Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: abrandt on April 04, 2004, 08:02:31 AM

Title: EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 04, 2004, 08:02:31 AM
Hello,

 >:(  I just started using Avast today after finding my HDD was infected with Win32.HLLM.Beagle.based and Win32.HLLM.Netsky.35328.

I briefly ran a virus scan from eAnthology Stop Virus Scanner (scanned only 1898 of 102,000+ files) after running AVAST and here are just (2) lines from its report:

D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:Document.pif - Wed, 10 Mar 2004 13:17:33 -0500 - Notify about using the e-mail account. is infected with Win32.HLLM.Beagle.based
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:message.scr - Sat, 3 Apr 2004 13:50:27 -0800 - Mail Delivery (failure 3d125d8d.9010401@biz-solutions.us) is infected with Win32.HLLM.Netsky.35328

Also STOP reported:
Possible Spyware Scan Details:
Stop-Sign has found files belonging to IPInsight, which has been independently identified as Spyware, or possible Spyware
Stop-Sign has found files belonging to CustomToolbar Software, which has been independently identified as Spyware, or possible Spyware

OS:            W2K Pro    
AVEST:       0404-0.04/02
VPS:           0404-0, 02/04/2004
CONFIG:     Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET:  Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL:   Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla


Can anyone please recommend how to best proceed with AVAST to successfully clean-up this scourge?

Thank you in advance for a prompt response.

Alan
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: shgoh on April 04, 2004, 08:30:17 AM
try stand-alone avast virus cleaner... ;)

http://www.avast.com/i_idt_171.html

hope it helps..
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 04, 2004, 08:45:51 AM
shgoh,

Thank you, I'll immediately give Avast Virus Cleaner a try... and report back.

Much appreciate your prompt response.  :)

Alan
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: techie101 on April 04, 2004, 08:55:32 AM
abrandt,

The Avast Virus Cleaner should work for you but you can also download virus cleaners here:
www.nod32.ch/download/tools.stm (http://www.nod32.ch/download/tools.stm)

Then download and install both of these programs to scan for and remove spyware:
Spybot: www.safer-networking.org/index.php?page=download (http://www.safer-networking.org/index.php?page=download)
Adaware:  www.lavasoft.de (http://www.lavasoft.de)

Lastly as a great defense, download and install these which work fantastically as a pair.  They are "set and forget" utilities:
SpywareBlaster (make sure you get version 3.0, the latest) and SpywareGuard 2.2:
www.wilders.org (http://www.wilders.org), listed under Free Tools.

Any further difficulty, come back and let me know.


Techie101
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: shgoh on April 04, 2004, 09:06:41 AM
shgoh,

Thank you, I'll immediately give Avast Virus Cleaner a try... and report back.

Much appreciate your prompt response.  :)

Alan

no worries alan... :)...and also do what techie suggested for spyware.... ;)

welcome to avast forums.... awaiting your good news... ;D
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 04, 2004, 11:38:29 AM
Hello,

Thank you all for the follow-ups.

1. I did run Avast Virus Cleaner, however it found nothing:

4/3/2004, 10:48:02 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (10.1s).
----------
Files scanning started...
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat... file could not be scanned!
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat... file could not be scanned!
No virus body found.
Files scanning finished  (55251 files, 0 infected, 586.0s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:
----------

NEXT... I sent an email to my domain registrar because this is how I was originally informed that I was under virus attack and I just received this:

  V I R U S  A L E R T
Our viruschecker found the
W32/Bagle.n@MM

virus in your email to the following recipient:
-> inforegistrydomains
Delivery of the email was stopped!

Please check your system for viruses, or ask your system administrator to do so.

---------------------------------

So it appears that neither Avast Home nor Virus Cleaner has managed to clean this virus up.

NEXT, I will follow Techie101's recommendations (Sunday afternoon, California time)

Thank you again... will get back.

Alan   :)
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: RejZoR on April 04, 2004, 11:47:01 AM
What's your avast! version? Is it 4.1.357? The previous version had some problems with removing attachments (at least on my machine), but 357 quarantined each and every infected attachment without a problem.
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 04, 2004, 12:02:05 PM
Hello RejZoR,

The version should be the latest since I downloaded it 4/2/04. For some reason, Avast is apparently not seeing the virus on my machine. Don't know why.

As posted above

OS:               W2K Pro  
AVEST:            0404-0.04/02
VPS:                0404-0, 02/04/2004

CONFIG:        Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET:      Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL:      Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla

Thank you,

Alan
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: shgoh on April 04, 2004, 12:17:33 PM
hi alan..

don't worry...we people here will try our very best to help you out... :)

but then maybe you can confirm whether avast really missed the virus on your system by doing some online scanning to verify... ;)

try the site out..

http://www.security-ops.tk/

courtesy of RejZoR.... ;D

awaiting your good news...
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 04, 2004, 12:55:13 PM
Hello all,

1.  shgoh - Thank you. I went to http://www.security-ops.tk/ as you recommended.

2.  Next I did a Google keyword search:  "W32/Bagle.n@MM" "free"
and found the following:

McAfee Security - Security HQ ... March 13,2004 -- Due to increasing prevalence the risk assessment for W32/Bagle.n@MM has been ... mail in these days you have to configure our free auto-forwarding ...
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=101095
http://vil.nai.com/vil/stinger/

I ran the McAfee Stinger program from above and here are its results:

McAfee AVERT Stinger Version 2.1.8 built on Mar 29 2004
Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Mar 29 2004.
Ready to scan for 42 viruses, trojans and variants.

Scan initiated on Sun Apr 04 03:18:39 2004
E:\WINNT\zip1.tmp\zip1.tmp

     Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip1.tmp\zip1.tmp has been deleted.
E:\WINNT\zip2.tmp\zip2.tmp
     Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip2.tmp\zip2.tmp has been deleted.
E:\WINNT\zip3.tmp\zip3.tmp
     Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip3.tmp\zip3.tmp has been deleted.

  Number of clean files: 167554
  Number of infected files: 3
  Number of files deleted: 3


For some reason, the Avast programs (Home or Virus Cleaner) did not find the above.


It's Sunday - 4/4/04 - 3:46 AM PST (California, U.S.A. time) and I've worked on this virus issue all through Saturday... so I'm exhausted and ready to get some shut-eye (sleep!)...

Thank you for all your responses... I will get back tomorrow after further 3rd party virus scan tests.

Thanks again!

Alan   :)
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: RejZoR on April 04, 2004, 12:58:13 PM
Hehe shgoh ;)

@abrandt
To check avast! program version right click on "a" ball next to the clock and select About avast!...

Search for the same text as the one highlighted on my picture.
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: Lisandro on April 04, 2004, 04:14:20 PM
I sent an email to my domain registrar because this is how I was originally informed that I was under virus attack and I just received this:

 V I R U S  A L E R T
Our viruschecker found the
W32/Bagle.n@MM

virus in your email to the following recipient:
-> inforegistrydomains
Delivery of the email was stopped!

Please check your system for viruses, or ask your system administrator to do so.

---------------------------------

So it appears that neither Avast Home nor Virus Cleaner has managed to clean this virus up.

I'm not so sure... This is a common behavior: a virus 'stole' your email information to be sent over the Internet. Your ISP catches you as the one who is spreading the virus but, in fact, you were innocent. See http://forum.avast.com/index.php?board=1;action=display;threadid=3676#bot

I wouldn't worry too much about that. It's a virus trick. You were not infected and did not send that infected email.

Anyway, you can choose on-line scanning to be sure.  :D
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: techie101 on April 04, 2004, 05:43:31 PM
abrandt,

Please check the settings of your On Access Protection Console/Internet Mail/SMTP.

Make sure that there is a check next to "Scan outbound mail" and more importantly.....that there is NO check next to "Allow sending of infected email".

As Technical stated, a worm usually "traps" your address book from your email client and resends an email containing the virus.

Sometimes a "Warning: Virus found" in the subject of an email could very well be an infected email!

It is a form of spoofing to fool users into opening up infected email and files.

Avast most certainly would have caught the viri, and the Cleaner would have easily removed them......providing that you have the latest program and DB updates which you seem to have.

Run a full Avast scan with "Archive" and "Thorough" scanning set.  If nothing shows up, then I would relax.

Techie
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: gtaillandier on April 04, 2004, 08:36:56 PM
I have Avast 4.1.369 French version and I just have one question:

- several times I've got e-mails with the Netsky virus. Avast has detected it but it was impossible to repair the e-mail.

Solution : delete it or move it to quarantine.

Can someone tell me why it was impossible to repair?

Thx for your help
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 04, 2004, 08:53:36 PM
Hello all,

1.  I have attached a .gif image of About avast!:  4.1 Home edition

2.  I went to  http://www.security-ops.tk/ as recommended by RejZoR and used the BitDefender Online-Scan which found the following:   Win32.Bagle.J@mm  Win32.Bagle.M@mm   Win32.Netsky.P@mm  :'(  (See results in next response.)

3.  NEXT... I am going to follow Techie101's instructions re: AVAST configuration... and then I'll get back and report + I'm going to run the Panda ActiveScan at http://www.security-ops.tk/

Your assistance is very much appreciated!  :D

(Please see page 2 for PART 2)

I'll be baaack!

Alan
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 04, 2004, 09:00:18 PM
PART-2   (Results were "too long"... so here's an edited version:)

Infection appears to be centered in my email client:  Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla

Scanned Finished. Scanned Objects: 74272    Infected Objects: 121    Time: 06:39:52

D:\Internet Data\Mozilla\Profiles\Test-2\xez7f4km.slt\Mail\pop.biz-solutions.us\Sent=>(message 649) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 42)=>[Subject: Notify about using the e-mail account.][Date: Wed, 10 Mar 2004 13:17:33 -0500]=>(MIME part)=>Document.pif infected: Win32.Bagle.J@mm
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 337)=>[Subject: E-mail technical support message.][Date: Fri, 02 Apr 2004 15:39:32 -0600]=>(MIME part)=>Attach.pif=>(Upx) infected: Win32.Bagle.M@mm
Apr 2004 17:23:02 -0500]=>(MIME part)=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 341)=>[Subject: Mail Delivery (failure peo_abrandt@biz][Date: Fri, 2 Apr 2004 17:23:02 -0500]=>(MIME part)=>message.scr infected: Win32.Netsky.P@mm
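As an added illustration (it is not code from anyone in this thread), here is a small Python script that does what the BitDefender report above is doing: walk a Mozilla-style mbox Inbox message by message, look inside each MIME part, and list the messages carrying attachments with executable extensions such as Document.pif and message.scr. The Inbox it scans is built inline from constructed placeholder messages, with harmless dummy bytes in place of any worm body; the sender address and subjects are likewise made up for the example.

```python
import mailbox
import os
import tempfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions Windows will execute however the mailer labels the file:
# Bagle.J arrived as Document.pif, Netsky.P as message.scr.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

def find_executable_attachments(mbox_path):
    """Return (message_number, subject, filename) for every attachment in
    the mbox whose filename carries an executable extension."""
    hits = []
    for number, msg in enumerate(mailbox.mbox(mbox_path), start=1):
        for part in msg.walk():  # visits every MIME part, nested ones included
            name = part.get_filename()
            if name and os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                hits.append((number, msg.get("Subject", ""), name))
    return hits

def _message(subject, body, attachment_name=None):
    """Build a constructed message, optionally with a dummy attachment."""
    if attachment_name is None:
        msg = MIMEText(body)
    else:
        msg = MIMEMultipart()
        msg.attach(MIMEText(body))
        # Placeholder bytes only; no worm body is embedded here.
        att = MIMEApplication(b"constructed placeholder", Name=attachment_name)
        att.add_header("Content-Disposition", "attachment", filename=attachment_name)
        msg.attach(att)
    msg["Subject"] = subject
    msg["From"] = "forged-sender@example.invalid"  # mass-mailers forge this
    msg["To"] = "user@example.invalid"
    return msg

def scan_sample_inbox():
    """Write a constructed three-message Inbox echoing the thread's scanner
    hits, scan it, and return the findings."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.close(fd)
    box = mailbox.mbox(path)
    box.add(_message("Notify about using the e-mail account.",
                     "Please read the attached document.", "Document.pif"))
    box.add(_message("Re: lunch", "See you at noon."))
    box.add(_message("Mail Delivery (failure)",
                     "Your message could not be delivered.", "message.scr"))
    box.close()  # close() flushes the messages to disk
    try:
        return find_executable_attachments(path)
    finally:
        os.remove(path)
```

Point `find_executable_attachments` at a real profile's Inbox file to get the same message-number/subject/filename listing the online scanners produce, which tells you exactly which messages to delete or quarantine.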
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 05, 2004, 03:17:23 AM
Hello,

So far everything has FAILED to remove Win32.Bagle.J@mm  Win32.Bagle.M@mm  Win32.Netsky.P@mm.

I have run AVAST Home or Virus Cleaner a total of 3 times each to find - 0 - viri:

Creating log file: H:\Downloads\Tests\Avast\aswclnr_1.0.178_build2.4.2004.log

4/4/2004, 1:32:15 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (7.6s).
----------
Files scanning started...
E:\Documents and Settings\Alan Brandt\Application Data\Powermarks\pm.cache... file could not be scanned!
E:\WINNT\system32\Perflib_Perfdata_394.dat... file could not be scanned!
L:\dllcache\tridkb.dll... file could not be scanned!
No virus body found.
Files scanning finished  (55046 files, 0 infected, 612.5s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:
......................................................................................

NEXT I ran AdvancedForce DrWeb Anti-Virus Workstations a total of 3 times each to find - 0 - viri.

I have looked and it is LOADED with potter... brit... how to hack new... harry potter... 1001 sex and more.rtf...

McAfee Stinger has failed.

I'm thinking about trying some of the individual tools available at www.nod32.ch/download/tools.stm recommended by Techie101.

Any further ideas would be greatly appreciated... I've been working on this virus attack for over 18 hours now!!!  :-[

HELP!!!

Thank you so much!

Alan  >:(
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: techie101 on April 05, 2004, 05:41:02 PM
abrandt,

Keep at it.  We'll get rid of the little buggers!

Have you disabled System Restore function?
If not, do so.  Reboot and try the utilities I mentioned.

Sometimes, a removal tool from one vendor works and another doesn't.

From the log info you provided, I do not see why the Avast Cleaner did not remove the virus UNLESS the files are password protected by Mozilla.
Also, from the paths quoted, it seems that the viri are contained in the body of the emails.
Have you tried deleting all the old mail?  Rebooting.
If you do not remove the infected mail, the virus will continue to propagate.

Techie
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: abrandt on April 06, 2004, 12:38:48 AM
Hello Techie101,

Thank you for your follow-up. :)

This little virus attack went from bad to worse :'( ... when W2K's winsocket2 and the printspooler became corrupted... at that point who knows what additional OS damage had been done.

PARTIAL SOLUTION:  I used PowerQuest Drive Image 5.0 (now Symantec) to restore a previous image well before the virus attack... which of course has allowed me to have a clean registry... plus plenty of work to get things where they were. (I just ran a regedit for "potter" which came up empty.)

The Panda scan was the only scan that recognized the viri in my email... however there are so many negative user reviews at CNET.com that I am reluctant to use Panda... however I need to make a decision in the next several hours.

Bottom line is, the viri have not yet been either DISINFECTED or DELETED from my HDD. >:(

Any help would be appreciated!

Thank you,
Alan
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: techie101 on April 06, 2004, 12:55:16 AM
Alan,

Ok, I know about the Panda user comments.

Try Housecall from Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp (http://housecall.trendmicro.com/housecall/start_corp.asp)

Have you tried the individual tools that I recommended earlier?

Let me know.  I will be online for the night either on the Avast Home/Pro; General boards or Moderating the Off Topic board.

Techie
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: honyak122 on April 09, 2004, 01:59:02 AM
I have been reading this thread with interest. I have been using Avast 4 Home for about 4 months with no virus problems. Out of curiosity today, I tried BitDefender just for a second opinion and got an infection notice of some Bagle variant (I don't remember which one for certain) that showed up in about the same location as it did for you.
I received an email last Friday that supposedly was from my ISP, but it had a zip file attached with a code. I was suspicious and deleted it, as I am very careful with email. So I know why Avast did not find it in the zip file.
Now, after BitDefender found this, I went to Panda online and it found nothing (by the way, BitDefender only let me choose to ignore it). I then went to Trend Micro and again nothing, so I am not sure what is going on, but all seems okay.
I was just interested to find this thread and thought I would share my experience.
Good luck with getting your issue settled. :o
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: techie101 on April 09, 2004, 03:43:32 AM
hony,

BitDefender may have registered a false positive, which can happen to any AV.  It is important to provide the exact error message and the name of the virus reported so we can determine its status.

Trend Micro is pretty reliable as a backup check.  I do not much care for Panda.

Anyway, thank you for sharing with us.

Techie
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: honyak122 on April 09, 2004, 04:14:32 PM
Techie101
I too felt it was a false positive because I am certain that I have not opened an email with a virus; that is why I did not pay it that much attention, and Trend Micro did not find anything either.
Avast has worked well for me and I have only praise for it.
I was just curious about the online scanner and being fairly new to Avast got a second opinion,
I am satisfied that it was a false positive and thought the member might be interested to know that. :D
Title: Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
Post by: techie101 on April 09, 2004, 05:46:58 PM
honyak,

An online scanner is always a good idea.  I do use them occasionally myself, but Avast is my main line of defense.

Techie