My first email virus - please help!

Hi,

After I logged on this morning avast! notified me that a virus had been found in an email and I selected the ‘delete’ option.

When I looked at the email in Outlook Express there was a text insert saying:

avast! Antivirus: Inbound message INFECTED:
\message.scr (Win32:Netsky-P [Wrm]) was deleted from the message.

This was my first alarm (other than iframe warnings) and I was very pleased at how avast! had performed!

About 20 minutes later Outlook Express began downloading emails again while I was using Opera. A yellow and red box appeared at the bottom of the screen, but because I was barely awake, I didn’t have time to read it before it disappeared.

I went to Outlook Express and the exact same email as before had been downloaded only this time the avast! insert said:

avast! Antivirus: Inbound message INFECTED:
\message.scr (Win32:Netsky-P [Wrm]) was (BEWARE!!!) left intact in the message.

(the email came from MSN via avast! to spamihilator to OE)

I tried to look at the log but my log viewer doesn’t work so I ‘manually’ went to:

C:\Program Files\Alwil Software\Avast4\DATA\log

and clicked on the ‘warning’ text document which has this entry:

14/08/2004 05:34:51 1092458091 NT AUTHORITY\SYSTEM 1376 Sign of “Win32:Netsky-P [Wrm]” has been found in “C:\DOCUME~1\JOHNRO~1\LOCALS~1\Temp\_avast4_\unp126663452\PartNo_2\message.scr” file.

I eventually found my way to

C:\Documents and Settings\John Robert\Local Settings\Temp\_avast4_

and though there are two 1k files there, neither of them is ‘unp126663452’!

Also, after finding my way to

C:\Documents and Settings\John Robert\Local Settings\Temp

and before clicking on the avast4 folder, I noticed an icon saying ‘avclear4’ which apparently is an ‘MFC Application’ - can anyone tell me what it’s doing there, what it does, and when should I use it please?

I would be grateful if anyone could help me dispel my confusion over any of the above :)

I’m now off for a cycle ride around town (Dover, UK) and along the seafront to try and clear the cobwebs away!

John Latter

Hi John,

I went to Outlook Express and the exact same email as before had been downloaded only this time the avast! insert said:

avast! Antivirus: Inbound message INFECTED:
\message.scr (Win32:Netsky-P [Wrm]) was (BEWARE!!!) left intact in the message.


It would appear that you clicked the wrong button instead of clicking the delete option; that would be why avast has branded it with the BEWARE text.

If you know what email it is/was, delete it within your email program and clear the deleted items folder in your email program after you have done that. Clear your temporary internet files.

I eventually found my way to C:\Documents and Settings\John Robert\Local Settings\Temp\_avast4_ and though there are two 1k files there, neither of them is 'unp126663452'!

Also, after finding my way to
C:\Documents and Settings\John Robert\Local Settings\Temp

and before clicking on the avast4 folder, I noticed an icon saying ‘avclear4’ which apparently is an ‘MFC Application’ - can anyone tell me what it’s doing there, what it does, and when should I use it please?

  1. The files in the \Temp\_avast4_ folder are temporary and can be deleted.

  2. The log file records actual findings and actions taken; if that message related to the one you deleted, then that file and the unp126663452 temporary file with it.

If things go ok the unp (unpacked files) in that temporary folder should be deleted, although there are times that they are left behind.

  3. The avclear4.exe (there should be an avast icon on display also) file is, I believe, transferred there when you schedule a boot scan using RejZor’s Avast External Control tool or the avast program’s ‘schedule boot scan’ option. The avclear4.exe is sitting in my \Local Settings\Temp folder as well as a lot of files beginning with the ~; these can be deleted also (the only exception to that is for the ones created on today’s date, as they may be in use).

I think you have little to worry about, but for peace of mind I would suggest you schedule a boot scan to confirm you are clear.

HTH David
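
For readers who want to run the check described above (which unpacked `unp…` folders named in the warning log are still on disk), here is an added example that is not part of the original thread or of avast! itself. The field layout (local date/time, Unix epoch, account, a numeric id, message) is an assumption read off the one entry quoted in the thread, and the sample text and both function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample: the entry quoted in the thread (temp path written as
# Temp\_avast4_, straight quotes) plus one made-up non-detection line.
SAMPLE_LOG = r'''
14/08/2004 05:34:51 1092458091 NT AUTHORITY\SYSTEM 1376 Sign of "Win32:Netsky-P [Wrm]" has been found in "C:\DOCUME~1\JOHNRO~1\LOCALS~1\Temp\_avast4_\unp126663452\PartNo_2\message.scr" file.
14/08/2004 05:40:02 1092458402 NT AUTHORITY\SYSTEM 1376 Some other warning text.
'''

# Assumed layout: date, time, epoch, account, numeric id, then free text.
# Straight and curly quotes are both accepted around the name and the path.
ENTRY = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<epoch>\d+) '
    r'(?P<account>.+?) (?P<id>\d+) Sign of ["“](?P<sig>[^"”]+)["”] '
    r'has been found in ["“](?P<path>[^"”]+)["”] file\.$')

def parse_detections(text):
    """Return one dict per 'Sign of ... has been found in ...' entry."""
    found = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank line or some other kind of log entry
        path = PureWindowsPath(m['path'])
        # The unpack folder is the path component named unp<digits>.
        unpack = next((p for p in path.parts if re.fullmatch(r'unp\d+', p)), None)
        found.append({
            'utc': datetime.fromtimestamp(int(m['epoch']), tz=timezone.utc),
            'signature': m['sig'],
            'file': path.name,
            'unpack_dir': unpack,
            'in_avast_temp': '_avast4_' in path.parts,
        })
    return found

def leftover_unpack_dirs(detections, existing_names):
    """Unpack folders named in the log that are still present on disk.

    existing_names is the set of entry names currently in Temp\\_avast4_,
    for example set(os.listdir(...)) on the affected machine.
    """
    return sorted({d['unpack_dir'] for d in detections
                   if d['unpack_dir'] in existing_names})
```

An empty result from `leftover_unpack_dirs` means the unpacked copy named in the log is no longer in the temporary folder.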

Thanks David - your post is both clear and informative! :)

I’ve deleted the temporary files & scheduled the scan, hopefully all will go well ('s amazingly difficult to type with crossed gerfins…)

John