Author Topic: EMAIL VIRUS NOT SUCCESSFULLY REMOVED  (Read 14805 times)


Offline abrandt

  • Newbie
  • *
  • Posts: 9
EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« on: April 04, 2004, 08:02:31 AM »
Hello,

 >:(  I just started using Avast today after finding my HDD was infected with Win32.HLLM.Beagle.based and Win32.HLLM.Netsky.35328.

I briefly ran a virus scan from eAnthology Stop Virus Scanner (scanned only 1898 of 102,000+ files) after running AVAST and here are just (2) lines from its report:

D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:Document.pif - Wed, 10 Mar 2004 13:17:33 -0500 - Notify about using the e-mail account. is infected with Win32.HLLM.Beagle.based
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:message.scr - Sat, 3 Apr 2004 13:50:27 -0800 - Mail Delivery (failure 3d125d8d.9010401@biz-solutions.us) is infected with Win32.HLLM.Netsky.35328

Also STOP reported:
Possible Spyware Scan Details:
Stop-Sign has found files belonging to IPInsight, which has been independently identified as Spyware, or possible Spyware
Stop-Sign has found files belonging to CustomToolbar Software, which has been independently identified as Spyware, or possible Spyware

OS:            W2K Pro    
AVAST:       0404-0.04/02
VPS:           0404-0, 02/04/2004
CONFIG:     Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET:  Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL:   Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla


Can anyone please recommend how to best proceed with AVAST to successfully clean-up this scourge?

Thank you in advance for a prompt response.

Alan
« Last Edit: April 04, 2004, 08:36:35 AM by abrandt »
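
Added example, not part of the original thread: the two report lines above point at attachments stored inside the Mozilla `Inbox` file, which is a single mbox file holding every message in the folder. The sketch below lists the messages in such a file that carry attachments with directly executable extensions (.pif and .scr are the two in the report); the sample mailbox, addresses and extension list are constructed for illustration.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Extensions Windows runs directly; .pif and .scr are the two named in the report.
RISKY_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

def find_risky_attachments(mbox_path):
    """Return (subject, filename) for each attachment with an executable extension."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for msg in box:
            for part in msg.walk():
                name = part.get_filename()
                if not name:
                    continue
                ext = os.path.splitext(name.strip().lower())[1]
                if ext in RISKY_EXTENSIONS:
                    hits.append((msg.get("Subject", ""), name))
    finally:
        box.close()
    return hits

def build_sample_mbox(path):
    """Write a constructed three-message mbox; attachment bytes are a harmless placeholder."""
    samples = [
        ("Notify about using the e-mail account.", "Document.pif"),
        ("Mail Delivery (failure)", "message.scr"),
        ("Meeting notes", "notes.txt"),
    ]
    box = mailbox.mbox(path)
    try:
        for subject, filename in samples:
            m = EmailMessage()
            m["Subject"] = subject
            m.set_content("constructed sample body")
            m.add_attachment(b"placeholder", maintype="application",
                             subtype="octet-stream", filename=filename)
            box.add(m)
    finally:
        box.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        build_sample_mbox(path)
        return find_risky_attachments(path)
```

A hit here means the message is still sitting in the mail folder, which is a different finding from an active infection on the system.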

Offline shgoh

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 977
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #1 on: April 04, 2004, 08:30:17 AM »
try stand-alone avast virus cleaner... ;)

http://www.avast.com/i_idt_171.html

hope it helps..
lIfE iS sAd...yOu NeVeR kNoW wHaT yOu GoNnA gEt... :'(

Offline abrandt

  • Newbie
  • *
  • Posts: 9
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #2 on: April 04, 2004, 08:45:51 AM »
shgoh,

Thank you, I'll immediately give Avast Virus Cleaner a try... and report back.

Much appreciate your prompt response.  :)

Alan

Offline techie101returns

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1900
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #3 on: April 04, 2004, 08:55:32 AM »
abrandt,

The Avast Virus Cleaner should work for you but you can also download virus cleaners here:
www.nod32.ch/download/tools.stm

Then download and install both of these programs to scan for and remove spyware:
Spybot: www.safer-networking.org/index.php?page=download
Adaware:  www.lavasoft.de

Lastly as a great defense, download and install these which work fantastically as a pair.  They are "set and forget" utilities:
SpywareBlaster (make sure you get version 3.0, the latest) and SpywareGuard 2.2:
www.wilders.org, listed under Free Tools.

Any further difficulty, come back and let me know.


Techie101
« Last Edit: April 04, 2004, 09:07:17 AM by Techie101 »

Offline shgoh

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 977
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #4 on: April 04, 2004, 09:06:41 AM »
> shgoh,
>
> Thank you, I'll immediately give Avast Virus Cleaner a try... and report back.
>
> Much appreciate your prompt response.  :)
>
> Alan

no worries alan... :)...and also do what techie suggested for spyware.... ;)

welcome to avast forums.... awaiting your good news... ;D
lIfE iS sAd...yOu NeVeR kNoW wHaT yOu GoNnA gEt... :'(

Offline abrandt

  • Newbie
  • *
  • Posts: 9
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #5 on: April 04, 2004, 11:38:29 AM »
Hello,

Thank you all for the follow-ups.

1. I did run Avast Virus Cleaner, however it found nothing:

4/3/2004, 10:48:02 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (10.1s).
----------
Files scanning started...
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat... file could not be scanned!
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat... file could not be scanned!
No virus body found.
Files scanning finished  (55251 files, 0 infected, 586.0s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:

----------

NEXT... I sent an email to my domain registrar because this is how I was originally informed that I was under virus attack and I just received this:

  V I R U S  A L E R T
Our viruschecker found the
W32/Bagle.n@MM

virus in your email to the following recipient:
-> inforegistrydomains
Delivery of the email was stopped!

Please check your system for viruses, or ask your system administrator to do so.


---------------------------------

So it appears that neither Avast Home nor Virus Cleaner has managed to clean this virus up.

NEXT, I will follow Techie101's recommendations (Sunday afternoon, California time)

Thank you again... will get back.

Alan   :)
« Last Edit: April 04, 2004, 11:43:30 AM by abrandt »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9362
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #6 on: April 04, 2004, 11:47:01 AM »
What's your avast! version? Is it 4.1.357? Previous version had some problems with removing of attachments (at least on my machine), but 357 quarantined each and every infected attachment without a problem.
Visit my webpage Angry Sheep Blog

Offline abrandt

  • Newbie
  • *
  • Posts: 9
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #7 on: April 04, 2004, 12:02:05 PM »
Hello RejZoR,

The version should be the latest since I downloaded it 4/2/04. For some reason, Avast is apparently not seeing the virus on my machine. Don't know why.

As posted above

OS:               W2K Pro  
AVAST:            0404-0.04/02
VPS:                0404-0, 02/04/2004

CONFIG:        Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET:      Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL:      Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla


Thank you,

Alan

Offline shgoh

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 977
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #8 on: April 04, 2004, 12:17:33 PM »
hi alan..

don't worry...we people here will try our very best to help you out... :)

but then maybe you can confirm something if avast really miss the virus on your system by doing some online scanning to verify... ;)

try the site out..

http://www.security-ops.tk/

courtesy of RejZoR.... ;D

awaiting your good news...
lIfE iS sAd...yOu NeVeR kNoW wHaT yOu GoNnA gEt... :'(

Offline abrandt

  • Newbie
  • *
  • Posts: 9
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #9 on: April 04, 2004, 12:55:13 PM »
Hello all,

1.  shgoh - Thank you. I went to http://www.security-ops.tk/ as you recommended.

2.  Next I did a  Google keyword search:  "W32/Bagle.n@MM" "free"
and found the following:

McAfee Security - Security HQ ... March 13,2004 -- Due to increasing prevalence the risk assessment for W32/Bagle.n@MM has been ... mail in these days you have to configure our free auto-forwarding ...
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=101095
http://vil.nai.com/vil/stinger/

I ran the McAfee Stinger program from above and here are its results:

McAfee AVERT Stinger Version 2.1.8 built on Mar 29 2004
Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Mar 29 2004.
Ready to scan for 42 viruses, trojans and variants.

Scan initiated on Sun Apr 04 03:18:39 2004
E:\WINNT\zip1.tmp\zip1.tmp

    Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip1.tmp\zip1.tmp has been deleted.
E:\WINNT\zip2.tmp\zip2.tmp
     Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip2.tmp\zip2.tmp has been deleted.
E:\WINNT\zip3.tmp\zip3.tmp
     Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip3.tmp\zip3.tmp has been deleted.


  Number of clean files: 167554
  Number of infected files: 3
  Number of files deleted: 3


For some reason, the Avast programs (Home or Virus Cleaner) did not find the above.


It's Sunday - 4/4/04 - 3:46 AM PST (California, U.S.A. time) and I've worked on this virus issue all through Saturday... so I'm exhausted and ready to get some shut-eye (sleep!)...

Thank you for all your responses... I will get back tomorrow after further 3rd party virus scan tests.

Thanks again!

Alan   :)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9362
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #10 on: April 04, 2004, 12:58:13 PM »
Hehe shgoh ;)

@abrandt
To check avast! program version right click on "a" ball next to the clock and select About avast!...

Search for the same text as the one highlighted on my picture.
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #11 on: April 04, 2004, 04:14:20 PM »
> I sent an email to my domain registrar because this is how I was originally informed that I was under virus attack and I just received this:
>
> V I R U S  A L E R T
> Our viruschecker found the
> W32/Bagle.n@MM
>
> virus in your email to the following recipient:
> -> inforegistrydomains
> Delivery of the email was stopped!
>
> Please check your system for viruses, or ask your system administrator to do so.
>
> ---------------------------------
>
> So it appears that neither Avast Home nor Virus Cleaner has managed to clean this virus up.

I'm not so sure... This is a common behavior: a virus 'stole' your email information to be sent over the Internet. Your ISP catches you like the one who is spreading the virus but, in fact, you were innocent. See http://forum.avast.com/index.php?board=1;action=display;threadid=3676#bot

I won't worry too much about that. It's a virus trick. You were not infected and do not send that infected email.

Anyway, you can choose on-line scanning to be sure.  :D
The best things in life are free.

Offline techie101returns

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1900
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #12 on: April 04, 2004, 05:43:31 PM »
abrandt,

Please check the settings of your On Access Protection Console/Internet Mail/SMTP.

Make sure that there is a check next to "Scan outbound mail" and more importantly.....that there is NO check next to "Allow sending of infected email".

As Technical stated, a worm usually "traps" your address book from your email client and resends an email containing the virus.

Sometimes a "Warning: Virus found" in the subject of an email could very well be an infected email!

It is a form of spoofing to fool users into opening up infected email and files.

Avast most certainly would have caught the viri, and the Cleaner would have easily removed them......providing that you have the latest program and DB updates which you seem to have.

Run a full Avast scan with "Archive" and "Thorough" scanning set.  If nothing shows up, then I would relax.

Techie
« Last Edit: April 04, 2004, 05:44:43 PM by Techie101 »

Offline gtaillandier

  • Full Member
  • ***
  • Posts: 167
  • I'm a llama!
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #13 on: April 04, 2004, 08:36:56 PM »
I have Avast 4.1.369 French version and I just have one question:

- Several times I've got e-mails with Netsky virus. Avast has detected it but it was impossible to repair the e-mail.

Solution: delete it or move it to quarantine.

Can someone tell me why it was impossible to repair?

Thx for your help

Offline abrandt

  • Newbie
  • *
  • Posts: 9
Re:EMAIL VIRUS NOT SUCCESSFULLY REMOVED
« Reply #14 on: April 04, 2004, 08:53:36 PM »
Hello all,

1.  I have attached a .gif image of About avast!:  4.1 Home edition

2.  I went to  http://www.security-ops.tk/ as recommended by RejZoR and used the BitDefender Online-Scan which found the following:   Win32.Bagle.J@mm  Win32.Bagle.M@mm   Win32.Netsky.P@mm  :'(  (See results in next response.)

3.  NEXT... I am going to follow Techie101's instructions re: AVAST configuration... and then I'll get back and report + I'm going to run the Panda ActiveScan at http://www.security-ops.tk/

Your assistance is very much appreciated!  :D

(Please see page 2 for PART 2)

I'll be baaack!

Alan
« Last Edit: April 04, 2004, 09:09:39 PM by abrandt »