Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware in MS OE sent items database: attention dan12

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 18th, 2009, 12:24 pm

Dan,
I had to shorten the title from what I said I would use in my last post. I'm attaching the HJT and Kaspersky logs.
John


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:54 AM, on 2/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FaxTalk Messenger Pro 7.5\FAPIEXE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [FaxTalk Messenger Pro 7.5] "C:\Program Files\FaxTalk Messenger Pro 7.5\FTClCtrl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

--
End of file - 5979 bytes

________________________________

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 17, 2009 23:19:37
Records in database: 1809883
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 128905
Threat name: 2
Infected objects: 3
Suspicious objects: 3
Duration of the scan: 02:18:12


File name / Threat name / Threats count
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.bak Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.bak Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Quantex\WINDOWS\Application Data\Identities\{AB73D2E0-9B28-11D6-8CAB-942B4005EC66}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Quantex\WINDOWS\Application Data\Identities\{AB73D2E0-9B28-11D6-8CAB-942B4005EC66}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

The selected area was scanned.
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm
Advertisement
Register to Remove

Re: Malware in MS OE sent items database: attention dan12

Unread postby dan12 » February 18th, 2009, 12:30 pm

Hi, John, well you should be familiar now to the way we work.
I will look over your report shortly and we will take it from there.
Regards dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware in MS OE sent items database: attention dan12

Unread postby dan12 » February 18th, 2009, 12:36 pm

Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)


O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 18th, 2009, 12:45 pm

Dan,
Item in question deleted. Uninstall list from HJT follows:

2WIRE Wireless LAN - USB Driver
2Wire Wireless Manager
Adobe Flash Player 10 ActiveX
Banctec Service Agreement
Conexant D850 56K V.9x DFVc Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support 5.0.0 (630)
DeLorme Topo USA 6.0
DeLorme Topo USA 6.0 DVD Data
Earthmate Image Tagger
ESET NOD32 Antivirus
FaxTalk Communicator 4.5
FaxTalk Messenger Pro 7.5
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 11
LaCie Backup Software v1.5.2130
MailWasher
Malwarebytes' Anti-Malware
MapSource
MapSource - City Select North America v7
MapSource - Trip & Waypoint Manager v2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2004
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (3.0.6)
NetWaiting
Norton Ghost 9.0
Olympus Digital Wave Player
Pdf995
PdfEdit995
PowerDVD 5.3
QuickTime
REAP Version 3.6
S800
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Signature995
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Service Pack 3
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Unread postby dan12 » February 18th, 2009, 12:53 pm

John, the desktop is looking quite good I just need peace of mind that your all ok. :D

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Can you update your malwarebytes definitions and do me a full scan please,post the report. :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 18th, 2009, 1:17 pm

The ATF hung the first few times but I think there was quite a volume of data to delete. I had to "end task" as it was "not responding" when I pulled up Task Manager. I restarted ATF and it finally made it to the end without hanging.
Malwarebyte updated and currently scanning.
A separate question...what is the prefetch box indicate on the ATF checkbox list?
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 18th, 2009, 2:02 pm

Here is the Malwarebyte log:

Malwarebytes' Anti-Malware 1.34
Database version: 1775
Windows 5.1.2600 Service Pack 3

2/18/2009 1:01:18 PM
mbam-log-2009-02-18 (13-01-18).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 158971
Time elapsed: 48 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Unread postby dan12 » February 18th, 2009, 2:18 pm

Ok,looking well so far John,
Before the scan delete the items in the outlook express sent folder

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

post also a fresh HJT
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 18th, 2009, 2:57 pm

Dan,
I was hoping to not have to delete the sent items. The only items Kaspersky located before were three areas. 1., sent items.dbx 2., sent items.bak and 3., a much older backup of...sent items.dbx. See the Kaspersky log below that I ran just before we started this thread.

If I have to delete the sent items, then I need to check with my wife first in case she needs to print something before the delete. Is there any software that can ferret out a malware/virus within a database without having to wipe out the whole database itself?

John

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 17, 2009 23:19:37
Records in database: 1809883
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 128905
Threat name: 2
Infected objects: 3
Suspicious objects: 3
Duration of the scan: 02:18:12


File name / Threat name / Threats count
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.bak Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.bak Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Quantex\WINDOWS\Application Data\Identities\{AB73D2E0-9B28-11D6-8CAB-942B4005EC66}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Quantex\WINDOWS\Application Data\Identities\{AB73D2E0-9B28-11D6-8CAB-942B4005EC66}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

The selected area was scanned.
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Unread postby dan12 » February 18th, 2009, 6:01 pm

Hi, John, I may be able to get a little closer, let's see :)

BitDefender Online Scan

Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

Under SCANNING OPTIONS, use the following Settings:
  • Image
  • Action options - Report only
  • Second option - Report only
Once finished, click on "Click here to export the scan results"

Save the report to your desktop, then post those results in your next reply.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 18th, 2009, 6:35 pm

BitDefender is scanning now and I have to leave for the evening in about 15 minutes. If it doesn't complete before I leave, then I hope you had a good day and you'll probably see the report in the morning.
John
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 19th, 2009, 12:59 am

How frustrating, I came home from being gone all evening with the Bitdefender scanning only to find it was locked up near the end of the scan(6+ hours scanning). I wasn't able to save any of the scan log as I had to "end task" because it was not responding.
I did see that even though you had me check "report only" in Bitdefender it looked as though it had deleted some items. I restarted the scan and hope it makes it this time. From what I saw, this program can delete individual emails from a very large "sent items" database. Just what I was hoping for.
I'll post as soon as I get it.
John
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 19th, 2009, 8:16 am

The Bitdefender log follows. It found very little this time around compared to what I saw last night before I had restart the program. I think it must have done some deleting even though the boxes were checked "report only". I see it found new problems where Kaspersky did not. Kaspersky only found items in MS Outlook Express sent items databases. Bitdefender found items in my old Opera mail databases. Anyway here you are. Thanks, John

BitDefender Online Scanner -Scan ReportBitDefender Online Scanner
Scan report generated at: Thu, Feb 19, 2009 - 01:57:23

Scan path: C:\;D:\;

Statistics
Time02:06:36
Files510366
Folders5783
Boot Sectors0
Archives154083
Packed Files12611

Results
Identified Viruses 2
Infected Files 5
Suspect Files 3
Warnings0
Disinfected0
Deleted Files0

Engines Info
Virus Definitions2675132
Engine buildAVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008
17:19:14)
Scan plugins17
Archive plugins45
Unpack plugins7
E-mail plugins6
System plugins4

Scan Settings
First ActionReport
Second ActionNone
HeuristicsYes
Enable WarningsYes
Scanned Extensions*;
Exclude Extensions
Scan EmailsYes
Scan ArchivesYes
Scan PackedYes
Scan FilesYes
Scan BootYes

Scanned File Status
C:\Documents and Settings\John\My
Documents\Backup\Opera\Mail\storage\mbox149.mbs=>(message
51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002
10:32:17 -0400 (EDT)]=>(MIME part)=>(message body)Suspected of:
Trojan.Exploit.Html.Iframe.Filedownload.GW
C:\Documents and Settings\John\My
Documents\Backup\Opera\Mail\storage\mbox149.mbs=>(message
51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002
10:32:17 -0400 (EDT)]=>(MIME part)=>class.zl9Infected with:
Win32.Klez.H@mm
C:\Documents and Settings\John\My
Documents\Backup\Opera\Mail\storage\mbox15.mbs=>(message
51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002
10:32:17 -0400 (EDT)]=>(MIME part)=>(message body)Suspected of:
Trojan.Exploit.Html.Iframe.Filedownload.GW
C:\Documents and Settings\John\My
Documents\Backup\Opera\Mail\storage\mbox15.mbs=>(message
51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002
10:32:17 -0400 (EDT)]=>(MIME part)=>class.zl9Infected with:
Win32.Klez.H@mm
C:\Documents and Settings\John\My
Documents\Backup\Opera\Mail\storage\mbox283.mbs=>(message
51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002
10:32:17 -0400 (EDT)]=>(MIME part)=>(message body)Suspected of:
Trojan.Exploit.Html.Iframe.Filedownload.GW
C:\Documents and Settings\John\My
Documents\Backup\Opera\Mail\storage\mbox283.mbs=>(message
51)=>[Subject: Continue Online Configuration][Date: Fri, 03 May 2002
10:32:17 -0400 (EDT)]=>(MIME part)=>class.zl9Infected with:
Win32.Klez.H@mm
C:\Quantex\sysfix\072003-1.dat=>(Embedded EXE g)Infected with:
Win95.Dupator.1503
C:\Quantex\sysfix\072003.dat=>(Embedded EXE g)Infected with:
Win95.Dupator.1503
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm

Re: Malware in MS OE sent items database: attention dan12

Unread postby dan12 » February 19th, 2009, 3:24 pm

Hi John just to make run the kaspersky scan again

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code: Select all
:files 
C:\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox149.mbs
C:\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox15.mbs
C:\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox283.mbs
C:\Quantex\sysfix\072003-1.dat
C:\Quantex\sysfix\072003.dat

    

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Malware in MS OE sent items database: attention dan12

Unread postby stumpjumper » February 19th, 2009, 5:20 pm

Hi Dan,
Referencing the first line of your last post, what if anything should I do with Kaspersky?
Kaspersky only flagged items in the Outlook Express sent items databases. I reran it last night on specific files and it still flagged the OE database sent items as being infected.

Bitdefender only flagged items in the Opera databases.(found nothing in the Kaspersky flagged databases)
It looks like OTMoveIt3 only dealt with the Opera databases. Are we going to go after the OE databases later?

Here is the OTMoveIt3 log:

========== FILES ==========
C:\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox149.mbs moved successfully.
C:\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox15.mbs moved successfully.
C:\Documents and Settings\John\My Documents\Backup\Opera\Mail\storage\mbox283.mbs moved successfully.
C:\Quantex\sysfix\072003-1.dat moved successfully.
C:\Quantex\sysfix\072003.dat moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02192009_161257
stumpjumper
Regular Member
 
Posts: 48
Joined: February 12th, 2009, 11:47 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 494 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware