Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Character(s) Malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Character(s) Malware

Unread postby bottoson » August 8th, 2008, 1:26 pm

We have a problem

Pasted your box contents into NotePad

saved as fix.bat to desktop

double clicked on it and it came on for just a flash but it looked like the contents had been changed to worm characters

Anyway, came on with error messages

What created the file etc.

I am pretty sure that it did not do what you wanted it to.

Waiting for instructions as to how to proceed with the box contents "fix.bat"

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm
Advertisement
Register to Remove

Re: Character(s) Malware

Unread postby chryssi2001 » August 8th, 2008, 1:57 pm

Ok let's try this:
---------------------------------------
Empty your recycle bin.
---------------------------------------
  • Double-click OTMoveIt2.exe. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code: Select all
C:\RECYCLER\S-1-5-21-73586283-1965331169-839522115-1004\Dc9\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 8th, 2008, 2:34 pm

Following are the results from OTMoveIt:

File/Folder C:\RECYCLER\S-1-5-21-73586283-1965331169-839522115-1004\Dc9\WINDOWS\Application Data\Identities\{DEBCBEA0-C50B-11D3-AEE7-9AF2BF3F2E35}\Microsoft\Outlook Express\Sent Items.dbx not found.
File/Folder not found.
File/Folder not found.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08082008_132813

I might add that I looked to see if I could find the file and got as far as \Dc9\ and was stopped for it was not available to click on.

I just got an email with the Worm Characters so it is evidently still active.
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby bottoson » August 8th, 2008, 3:07 pm

Do you still want a Kaspersky scan done?

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 8th, 2008, 3:51 pm

No, not yet. Please try this.
----------------------------------------------
Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

@echo off
attrib -h -s -r c:\RECYCLER
rd /s /q c:\RECYCLER
md c:\RECYCLER
attrib +h +s +r c:\RECYCLER


Go to File > Save As
Save File name as fix.bat
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click fix.bat on your Desktop.Reboot the computer and let me know if it worked
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 8th, 2008, 6:20 pm

Did as you suggested.

Just got email with worm characters.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 9th, 2008, 3:12 am

Please run Kaspersky again. Do not ask for email now.

Also run another scan.
----------------------------------------------
PANDA ONLINE SCAN

Please go >here< to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 9th, 2008, 10:10 pm

Hopefully it is understood that as you recommended the OLD DISK DRIVE\Zoldc\ ---is no longer on the computer hard drive. They have all been deleted.

I have not checked a new email yet... will wait instructions from you.

Bill Ottoson

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 17:07:53
Records in database: 1075318
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 90376
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 03:00:41


File name / Threat name / Threats count
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD1001_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\Program Files\Common Files\GMT\GFD_OnFlow2054.exe Infected: not-a-virus:AdWare.Win32.OnFlow 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old c\WINDOWS\Application Data\Identities\{0FD35220-06DF-11D7-90D4-C8C30FAA5864}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Tanatos.a 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Desktop\Misc\UTILITIES\Old Disk Drive\Z old d\Downloads\dlwonder.exe Infected: not-a-virus:AdWare.Win32.Aureate 1
C:\_OTMoveIt\MovedFiles\08042008_124236\Documents and Settings\Bill\Local Settings\Application Data\Identities\{B3BBEECA-C4E7-4F27-AEC7-653D17F405B9}\Microsoft\Outlook Express\Dan and Sue Franks.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\_OTMoveIt\MovedFiles\08042008_124236\WINDOWS\Downloaded Files\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.bg 1

The selected area was scanned.


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-09 20:56:13
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@atdmt[3].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@mediaplex[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@bs.serving-sys[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@advertising[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@media.adrevolver[3].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@ads.pointroll[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@zedo[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Bill\Cookies\bill@adrevolver[1].txt
03460115 Application/SpywareStop HackTools No 0 Yes No C:\_OTMoveIt\MovedFiles\08042008_124236\WINDOWS\Downloaded Files\setupxv.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location ;q
;===================================================================================================================================================================================
No C:\_OTMoveIt\MovedFiles\08022008_112948\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL ;q
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description ;q
;===================================================================================================================================================================================
;===================================================================================================================================================================================
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 10th, 2008, 1:18 am

Hello bottonson,

Hopefully it is understood that as you recommended the OLD DISK DRIVE\Zoldc\ ---is no longer on the computer hard drive. They have all been deleted.

Yes that was the source of the infected emails which create this problem.

I thought you did this some time ago, did you do it now?

Both reports look ok.

Just minor cookies.

Use ATF Cleaner, as explained here.

Did you reboot after you followed my instructions here?

I just need to know.

Please ask for an email.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 10th, 2008, 5:16 pm

No, I did the deleting of the "Old Disk Zc, d, etc." immediately after you recommended it.

Yes I rebooted after following your instructions on the ATF Cleaner.

You need to know that I followed your instructions exactly as
you stated them, each and every time without variation or deviation.

The email was received 3:51pm my time (Central) and it contained Worm Characters.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 11th, 2008, 1:01 am

Hello bottoson,

I suppose you asked emails from 2 persons during all this time?

The infected emails have gone away.
I can't find any reason you should continue having this text in your received emails.

May i ask which email do you use? Outlook express, or yahoo email etc?
Can you put spam filter on?

Meanwhile i would like you to create a new email account, and ask for a new email.

The possibility your email address is being spammed is big, so we'll check it out, with the new email address.

Is the text still the same?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 11th, 2008, 1:11 pm

First replies to your questions:

I have received emails from numerous sources.

I use Outlook Express

I have spam filters at both my provider (I think McAfee) and on my email (AVG).

I have created a new account.

-------------------------------------------------------

I asked a friend who has a MAC and a PC to send me emails to the new account in first html and second in plain text

On the MAC both messages were clear

Later messages in html and plain text showed the Worm Characters

A message just now came through without any WC's showing in the body text.

Now I hope I can explain what I did and what I observed in a clear fashion.

I went back to the two clear MAC messages that were received in html and plain text each.

Clicked on the message entry in outlook express for each message (one at a time), went to properties, details, message source, went to full screen, and worms were in both messages though nothing showed in the message proper.

Checked in other messages and found the same result.

Would have copied results for your observation but do not want to reveal friends address. Now all of these messages were received to a brand new address.

I'm sure you have a lot of questions at this point and I will do my best to answer them.

Bill Ottoson
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby chryssi2001 » August 11th, 2008, 1:46 pm

Hello bottoson,

Firstly i would like a screenshoot.
Copy all the contents of an email in Notepad, remove your friends address, and post back here a screenshot.

Does your friend receive that text when you email to them?

Do you have a signature set at your emails?

If you change your Outlook Express settings to Rich Format text you still get the same text? Is there a link hiding in the text?

I asked a friend who has a MAC and a PC to send me emails to the new account in first html and second in plain text

What about having him set his settings in Plain text, do the same for your OE, and check a new email?

That text you are getting is a part of a joke.
If you google it, you will find all the joke.
Did you post any time at a Jokes site, or are you a member in such a site?

Clicked on the message entry in outlook express for each message (one at a time), went to properties, details, message source, went to full screen, and worms were in both messages though nothing showed in the message proper.

Checked in other messages and found the same result.

So that text can be seen only in the message source?
Can you copy here what you see there, except of your friends email address again?
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Character(s) Malware

Unread postby bottoson » August 11th, 2008, 4:35 pm

Here is the screen shot as a .jpg file. Hope the Worm Characters will hold. They seem to change at will. If this is not satisfactory let me know and I will try something else.

------------------------------------------------------------

I don't think my friend sees the WC's

I do not have a signature set for my emails

I have been getting mixed signals on what happens to the emails. Some of the txt emails have been showing with as WC's as well as the html emails. Like nailing jello to a wall to get a consistent format now.

I percive no link hiding in the text.

Also I have not seen the joke... will try to conjure that up when I get a moment.
You do not have the required permissions to view the files attached to this post.
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm

Re: Character(s) Malware

Unread postby bottoson » August 11th, 2008, 4:37 pm

sorry about that pjg it is the wrong one. Will try again.
bottoson
Regular Member
 
Posts: 38
Joined: July 24th, 2008, 6:24 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 17 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware