Malware in MS OE sent items database: attention dan12


Re: Malware in MS OE sent items database: attention dan12

Post by dan12 » February 19th, 2009, 5:31 pm

Hi, John, yes, sorry, brain going quicker than I can type :(
I was going to suggest we run Kaspersky again, but as you said, you had done so. It's a little difficult to pinpoint these in Outlook, John; Kaspersky used to detail them and I thought maybe BitDefender would do so better for me. :?
All we know at this stage is they're in the sent items folder. I have no idea how big this folder is, and it sounds as though you have some important mails, which is why you're hesitant to delete, as I can appreciate.
I will have a think and get back to you :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 19th, 2009, 5:40 pm

The first time that BitDefender ran and locked up near the end, I saw in the right box of actions it took that it flagged and (I believe) deleted specific items in the OE databases (it was a long list). I was unable to copy and paste it because I had to end the program with Task Manager. When it ran again and didn't lock, it only showed what you just had me delete: items in the Opera mail databases.
I will prep my wife for the deletion of the sent items in the OE databases if we have to do that. Alternatively, do these viruses pose a problem if the database is not opened and gone through?
John
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Post by dan12 » February 19th, 2009, 5:54 pm

When you get time on your hands it may well be a good idea to run BitDefender once more to see what it flags.
In reply to your question, John, it depends if they are active/dormant. I would be happier to see them dealt with.
Possible mails would be those with attachments; look through and thin as many down as you can that are not required, then rerun Kaspersky. :)

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 19th, 2009, 6:09 pm

Bitdefender is already 26 minutes into a full scan with only reporting: no disinfecting or deleting. I guess I was reading your mind.
I'll talk to my wife tonight about the paring of unneeded emails and post the Bitdefender log once complete.
John

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 20th, 2009, 3:26 pm

Hi Dan,
Here is the latest Bitdefender scan log:

BitDefender Online Scanner - Scan Report
Scan report generated at: Thu, Feb 19, 2009 - 18:58:29

Scan path: C:\;D:\;

Statistics
Time: 02:09:24
Files: 515910
Folders: 5861
Boot Sectors: 0
Archives: 154110
Packed Files: 12777

Results
Identified Viruses: 2
Infected Files: 5
Suspect Files: 3
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 2676313
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Report
Second Action: None
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File Status
C:\_OTMoveIt\MovedFiles\02192009_161257\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox149.mbs=>(message 51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002 10:32:17 -0400 (EDT)]=>(MIME part)=>(message body) Suspected of: Trojan.Exploit.Html.Iframe.Filedownload.GW
C:\_OTMoveIt\MovedFiles\02192009_161257\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox149.mbs=>(message 51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002 10:32:17 -0400 (EDT)]=>(MIME part)=>class.zl9 Infected with: Win32.Klez.H@mm
C:\_OTMoveIt\MovedFiles\02192009_161257\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox15.mbs=>(message 51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002 10:32:17 -0400 (EDT)]=>(MIME part)=>(message body) Suspected of: Trojan.Exploit.Html.Iframe.Filedownload.GW
C:\_OTMoveIt\MovedFiles\02192009_161257\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox15.mbs=>(message 51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002 10:32:17 -0400 (EDT)]=>(MIME part)=>class.zl9 Infected with: Win32.Klez.H@mm
C:\_OTMoveIt\MovedFiles\02192009_161257\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox283.mbs=>(message 51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002 10:32:17 -0400 (EDT)]=>(MIME part)=>(message body) Suspected of: Trojan.Exploit.Html.Iframe.Filedownload.GW
C:\_OTMoveIt\MovedFiles\02192009_161257\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox283.mbs=>(message 51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002 10:32:17 -0400 (EDT)]=>(MIME part)=>class.zl9 Infected with: Win32.Klez.H@mm
C:\_OTMoveIt\MovedFiles\02192009_161257\Quantex\sysfix\072003-1.dat=>(Embedded EXE g) Infected with: Win95.Dupator.1503
C:\_OTMoveIt\MovedFiles\02192009_161257\Quantex\sysfix\072003.dat=>(Embedded EXE g) Infected with: Win95.Dupator.1503

Re: Malware in MS OE sent items database: attention dan12

Post by dan12 » February 20th, 2009, 3:54 pm

Ok, John, will look it over later :)

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 20th, 2009, 4:15 pm

I've started the cleaning out of any MS OE sent items that have file attachments. I don't care about any of the Opera mail items OTMoveIt3 moved and am ready to uninstall it (OT3) to get rid of them.
Thanks,
John

Re: Malware in MS OE sent items database: attention dan12

Post by dan12 » February 20th, 2009, 4:33 pm

I will give instruction soon, just tied up at the moment. When you have had the clear out, John, run Kaspersky again :)

Re: Malware in MS OE sent items database: attention dan12

Post by dan12 » February 20th, 2009, 5:20 pm

CLEAN UP

  • Double-click OTMoveIt3.exe. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator".)
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Will await the Kaspersky scan; also post a fresh HJT report.
dan

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 20th, 2009, 9:19 pm

OT3 removed along with the files moved after the reboot. Just got the go-ahead from my wife to delete the whole sent items file, its "bak" and two other occurrences of them in another area of her hard drive.
I'll do a full run of Kaspersky and get the lines of code so you can set up their deletion in the program of your choice. I should have this to you by your morning.
John

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 23rd, 2009, 12:28 am

Hi Dan,
It was a busy weekend. Here are the latest Kaspersky and HJT logs:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, February 21, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, February 21, 2009 03:21:18
Records in database: 1824070
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 99389
Threat name: 1
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:59:14


File name / Threat name / Threats count
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.bak Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Quantex\WINDOWS\Application Data\Identities\{AB73D2E0-9B28-11D6-8CAB-942B4005EC66}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1

The selected area was scanned.


_________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:31 PM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FaxTalk Messenger Pro 7.5\FAPIEXE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [FaxTalk Messenger Pro 7.5] "C:\Program Files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

--
End of file - 6619 bytes
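The Kaspersky report above lists every hit inside Outlook Express message stores (Sent Items.dbx and its .bak copy), which is why a scanner cannot remove one message from it and the folder itself has to be emptied. The following is an added example, not code from the thread or from Kaspersky, that parses the "File name / Threat name / Threats count" section and flags detections that are whole mail-store containers rather than loose files; the sample input is the posted report re-typed, and the mail-store extension list and the identity-GUID regex are my own assumptions.

```python
"""Parse a Kaspersky Online Scanner 7 detection section and flag hits that live
inside mail-store containers (OE .dbx/.bak, Opera .mbs) rather than loose files."""
import re
from collections import Counter

# Sample input constructed from the report quoted in the thread (same paths and
# threat names, re-typed here so the block runs offline).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.bak Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Quantex\WINDOWS\Application Data\Identities\{AB73D2E0-9B28-11D6-8CAB-942B4005EC66}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1

The selected area was scanned.
"""

# One result line: <path, may contain spaces> <Infected|Suspicious>: <threat> <count>
RESULT_RE = re.compile(r"^(?P<path>.+) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
# Outlook Express keeps each identity's folders under Identities\{GUID}\ (assumed layout).
IDENTITY_RE = re.compile(r"\\Identities\\(\{[0-9A-Fa-f-]+\})\\", re.IGNORECASE)
# Container formats seen in this thread: OE store, OE backup copy, Opera mailbox (assumption).
MAIL_STORE_EXTS = {"dbx", "bak", "mbs"}


def parse_kaspersky_report(text):
    """Return one dict per detection line; header, blank and trailer lines are ignored."""
    detections = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        fname = path.rsplit("\\", 1)[-1]
        stem, dot, ext = fname.rpartition(".")
        if not dot:  # no extension: rpartition put the whole name in ext
            stem, ext = fname, ""
        ident = IDENTITY_RE.search(path)
        detections.append({
            "path": path,
            "verdict": m.group("verdict"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "identity": ident.group(1) if ident else None,
            "folder": stem,  # e.g. 'Sent Items': the OE folder the .dbx holds
            "mail_store": ext.lower() in MAIL_STORE_EXTS,
        })
    return detections


def summarize(detections):
    """Answer the triage questions: which threats, which identities, which stores, which loose files."""
    return {
        "threats": Counter(d["threat"] for d in detections),
        "identities": sorted({d["identity"] for d in detections if d["identity"]}),
        "stores": sorted({(d["identity"], d["folder"]) for d in detections if d["mail_store"]}),
        "loose_files": [d["path"] for d in detections if not d["mail_store"]],
    }


if __name__ == "__main__":
    s = summarize(parse_kaspersky_report(SAMPLE_REPORT))
    for threat, n in s["threats"].items():
        print(f"{threat}: {n} object(s)")
    for ident, folder in s["stores"]:
        print(f"whole mail store '{folder}' flagged in identity {ident}; clean it from the mail client")
```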

Re: Malware in MS OE sent items database: attention dan12

Post by dan12 » February 23rd, 2009, 12:34 am

As you can see, you still have items in the sent folder :( that need deleting.
I thought you were going to delete items in that folder from your last post? :)

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 23rd, 2009, 8:12 am

I can't parse the emails within the sent items database. I was going to selectively delete emails with attachments like you suggested, and then when I asked my wife about deleting the sent items folder, she said don't waste time picking through them; it's OK to delete all sent items.
I reran Kaspersky so you could build the lines of code to have me paste into OTMoveIt3 (I think) to remove them that way instead of me just deleting the sent items through MS OE.
Do you want to do it that way? I will be out for the next 12 hours or so.
Thanks,
John

Re: Malware in MS OE sent items database: attention dan12

Post by dan12 » February 23rd, 2009, 8:32 am

John, just delete items in the "sent folder"; it will be a lot easier.
dan

Re: Malware in MS OE sent items database: attention dan12

Post by stumpjumper » February 27th, 2009, 4:32 pm

Hi Dan,
I left town for three days and was away from my wife's computer. I deleted the affected sent items files with Windows Explorer. Will that deletion method be good enough to get rid of the problems, or do these deleted files need to be located and further erased with one of your specialized programs?
Thanks,
John