Recurring Email - Virus??

[Izzyflip]

I have an email message that keeps coming back into my inbox and freezing up the receipt of other mail.
It is not on the server. Somehow it keeps regenerating itself from within my email program or my computer.

I tried blocking the message, deleting it, etc and it keeps coming back. Sometimes everyday, sometimes after a few days.

It is from supprefnum174@citibank.com, no subject line, nothing in the body, no attachments.

I have emailed citibank and my ISP about it and they have not provided any valid answers.

I have searched "supprefnum", etc and have found no helpful information.

Avast found the following in a virus scan:
A0056375.ocx & brix6ie.ocx infected with the virus Win32: Adan-053 [Adw]

I have been unable to find any information on that virus and what to do about it. Avast suggested I put those files in the virus chest, which I did. I am still getting the recurring email message.
Did another scan last night and it found this:
C:\Documents & Settings\Application Data\Mozilla\Profiles\Default\tvdy7amh.slt\Cache\AOEA5AC6dO1\[UPX]
Unable to scan, UPX archive is corrupted.

I emptied the cache.

Still getting the email.

I am using  mozilla suite 1.6 for browser and email.
Help!! Please and thank you.

[Lisandro]

I tried blocking the message, deleting it, etc and it keeps coming back. Sometimes everyday, sometimes after a few days.

Did another scan last night and it found this:
C:\Documents & Settings\Application Data\Mozilla\Profiles\Default\tvdy7amh.slt\Cache\AOEA5AC6dO1\[UPX]
Unable to scan, UPX archive is corrupted.

You should try to delete the Mozilla temporary files.

Also, it should be useful disable the System Restore. If you find a virus keeps coming back after you delete it, it's most probably infected the System Restore folder, the best way to solve this is to disable System Restore, reboot your machine and then enable it again. After all, run a full avast! scanning. System Restore cannot be disabled on Windows 9x. Enable/Disable System restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

[DavidR]

The fact that it keeps coming back doesn't mean it is the same virus, just that it keeps getting sent to you and avast keeps detecting it. I shouldn't be on your computer if you kept deleting it (but if you let it through once, that may be why it has been detected on a scan), follow Tech's suggestions.

The from address is undoubtedly forged and trying to block individual emails is like trying to hit a moving target, you could block the domain citibank.com (unless you are a citibank customer and would expect to get email from them).

They are likely to be speculative email phishing attempts in the hope that some gullible citibank customer will visit the link and enter their username, password and account details leaving their account open to fraud.

Your email address looks like it has been harvested in some way and ended up on a spam list, so aside from the virus emails you are probably getting some spam too. I suggest that you get an anti-spam tool, I use MailWasher Pro which allows me to monitor and delete spam from my ISP's mail server so it doesn't get downloaded, this can also be use to delete suspicious/infected emails. There is a freeware version of MailWasher however, it only allows monitoring of one email account.

[Izzyflip]

Thank you everyone for the help.
I am going to try the reboot and scheduled boot scan as suggested. Will post my results.
I do get a lot of spam and have some filtering through my ISP.
Will look into the Mailwasher program, it sounds like it would be useful.

[Izzyflip]

I turned off system restore function.
Did a bootscan with avast.
Did a full can with avast.
Shutdown. Robooted, etc, etc.
Turned sytem restore back on and back it came.
So I think that it is in the sytem restore files but avast not finding it??
How do I check for it in the stytem restore files?
Is there not a removable tool for Win32: Adan-053 [Adw]
I haven't been able to find any info on this virus/worm or how to remove it.
I am leaving sytem restore off for this week to see if the email comes back again.
Any other help anyone can provide will be greatly appreciated.
Thanks.

[Lisandro]

Turned sytem restore back on and back it came.
So I think that it is in the sytem restore files but avast not finding it??

The files 'appeared' there only after you've enabled System Restore.
When you disable it, all files are deleted (including the infected ones there).

How do I check for it in the stytem restore files?

Just run a normal full scanning (all drivers and check for archive files scanning too).

I haven't been able to find any info on this virus/worm or how to remove it.

You're clean now as far we can notice... 

[Izzyflip]

I thought it was gone. But it's not!!
I had system restore off for a few days and the email didn't show up, until today!!
I went to trend.com and did an online scan there and it found nothing.
Just about to do another avast scan right now, see what it finds.
Will post my results.
Thanks again for the help.

[Lisandro]

Try other antispyware applications (freeware): download, install, update and run it.
Ad-Aware
Spybot Search and Destroy
Spywareblaster
A-squared
Ewido

[Izzyflip]

I have Ad Aware and Spybot.
I just Ad Aware and did a scan a few days ago and it just found tracking cookies and they are in quarantine.
I ran Spybot a few days ago, too and it did not find anything. It hadn't been updated in a while so I just did that and ran another scan. It said no immediate threats were found.
What next??
Thanks again.

[DavidR]

I thought it was gone. But it's not!!
I had system restore off for a few days and the email didn't show up, until today!!

Sorry to keep harping on but:

The fact that it keeps coming back doesn't mean it is the same virus, just that it keeps getting sent to you and avast keeps detecting it.

It is simply another infected email, yes it may have the same infection, that happens as the virus may be curently the one doing the rounds and these phishing emails are very prolific.

Either someone you know has an infected system and it is sending out infected emails to those in their addressbook or your name is on a list.

Be thankful that avast detects these emails and if your response was to delete them, once deleted they aren't on your system, so a scan will return nothing relating to that email detection.

[Izzyflip]

I am pretty sure it is not being sent to me again.
It is in my system somewhere and regenerating itself as I have gone online several times and checked my email on my ISP before downloading it from my email program and the email is not on the server. But when I then download email to my computer, it shows up.
It is dated Nov 23, 2004 2:39am and it always has that date and time everytime it shows up.

[DavidR]

I am pretty sure it is not being sent to me again.

How have you arrived at that opinion?

Which provider is picking it up the infected email, Internet Mail or Standard Shield?

I then download email to my computer, it shows up.

Which leads me to believe it is a received email.

I suggest that you download the freeware MailWasher program and use that to monitor the email account that this is coming in on. This should confirm/deny that it is being received and not regenerated.

The date and time like the from address can be forged.

[Izzyflip]

I believe it is not being sent to me again as I go to uniserve.com which is my ISP and check my email there and the message is not there. I then logoff from there. Open my email program (which is mozilla) and download my messages from the server and the email in question shows up.
If it is not in my inbox online but shows up in my email program, then would that not suggest that it is coming from within my system not be remailed to me?
I am not that prolific at these things so hey I could very well be wrong.
I will try the mailwasher for sure.

[Izzyflip]

I installed mailwasher and it did not catch the recurring email.
I opened mailwasher today, reviewed emails and marked unwanted ones for deletion - the recurring email was not there, then had mailwasher process and open my mail program and download the messages I wanted to my inbox. The recurring email showed up in my inbox even though it was not in the mailwasher list I had just reviewed.
I am stumped.
Any other ideas out there??!!

[whocares]

empty trash in Mozilla, then COMPACT/COMPRESS/Clean all Folders from within mozilla
Also clean out similarly any intervening mailwashers/spamkillers etc etc..
Empty Mozilla Cache including offline-files (if any) for ALL users
(maybe avast shield needs to be paused for the above)

Also post a Hijackthis-Log for Diagnosis (see link "VirusRemoval" below in my sig)