Malware, Bitdefender, Eudora

Discussion in 'Malware Help (A Specialist Will Reply)' started by bushdoctor, Sep 27, 2007.

  1. bushdoctor

    bushdoctor Private E-2

    It all started when bitdefender came back with positive results on my two notebooks. Bitdefender could not take any action on these infected files because they are "archive files" and only tells you the file name where the email message is and the "message number". There is no way that I know of to search for messages by "number" in Eudora, and when you have a lot of viruses and lots of messages that is a problem.

    [I finally found a program that does exactly this, number each eudora email message, which members who use eudora and bitdefender will find helpful: http://www.softpedia.com/get/Internet/E-mail/Mail-Utilities/MBX-Viewer.shtml ]

    The newer notebook is about 1.5 years old. The older notebook still has my old eudora mailbox files (every year I create a new file for "in" and "out" messages) and my newer notebook contains the old eudora files as well as the current files.
    I have been using your site to try to clean the old notebook first before tackling the newer notebook. My bitdefender year was up so I bought two licenses for the notebooks, to make a long story short, I could only download a real up-to-date version on the new notebook.
    I followed your steps for malware except that my online scan with bitdefender was a failure because it never stopped scanning ( I had to do it in normal startup mode) but it kept going for hours and then automatically restarting for hours - and I could not stop it. Subsequently, I do not have the scan report....although it did show a bunch of viruses etc. in the status window and it did say it "deleted" something like 90 thousand files....
    After this failed I did go into my attachment files and deleted a lot of suspect files and generally cleaned up a lot of unwanted files.
    Question: is the virus in the email message or in the attached file? The tech guy at bitdefender told me the virus must be in the attachment but could not answer the obvious question: if it is the attached file, why doesn't bitdefender simply name the attachment with the virus (in its folder)?

    I still cannot type the letter "w" or "@" and sometime the letter "s" on the older notebook (I am obviously typing this from the new one)
    I ran ccleaner (cleaned about 1 gb) and spybot, I will attach the other scan reports except for bitdefender scan. [I know there is not much to show in these scan reports, but I still cannot type certain letters and I believe it is related to the viruses/malware that are/were on my notebook. I did have a trial version of bitdefender (the new key did not take so that is what I was stuck with) and the reports were lengthy with viruses. That has all been deleted because I uninstalled that version to run the online scan...I do have the bitdefender report from my new notebook which I will attach because they are/were similar...).

    I will upload the other reports in another window...
    thank you for a helpful web site.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi bushdoctor!

    Are you posting the logs for one computer or two? If two, please run them in separate threads, one at a time so we don't get them mixed up.

    Do you know what this is? Lame ACM MP3 Codec

    Are you sure the keyboard is working? Is there a way for you to determine for sure that it's not a hardware problem, like by using an external keyboard?

    abri
     
  3. bushdoctor

    bushdoctor Private E-2

    Here are the rest of the scans. I could not upload the bitdefender log from the new notebook, I'll try again later.
     

    Attached Files:

  4. bushdoctor

    bushdoctor Private E-2

    I could not upload the bitdefender log from the new computer, when I begin work on the new notebook I will start a new thread.
    I do not know what Lame ACP MP3 Codec is...perhaps this is a file to do with my archos mp3 player?
    I am 99% sure it is not the hardware...good idea about the external keyboard, but the extra keyboard I have from an old desktop has nowhere to plug into the notebook...
     
  5. abri

    abri MajorGeek

    Hi bushdoctor!
    I need to make sure I understand correctly. Are all these logs from the old computer, including the BitDefender log which you haven't been able to upload?

    If you can't upload that one log, it would be helpful for us if you look at it yourself. It will have the name bdscan.txt. Please find that file wherever it's stored, right click on it and change the name so the extension is no longer .txt but rather .html. Then open it and look at it. I'm looking for a couple of pieces of information. Are there many things that were infected? Did it successfully delete what it found or were there instances where the update failed? Do you see any registry numbers towards the bottom of the scan which have the letters RP over towards the right side followed by a longer number? They would look something like this:
    abri
     
  6. bushdoctor

    bushdoctor Private E-2

    Hi Abri,
    all the logs are from the old notebook (the computer I am trying to clean first which is in worse condition than the new notebook).
    The bitdefender log I was going to upload was from the new notebook, but I am not going to do that. I am speaking with bitdefender to fix the problem of installing my new version of bitdefender (long story).
    I scanned "my computer" for files bdscan but no luck. I had to hit the "s" key about 6 times before the s was typed. After scanning, the number "1" is repeated ad infinitum in any window I open that has a cursor. This was happening a couple of weeks ago but when I ran ccleaner and the other stuff the repeating "1" stopped, until now. For example, when I click into the address bar in internet explorer, the number "1" automatically just types away....so weird.
    There were something like 20 viruses but since the online scan kept going and going it said that there were over 90 thousand files, could not disinfect, so they were "deleted" which is obviously not the case. When I ran the online scan again this a.m. I got the same messages. So, no success in deleting the files.
    I am going to install bitdefender, then I am going to rename my infected archive mailboxes/folders one at a time to make them the current folder and run bitdefender to see if it can then delete those files.
    But I do not think it is going to resolve the repeating "1", I can only operate the notebook by clicking, typing is going to be difficult.
    By the way, I do not remember if I saw registry numbers or not...sorry.
    I will hopefully be able to post a bitdefender log in a few hours or tomorrow sometime.
     
  7. abri

    abri MajorGeek

    Hi bushdoctor!

    I know you want to install BitDefender, but would it be possible for our purposes here to try their online scan and see if you have more luck with that? It might not be any better, but it's worth a try if you can get the address in. There's a link in step 6A of the READ & RUN ME FIRST. See if by linking, you can get around the cursor turning to 1's problem.

    abri
     
  8. bushdoctor

    bushdoctor Private E-2

    Hi Abri:
    thanks for your reply.
    I have tried online scan probably 4 times and every time the scan does not complete. Meaning that it just keeps going ( I think it repeats because the countdown might show 2 hours left and then in two hours it shows something crazy like 5 hours left) I left it running overnight and it was still going. I tried to stop by clicking "stop" but it still kept going. Every time I have had to use ctrl-alt-delete to stop.
    Anyway, I have successfully installed bitdefender (tricky because of the keys) and the log is attached. I hope this helps shed light on what is going on with this computer.
     

    Attached Files:

  9. abri

    abri MajorGeek

    bushdoctor,

    I don't think that the archived viruses in your old e-mails will be behind what you're experiencing with your computer, unless you only recently added the older Eudora archives to your current ones. The reason I think this is the simple logic that the viruses are located in old e-mails which seem to have been on your machine for awhile. However, if you had BitDefender on this computer previously, it should have found the viruses before.

    I would like to know if the program you mentioned in your first post (MBX Viewer 1.0) allows you to delete the viruses found and listed by BitDefender in your most recent post. Since BitDefender lists the files by number, they must be using either an existing numbering system created by Eudora or they have assigned numbers themselves.

    Does your MBX Viewer 1.0 allow you to find them by number and delete them? If so, please find them and delete them. I struggled with this same problem with dbx files and never did find a solution. It would be useful to ask BitDefender how you should convert their information into useful information for yourself that would allow you to delete what their own program finds but is unable to delete. They should be able to tell you this, because I expect this comes up fairly frequently. If you find out, I would appreciate knowing this.

    My somewhat random thoughts as I go through your logs looking for anything we might have missed is first of all to point out that you are using XP SP1. There is no point in updating to SP2 until your computer is clean. I'm curious, though, why there are a few Windows updates, but relatively few really?

    If I go through your first post pretty carefully:
    When was this? Was this the first time you used BitDefender that it came back with these positive results? Or had you been using it and suddenly it came back with viruses that hadn't been there in previous scans?


    Was this because the new version of BitDefender had trouble installing on an older computer?

    I don't know. I've wondered the same thing.
    If our keyboards are similar, the w, @, and s are all in one corner of the keyboard. I'm still not entirely convinced this or the thing with the 1111111111's in the address bar (also in the same corner of the keyboard) is not a hardware problem. It might be possible to borrow a docking station so you can plug in an external keyboard and see what happens.

    Counterspy found nothing. Panda found one cookie. There was nothing of interest in your newfiles or runkey logs or your HJT log. The main thing I found was that you are running SP1 instead of SP2 and you're missing a ton of Windows updates.

    Except for the problems you're having with your keys on the keyboard, you haven't mentioned any specific symptoms like the browser redirecting, pop-ups plaguing you or the computer having blue screens of death. You've only mentioned so far that BitDefender found viruses in archived data in your old e-mails. The thing I can help you with at this point are standard things we do to make the computer less vulnerable:


    1) Please go to add/remove programs and uninstall:

    - Counterspy <--- we're finished with this now

    Also, if you do not use Microsoft Works, while you're in add/remove programs, please go to add/remove Windows Components and turn Microsoft Works off.

    2) Please go to Windows Explorer, find the following folders and delete them.
    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) To make progress with the viruses in the e-mails, I need your help as stated above. If you are able to contact BitDefender, please do. I'm certain this question has come to them before and they must have an answer.

    5) Finally I would like for you to download ATF Cleaner by Atribune. This will clear out your Temp files. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) After you have completed the above please post a fresh newfiles.txt log from the ShowNew scan.
    - ShowNew Log
    abri
     
  10. bushdoctor

    bushdoctor Private E-2

    Hey Abri:
    I will try to answer all questions, if I miss anything let me know.
    Yes, the viruses have probably been on this computer for a while (and they are on my newer notebook as well since I copied those old email files).

    RE: MBX viewer
    Eudora does not list email messages by number. I went to a bitdefender forum and they told me about mbx viewer. I have now used it successfully on the old notebook and I could search for the emails by number (I guess sorting by date is the default) and find out the date and the sender and subject line etc. BUT I could not delete (only view with this program). Still a very good program that at least numbers the messages - and bitdefender support does not know about it....
    I was forced to use eudora to open the mailboxes and locate the files by "date" and "from" and delete the emails. I did O.K. until my mailbox named "in_May_2001_to_Dec_2001" which only contained 2 infected messages. When I tried to delete, a Bitdefender window popped open stating:
    d:\data eudora\trash.mbx=>(IFRAME)
    infected with
    Exploit.Html.Filedownload.D
    and then again with the following:
    Exploit.Ifram.Vulnerability
    Simultaneously eudora window popped open and stated:
    "Could not open the file D:\Data Eudora\Trash.mbx for writing
    Cause: Access permission denied. File may be marked as read only or locked (13)"
    I had to click 10-12 times on the bitdefender window as it toggled between the two messages until it closed.
    I tried many different things to get around this including re-naming trash.mbx, using different mailboxes, etc. even putting my cursor over the trash.mbx in windows explorer, but the bitdefender window keeps popping up. When I open trash it contains no messages, but I can see that it has 65k in the trash.mbx file (and also on the small bar beneath the window of the open mailbox).
    So, I could not delete the 2 email messages with viruses in the 2001 mailbox nor the 9 messages in the in.mbx.002 mailbox (this has to be renamed to mbx to view and delete in eudora since it is a backup). So at this point, I cannot delete any email messages from any mailbox. I then continued with your list of things to do in your post.

    RE: Windows Updates
    I don't remember ever doing them. Perhaps some vaio updates but I stayed away from windows...why? a combination of many things including ignorance in not wanting to download/update meaningless stuff that will bloat the notebook.

    RE: Bitdefender
    I had been using bitdefender a little over a year. Before that Norton. Bitdefender found viruses but I did not know or spend much time interpreting the results. I would see "37000 infected files" etc. and sometimes they were deleted and sometimes not. I have been using my new notebook for the past year and a half and did not pay much attention to the old notebook. I have the same problems with the new one which I will tackle after we clean up and fix the old one. So, you are correct, these viruses seem to have always (maybe for a year?) been there, it is just now this repeating "11111111..." that got me to do something about fixing the notebook.

    RE: Bitdefender on the on the old notebook
    Yes, there was a problem with the license key which has been fixed now.

    RE: Viruses in the email text body and/or in the attachment
    This to me seems so fundamental. Why doesn't bitdefender find the virus in the email attachment? I am no techie but is it because bitdefender can't know what is "in" the attached file and can only go by clues such as file extensions or file names in the email message??? The email messages I deleted did not have attachments. A few "had" attachments but since I moved all of the attachments into different folders a long while ago there is no longer an association between the messages and the files. So these messages just showed the name of the attachment with an "X" through it.

    RE: Keyboard
    Yes, our keyboards are qwerty. I have opened a window doc and tried typing. I cannot type q,w,s,@, 1, 2,z and the space bar does not work.....
    I will try to find another keyboard to use but not so easy right now....
    The repeating "1111111..." is very strange. This would start when I clicked my cursor into the window bar in internet explorer or in the window bar in skype. I did not even attempt to type anything and it would take off repeating number 1. And this condition comes and goes. Right now it is not doing it.

    RE: other symptoms
    There are no other symptoms, no pop-ups no redirection or blue screens.

    RE: Your suggestions
    I completed everything however there was an error message when using the windows messenger removal and then later it said that it was removed. I also removed some other programs I was not using (including works which took a long time to remove), I removed the programs and then re-booted and on the re-boot a windows message "system recovered from a serious error" showed up but computer seems to be working except for the keyboard problem.
    I used ATF cleaner and cleaned everything.
    Attached is the newfiles log.

    I am going to run bitdefender again to see if the email messages I deleted have an effect on the results.

    Thank you for your time spent on this.
    best regards
     

    Attached Files:

  11. bushdoctor

    bushdoctor Private E-2

    Here is the latest bitdefender scan
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi bushdoctor!
    Thank you for assisting us with your information and experiences. Is it correct that the BitDefender number for the e-mails agrees with the MBX Viewer number for the e-mails? I don't know why this is such a difficult problem. I decided to run BitDefender on my own computer yesterday and it found a bunch of viruses in the e-mail folder that I transferred from my old harddrive to my new one but haven't ever used. I think they were all in the trash, which I find quite interesting, because I religiously emptied my trash, and to my knowledge, there was nothing visible whatsoever in the trash at all. I deleted e-mails which went into the trash, then I emptied the trash and then I ran CCleaner, specifically so I could make sure I was getting rid of any possible viruses. This means that the e-mail programs (I'm using Thunderbird) are archiving even those things that have been thrown away. Since I've never yet found a good solution to this problem, I'm feeling more motivated to find one. For the meantime, a practical solution might be to store your old e-mails on a separate piece of hardware, a harddrive, a flashdrive or a dvd, so you can keep your current harddrive clean.

    I'm sorry in terms of your Microsoft Works, if I was not clear. Any Microsoft programs which you are not using can usually simply be turned off in Add/Remove Windows Components which is one of the buttons in Add/Remove programs. It's an easier way of getting unneeded Windows components out of the way and there's less risk of doing damage.

    Why BitDefender doesn't find the virus in the e-mail body or attachment? I don't know, but it's possible BitDefender isn't seeing the data in those terms. They are one of the few programs which has the ability to view inside of archived files. The reason why the e-mails can't be clearly identified and eliminated almost seems to me to be a legal or a political problem more than a technical one. I will try to find out more about this.

    With your keyboard, the repeating 1111's thing is weird, because of it happening in a specific type of window, but not, say, in Notepad. Simply due to the location of the keys, I feel there is a hardware problem involved. I'm not as familiar with notebooks as with external keyboards. With a regular external keyboard, it's possible to actually remove the keys and clean beneath them. I think built-in keyboards are more tricky in that respect and also, it won't help you if it's a problem in the electronics. Also, it would not explain why the one is attaching itself to your cursor. I will try to get another opinion about this.

    Windows Updates, especially the Service Packs, close a lot of security holes which are discovered and exploited after a Windows release. For almost everyone, SP2 was a really good thing. In order to install it without problems, your computer needs to be clean and there is a Microsoft article which deals specifically with preparing your computer for Service Pack 2 here: Get Your PC Ready for Windows XP SP2
    With regard to the rest of the updates, I have always read them and decided whether I wanted them or not. It takes a lot of time and it seems that computers with all the security updates run fine so I'm not sure it's worth the time. As long as you're on the internet, they're a good idea.

    It's possible you had trouble with the Windows Messenger Removal Tool because of a conflict with an antivirus or anti-spyware program. Windows doesn't like to have its parts removed.

    I feel like we haven't helped you that much. I will get back to you with another opinion about the cursor and ones problem and see if there are any other ideas about the e-mail viruses.

    abri
     
  13. abri

    abri MajorGeek

    Hi bushdoctor,

    An additional note: I got some useful information which I completely forgot about from Steve_East9.
    I believe this will apply to Eudora as well, at least for those e-mails which you've deleted.
    Here's the website he mentions for Eudora: http://www.eudora.com/techsupport/kb/1712hq.html
    abri
     
    Last edited: Sep 30, 2007
  14. bushdoctor

    bushdoctor Private E-2

    Dear Abri, it has been a while but I still have the virus problem.
    The good news is that I am down to 5 detected viruses, the bad news is that I have tried to delete them at least 6 times and they keep coming back (in different email messages).
    the viruses are:
    Exploit.Iframe.Vulnerability (3 times)
    Generic.Peed.Eml.49304E4A
    Generic.Peed.Eml.5457C242

    I am able to view email messages - that show the email message number - using mbx viewer. Therefore I can find out the date and subject line and who from in order to delete the email message. I cannot delete or alter anything in mbx viewer so I have to open eudora for that.

    A bitdefender forum member confirmed that the viruses are indeed in the email messages "in the script".

    My keyboard is still not working properly (I am using a different computer for this communication) and I believe you are correct that it is a hardware problem. I have not had time to take off the keys and try to clean underneath. Other than that I do not know what to do. I have not found an external keyboard to test with yet, but working on it.

    What would you say the next steps are? Do I download the Windows updates? or clean the viruses...?

    Looking forward to your reply, thank you.
     
  16. abri

    abri MajorGeek

    Hi bushdoctor!

    Go to start / run and type in regedit and tell me if you find this:
    abri
     
  17. bushdoctor

    bushdoctor Private E-2

    I looked in regedit and did not find the reference to norton.
     
  18. abri

    abri MajorGeek

    Hi bushdoctor!
    I've been reading more about this, because it's a general problem. One person suggested that it is possible to make a separate folder and place one e-mail in that folder and scan it. If the e-mail is infected, the contents of the folder should be compressed and the entire folder deleted. This is an incredibly tedious way to look for viruses, but it may be possible to get around the problem of the virus changing positions, and if you have found a way to identify the actual email, I would like to ask you to try this.

    Let me know if this helps.
    abri
     
  19. bushdoctor

    bushdoctor Private E-2

    Abri,

    I do not know of any way to put "one" email into a separate folder otherwise I would give it a try.

    thanks
     
  20. abri

    abri MajorGeek

    I was thinking if you could identify the e-mails on the basis of their reference lines and the date, that you could then find it in the normal Eudora interface itself, rather than via the Windows Explorer folder.
    This is a frustrating problem. One other person posted again about it this week. Your efforts have reawakened my interest in looking into it again.

    abri
     
  21. bushdoctor

    bushdoctor Private E-2

    Abri, actually reading or deleting the email messages using the eudora interface is what I am currently doing (after I identify the "infected" email message using mbx viewer), but I still do not know how to take that one email message and put it into another folder (I can cut and paste it into word but I do not think that is what you want).
    Looking forward to your reply, thank you
     
  22. abri

    abri MajorGeek

    What I mean is, once you've identified an e-mail with a virus, to then go to the Eudora interface, create a new folder and move it in there within the interface. Rescan Eudora and if the virus is then the same one with the same e-mail, to then compress that one folder in the interface and then delete it. What I understand about this particular virus PEED is that it jumps from one e-mail to the next when you try to delete it. I had this in my trash. It was probably in a forwarded e-mail or spam that snuck in. I threw them away, emptied the trash and thought they were gone. They weren't. So when BitDefender deleted them, the virus seems to have jumped from one e-mail to the next in the trash and the report I got back from BitDefender was that it had deleted 18,000 files all with the same virus. (I'm glad they were the ones in the trash and not my whole e-mail files!) Also, I haven't had time to check, but it's possible that BitDefender claims to have deleted them without having done so. This is the case when they delete infected restore points: they haven't actually deleted them but they report them as having been deleted.
    I'm working with Thunderbird and Outlook Express, but I expect the mechanisms at work are similar. Although this is a malware issue, this forum is restricted for other posters, so while there may be other people who have advice about this particular issue, they can't post it to you. I would suggest that you open a new thread in the software forum, as the additional input would be useful and the topic interests me as well because it's not a simple one.

    abri
     
    Last edited: Oct 30, 2007
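The two recurring practical problems in this thread are (a) turning a scanner's "message number" into a message you can actually find (posts 9 and 10), and (b) getting one suspect message out of a mailbox on its own so it can be rescanned and removed without the rest of the archive (posts 18 and 22). The script below is an added example written for this page; it is not code from MBX Viewer, Eudora or BitDefender. It assumes that a Eudora .mbx file is an mbox-style text file in which every message is introduced by a line beginning "From ???@??? " and that a "message number" means the 1-based position of the message in file order (MBX Viewer is described as numbering messages, but the page does not say how BitDefender's numbers are derived, so that correspondence is an assumption to verify on a real file). The sample mailbox is constructed inline, and the "<iframe" text match is only a crude locating aid that mirrors the "(IFRAME)" label in the page's detection names; it is not a scanner signature and says nothing about whether a message is actually malicious.

```python
import re
from email import message_from_bytes, policy

# Constructed sample of a Eudora-style .mbx mailbox (assumption: mbox layout
# with a separator line that starts "From ???@??? "; the separator line is
# not part of the message). Addresses and URL use reserved placeholder names.
SAMPLE_MBX = b"""From ???@??? Mon Jun 04 09:12:00 2001
From: alice@example.invalid
To: me@example.invalid
Subject: Meeting notes
Date: Mon, 4 Jun 2001 09:12:00 +0000

Notes attached below.

From ???@??? Tue Jun 05 10:00:00 2001
From: newsletter@example.invalid
To: me@example.invalid
Subject: Special offer
Date: Tue, 5 Jun 2001 10:00:00 +0000
Content-Type: text/html

<html><body><p>Hello</p>
<IFRAME src="http://placeholder.invalid/page" width=0 height=0></IFRAME>
</body></html>

From ???@??? Wed Jun 06 11:30:00 2001
From: bob@example.invalid
To: me@example.invalid
Subject: Re: Meeting notes
Date: Wed, 6 Jun 2001 11:30:00 +0000

Thanks!
"""

SEPARATOR = re.compile(rb"^From \?\?\?@\?\?\? ", re.MULTILINE)
# Coarse locating heuristic only: finds messages whose text parts contain an
# iframe tag, the kind of content the page's "(IFRAME)" detection label names.
IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)
# Placeholder separator used when writing mailboxes back out (timestamp is
# not significant for this example).
OUT_SEPARATOR = b"From ???@??? Thu Jan 01 00:00:00 1970\n"


def split_mbx(data: bytes) -> list:
    """Return the raw bytes of each message in file order, separator lines dropped."""
    messages = []
    for chunk in SEPARATOR.split(data):
        if not chunk.strip():
            continue  # empty piece before the first separator
        # the rest of the separator line (its timestamp) precedes the headers
        messages.append(chunk.split(b"\n", 1)[1] if b"\n" in chunk else b"")
    return messages


def _text_parts(msg):
    """Yield decoded bytes of every leaf (non-multipart) part of a message."""
    for part in msg.walk():
        if not part.is_multipart():
            yield part.get_payload(decode=True) or b""


def index_mbx(data: bytes) -> list:
    """Number messages 1..N in file order and summarise each one.

    Assumption: a sequential count in file order is what a report that names
    'message N' refers to; check this against a known hit on a real file first.
    """
    summary = []
    for number, raw in enumerate(split_mbx(data), start=1):
        msg = message_from_bytes(raw, policy=policy.default)
        summary.append({
            "number": number,
            "date": str(msg["Date"] or ""),
            "from": str(msg["From"] or ""),
            "subject": str(msg["Subject"] or ""),
            "has_iframe": any(IFRAME_RE.search(p) for p in _text_parts(msg)),
        })
    return summary


def flagged_numbers(data: bytes) -> list:
    """Message numbers whose text contains an iframe tag (locating aid only)."""
    return [m["number"] for m in index_mbx(data) if m["has_iframe"]]


def isolate_message(data: bytes, number: int) -> bytes:
    """Write message `number` into a single-message mailbox of its own, the
    'one e-mail in a separate folder' step, so it can be rescanned in isolation."""
    messages = split_mbx(data)
    if not 1 <= number <= len(messages):
        raise IndexError(f"no message number {number}")
    return OUT_SEPARATOR + messages[number - 1]


def remove_message(data: bytes, number: int) -> bytes:
    """Return the mailbox with message `number` physically absent from the file.
    Deleting in a client can leave the bytes in place until the mailbox is
    compacted (the page's 65k 'empty' trash.mbx); this is the compacted result."""
    messages = split_mbx(data)
    if not 1 <= number <= len(messages):
        raise IndexError(f"no message number {number}")
    kept = messages[:number - 1] + messages[number:]
    return b"".join(OUT_SEPARATOR + m for m in kept)


if __name__ == "__main__":
    for entry in index_mbx(SAMPLE_MBX):
        print(entry)
    print("flagged message numbers:", flagged_numbers(SAMPLE_MBX))
```

Run against a copy of a real mailbox (never the live file while the mail client has it open), read the number/date/from/subject table, and confirm that the message a scanner report names lines up with the entry shown for that number before trusting the numbering; if it does, `isolate_message` gives you the single-message file to rescan and `remove_message` the archive without it.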
