Character(s) Malware
Re: Character(s) Malware

Post by chryssi2001 » August 3rd, 2008, 3:47 pm

Can you post a screenshot of what you see?

Here is a link which explains how to create a screenshot.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Post by bottoson » August 4th, 2008, 11:17 am

OTMoveIt2 report

File/Folder C:\WINDOWS\system32\runtimeC:\WINDOWS\system32\runtime not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created o

-------------------------------------------------

JAVA Installation accomplished

-----------------------------------------------

Kaspersky Online AV Scanner report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 03, 2008 23:04:12
Records in database: 1049374
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 146202
Threat name: 5
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 08:55:18


File name / Threat name / Threats count
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD1001_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{0FD35220-06DF-11D7-90D4-C8C30FAA5864}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old d\Downloads\dlwonder.exe Infected: not-a-virus:AdWare.Win32.Aureate 1
C:\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\WINDOWS\Downloaded Files\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bg 1

The selected area was scanned.

----------------------------------------------------------------

HijackThis Log report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:39 AM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: CallingID LinkAdvisor - {F67BEA7B-70D4-4417-9227-480B35DDD500} - C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [NoteWhen3] "C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: Desktoplet.lnk = C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0351727296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/ ... gh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBService - Ziff Davis Media, Inc - C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11932 bytes

----------------------------------------------

The computer seems to be running alright and perhaps even a little faster than usual.

The email requested and received from a friend showed the same worm-like characters

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Post by chryssi2001 » August 4th, 2008, 12:56 pm

Hello bottoson,

The email requested and received from a friend showed the same worm-like characters

There is still infection there.

OTMoveIt2 report

File/Folder C:\WINDOWS\system32\runtimeC:\WINDOWS\system32\runtime not found.

Something went wrong with the file you copied into OTMoveIt2. It was copied twice, thus OTMoveIt2 couldn't remove it.

Please copy them carefully this time using your mouse, and paste them straight into the OTMoveIt2 window.
----------------------------------------------------
Run OTMoveIt2
  • Double-click OTMoveIt2.exe. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
C:\WINDOWS\system32\runtime
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{0FD35220-06DF-11D7-90D4-C8C30FAA5864}\Microsoft\Outlook Express\Sent Items.dbx
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old d\Downloads\dlwonder.exe
C:\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx
C:\WINDOWS\Downloaded Files\setupxv.exe

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2

Post back:
OTMoveIt2 results.
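The failure above (two paths pasted onto one line, so OTMoveIt2 looked for a path that does not exist) is easy to catch before pasting. The following added example, not part of the thread or of OTMoveIt2, parses the findings section of a Kaspersky Online Scanner report into (path, threat) pairs and checks a paste list for run-together or duplicated paths; the sample inputs are constructed from lines in the thread.

```python
"""Parse a Kaspersky Online Scanner 7 findings section and validate an
OTMoveIt2-style paste list for paths that were run together on one line."""
import re
from typing import List, Tuple

# Constructed sample in the shape of the thread's Kaspersky report.
KASPERSKY_SAMPLE = r"""File name / Threat name / Threats count
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD1001_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\WINDOWS\Downloaded Files\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bg 1

The selected area was scanned.
"""

# Constructed sample reproducing the bad paste from the first OTMoveIt2 run:
# the first line holds the same path twice with nothing between them.
PASTE_SAMPLE = r"""C:\WINDOWS\system32\runtimeC:\WINDOWS\system32\runtime
C:\WINDOWS\Downloaded Files\setupxv.exe
"""

# One findings line: "<drive-rooted path> Infected: <threat> <count>".
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$"
)
# A drive root such as "C:\". Windows file names cannot contain ':', so a
# second drive root inside one line can only mean two paths were joined.
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def parse_kaspersky(report: str) -> List[Tuple[str, str]]:
    """Return (path, threat) for every findings line; other lines are skipped."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("threat")))
    return findings


def split_run_together(line: str) -> List[str]:
    """Split a line at every drive root after the first one."""
    starts = [m.start() for m in DRIVE_RE.finditer(line)]
    if len(starts) <= 1:
        return [line]
    bounds = starts + [len(line)]
    return [line[bounds[i]:bounds[i + 1]] for i in range(len(starts))]


def check_paste_list(text: str) -> Tuple[List[str], List[str]]:
    """Return (clean_paths, problems).

    clean_paths is the deduplicated list that should actually be pasted;
    problems describes each line that was split, dropped or rejected.
    """
    clean: List[str] = []
    problems: List[str] = []
    seen = set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = split_run_together(line)
        if len(parts) > 1:
            problems.append(f"line {n}: {len(parts)} paths run together, split them")
        for part in parts:
            part = part.rstrip()
            if not DRIVE_RE.match(part):
                problems.append(f"line {n}: not a drive-rooted path: {part!r}")
                continue
            key = part.lower()  # NTFS paths are case-insensitive
            if key in seen:
                problems.append(f"line {n}: duplicate of an earlier entry: {part!r}")
                continue
            seen.add(key)
            clean.append(part)
    return clean, problems


if __name__ == "__main__":
    for path, threat in parse_kaspersky(KASPERSKY_SAMPLE):
        print(f"{threat:45s} {path}")
    paths, issues = check_paste_list(PASTE_SAMPLE)
    print("\n".join(issues))
    print("\n".join(paths))
```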

Re: Character(s) Malware

Post by bottoson » August 4th, 2008, 2:06 pm

Think we made it do its thing... Here are the results.

--------------------------------------------------

File/Folder C:\WINDOWS\system32\runtime not found.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Scripts moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Data moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\Groups moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\9572.15 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\8066.32 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\8064.29 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\7898.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\6119.8 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15922.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15920.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15660.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15658.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15656.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15651.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15637.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15531.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15530.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15528.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15496.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15488.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15486.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15449.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15418.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15332.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15295.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15283.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15279.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15211.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15210.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15207.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15200.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15196.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15183.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15176.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15174.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15172.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15095.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15092.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\15090.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14862.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14712.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14710.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14693.5 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14417.4 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14372.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14325.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14301.5 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14299.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\14298.5 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\13828.6 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\13826.7 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\13365.4 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\13165.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\13013.8 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12972.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12968.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12959.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12958.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12906.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12891.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12761.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12752.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12722.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12577.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12558.4 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12556.6 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12549.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12527.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12526.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12519.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\12503.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\11287.6 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\11278.3 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\11277.7 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\11218.11 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\11217.9 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\11216.10 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\11213.8 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10930.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10689.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10452.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10428.1 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10427.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10373.2 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10372.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10371.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10369.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10368.0 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10079.9 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners\10078.10 moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\Banners moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{0FD35220-06DF-11D7-90D4-C8C30FAA5864}\Microsoft\Outlook Express\Sent Items.dbx moved successfully.
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old d\Downloads\dlwonder.exe moved successfully.
File move failed. C:\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx scheduled to be moved on reboot.
C:\WINDOWS\Downloaded Files\setupxv.exe moved successfully.
File/Folder not found.
File/Folder not found.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08042008_124236

Files moved on Reboot...
C:\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx moved successfully.

Re: Character(s) Malware

Post by chryssi2001 » August 4th, 2008, 2:10 pm

Reboot your pc.

Can you try your email now?

Re: Character(s) Malware

Unread postby bottoson » August 4th, 2008, 2:12 pm

Just had a friend send me an email and the worm characters are in it so at this point the worm is still active I guess.

I had rebooted my machine.

Could reboot again if you want.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 4th, 2008, 2:19 pm

You rebooted your machine and then you received the email?
Is there any chance the email was sent while you were still using OTMoveIt?

Is it again that text you posted in your first post?
If not the same, please post it, or attach a screenshot.

Completely empty your received email folder (delete all emails) and try again.

Let me know.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 4th, 2008, 3:16 pm

You rebooted your machine and then you received the email?

Yes

Is there any chance the email was sent while you were still using OTMoveIt?

No

Is it again that text you posted in your first post?

Yes


Completely empty your received email folder (delete all emails) and try again.

I emptied the email folder

Rebooted the machine

and had an email sent to me

It also had the worm characters that have remained the same during our postings and as sent to you in a screen shot.

I await your reply.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 5th, 2008, 12:56 am

Hi bottoson,

Do you ask the same person each time to send you an email?
There might be a chance he/she is infected.

Can you ask someone else to email you, please?
----------------------------------------------
Please run DSS again.
This time you will get only main.txt

Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
----------------------------------------------
Run Kaspersky again.
----------------------------------------------
Post back:
DSS report.
Kaspersky report.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 5th, 2008, 10:06 pm

Here is the DSS report

The Kaspersky report disappeared. I will run it again or if I locate it I will send it on. It reported 5 and 7.

I had someone else send an email. Worm characters were in it.

Bill Ottoson

Deckard's System Scanner v20071014.68
Run by Bill on 2008-08-05 10:17:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as Bill.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:29 AM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\V0350Mon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\FREEME~1\fmempro.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Downloaded Files\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bill.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: CallingID LinkAdvisor - {F67BEA7B-70D4-4417-9227-480B35DDD500} - C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
O4 - HKCU\..\Run: [NoteWhen3] "C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PCMagSurfSpeed2] "C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" /m
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
O4 - Global Startup: Desktoplet.lnk = C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0351727296
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/ ... gh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HBService - Ziff Davis Media, Inc - C:\Program Files\PC Magazine Utilities\HD HeartBeat 2\HBSrvApp.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11935 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-03 16:29:33 0 d-------- C:\WINDOWS\Sun
2008-08-03 16:29:33 0 d-------- C:\Documents and Settings\Bill\Application Data\Sun
2008-08-03 15:18:56 0 d-------- C:\Program Files\Sun
2008-08-03 15:16:14 0 d-------- C:\Program Files\Java
2008-08-03 15:14:38 0 d-------- C:\Program Files\Common Files\Java
2008-08-02 17:40:37 0 d-------- C:\Magic E-Books
2008-07-31 13:47:42 0 d-------- C:\Documents and Settings\Bill\Application Data\Malwarebytes
2008-07-31 13:47:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 13:47:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-31 13:09:08 0 d-------- C:\Program Files\Trend Micro
2008-07-28 14:55:10 0 d-------- C:\Program Files\IrfanView
2008-07-24 13:22:07 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-07-24 13:21:28 0 d-------- C:\Program Files\Webroot
2008-07-24 13:21:28 0 d-------- C:\Documents and Settings\Bill\Application Data\Webroot
2008-07-24 13:21:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-07-24 13:18:27 164 --a------ C:\install.dat
2008-07-23 16:48:30 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-23 16:46:49 0 d-------- C:\Program Files\Real
2008-07-23 16:45:57 0 d-------- C:\Program Files\Common Files\Real
2008-07-23 16:40:19 0 d-------- C:\Documents and Settings\Bill\Application Data\Real
2008-07-23 16:20:45 0 d-------- C:\Program Files\Picasa2
2008-07-23 16:17:14 0 d-------- C:\Program Files\Norton Security Scan
2008-07-08 10:20:48 0 d-------- C:\WINDOWS\Fonts Temp APS Repair
2008-07-06 14:40:12 1843200 --a------ C:\WINDOWS\system32\acXMLParser.dll <Not Verified; Apache Software Foundation; Xerces-C Version 2.7.0>
2008-07-06 14:40:05 3497984 --a------ C:\WINDOWS\system32\cdintf300.dll <Not Verified; Amyuni Technologies http://www.amyuni.com; Amyuni Common Driver Interface>
2008-07-06 10:47:21 0 d-------- C:\WINDOWS\FontsWhollyGenes
2008-07-06 09:16:22 0 d-------- C:\Program Files\CamVideo


-- Find3M Report ---------------------------------------------------------------

2008-08-05 09:46:20 0 d-------- C:\Documents and Settings\Bill\Application Data\Skype
2008-08-05 08:30:33 0 d-------- C:\Documents and Settings\Bill\Application Data\skypePM
2008-08-04 09:23:18 0 d-------- C:\Program Files\SnagIt 8
2008-08-03 15:14:38 0 d-------- C:\Program Files\Common Files
2008-07-31 10:11:49 0 d-------- C:\Program Files\ZipCentral
2008-07-25 12:57:57 0 d-------- C:\Program Files\Taskbar Shuffle
2008-07-24 11:00:32 0 d-------- C:\Program Files\PC Magazine Utilities
2008-07-23 22:24:23 0 d-------- C:\Program Files\Google
2008-07-23 11:25:53 0 d-------- C:\Documents and Settings\Bill\Application Data\The Master Genealogist v7
2008-07-11 12:28:15 0 d-------- C:\Documents and Settings\Bill\Application Data\PC Magazine Utilities
2008-07-09 14:30:25 134448 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-07-08 16:19:10 0 d-------- C:\Program Files\Ad-Aware
2008-07-06 14:40:02 0 d-------- C:\Program Files\Map my Family Tree
2008-07-06 09:19:26 0 d-------- C:\Program Files\Creative
2008-07-01 09:16:22 0 d-------- C:\Program Files\ClipCache
2008-06-30 16:42:15 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-30 16:40:44 0 d-------- C:\Documents and Settings\Bill\Application Data\Adobe
2008-06-30 16:00:04 0 d-------- C:\Program Files\The Master Genealogist v7
2008-06-20 15:55:27 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-20 15:52:52 0 d-------- C:\Program Files\Skype
2008-06-20 15:52:49 0 d-------- C:\Program Files\Common Files\Skype
2008-06-20 15:45:34 0 d-------- C:\Documents and Settings\Bill\Application Data\Creative
2008-06-20 15:32:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-20 15:29:22 0 d-------- C:\Program Files\SightSpeed
2008-06-20 12:27:26 0 d-------- C:\Program Files\PCPitstop
2008-06-19 10:09:35 0 d-------- C:\Program Files\The Master Genealogist
2008-06-10 12:12:30 0 d-------- C:\Documents and Settings\Bill\Application Data\Brother
2008-06-10 12:03:13 0 --a------ C:\WINDOWS\system32\Biport
2008-06-10 11:49:02 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-06-06 11:31:31 41438 --ah----- C:\Program Files\UFTREE.GID
2008-06-06 11:14:25 0 d-------- C:\Program Files\Family Tree SuperTools
2008-05-14 10:56:58 1024 -r-h----- C:\WINDOWS\system32\NTIBUN4.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
07/03/2008 08:54 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [07/03/2008 08:54 PM 2055960]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/27/2008 12:38 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01/13/2006 07:36 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/03/2008 08:54 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 01:18 AM]
"V0350Mon.exe"="C:\WINDOWS\V0350Mon.exe" [08/23/2007 01:03 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/23/2008 04:15 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/23/2008 04:46 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 07:12 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/03/2007 11:29 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 02:39 PM]
"FreeMem Pro"="C:\PROGRA~1\FREEME~1\fmempro.exe" [10/07/2004 01:29 AM]
"NoteWhen3"="C:\Program Files\PC Magazine Utilities\NoteWhen\NoteWhen.exe" [06/18/2008 04:55 PM]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [06/07/2007 02:01 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]
"PCMagSurfSpeed2"="C:\Program Files\PC Magazine Utilities\SurfSpeed 2\SurfSpeed.exe" [05/23/2008 08:02 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [05/31/2008 11:53 AM]

C:\Documents and Settings\Bill\Start Menu\Programs\Startup\
ClipCache Pro.lnk - C:\Program Files\ClipCache\clipc.exe [12/1/2007 7:40:42 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Desktoplet.lnk - C:\Program Files\PC Magazine Utilities\Desktoplet\Desktoplet.exe [7/24/2008 11:00:32 AM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [12/3/2007 11:29:27 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [12/17/2007 2:55:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1869181A-9F50-4FCF-8BFF-1B8588ECB85C}"= C:\Program Files\CallingID\LinkAdvisor\CIDLinkAdvisor.dll [12/14/2007 09:07 PM 562616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
C:\Program Files\Brother\Brmfl06b\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-05 10:18:04 ------------
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby bottoson » August 5th, 2008, 10:08 pm

Found the Kaspersky report which follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 05, 2008 13:04:28
Records in database: 1057279
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 146118
Threat name: 5
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 07:51:18


File name / Threat name / Threats count
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD1001_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{0FD35220-06DF-11D7-90D4-C8C30FAA5864}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old d\Downloads\dlwonder.exe Infected: not-a-virus:AdWare.Win32.Aureate 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\_OTMoveIt\MovedFiles\08042008_124236\WINDOWS\Downloaded Files\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bg 1

The selected area was scanned.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 6th, 2008, 1:09 am

Hi, I will need some time to check your DSS report.

Your Kaspersky shows infected emails on your Z: drive.
Is this a separate partition, is Z drive empty? Is Z a portable Hard-Drive?
Can you get reports from Z drive?

C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx

I had that in OTMoveIt2 for deletion but it couldn't remove it.
Seems it can't find it.

I will be back as soon as I check your reports.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby chryssi2001 » August 6th, 2008, 7:17 am

Hello bottoson,

Your reports are clean except for what Kaspersky shows.
Most of the items are in OTMoveIt 2 and will go when we finish cleaning your pc and remove all tools we used.

The only item left is this:

C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx

It looks like all these infections were on your Old Disk Drive Z:

So here is what I want you to do:

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following Folder:

C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx

Right-click and delete it.

Now I want you to run a different Kaspersky scan.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.
----------------------------------------------
After finishing with my instructions and the Kaspersky scan, ask for an email again, and tell me if it is still the same problem.
Sorry I am asking for the emails, but I need to know where we stand.

There is a possibility something else on your Z drive is holding the infection, so we have to be sure that after we clean all the infected emails, there is no other infection in there.

If you have no important data on Z drive you can reformat it, if this continues.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
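As an added example (not code from this thread, from OTMoveIt2 or from Kaspersky), here is a small Python triage script that applies the reasoning used on the reports above: it parses Kaspersky Online Scanner 7 "File name / Threat name / Threats count" lines and sorts each hit into quarantined (under the OTMoveIt2 MovedFiles folder named in this thread), recycle_bin (under RECYCLER) or live, so the items that still need action stand out. The sample lines are copied from the reports posted in this thread; the two folder names are the only assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: detection lines in the layout Kaspersky Online
# Scanner 7 prints, taken from the reports posted in this thread.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\WINDOWS\Downloaded Files\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bg 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\RECYCLER\S-1-5-21-73586283-1965331169-839522115-1004\Dc9\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1

The selected area was scanned.
"""

# One detection line: <path> Infected: <threat> <count>
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed locations of copies already taken out of circulation: the OTMoveIt2
# quarantine folder as it appears in this thread, and the Windows XP recycle bin.
QUARANTINE_PREFIXES = ("c:\\_otmoveit\\movedfiles\\",)
RECYCLE_BIN_MARKER = "\\recycler\\"
MAIL_STORE_SUFFIXES = (".dbx",)  # Outlook Express mailbox files


@dataclass
class Finding:
    path: str
    threat: str
    count: int
    location: str        # "quarantined", "recycle_bin" or "live"
    is_mail_store: bool  # hit is inside a mailbox file, i.e. an archived message
    is_pua: bool         # Kaspersky "not-a-virus:" class (adware, fraud tool)


def classify_location(path: str) -> str:
    lowered = path.lower()
    if lowered.startswith(QUARANTINE_PREFIXES):
        return "quarantined"
    if RECYCLE_BIN_MARKER in lowered:
        return "recycle_bin"
    return "live"


def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, blank and "The selected area was scanned." lines
        path, threat = m.group("path"), m.group("threat")
        findings.append(Finding(
            path=path,
            threat=threat,
            count=int(m.group("count")),
            location=classify_location(path),
            is_mail_store=PureWindowsPath(path).suffix.lower() in MAIL_STORE_SUFFIXES,
            is_pua=threat.lower().startswith("not-a-virus:"),
        ))
    return findings


def live_findings(findings: list[Finding]) -> list[Finding]:
    """Items that still need action: neither quarantined nor in the recycle bin."""
    return [f for f in findings if f.location == "live"]


def summarize(findings: list[Finding]) -> dict[str, int]:
    summary = {"quarantined": 0, "recycle_bin": 0, "live": 0}
    for f in findings:
        summary[f.location] += 1
    return summary


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for f in live_findings(found):
        kind = "mailbox file" if f.is_mail_store else "file"
        print(f"still live: {f.threat} in {kind} {f.path}")
```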

Re: Character(s) Malware

Unread postby bottoson » August 7th, 2008, 11:42 pm

The drive Z was just a backup of the hard drive from when the hard drive was formatted and re-loaded. I deleted all of the Z drive entries so they are gone.

A new email shows the worm characters still present.

Here is the log from the new Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 7, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 07, 2008 18:37:50
Records in database: 1067337
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 138262
Threat name: 5
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 07:53:02


File name / Threat name / Threats count
C:\RECYCLER\S-1-5-21-73586283-1965331169-839522115-1004\Dc9\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD1001_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{0FD35220-06DF-11D7-90D4-C8C30FAA5864}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old d\Downloads\dlwonder.exe Infected: not-a-virus:AdWare.Win32.Aureate 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\_OTMoveIt\MovedFiles\08042008_124236\WINDOWS\Downloaded Files\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bg 1

The selected area was scanned.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 8th, 2008, 11:47 am

Hello Bottoson,

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:
@echo off
rem clear the system/hidden/read-only attributes so the file can be deleted
attrib -s -h -r C:\RECYCLER
attrib -s -h -r "C:\RECYCLER\S-1-5-21-73586283-1965331169-839522115-1004\Dc9\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx"
rem delete the infected Outlook Express mail store without prompting
del /q "C:\RECYCLER\S-1-5-21-73586283-1965331169-839522115-1004\Dc9\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx"
rem restore the attributes on the recycler folder
attrib +s +h +r C:\RECYCLER


Go to File > Save As
Save File name as fix.bat
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click fix.bat on your Desktop.
Reboot the computer.
----------------------------------------------
Run Kaspersky again and post back the report please.
Check email again, and give me some good news ;) .
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
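As an added example (not part of either post, and not one of the tools used in this thread), the Python script below parses the detection lines of the Kaspersky report above and separates what is already sitting in the OTMoveIt2 quarantine folder from what is still live on the disk, which is why the fix targets only the .dbx under C:\RECYCLER. The quarantine prefix and the "not-a-virus:" prefix check are assumptions taken from the report's own paths and labels.

```python
import re

# Constructed input: the seven detection lines from the Kaspersky Online
# Scanner 7 report quoted above, in the scanner's own one-line format:
#   <path> Infected: <threat name> <count>
REPORT = r"""
C:\RECYCLER\S-1-5-21-73586283-1965331169-839522115-1004\Dc9\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD1001_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{0FD35220-06DF-11D7-90D4-C8C30FAA5864}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old d\Downloads\dlwonder.exe Infected: not-a-virus:AdWare.Win32.Aureate 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\_OTMoveIt\MovedFiles\08042008_124236\WINDOWS\Downloaded Files\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bg 1
"""

# Assumption: OTMoveIt2 moved files here earlier in the thread, so anything
# under this prefix is already quarantined rather than live on the system.
QUARANTINE_PREFIX = r"C:\_OTMoveIt\MovedFiles"

# Non-greedy path so spaces and braces inside the path do not break parsing.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return one dict per detection line of a Kaspersky Online Scanner 7 report."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append({"path": m["path"], "threat": m["threat"],
                          "count": int(m["count"])})
    return found


def statistics(detections):
    """Totals to check against the report's 'Threat name' / 'Infected objects'."""
    return {"threat_names": len({d["threat"] for d in detections}),
            "infected_objects": sum(d["count"] for d in detections)}


def triage(detections, quarantine_prefix=QUARANTINE_PREFIX):
    """Split detections into already-quarantined and still-live, flagging real malware."""
    live, quarantined = [], []
    for d in detections:
        # Kaspersky labels adware / fraud tools "not-a-virus:"; the rest are malware.
        d = dict(d, malware=not d["threat"].startswith("not-a-virus:"))
        if d["path"].lower().startswith(quarantine_prefix.lower()):
            quarantined.append(d)
        else:
            live.append(d)
    return {"live": live, "quarantined": quarantined}


if __name__ == "__main__":
    dets = parse_report(REPORT)
    print(statistics(dets))
    for d in triage(dets)["live"]:
        print("still live:", d["threat"], d["path"])
```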