Viruses inside Aquarius?

Every time I run a scheduled scan there are a large number of viruses found. Double clicking the history item reveals they all reside in the F-Secure Aquarius folder. They only seem to activate during/after a scan; I have emailed support but after over a week have had no response. Getting really concerned...can anyone please tell me what is happening here?

 

[Attached screenshot: fsecure aquarius.JPG]

Best Answer

  • NikKNikK Posts: 931
    Accepted Answer

    ok, it's an attachment type that you can't save to disk. It's either a reference, embedded item or an OLE object. Here's a quick fix.

    In the code, replace the yellow line from your screenshot with these lines:

        On Error Resume Next
        filename = Replace(folderpath, "\", "-") & " " & email.Subject & " - " & attachment.filename
        If Err.Number <> 0 Then
            filename = Replace(folderpath, "\", "-") & " " & email.Subject & Chr(10) & Chr(10) _
            & "Unhandled Attachment: " & attachment.DisplayName & Chr(10) _
            & "Type: " & attachment.Type
            MsgBox filename, vbExclamation
            Err = 0
            On Error GoTo 0
            Exit Sub
        End If
        On Error GoTo 0

    Now hopefully this error won't stop the code anymore, and give you a msgbox about which email the non-file attachment is in so you can try to investigate it manually if you want. Or simply drag-and-drop the email to Windows Explorer and scan it.

    Note: You can't edit the code while it's running.


Comments

  • SimonSimon Posts: 2,584

    Does F-Secure attempt to remove the trojans after a scan?

  • Most are blocked, some removed...others none? I feel really concerned here! Why are all of these generated within the F-Secure folder suite? What exactly is this "Aquarius"? And could I delete the folder....as you may gather I am not particularly knowledgeable in these matters...should I begin to consider wiping my PC? All of this seems to have emanated from viruses found in my PST files that, because of their size I have been unable to isolate which email is responsible. I continue to use the PC-am I in any danger to do so???

  • SimonSimon Posts: 2,584
    I think Aquarius is the anti-virus component of F-Secure. I also think you need more expert help than I can give with this, so if you don't get a quick response from someone else here, I would suggest giving Support a nudge.
  • NikKNikK Posts: 931

    Yes, Aquarius is a database for malware signatures, it's part of the core F-Secure product and receives updates on a daily basis:

    http://www.f-secure.com/dbtracker/Aquarius/index.html

     

    Until you get some more help I suggest you do a scan with this free tool:

    http://www.malwarebytes.org/products/malwarebytes_free/

     

    I'll get back with instructions on how to check PST files.

  • NikKNikK Posts: 931

    First I suggest you turn off any preview panes in Outlook. Then read this:

     

    http://community.f-secure.com/t5/Security/How-to-find-which-mailbox-is/td-p/30358

  • SimonSimon Posts: 2,584
    I'm just wondering what that screenshot actually implies. I doubt that the Aquarius folder itself has been infected. I wonder if those items are a list of the items that Aquarius has quarantined? Is there a similar list in the Quarantined items folder, viewable from the Computer Security screen?
  • DmitriyDmitriy Posts: 212

    Firstly, looking at the file paths in the screenshot, this seems to be the problem with F-Secure Internet Security and has nothing to do with Business security solutions. Secondly, I would recommend you to get in touch with our technical support at your earliest convenience.

  • NikKNikK Posts: 931

    Well maybe a moderator can move this thread to the correct board?

     

    Archbishop, did you attach an FSDIAG file to your previous support request?

    If not, submit a new Support Request and attach an FSDIAG file. That will provide the support technicians with vital information and logs from your computer, so they can help you better and faster.

  • There is never anything in the quarantine folder....that I found strange since many of the reports said "Quarantined"?

  • fsdiag and screenshots sent to FS support 24  November 2013 and again on 29 Nov 2013. Other than auto reply giving ref SR ID:1-674799828 there has been no word since?

  • Also sorry if I have used the wrong board...where should it be posted please?

  • SimonSimon Posts: 2,584
    If it's relating to F-Secure Internet Security, it should have been posted in Home Security > Security. But hopefully a moderator, or somebody from F-Secure will move it. :)
  • NikKNikK Posts: 931

    Hmm, maybe you should try Online Chat or Call Support to get the current status of your support request.

     

    Regarding the PST file I suggest you disable the preview pane in Outlook, then delete all e-mails you don't feel you have to keep. Infections are usually in attachments.

    When you're done you need to compact the PST file (from the Outlook datafile properties)

    Then go to windows explorer and right click the PST file and chose "Scan xxxxx.pst for Viruses"

    If the PST is still infected, check out the link in previous post about how to find which mailbox is infected

  • ChrissyChrissy Posts: 439

    Hi Archbishop!

     

    I've moved your post to the correct board.

     

    Have you reached Support by the other means suggested, or are you still needing our help?

     

    // Chrissy

  • Thanks Chrissy. Last few days of scans by F-Secure, Microsoft Security Essentials and Malwarebytes have come out clean. I am worried at this since no action has been taken to remove anything? That previously the only time this multitude of viruses appeared was at the end of an F-Secure scan...They were declared "quarantined" but nothing ever appeared in the quarantined folder. Over the past 6 months I have been splitting my PST file into smaller folders and losing a lot of them in the process...should hate to think this has all been caused by spurious notifications that have now inexplicably disappeared. Shall have to see what happens in future scans. BTW nothing has been heard in response to cases put to F-Secure support and including the fsdiag file?

  • My success short lived, F-Secure is now finding this virus elsewhere...virus scan removal comes back failed and still no response from FS support

     

     

  • NikKNikK Posts: 931

    Strange that you haven't heard from support yet considering you reported it a month ago now. And especially since your problem is of a more rare type with infections of F-Secure files also. Hopefully someone from F-Secure will see this tomorrow and get back to you!

     

    What do you mean with comes back failed? Failed to quarantine or delete?

     

    You mentioned a week ago that scans by Fsecure, Microsoft Security essentials and malware bytes have come out clean. Are you running realtime scanning with both Microsoft Security Essentials(MSE) + F-Secure? If so, that is not recommended as multiple real-times can clash with each other.

    It's better to only have F-Secure with real-time and then use Microsoft Safety Scanner as an on-demand scanner, or at least turn off real-time scanning in MSE.

     

    If you have been running MSE with real-time scanning the same time as F-Secure, have you checked the logs and quarantine of MSE? Maybe that has beat F-Secure in dealing with the infections?! I'm purely speculating now. 

  • Many thanks for your thoughtful response NikK

     

    Machine is now only running F-Secure....I uninstalled the MSE and Malwarebytes last week.

    Running a scheduled scan it has returned as follows; (The Quarantine folder remains empty) All viruses are contained in the F-Secure Aquarius folder.

    Fsecure virus history.JPG

     

  • SimonSimon Posts: 2,584

    Which version of Windows is this?  I'm just wondering if something is lodged in the System Restore folder?

  • NikKNikK Posts: 931

    Malwarebytes Anti-Malware won't clash with F-Secure since it's not a traditional anti-virus product. But good that MSE is gone.

     

    I tried searching for the infections you have and I'm a little confused.

    When searching for Trojan.GenericKD.1401359 on http://www.f-secure.com/en/web/labs_global/search it just takes you to a page that describes false positives.

    When searching for Trojan.Dropper.Agent.UYG no result is found. But I found this nasty thing which sounds like a match even though Agent.UYG isn't mentioned: http://www.f-secure.com/v-descs/trojan-dropper_w32_agent.shtml

    If this is what you have, it says that F-Secure anti-virus can disinfect it. But I don't know if perhaps Agent.UYG is something else.

     

    Did you try Microsoft Safety Scanner ?

  • NikKNikK Posts: 931

    You could also try the Malicious Software Removal Tool from Microsoft, although your infections don't seem to be in the list of the virus families that this tool handles. But you never know.

    This tool runs automatically with Windows Update each month, but only as a quick scan. When you use the above link you have an option to do a Full Scan of your computer.

  • Running Windows 7. 

    I have had a reply from F-Secure...no answers, after a lengthy description of the problem seems all this is brushed aside and they are just asking me to open another ticket-back to square one-I do not think I could take explaining it all again...perhaps like all large companies they deflect the awkward questions with this MO to drain/drown the complainer?

     

    Tried the  Malicious Software Removal ...full computer scan came up all clear...(thanks Nikki)

     

    I continue my quest in another vein-perhaps if I found a PST extractor program and did a security scan on results it might find the offending emails....any ideas?

  • RusliRusli Posts: 991

    Hi,

     

    Have you tried HitMan Pro, a cloud-based antivirus scan?

     

    You give this a try.

     

    http://www.surfright.nl/en/downloads/

     

    And also you can try ...

     

    Dr Web Cure IT.

     

    http://www.freedrweb.com/cureit/?lng=en

     

    Or Bitdefender Online Scanner

     

    http://www.bitdefender.com/scanner/online/free.html

     

    You can also try ... which many people in the forum recommended...

     

    http://www.malwarebytes.org/mwb-download/

  • RusliRusli Posts: 991

    You can try and download an AVIRA Rescue Disc ISO version.

     

    You need to download AVIRA Rescue Disc and Burn to CD-R.

     

    And boot up from the CD-R from your DVD drive.

     

    And it will do the full scan.

     

    You can download the ISO version of AVIRA Rescue Disc here....

     

    http://www.avira.com/en/download/product/avira-rescue-system

     

    Or Kaspersky Rescue Disc

     

    http://support.kaspersky.com/viruses/rescuedisk#downloads

     

     

  • NikKNikK Posts: 931

    @Archbishop wrote:

    I continue my quest in another vein-perhaps if I found a PST extractor program and did a security scan on results it might find the offending emails....any ideas?


     

    You can use some different techniques to find:

    1. Folders with infections

    2. Infected e-mails

     

    Both are described here: http://community.f-secure.com/t5/Security/How-to-find-which-mailbox-is/td-p/30358

     

    If you have a lot of folders, the no 1 suggestion above can rule out all folders that don't have infections.

    That will make step 2 easier because step 2 can take some time to do: moving e-mails to different PST's, compact and re-scan, in order to isolate the infected e-mails.

     

    Starting instructions:

    First change the manual scan settings to the most aggressive ones: All file types + Archives + Advanced Heuristics

    Then in Outlook, disable the preview pane.
    To make it easier to find the infected emails, first delete any emails you don't need to keep!
    Empty the Junk email folder, and the Deleted items folder.
    Compact the mailbox (this is important to do after emails have been deleted or moved)
    In windows explorer go to the folder where you have the PST file(s)
    Right-click on the PST file and scan it.

    Just take notes on how many infections you have for each scan and follow the instructions in the link above.

    Archbishop
  • Thanks Nikki and everyone else for advices. I have indeed emptied all deleted, spam and junk folders. Virus scans are set to most aggressive.

     

    I have removed outlook the preview pane. (curious why this needs to be done??)

     

    I attempted to compact the PST file, but it was still running today from when I started it yesterday-so just cancelled that.

     

    Have spent many hours scanning through outlook emails last week and today...but there are so many!

     

    It has been suggested to me to use a PST extractor program and save as MSG....this folder could then be scanned by F-Secure and find the specific emails with virus. Finding a suitable PST extractor program is proving difficult, most of those previously suggested only scan the PST file and flag it up as containing a virus, much the same as F-Secure does, I have tried some I found but blocked by F-Secure as rare?  If anyone can recommend a PST extractor program it would be appreciated :o)

  • NikKNikK Posts: 931

    The Preview pane was just a precaution. And it will be easier to see and select more e-mails without it.

     

    If you have many emails and never compacted before, it can take some time to finish. If you delete emails and don't compact after, the emails aren't really deleted. They're still there in the PST but you just can't see them anymore. This is why it's important to compact. Once you've done the first long compact(and you should), it will be much faster for the following compacts.

    I remember it taking many hours to compact a 1 GB PST file I had once. Then every month or so I did a new compact and it only took a couple of minutes.

     

    Regarding PST extractor programs you should be careful about installing any "free" programs. If you want to try one, download and then scan the downloaded file on https://www.virustotal.com/  to be a little extra safe.

     

    But there may be an easier way that doesn't require any risky downloads:

    Try first in a folder with not so many emails.

    Open Windows Explorer and create a new folder somewhere

    In Outlook, select all emails in the folder, and drag-and-drop them to the folder you created in windows explorer.

    The emails will be copied one by one, now as individual files.

    Now you can right-click the folder in windows explorer and select "Scan foldername for Viruses"

    If any infection is found the filename will be equal to the email subject :)

     

    Note: I don't know what happens if you drag several thousands of emails at once. I haven't tried that many.

  • NikKNikK Posts: 931

    Edit: Replaced the code. The first version didn't work for multiple PST files or if there were other objects beside emails in a folder (meeting appointments, delivery receipts etc)

    @Archbishop  I tried searching for a PST extractor and instead found some code that I improved... a lot. Just because it's fun :)

    You just select any PST folder in Outlook, run the VBA macro and it will save all attachments from every email, including all subfolders if you want. This is better than my previous suggestion (drag-and-drop) because it will skip all emails that don't have any attachments. And the infections are most likely only in attachments.

     

    If you're not familiar with VBA(Visual Basic For Applications), follow these instructions:
    In Outlook press ALT+F11 to open the VBA Editor
    Insert a new Module (either from menu, or right click the project window at upper left corner)
    Paste all code in the module

    If using my example folder, create a folder in C:\ called attachments
    Then select an Outlook folder with not so many emails and attachments first, to see if everything is working
    Back in VBA Editor, set the cursor anywhere in Sub GetAttachments()
    Press F5 to start

     

    A log file will be created for every run, in the same folder where all attachments will be saved

    If everything seems OK and no errors occurred, change the value of variable testmode from True to False
    Next time you run the code all attachments will be saved in C:\attachments

    This code will not modify or delete anything from Outlook. It only saves copies of the attachments.

    Pretty nice I think ;)

     

    Click the spoiler below to see the code:

    Spoiler
    Option Explicit
    Dim saveToLocalFolder As String
    Dim includeSubFolders As Boolean
    Dim testmode As Boolean
    Dim logFile As String
    Sub GetAttachments()
    '-------------------------------------------------------------------------------------------------
        'ONLY THE 3 FOLLOWING LINES SHOULD BE CHANGED
        saveToLocalFolder = "C:\attachments\"   'should end with a \  and the folder must be created manually before running this
        includeSubFolders = True 'set to True will process all subfolders of the selected Outlook folder
        testmode = True 'true = only write to debug window and log (doesn't save the attachments to disk)
       
        'INSTRUCTIONS:
        'Make sure the values for the 3 variables above are set to what you want
        'Then in Outlook, select the folder you want to extract attachments from
        'Run with testmode = True first to test if everything works
        'Then change testmode from True to False and run again
        'To Run the code, click Run(Play icon in the toolbar). Or place the cursor here somewhere and press F5
       
        'When the attachments are stored to disk they will get the name:
        'Folder-Subfolder EmailSubject - attachmentname
        'Example: TestFolder-SubFolder-SubFolder2 Re TestMessage - Documentation.pdf
        'The file name will be simplified and shortened. For foldernames to 50 chars, and email subject to 50 chars
    '-------------------------------------------------------------------------------------------------
        Dim folder As Outlook.MAPIFolder
        On Error GoTo 0
        Dim reply
        reply = MsgBox("The folder: '" & Application.ActiveExplorer.CurrentFolder.folderpath & "' is selected in Outlook" _
            & Chr(10) & "Is this the folder you want to extract attachments from?" _
            & Chr(10) & Chr(10) & "TestMode: " & IIf(testmode, "True", "False") _
            & Chr(10) & "IncludeSubFolders: " & IIf(includeSubFolders, "True", "False"), vbYesNo)
        If reply = vbNo Then Exit Sub
        logFile = Replace(Application.ActiveExplorer.CurrentFolder.folderpath, "\\", "")
        logFile = Replace(logFile, "\", "-")
        logFile = saveToLocalFolder & "log_" & Left(GetSimpleName(logFile), 100) & " " & Format(Now(), "yyyy-MM-dd hh-mm-ss") & ".txt"
        WriteToLog "Folder selected in Outlook: " & Application.ActiveExplorer.CurrentFolder.folderpath
        WriteToLog "TestMode: " & IIf(testmode, "True", "False")
        WriteToLog "IncludeSubFolders: " & IIf(includeSubFolders, "True", "False")
        WriteToLog "Only names of folders and attachments will be printed below (not emails without attachments)"
        Set folder = Application.ActiveExplorer.CurrentFolder
        processFolder folder, folder.Name
        Exit Sub
    errH:
        MsgBox Err.Description
    End Sub
    Sub processFolder(ByRef inFolder As Outlook.MAPIFolder, folderpath As String)
        Dim subfolder As Outlook.MAPIFolder
        Dim email As Outlook.MailItem
        Dim attachment As Outlook.attachment
        Dim no As Long
        Dim info As String
       
        info = "Processing: " & folderpath & "  (" & inFolder.Items.Count & " items)"
        Debug.Print info
        WriteToLog (info)
        For no = 1 To inFolder.Items.Count
            If UCase(TypeName(inFolder.Items.Item(no))) = "MAILITEM" Then
                Set email = inFolder.Items.Item(no)
                For Each attachment In email.Attachments
                    SaveAttachment inFolder, email, attachment, folderpath
                Next
                DoEvents
            End If
        Next
       
        If Not includeSubFolders Then Exit Sub
       
        For Each subfolder In inFolder.folders
            processFolder subfolder, folderpath & "\" & subfolder.Name
        Next
    End Sub
    Sub SaveAttachment(ByRef folder As Outlook.MAPIFolder, ByRef email As Outlook.MailItem, ByRef attachment As Outlook.attachment, _
                       ByRef folderpath As String)
        Dim filename As String
        Dim info As String
        filename = Replace(folderpath, "\", "-") & " " & email.Subject & " - " & attachment.filename
        Debug.Print Chr(9) & filename
        WriteToLog Chr(9) & filename
        Dim filenameMod As String
        filenameMod = Left(GetSimpleName(Replace(folderpath, "\", "-")), 50) & " " & Left(GetSimpleName(email.Subject), 50) & " - " & attachment.filename
        If filename <> filenameMod Then
            filename = filenameMod
            info = "Filename changed to: " & filename
            Debug.Print Chr(9) & info
            WriteToLog Chr(9) & info
        End If
        If Not testmode Then
            attachment.SaveAsFile saveToLocalFolder & filename
        End If
    End Sub
    Function GetSimpleName(s As String) As String
        With CreateObject("vbscript.regexp")
            .Global = True
            .IgnoreCase = True
            .Pattern = "[^A-Z0-9-._\ ]"
            If .test(s) Then
                GetSimpleName = .Replace(s, "")
            Else
                GetSimpleName = s
            End If
        End With
    End Function
    Sub WriteToLog(ByRef txt As String)
        Dim fso As Object, stream As Object
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set stream = fso.OpenTextFile(logFile, 8, True) '8=append, True=create if doesn't exist
        stream.WriteLine txt
        stream.Close
        Set stream = Nothing
        Set fso = Nothing
    End Sub

     

    Archbishop
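Added example, not part of NikK's post or code: once a scan of `C:\attachments` flags a file, the macro's own log can be used to trace that file back to the Outlook folder and e-mail subject it came from. The parser relies only on the line formats written by `processFolder` and `SaveAttachment` above; the names `parse_macro_log`, `locate` and `SAMPLE_LOG` are hypothetical, the log content is constructed, and it is an assumption that a scanner may report a file inside an archive as an extra path component.

```python
import re
from dataclasses import dataclass

# Line formats written by processFolder / SaveAttachment in the macro above.
FOLDER_LINE = re.compile(r"^Processing: (?P<path>.*)  \(\d+ items\)$")
RENAMED = "Filename changed to: "

@dataclass
class Saved:
    outlook_folder: str  # folder path as logged, e.g. Inbox\Suppliers
    subject: str         # original e-mail subject (best effort)
    attachment: str      # attachment file name
    saved_as: str        # file name written under saveToLocalFolder

def parse_macro_log(text):
    """Return {saved file name (lower-case): [Saved, ...]} for one log file."""
    index, folder, pending = {}, None, None

    def commit(rec):
        if rec is not None:
            index.setdefault(rec.saved_as.lower(), []).append(rec)

    for line in text.splitlines():
        m = FOLDER_LINE.match(line)
        if m:
            commit(pending)
            folder, pending = m.group("path"), None
            continue
        if folder is None or not line.startswith("\t"):
            continue  # header lines before the first folder
        entry = line[1:]
        if entry.startswith(RENAMED):
            # The macro simplified the name; this is what is on disk.
            if pending is not None:
                pending.saved_as = entry[len(RENAMED):]
            continue
        prefix = folder.replace("\\", "-") + " "
        if not entry.startswith(prefix):
            continue
        commit(pending)
        # Heuristic: the last " - " separates subject from attachment name.
        subject, _, attachment = entry[len(prefix):].rpartition(" - ")
        pending = Saved(folder, subject, attachment, entry)
    commit(pending)
    return index

def locate(detected_path, index):
    """Map a path from the scan report to the candidate e-mails."""
    for part in detected_path.replace("/", "\\").split("\\"):
        hits = index.get(part.lower())  # Windows names are case-insensitive
        if hits:
            return hits
    return []

# Constructed sample log (CRLF line ends, as WriteLine produces on Windows).
SAMPLE_LOG = "\r\n".join([
    "Folder selected in Outlook: \\\\Archive 2010\\Inbox",
    "TestMode: False",
    "IncludeSubFolders: True",
    "Processing: Inbox  (4 items)",
    "\tInbox Re: Invoice - March - invoice.zip",
    "\tFilename changed to: Inbox Re Invoice - March - invoice.zip",
    "\tInbox Holiday photos - beach.jpg",
    "\tInbox Holiday photos - beach.jpg",
    "Processing: Inbox\\Suppliers  (1 items)",
    "\tInbox-Suppliers Price list - prices.xls",
])

if __name__ == "__main__":
    idx = parse_macro_log(SAMPLE_LOG)
    flagged = r"C:\attachments\Inbox Re Invoice - March - invoice.zip\setup.exe"
    for rec in locate(flagged, idx):
        print(rec.outlook_folder, "|", rec.subject, "|", rec.attachment)
```

Two e-mails with the same subject and attachment name produce the same file name, so the macro overwrites the earlier copy on disk; `locate` returns every candidate e-mail in that case.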
  • NikKNikK Posts: 931

    Just a post to notify that I updated the code in my previous post :)

  • Wow! Cool is not the word...its Flipsin inspirational!

     

    I did try your other suggested routing of copying multiple emails to another folder and running an aggressive scan. Could only do 250 at a time, any more and it only copied 300 odd of them, and slowed down to less each time. Because my PST files were over the 2G recommended I was hesitant to proceed in case I caused more damage than solved. That was Christmas Eve used up when I got home...nothing found.

     

    Worth noting the viruses have migrated from the Aquarius folder (perhaps MSE and Malware bytes now removed were confusing it?) now to become resident in two PST files, one remains in archive 2010 as "Trojan.dropper.Agent.UYG" and the other is in the main Outlook PST folder as "Trojan.Agent.BAYD"

     

    I tried the VBA, that I am not the slightest familiar, I was OK with the Sinclair ZX81...but that's it! :o)

     

    Just finished work so not as bright as usual, which then is nothing to write home about...

     

    "Modify the variable outlookFolderName" etc...bit confused where and what to change. My folders in question with viruses are;

    C:\Users\Archbishop\AppData\Local\Microsoft\Outlook\archive older than 31-12-2010.pst

    and

    C:\Users\Archbishop\AppData\Local\Microsoft\Outlook\Outlook.pst

     

    I have created a folder c:\attachments. Now should I name the folder "attachments\"?

     

    I shall have another bash when I wake tomorrow afternoon. I would say here I have a gut feeling the virus is in an HTML link within a message....I have opened most, but not all attachments already-but it would be "cool" to snatch all the blighters out to scan in one swoop....thanks NikK!

     

     

This discussion has been closed.