Exploit-mime.gen infection in XP Pro with Eudora

Posted on 2006-06-03
Last Modified: 2013-12-04
I am currently unable to download emails from my ISP as my virus checker (McAfee VirusScan Enterprise 7.1.0, running Windows XP Pro) brings up a VirusScan Alert message saying that a virus file (RCVn.tmp, n changes each time) has been deleted from the spool folder of my Eudora email program. The same message keeps appearing every time I try to download emails. Would be very grateful for help in sorting out this problem as I desperately need to get at the subsequent emails waiting on the ISP server.
Have uninstalled and reinstalled Eudora to no effect.
Many thanks for any help.
Mick Munns
Question by: mickmunns
    LVL 47

    Assisted Solution

    Have you tried running Stinger?

    And make sure you are patched as mentioned here:

    Can we also look at your hijackthis log?
    Please download HijackThis 1.99.1
    Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything.
    Notepad will also open, copy its contents and paste it to either these sites:
    then at the bottom left corner click "paste"
    Copy the address/url and post it here:

    Or paste the log at -->
    and click "Analyse", click "Save".  Post the link to the saved list here.

    Author Comment


    Firstly, thanks for your prompt assistance.

    I ran Stinger, but it got stuck in a scanning loop in C:\Documents and settings\Administrator\Local Settings\Temporary, scanning the same files over and over again without moving on - so stopped it after about 5 minutes of looping. Was that right?

    Ran the HijackThis analysis and it can be found at:

    Hope it all helps, and thanks again,


    Author Comment

    Should also mention that the patch seemed as if it should already be incorporated in IE6, so didn't try to download it.
    LVL 23

    Expert Comment

    There is a known bug with McAfee changing POP3 server addresses in Outlook/Outlook Express to the default ip Don't know about Eudora, but you might want to check your server addresses all the same.
    This is usually an issue with McAfee Spam Filter, and the only workaround I'm aware of is to uninstall McAfee and use something else.
    McAfee claims this behaviour is by design, but I have dealt with a number of clients who could only get OE or Outlook to work properly by removing or disabling McAfee.

    Author Comment

    Thanks phototropic - I haven't managed to find the actual server address details within Eudora, but as it has been working fine for several months I would guess that it's more likely to be virus induced. Also, when trying to log on to the server it appears to connect OK and tells me how many messages there are waiting to be read, but then when trying to download them it dips out with the VirusScan error message, so it would seem that the address probably is correct. ?
    LVL 97

    Accepted Solution

    Greetings, mickmunns !

    Your HijackThis log looks OK.  Does the email download stop at the same message all the time?  If so, then the message where download stops likely contains the virus.  Delete the first message in webmail, and try downloading again.

    If you need to desperately download the emails, you can disable McAfee Virus Scan and download the emails. Be careful with the emails, as one may contain the virus. Don't open any attachment.  Save the attachment and scan it with antivirus.

    Best wishes!
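
The triage suggested in the answer above (find which waiting message carries the attachment, then save and scan it instead of opening it), as an added example that is not part of the original thread. It is a heuristic, not McAfee's detection logic; the extension list, the type list and both sample messages are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly (illustrative list, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Declared MIME types under which an executable attachment is at least honest.
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}

def triage(raw: bytes):
    """Return (filename, declared_type, reason) for each attachment to scan first."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # walk() also descends into message/rfc822 parts, i.e. the original
    # mail that an "Undeliverable" bounce carries back to the sender.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ctype = part.get_content_type()
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXT:
            honest = ctype in EXEC_TYPES
            reason = "executable attachment" if honest else "executable name under non-executable type"
            findings.append((name, ctype, reason))
    return findings

def sample_bounce() -> bytes:
    """Constructed sample: a bounce wrapping a mail with a mislabelled attachment."""
    inner = EmailMessage()
    inner["Subject"] = "hello"
    inner.set_content("see attached")
    inner.add_attachment(b"MZ", maintype="audio", subtype="x-wav", filename="readme.exe")
    outer = EmailMessage()
    outer["Subject"] = "Undeliverable: hello"
    outer.set_content("Delivery to the recipient failed.")
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer.as_bytes()

def sample_clean() -> bytes:
    """Constructed sample: ordinary mail with a harmless text attachment."""
    msg = EmailMessage()
    msg["Subject"] = "notes"
    msg.set_content("notes attached")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for label, raw in (("bounce", sample_bounce()), ("clean", sample_clean())):
        print(label, triage(raw))
```

To use it on real mail, pass `triage()` the raw bytes of a message saved to a file; an empty result means only that no executable-named attachment was found, so the saved attachments still go through the antivirus scan.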
    LVL 32

    Assisted Solution

    Yes, war1 is correct. Eudora gets stuck sometimes if you download a mail with an infected attachment. (It only happens with some infected emails, not all).

    In addition to war1's suggestion for fixing the immediate problem, you should do the following to avoid this happening in the future:

     Go into the McAfee AV settings, and EXCLUDE the Eudora spool folder from being scanned. The default location for this folder is "C:\Program Files\Qualcomm\Eudora\spool" but it could be elsewhere if your Eudora email is being stored some other place on your drive. Just do a search for a folder named "spool" on your drive if not sure.

     By doing this, you eliminate this problem for the future. Eudora gets stuck if the AV program tries to scan and detects an infected e-mail during the mail download process. By excluding the spool folder from being scanned, this cannot happen. This does not increase your risk of catching a virus, because the AV program will still scan the infected email when you try to open it from the Inbox. (Plus, you are very careful about clicking on attachments, aren't you :))


    Author Comment

    OK Guys,

    I'm certainly making progress, although it's a bit slow! Many thanks for the suggestions.

    Firstly war1 - I went into my webmail, opened the inbox OK and deleted any messages which looked suspicious (2 had attachments, but not the next message due to be downloaded, which I deleted anyway as most likely to be the problem).

    Logged out and went back to Eudora, but it said mailbox was locked and couldn't download. Restarted computer, tried all sorts, and eventually (apparently just a matter of time) it reverted so I could get emails. It downloaded 3 (of 15) and gave the same virus alert again. Went back into webmail and deleted the next waiting message, which incidentally did not appear to be suspicious, but was similar to the previous first waiting message in that it was an 'Undeliverable' from a small mailing I had sent out yesterday. Could it be that I have been sending a virus from my computer without knowing that I had it (even though I have VirusScan), and it is coming back to haunt me?!

    I feel like ditching McAfee and going back to AVG which I had on my previous computers!

    And r-k - thanks for that too - I have done as you suggest. Between you I am now able to get my emails from Eudora OK. Interestingly a further 2 messages were returned as undelivered but both could be opened without any virus message appearing.

    I'll split the points accordingly. If you think I should worry about the virus possibly coming from my machine then please post again. Otherwise grateful thanks to all.

    LVL 32

    Expert Comment

    Great to know things are better. I am pretty sure that your system is not infected. You can run a full disk scan with McAfee just in case, but I doubt if you'll find any active infection.

    I found the following link relating to this problem, which pretty much says what you've already done:

    As for AVG vs McAfee, I am not sure whether AVG will cause the same problem or not. I know Symantec/Norton has the same problem. I think it is mainly a poor design on the part of Eudora, it happens with Netscape Mail and Outlook Express as well, so don't know who to blame.

    Excluding the Eudora Spool folder from being scanned is a safe thing.

    As an aside, you should never set the AV settings to "automatically delete infected files". It should always be "Quarantine infected files". Otherwise you run the risk of having your Inbox getting deleted even if one infected attachment is found.

    Good luck.
