11:50:03 PM My friend: rofl is this you?
5/8/05 11:50:03 PM My friend: http://link removed by moderator
5/8/05 11:50:20 PM My friend: sorry, didn't mean to send that to you
5/8/05 11:50:38 PM Me: Okay

Of course, by the time she sent the third message, I'd already (a) clicked on the link, and (b) opened the program on the desktop. Which icon immediately disappeared, and then I was pooched.

I got the same message from another friend on MSN yesterday; she's got the same virus and wants to fix it, too. I told her I was trying to figure it out. (She's not great with computers, so whatever I find works will end up being laid out for her step-by-step in an e-mail or over the phone.)

This seems to be something with MSN Messenger, but I haven't seen any alerts about it in my roamings. If anyone knows of a patch to correct the vulnerability (it's the newest version of Messenger), please do let me know! Also, of course... any ideas as to what this virus is and how to fix it would be greatly appreciated! Thanks.

-Janna

Last edited by Panama Red; 05-10-2005 at 09:10 AM.
#5
Served with Pride
Staff
Premium Member
If the link you posted is the one causing all the trouble, I don't think we need to expose others to it too! I removed it from your post.
---------------moderator---------------
__________________
Getting old is not for sissies!
#6
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
Oops.
I was assuming, of course, that people would be intelligent enough not to click on the link. Regardless - question still stands: anyone have any idea what this is and how to deal with it?

-Janna
#7
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
I downloaded the trial version of eTrust EZ Antivirus, and it looks like it got everything! Hooray!
Thanks to whoever posted that link. I'll be purchasing the full version, for sure!

-Janna
#8
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
Okay, there are still some minor issues.
Here's the scan log from eTrust EZ Antivirus. Anyone have any thoughts re: the infected-but-not-deleted files?

On-Demand Scanner
Started scanning at 5/10/05 1:20:56 PM.
Engine Ver: 11.7.0. Sig Ver:9127. Sig Date: 5/10/05.
C:\WINDOWS\WIN386.SWP - scan failed.
C:\WINDOWS\SYSTEM\system.exe - Win32.Rbot.CLM worm. Deleted.
C:\WINDOWS\TEMP\installer.exe - scan failed.
C:\WINDOWS\Application Data\Mozilla\Profiles\default\4g25cam5.slt\Mail\shawmail-4\Junk
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\Mail\shawmail\Inbox
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\Mail\shawmail-2\Inbox
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\Mail\shawmail-7\Inbox
C:\WINDOWS\Temporary Internet Files\Content.IE5\QIA23M5O\js[1].htm - JS.SillyDlScript.C trojan. Deleted.
Finished scanning at 5/10/05 2:51:01 PM.

Started scanning at 5/10/05 7:20:39 PM.
Engine Ver: 11.7.0. Sig Ver:9127. Sig Date: 5/10/05.
C:\WINDOWS\Application Data\Mozilla\Profiles\default\4g25cam5.slt\Mail\shawmail-4\Junk
C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\z90n9hby.default\parent.lock - scan failed.
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\parent.lock - scan failed.
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\Mail\shawmail\Inbox
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\Mail\shawmail-2\Inbox
Finished scanning at 5/10/05 7:45:03 PM.

Real-time Scanner
2005/05/10 14:59:13.690 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MN6DK3AH\JS[1].HTM is JS.SillyDlScript.C trojan. Deleted
2005/05/10 14:59:19.400 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MN6DK3AH\JS[1].HTM is JS.SillyDlScript.C trojan.
2005/05/10 18:59:46.900 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\68S9URGQ\JS[1].HTM is JS.SillyDlScript.C trojan. Deleted
2005/05/10 18:59:52.230 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\68S9URGQ\JS[1].HTM is JS.SillyDlScript.C trojan.
2005/05/10 19:51:18.600 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\UHYR6FOH\JS[1].HTM is JS.SillyDlScript.C trojan. Deleted
2005/05/10 19:51:28.710 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\UHYR6FOH\JS[1].HTM is JS.SillyDlScript.C trojan.

Note that since this is a new program, it's got all the updates.

-Janna
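The eTrust log in the post above mixes outcomes that need different follow-up, and as plain text they are easy to misread. The script below is an added example, not from the thread or from the eTrust product: it sorts the two line formats in that log (the on-demand "path - verdict. Deleted." lines and the real-time "timestamp File infection: path is verdict." lines) into deleted detections, detections logged without an action, files the scanner could not open, and paths listed with no verdict. The sample log is constructed from entries in the post; the bucket names and the LOCKED_NAMES list are my own choices.

```python
"""Triage an eTrust EZ Antivirus scan log (added example, not eTrust code)."""
import re
from collections import Counter

# Constructed sample: a subset of the on-demand and real-time lines quoted in the post.
SAMPLE_LOG = r"""On-Demand Scanner
Started scanning at 5/10/05 1:20:56 PM.
Engine Ver: 11.7.0. Sig Ver:9127. Sig Date: 5/10/05.
C:\WINDOWS\WIN386.SWP - scan failed.
C:\WINDOWS\SYSTEM\system.exe - Win32.Rbot.CLM worm. Deleted.
C:\WINDOWS\TEMP\installer.exe - scan failed.
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\Mail\shawmail\Inbox
C:\WINDOWS\Application Data\Thunderbird\Profiles\default\bv2yubll.slt\parent.lock - scan failed.
C:\WINDOWS\Temporary Internet Files\Content.IE5\QIA23M5O\js[1].htm - JS.SillyDlScript.C trojan. Deleted.
Finished scanning at 5/10/05 2:51:01 PM.
Real-time Scanner
2005/05/10 14:59:13.690 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MN6DK3AH\JS[1].HTM is JS.SillyDlScript.C trojan. Deleted
2005/05/10 14:59:19.400 File infection: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MN6DK3AH\JS[1].HTM is JS.SillyDlScript.C trojan.
"""

# "<path> - <verdict>. Deleted."  /  "<path> - scan failed."  /  "<path>"
ONDEMAND = re.compile(r"^(?P<path>[A-Za-z]:\\[^\n]*?)(?: - (?P<rest>.+))?$")
VERDICT = re.compile(r"^(?P<verdict>.+?)\.(?:\s+(?P<action>Deleted|Quarantined|Cleaned|Renamed)\.?)?$")
# "<timestamp> File infection: <path> is <verdict>.[ Deleted]"
REALTIME = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3} File infection: "
    r"(?P<path>.+?) is (?P<verdict>.+?)\.(?:\s+(?P<action>Deleted))?$"
)
# Win9x swap file and the Mozilla/Thunderbird profile lock: in use, not infected.
LOCKED_NAMES = ("win386.swp", "parent.lock")


def classify_line(line):
    """Return (path, status, verdict), or None for header/footer lines."""
    line = line.rstrip()
    m = REALTIME.match(line)
    if m:
        status = "deleted" if m.group("action") else "detected_no_action"
        return (m.group("path"), status, m.group("verdict"))
    m = ONDEMAND.match(line)
    if not m:
        return None
    path, rest = m.group("path"), m.group("rest")
    if rest is None:
        return (path, "listed_no_verdict", None)
    v = VERDICT.match(rest)
    verdict = v.group("verdict") if v else rest
    if verdict.lower() == "scan failed":
        return (path, "scan_failed", None)
    return (path, "deleted" if v and v.group("action") else "detected_no_action", verdict)


def triage(log_text):
    """Group every file entry in the log by outcome."""
    buckets = {"deleted": [], "detected_no_action": [], "scan_failed": [], "listed_no_verdict": []}
    for line in log_text.splitlines():
        entry = classify_line(line)
        if entry:
            path, status, verdict = entry
            buckets[status].append((path, verdict))
    return buckets


def needs_follow_up(buckets):
    """Entries a person still has to act on, as (what to do, path)."""
    todo = []
    for path, _ in buckets["scan_failed"]:
        if not path.lower().endswith(LOCKED_NAMES):   # unreadable and not a lock/swap file
            todo.append(("rescan in safe mode", path))
    for path, verdict in buckets["detected_no_action"]:
        todo.append((f"still present: {verdict}", path))
    for path, _ in buckets["listed_no_verdict"]:
        todo.append(("inspect mailbox messages", path))
    return todo


def repeat_detections(buckets):
    """Paths detected more than once: deleted, then seen again, so something
    is still re-creating the file."""
    counts = Counter(p.lower() for b in ("deleted", "detected_no_action") for p, _ in buckets[b])
    return sorted(p for p, n in counts.items() if n > 1)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for status, entries in result.items():
        print(f"{status}: {len(entries)}")
    for action, path in needs_follow_up(result):
        print(f"  {action}: {path}")
    print("re-detected:", repeat_detections(result))
```

A "scan failed" on WIN386.SWP (the Windows 9x swap file) or on parent.lock (the lock Firefox and Thunderbird hold on an open profile) only means the file was in use. The one on C:\WINDOWS\TEMP\installer.exe is different: an executable in TEMP that the scanner cannot read is exactly the file to chase with a safe-mode rescan. The Inbox and Junk entries are whole mailboxes, so a listing without a verdict is not something to fix by deleting the file. The real-time lines show the same JS[1].HTM deleted and then seen again six seconds later, which is what repeat_detections() reports: whatever fetched that page was still running.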
#9
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,348
1. Control panel, Internet options - delete the temporary internet files, including offline files.
2. Clear your Mozilla and Firefox caches.
3. Try to figure out which messages in your Thunderbird and Mozilla mailboxes are infected and delete them.
4. Uninstall eTrust and install AVG Free, rescan. Use safe mode if necessary.
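Step 3 is the hard one to do by hand: Thunderbird keeps each folder (Inbox, Junk) as a single mbox file, which is why the scan log earlier in the thread could only name the whole Inbox. The script below is an added example, not from the thread or from Thunderbird. It uses Python's mailbox module to walk every message in an mbox file, flags the ones carrying an executable attachment or an HTML part with inline script, and removes them by key. build_sample_mbox() writes a constructed three-message mailbox for the demo; its subjects, addresses and the photo.jpg.exe attachment are made up. Close Thunderbird before running this against a real profile: the parent.lock entries in the scan log show it was still open during the second scan, and that lock means the folder files are in use.

```python
"""Flag and remove dropper-style messages in a Thunderbird mbox folder
(added example; the sample mailbox is constructed)."""
import mailbox
import os
import tempfile
from email.message import EmailMessage

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def reasons_for(msg):
    """Why a message looks like a dropper; an empty list means nothing found."""
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXT):
            reasons.append(f"executable attachment {name}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True) or b""
            if b"<script" in html.lower():
                reasons.append("inline <script> in HTML part")
    return reasons


def suspicious_messages(path):
    """Return [(key, subject, reasons)] for every flagged message in an mbox file."""
    box = mailbox.mbox(path)
    try:
        hits = []
        for key, msg in box.iteritems():
            reasons = reasons_for(msg)
            if reasons:
                hits.append((key, msg.get("Subject", ""), reasons))
        return hits
    finally:
        box.close()


def remove_messages(path, keys):
    """Delete the given message keys and rewrite the mbox file in place."""
    box = mailbox.mbox(path)
    try:
        for key in keys:
            box.remove(key)
        box.flush()
    finally:
        box.close()


def message_count(path):
    box = mailbox.mbox(path)
    try:
        return len(box)
    finally:
        box.close()


def build_sample_mbox(path):
    """Constructed mailbox: one clean message, one executable dropper, one scripted HTML."""
    clean = EmailMessage()
    clean["From"] = "friend@example.invalid"
    clean["Subject"] = "lunch?"
    clean.set_content("see you at noon")

    dropper = EmailMessage()
    dropper["From"] = "friend@example.invalid"
    dropper["Subject"] = "rofl is this you?"
    dropper.set_content("look at this pic")
    # Fake PE header bytes stand in for a real executable.
    dropper.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="photo.jpg.exe")

    scripted = EmailMessage()
    scripted["From"] = "news@example.invalid"
    scripted["Subject"] = "newsletter"
    scripted.set_content("plain text version")
    scripted.add_alternative(
        "<html><body><script>window.open('http://example.invalid/')</script></body></html>",
        subtype="html")

    box = mailbox.mbox(path)
    try:
        for m in (clean, dropper, scripted):
            box.add(m)
        box.flush()
    finally:
        box.close()


def run_demo():
    """Build the sample mailbox in a temp dir, flag, remove, and report what is left."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Inbox")
        build_sample_mbox(path)
        hits = suspicious_messages(path)
        remove_messages(path, [key for key, _, _ in hits])
        return {"flagged": hits, "left": message_count(path),
                "still_flagged": suspicious_messages(path)}


if __name__ == "__main__":
    for key, subject, reasons in run_demo()["flagged"]:
        print(key, repr(subject), "; ".join(reasons))
```

The two heuristics are deliberately narrow (executable extensions and a <script> tag in an HTML part) and catch the common mail-borne droppers of that period, not everything a scanner would; the point is to name the message to delete rather than the whole Inbox. Thunderbird's folder index (.msf) will be rebuilt from the rewritten mbox the next time the folder is opened.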
#10
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
Okay, done.
Looks like it's all good - I'll post again if it's still having issues. Thanks so much, everyone!

-Janna
#11
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
Doesn't look like it's actually fixed yet.
I ran a search for the infected filenames and found a couple of bits of information:

http://www.sophos.com/virusinfo/analyses/trojqlowf.html

Name: Troj/Qlow-F
Type: Trojan
Affected operating systems: Windows
Side effects:
* Turns off anti-virus applications
* Drops more malware
* Reduces system security
* Installs itself in the Registry
Aliases: Trojan.Dropper.Purityscan.F

Troj/Qlow-F is a Trojan for the Windows platform that modifies internet security settings by changing security settings for the Internet Zone. Troj/Qlow-F drops installer.exe and Mt-uninstaller.exe files to the Windows Temp and current folders correspondingly. Troj/Qlow-F attempts to open predefined remote URLs.

http://securityresponse.symantec.com...loader.bo.html

Downloader.BO is a Trojan horse that downloads a backdoor Trojan from a predefined Web site.
NOTE: Virus definitions dated prior to November 12, 2002 may detect this Trojan as Downloader.Trojan.
Also Known As: TROJ_INOR.A [Trend], TROJ_INOR.B [Trend], Troj/Dloader-BO [Sophos], Downloader-BO [McAfee], Downloader-BO.b [McAfee], TrojanDownloader.Win32.Inor [AVP], Downloader.Trojan
Type: Trojan Horse
Infection Length: 4,096 bytes, 4,351 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

When Downloader.BO runs, it does the following:
1. Creates the subkey, .inr under the registry key:
   HKEY_LOCAL_MACHINE\Software\CLASSES
2. Then, under the .inr subkey, it creates the subkey:
   5Nzg1mOWKzFnuvu6
   or: pzeoMm6erZrondFQ
   or: utjRH2dTvd60MG5k
   and adds the following value to this subkey:
   Time
3. Then, attempts to download a file named Counter.c, Counter, or installer.exe from one of these predefined Web sites:
   * masteraz.hypermart.net
   * wind.prohosting.com/jimkre
   * www.gabelotto.addr.com
   * If the Trojan is successful in downloading the file, it locally saves the file as Output.exe. The Trojan will run the downloaded file. The Trojan adds the value:
     (Default) Done
     to the registry key:
     HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6
     or: HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\pzeoMm6erZrondFQ
     or: HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\utjRH2dTvd60MG5k
     NOTE: Symantec antivirus products detect the downloaded file as Backdoor.Jeem.
   * If the download fails, the Trojan adds the value:
     .inr\5Nzg1mOWKzFnuvu6
     or: .inr\pzeoMm6erZrondFQ
     or: .inr\utjRH2dTvd60MG5k
     to the registry key:
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
     so that the Trojan runs when you restart Windows.

I'm also getting IE opening when Internet is active and going directly to http://server3.darkacidonline.us/sponsors.html - which seems to be one of the things this trojan does. As I said, I use Firefox to browse, not IE. I only use IE for things like Housecall, which doesn't work in Mozilla browsers. *sigh*

My Internet connection is supposedly being severed at random moments, though the modem lights are *always* really active (which tells me that the virus is still there, since they're going even when I don't have any Internet applications running). Speaking of - I have cable Internet access; the modem is a CyberSURFER Wave, from Motorola.

I am about to attempt to fix the problem using the information given on the Symantec site; hopefully this will work, finally!

-Janna
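The Symantec writeup quoted in the post above gives indicators that can be checked offline: the .inr subkey and its marker values under HKEY_LOCAL_MACHINE\Software\CLASSES, and the Run entry the trojan adds when its download fails. The script below is an added example, not from the thread, Symantec or Sophos. It parses a regedit text export (the REGEDIT4 format Windows 98 writes, or the "Windows Registry Editor Version 5.00" format of later Windows), lists every autostart entry for review, and flags the .inr markers plus Run entries that mention installer.exe, Output.exe or the Windows TEMP folder. SAMPLE_REG is constructed: ScanRegistry, TaskMonitor and LoadPowerProfile are genuine default Windows 98 autostarts, while the "Installer" entry and the "Time" value's data are assumptions made up for illustration.

```python
"""Check a regedit export for the Downloader.BO / Qlow-F registry indicators
(added example; SAMPLE_REG is constructed, not a real export)."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
INR_PREFIX = r"hkey_local_machine\software\classes\.inr"
# Substrings from the two writeups; compared case-insensitively against "name=data".
SUSPICIOUS = (".inr\\", "installer.exe", "output.exe", "\\temp\\")

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\.inr]

[HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6]
@="Done"
"Time"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
".inr\\5Nzg1mOWKzFnuvu6"=""
"Installer"="C:\\WINDOWS\\TEMP\\installer.exe"
"""


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    """Decode the right-hand side of a .reg value line."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):                      # "hex:" and "hex(n):"
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
    return data


def parse_reg(text):
    """Return {key path: {value name: data}}; the default value is stored under "@"."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):                    # hex data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode_data(m.group(2))
    return keys


def autostart_entries(keys):
    """Every (key, name, data) under the usual Run keys, for manual review."""
    by_lower = {k.lower(): k for k in keys}
    out = []
    for run in RUN_KEYS:
        actual = by_lower.get(run.lower())
        if actual:
            out.extend((actual, name, data) for name, data in keys[actual].items())
    return out


def find_indicators(keys):
    """(kind, key, (name, data) or None) for each match against the writeups."""
    findings = [("classes_inr_key", k, None) for k in keys if k.lower().startswith(INR_PREFIX)]
    for key, name, data in autostart_entries(keys):
        text = f"{name}={data}".lower()
        if any(s in text for s in SUSPICIOUS):
            findings.append(("suspicious_run_entry", key, (name, data)))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, name, data in autostart_entries(parsed):
        print("autostart:", name, "=", data)
    for kind, key, detail in find_indicators(parsed):
        print(kind, key, detail or "")
```

Export with "regedit /e hklm.reg HKEY_LOCAL_MACHINE" (a REGEDIT4 file in the ANSI code page on Windows 98; Version 5.00 exports from later Windows are UTF-16, so open those with encoding="utf-16"). Both writeups say the malware turns off anti-virus software and runs a backdoor, so take the export from safe mode or read it on a clean machine rather than trusting the live system, and treat an unfamiliar autostart entry as something to look up, not as proof by itself.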
#12
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,348
Try The Cleaner from Moosoft. You can download a time-limited fully functional trial.
#13
Member (6 bit)
Join Date: Nov 2002
Location: Calgary, Alberta, Canada
Posts: 51
Thanks, I did try that.
Wound up asking my friends, and one of them is going to clean it for me. Yesterday I changed up hard drives. The new one is smaller but works fine (came from my old computer, which I stopped using when the power source started to cause blue screening). Had some issues getting things working properly, but here I am! Hopefully my friend will be able to get it cleaned up without a lot of trouble; he promised he'd back up my files if he had to wipe the drive. I'm hoping to get it to him this afternoon.

Anyway... good lesson learned and I think I'll purchase a good AntiVirus program once I have my usual drive back in place.

While I'm here - anyone have any idea how to get McAfee GONE? The win.ini file is apparently still referencing it. I used the disk to uninstall it and everything.

-Janna