EMAIL VIRUS NOT SUCCESSFULLY REMOVED

Hello,

:frowning: I just started using Avast today after finding my HDD was infected with Win32.HLLM.Beagle.based and Win32.HLLM.Netsky.35328.

I briefly ran a virus scan from eAnthology Stop Virus Scanner (scanned only 1898 of 102,000+ files) after running AVAST and here are just (2) lines from its report:

D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:Document.pif - Wed, 10 Mar 2004 13:17:33 -0500 - Notify about using the e-mail account. is infected with Win32.HLLM.Beagle.based
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:message.scr - Sat, 3 Apr 2004 13:50:27 -0800 - Mail Delivery (failure 3d125d8d.9010401@biz-solutions.us) is infected with Win32.HLLM.Netsky.35328

Also STOP reported:
Possible Spyware Scan Details:
Stop-Sign has found files belonging to IPInsight, which has been independently identified as Spyware, or possible Spyware
Stop-Sign has found files belonging to CustomToolbar Software, which has been independently identified as Spyware, or possible Spyware

OS: W2K Pro
AVEST: 0404-0.04/02
VPS: 0404-0, 02/04/2004
CONFIG: Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET: Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla

Can anyone please recommend how to best proceed with AVAST to successfully clean-up this scourge?

Thank you in advance for a prompt response.

Alan

try stand-alone avast virus cleaner… :wink:

http://www.avast.com/i_idt_171.html

hope it helps…

shgoh,

Thank you, I'll immediately give Avast Virus Cleaner a try… and report back.

Much appreciate your prompt response. :slight_smile:

Alan

abrandt,

The Avast Virus Cleaner should work for you but you can also download virus cleaners here:
www.nod32.ch/download/tools.stm

Then download and install both of these programs to scan for and remove spyware:
Spybot: www.safer-networking.org/index.php?page=download
Adaware: www.lavasoft.de

Lastly, as a great defense, download and install these, which work fantastically as a pair. They are "set and forget" utilities:
SpywareBlaster (make sure you get version 3.0, the latest) and SpywareGuard 2.2:
www.wilders.org, listed under Free Tools.

Any further difficulty, come back and let me know.

Techie101

no worries alan… :)…and also do what techie suggested for spyware… :wink:

welcome to avast forums… awaiting your good news… ;D

Hello,

Thank you all for the follow-ups.

  1. I did run Avast Virus Cleaner, however it found nothing:

4/3/2004, 10:48:02 PM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (10.1s).

Files scanning started…
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat… file could not be scanned!
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat… file could not be scanned!
No virus body found.
Files scanning finished (55251 files, 0 infected, 586.0s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:

NEXT… I sent an email to my domain registrar because this is how I was originally informed that I was under virus attack, and I just received this:

V I R U S A L E R T
Our viruschecker found the
W32/Bagle.n@MM

virus in your email to the following recipient:
→ inforegistrydomains
Delivery of the email was stopped!

Please check your system for viruses, or ask your system administrator to do so.


So it appears that neither Avast Home or Virus Cleaner has managed to clean this virus up.

NEXT, I will follow Techie101's recommendations (Sunday afternoon, California time).

Thank you again… will get back.

Alan :slight_smile:

What's your avast! version? Is it 4.1.357? The previous version had some problems with removing attachments (at least on my machine), but 357 quarantined each and every infected attachment without a problem.

Hello RejZoR,

The version should be the latest since I downloaded it 4/2/04. For some reason, Avast is apparently not seeing the virus on my machine. Don't know why.

As posted above

OS: W2K Pro
AVEST: 0404-0.04/02
VPS: 0404-0, 02/04/2004

CONFIG: Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET: Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla

Thank you,

Alan

hi alan…

don't worry…we people here will try our very best to help you out… :slight_smile:

but then maybe you can confirm whether avast really misses the virus on your system by doing some online scanning to verify… :wink:

try the site out…

http://www.security-ops.tk/

courtesy of rezjor… ;D

awaiting your good news…

Hello all,

  1. shgoh - Thank you. I went to http://www.security-ops.tk/ as you recommended.

  2. Next I did a Google keyword search: "W32/Bagle.n@MM" "free"
    and found the following:

McAfee Security - Security HQ … March 13, 2004 – Due to increasing prevalence the risk assessment for W32/Bagle.n@MM has been … mail in these days you have to configure our free auto-forwarding …
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=101095
http://vil.nai.com/vil/stinger/

I ran the McAfee Stinger program from above and here are its results:

McAfee AVERT Stinger Version 2.1.8 built on Mar 29 2004
Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Mar 29 2004.
Ready to scan for 42 viruses, trojans and variants.

Scan initiated on Sun Apr 04 03:18:39 2004
E:\WINNT\zip1.tmp\zip1.tmp

 Found the W32/Netsky.p@MM!zip virus !!!

E:\WINNT\zip1.tmp\zip1.tmp has been deleted.
E:\WINNT\zip2.tmp\zip2.tmp
Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip2.tmp\zip2.tmp has been deleted.
E:\WINNT\zip3.tmp\zip3.tmp
Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip3.tmp\zip3.tmp has been deleted.

Number of clean files: 167554
Number of infected files: 3
Number of files deleted: 3

For some reason, the Avast programs (Home or Virus Cleaner) did not find the above.

It's Sunday - 4/4/04 - 3:46 AM PST (California, U.S.A. time) and I've worked on this virus issue all through Saturday… so I'm exhausted and ready to get some shut-eye (sleep!)…

Thank you for all your responses… I will get back tomorrow after further 3rd party virus scan tests.

Thanks again!

Alan :slight_smile:

Hehe shgoh :wink:

@abrandt
To check the avast! program version, right click on the "a" ball next to the clock and select About avast!..

Search for the same text as the one highlighted on my picture.

I'm not so sure… This is a common behavior: a virus 'stole' your email information to be sent over the Internet. Your ISP catches you as the one who is spreading the virus but, in fact, you were innocent. See http://forum.avast.com/index.php?board=1;action=display;threadid=3676#bot

I wouldn't worry too much about that. It's a virus trick. You were not infected and did not send that infected email.

Anyway, you can choose on-line scanning to be sure. :smiley:

abrandt,

Please check the settings of your On Access Protection Console/Internet Mail/SMTP.

Make sure that there is a check next to "Scan outbound mail" and, more importantly… that there is NO check next to "Allow sending of infected email".

As Technical stated, a worm usually "traps" your address book from your email client and resends an email containing the virus.

Sometimes a "Warning: Virus found" in the subject of an email could very well be an infected email!

It is a form of spoofing to fool users into opening up infected email and files.

Avast most certainly would have caught the viri, and the Cleaner would have easily removed them… providing that you have the latest program and DB updates, which you seem to have.

Run a full Avast scan with "Archive" and "Thorough" scanning set. If nothing shows up, then I would relax.

Techie

I have Avast 4.1.369 French version and I just have one question:

  • several times I've got e-mails with the Netsky virus. Avast has detected it but it was impossible to repair the e-mail.

Solution: delete it or move it to quarantine.

Can someone tell me why it was impossible to repair ?

Thx for your help

Hello all,

  1. I have attached a .gif image of About avast!: 4.1 Home edition

  2. I went to http://www.security-ops.tk/ as recommended by RejZoR and used the BitDefender Online-Scan which found the following: Win32.Bagle.J@mm Win32.Bagle.M@mm Win32.Netsky.P@mm :cry: (See results in next response.)

  3. NEXT… I am going to follow Techie101's instructions re: AVAST configuration… and then I'll get back and report + I'm going to run the Panda ActiveScan at http://www.security-ops.tk/

Your assistance is very much appreciated! :smiley:

(Please see page 2 for PART 2)

I'll be baaack!

Alan

PART-2 (Results were "too long"… so here's an edited version:)

Infection appears to be centered in my email client: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla

Scanned Finished. Scanned Objects: 74272 Infected Objects: 121 Time: 06:39:52

D:\Internet Data\Mozilla\Profiles\Test-2\xez7f4km.slt\Mail\pop.biz-solutions.us\Sent=>(message 649) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 42)=>[Subject: Notify about using the e-mail account.][Date: Wed, 10 Mar 2004 13:17:33 -0500]=>(MIME part)=>Document.pif infected: Win32.Bagle.J@mm
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 337)=>[Subject: E-mail technical support message.][Date: Fri, 02 Apr 2004 15:39:32 -0600]=>(MIME part)=>Attach.pif=>(Upx) infected: Win32.Bagle.M@mm
Apr 2004 17:23:02 -0500]=>(MIME part)=>(MIME part)=>(message body) suspect: Exploit.Iframe.Vulnerability
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox=>(message 341)=>[Subject: Mail Delivery (failure peo_abrandt@biz][Date: Fri, 2 Apr 2004 17:23:02 -0500]=>(MIME part)=>message.scr infected: Win32.Netsky.P@mm

Hello,

So far everything has FAILED to remove Win32.Bagle.J@mm Win32.Bagle.M@mm Win32.Netsky.P@mm.

I have run AVAST Home or Virus Cleaner a total of 3 times each to find - 0 - viri:

Creating log file: H:\Downloads\Tests\Avast\aswclnr_1.0.178_build2.4.2004.log

4/4/2004, 1:32:15 PM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (7.6s).

Files scanning started…
E:\Documents and Settings\Alan Brandt\Application Data\Powermarks\pm.cache… file could not be scanned!
E:\WINNT\system32\Perflib_Perfdata_394.dat… file could not be scanned!
L:\dllcache\tridkb.dll… file could not be scanned!
No virus body found.
Files scanning finished (55046 files, 0 infected, 612.5s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:
…

NEXT I ran AdvancedForce DrWeb Anti-Virus Workstations a total of 3 times each to find - 0 - viri.

I have looked and it is LOADED with potter… brit… how to hack new… harry potter… 1001 sex and more.rtf…

McAfee Stinger has failed.

I'm thinking about trying some of the individual tools available at www.nod32.ch/download/tools.stm recommended by Techie101.

Any further ideas would be greatly appreciated… I've been working on this virus attack for over 18 hours now!!! :-[

HELP!!!

Thank you so much!

Alan >:(

abrandt,

Keep at it. We'll get rid of the little buggers!

Have you disabled System Restore function?
If not, do so. Reboot and try the utilities I mentioned.

Sometimes, a removal tool from one vendor works and another doesn't.

From the log info you provided, I do not see why the Avast Cleaner did not remove the virus UNLESS the files are password protected by Mozilla.
Also, from the paths quoted, it seems that the viri are contained in the body of the emails.
Have you tried deleting all the old mail? Rebooting.
If you do not remove the infected mail, the virus will continue to propagate.

Techie
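The mailbox-side check that Techie101's advice implies, as an added example that is not from the thread or from avast: the Python below parses an mbox-format store (the layout of a Mozilla Inbox file), decodes every MIME part and reports attachments with executable extensions such as the .pif and .scr names in the logs above, giving message index, subject, date and SHA-256 so the message can be located and deleted and the hash checked against a vendor's list. The sample mbox, its addresses and the attachment bytes are constructed placeholders.

```python
import base64
import hashlib
import mailbox
import os
import tempfile

# Attachment extensions treated as executable; .pif and .scr are the two seen in the scan logs.
RISKY_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

def find_risky_attachments(mbox_path):
    """Walk every message in an mbox store and report executable attachments."""
    findings = []
    for index, msg in enumerate(mailbox.mbox(mbox_path)):
        for part in msg.walk():
            name = part.get_filename()
            if not name or os.path.splitext(name.lower())[1] not in RISKY_EXTENSIONS:
                continue
            payload = part.get_payload(decode=True) or b""  # undoes the base64 transfer encoding
            findings.append({"message": index, "subject": msg["Subject"], "date": msg["Date"],
                             "filename": name, "size": len(payload),
                             "sha256": hashlib.sha256(payload).hexdigest()})
    return findings

# Constructed sample data: the "attachment" is harmless placeholder text, not a real program.
ATTACHMENT_BYTES = b"placeholder bytes standing in for Document.pif"

def write_sample_mbox():
    """Write a two-message mbox (one clean, one carrying a .pif attachment) and return its path."""
    encoded = base64.b64encode(ATTACHMENT_BYTES)
    body = (
        b"From sender@example.test Wed Mar 10 12:00:00 2004\n"
        b"From: sender@example.test\nSubject: Monthly newsletter\n"
        b"Date: Wed, 10 Mar 2004 12:00:00 -0500\nContent-Type: text/plain\n\n"
        b"Nothing attached here.\n\n"
        b"From other@example.test Wed Mar 10 13:17:33 2004\n"
        b"From: other@example.test\nSubject: Notify about using the e-mail account.\n"
        b"Date: Wed, 10 Mar 2004 13:17:33 -0500\nMIME-Version: 1.0\n"
        b'Content-Type: multipart/mixed; boundary="b1"\n\n'
        b"--b1\nContent-Type: text/plain\n\nSee attached.\n"
        b'--b1\nContent-Type: application/octet-stream; name="Document.pif"\nContent-Transfer-Encoding: base64\n'
        b'Content-Disposition: attachment; filename="Document.pif"\n\n' + encoded + b"\n--b1--\n"
    )
    with tempfile.NamedTemporaryFile(delete=False, suffix=".mbox") as fh:
        fh.write(body)
    return fh.name

if __name__ == "__main__":
    for hit in find_risky_attachments(write_sample_mbox()):
        print(hit)
```

Pointing it at a real profile's Inbox file is read-only; the message index it prints is the position in the store, which is what you need when deciding which old mail to delete and compact.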

Hello Techie101,

Thank you for your follow-up. :slight_smile:

This little virus attack went from bad to worse :cry: … when W2K's winsocket2 and the printspooler became corrupted… at that point who knows what additional OS damage had been done.

PARTIAL SOLUTION: I used PowerQuest Drive Image 5.0 (now Symantec) to restore a previous image well before the virus attack… which of course has allowed me to have a clean registry… plus plenty of work to get things where they were. (I just ran a regedit for "potter" which came up empty.)

The Panda scan was the only scan that recognized the viri in my email… however there are so many negative user reviews at CNET.com, I am reluctant to use Panda… however I need to make a decision in the next several hours.

Bottom line is, the viri have not yet been either DISINFECTED or DELETED from my HDD. >:(

Any help would be appreciated!

Thank you,
Alan

Alan,

Ok, I know about the Panda user comments.

Try Housecall from Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp

Have you tried the individual tools that I recommended earlier?

Let me know. I will be online for the night either on the Avast Home/Pro; General boards or Moderating the Off Topic board.

Techie