virus's inside Aquarius?

Advocate

Re: virus's inside Aquarius?

Malwarebytes Anti-Malware won't clash with F-Secure since it's not a traditional anti-virus product. But good that MSE is gone.

 

I tried searching for the infections you have and I'm a little confused.

When searching for Trojan.GenericKD.1401359 on http://www.f-secure.com/en/web/labs_global/search it just takes you to a page that describes false positives.

When searching for Trojan.Dropper.Agent.UYG no result is found. But I found this nasty thing which sounds like a match even though Agent.UYG isn't mentioned: http://www.f-secure.com/v-descs/trojan-dropper_w32_agent.shtml

If this is what you have, it says that F-Secure anti-virus can disinfect it. But I don't know if perhaps Agent.UYG is something else.

 

Did you try Microsoft Safety Scanner?

Advocate

Re: virus's inside Aquarius?

You could also try the Malicious Software Removal Tool from Microsoft, although your infections don't seem to be in the list of the virus families that this tool handles. But you never know.

 

This tool runs automatically with Windows Update each month, but only as a quick scan. When you use the above link you have an option to do a Full Scan of your computer.

Aspirant

Re: virus's inside Aquarius?

Running Windows 7. 

I have had a reply from F-Secure...no answers, after a lengthy description of the problem seems all this is brushed aside and they are just asking me to open another ticket-back to square one-I do not think I could take explaining it all again...perhaps like all large companies they deflect the awkward questions with this MO to drain/drown the complainer?

 

Tried the Malicious Software Removal ...full computer scan came up all clear...(thanks Nikki)

 

I continue my quest in another vein-perhaps if I found a PST extractor program and did a security scan on results it might find the offending emails....any ideas?

Senior Advisor

Re: virus's inside Aquarius?

Hi,

 

Have you tried HitmanPro, a cloud-based antivirus scan?

 

You can give this a try.

 

http://www.surfright.nl/en/downloads/

 

And also you can try ...

 

Dr Web Cure IT.

 

http://www.freedrweb.com/cureit/?lng=en

 

Or Bitdefender Online Scanner

 

http://www.bitdefender.com/scanner/online/free.html

 

You can also try ... which many people in the forum recommended...

 

http://www.malwarebytes.org/mwb-download/

Senior Advisor

Re: virus's inside Aquarius?

You can try and download an AVIRA Rescue Disc ISO version.

 

You need to download AVIRA Rescue Disc and burn it to a CD-R.

 

And boot up from the CD-R from your DVD drive.

 

And it will do the full scan.

 

You can download the ISO version of AVIRA Rescue Disc here....

 

http://www.avira.com/en/download/product/avira-rescue-system

 

Or Kaspersky Rescue Disc

 

http://support.kaspersky.com/viruses/rescuedisk#downloads

 

 

Advocate

Re: virus's inside Aquarius?


@Archbishop wrote:

I continue my quest in another vein-perhaps if I found a PST extractor program and did a security scan on results it might find the offending emails....any ideas?


 

You can use some different techniques to find:

1. Folders with infections

2. Infected e-mails

 

Both are described here: http://community.f-secure.com/t5/Security/How-to-find-which-mailbox-is/td-p/30358

 

If you have a lot of folders, the no 1 suggestion above can rule out all folders that don't have infections.

That will make step 2 easier because step 2 can take some time to do: moving e-mails to different PSTs, compact and re-scan, in order to isolate the infected e-mails.

 

Starting instructions:

First change the manual scan settings to the most aggressive ones: All file types + Archives + Advanced Heuristics

Then in Outlook, disable the preview pane.
To make it easier to find the infected emails, first delete any emails you don't need to keep!
Empty the Junk email folder, and the Deleted items folder.
Compact the mailbox (this is important to do after emails have been deleted or moved)
In Windows Explorer, go to the folder where you have the PST file(s)
Right-click on the PST file and scan it.

Just take notes on how many infections you have for each scan and follow the instructions in the link above.

Aspirant

Re: virus's inside Aquarius?

Thanks Nikki and everyone else for the advice. I have indeed emptied all deleted, spam and junk folders. Virus scans are set to most aggressive.

 

I have removed the Outlook preview pane. (curious why this needs to be done??)

 

I attempted to compact the PST file, but it was still running today from when I started it yesterday-so just cancelled that.

 

Have spent many hours scanning through outlook emails last week and today...but there are so many!

 

It has been suggested to me to use a PST extractor program and save as MSG....this folder could then be scanned by F-Secure and find the specific emails with virus. Finding a suitable PST extractor program is proving difficult, most of those previously suggested only scan the PST file and flag it up as containing a virus, much the same as F-Secure does, I have tried some I found but blocked by F-Secure as rare?  If anyone can recommend a PST extractor program it would be appreciated :o

Advocate

Re: virus's inside Aquarius?

The Preview pane was just a precaution. And it will be easier to see and select more e-mails without it.

 

If you have many emails and never compacted before, it can take some time to finish. If you delete emails and don't compact after, the emails aren't really deleted. They're still there in the PST but you just can't see them anymore. This is why it's important to compact. Once you've done the first long compact (and you should), it will be much faster for the following compacts.

I remember it taking many hours to compact a 1 GB PST file I had once. Then every month or so I did a new compact and it only took a couple of minutes.

 

Regarding PST extractor programs you should be careful about installing any "free" programs. If you want to try one, download and then scan the downloaded file on https://www.virustotal.com/ to be a little extra safe.

 

But there may be an easier way that doesn't require any risky downloads:

Try first in a folder with not so many emails.

Open Windows Explorer and create a new folder somewhere

In Outlook, select all emails in the folder, and drag-and-drop them to the folder you created in Windows Explorer.

The emails will be copied one by one, now as individual files.

Now you can right-click the folder in Windows Explorer and select "Scan foldername for Viruses"

If any infection is found the filename will be equal to the email subject :)

 

Note: I don't know what happens if you drag several thousands of emails at once. I haven't tried that many.

Advocate

Re: virus's inside Aquarius?

Edit: Replaced the code. The first version didn't work for multiple PST files or if there were other objects beside emails in a folder (meeting appointments, delivery receipts etc)

@Archbishop  I tried searching for a PST extractor and instead found some code that I improved... a lot. Just because it's fun :)

You just select any PST folder in Outlook, run the VBA macro and it will save all attachments from every email, including all subfolders if you want. This is better than my previous suggestion (drag-and-drop) because it will skip all emails that don't have any attachments. And the infections are most likely only in attachments.

 

If you're not familiar with VBA (Visual Basic For Applications), follow these instructions:
In Outlook press ALT+F11 to open the VBA Editor
Insert a new Module (either from menu, or right click the project window at upper left corner)
Paste all code in the module

If using my example folder, create a folder in C:\ called attachments
Then select an Outlook folder with not so many emails and attachments first, to see if everything is working
Back in VBA Editor, set the cursor anywhere in Sub GetAttachments()
Press F5 to start

 

A log file will be created for every run, in the same folder where all attachments will be saved

If everything seems OK and no errors occurred, change the value of variable testmode from True to False
Next time you run the code all attachments will be saved in C:\attachments

This code will not modify or delete anything from Outlook. It only saves copies of the attachments.

Pretty nice I think ;)

 

Click the spoiler below to see the code:

Option Explicit
Dim saveToLocalFolder As String
Dim includeSubFolders As Boolean
Dim testmode As Boolean
Dim logFile As String
Sub GetAttachments()
'-------------------------------------------------------------------------------------------------
    'ONLY THE 3 FOLLOWING LINES SHOULD BE CHANGED
    saveToLocalFolder = "C:\attachments\"   'should end with a \  and the folder must be created manually before running this
    includeSubFolders = True 'set to True will process all subfolders of the selected Outlook folder
    testmode = True 'true = only write to debug window and log (doesn't save the attachments to disk)
   
    'INSTRUCTIONS:
    'Make sure the values for the 3 variables above are set to what you want
    'Then in Outlook, select the folder you want to extract attachments from
    'Run with testmode = True first to test if everything works
    'Then change testmode from True to False and run again
    'To Run the code, click Run(Play icon in the toolbar). Or place the cursor here somewhere and press F5
   
    'When the attachments are stored to disk they will get the name:
    'Folder-Subfolder EmailSubject - attachmentname
    'Example: TestFolder-SubFolder-SubFolder2 Re TestMessage - Documentation.pdf
    'The file name will be simplified and shortened. For foldernames to 50 chars, and email subject to 50 chars
'-------------------------------------------------------------------------------------------------
    Dim folder As Outlook.MAPIFolder
    On Error GoTo errH 'route runtime errors to the errH handler below (GoTo 0 left it unreachable)
    Dim reply
    reply = MsgBox("The folder: '" & Application.ActiveExplorer.CurrentFolder.folderpath & "' is selected in Outlook" _
        & Chr(10) & "Is this the folder you want to extract attachments from?" _
        & Chr(10) & Chr(10) & "TestMode: " & IIf(testmode, "True", "False") _
        & Chr(10) & "IncludeSubFolders: " & IIf(includeSubFolders, "True", "False"), vbYesNo)
    If reply = vbNo Then Exit Sub
    logFile = Replace(Application.ActiveExplorer.CurrentFolder.folderpath, "\\", "")
    logFile = Replace(logFile, "\", "-")
    logFile = saveToLocalFolder & "log_" & Left(GetSimpleName(logFile), 100) & " " & Format(Now(), "yyyy-MM-dd hh-mm-ss") & ".txt"
    WriteToLog "Folder selected in Outlook: " & Application.ActiveExplorer.CurrentFolder.folderpath
    WriteToLog "TestMode: " & IIf(testmode, "True", "False")
    WriteToLog "IncludeSubFolders: " & IIf(includeSubFolders, "True", "False")
    WriteToLog "Only names of folders and attachments will be printed below (not emails without attachments)"
    Set folder = Application.ActiveExplorer.CurrentFolder
    processFolder folder, folder.Name
    Exit Sub
errH:
    MsgBox Err.Description
    End Sub
Sub processFolder(ByRef inFolder As Outlook.MAPIFolder, folderpath As String)
    Dim subfolder As Outlook.MAPIFolder
    Dim email As Outlook.MailItem
    Dim attachment As Outlook.attachment
    Dim no As Long
    Dim info As String
   
    info = "Processing: " & folderpath & "  (" & inFolder.Items.Count & " items)"
    Debug.Print info
    WriteToLog (info)
    For no = 1 To inFolder.Items.Count
        If UCase(TypeName(inFolder.Items.Item(no))) = "MAILITEM" Then
            Set email = inFolder.Items.Item(no)
            For Each attachment In email.Attachments
                SaveAttachment inFolder, email, attachment, folderpath
            Next
            DoEvents
        End If
    Next
   
    If Not includeSubFolders Then Exit Sub
   
    For Each subfolder In inFolder.folders
        processFolder subfolder, folderpath & "\" & subfolder.Name
    Next
End Sub
Sub SaveAttachment(ByRef folder As Outlook.MAPIFolder, ByRef email As Outlook.MailItem, ByRef attachment As Outlook.attachment, _
                   ByRef folderpath As String)
    Dim filename As String
    Dim info As String
    filename = Replace(folderpath, "\", "-") & " " & email.Subject & " - " & attachment.filename
    Debug.Print Chr(9) & filename
    WriteToLog Chr(9) & filename
    Dim filenameMod As String
    filenameMod = Left(GetSimpleName(Replace(folderpath, "\", "-")), 50) & " " & Left(GetSimpleName(email.Subject), 50) & " - " & attachment.filename
    If filename <> filenameMod Then
        filename = filenameMod
        info = "Filename changed to: " & filename
        Debug.Print Chr(9) & info
        WriteToLog Chr(9) & info
    End If
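    If Not testmode Then
        'Don't overwrite an attachment saved earlier under the same name (same subject + file name):
        'prefix a counter so every attachment stays on disk to be scanned
        Dim target As String, n As Long
        target = saveToLocalFolder & filename
        Do While Dir(target) <> ""
            n = n + 1
            target = saveToLocalFolder & n & " " & filename
        Loop
        If n > 0 Then WriteToLog Chr(9) & "Saved as: " & n & " " & filename
        attachment.SaveAsFile target
    End If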
End Sub
Function GetSimpleName(s As String) As String
    With CreateObject("vbscript.regexp")
        .Global = True
        .IgnoreCase = True
        .Pattern = "[^A-Z0-9-._\ ]"
        If .test(s) Then
            GetSimpleName = .Replace(s, "")
        Else
            GetSimpleName = s
        End If
    End With
End Function
Sub WriteToLog(ByRef txt As String)
    Dim fso As Object, stream As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set stream = fso.OpenTextFile(logFile, 8, True) '8=append, True=create if doesn't exist
    stream.WriteLine txt
    stream.Close
    Set stream = Nothing
    Set fso = Nothing
End Sub
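
A follow-up triage of the folder the macro fills, as an added example that is not part of the original post or of any F-Secure tool: it hashes each saved attachment and flags names and contents that deserve to be checked first. The function names, the extension lists and the sample files are assumptions constructed for illustration; only the "<folders> <subject> - <attachment name>" naming and the log_ prefix come from the macro above.

```python
import hashlib
import tempfile
from pathlib import Path

# Illustrative lists (assumptions): extensions Windows runs or that carry macros, and common decoys.
RISKY = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar", "lnk", "docm", "xlsm"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}
MAGIC = {b"MZ": "executable", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole2", b"%PDF": "pdf"}

def triage_file(path):
    """Hash one saved attachment and collect reasons to look at it first."""
    data = path.read_bytes()
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")
    # The macro names files "<folders> <subject> - <attachment name>"; folder and
    # subject may contain dots, so only the part after the last " - " is inspected.
    parts = path.name.rpartition(" - ")[2].lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in RISKY:
        reasons.append("risky extension ." + ext)
    if len(parts) > 2 and ext in RISKY and parts[-2] in DECOY:
        reasons.append("double extension")
    if kind == "executable" and ext not in RISKY | {"dll", "sys"}:
        reasons.append("executable content behind ." + ext)
    return {"file": path.name, "sha256": hashlib.sha256(data).hexdigest(),
            "kind": kind, "reasons": reasons}

def triage_folder(folder):
    """Return flagged files, most reasons first; the macro's log_ files are skipped."""
    rows = [triage_file(p) for p in sorted(Path(folder).iterdir())
            if p.is_file() and not p.name.startswith("log_")]
    return sorted((r for r in rows if r["reasons"]), key=lambda r: -len(r["reasons"]))

def demo():
    """Run the triage over constructed sample files (not real attachments)."""
    samples = {
        "Inbox Re v1.2 offer - offer.pdf": b"%PDF-1.4 constructed",
        "Inbox Invoice - invoice.pdf.exe": b"MZ constructed",
        "Inbox-Old Photos - holiday.jpg": b"MZ constructed, wrong type for the name",
        "log_Inbox 2014-01-01 10-00-00.txt": b"Processing: Inbox  (3 items)",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            (Path(tmp) / name).write_bytes(content)
        return triage_folder(tmp)

if __name__ == "__main__":
    for row in demo():
        print(row["sha256"][:16], row["kind"], row["file"], row["reasons"])
```

To use it on real data, call triage_folder on the folder set in saveToLocalFolder after a run with testmode = False. The SHA-256 values can be searched on VirusTotal without uploading the files themselves.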

 

Advocate

Re: virus's inside Aquarius?

Just a post to notify that I updated the code in my previous post :)