Author Topic: Trojan Downloader & Keylogger remnants  (Read 4687 times)

Zhain

  • Guest
Trojan Downloader & Keylogger remnants
« on: December 28, 2008, 10:48:47 PM »
Hello, due to a temporary lapse in judgement (basically me being an idiot and not checking the link thoroughly, it was close to an existing website with one letter changed) a few days ago I had been infected with what I determined to be Downloader.Swif.C. Of course, this got me pretty worried/upset, as it seems a load of crap was being put on my computer. Since then I have taken many precautions, including disabling System Restore and rebooting in Safe Mode to scan, scanning with a ton of programs including MBAM (Malware Bytes Anti Malware). I thought I had cleaned everything out, but apparently I was wrong. Unfortunately, this has me paranoid to log into any sort of online account.

I recently completed a Kaspersky Online Scan, and here is the log.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 23:06:28
Records in database: 1522053
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 78926
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:55:20


File name / Threat name / Threats count
C:\data Infected: Trojan-Downloader.Win32.IstBar.ja 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\21A264D6.dll Infected: not-a-virus:AdWare.Win32.180Solutions.j 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\61524F3D.zip Infected: Trojan-Downloader.Java.OpenStream.w 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7E5B303A.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.l 1

The selected area was scanned.




Any help in this matter is greatly appreciated, this thing has me very worried and afraid that my PWs will be logged. Thank you very much in advance for any help.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Trojan Downloader & Keylogger remnants
« Reply #1 on: December 28, 2008, 10:51:49 PM »
For avast to work correctly, fully remove Norton...

1) Remove NAV or Norton 360 through Add/Remove programs from Control Panel. Boot.
2) Use Norton Removal Tool for Windows 2000/XP/Vista or Norton Removal Tool for Windows 98/Me. Boot.
3) Install avast! (or repair the installation) and boot.

The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
The best things in life are free.

Zhain

  • Guest
Re: Trojan Downloader & Keylogger remnants
« Reply #2 on: December 28, 2008, 11:07:06 PM »
Ah, I apologize, I was not originally using Avast!.  Now I have downloaded and installed the free Avast home edition, as well as Zone Alarm.

What are the next steps I should take?

Thank you very much for your reply by the way.

Zhain

  • Guest
Re: Trojan Downloader & Keylogger remnants
« Reply #3 on: December 29, 2008, 01:27:36 AM »
I went through a thorough scan of C with Avast, and it came up with 16 archived items that it declared unable to scan. I don't think they are something to worry about though, as they are all in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy, and most of them ended with .reg or .ini. I might be wrong, but I assume those Spybot files being unable to be scanned is alright?

Avast Anti-Rootkit didn't seem to find anything.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan Downloader & Keylogger remnants
« Reply #4 on: December 29, 2008, 01:42:10 AM »
That looks like S&D quarantine back-ups or its own files which it is rightly protecting.

Many programs (usually security-based ones), such as AdAware and Spybot Search & Destroy, password protect their files for legitimate reasons; there are others (and avast doesn't know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected; you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so). This will reduce the number of files that can't be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text. If you can give some examples of those file names, the locations and the reason given why they can't be scanned, that might help us further.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Zhain

  • Guest
Re: Trojan Downloader & Keylogger remnants
« Reply #5 on: December 29, 2008, 01:55:29 AM »
You are most likely right, I cannot remember the entire file path, but it began with

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery......

The reason listed as unable to be scanned was indeed something along the lines of "Archived file is password protected"

Thank you for taking care of my worry there.

Is there any reason for me not to just delete the C:\data file indicated in the Kaspersky scan above?  I am having difficulty finding anything with other scanning programs, but I still tend to be paranoid that I am infected.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Trojan Downloader & Keylogger remnants
« Reply #6 on: December 29, 2008, 03:48:36 PM »
You're welcome.

No, the stuff related to Kaspersky or others in your post is unrelated to the avast scan and its not being able to scan files.

This and the other one, however, show you have remnants of Norton and you should use the Tools suggested by Tech to remove them.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\21A264D6.dll Infected: not-a-virus:AdWare.Win32.180Solutions.j 1

Although this is shown as not-a-virus, it should be checked at VirusTotal:
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

This (the C:\data file you referred to) is adware and although it doesn't point to a specific file, it is a toolbar and should be removed, see below.
C:\data Infected: Trojan-Downloader.Win32.IstBar.ja 1

- ToolbarCop http://www.snapfiles.com/get/toolbarcop.html
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
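
Added example, not part of any post in this thread: a Python sketch of the triage DavidR walks through in reply #6, run over the result lines of the Kaspersky report posted above. The bucket names, the line regex and the rule that a `Quarantine` folder means an inert copy held by another scanner are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Result lines copied from the Kaspersky Online Scanner report posted in this thread.
REPORT = r"""
C:\data Infected: Trojan-Downloader.Win32.IstBar.ja 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\21A264D6.dll Infected: not-a-virus:AdWare.Win32.180Solutions.j 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\61524F3D.zip Infected: Trojan-Downloader.Java.OpenStream.w 1
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7E5B303A.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.l 1
"""

# "<path> Infected: <verdict> <count>"; the path itself may contain spaces.
LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<count>\d+)$")

def triage(report):
    """Return (path, verdict, bucket) for every result line in the report."""
    rows = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # report header, statistics and blank lines
        path, verdict = m["path"], m["verdict"]
        # Folder components only, so a file merely named "quarantine" is not matched.
        folders = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
        if "quarantine" in folders:
            bucket = "quarantined-copy"   # held by another scanner's quarantine
        elif verdict.startswith("not-a-virus:"):
            bucket = "riskware-review"    # legitimate-but-abusable or adware class
        else:
            bucket = "active-detection"   # needs removal
        rows.append((path, verdict, bucket))
    return rows

def summary(rows):
    """Count result lines per bucket."""
    counts = {}
    for _, _, bucket in rows:
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts

if __name__ == "__main__":
    for path, verdict, bucket in triage(REPORT):
        print(f"{bucket:17} {verdict:45} {path}")
```

On this report only `C:\data` lands in `active-detection`; the three Norton quarantine entries are copies that go away once the Norton remnants are removed, and `mirc.exe` is the one to confirm with a second opinion.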