Fell for the UPS virus--help please?

I know, I know. Never open attachments you’re not expecting. I guess my usual good judgment took a backseat to the initial “my package is finally here!” response. Sorry, laptop. Anyway. On to the gritty details.

So I foolishly downloaded and unzipped an attached file from a fake UPS e-mail. Then I took the stupidity to a whole 'nother level by double-clicking the unzipped file, which of course wasn’t actually a Word document (I have since made all file extensions visible). The icon for the file disappeared, which is when I started going “oh crud what have I done.” I began to research possible fixes but then my computer shut down on its own.

I went to my more tech-savvy brother for help and he scheduled a boot-time scan with avast! antivirus. An hour or two later, I glanced at the laptop and it showed the usual start-up screen, asking me to log in. I decided to shut down. I have since turned it back on in order to follow the advice detailed here: http://www.nyu.edu/its/security/virus/.

This is where I run out of ideas. What did the innocuous start-up screen mean? Did avast! detect and repair the problem, or did it miss something? What can I do to make sure my system is completely clean? Googling “UPS virus” has yielded a lot of different results from 2008, none of which I’d like to try without some solid, up-to-date advice. Also, research seems to indicate that the malware makes your computer go haywire (crashing your system, preventing you from logging on, etc etc). So far, everything seems to be running smoothly on my laptop. Again, what does this mean? I’d like to think that I caught the problem in time, but am too paranoid to be optimistic. How can I tell that the problem is definitely fixed? Or if the problem even still exists?

Sorry for this long post, and thanks in advance for any help you may be able to give. Any advice would be greatly appreciated, as I’d like to fix this before tomorrow (I use my laptop for a lot of schoolwork, including taking notes).

Welcome to the forum.

What is the operating system, including service pack, and is it 32 or 64bit?
Start Avast, and when the memory test screen finishes, open the chest, look under infected files, and please report if there are any recent additions.
Try downloading the free version of MBAM. Install it, update it, and run a quick scan. Post the scan report, please.

Thanks (for the welcome as well as the help).

I’m running 32-bit Windows XP Pro SP3

The latest entry in Avast’s chest is “JF:FakeAV-CG [Trj],” which was last changed on 10/31/2009 and transferred on 1/24/2010.

Here’s the log from the MBAM quick scan (which I haven’t closed yet):

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

3/2/2010 10:00:23 PM
mbam-log-2010-03-02 (22-00-18).txt

Scan type: Quick Scan
Objects scanned: 148220
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\mspdb27.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\nynw.wmo (Backdoor.Bot) → No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) → No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) → Bad: (Explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\mspdb27.dll (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\nynw.wmo (Backdoor.Bot) → No action taken.
C:\Documents and Settings\Angela Tan\Local Settings\Temp\167.tmp (Backdoor.Bot) → No action taken.
C:\Documents and Settings\Angela Tan\Local Settings\Temp\SystemRequirementsLabx.exe (Spyware.Zbot) → No action taken.

Should I take any action, like “remove selected”?

That probably sounds like a stupid question, but right now I’m wary of any action not specifically spelled out for me. Nothing like some malware to up the paranoia meter.

In the same vein, I feel like terrible things are happening the longer I leave my laptop on. Is this true? Would it be better if I used it as little as possible?

I apologize for asking so many questions, but I’d like to learn more about this so I’m less clueless/helpless in the future in case something like this (god forbid) happens again.
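As an added illustration (not code from this thread or from Malwarebytes), the Python below parses the MBAM log format shown in the post above and spells out what the Hijack.Shell line means: which extra entries were injected beside Explorer.exe in the Winlogon Shell value, which detected file they relaunch at every logon, and which detections are still untouched. The sample log is constructed from the entries quoted in the post; MBAM writes "->" between fields, and the arrow in the forum copy is accepted as well.

```python
import ntpath
import re

# Constructed sample from the MBAM 1.44 log quoted above. MBAM separates fields with "->";
# the forum copy shows a Unicode arrow, so both are accepted.
SAMPLE_LOG = r"""Memory Modules Infected:
C:\WINDOWS\system32\nynw.wmo (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nynw.wmo mynleeq) Good: (Explorer.exe) -> No action taken.

Files Infected:
C:\Documents and Settings\Angela Tan\Local Settings\Temp\SystemRequirementsLabx.exe (Spyware.Zbot) -> No action taken.
"""
ARROW = "(?:->|→)"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) " + ARROW + r" (?P<rest>.+)$")
HIJACK_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) " + ARROW + r" (?P<action>.+)$")

def parse_mbam_log(text):
    """One dict per detection; Hijack.* entries also carry the bad/good registry values."""
    section, findings = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("Infected:"):  # detailed section header such as "Files Infected:"
            section = line[:-1]
        elif section and (m := ENTRY_RE.match(line)):
            f = {"section": section, "item": m["item"], "detection": m["detection"],
                 "action": m["rest"], "bad": None, "good": None}
            if h := HIJACK_RE.match(m["rest"]):
                f.update(bad=h["bad"], good=h["good"], action=h["action"])
            findings.append(f)
    return findings

def injected_shell_tokens(findings):
    """Tokens the Winlogon Shell hijack appended beyond the expected value, in order."""
    extra = []
    for f in findings:
        if f["bad"] is not None:
            good = {t.lower() for t in f["good"].split()}
            extra += [t for t in f["bad"].split() if t.lower() not in good]
    return extra

def persistence_payloads(findings):
    """Detected files named in the hijacked Shell value, i.e. relaunched at every logon."""
    names = {t.lower() for t in injected_shell_tokens(findings)}
    return sorted({f["item"] for f in findings if ntpath.basename(f["item"]).lower() in names})

def unresolved(findings):
    """Items still marked 'No action taken', i.e. nothing has been quarantined yet."""
    return [f["item"] for f in findings if f["action"].startswith("No action taken")]
```

Run against the sample, `persistence_payloads` links the Shell hijack to nynw.wmo, which is why a normal-looking logon screen says nothing about whether the infection is gone.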

Right. Those five are bad.
Place a tick beside them in the results (log) page, and click “remove selected”. That will send them to the MBAM quarantine. If MBAM prompts for a reboot to complete removal, please do so promptly.

Please download ATF cleaner, from MajorGeeks to your desktop, and select all (except cookies, if there are site preferences you want to retain), then “empty selected”.

Run another quick scan with MBAM, and if any results are found, post the log again. If all is clean, please mention that.

At some stage run a scan with Avast, which is likely to take a while, and I would like to see if the boot scan is available. If you could schedule one, and then watch as the computer restarts and starts the boot scan, that would be good. It will take a while afterward before completing.

Definitely take action.

Let Malwarebytes “Remove selected” and the infection will be removed into its Quarantine area.

By the way, IE8 is much better and safer than IE7.

I recommend purchasing Malwarebytes for the resident protection for a one time cost of $24.95US
https://store.malwarebytes.org/342/?scope=checkout&cart=29945 <== it will convert to your currency

I’ve deleted the things listed in the MBAM scan, used ATF cleaner, and scanned with MBAM again. It came up clean. I’m now scheduling a boot scan with Avast.

I have IE installed, but I actually use Firefox most of the time (and occasionally Google Chrome).

Sounding OK. You should still update IE. It’s embedded deep into the operating system. Quite a few system files (such as Explorer.exe) use it, so if it is vulnerable, so is your computer (I think), even if IE isn’t actually open.

Ah, okay. Thanks for the tip. I’ll do that now, since the Avast boot scan ran without encountering any problems.

(Although the clean scan doesn’t really reassure me. I mean, it did miss those things MBAM picked up.)

No one scanner gets them all, every time, every day. On another day, Avast might stop one that other scanners will miss. This is the nature of blacklist-based scanners, and the malware scene today, where new variants are being released at a ridiculously high rate.

That said, there doesn’t seem to be much that gets past MBAM, it has an extremely good reputation, and is often recommended at many forums, this included.

Others that are recommended include Superantispyware and DrWeb CureIt. Wouldn’t hurt to run another scan using Superantispyware if you want to be as sure as you can be, short of having diagnostics run. (There are people - or one user here, anyway - that can do that for you if you want, but in the absence of other symptoms you’re probably OK.)

You know what caused this. You know how to prevent it in the future. If you keep MBAM updated from time to time, and right-click any attachment for scanning before running it, that will help with prevention. Doesn’t apply for brand new malware, however. That happens, but you have to be a bit unlucky.