MalwareRemoval.com - Malware Removal Instructions

Suspect may have infection

Post by wonderwill » October 28th, 2006, 6:09 am

Have had some fixes with Kimberly in the past.

My PC starts to shut down and a blue screen appears and a memory dump begins. The only way back into the pc is via another user and restoring to a previous clean point.
That was fine and things were ok for a week but it has happened again. I have also had a couple of suspect emails - one stating that emails from me were demonstrating signs of a worm - the other had a zip file (which I didn't open) with the following message :

The message contains Unicode characters and has been sent
as a binary attachment.


Also tried to run a Kaspersky online scanner (have AVG Free) and it would not download - said it was looking for some ActiveX file and when I pressed download, nothing happened?

Can you help please?

:(
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by ChrisRLG » October 30th, 2006, 7:00 pm

Hello wonderwill! :)

Please download HijackThis http://downloads.malwareremoval.com/hijackthis.zip and save it to your desktop.

To extract HijackThis:

1. Right-click your file HijackThis.zip and from the menu select "Extract All".
2. The Extraction Wizard Window will appear, Click "Next".
3. Click Browse and navigate to "C:\" or "C:\Program Files", click "Create A New Folder" and call it "HJT" or "HijackThis" or whatever is easy to remember, then click OK.
4. Click the Extract button.
5. Close the HijackThis.zip dialogue box.

Run HijackThis and do a System Scan and save a log file. Then post that log into your next reply.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by wonderwill » October 31st, 2006, 3:55 pm

Hijack file as requested.

I suspect that I may have an email worm virus. Kaspersky clean but 2 files locked and skipped within Outlook.

Logfile of HijackThis v1.99.1
Scan saved at 18:40:08, on 31/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Willie Clemie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.copernic.com/explorer17/?l=ENG&e=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.copernic.com/home17/?l=ENG
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
R3 - URLSearchHook: (no name) - {83B79436-C1A7-427B-B40D-689E9CC71FAE} - C:\PROGRA~1\COPERN~1\COPERN~3.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/229?bf612650fd3e45d8a2417e55949533ca
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1110\en-us\msntabres.dll/230?bf612650fd3e45d8a2417e55949533ca
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4918869890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8026252546
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
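Added by the editor, not code from the thread or from MalwareRemoval.com: a small Python triage pass over the R/F/O entries of a HijackThis 1.99 log of the kind posted above. The sample lines are a subset copied from the log in this post; the rule set and the `KNOWN_DPF_HOSTS` allowlist are this example's own assumptions. It surfaces entries that deserve a look: a registry reference to a file that no longer exists, Run entries that name a bare executable (which Windows resolves through the search path, so the copy that runs is not obvious from the log), ActiveX controls downloaded from hosts outside the allowlist, and the browser start and search pages. As the verdict in this thread shows, "flagged" does not mean malicious; each hit is something to verify, not something to delete.

```python
"""Triage pass over the R/F/O entries of a HijackThis 1.99 log (editor's example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.copernic.com/explorer17/?l=ENG&e=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.copernic.com/home17/?l=ENG
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption for this example only: download hosts that the triage treats as expected
# for O16 (Downloaded Program Files / ActiveX) entries. Anything else is surfaced.
KNOWN_DPF_HOSTS = ("microsoft.com", "msn.com", "kaspersky.com", "akamai.net", "yimg.com")

# HijackThis prefixes a section code (R0-R3, F0-F3, O1-O23) to every entry it lists.
ENTRY_RE = re.compile(r"^(?P<kind>[RF]\d|O\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    kind: str
    body: str


@dataclass
class Finding:
    severity: str  # "review" (verify this) or "info" (shown for context)
    reason: str
    entry: Entry


def parse_hjt(log_text: str) -> list[Entry]:
    """Return the R/F/O entries of a log; header lines and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def _host_of(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def _is_known_host(host: str, suffixes: tuple[str, ...]) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the example's rules; every 'review' finding still needs a human decision."""
    findings: list[Finding] = []
    for e in entries:
        # Registry still references a file that is gone: an orphan, or a removed component.
        if "(file missing)" in e.body:
            findings.append(Finding("review", "registry entry points at a file that no longer exists", e))
        # Run entries with no directory: the binary that runs is whatever the search path finds.
        if e.kind == "O4" and "\\..\\Run:" in e.body and "] " in e.body:
            command = e.body.split("] ", 1)[1].strip().strip('"')
            executable = command.split(" ", 1)[0]
            if "\\" not in executable and "/" not in executable:
                findings.append(Finding("review", "Run entry names a bare executable; verify which copy Windows resolves", e))
        # Downloaded ActiveX controls: the host tells you who supplied code IE will load.
        if e.kind == "O16":
            host = _host_of(e.body.rsplit(" - ", 1)[-1])
            if not _is_known_host(host, KNOWN_DPF_HOSTS):
                findings.append(Finding("review", f"ActiveX control downloaded from {host}", e))
        # Browser defaults: not a problem in themselves, but the usual target of a hijack.
        if e.kind in ("R0", "R1") and ("Start Page" in e.body or "Search" in e.body):
            host = _host_of(e.body.split(" = ", 1)[-1])
            findings.append(Finding("info", f"browser default points at {host}", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.entry.kind}: {f.reason}\n    {f.entry.body}")
```

On the sample the pass surfaces the orphaned msnim protocol handler, the two bare-name Run entries (carpserv.exe and SOUNDMAN.EXE), the gamespot.com control and the copernic.com start and search pages; everything else passes quietly. That matches the helper's reading of the full log as clean: each flagged line has an ordinary explanation once its file is located, which is exactly the check the rule asks for.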

Post by ChrisRLG » October 31st, 2006, 7:44 pm

wonderwill

A trainee (who is studying your topic as part of their training) thinks you are clean - so do I.

But you do have the issues of not being able to run kaspersky etc which need to be solved.

There is also a program you have that needs to be updated (it is a security risk while it is not) - so I would like you to wait for the trainee to see if they can work it out. If they have not by tomorrow I will post directly, but I would like them to have 'a go' first.

You may have seen that we are a 'training' forum (a University) - it is in such training that our students learn - safely under supervision - so I hope you will feel happy for this to take a little longer than it might have done otherwise.

They will NOT post directly to you, as they are not yet at that stage in their training.

Post by ChrisRLG » October 31st, 2006, 8:34 pm

yep - the trainee noticed it :)

==============


Hi,

Your log appears to be clean. Just do a few things for me.

Your java appears to be out-of-date.

Updating Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
    It should have this icon next to it: [image]
    Select it and click Remove.
  • Then Download and install the newest version from here:

Also tried to run a Kaspersky online scanner (have avg free) and it would not download - said it was looking for some Active X file and when I pressed download, nothing happened?


Kaspersky Online Scanner only works for Internet Explorer. You were probably using Firefox which doesn't support ActiveX.


Let's run a few programs just in case.

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Ewido has now become AVG Anti-Spyware.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Don't run it yet.

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.

    Don't run that yet either.

    Reboot your computer into Safe Mode. You can do this by restarting your computer and tapping the F8 key just before Windows starts to load, then selecting Safe Mode.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [screenshot]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Could you run Kaspersky scanner again with an updated Kaspersky log.

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

So here's the recap on what I want to see in your next reply:

AVG-AS log
kavscan.txt

Post by wonderwill » November 3rd, 2006, 5:23 pm

Sorry to take so long with this. The Z drive is my daughter's networked drive.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:28:05 01/11/2006

+ Scan result:



:mozilla.10:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.10:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.11:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.11:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.14:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.14:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.203:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.203:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Com : Cleaned.
:mozilla.162:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.162:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.164:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.164:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.165:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.165:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.166:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.166:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.167:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.167:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.168:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.168:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.114:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.114:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.88:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.88:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.129:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.129:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.130:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.130:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.131:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.131:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.220:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.220:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.221:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.221:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.222:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.222:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.218:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.218:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.219:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.219:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.116:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.116:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.117:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.117:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.137:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.138:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.139:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.7:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.7:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.8:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.8:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.9:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.9:C:\Documents and Settings\Willie Clemie\Application Data\Mozilla\Firefox\Profiles\l7ou2y0u.default\cookiesnew.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

KASPERSKY ONLINE SCANNER REPORT
Friday, November 03, 2006 9:18:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/11/2006
Kaspersky Anti-Virus database records: 224389
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan Statistics:
Total number of scanned objects: 123938
Number of viruses found: 2
Number of infected objects: 5 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:04:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Willie Clemie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Archive Folders/Deleted Items/26 Oct 2006 14:51 from sec@elamex.com:Mail server report./Update-KB5812-x86.exe Infected: Email-Worm.Win32.Warezov.eu skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Archive Folders/Deleted Items/26 Oct 2006 14:42 from frank:test/test.zip/test.txt.scr Infected: Email-Worm.Win32.Warezov.eu skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Archive Folders/Deleted Items/26 Oct 2006 14:42 from frank:test/test.zip Infected: Email-Worm.Win32.Warezov.eu skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 3 skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Willie Clemie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Willie Clemie\Local Settings\History\History.IE5\MSHist012006110320061104\index.dat Object is locked skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Temp\~DF987F.tmp Object is locked skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Temp\~DFBC24.tmp Object is locked skipped
C:\Documents and Settings\Willie Clemie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Willie Clemie\ntuser.dat Object is locked skipped
C:\Documents and Settings\Willie Clemie\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Willie Clemie\UserData\index.dat Object is locked skipped
C:\found.000\dir0000.chk\INDEX.MAP Object is locked skipped
C:\found.000\dir0000.chk\OBJECTS.MAP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D40D92E9-54A8-4608-B946-55C301749436}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\EVESHAM.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_fc.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT02e34.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT02e4b.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Z:\AUTOEXEC.BAT Object is locked skipped
Z:\boot.ini Object is locked skipped
Z:\CONFIG.SYS Object is locked skipped
Z:\Incomplete\T-304178-_better version_ dosd a heartwell ending 57.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
Z:\My Downloads\No Adware 3.0 + Keygen.rar Object is locked skipped
Z:\NTDETECT.COM Object is locked skipped
Z:\ntldr Object is locked skipped

Scan process completed.
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm
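The scan output above mixes two kinds of lines: files the scanner could not open ("Object is locked skipped") and files it flagged but did not clean ("Infected: ... skipped"), and the drive letter in each path shows which volume (the local C: drive or the mapped Z: drive) the finding belongs to. The following Python script is an added example, not part of this thread and not Kaspersky's own tooling; it parses lines of that shape and produces a triage summary (locked count, infected entries grouped by threat name and by drive, and which infections are still unresolved). The sample log embedded in it is constructed for the example, with a placeholder threat name, and the `deleted`/`disinfected` actions it accepts are assumed alternative result words rather than ones taken from this log.

```python
"""Triage a Kaspersky-style scan log (added example, not the thread's or Kaspersky's code)."""
import re
from collections import Counter
from typing import NamedTuple

# Each result line is "<path> <status> <action>"; the path may contain spaces,
# so it is matched non-greedily up to the first recognised status phrase.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)|Infected:\s+(?P<threat>\S+))"
    r"\s+(?P<action>skipped|deleted|disinfected)\s*$"   # 'deleted'/'disinfected' are assumed
)


class Finding(NamedTuple):
    path: str
    threat: str   # empty string for a locked (unreadable) object
    action: str


def parse_scan_log(text: str) -> list[Finding]:
    """Return one Finding per recognised result line; other lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Scan process"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue   # free text or an unknown status: keep going, do not abort the triage
        findings.append(Finding(m["path"], m["threat"] or "", m["action"]))
    return findings


def drive_of(path: str) -> str:
    """Drive letter of a Windows path ('Z:\\...' -> 'Z'), or '' if there is none."""
    return path[0].upper() if len(path) > 1 and path[1] == ":" else ""


def summarize(findings: list[Finding]) -> dict:
    """Separate locked objects from infections and report what is still unresolved."""
    locked = [f for f in findings if not f.threat]
    infected = [f for f in findings if f.threat]
    return {
        "locked": len(locked),
        "infected": len(infected),
        "by_threat": dict(Counter(f.threat for f in infected)),
        "by_drive": dict(Counter(drive_of(f.path) for f in infected)),
        # 'skipped' on an infected object means it was only flagged, not cleaned,
        # which is why a re-scan after manual cleanup is needed.
        "unresolved": [f for f in infected if f.action == "skipped"],
    }


# Constructed sample log in the same shape as the scanner output in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_fc.dat Object is locked skipped
Z:\boot.ini Object is locked skipped
Z:\Incomplete\example song.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
Z:\My Downloads\example-tool.rar Infected: Constructed.Placeholder.Name deleted
this line is not a scan result

Scan process completed.
"""

if __name__ == "__main__":
    summary = summarize(parse_scan_log(SAMPLE_LOG))
    print(f"locked objects: {summary['locked']}, infected: {summary['infected']}")
    print("infections by drive:", summary["by_drive"])
    for f in summary["unresolved"]:
        print(f"STILL PRESENT: {f.path} ({f.threat})")
```

Run it on a saved scan log by replacing `SAMPLE_LOG` with the file contents; the `unresolved` list is the set of files that still need attention before a clean re-scan can be expected.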

Unread postby ChrisRLG » November 4th, 2006, 4:21 pm

There is nothing serious from the AVG scan. As said, Kaspersky flagged entries of the worm infection.

Run Microsoft Outlook and delete any mail from your inbox's deleted items that is dated from Oct 26.

I also want to bring this to your attention: From the Kaspersky log, the scanner flagged some infections in your daughter's Z drive. You can have your daughter download HijackThis to her infected hard drive and have her produce a log for you. Then post that log in a new separate topic.

Since you have programs that will sufficiently protect you from malware, read Tony Klein's How did I get infected in the first place?

Stay clean and happy surfing!
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby wonderwill » November 5th, 2006, 7:57 am

Thank you for this.

You will note that the emails have been deleted and are included in: Data\Microsoft\Outlook\outlook.pst/Archive Folders/Deleted Items/

Is it the outlook.pst folder that I should delete?

W
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby ChrisRLG » November 5th, 2006, 3:30 pm

The .pst file is your whole email file - so deleting that would delete ALL your emails, contacts, todo list, etc.

Re-scan with the AV scanners to make sure you have deleted all the infected emails - but otherwise do not delete the .pst file if you have anything inside you need to keep.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Nellie2 » December 23rd, 2006, 6:53 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK