trojan-Spy.HTML.Fraud.gen in Outlook Express

OK, thanks. I'm not sure what I'm attaching is going to be much help. The Kaspersky scan with IE came out the same as it did with Firefox. I've attached it. The Trojan-Spy.HTML.Fraud.gen is somewhere in the Sent folder and on my external backup drive, same folder, but I don't know which emails are involved. I'm also attaching the MBAM log, which as best I understand didn't find anything. Kaspersky is the only program that's identified this. I don't really understand what the combofix program may have done, but if it did disinfect any emails/files on the C drive, I need to know what they are so I can do the same thing to the backup drive. I was surprised to see that this program found Zone Alarm files. I've used ZA for years, but recently my computer's been crashing a lot (maybe since upgrading to IE7?) and I removed it in the Control Panel this morning and then rebooted. Now I see that there's still a folder on my hard drive. Should I delete tihs? Is there any reason to think that ZA was causing all the crashes? Windows hasn't crashed since.

Andrea

All look ok now except for the Kaspersky. Actually posted the wrong one, I wanted you to run Panda instead to see if it can locate the exact email in question:

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

For ZoneAlarm, I still see it running at startup even. Can you double check the Add/Remove Programs to make sure it's gone? Also check C:\Program Files\ZoneAlarm to be sure and see if there is an uninstaller there.

I enabled popups and Panda's AcitveX controls loaded, but there wasn't an option for me to enter country, etc. or to state what I wanted scanned. Looking at the log, it looks like the C and E (external) drives were scanned, so My Computer must be the default. I'm attaching the file--lots of tracking cookies, although most if not all seem to be in backups. There were also a few worms--but not the same Trojan that Kaspersky found in my email. This is confusing. Also, now SeaMonkey won't work. I'll reboot after this and see if that helps. As for Zone Alarm, I don't see it checked off in the MSConfig utility, and it's not appearing in mysystray anymore. Where do you see it running at startup? There is an uninstall feature in the folder and I'll do that before I reboot. I would like to reinstall it at some point, assuming that the issue of Windows crashing can be resolved, but my primary problem is to get rid of the garbage on my computer and hopefully speed things up again. Thanks.

I forgot to add that that ZA isn't in the Add/Remove Programs. I had removed it from there, but I double-checked.

You're right. The ZoneAlarm entry was just listed in msconfig. It's not running now, but still shown as being there.

Run the F-Secure Online scan and see if it can narrow down the infected emails:

http://support.f-secure.com/enu/home/ols.shtml

Post the log here if possible, otherwise try to see if it tells you where the location of those infected emails are.

I want to say before I report the results that SeaMonkey is working again after a reboot. Also, one of those scans yesterday really caused some problems. My email time and date stamp were wrong, my clock needed to be reset, and worst of all, my email accounts needed to be reconfigured, which I wouldn't have minded if only we'd resolved the basic problem. This is totally confusing! Some scans don't indicate any problems, but each one that does, shows something different. I'm pasting the results of the F-Secure scan below. It only found a tracking cookie and as best I can tell removed it. I don't know where it was located. Still don't know about the emails and still don't understand about the worms that Panda found! What's next? Here are the F-Secure scan results:

Scanning type: Scan system for malware, rootkits
Target: C:\ E:\
--------------------------------------------------------------------------------
Result: 1 malware found
TrackingCookie.2o7 (spyware)
System
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 51370
System: 4299
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Andrea

I realize that this is all confusing, but do you have any suggestions about where to go from here? Thanks.

The only tool here that would have touched the timestamp is ComboFix. It won't change the time itself, but will change the format to military time instead of the standard AM/PM.

I've seen the online scans reporting back the emails that were infected before. Not sure why these are not showing us the emails in questions. Did some more searching and TrendMicro's OfficeScan has a feature to incorporate into Outlook which will provide this scanning capability. See the below two lines for the download and instructions:

http://www.download.com/Trend-Micro-OfficeScan-Managed-Antivirus/3000-2653_4-10449957.html

http://antivirus.k-state.edu/OfficeScanHelp/osce_topics/scan_pop3_and_outlook_mail_messages.htm

See if the trial period version of the program will help you locate the infected email.

ComboFix seems to have changed the settings for time and date in my control panel, and there were also changes in the way my email accounts were configured, but I've straightened that all out now. I'm not concerned about it; I was just letting you know that the program does that. If I'd known in advance, I would have saved the details about how my accounts are configured.

The problem is in Outlook Express not Outlook. As best I can gather from the second link you posted, this will search Outlook files only. ( did already run a Trend-Micro online scan--although not the free trial--and it came up clean.) A few questions: (1) Aside from the trojan in the emails, what about the worms that the Panda scan found? Does it remove them as well? (2) Is it possible to save a copy of the .dbx file to somewhere else that one of the online scanners search and isolate the emails that way? Or if not isolate them, at least delete them? or (3) What next? Thanks again for your help.

Once ComboFix is removed, all the Windows settings changes it made should be reverted back.

1. Panda found mostly cookie files, but for the worms/virus files it found, one is ComboFix which is a false positive (ok to keep for now). The others are in your system restore point. We can fix that easily. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.

2. I'm not aware of any scanners that will scan a .dbx file directly and remove the infected email entries.

3. Two more things come to mind. One which is to run another online scan (BitDefender - http://www.bitdefender.com/scan8/ie.html). The second option is to install a antivirus program like AVG (http://free.avg.com) which provides incoming and outgoing email scans. The problem I see with this now is that you already have this email existing and I don't think ti will run a scan on those old sent emails.

Do you have a lot of emails in the sentbox with attachments? My guess is that these infected files will come with some sort of attachment and if you don't have a lot of emails like this, you can sort it by attachments and filter it from there. One other thing I can think of is to just work your way back up from the most recent dated emails in the sentbox to the older ones. You might just be infected recently so the emails may be current and won't require you to look through too many.

It occurred to me after you suggested getting a trial of Trend Micro-Office that maybe I could get a trial of Kaspersky. I began to search for that but wasn't sure which one would include scanning old emails in OE, so I began to look through their online forum--and to my surprise in the forum for virus-related issues, in the Read Before Posting information, it said that if you found malware with the online scan click here to get the removal tool. Well gee, I can't believe I didn't think of that in the first place! I did it and installed it and it scanned for a couple of hours and then said that it couldn't disinfect the 2 emails. It identified them at last! I opted to delete them. Nothing was found in my backup drive this time, which I don't understand, but tomorrow I'm going to scan both drives again with the online scan and see if I'm clean. If they're in the backup drive, I'm going to delete the entire .dbx folder and then backup again from my clean C drive. These emails were from 2004 and 2005, so I can't see how they'd be causing a slow-down now unless I clicked on the links, which I didn't, but I'm still glad to be rid of them, if I am.

I do have a lot of emails in the sent folder, but very few with attachments. I don't think this trojan is spread through the attachments but through html links.

After I scan again, I'll report back. I haven't removed comboFix yet and can do that. That's probably why the settings didn't correct themselves. I'll also do as you advised for system restore and then scan again with Panda. Are any of these possible causes for my computer running slowly (loading pages, moving from page to page, and loading the graphics in emails)?

I forgot to upload the file, and it's too big even after separating into files. I'm attaching the third part of the file, which contains the infected emails.

Sorry, another post. How do I uninstall combofix? It's not in Add and Remove Folders, and I don't see it in Program Files. I see a folder on my hard drive called Qoobox that has some combofix backups, but I'm not sure if that's what I'm supposed to delete. When I searched online, I saw a recommendation to go to Start, Run and type in combofix /u, but when I do that I get a message that Windows can't find it.

Yep, that's what I was looking for (the subjects and date on them). Glad the Kaspersky scan found them with the trial install.

Do you still have ComboFix on the desktop? If so, try to do this instead. Go to Start > Run and copy/paste the following in and hit OK:

"c:\documents and settings\akotula\Desktop\ComboFix.exe /u"

I didn't even have to get the trial. I just registered at one of the Kaspersky forums and there was an informational post about removing malware. It had a link for a removal tool for people using an online scan. I ran the Kaspersky online scan again today, and my C drive was clean, but the external backup drive still had the copies in the Sent folder. I deleted that folder and backed up my hard drive again, so that should be okay too. I'll probably scan it later to be sure. I still want to get rid of the worms found in the Panda scan, and you'd said that one was a false positive caused by Combofix. The only thing on my desktop is the combofix text file with the results. Where does that get installed and how do I remove it? Is that the Qoobox folder (see below), or should there be a combofix folder somewhere? I think that I've reconfigured everything that Combofix changed, so I'm not sure if I need to do anything, but there's no point in leaving it behind either.

In rereading the last few lines from the Panda scan (several posts above this one, the ActiveScan.txt file on March 1), I see that a worm is located in C:\Quarantine\combofix.exe.vir/ Is that the one that's a false positive? In that same folder, there's also a file called A006338.exe.vir/ There's also a separate folder, C:\Qoobox, that has 2 subfolders: BackEnv and Quarantine. BackEnv looks like backups of settings. The Quarantine subfolder goes down several levels: C/ Documents and Settings/All Users/Application Data/Microsoft/Network/Downloader. In the Downloader subfolder are 2 files: gmg0.dat.vir and gmg1.dat.vir/ Are all these virus files? I'll eventually run the Panda scan again, but I'd like to get rid of all that first. There's also a Registry Backups subfolder in the Quarantine folder.

I turned off System Restore and then turned it back on. Are you saying that worms are stored in the restore point? Could you explain?

And finally, I'm going to want to reinstall Zone Alarm so that I have a firewall again. I think that was responsible for all the computer crashes I was having, but it may be because I upgraded to IE7. Do you know of any conflict? Maybe I just downloaded a corrupted version of ZA.

Download ComboFix again from the link provided earlier. Just save it to your desktop and then run the command I provided to you one post above. That should remove ComboFix and also remove all your system restore points including those that were infected with the virus/worms. Most of the folders related to ComboFix should also be deleted after doing this. If not, feel free to remove them (including the Qoobox folder).

Yep, it looks like Panda flagged and removed ComboFix during that run. Which explains why you don't have it on your desktop anymore.

Regarding the qoobox folder, you will see the backups it made for the files that were removed. It will be in the folder format as you have seen.

Yes, they were in the restore points. By disabling system restore and enabling it back, you should have cleared it. Removing ComboFix will also do this.

The issue with ZoneAlarm might have to do with some Windows update. Was this a recent issue or something that happened some time last year? I remember seeing problems arising from a Windows update last year but it should be long fixed by now. You can download the latest version of ZA to be sure.

Thanks for bearing with me for so long. I reinstalled ComboFix on the desktop and uninstalled it. Interestingly, after the uninstall I saw that this time there was a C:\combfofix folder, and I deleted it. I also deleted the Quarantine folder that wasn't part of the qoobox folder. Windows wouldn't let me just delete the contents, so I deleted the entire folder. The Kaspersky online scan is now clean for both my C and external drive. I ran Panda again and there were a lot of tracking coolies on my external drive, so I deleted them. I'm not sure why they're there and not on my C drive because I had copied everything from the C drive to the external drive yesterday, but I ran Panda again and they're gone. There were two suspicious files. I've attached the log. If you can explain what these are and what I should do about them, I think we can finally wrap this up.

I should have checked those two files before I posted above. The C:\Program Files|Common Files one is an installer for software I used for my job. It's free, so I just deleted it for now. The C:\Windows\Installer one is more confusing because I can't find that in Windows using Windows Explorer, and none of my files are hidden. I searched for .msi files and a lot of Windows Installations came up, but none of them had that number. So that's the only one that's questionable at this time.

OK, thanks. That one was also an installer for the same software as the other suspicious file--and I just deleted it. Thank you so much for your help. Although I actually figured out that it was the Kaspersky removal tool that would isolate the 2 infected emails, you led me in that direction, and your other help has been invaluable. You spent a lot of time on this--and you were the only one who offered to help. It was much appreciated.

Note that although I'm accepting your last post as the solution, the solution was really a combination of several different posts.

Andrea

The solution was a combination of all of greyknight17's expert posts and not just the final one. He went out of his way to follow through on many posts until the problem was resolved--and he was the only one who posted. His help was very much appreciated.