Author Topic: EMAIL VIRUS NOT SUCCESSFULLY REMOVED  (Read 16610 times)


abrandt

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #15 on: April 04, 2004, 09:00:18 PM »
PART-2   (Results were "too long"... so here's an edited version:)

Infection appears to be centered in my email client:  Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla

Scanned Finished. Scanned Objects: 74272    Infected Objects: 121    Time: 06:39:52

D:\Internet Data\Mozilla\Profiles\Test-2\xez7f4km.slt\Mail\pop.biz-solutions.us\Sent=>(message 649) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 42)=>[Subject: Notify about using the e-mail account.][Date: Wed, 10 Mar 2004 13:17:33 -0500]=>(MIME part)=>Document.pif infected: Win32.Bagle.J@mm
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 337)=>[Subject: E-mail technical support message.][Date: Fri, 02 Apr 2004 15:39:32 -0600]=>(MIME part)=>Attach.pif=>(Upx) infected: Win32.Bagle.M@mm
Apr 2004 17:23:02 -0500]=>(MIME part)=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 341)=>[Subject: Mail Delivery (failure peo_abrandt@biz][Date: Fri, 2 Apr 2004 17:23:02 -0500]=>(MIME part)=>message.scr infected: Win32.Netsky.P@mm

abrandt

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #16 on: April 05, 2004, 03:17:23 AM »
Hello,

So far everything has FAILED to remove Win32.Bagle.J@mm  Win32.Bagle.M@mm  Win32.Netsky.P@mm.

I have run AVAST Home or Virus Cleaner a total of 3 times each to find - 0 - viri:

Creating log file: H:\Downloads\Tests\Avast\aswclnr_1.0.178_build2.4.2004.log

4/4/2004, 1:32:15 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (7.6s).
----------
Files scanning started...
E:\Documents and Settings\Alan Brandt\Application Data\Powermarks\pm.cache... file could not be scanned!
E:\WINNT\system32\Perflib_Perfdata_394.dat... file could not be scanned!
L:\dllcache\tridkb.dll... file could not be scanned!
No virus body found.
Files scanning finished  (55046 files, 0 infected, 612.5s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:
......................................................................................

NEXT I ran AdvancedForce DrWeb Anti-Virus Workstations  a total of 3 times each to find - 0 - viri.

I have looked and it is LOADED with potter... brit... how to hack new... harry potter... 1001 sex and more.rtf...

McAfee Stinger has failed.

I'm thinking about trying some of the individual tools available at www.nod32.ch/download/tools.stm recommended by Techie101.

Any further ideas would be greatly appreciated... I've been working on this virus attack for over 18 hours now!!!  :-[

HELP!!!

Thank you so much!

Alan  >:(

techie101

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #17 on: April 05, 2004, 05:41:02 PM »
abrandt,

Keep at it.  We'll get rid of the little buggers!

Have you disabled System Restore function?
If not, do so.  Reboot and try the utilities I mentioned.

Sometimes, a removal tool from one vendor works and another doesn't.

From the log info you provided, I do not see why the Avast Cleaner did not remove the virus UNLESS the files are password protected by Mozilla.
Also, from the paths quoted, it seems that the viri are contained in the body of the emails.
Have you tried deleting all the old mail?  Rebooting.
If you do not remove the infected mail, the virus will continue to propagate.

Techie
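The scanner output quoted in Reply #15 uses a nested "=>" notation (mailbox file => message number => headers => MIME part => attachment), and Techie's advice in Reply #17 is to delete the infected mail rather than expect a file-level cleaner to disinfect a mailbox file. The following parser is an added example, not code from either poster or from any scanner vendor: it turns those result lines into a per-mailbox list of message numbers to delete and flags attachments with executable extensions. The sample input is the result lines quoted in Reply #15 (including the one that was cut off mid-line), and the attachment-extension list is an assumption of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the scan result lines quoted in Reply #15 above,
# including the one that was cut off mid-line, so the parser's handling of a
# mangled line is exercised too.
SAMPLE_LOG = r"""
D:\Internet Data\Mozilla\Profiles\Test-2\xez7f4km.slt\Mail\pop.biz-solutions.us\Sent=>(message 649) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 42)=>[Subject: Notify about using the e-mail account.][Date: Wed, 10 Mar 2004 13:17:33 -0500]=>(MIME part)=>Document.pif infected: Win32.Bagle.J@mm
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 337)=>[Subject: E-mail technical support message.][Date: Fri, 02 Apr 2004 15:39:32 -0600]=>(MIME part)=>Attach.pif=>(Upx) infected: Win32.Bagle.M@mm
Apr 2004 17:23:02 -0500]=>(MIME part)=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 341)=>[Subject: Mail Delivery (failure peo_abrandt@biz][Date: Fri, 2 Apr 2004 17:23:02 -0500]=>(MIME part)=>message.scr infected: Win32.Netsky.P@mm
"""

# Line shape: "<mailbox file>=>(message N)=>[Subject: ...][Date: ...]=>(MIME part)=>name infected: Virus"
VERDICT_RE = re.compile(r"^(?P<chain>.+?) (?P<verdict>infected|suspect): (?P<name>\S+)$")
MESSAGE_RE = re.compile(r"^\(message (?P<no>\d+)\)$")
HEADER_RE = re.compile(r"^\[Subject: (?P<subject>.*)\]\[Date: (?P<date>.*)\]$")

# Assumed list of extensions a mail worm of this era used for its payload.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs")


@dataclass
class Detection:
    mailbox_file: str       # the mailbox file the scanner looked inside (one folder of the mail client)
    message_no: int         # ordinal of the message within that mailbox file
    subject: Optional[str]
    date: Optional[str]
    payload: Optional[str]  # attachment name, "message body", or None when no part was named
    verdict: str            # "infected" (signature hit) or "suspect" (heuristic)
    name: str               # detection name as printed by the scanner


def parse_line(line: str) -> Optional[Detection]:
    """Parse one scanner result line; return None for anything that is not a
    complete '<path>=>(message N)...' line (blank lines, truncated lines)."""
    m = VERDICT_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("chain").split("=>")
    # A complete line names a drive path first and the message number second;
    # the truncated "Apr 2004 ..." line fails this and is reported, not guessed at.
    if len(parts) < 2 or not MESSAGE_RE.match(parts[1]) or ":\\" not in parts[0]:
        return None
    subject = date = payload = None
    for part in parts[2:]:
        h = HEADER_RE.match(part)
        if h:
            subject, date = h.group("subject"), h.group("date")
        elif part == "(message body)":
            payload = "message body"
        elif not part.startswith("("):
            payload = part   # bare element is the attachment name; "(Upx)" after it is a packer note
    return Detection(parts[0], int(MESSAGE_RE.match(parts[1]).group("no")),
                     subject, date, payload, m.group("verdict"), m.group("name"))


def has_executable_payload(det: Detection) -> bool:
    """True when the flagged part is an attachment with an executable extension."""
    return det.payload is not None and det.payload.lower().endswith(EXECUTABLE_EXTS)


def triage(log_text: str):
    """Group detections by mailbox file; return (by_mailbox, unparsed_lines)."""
    by_mailbox = defaultdict(list)
    unparsed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        det = parse_line(line)
        if det is None:
            unparsed.append(line)
        else:
            by_mailbox[det.mailbox_file].append(det.message_no)
    return {k: sorted(v) for k, v in by_mailbox.items()}, unparsed


if __name__ == "__main__":
    by_mailbox, unparsed = triage(SAMPLE_LOG)
    for mbox, nums in by_mailbox.items():
        print(f"{mbox}\n  messages to delete: {nums}")
    for line in SAMPLE_LOG.splitlines():
        det = parse_line(line)
        if det and has_executable_payload(det):
            print(f"  executable attachment {det.payload!r} in message {det.message_no}: {det.name}")
    print(f"{len(unparsed)} line(s) could not be parsed and need a look by hand")
```

Run as-is it lists, per mailbox file, the message numbers the scanner flagged (the Sent folder's message 649 and the Inbox's messages 42, 337 and 341 in the sample) and reports the truncated line separately instead of silently dropping it. Deleting those messages from the mail client and compacting the folders removes the flagged content from the mailbox file, which is what a file-level cleaner cannot do for a message inside a mailbox.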

abrandt

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #18 on: April 06, 2004, 12:38:48 AM »
Hello Techie101,

Thank you for your follow-up. :)

This little virus attack went from bad to worse :'( ... when W2K's winsocket2 and the printspooler became corrupted... at that point who knows what additional OS damage had been done.

PARTIAL SOLUTION:  I used PowerQuest Drive Image 5.0 (now Symantec) to restore a previous image well before the virus attack... which of course has allowed me to have a clean registry... plus plenty of work to get things where they were. (I just ran a regedit for "potter" which came up empty.)

The Panda scan was the only scan that recognized the viri in my email... however, there are so many negative user reviews at CNET.com that I am reluctant to use Panda... however I need to make a decision in the next several hours.

Bottom line is, the viri have not yet been either DISINFECTED or DELETED from my HDD. >:(

Any help would be appreciated!

Thank you,
Alan

techie101

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #19 on: April 06, 2004, 12:55:16 AM »
Alan,

Ok, I know about the Panda user comments.

Try Housecall from Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp

Have you tried the individual tools that I recommended earlier?

Let me know.  I will be online for the night either on the Avast Home/Pro; General boards or Moderating the Off Topic board.

Techie

honyak122

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #20 on: April 09, 2004, 01:59:02 AM »
I have been reading this thread with interest. I have been using Avast 4 Home for about 4 months with no virus problems. Out of curiosity, today I tried Bitdefender just for a second opinion and got an infection notice of some Bagle variant (I don't remember which one for certain) that showed up in about the same location as it showed on yours.
I received an email last Friday that supposedly was from my ISP, but it had a zip file attached with a code. I was suspicious and deleted it, as I am very careful with email. So I know why Avast did not find it in the zip file.
Now after Bitdefender found this I went to Panda online and it found nothing, by the way Bitdefender only let me choose to ignore it, I then went to trend micro and again nothing so I am not sure what is going on but all seems okay.
I was just interested to find this thread and thought I would share my experience.
Good luck with getting your issue settled. :o

techie101

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #21 on: April 09, 2004, 03:43:32 AM »
hony,

BitDefender may have registered a false positive, which can happen to any AV.  It is important to provide the exact error message and the name of the virus reported so we can determine its status.

Trend Micro is pretty reliable as a backup check.  I do not much care for Panda.

Anyway, thank you for sharing with us.

Techie

honyak122

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #22 on: April 09, 2004, 04:14:32 PM »
Techie101
I too felt it was a false positive, because I am certain that I have not opened an email with a virus. That is why I did not pay it that much attention, and Trend Micro did not find anything either.
Avast has worked well for me and I have only praise for it.
I was just curious about the online scanner and, being fairly new to Avast, got a second opinion.
I am satisfied that it was a false positive and thought the member might be interested to know that. :D

techie101

  • Guest
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #23 on: April 09, 2004, 05:46:58 PM »
honyak,

An online scanner is always a good idea.  I do use them occasionally myself, but Avast is my main line of defense.

Techie