Email Trojans and worms detected by Kaspersky Online scanner 7.0

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by clayidus, Jun 17, 2008.

  1. clayidus

    clayidus Private E-2

    Hi,

    I performed a scan with Kaspersky On-line scanner ver. 7.0 yesterday, and it showed that both my email archives (the first four entries in the Kaspersky Online scanner log report attached below) and my current Email Store Folder (the last entry, F:\OutlookExpressMailsNew2008\Inbox.dbx, in the log) have been infected.


    I had upgraded to Windows XP SP3 about a month ago, after which I noticed warnings from SpySweeper (one warning from SpySweeper) and Spybot S&D (multiple times) about changes in my Home page and Search page (using IE 7.0). I have turned off TeaTimer recently, because of the multiple warnings. Otherwise, my PC seems to be running fine.


    Unfortunately, the Kaspersky log does not refer to the exact email which has been infected, and refers to the general location of the infection.
    (I have 4 drives on the HDD, named C, D, E & F.) Also, I had performed a scan with Kaspersky On-line scanner ver. 5.0 about 10 days ago, and the email infections were not detected at that time.

    I have tried to follow the instructions in the Malware removal guide, to the best of my ability, but may have committed some errors.
    I am currently using SpySweeper in real-time, both for its Anti-Spyware and
    Anti-virus capabilities, and also using Spybot S&D and the ZoneAlarm Firewall.

    Any suggestions on removing the infections are welcome. I was thinking of using a trial version of KAV 7.0, as I can buy the paid version at a greatly discounted price from my Indian ISP.
    But I have read that KAV 7.0 and ZoneAlarm are not compatible, as per:
    http://support.kaspersky.com/faq/?qid=208279367 .
    Also, I ran the Kaspersky GetSystemInfo tool and the results showed a potential incompatibility between KAV products, SpySweeper, SUPERAntiSpyware and ZoneAlarm.

    I tried to run Panda ActiveScan, but was unable to run it properly (? since I was unable to uninstall the previous version of Panda ActiveScan).

    Should I try to run another Anti-virus program (other than KAV 7.0), either a Free or a Trial version?
    Should I run any other On-line scan from another vendor?

    But I am grateful to MajorGeeks and their volunteers for their malware guide and other tips, including "Running Kaspersky Online Scanner", as in:
    http://forums.majorgeeks.com/showthread.php?t=84939.

    I am attaching the SAS log and the Malwarebytes Anti-Malware log. The Malwarebytes log shows a false positive? - as per:
    http://www.malwarebytes.org/forums/index.php?showtopic=4831
     

    Attached Files:

  2. clayidus

    clayidus Private E-2

    Hi,
    I am attaching ComboFix.txt and MGLogs.zip.
    Sorry for the long post.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi clayidus,
    Welcome to Major Geeks!

    Email worms are tricky because of some probably political reasons. The easiest way to get rid of them is to locate the file that's infected, put it into the email trash, empty the email trash, run CCleaner and then compress the trash folder in the Email program. The tricky part is identifying where it is. I want you to run a scan that's helpful, but I also want to tell you that you have more malware than just the email worm on your computer, so while I have you do a further scan, I will set up some instructions on the basis of the logs you've posted so far.

    Please go to Running BitDefender Online Scan and follow the instructions carefully so that you will get a log we can use. This scan is lengthy (around 1-6 hours depending on how extensive your drives are and whether you use dialup or not) and you have to use Internet Explorer with Active X enabled for it. In addition to checking your archived files, it also gives a good report on your restore points. It also gives information that could be helpful in identifying which email is the problem.

    The log you'll get will be in html, which is okay. You store the information as a .txt file and we revert it back to html so we can read it. This is clarified in the instructions.

    Be sure that Spybot's Teatimer is disabled!!

    Let me know how this goes.
    abri
     
    Last edited: Jun 18, 2008
  4. abri

    abri MajorGeek

    Hi clayidus,

    Please continue as follows:



    1) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
    O23 - Service: ASNPOEUJRCE - Unknown owner - C:\DOCUME~1\DRSANJ~1\LOCALS~1\Temp\ASNPOEUJRCE.exe (file missing)

    Do you know about a program on your computer by omnovia? possibly to block ads in an online email account? If not, please fix this item as well.

    O16 - DPF: {EFAB8D1F-794A-4C47-B834-53653E05A441} (VNCViewer Class) -


    Do the following programs need to load at startup? If not, please fix them.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    Does the following program need to be in your trusted zone? If not, please fix it as well.

    O15 - Trusted Zone: http://*.secunia.com

    After you click fix, just close hijackthis.

    4) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    ASNPOEUJRCE
    
    FILE::
    C:\DOCUME~1\DRSANJ~1\LOCALS~1\Temp\ASNPOEUJRCE.exe
    C:\WINDOWS\system32\winlog.exe
    
    REGISTRY::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "key2"=-
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    5) Now run CCleaner at the default setting with the Windows tab as the top one.


    6) When you've completed the above, please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter IPRIP and post back with the results in this thread (call it regsrch.txt).


    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now?

    abri
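    As an added illustration, not part of abri's post or of any MajorGeeks tool: a small Python triage over the HijackThis entries listed above, applying the same reading of the log the instructions use (orphaned "(no file)"/"(file missing)" entries and anything launched from a Temp folder can be fixed outright; startup programs, Trusted Zone sites and ActiveX controls need a human decision). The sample log lines are constructed from this post, and the rules are an assumption about how a helper reads such a log, not HijackThis's own logic.

```python
import re

# Constructed sample: the HijackThis entries abri lists in the post above,
# laid out as they appear in a HijackThis log.
SAMPLE_HJT = r"""
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O15 - Trusted Zone: http://*.secunia.com
O16 - DPF: {EFAB8D1F-794A-4C47-B834-53653E05A441} (VNCViewer Class) -
O23 - Service: ASNPOEUJRCE - Unknown owner - C:\DOCUME~1\DRSANJ~1\LOCALS~1\Temp\ASNPOEUJRCE.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# An O4 body looks like:  HKCU\..\Run: [value name] C:\path\to\program.exe
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def classify(section, body):
    """Return (verdict, reason) for one HijackThis entry.

    'fix'    -> removing the entry loses nothing: it points at a file that is
                gone, or at a program run out of a temporary directory
    'review' -> a person has to decide whether the entry is wanted
    """
    if "(no file)" in body or "(file missing)" in body:
        return "fix", "orphaned entry: the file it points to no longer exists"
    if TEMP_RE.search(body):
        return "fix", "program launched from a temporary directory"
    if section == "O15":
        return "review", "Trusted Zone site gets relaxed IE security settings"
    if section == "O16":
        return "review", "ActiveX control in Downloaded Program Files; keep only if you installed it knowingly"
    if section == "O23" and "Unknown owner" in body:
        return "review", "service with no recorded owner; verify the file before keeping it"
    if section == "O4":
        return "review", "startup program; fix it if it does not need to load at boot"
    return "review", "no rule matched"


def triage(log_text):
    """Parse HijackThis lines into findings: section, value name, path, verdict, reason."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        name, path = "", ""
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                hive, key, value_name, path = o4.groups()
                path = path.strip().strip('"')
                name = f"{hive}\\{key}\\{value_name}"
        verdict, reason = classify(section, body)
        findings.append({"section": section, "name": name, "path": path,
                         "verdict": verdict, "reason": reason, "line": raw.strip()})
    return findings


def fix_list(log_text):
    """The lines a helper would ask the user to check-mark and FIX."""
    return [f["line"] for f in triage(log_text) if f["verdict"] == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['verdict']:6} {f['section']:4} {f['reason']}")
```

The O4 entry for winlog.exe comes out as "review" rather than "fix": a helper recognises that name from experience, which no rule here encodes, so the tool only narrows the list that needs a human eye.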
     
  5. clayidus

    clayidus Private E-2

    Hi,
    Abri.

    Wow, I am really impressed at the amount of work put in by you, in analysing my logs and suggesting remedial steps that I should take.
    I wanted to ask you 2 more questions.
    1. I had performed a Google search for WzToolbar. (I had noticed a file named winzip.log in the C:\ drive, about 5-6 days after I had uninstalled WinZip from my PC, and it had multiple entries referring to "WzToolBar::NotifyHandler()".)
    Then, foolishly, I had clicked on the second result in the Google search for WzToolbar, and a file started automatically downloading to my PC (? about 150 Kb in size) from that website. I tried to stop the download, but was unable to do so. A .txt file opened in Notepad, containing stuff I could not understand.

    I tried to find the file later, but was unable to locate it, and ran CCleaner to try to delete it, in temp files? But I am not sure if I downloaded something else to my PC also.
    Can you suggest to me what I should do regarding the unknown file that I downloaded?

    2. I had run an Online scan with Kaspersky On-line scanner ver. 5 about 2 months ago, and it had found suspicious emails (? infected with trojans) in locations other than the ones currently detected by Kaspersky On-line scanner 7.0 (this old scan pinpointed the exact emails in the D: partition that are suspicious). But the current Kaspersky online scan, ver. 7.0, gave a clean chit to the D: drive suspicious emails. (No infections in the D: partition; problems found only in the E: and F: partitions, and the exact infected emails are not pinpointed by Kaspersky online scanner 7.0.)

    I am attaching a log of the older scan using Kaspersky Online scanner 5.0.
    The file ssf-snr-a-setup4259_1861032175.exe/file13 in the log refers to an older trial version of SpySweeper, and has been deleted using the File Shredder bundled with Spybot S&D.

    The suspicious email files in the D: drive, detected by the old Kaspersky on-line scan, are .eml files and are accessible through Windows Explorer. I would find it difficult to follow the procedure that you have suggested:
    put it into the email trash, empty the email trash, run CCleaner and then compress the trash folder in the Email program.

    Can I just click on a particular file through Windows Explorer and press Shift + Delete, in order to delete those files securely, or use the File Shredder bundled with Spybot S&D to delete them?

    I am attaching the results of the BitDefender Online scan now. I will follow the rest of your instructions later, as it is pretty late time-wise now. (It took about
    6 hours to complete, but was well worth the time.)

    Do I need to run another on-line scan from another vendor?
    Do I need to run any Rootkit scans? And can you recommend any such Rootkit scans?

    Thank you, once again, for analysing my logs in such great detail, and advising me.
    Once again, this message has become unwieldy, and I apologise for the same.

    Thanking You,
    clayidus
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi clayidus,

    The information is what I was hoping for from BitDefender, although the log is difficult to read, because it didn't end up with its html format like it should have. Are you able to identify which emails are referred to, for instance those that were E-cards? If you know which emails these are in Windows Explorer, and they are regular files with .eml file extensions, then you can delete them. If they are part of a single file, like a dbx file, which keeps all of your emails for a certain folder of your email program, then it's more difficult to delete single emails.

    After you've deleted them, for good measure, empty your email trash. Then close any open browser windows and run CCleaner.

    Then go into Outlook Express and look in your menus for the option to compress your folders. You need to do this periodically anyway to avoid corruption of your emails.

    Let me know how this goes?
    abri
     
  7. clayidus

    clayidus Private E-2

    Hi,
    abri,

    Thanks for your reply.
    The emails on my D: partition have an .eml extension and are accessible through Windows Explorer. (I can locate a single email in the D: partition through Windows Explorer.)
    However, the emails in the E: and F: partitions (BitDefender online scan found problems only in the E: and F: partitions) are .dbx files, and I am unable to access them through Windows Explorer and also unable to find a particular email which was detected as being infected by BitDefender, e.g. I can't locate the E-card email that you have referred to.
    I tried to follow the instructions for performing the BitDefender scan, and on completion of the scan, when I selected "Click here to export scan report", I was unable to save the report in .txt format; the "Save as type" box only allowed me to save the report in .html format (unlike Kaspersky Online, which allows the user to choose between saving the report directly in .txt format or .html format).
    Later, I located the saved BitDefender report in .html format through Windows Explorer, double clicked on it to open it, and when the report opened in Internet Explorer, I clicked on File --> Save As, saved the report in .txt format, and finally uploaded the .txt report to you all as an attachment.
    But "the log is difficult to read" :( . Can you suggest any other way of posting the log that I have saved? Did I not follow instructions properly?

    Also, I had disabled 1. Sweep for viruses and 2. Virus shield in SpySweeper while performing the scan. Should I disable these options in SpySweeper whenever I perform an Online Virus scan?
    I have performed a partial repeat scan with BitDefender, and am attaching the
    logs. Can you see if this is more readable than the previous log?

    I will follow the rest of your instructions later.
    I want to thank you again for looking into my logs and for advising me.
    Yours sincerely,
    clayidus
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi clayidus,

    The BitDefender log the way you made the attachment is just right. For the work you did here, your files were set so that you could see file extensions, hidden files and system files. If these are all still visible, please do a search of your computer for YahooGroups.dbx and tell me if you find anything?

    abri
     
  9. clayidus

    clayidus Private E-2

    Hi,
    abri,

    Thanks for your reply. I can find a Yahoogroups.dbx folder in E:\OutlookExpressMail2008. It is a 369 MB file, however, and I cannot access individual mails in that folder.
    I have also developed a new problem.
    I was trying to understand the entries in my HijackThis logs. In doing so, I found that
    Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) refers to SearchAdvisor from McAfee.
    I wanted to be sure that I had uninstalled SearchAdvisor properly (and McAfee anti-virus also), and I tried to search for the uninstallation procedure on the service.mcafee website. Under Technical support, I found that they recommend a product called McAfee Virtual Technician, which can diagnose and fix many problems.
    I tried to run the Virtual Technician, but while doing so I got an error message from SpySweeper warning me that mcafee.com was trying to be added to my Trusted List. I clicked on Allow for that to happen.
    Then I got a warning from CounterSpy that a file called "Internet" wanted to be added to my Trusted zone. I clicked on "Block", and then I got a warning from SpySweeper that CounterSpy's server was trying to block an Action in the Trusted zone. I clicked on "Allow" for this action, and my PC crashed.
    Upon rebooting, I found that I had suffered a severe crash, and
    I clicked Yes to report it to MS, then clicked on the details link on the error reporting window, and automatically a page whose URL was wer.microsoft.com........................ opened.
    It said "This problem was due to a device driver ........" etc.
    However, at the top of the page there was a message "This website wants to run the following add-on 'Microsoft Data Access - Remote Data Services dat...' from Microsoft Corporation".
    I didn't click on it and instead tried to check up on the Security settings for Internet Explorer 7.0.
    I found that mcafee.com had been added to my Trusted Site list. I then clicked on Apply Default settings for the Internet Zone (I had tried to set Custom settings as per MajorGeeks recommendations before).
    I then closed IE 7.0, restarted IE 7.0, and tried to do a Google search for "Microsoft Data Access - Remote data services dat..", and found out that the message may be spurious, as per
    http://msmvps.com/blogs/hostsnews/archive/2007/09/13/can-you-spot-the-fake.aspx and other posts.

    Then the message Microsoft Data Access..... appeared again about 4 times, while opening different web sites. I tried to access the wer.microsoft.com ....................... site again, and it opened without the Microsoft Data Access ....... warning. Now the warning has stopped??
    Also, after running the McAfee Virtual Technician, I got a warning from a program called "Hacker Eliminator" (a process and Registry monitor) that Hacker Eliminator had detected a Registry change and that Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current\Version\Run
    Value: KernelFaultCheck
    Data: %systemroot%\system32dumprep 0 -k
    has been changed to: C:\WINDOWS\system32\dumprep 0 -k, and whether I want to
    Undo Changes or Ignore Changes.
    I don't know what this means, but I would like your advice on this, and on the
    Microsoft Data Access ...... warning.
    Sorry for the delay in following the rest of the instructions, but I was trying to understand what the HijackThis and other entries meant, and also didn't have much time.
    Thanking You,
    clayidus
     
  10. abri

    abri MajorGeek

    Hi clayidus,

    First this. Do you have the txt file which you refer to in your question in the following box? If so could you upload it here?
    Next: Can you go back to a restore point from before you started all these things with the McAfee entry in HijackThis? The restore point just prior to that? If so, please see if your computer runs better or worse at that point. If it runs better, leave it there. If it runs worse, return the restore point to the one it was at before. If you've never done this before, go to Start / All Programs / Accessories / System Tools / System Restore
    check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates just preceding these problems and allow your system to return to that date. See if the problem goes away.


    And now about the YahooGroups folder in Outlook Express 2008. Did you create this folder yourself? Can you see the folder in Outlook Express when you open Outlook Express? If you did not create it, and you can see it, please pull the contents of the folder into the trash. Then empty the trash. Then run CCleaner and then go into Outlook Express and compress your trash folder. (Just click on the button for this which is probably in the menu under File)

    If you did not create this folder yourself and you cannot see it either except in Windows Explorer, please move it to a different part of your computer. Then rescan the folder where your main emails are located with BitDefender (you can ask it to only scan a small part of your computer) and see if the scan still brings up that virus. If not, then check if you can still get into Outlook Express. If you can and there is no problem, then just throw the whole YahooGroups.dbx folder in the trash. Then run CCleaner. Then open Outlook Express and run the compress files/folders option.

    Let me know if you have any success with the above and attach that one txt file if you still have it.
    Thanks.
    abri
     
  11. clayidus

    clayidus Private E-2

    Hi abri,
    Thank you for your reply.
    I cannot locate the automatically downloaded txt file referred to before.
    I tried to do a search for .txt files downloaded in the past month, and also a search for all .txt files, but was unable to find this particular file. However,
    I have noted down the URL of the website from which the file started downloading. But I didn't want to mention this URL, so that others who may be perusing the MajorGeeks forums should not click on that URL erroneously.

    I tried to implement your suggestion for System Restore, but could find only one Restore point, and that was after my last "Microsoft Data Access" problem. Should more Restore points be present?

    Luckily, the Microsoft Data Access - Remote Data Services dat... problem has stopped on its own.

    I uninstalled Viewpoint Media Player and disabled Windows Messenger. I fixed the O3, O4, O23, O16 and O4 Adobe Reader entries in HijackThis, and also fixed the O15 entry.
    I tried to run ComboFix with your instructions, but got a message that my current copy of ComboFix has expired. I then downloaded a new copy of ComboFix to my desktop, and tried to rename it to cf.exe and also to run the default "%userprofile%\desktop\cf.exe" /killall command (on the ComboFix MajorGeeks page), but got an error message saying "You cannot rename ComboFix as cf. Please use another name, preferably made of alphanumeric characters." What should I do now?
    Sorry for the great delay, but I had developed some hardware problems, and also developed problems with Spybot S&D's immunization process clashing with SpySweeper's shields, viz.
    I was continuously getting Alerts from the Internet Communication Shield of SpySweeper saying that "SpySweeper has blocked Access to a potentially threatening website. The Internet Communication Shield has blocked Access to", say, 008K.COM.
    Then, after some time (a few minutes), I would get another Alert from SpySweeper that SpySweeper has blocked Access to another website "123TOPSEARCH.COM".
    Then, after a few seconds to a few minutes, I would get yet another alert about another Blocked Access to another website, and so on......
    The websites thus blocked were in alphabetical order, and the entire process was not only annoying but also caused my PC to crash and reboot twice.
    Till yesterday, these Alerts were not popping up. But yesterday I tried to use the Immunize feature in Spybot S&D 1.5.2. While the Immunization process was running, I got a warning from SpySweeper saying that "C:\Program Files\Spybot-Search&Destroy\SpbotSD.exe is attempting to change your Internet Explorer security settings for the internet site 007.guard.com", and whether I wanted to Block or Allow this.
    I clicked on Block, and allowed the Immunization process of Spybot S&D
    to continue. After some time, Alert messages from the Internet Communication Shield of SpySweeper warning me that "SpySweeper has blocked Access to a potentially threatening website ....." (as mentioned above) started to appear (during the Immunization process and later on also).

    This problem is solved now. I had to undo the Immunization process of Spybot S&D, and these SpySweeper warnings disappeared. I asked SpySweeper Support about this problem and they replied:
    "The issue you are seeing is due to a conflict between Spy Sweeper and Spybot. Since both programs are trying to control this feature you are getting alerts often. The best thing to do will be to shutdown the security feature in one of the programs so the other can operate properly."

    Regarding the emails, I had asked my tech-savvy neighbour to back up my emails for me 2 years ago (as I did not know how to do so). The Yahoogroups folder is located in those backups. I cannot see those folders when I open Outlook Express. I do not know how to access email archives (there are at least 2 such archives on my PC). I will try to implement your suggestions, though.

    I wanted to ask you about one more problem. In the Programs tab of the Program Control section of my ZoneAlarm Firewall, I find reference to a
    file called Au_.exe, whose path is C:\Documents and Settings\Name\Local Settings\Temp\~nsu.tmp\Au_.exe. I can't find this file on my PC, nor can I find
    ~nsu.tmp. I tried to use CCleaner to delete this file, and after using CCleaner I removed this entry from ZoneAlarm's list of programs. But this file
    re-enters ZoneAlarm's list of Programs after I remove it from the list.
    What should I do about this?
    I am attaching the original BitDefender Online scan logs again, with ? HTML formatting retained, and the logs may be easier to read ?. Can you have a look at them?

    Sorry for the lengthy message yet again.

    Thanking You,
    clayidus
     

    Attached Files:

  12. abri

    abri MajorGeek

    You can prevent people from accidentally clicking on a bad link in a number of ways. One of the easiest is to replace the http with hxxp while you're posting it into the reply box. The website here won't pick it up as a url and it won't end up being a live link.

    Usually there's more than one restore point. I'm not sure how you have yours set.


    Use the new download without renaming it and see if it works.

    Good to know there's a known conflict between the two.

    Your first BitDefender Scan from Thursday includes the scan of your E drive whereas the scan you did on Friday doesn't. The one on Friday is clean. The easiest way to track down the file called YahooGroups.dbx is to do a search either for that file name specifically, or for *.dbx in your E drive in Windows Explorer. If E happens to be a cd and that cd is read-only, then you will not be able to delete it. See if you can locate it, not within the Outlook Express interface itself, but in Windows Explorer. If you find it and YahooGroups.dbx is in a whole list of other .dbx files, delete that file. Then use CCleaner to clear out the trash (the regular default setting) and then open up Outlook Express and compress all your folders.

    Au_.exe is a temporary file associated with NSIS which usually has a valid function. See this link for more information about that: http://forums.majorgeeks.com/showthread.php?p=1073843


    Let me know how you get on with all of the above.
    Thanks.
    abri
     
  13. clayidus

    clayidus Private E-2

    Hi,
    abri

    Sorry for the delay in replying. I didn't have Internet access for the last 3 days due to ISP problems.
    I discovered System Restore by reading about it on MajorGeeks, and have not set it up in any particular fashion. Even now, I can see only one restore point on my system, and previous restore points are not available.
    The website from which the automatic download started is: cvs.uwc.ac.za/viewcvs/viewcvs.cgi/archive/webmanager/docs/Attic/winzip.log?rev=1.2
    Somebody reading this should avoid visiting this website, as I had ? downloaded an unknown file from this website.
    I am getting the message "This website wants to run the following add-on 'Microsoft Data Access - Remote Data Services dat...' from Microsoft Corporation" intermittently again, while perusing various different websites (including my ISP's website).
    I renamed ComboFix.exe as cf1.exe and followed your instructions. The log is attached.
    I am also attaching regsrch.txt and a fresh MGlogs.zip, as per your instructions.
    Sorry about the previous BitDefender log mix-up. I have performed a new scan with BitDefender Online and also with Kaspersky Online Scanner. I am attaching both the logs. The Kaspersky Online scan refers to an infected email in Inbox.bak in an email archive in the E: drive (C, D, E and F are all partitions on my HDD), and also an email in Inbox.dbx separately. It also refers to an old SpySweeper installation file and infections in my current email store folder location in the F: partition.
    I can find Yahoogroups.dbx in my E:\OutlookExpressMail2008 folder, through Windows Explorer or doing a search, but it is a large folder (about 369 MB), and contains a lot of old emails (which I do not know how to access individually). If I double click on this subfolder, I get a message "Windows cannot open this file. To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select it from a list of programs on your computer. What do you want to do? a. Use the web service to find the appropriate program or b. Select the program from a list."
    I am unsure about whether I should select Outlook Express and ? try to open this folder, containing ? infected emails, as I remember having read that one should be careful of opening infected files. ?? I sure am confused !!! :eek: :(
    I am sorry about my inability to deal with this problem, and also my inability to explain my problem to you properly.
    I can delete the Yahoogroups folder from my E: partition through Windows Explorer, but am not sure about how to proceed with the new infections found by Kaspersky.
    I also wanted your recommendation about Windows Defender.

    And thanks again for everything.
    Yours sincerely,
    clayidus
     

    Attached Files:

  14. clayidus

    clayidus Private E-2

    Hi,
    abri,
    I am attaching the new BitDefenderOnline and Kasperskyonline logs.
    I am also attaching an EsetOnline scan log. Echat in that log refers to a chat program.
    Thanks,
    clayidus
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi clayidus,

    I'm not so happy with what your scans turned up. The email infections seem contained for the moment. The IPRIP I will need to post you some instructions for. I need some time for this and won't get to it until tomorrow. The less you use the computer at the moment, the better. The problem with the dbx files is an old one that doesn't yet have a good solution, however, there's a thread which someone had going late last summer or fall and I may be able to find that. That user obtained a reader which allowed him enough information to identify the email that was infected and then cut it out of the dbx file. This is not a simple thing to do and if done incorrectly, can render the whole folder unusable. If the viruses are archived, they may not be dangerous, but it is an uncomfortable feeling to know they are there and would be better to get rid of them.

    abri
     
  16. abri

    abri MajorGeek

    Hi clayidus,

    I would like for you to do a second registry search as follows:

    When you've completed the above, please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter netcn and post back with the results in this thread (call it regsrch.txt).

    Then, please run Combofix to remove some entries:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected )

    Code:
    KILLALL::
    
    Driver::
    iprip
    
    File::
    C:\windows\system32\ripserv.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IPRIP]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents]
    "iprip"=-
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\Iprip]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\IPRIP2]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\Iprip]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\IPRIP2]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\Iprip]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\IPRIP2]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\Iprip]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2]
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run CCleaner at the default setting with the Windows tab as the top one.

    Attach the combofix log.

    For the email problem, I wanted to refer you to the following thread by bushdoctor, who went into a lot of detail in trying to locate and remove infected emails. While there are different email programs with their own file extensions (outlook express uses dbx), the other systems use similar structures, so the principles apply to several different email clients. That thread is here:

    http://forums.majorgeeks.com/showthread.php?t=139031


    abri
     
    Last edited: Jul 3, 2008
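    An added example, not from this thread or from ComboFix itself: a Python parser that reads a CFScript like the one above (it serves the script in post 4 as well) and shows the plan it encodes, with sanity checks against a line that would do far more than remove one infection. The sample script is the IPRIP one from this post; the parser assumes the Registry:: lines follow .reg-file conventions ([-KEY] deletes a key, "name"=- deletes a value under the last [KEY] header), which is an assumption about the format, not a statement of ComboFix's internals.

```python
import re

# Constructed sample in the CFScript format used above (the IPRIP script from this post).
SAMPLE_CFSCRIPT = r"""KILLALL::

Driver::
iprip

File::
C:\windows\system32\ripserv.dll

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IPRIP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\Subcomponents]
"iprip"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\Iprip]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")          # KILLALL::, Driver::, File::, Registry::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # [KEY] selects, [-KEY] deletes
VALUE_DEL_RE = re.compile(r'^"([^"]*)"=-$')       # "name"=- deletes a value


def parse_cfscript(text):
    """Turn a CFScript into a plan: drivers and files it removes, and the
    registry keys/values it deletes (assumed .reg-style semantics)."""
    plan = {"killall": False, "drivers": [], "files": [], "registry": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if section == "killall":
                plan["killall"] = True
            continue
        if section == "driver":
            plan["drivers"].append(line)
        elif section == "file":
            plan["files"].append(line)
        elif section == "registry":
            k = KEY_RE.match(line)
            v = VALUE_DEL_RE.match(line)
            if k and k.group(1) == "-":
                plan["registry"].append(("delete_key", k.group(2)))
            elif k:
                current_key = k.group(2)
            elif v and current_key:
                plan["registry"].append(("delete_value", current_key, v.group(1)))
            else:
                plan["registry"].append(("unrecognised", line))
    return plan


def risky_entries(plan):
    """Checks worth running before dragging the script onto ComboFix: a typo
    that turns a deep key into a hive root, a wildcard, or a File:: line that
    is really a folder would remove far more than the infection."""
    warnings = []
    for entry in plan["registry"]:
        if entry[0] == "delete_key" and entry[1].count("\\") < 2:
            warnings.append(f"registry key too broad to delete: {entry[1]}")
        if entry[0] == "unrecognised":
            warnings.append(f"registry line not understood: {entry[1]}")
    for path in plan["files"]:
        if "*" in path or "?" in path:
            warnings.append(f"wildcard in file path: {path}")
        if not re.search(r"\.\w{1,4}$", path):
            warnings.append(f"file line without an extension (a folder?): {path}")
    return warnings


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for key, items in plan.items():
        print(key, items)
    print("warnings:", risky_entries(plan))
```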
