Unauthorized Emails Need Help

[bonsaimax]

As soon as I connect to the internet, my Norton Antivirus scans an outgoing email and later on pops up a message saying that my email was not sent successfully because it contained a virus. I run Norton Virus Scan, but it says my computer is CLEAN. I also run Spybot Search and Destroy, still, it comes out clean. The fact is, I have never sent any emails, nor have I ever used Outlook to sent emails. I stopped using hotmail, and have since stuck to yahoo. Is my PC infected? if so, by what? Or has it been hacked into. I have already downloaded all windows updates, and my Norton virus definitions are up to date.

If someone can shed some light on this matter, I'd be very appreciative. Thanks!

[simon43]

Just a comment - I used to use Norton antivirus products but found them notoriously bad at identifying viruses on my PC. I swapped to Mcafee products (www.mcafee.com), and found them far more reliable and successful.

Simon

PS - And I don't work for Mcafee! Just want to get good protection fror my PC

[phuket Mike]

Sounds to me your system has been hacked !!

Instead of testing Norton with the LiveUpdate feature check your virus definition date and make sure it says either today's date or one very near. It is possible that once your system has compromised that Norton has also been changed so that LiveUpdate alway says everything is upto date.

I have had a machine with exactly the same problem you have described. Try the following.

From a different machine download the latest virus definition files Symantec Website and manually install them on your machine (it normally very easy just an executable file).

Rerun a full virus check.

There is one worm virus which I can't remember the name that Norton cannot get rid of, but you can download a special program from their website that will get rid of it. If the updated Norton reports this it will also tell you where to get the removal tool.

If you are running Windows 2000 or XP Pro check the users and groups and make sure only the account you are using and the Administrator account are enabled. One of the main hacking tools creates a new account called admin, if its there disable it.

Check your SERVICES for a service called ntservice, this is a hacking service, if its there stop it and disable it.

Check your windows system is upto date, this won't stop the hacker if he is already in, but it will bolt the stable door and stop anyone else.

If none of the above makes any difference, I would remove your antivirus package completely and re-install either a later copy or a different AV product to see whether it can detect a problem. There are a few free ones around on the internet.

There is often no definitive fix for some of the problems often multiple viruses and hacks can make it difficult to identify the culprit. Its just a matter of trial and error.

Hope this helps. I would be interested in knowing which version of Norton you are running and version of Windows.

You may also want to consider installing some firewall software to stop people getting into your system in the future. There are some free ones around if you go to www.download.com and search for firewall.

I actually use Norton Internet Security which is not that much more expensive that the AV package and includes a Firewall, AV, ad blocking and site blocking.

Good luck and if I can help any further please PM me.

phuket Mike

[Guest IT Manager]

In spite of votes to the contrary, the best Virus Manager I have ever had access to is VET from www.vet.com.au.

You can d/l the same product from Computer Associates for half the price or less, set update daily, automatically.

Install in safe mode. Run it.

The worms spoken about earlier are probably klez H and/or Poz A. They need to be cleaned in DOS mode. Easy on a Win98 machine, dog in anything else. They do work in a window, but not as well.

After downloading them from any of the virus sites, start the machine, using a Win98 Boot Disk. Select "command prompt". At the "c" prompt, type the name of the fix file (clnklez or clnpoza), and use the command -v (clnpoza -v) or (clnklez -v).

Open a bottle of beer Chang. Sit back. Watch.

When finished, take out the boot disk, restart. Open another beer Chang.

Open a PM to me. Ask for my bank details. Send me 750 baht.

I will send an invoice/receipt.

[p1p]

I find Sophos is also very good. www.sophos.com

If you are sending money, can I have some too

Please

[geroreilly]

Aha,

All these IT people think they know everything, eh?

I'm not sure what level of computer knowledge you have but here are 2 quick checks that may help:

1. Check that system restore is turned off. Right click on My Computer and select properties. Why? Cause even though your anti virus has removed the virus, windoze puts it back with system restore...... figure that out!!?? Its a nice feature from them - but ................

2. Stinger.exe...... i think its a McAfee product........ google it and download.

If all else fails then u can go for the beer chang option and end up with a mad headache.....

I think ###### knows what im talkking about!

[phuket Mike]

First of all you are assumming that bonsaimax is using Windows XP because System Restore is a feature of XP only.

Secondly as far as I'm aware system restore doesn't work like that. All it does when enabled (which it should be) is create Checkpoints i.e. system copies that you can go back to should something fail.

So if you install a new driver or make a significant change you can roll back if it causes a problem. So the only thing it does automatically is make the back ups not restore anything.

Hey I maybe wrong, because fortunately I have never had to use it but all I go by is some testing I have done and the Microsoft documentation (which I admit is poor).

So maybe the next step would be to tell us all what version of Windows you are running and which version of Norton.

Good Luck

phuket Mike

[phuket Mike]

Actually the worm I was talking about was BAT.Mumu.A.Worm, no wonder I couldn't remember its name.

Anyway more information can be found at BAT.Mumu.A.Worm Info

It is very common in Asia and especially here in Thailand. I have seem it in 3 different offices infecting about 30 machines in total. Once installed on your system it not only degrades performance but also installed a load of batch files, services and user accounts to allow hackers into your machine.

They then can install an email utility that will use your machine to email the virus to other people.

phuket Mike

[geroreilly]

Phuket Mike,

And how to fix? Does Norton do the job? Or McAfee? Or do you recommend some other way to fix.

[phuket Mike]

geroreilly,

Well if we are talking about the BAT.Mumu.A.Worm virus, which we are not sure yet if this is the problem, as far as I am aware none of the mainstream virus packages will get rid of it (although I am sure someone will prove me wrong on this one). A fully up to date version of Norton will detect it but thats all.

Anyway, Norton have produced a specific removal tool which can be downloaded from their website for free. If you follow the link from my previous post, down at the bottom is a link to the removal tool.

I don't think this is a new virus it just seems fairly prevalent here.

Cheers,

phuket Mike

[bonsaimax]

to all the GURU's -- thanks for all the advice. As a newbie, I'm still groping in the dark when it comes to PCs. BTW, Mike, You're right. My machine is running on Win XP Pro, Norton Anti Virus 2003, 256 RAM, Pentium 1.7G.

I am due to reformat my HD anyway, will this eliminate the problem? I'll try following your suggestions, BUT before I even start, An ice cold beer Chang would be nice. Again THANKS!

bonzi

[phuket Mike]

Reformatting your hard disk will certainly get rid of the problem, but it is a bit drastic, its like burning your bed to kill a flea.

One thing that doesn't seem to make a lot of sense is that Norton is picking up the virus when it tries to email itself out but not when you scan your disk. Are you sure you initiating a full scan of your hard drive ? This should take about 2-3 beers depending how many files you have and of course how many many beers you can drink in 30 mins.

Norton doesn't constantly scan for viruses but it does scan outgoing emails. Check the options in Norton and make sure it set scan everything.

Anyway if you do reformat your disk don't forget to install all those microsoft patches for Windows XP Pro.

Good Luck

phuket Mike

[bonsaimax]

After downloading the latest Norton AV definitions and running a full system scan, Norton has detected PWSteal.Trojan in my system. Norton couldn't repair it, so I tried deleting it manually at c:\WINDOWS\system32\explorer1.exe. I couldn't delete it saying the file is not accessible or is write protected. I tried visiting Symantecs tech support website, but the only removal tools they have are for Win95 and Win98.

Any ideas on how to get rid of this little booger??? Thanks

[phuket Mike]

I found some information on symantecs web site on how to remove this virus, they are very long winded to say the least, the url is below.

Virus removal instructions

The first thing to check is that Norton is set to delete or quarantine infected or virus files, it may be just set to detect. I'm saying this because the notes on the Symantec site seem to suggest that Norton will get rid of it.

If that fails, its down to the instruction in the url I'm afraid.

Good Luck

mike

[george]

I have used Norman Virus Control over a long period, and are very happy with the program. It is much lighter than for example Norton, doesn't take so much system resources, and updates itself every day as a default option

http://www.norman.com/products_nvc.shtml

You can download a 30 days trial version here:

Norman Virus Control

http://einstein.norman.no/scripts/cwisapi.dll?Service=Trial

[Pink Mist]

just downloaded George hope it's ok

[bonsaimax]

Thanks Mike. Got rid of it. A bit tricky though. Norton was set to quarantine & delete, but couldn't do it on it's own. PWsteal comes in different file names. Mine came as explore1.exe.

Now where was I? OH, right. beeeeer. I almost forgot.

Cheers!

Bonzi

[monty]

I use Avast antivirus, seems to work pretty good, is free for home use...

I like the update section, it downloads only new definitions. Only a few kilobytes every two or three days...

Avast homepage

You get 60 days trial, afterwards you have to register online to get a key (free)