Viruses inside Aquarius?
Every time I run a scheduled scan there are a large number of viruses found. Double-clicking the history item reveals they all reside in the F-Secure Aquarius folder. They only seem to activate during/after a scan; I have emailed support but after over a week have had no response. Getting really concerned... can anyone please tell me what is happening here?
Comments
-
Most are blocked, some removed... others none? I feel really concerned here! Why are all of these generated within the F-Secure folder suite? What exactly is this "Aquarius"? And could I delete the folder... as you may gather I am not particularly knowledgeable in these matters... should I begin to consider wiping my PC? All of this seems to have emanated from viruses found in my PST files that, because of their size, I have been unable to isolate which email is responsible. I continue to use the PC - am I in any danger to do so???
-
Yes, Aquarius is a database for malware signatures, it's part of the core F-Secure product and receives updates on a daily basis:
http://www.f-secure.com/dbtracker/Aquarius/index.html
Until you get some more help I suggest you do a scan with this free tool:
http://www.malwarebytes.org/products/malwarebytes_free/
I'll get back with instructions on how to check PST files.
-
First I suggest you turn off any preview panes in Outlook. Then read this:
http://community.f-secure.com/t5/Security/How-to-find-which-mailbox-is/td-p/30358
-
I'm just wondering what that screenshot actually implies. I doubt that the Aquarius folder itself has been infected. I wonder if those items are a list of the items that Aquarius has quarantined? Is there a similar list in the Quarantined items folder, viewable from the Computer Security screen?
-
-
Well maybe a moderator can move this thread to the correct board?
Archbishop, did you attach an FSDIAG file to your previous support request?
If not, submit a new Support Request and attach an FSDIAG file. That will provide the support technicians with vital information and logs from your computer, so they can help you better and faster.
-
-
-
-
Hmm, maybe you should try Online Chat or Call Support to get the current status of your support request.
Regarding the PST file I suggest you disable the preview pane in Outlook, then delete all e-mails you don't feel you have to keep. Infections are usually in attachments.
When you're done you need to compact the PST file (from the Outlook datafile properties)
Then go to Windows Explorer, right-click the PST file and choose "Scan xxxxx.pst for Viruses"
If the PST is still infected, check out the link in previous post about how to find which mailbox is infected
-
-
Thanks Crissy. Last few days of scans by F-Secure, Microsoft Security Essentials and Malwarebytes have come out clean. I am worried at this since no action has been taken to remove anything? That previously the only time this multitude of viruses appeared was at the end of an F-Secure scan... They were declared "quarantined" but nothing ever appeared in the quarantined folder. Over the past 6 months I have been splitting my PST file into smaller folders and losing a lot of them in the process... should hate to think this has all been caused by spurious notifications that have now inexplicably disappeared. Shall have to see what happens in future scans. BTW nothing has been heard in response to cases put to F-Secure support and including the FSDIAG file?
-
-
Strange that you haven't heard from support yet considering you reported it a month ago now. And especially since your problem is of a more rare type with infections of F-Secure files also. Hopefully someone from F-Secure will see this tomorrow and get back to you!
What do you mean with comes back failed? Failed to quarantine or delete?
You mentioned a week ago that scans by Fsecure, Microsoft Security essentials and malware bytes have come out clean. Are you running realtime scanning with both Microsoft Security Essentials(MSE) + F-Secure? If so, that is not recommended as multiple real-times can clash with each other.
It's better to only have F-Secure with real-time and then use Microsoft Safety Scanner as an on-demand scanner, or at least turn off real-time scanning in MSE.
If you have been running MSE with real-time scanning at the same time as F-Secure, have you checked the logs and quarantine of MSE? Maybe that has beaten F-Secure in dealing with the infections?! I'm purely speculating now.
-
-
Malwarebytes Anti-Malware won't clash with F-Secure since it's not a traditional anti-virus product. But good that MSE is gone.
I tried searching for the infections you have and I'm a little confused.
When searching for Trojan.GenericKD.1401359 on http://www.f-secure.com/en/web/labs_global/search it just takes you to a page that describes false positives.
When searching for Trojan.Dropper.Agent.UYG no result is found. But I found this nasty thing which sounds like a match even though Agent.UYG isn't mentioned: http://www.f-secure.com/v-descs/trojan-dropper_w32_agent.shtml
If this is what you have, it says that F-Secure anti-virus can disinfect it. But I don't know if perhaps Agent.UYG is something else.
Did you try Microsoft Safety Scanner?
-
You could also try the Malicious Software Removal Tool from Microsoft, although your infections don't seem to be in the list of the virus families that this tool handles. But you never know.
This tool runs automatically with Windows Update each month, but only as a quick scan. When you use the above link you have an option to do a Full Scan of your computer.
-
Running Windows 7.
I have had a reply from F-Secure... no answers, after a lengthy description of the problem seems all this is brushed aside and they are just asking me to open another ticket - back to square one - I do not think I could take explaining it all again... perhaps like all large companies they deflect the awkward questions with this MO to drain/drown the complainer?
Tried the Malicious Software Removal ...full computer scan came up all clear...(thanks Nikki)
I continue my quest in another vein-perhaps if I found a PST extractor program and did a security scan on results it might find the offending emails....any ideas?
-
Hi,
Have you tried HitMan Pro, a cloud-based antivirus scan?
You can give this a try.
http://www.surfright.nl/en/downloads/
And also you can try ...
Dr Web Cure IT.
http://www.freedrweb.com/cureit/?lng=en
Or Bitdefender Online Scanner
http://www.bitdefender.com/scanner/online/free.html
You can also try ... which many people in the forum recommended...
-
You can try and download an AVIRA Rescue Disc ISO version.
You need to download AVIRA Rescue Disc and Burn to CD-R.
And boot up from the CD-R from your DVD drive.
And it will do the full scan.
You can download the ISO version of AVIRA Rescue Disc here....
http://www.avira.com/en/download/product/avira-rescue-system
Or Kaspersky Rescue Disc
http://support.kaspersky.com/viruses/rescuedisk#downloads
-
@Archbishop wrote: I continue my quest in another vein-perhaps if I found a PST extractor program and did a security scan on results it might find the offending emails....any ideas?
You can use some different techniques to find:
1. Folders with infections
2. Infected e-mails
Both are described here: http://community.f-secure.com/t5/Security/How-to-find-which-mailbox-is/td-p/30358
If you have a lot of folders, the no 1 suggestion above can rule out all folders that don't have infections.
That will make step 2 easier because step 2 can take some time to do: moving e-mails to different PST's, compact and re-scan, in order to isolate the infected e-mails.
Starting instructions:
First change the manual scan settings to the most aggressive ones: All file types + Archives + Advanced Heuristics
Then in Outlook, disable the preview pane.
To make it easier to find the infected emails, first delete any emails you don't need to keep!
Empty the Junk email folder, and the Deleted items folder.
Compact the mailbox (this is important to do after emails have been deleted or moved)
In windows explorer go to the folder where you have the PST file(s)
Right-click on the PST file and scan it.
Just take notes on how many infections you have for each scan and follow the instructions in the link above.
-
Thanks Nikki and everyone else for the advice. I have indeed emptied all deleted, spam and junk folders. Virus scans are set to most aggressive.
I have removed the Outlook preview pane. (curious why this needs to be done??)
I attempted to compact the PST file, but it was still running today from when I started it yesterday-so just cancelled that.
Have spent many hours scanning through outlook emails last week and today...but there are so many!
It has been suggested to me to use a PST extractor program and save as MSG... this folder could then be scanned by F-Secure and find the specific emails with virus. Finding a suitable PST extractor program is proving difficult, most of those previously suggested only scan the PST file and flag it up as containing a virus, much the same as F-Secure does. I have tried some I found but they were blocked by F-Secure as rare? If anyone can recommend a PST extractor program it would be appreciated.
-
The Preview pane was just a precaution. And it will be easier to see and select more e-mails without it.
If you have many emails and never compacted before, it can take some time to finish. If you delete emails and don't compact after, the emails aren't really deleted. They're still there in the PST but you just can't see them anymore. This is why it's important to compact. Once you've done the first long compact(and you should), it will be much faster for the following compacts.
I remember it taking many hours to compact a 1 GB PST file I had once. Then every month or so I did a new compact and it only took a couple of minutes.
Regarding PST extractor programs you should be careful about installing any "free" programs. If you want to try one, download and then scan the downloaded file on https://www.virustotal.com/ to be a little extra safe.
But there may be an easier way that doesn't require any risky downloads:
Try first in a folder with not so many emails.
Open Windows Explorer and create a new folder somewhere
In Outlook, select all emails in the folder, and drag-and-drop them to the folder you created in windows explorer.
The emails will be copied one by one, now as individual files.
Now you can right-click the folder in windows explorer and select "Scan foldername for Viruses"
If any infection is found the filename will be equal to the email subject
Note: I don't know what happens if you drag several thousands of emails at once. I haven't tried that many.
-
Edit: Replaced the code. The first version didn't work for multiple PST files or if there were other objects beside emails in a folder (meeting appointments, delivery receipts etc)
@Archbishop I tried searching for a PST extractor and instead found some code that I improved... a lot. Just because it's fun. You just select any PST folder in Outlook, run the VBA macro and it will save all attachments from every email, including all subfolders if you want. This is better than my previous suggestion (drag-and-drop) because it will skip all emails that don't have any attachments. And the infections are most likely only in attachments.
If you're not familiar with VBA(Visual Basic For Applications), follow these instructions:
In Outlook press ALT+F11 to open the VBA Editor
Insert a new Module (either from menu, or right click the project window at upper left corner)
Paste all code in the module
If using my example folder, create a folder in C:\ called attachments
Then select an Outlook folder with not so many emails and attachments first, to see if everything is working
Back in VBA Editor, set the cursor anywhere in Sub GetAttachments()
Press F5 to start
A log file will be created for every run, in the same folder where all attachments will be saved
If everything seems OK and no errors occurred, change the value of variable testmode from True to False
Next time you run the code all attachments will be saved in C:\attachments
This code will not modify or delete anything from Outlook. It only saves copies of the attachments.
Pretty nice I think
Click the spoiler below to see the code:
Option Explicit

Dim saveToLocalFolder As String
Dim includeSubFolders As Boolean
Dim testmode As Boolean
Dim logFile As String

Sub GetAttachments()
    '-------------------------------------------------------------------------------------------------
    'ONLY THE 3 FOLLOWING LINES SHOULD BE CHANGED
    saveToLocalFolder = "C:\attachments\" 'should end with a \ and the folder must be created manually before running this
    includeSubFolders = True 'set to True will process all subfolders of the selected Outlook folder
    testmode = True 'true = only write to debug window and log (doesn't save the attachments to disk)
    'INSTRUCTIONS:
    'Make sure the values for the 3 variables above are set to what you want
    'Then in Outlook, select the folder you want to extract attachments from
    'Run with testmode = True first to test if everything works
    'Then change testmode from True to False and run again
    'To Run the code, click Run(Play icon in the toolbar). Or place the cursor here somewhere and press F5
    'When the attachments are stored to disk they will get the name:
    'Folder-Subfolder EmailSubject - attachmentname
    'Example: TestFolder-SubFolder-SubFolder2 Re TestMessage - Documentation.pdf
    'The file name will be simplified and shortened. For foldernames to 50 chars, and email subject to 50 chars
    '-------------------------------------------------------------------------------------------------
    Dim folder As Outlook.MAPIFolder
    'Route runtime errors (also from the subs called below) to the errH handler at the end of this sub
    On Error GoTo errH
    Dim reply
    reply = MsgBox("The folder: '" & Application.ActiveExplorer.CurrentFolder.folderpath & "' is selected in Outlook" _
        & Chr(10) & "Is this the folder you want to extract attachments from?" _
        & Chr(10) & Chr(10) & "TestMode: " & IIf(testmode, "True", "False") _
        & Chr(10) & "IncludeSubFolders: " & IIf(includeSubFolders, "True", "False"), vbYesNo)
    If reply = vbNo Then Exit Sub
    'Build the log file name from the selected folder path plus a timestamp
    logFile = Replace(Application.ActiveExplorer.CurrentFolder.folderpath, "\\", "")
    logFile = Replace(logFile, "\", "-")
    logFile = saveToLocalFolder & "log_" & Left(GetSimpleName(logFile), 100) & " " & Format(Now(), "yyyy-MM-dd hh-mm-ss") & ".txt"
    WriteToLog "Folder selected in Outlook: " & Application.ActiveExplorer.CurrentFolder.folderpath
    WriteToLog "TestMode: " & IIf(testmode, "True", "False")
    WriteToLog "IncludeSubFolders: " & IIf(includeSubFolders, "True", "False")
    WriteToLog "Only names of folders and attachments will be printed below (not emails without attachments)"
    Set folder = Application.ActiveExplorer.CurrentFolder
    processFolder folder, folder.Name
    Exit Sub
errH:
    MsgBox Err.Description
End Sub

'Saves the attachments of every email in inFolder, then recurses into its subfolders
Sub processFolder(ByRef inFolder As Outlook.MAPIFolder, folderpath As String)
    Dim subfolder As Outlook.MAPIFolder
    Dim email As Outlook.MailItem
    Dim attachment As Outlook.attachment
    Dim no As Long
    Dim info As String
    info = "Processing: " & folderpath & " (" & inFolder.Items.Count & " items)"
    Debug.Print info
    WriteToLog (info)
    For no = 1 To inFolder.Items.Count
        'Skip anything that is not an email (meeting appointments, delivery receipts etc)
        If UCase(TypeName(inFolder.Items.Item(no))) = "MAILITEM" Then
            Set email = inFolder.Items.Item(no)
            For Each attachment In email.Attachments
                SaveAttachment inFolder, email, attachment, folderpath
            Next
            DoEvents
        End If
    Next
    If Not includeSubFolders Then Exit Sub
    For Each subfolder In inFolder.folders
        processFolder subfolder, folderpath & "\" & subfolder.Name
    Next
End Sub

'Logs one attachment and, unless testmode is True, saves a copy of it to saveToLocalFolder
Sub SaveAttachment(ByRef folder As Outlook.MAPIFolder, ByRef email As Outlook.MailItem, ByRef attachment As Outlook.attachment, _
        ByRef folderpath As String)
    Dim filename As String
    Dim info As String
    filename = Replace(folderpath, "\", "-") & " " & email.Subject & " - " & attachment.filename
    Debug.Print Chr(9) & filename
    WriteToLog Chr(9) & filename
    Dim filenameMod As String
    filenameMod = Left(GetSimpleName(Replace(folderpath, "\", "-")), 50) & " " & Left(GetSimpleName(email.Subject), 50) & " - " & attachment.filename
    If filename <> filenameMod Then
        filename = filenameMod
        info = "Filename changed to: " & filename
        Debug.Print Chr(9) & info
        WriteToLog Chr(9) & info
    End If
    If Not testmode Then
        attachment.SaveAsFile saveToLocalFolder & filename
    End If
End Sub

'Removes every character except letters, digits, hyphen, dot, underscore and space
Function GetSimpleName(s As String) As String
    With CreateObject("vbscript.regexp")
        .Global = True
        .IgnoreCase = True
        .Pattern = "[^A-Z0-9-._\ ]"
        If .test(s) Then
            GetSimpleName = .Replace(s, "")
        Else
            GetSimpleName = s
        End If
    End With
End Function

'Appends one line to the log file of the current run
Sub WriteToLog(ByRef txt As String)
    Dim fso As Object, stream As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set stream = fso.OpenTextFile(logFile, 8, True) '8=append, True=create if doesn't exist
    stream.WriteLine txt
    stream.Close
    Set stream = Nothing
    Set fso = Nothing
End Sub
-
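An added example, not part of the original thread or of the macro above: a Python script that triages the folder the macro fills (C:\attachments in the post) by hashing every saved attachment and flagging files whose extension or leading bytes indicate an executable. The extension lists and the names `sniff` and `triage` are assumptions made for this example; the file names it reports already carry the Outlook folder and email subject, so a flagged file points back to its email.

```python
import hashlib
import sys
from pathlib import Path

# Leading bytes that identify a file's real format regardless of its extension.
MAGIC = {
    b"MZ": "pe",                    # Windows executable / DLL
    b"PK\x03\x04": "zip",           # zip, also docx/xlsx/jar
    b"\xd0\xcf\x11\xe0": "ole",     # legacy Office document, .msg, .msi
    b"%PDF": "pdf",
}
# Extensions that Windows runs or interprets on double-click (assumed list).
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".jar", ".msi", ".ps1"}
# Document-like extensions used as a decoy in names such as photo.jpg.scr.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}


def sniff(head: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage(folder):
    """Hash every saved attachment and list the reasons it needs a closer look."""
    rows = []
    for path in sorted(Path(folder).iterdir()):
        # The macro writes its log_*.txt files into the same folder; skip them.
        if not path.is_file() or path.name.startswith("log_"):
            continue
        data = path.read_bytes()
        kind = sniff(data[:8])
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        reasons = []
        if ext in RISKY_EXT:
            reasons.append("risky extension " + ext)
        if len(suffixes) >= 2 and ext in RISKY_EXT and suffixes[-2] in DECOY_EXT:
            reasons.append("double extension")
        if kind == "pe" and ext not in {".exe", ".dll", ".scr", ".com"}:
            reasons.append("executable content behind " + (ext or "no extension"))
        rows.append({"file": path.name, "sha256": hashlib.sha256(data).hexdigest(),
                     "kind": kind, "reasons": reasons})
    return rows


if __name__ == "__main__":
    for row in triage(sys.argv[1] if len(sys.argv) > 1 else r"C:\attachments"):
        mark = "CHECK" if row["reasons"] else "ok   "
        print(mark, row["sha256"], row["kind"], row["file"], "; ".join(row["reasons"]))
```

The SHA-256 values can be searched on https://www.virustotal.com/ by hash, which avoids uploading private attachments.
-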
Wow! Cool is not the word... it's Flipsin inspirational!
I did try your other suggested routing of copying multiple emails to another folder and running an aggressive scan. Could only do 250 at a time, any more and it only copied 300 odd of them, and slowed down to less each time. Because my PST files were over the 2G recommended I was hesitant to proceed in case I caused more damage than solved. That was Christmas Eve used up when I got home... nothing found.
Worth noting the viruses have migrated from the Aquarius folder (perhaps MSE and Malwarebytes now removed were confusing it?) now to become resident in two PST files, one remains in archive 2010 as "Trojan.dropper.Agent.UYG" and the other is in the main Outlook PST folder as "Trojan.Agent.BAYD"
I tried the VBA, with which I am not in the slightest familiar; I was OK with the Sinclair ZX81... but that's it!
Just finished work so not as bright as usual, which then is nothing to write home about...
"Modify the variable outlookFolderName" etc... bit confused where and what to change. My folders in question with viruses are:
C:\Users\Archbishop\AppData\Local\Microsoft\Outlook\archive older than 31-12-2010.pst
and
C:\Users\Archbishop\AppData\Local\Microsoft\Outlook\Outlook.pst
I have created a folder c:\attachments. Now should I name the folder "attachments\"?
I shall have another bash when I wake tomorrow afternoon. I would say here I have a gut feeling the virus is in an HTML link within a message... I have opened most, but not all attachments already - but it would be "cool" to snatch all the blighters out to scan in one swoop... thanks NikK!