Re: Ewido, Trojan Hunter Or Both?
From: Ann Speakman (aspeakman_at_homechoice.co.uk)
Date: 04/03/05
- Next message: Michael Pelletier: "Re: Detect Wireless Access Points"
- Previous message: NonDisputandum.com: "Re: Ewido, Trojan Hunter Or Both?"
- In reply to: David H. Lipman: "Re: Ewido, Trojan Hunter Or Both?"
- Next in thread: David H. Lipman: "Re: Ewido, Trojan Hunter Or Both?"
- Reply: David H. Lipman: "Re: Ewido, Trojan Hunter Or Both?"
Date: Sun, 03 Apr 2005 18:47:33 +0100
David H. Lipman wrote:
> From: "Ann Speakman" <aspeakman@homechoice.co.uk>
>
> | mrk wrote:
>
>>>"Ann Speakman":
>>>8<
>>>
>>>>I downloaded Clamwin and ran it and got the following report:
>>>>
>>>>:\Documents and Settings\Ann1\Application
>>>>Data\Thunderbird\Profiles\qw6nbw37.default\Mail\pop.homechoice.co.uk\Inbox:
>>>>Worm.Gibe.F FOUND
>>>>
>>>>C:\Documents and Settings\Ann1\Application
>>>>Data\Thunderbird\Profiles\qw6nbw37.default\Mail\pop.homechoice.co.uk\Junk:
>>>>Worm.Gibe.F FOUND
>>>>
>>>>C:\Documents and Settings\Ann1\Application
>>>>Data\Thunderbird\Profiles\qw6nbw37.default\Mail\pop.homechoice.co.uk\Trash:
>>>>Worm.Gibe.F FOUND
>>>
>>>8<
>>>
>>>>So now Clamwin has told me I have 3 infected files, but it does not tell
>>>>me how to get rid of the infection!!!
>>>
>>>These positives seem to be infected emails you have in the 'inbox', 'junk' and 'trash'
>>>folders of your Thunderbird mail client. As long as they're sitting there they won't
>>>cause trouble. Besides that, the Gibe.F worm exploits a specific Outlook
>>>(Express) vulnerability. If you want to be clean, and I have a feeling you do, emptying
>>>your junk and trash folder should get rid of two of the positives. You could manually
>>>search for the infected message in the inbox; probably a not so recent message with a
>>>weird subject and an attachment with a size of approx. 100 kB.
>>>
>>>8<
>>>
>>>>Help!!
>>>
>>>Relax :)
>>>
>>>Mark
>>>
>>>---
>>>avast! Antivirus: Inbound message clean.
>>>Virus Database (VPS): 0513-2, 04/01/2005
>>>Tested on: 4/3/2005 1:43:07 PM
>>>avast! - copyright (c) 1988-2005 ALWIL Software.
>>>http://www.avast.com
>>>
>
> | This post is to thank you all for your help and advice. I put all items
> | in quarantine in Clamwin and then went to bed. This AM I ran my AV in
> | safe mode, having disabled System Restore and did the most
> | comprehensive AV scan possible in Avast. It took literally hours.
> | Nothing suspicious was found.
> |
> | Having looked at the files in quarantine, which Mark quite rightly said
> | were in my Thunderbird stuff, I allowed Clamwin to remove them.
> | Incidentally, I do not leave stuff in my inbox that is at all suspicious
> | and junk and trash is emptied every day...so being ignorant I do not
> | understand how it was there. I have rerun Clamwin on my docs. and
> | settings and all is now clean.
> |
> | I am really anxious to stay clean. What I do not understand is why I got
> | infected, given the following facts:
> |
> | My ISP checks all mail incoming and warns of infected mail which I
> | always delete immediately.
> |
> | Avast also screens all email, both incoming and outgoing.
> |
> | One would think that the nasties could not get through both gates of safety.
> |
> | Any advice on how to tighten up my act?
> |
> | I was interested in the discussion about having Clamwin sitting in my
> | systray ready for scanning. I take it that the general advice is to
> | disable Avast before any scanning with Clamwin, although everything
> | seemed to go OK when I first scanned with Clamwin although Avast was
> | running in the background.
> |
> | I am glad that Clamwin picked up the worm even though it made me feel
> | very anxious.
> |
> | I am not happy that neither the ISP security (which is Kaspersky) nor
> | Avast email scanner picked up the worm before it got into my system.
> | Should they have detected it?
> |
> | Hope all you experts do not mind my naivete; I hope my battles and
> | attempts to learn help others.
> |
> | Thanks once more..much appreciated.
> |
> | ---
> | avast! Antivirus: Outbound message clean.
> | Virus Database (VPS): 0513-2, 04/01/2005
> | Tested on: 4/3/2005 2:05:20 PM
> | avast! - copyright (c) 1988-2005 ALWIL Software.
> | http://www.avast.com
> |
>
> But you learned nothing. You still have both ClamWin and AVAST running at the same time.
>
> Nor have you addressed other points.
>
David,
I really have learned a lot.
For one, having read ALL the posts in the thread really carefully
today...please realise it was getting very late in UK when we were
having our discussion last night...I went to the websites you gave me
and read what they said about getting rid of worms, viruses etc. I
acknowledge that I should have gone there first. But I also admit that I
panicked about the worm that was found.
I also printed off what you had written in instructions on this site.
I then followed EVERYTHING you advised me to do. The Trend Sysclean
which was run in both safe mode and after restart came up clean.
I created a new restore point as instructed and I now have the printed
notes plus the sites saved in my bookmarks.
I do not have Clamwin and Avast running at the same time...I removed
Clamwin from my systray earlier today.
You must not despair of wayward pupils such as me....you slapped my
wrists and now I want you to know I acted and my system is clean for the
present.
I have also deleted Stinger, but I know where to look for it in the future.
Once again my thanks to everyone for their assistance and patience in my
time of need.
---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0513-2, 04/01/2005
Tested on: 4/3/2005 6:47:39 PM
avast! - copyright (c) 1988-2005 ALWIL Software.
http://www.avast.com
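An added example, not part of the original thread: Thunderbird keeps each mail folder (Inbox, Junk, Trash) as a single mbox file, which is why the scanner report quoted above names the whole folder file rather than one message. This Python script lists the messages in such a file that carry an attachment at or above a chosen size, automating the manual search suggested in the quoted reply; the sample mailbox, addresses, subjects and file name are constructed.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage


def attachments_in_mbox(path, min_bytes=0):
    """Return (message index, subject, file name, decoded size) per attachment."""
    hits = []
    box = mailbox.mbox(path, create=False)
    try:
        for index, msg in enumerate(box):
            for part in msg.walk():
                name = part.get_filename()
                if not name:
                    continue  # body text and multipart containers have no file name
                payload = part.get_payload(decode=True) or b""
                if len(payload) >= min_bytes:
                    hits.append((index, msg.get("Subject", ""), name, len(payload)))
    finally:
        box.close()
    return hits


def build_sample_mbox(path):
    """Constructed sample: one plain message and one with a 100,000-byte attachment."""
    box = mailbox.mbox(path)
    plain = EmailMessage()
    plain["From"] = "friend@example.org"
    plain["Subject"] = "Lunch on Tuesday?"
    plain.set_content("See you then.")
    box.add(plain)
    odd = EmailMessage()
    odd["From"] = "unknown@example.org"
    odd["Subject"] = "Latest security update"
    odd.set_content("Please run the attached file.")
    odd.add_attachment(b"\x00" * 100_000, maintype="application",
                       subtype="octet-stream", filename="attachment.bin")
    box.add(odd)
    box.flush()
    box.close()


if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "Inbox")
    build_sample_mbox(sample)
    for index, subject, name, size in attachments_in_mbox(sample, min_bytes=50_000):
        print(f"message {index}: {subject!r} carries {name} ({size} bytes)")
```

Run it against a copy of the folder file with the mail client closed, so the file is not being written while it is read.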