I just started using Avast today after finding my HDD was infected with Win32.HLLM.Beagle.based and Win32.HLLM.Netsky.35328.
I briefly ran a virus scan from eAnthology Stop Virus Scanner (scanned only 1898 of 102,000+ files) after running AVAST and here are just (2) lines from its report:
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:Document.pif - Wed, 10 Mar 2004 13:17:33 -0500 - Notify about using the e-mail account. is infected with Win32.HLLM.Beagle.based
D:\Internet Data\Mozilla\Profiles\Test-3\42c6ufv6.slt\Mail\mail.etheric-broadband.info\Inbox:message.scr - Sat, 3 Apr 2004 13:50:27 -0800 - Mail Delivery (failure 3d125d8d.9010401@biz-solutions.us) is infected with Win32.HLLM.Netsky.35328
Also STOP reported:
Possible Spyware Scan Details:
Stop-Sign has found files belonging to IPInsight, which has been independently identified as Spyware, or possible Spyware
Stop-Sign has found files belonging to CustomToolbar Software, which has been independently identified as Spyware, or possible Spyware
OS: W2K Pro
AVEST: 0404-0.04/02
VPS: 0404-0, 02/04/2004
CONFIG: Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET: Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla
Can anyone please recommend how to best proceed with AVAST to successfully clean-up this scourge?
Lastly as a great defense, download and install these which work fantastically as a pair. They are “set and forget” utilities:
SpywareBlaster (make sure you get version 3.0, the latest) and SpywareGuard 2.2: www.wilders.org, listed under Free Tools.
Any further difficulty, come back and let me know.
I did run Avast Virus Cleaner, however if found nothing:
4/3/2004, 10:48:02 PM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (10.1s).
Files scanning started…
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat… file could not be scanned!
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat… file could not be scanned! No virus body found.
Files scanning finished (55251 files, 0 infected, 586.0s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:
NEXT… I sent an email to my domain registrar because this is how I was originally informed that I was under virus attack and I just received this:
V I R U S A L E R T
Our viruschecker found the
W32/Bagle.n@MM
virus in your email to the following recipient:
- inforegistrydomains
Delivery of the email was stopped!
Please check your system for viruses, or ask your system administrator to do so.
So it appears that neither Avast Home or Virus Cleaner has managed to clean this virus up.
NEXT, I will follow Techie101’s recommendations (Sunday afternoon, California time)
What’s your avast! version? Is it 4.1.357? Previous version had some problems with removing of attachments (at least on my machine), but 357 quarantined each and every infected attachment without a problem.
The version should be the latest since I downloaded it 4/2/04. For some reason, Avast is apparently not seeing the virus on my machine. Don’t know why.
As posted above
OS: W2K Pro
AVEST: 0404-0.04/02
VPS: 0404-0, 02/04/2004
CONFIG: Intel Pentium III 800 MHz, 512 MB SDRAM
INTERNET: Terrestrial Microwave - use Belkin F5D5231-4 v.1103 router
EMAIL CL: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Mozilla
I ran the McAfee Stinger program from above and here are its results:
McAfee AVERT Stinger Version 2.1.8 built on Mar 29 2004
Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Mar 29 2004.
Ready to scan for 42 viruses, trojans and variants.
Scan initiated on Sun Apr 04 03:18:39 2004
E:\WINNT\zip1.tmp\zip1.tmp
Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip1.tmp\zip1.tmp has been deleted.
E:\WINNT\zip2.tmp\zip2.tmp
Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip2.tmp\zip2.tmp has been deleted.
E:\WINNT\zip3.tmp\zip3.tmp
Found the W32/Netsky.p@MM!zip virus !!!
E:\WINNT\zip3.tmp\zip3.tmp has been deleted.
Number of clean files: 167554
Number of infected files: 3
Number of files deleted: 3
For some reason, the Avast programs (Home or Virus Cleaner) did not find the above.
It’s Sunday - 4/4/04 - 3:46 AM PST (California, U.S.A. time) and I’ve worked on this virus issue all through Saturday… so I’m exhausted and ready to get some shut-eye (sleep!)…
Thank you for all your responses… I will get back tomorrow after further 3rd party virus scan tests.
I’m not so sure… This is a common behavior: a virus “stole” your email information to be sent over the Internet. Your ISP catches you like the one who is spreading the virus but, in fact, you were innocent. See http://forum.avast.com/index.php?board=1;action=display;threadid=3676#bot
I won’t worry too much about that. It’s a virus trick. You were not infected and do not send that infected email.
Anyway, you can choose on-line scanning to be sure.
Please check the settings of your On Access Protection Console/Internet Mail/SMTP.
Make sure that there is a check next to “Scan outbound mail” and more importantly… that there is NO check next to “Allow sending of infected email”.
As Technical stated, a worm usually “traps” your address book from your email client and resends an email containing the virus.
Sometimes a “Warning: Virus found” in the subject of an email could very well be an infected email!
It is a form of spoofing to fool users into opening up infected email and files.
Avast most certainly would have caught the viri, and the Cleaner would have easily removed them… providing that you have the latest program and DB updates which you seem to have.
Run a full Avast scan with āArchiveā and āThoroughā scanning set. If nothing shows up, then I would relax.
I have attached a .gif image of About avast!: 4.1 Home edition
I went to http://www.security-ops.tk/ as recommended by RejZoR and used the BitDefender Online-Scan which found the following: Win32.Bagle.J@mm Win32.Bagle.M@mm Win32.Netsky.P@mm (See results in next response.)
NEXT… I am going to follow Techie101’s instructions re: AVAST configuration… and then I’ll get back and report + I’m going to run the Panda ActiveScan at http://www.security-ops.tk/
4/4/2004, 1:32:15 PM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (7.6s).
Files scanning started…
E:\Documents and Settings\Alan Brandt\Application Data\Powermarks\pm.cache… file could not be scanned!
E:\WINNT\system32\Perflib_Perfdata_394.dat… file could not be scanned!
L:\dllcache\tridkb.dll… file could not be scanned!
No virus body found.
Files scanning finished (55046 files, 0 infected, 612.5s).
Drives scanned: C: D: E: F: G: H: I: J: K: L: M: N: P:
…
NEXT I ran AdvancedForce DrWeb Anti-Virus Workstations a total of 3 times each to find - 0 - viri.
I have looked and it is LOADED with potter… brit… how to hack new… harry potter… 1001 sex and more.rtf…
McAfee Stinger has failed.
I’m thinking about trying some of the individual tools available at www.nod32.ch/download/tools.stm recommended by Techie101.
Any further ideas would be greatly appreciated… I’ve been working on this virus attack for over 18 hours now!!! :-[
Keep at it. We’ll get rid of the little buggers!
Have you disabled System Restore function?
If not, do so. Reboot and try the utilities I mentioned.
Sometimes, a removal tool from one vendor works and another doesn’t.
From the log info you provided, I do not see why the Avast Cleaner did not remove the virus UNLESS the files are password protected by Mozilla.
Also, from the paths quoted, it seems that the viri are contained in the body of the emails.
Have you tried deleting all the old mail? Rebooting.
If you do not remove the infected mail, the virus will continue to propagate.
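The infected items reported above live inside Mozilla's single Inbox mbox file (which is why the scanner names them as Inbox:Document.pif and Inbox:message.scr), so a file-level cleaner can only quarantine the whole mailbox or nothing. As an added example that is not part of this thread or of any product mentioned in it, the following Python script opens an mbox folder, lists each message that carries an attachment with a risky extension, and so lets the user pick the messages to delete instead of throwing away all old mail. The sample messages, the temporary mailbox path and the extension list are constructed for the demo.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Extensions the mass mailers in this thread used (.pif, .scr, .zip), plus a few
# other executable types; the set is an assumption for the demo, extend it to taste.
RISKY_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".zip"}


def build_sample_mbox(path):
    """Write a constructed mbox (Mozilla stores each folder as one mbox file)
    holding one harmless message and two that carry executable attachments."""
    box = mailbox.mbox(path)
    try:
        plain = EmailMessage()
        plain["From"] = "friend@example.org"
        plain["To"] = "user@example.org"
        plain["Subject"] = "Lunch?"
        plain.set_content("See you at noon.")
        box.add(plain)

        # Constructed look-alike of the "Notify about using the e-mail account." lure
        lure = EmailMessage()
        lure["From"] = "admin@example.org"
        lure["To"] = "user@example.org"
        lure["Subject"] = "Notify about using the e-mail account."
        lure.set_content("Your account will be locked, see the attached document.")
        lure.add_attachment(b"placeholder bytes, not a real program",
                            maintype="application", subtype="octet-stream",
                            filename="Document.pif")
        box.add(lure)

        # Constructed look-alike of the fake "Mail Delivery (failure ...)" bounce
        bounce = EmailMessage()
        bounce["From"] = "postmaster@example.org"
        bounce["To"] = "user@example.org"
        bounce["Subject"] = "Mail Delivery (failure user@example.org)"
        bounce.set_content("The message could not be delivered, see attachment.")
        bounce.add_attachment(b"placeholder bytes, not a real program",
                              maintype="application", subtype="octet-stream",
                              filename="message.scr")
        box.add(bounce)
    finally:
        box.close()  # flushes the "From " separators and bodies to disk


def find_risky_attachments(mbox_path):
    """Return (message_index, subject, filename) for every attachment whose
    file extension is in RISKY_EXTENSIONS; multipart containers are skipped."""
    findings = []
    box = mailbox.mbox(mbox_path)
    try:
        for index, msg in enumerate(box):
            for part in msg.walk():
                if part.is_multipart():
                    continue
                name = part.get_filename()
                if not name:
                    continue
                ext = os.path.splitext(name)[1].lower()
                if ext in RISKY_EXTENSIONS:
                    findings.append((index, msg["Subject"], name))
    finally:
        box.close()
    return findings


def demo():
    """Build the sample Inbox in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        inbox = os.path.join(tmp, "Inbox")
        build_sample_mbox(inbox)
        return find_risky_attachments(inbox)


if __name__ == "__main__":
    for index, subject, name in demo():
        print(f"message #{index}: {subject!r} carries {name}")
```

To run it against a real profile, point `find_risky_attachments` at the folder file (for the thread's layout, the `Inbox` file under `...\Mail\<server>\`) with the mail client closed, then delete the flagged messages from inside the client and compact the folder so the attachment bytes actually leave the mbox file.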
This little virus attack went from bad to worse… when W2K’s winsocket2 and the printspooler became corrupted… at that point who knows what additional OS damage had been done.
PARTIAL SOLUTION: I used PowerQuest Drive Image 5.0 (now Symantec) to restore a previous image well before the virus attack… which of course has allowed me to have a clean registry… plus plenty of work to get things where they were. (I just ran a regedit for “potter” which came up empty.)
The Panda scan was the only scan that recognized the viri in my email… however there are so many negative user reviews at CNET.com, I am reluctant to use Panda… however I need to make a decision in the next several hours.
Bottom line is, the viri have not yet been either DISINFECTED or DELETED from my HDD. >:(