Many of my old OE files are showing viruses or worms. I scanned with AVG and it shows nothing. Are these false positives?
Since you provide no information it is impossible to say.
I assume this was using the simple user interface, on-demand scan?
Can you give some examples of the detections: malware name, email subject and attachment, etc.?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
How did you check them with AVG (anti-virus or anti-spyware)? I don’t know how deep AVG might go in scanning .dbx files, as they can easily be corrupted or the whole .dbx file deleted. avast should be able to extract infected emails from within the .dbx files of OE without a problem. However, you would always be advised to back up your email files (.dbx).
This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
Actually there are different kinds of results. At first it was one file called "pray for" and then a whole folder showed up as being contaminated with Iframe exploit. I could not find the file that was exactly contaminated. Not everything is Iframe exploit. I am doing the free avast general scan, no special scanning except scan everything. It could be just the deterioration of the files on a WD hard drive.
If it was important would it not spread to Windows files and other important areas like the registry or the system32 files?
Jim
I can’t be sure it won’t spread…
If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:
- Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.
- Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
- Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select archives for scanning. Boot. The other option is scanning in Safe Mode (repeatedly press F8 while booting).
- It would be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- If you are still detecting any strange behavior, or even if you’re sure you’re not clean, it may be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.
- Also, if you are still detecting strange behaviors or you want to be sure you’re clean, making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
- After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
- Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
These were sent to Avast. Could not find Win32:BadTrans-II-MIME [Wrm] information on the internet.
:CHEST_ANALYZE:<<
Virus name: HTML:Iframe Exploit
Original file location: C:\Documents and Settings\jhmac\Local Settings\Application Data\Identities\{E77FFDA9-B148-4C74-A1C4-5EC0ABCF56F4}\Microsoft\Outlook Express\Sent Items (1).dbx\Domain Names.eml#35456012
Computer name: JHMAC77-46E4C43
Transfer time: 25.07.2007 12:31:28
Modification time: 25.07.2007 16:31:30
Total size: 256697
Comment:
File ID: 45
Category: 1
OS:
Microsoft Windows XP Personal (Build 2600) Service Pack 2
Are these False Positives
:CHEST_ANALYZE:<<
Virus name: Win32:BadTrans-II-MIME [Wrm]
Original file location: C:\OE\Main Identity\OLD MAIL.dbx\Please pray-.eml#265040
Computer name: JHMAC77-46E4C43
Transfer time: 30.03.2007 15:46:18
Modification time: 30.03.2007 19:46:20
Total size: 41204
Comment:
File ID: 6
Category: 1
OS:
Microsoft Windows XP Personal (Build 2600) Service Pack 2
:CHEST_ANALYZE:<<
Virus name: Win32:Badtransii [Wrm]
Original file location: C:\d&c\Identities\old\{D9522F1F-5F44-4AFA-8579-9925B7060DE1}\Microsoft\Outlook Express\OLD MAIL.dbx\Please pray-.eml#265040\PICS.DOC.scr#3686348149
Computer name: JHMAC77-46E4C43
Transfer time: 31.03.2007 16:46:23
Modification time: 31.03.2007 20:46:24
Total size: 29020
Comment:
File ID: 9
Category: 1
OS:
Microsoft Windows XP Personal (Build 2600) Service Pack 2
Is this a False Positive
:CHEST_ANALYZE:<<
Virus name: HTML:Iframe Exploit
Original file location: C:\Documents and Settings\jhmac\Local Settings\Application Data\Identities\{D64F3534-CECD-4FB0-9660-88B432BDFDF2}\Microsoft\Outlook Express\Welcome and STW Training.dbx\Domain Names.eml#65396
Computer name: JHMAC77-46E4C43
Transfer time: 25.07.2007 12:28:46
Modification time: 25.07.2007 16:28:48
Total size: 256697
Comment:
File ID: 44
Category: 1
OS:
Microsoft Windows XP Personal (Build 2600) Service Pack 2
Are these False Positives
:CHEST_ANALYZE:<<
Virus name: Win32:Badtransii [Wrm]
Original file location: C:\Documents and Settings\jhmac77\Local Settings\Temporary Internet Files\Content.IE5\531JI7PV\PICS.DOC.scr
Computer name: JHMAC77-46E4C43
Transfer time: 23.07.2007 16:38:33
Modification time: 23.07.2007 20:37:46
Total size: 29020
Comment:
File ID: 40
Category: 1
OS:
Microsoft Windows XP Personal (Build 2600) Service Pack 2
False Positive?
Strange email name… But it is just a guess.
Strange double extension file name, indeed.
You won’t find the files as you mentioned in your previous post, primarily because you have sent them to the chest. Even if they hadn’t been sent to the chest, they are infected emails within an email folder (a special .dbx database file), for example:
C:\Documents and Settings\jhmac\Local Settings\Application Data\Identities\{E77FFDA9-B148-4C74-A1C4-5EC0ABCF56F4}\Microsoft\Outlook Express\Sent Items (1).dbx\Domain Names.eml#35456012
Don’t look for it in Explorer; open your email program and find the infected email: look in the email folder indicated (red text). Once in that folder, look for (or use the search function in OE to find) the email with the subject (blue text). Once you have found it, manually delete it and then clear the Deleted Items folder to remove it completely.
In the example above there is an anomaly: the (1) in Sent Items (1).dbx. To me that indicates that you have two .dbx files for Sent Items, Sent Items (1).dbx and possibly Sent Items.dbx; only one will be active.
You can do an Explorer search for *.dbx and that will show where all your OE .dbx files are stored; you will be able to see which Sent Items .dbx file is in use by the last modified date. The one not in use is effectively redundant.
The Badtrans-infected file you couldn’t find, PICS.DOC.scr, is in the Temporary Internet Files folder, and if you moved it to the chest there should be no way it is still there, as it is in the chest. Also, if you deleted the Temporary Internet Files from within IE, that would also clear the files, infected or otherwise.
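The two detection patterns discussed in this thread, a double-extension attachment name such as PICS.DOC.scr and an HTML mail body carrying an iframe, can be checked on exported .eml files before they are opened. The script below is an added example, not code from the thread or from avast; the two sample messages are constructed here and the extension lists are assumptions.

```python
import re
from email import policy
from email.parser import BytesParser

# Extensions Windows runs on double-click; a "document" extension placed in
# front of one of them (PICS.DOC.scr) is the disguised-attachment pattern
# flagged above. Both lists are assumptions for this example.
EXEC_EXT = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js"}
DOC_EXT = {"doc", "xls", "pdf", "txt", "jpg", "gif", "zip", "htm", "html"}
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)

def check_attachment_name(name):
    """Return a reason string if the attachment name looks disguised, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    if parts[-1] in EXEC_EXT and len(parts) >= 3 and parts[-2] in DOC_EXT:
        return f"double extension hides executable: {name}"
    if parts[-1] in EXEC_EXT:
        return f"executable attachment: {name}"
    return None

def triage_eml(raw):
    """Parse one .eml (bytes) and return a list of (subject, reason) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg.get("Subject", ""))
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and check_attachment_name(name):
            findings.append((subject, check_attachment_name(name)))
        if part.get_content_type() == "text/html" and IFRAME_RE.search(part.get_content()):
            findings.append((subject, "HTML body contains <iframe>"))
    return findings

# Constructed sample messages modelled on the subjects in the thread; the
# attachment payload is the harmless string "ABC", not a real worm.
PRAY_EML = (
    b"From: a@example.invalid\r\nSubject: Please pray-\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
    b"--XX\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--XX\r\nContent-Type: application/octet-stream; name=\"PICS.DOC.scr\"\r\n"
    b"Content-Disposition: attachment; filename=\"PICS.DOC.scr\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nQUJD\r\n--XX--\r\n"
)
DOMAIN_EML = (
    b"From: a@example.invalid\r\nSubject: Domain Names\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html\r\n\r\n<html><body>Renew now"
    b"<iframe src=\"http://example.invalid/\" width=0 height=0></iframe></body></html>\r\n"
)

if __name__ == "__main__":
    for raw in (PRAY_EML, DOMAIN_EML):
        for subject, reason in triage_eml(raw):
            print(f"{subject!r}: {reason}")
```

Point it at a folder of messages exported from OE (File > Save As on each suspect mail) to get a quick list of what avast is most likely reacting to, without relying on the Chest path alone.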