• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 439
  • Last Modified:

Exploit-mime.gen infection in XP Pro with Eudora

I am currently unable to download emails from my ISP as my virus checker (Macafee VirusScan Enterprise 7.1.0, running Windows XP Pro) brings up a VirusScan Alert message saying that a virus file (RCVn.tmp, n changes each time) has been deleted from the spool folder of my Eudora email program. The same message keeps appearing every time I try to download emails. Would be very grateful for help in sorting out this problem as I desperately need to get at the subsequent emails waiting on the ISP server.
Have uninstalled and reinstalled Eudora to no effect.
Many thanks for any help.
Mick Munns
0
mickmunns
Asked:
mickmunns
3 Solutions
 
rpggamergirlCommented:
Hi,
Have you tried running Stinger.
http://vil.nai.com/vil/stinger


And make sure you are patched as mentioned here:
http://72.14.203.104/search?q=cache:eL2Ym-O2rRUJ:vil.mcafee.com/dispVirus.asp%3Fvirus_k%3D99273++Exploit-mime.gen+&hl=en&gl=au&ct=clnk&cd=1&lr=lang_en


Can we also look at your hijackthis log?
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything.
Notepad will also open, copy its contents and paste it to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 
mickmunnsAuthor Commented:
Hi,

Firstly, thanks for your prompt assistance.

I ran Stinger, but it got stuck in a scanning loop in C:\Documents abd settings\ Administrator\Local Settings\Temporary, scanning the same files over and over again without moving on - so stopped it after about 5 minutes of looping. Was that right?

Ran the HijackThis analysis and it can be found at:
http://www.hijackthis.de/logfiles/e3cc046da97faab64e47f8bb1349f2a7.html

Hope it all helps, and thanks again,

Mick
0
 
mickmunnsAuthor Commented:
Should also mention that the patch seemed as if it should already be incorporated in IE6, so didn't try to download it.
Mick
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
phototropicCommented:
There is a known bug with McAfee changing POP3 server addresses in Outlook/Outlook Express to the default ip 127.0.0.1. Don't know about Eudora, but you might want to check your server addresses all the same.
This is usually an issue with McAfee Spam Filter, and the only workaround I'm aware of is to uninstall McAfee and use something else.
McAfee claims this behaviour is by design, but I have dealt with a number of clients who could only get OE or Outlook
to work properly by removing or disabling McAfee.
0
 
mickmunnsAuthor Commented:
Thanks phototropic - I haven't managed to find the actual server address details within Eudora, but as it has been working fine for several months I would guess that it's more likely to be virus induced. Also, when trying to log on to the server it appears to connect OK and tells me how many messages there are waiting to be read, but then when trying to download them it dips out with the VirusScan error message, so it would seem that the address probably is correct. ?
0
 
war1Commented:
Greetings, mickmunns !

Your HijackThis log looks OK.  Does the emal download stop at the same message all the time?  If so, then the message where download stops likely contains the virus.  Delete the first message in webmail, and try downloading again.

If you need to deperately download the emails, you can disable McAfee Virus Scan and download the emails. Be careful with the the emails, as one may contain the virus. Don't open any attachment.  Save the attachment and scan it with antivirus.

Best wishes!
0
 
r-kCommented:
Yes, war1 is correct. Eudora gets stuck sometimes if you download a mail with an infected attachment. (It only happens with some infected emails, not all).

In addition to war1's suggestion for fixing the immediate problem, you should do the following to avoid this happening in the future:

 Go into the McAfee AV settings, and EXCLUDE the Eudora spool folder from being scanned. The default location for this folder is "C:\Program Files\Qualcomm\Eudora\spool" but it could be elsewhere if your Eudora email is being stored some other place on your drive. Just do a search for a folder named "spool" on your drive if not sure.

 By doing this, you eliminate this problem for the future. Eudora gets stuck if the AV program tried to scan and detects an infected e-mail during the mail download process. By excluding the spool folder from being scanned, this cannot happen. This does not increase your risk of catching a virus, because the AV program will still scan the infected email when you try to open it from the Inbox. (Plus, you are very careful about clicking on attachments, aren't you :))

 
0
 
mickmunnsAuthor Commented:
OK Guys,

I'm certainly making progress, although it's a bit slow! Many thanks for the suggestions.

Firstly war1 - I went into my webmail, opened the inbox OK and deleted any messages which looked suspicious (2 had attachments, but not the next message due to be downloaded, which I deleted anyway as most likely to be the problem).

Logged out and went back to Eudora, but it said mailbox was locked and couldn't download. Restarted computer, tried all sorts, and eventually (apparently just a matter of time) it reverted so I could get emails. It downloaded 3 (of 15) and gave the same virus alert again. Went back into webmail and deleted the next waiting message, which incidentally did not appear to be suspicious, but was similar to the previous first waiting message in that it was an 'Undeliverable' from a small mailing I had sent out yesterday. Could it be that I have been sending a virus from my computer without knowing that I had it (even though I have VirusScan), and it is coming back to haunt me?!

I feel like ditching McAfee and going back to AVG which I had on my previous computers!

And r-k - thanks for that too - I have done as you suggest. Between you I am now able to get my emails from Eudora OK. Interestingly a further 2 messages were returned as undelivered but both could be opened without any virus message appearing.

I'll split the points accordingly. If you think I should worry about the virus possibly coming from my machine then please post again. Otherwise grateful thanks to all.

Mick
0
 
r-kCommented:
Great to know things are better. I am pretty sure that your system is not infected. You can a full disk scan with McAfee just in case, but I doubt if you'll find any active infection.

I found the following link relating to this problem, which pretty much says what you've already done:

 http://eudora.com/techsupport/kb/2507hq.html

As for AVG vs McAfee, I am not sure whether AVG will cause the same problem or not. I know Symantec/Norton has the same problem. I think it is mainly a poor design on the part of Eudora, it happens with Netscape Mail and Outlook Express as well, so don't know who to blame.

Excluding the Eudora Spool folder from being scanned is a safe thing.

As an aside, you should never set the AV settings to "automatically delete infected files". It should always be "Quarantine infected files". Otherwise you run the risk of having your Inbox getting deleted even if one infected attachment is found.

Good luck.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now