Well today that was something I didn't want to go through again!
So I decided to do a THOROUGH scan for viruses in ALL files on my hard disk.
I started with a "Google Search" for "virus scan free". The first Site listed is:
"Trend Micro - Free online virus Scan
... A security vulnerability may have impacted prior versions of the Housecall online virus scanning service. ... Scan Now. It's Free! ...
Description: Free online virus scanner. By Trend Micro, Incorporated.
http://housecall.antivirus.com/ - 41k - Cached - Similar pages"
So I clicked it, and that Web Page says:
"HouseCall ... Scan Now. It's Free!"
"... (anyone) may use Housecall, Trend Micro’s free online virus scanner."
I clicked on the "Scan Now" link, and on the next page I had to select "USA" (so they know what viruses to expect), and the Scan download started!
This "HouseCall" Virus-Scanning Program downloaded on my standard 56K modem in ~10 minutes.
Then this "HouseCall" Virus-Scan Program found the following Viruses on my Hard Disk:
JS_NOCLOSE.E      C:\Windows\Local Settings\Temporary Internet Files\Content.IE5\S5AJWDUB\hidden[1].htm
TROJ_MSCACHE.A    C:\Windows\gypgtjfo.exe
TROJ_WINFAVS.A    C:\Windows\winfavorites.exe
TROJ_WINFAVS.A    C:\Program Files\WinFavorites.exe
For these Viruses, I've Summarized and Listed the following Descriptions and Solutions from Trend Micro's Web Site.
I'm OK with Copying & Posting "their" info because:
I SERIOUSLY RECOMMEND THAT YOU (EVERYONE WHO READS THIS PAGE) SHOULD GO TODAY TO THEIR SITE AND RUN THEIR FREE VIRUS SCAN.
And of course support them by buying their virus-removal services / programs if you find any viruses!
PLEASE - DO THIS TODAY! Even - Right Now!
It only takes 15 minutes, and you may have a virus program RIGHT NOW on your disk that you don't know about, that's IN YOUR BEST INTEREST to find out about right away!
Unless you want to do like me, and wait until your system crashes...
JS_NOCLOSE.E (on my disk: C:\Windows\Local Settings\Temporary Internet Files\Content.IE5\S5AJWDUB\hidden[1].htm)
Virus type: Trojan
Destructive: No
Payload: Opens several invisible browser windows
Size of virus: 7,630 - 7,650 Bytes
Date of origin: May. 1, 2002
Place of origin: Philippines
This non-destructive, non-memory resident JavaScript malware opens and hides one or more Internet browser windows and prevents users from controlling these browser windows.
This script malware, which is usually embedded in certain Web sites, opens browser windows to connect to a pre-defined list of URLs contained in its body. Infected users may encounter difficulties in viewing, maximizing, and closing these windows while unknowingly running this malware's hidden functions.
Similar to earlier variants, this non-destructive and non-memory resident JavaScript malware, usually embedded in certain Web sites, opens browser windows to perform its hidden functions.
Upon execution, it opens several Internet browser windows to pre-defined URLs that are listed in its body. The URL can be executed in a separate browser window or inside its own window. This way, it could execute several malicious script files in a user’s system without the user's knowledge.
It is not dangerous and destructive by itself, but its behavior can cause delays and can become annoying to users because of the traffic it produces. It also performs certain hidden functions and makes opened browser windows difficult to control or close.
This JavaScript malware ... usually hides its browser window by resizing it to 1 pixel, and moving its location on the display at coordinates 10000, 10000. This is already beyond visible screen resolutions, which is usually set at lower values. In HTML form, this malware minimizes its browser windows and prevents users from easily maximizing and closing them.
While active, some variants of this malware could send cookies to remote users who can then monitor for browsing behavior. It gathers information such as frequently visited Web sites or how often a user visits certain sites.
SOLUTION:
Close each of its browser windows found at the taskbar to terminate HTML files infected with this malware.
Scan your system with Trend Micro antivirus and delete all files detected as JS_NOCLOSE.E.
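The window-hiding behaviour described above (a resize to 1 pixel and a move to coordinates 10000, 10000) can be looked for in cached pages. The following is an added example, not code from Trend Micro or from the original page; the pixel cutoffs, function names and sample strings are assumptions made for the illustration.

```python
import os
import re

TINY_PX = 5          # assumed cutoff; the page describes a resize to 1 pixel
OFFSCREEN_PX = 5000  # assumed cutoff; the page describes a move to 10000, 10000

CALL_RE = re.compile(r"\b(resizeTo|moveTo)\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*\)", re.I)
OPEN_RE = re.compile(r"\bopen\s*\(([^)]*)\)", re.I)
FEATURE_RE = re.compile(r"\b(width|height|left|top)\s*=\s*(-?\d+)", re.I)


def hidden_window_findings(text):
    """Return sorted reasons why script text appears to hide a browser window."""
    reasons = set()
    for name, a, b in CALL_RE.findall(text):
        a, b = int(a), int(b)
        if name.lower() == "resizeto" and min(a, b) <= TINY_PX:
            reasons.add("resizeTo %dx%d" % (a, b))
        elif name.lower() == "moveto" and max(abs(a), abs(b)) >= OFFSCREEN_PX:
            reasons.add("moveTo %d,%d" % (a, b))
    # Only inspect window.open() feature strings, so <img width=1> is not flagged.
    for args in OPEN_RE.findall(text):
        for key, value in FEATURE_RE.findall(args):
            key, value = key.lower(), int(value)
            if key in ("width", "height") and value <= TINY_PX:
                reasons.add("open %s=%d" % (key, value))
            elif key in ("left", "top") and abs(value) >= OFFSCREEN_PX:
                reasons.add("open %s=%d" % (key, value))
    return sorted(reasons)


def scan_tree(root):
    """Map each .htm/.html/.js file under root that has findings to its reasons."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html", ".js")):
                path = os.path.join(folder, name)
                with open(path, encoding="latin-1") as handle:
                    found = hidden_window_findings(handle.read())
                if found:
                    hits[path] = found
    return hits


# Constructed samples (not the real malware body): one hides its window, one does not.
SAMPLE = "<script>window.resizeTo(1, 1); window.moveTo(10000, 10000);</script>"
BENIGN = "<img width=1 height=1 src='pixel.gif'><script>window.resizeTo(800, 600);</script>"
```

Calling scan_tree on a browser cache folder returns only the files worth a closer look; a hit is a heuristic lead, not proof of infection.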
TROJ_MSCACHE.A (on my disk: C:\Windows\gypgtjfo.exe)
Virus type: Trojan
Destructive: No
Aliases: Downloader.MSCache, Trojan.Win32.TalkStocks
This Trojan attempts to connect to a Web site (usually http://www2.sko<BLOCKED>idoo.com/softwares/) to download its components. It can also download other applications from the Internet that may be malicious, and affect the system settings of an infected system.
Typical are the following components:
RANDOMISER.EXE (7,680 bytes)
This is the main downloader program, which downloads the files, MSCACHE2.EXE and MSCACHE2.DLL, and saves them in the Windows directory using random file names.
MSCACHE2.DLL (12,2880 bytes)
This component is installed as a browser helper object that is used to download and install updates of the malware or its components.
The malware can download other applications from the Internet that may be malicious and affect the system settings.
REPAIR
Scan your system with Trend Micro antivirus and delete all files detected as TROJ_MSCACHE.
TROJ_WINFAVS.A (on my disk: C:\Windows\winfavorites.exe, C:\Program Files\WinFavorites.exe)
Virus type: Trojan
Destructive: No
Aliases: TrojanDownloader.Win32.WinFavori, Downloader-FL
This memory-resident Trojan creates a folder named WINFAVORITES in the Program files folder of a target system. It also downloads a file from a specific URL, and drops the said file in the root directory of the infected host.
SOLUTION
To remove this malware, first identify the malware program:
Scan your system with your Trend Micro antivirus product; NOTE all files detected as TROJ_WINFAVS.A.
Search the ENTIRE hard disk for the following Files, and Delete them:
WINFAVORITES.EXE
URL.TXT
(If it won't delete, it's still running - use Task Manager (ctrl+alt+delete) & Terminate any TROJ_WINFAVS.A processes)
Run Regedit, and Delete the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run:
WinFavorites = C:\Program Files\WinFavorites\WinFavorites.exe1 (or equiv. - delete only this Entry)
HKEY_CURRENT_USER>Software>WinFavorites (delete this entire Key)
For Full Information on Detection and Removal of the Above Viruses - and Many Many Others - Please Do go to the Trend Micro Web Site:
http://housecall.antivirus.com
Again, I STRONGLY recommend that you do visit this site - today!
"The Best Way to Fix a Problem, Is to Stop It Before It Happens!" - Philip C. Dybel
Philip C. Dybel
December 23, 2003