AVG just found an e-mail virus
Vic 970
07-03-2002, 03:05 PM
I just got a pop up from AVG saying that it found a virus in my e-mail. There was an 'ok' button which I clicked, expecting it to tell me where the virus was and what it had done about it, but nothing.
I have about 10 unopened e-mails in outlook (several from this forum)
I have run AVG on my 'C' partition but again nothing.
any advice please?
Fruss Tray Ted
07-03-2002, 03:42 PM
Right click on the AVG icon in the taskbar and choose "Run AVG..." Then click on E-mail scanner and see what it says. I don't have a virus in my e-mail, or so it appears, so I'm not sure if this will help.
Do NOT open your e-mail if you have a preview pane enabled.
Others may be along to help shortly.
Also check in the Virus Vault....I just checked mine and found that it still had the eicars test program in it, from back in January...if it caught it, which I think it did, then it should show up there.
Vic 970
07-03-2002, 04:34 PM
E-mail scanner.....
"This feature is currently in operation automatically protecting your computer against virus infection.
No action is required on your part."
In mail Options
"Incoming mail is certified virus free"
"Outgoing mail is certified virus free"
Virus Vault shows...,
File Name = q216309.exe / Time = 03/07/02 18:39:52 / Path q216309.exe
-------------------------------
So it's in there. Can I be sure that it is not anywhere else before I open my e-mails?
And what should I do with it? Obviously AVG can't 'heal' it, so should I just delete it?
And would AVG have deleted the infected e-mail, or just 'vaulted' the attachment (if that's what it was)?
If it was in the body of the email it would have put the whole thing in the vault, if in the attachment just that.
And yes, you can go ahead and delete it.
Looks like AVG is just doing its job....
Vic 970
07-03-2002, 04:46 PM
I have found the e-mail, disguised as a Microsoft security update bulletin (which is still in my inbox).
see http://www.sophos.com/virusinfo/analyses/w32gibea.html
Vic 970
07-03-2002, 05:04 PM
QUOTE:-
X-From_: steve@moonshine33.freeserve.co.uk Wed Jul 03 18:30:21 2002
Return-path: <steve@moonshine33.freeserve.co.uk>
Envelope-to: vic@revi.fsnet.co.uk
Delivery-date: Wed, 03 Jul 2002 18:30:21 +0100
Received: from [128.242.207.107] (helo=linux1587.dn.net)
by imailg2b.svr.pol.co.uk with esmtp (Exim 3.35 #1)
id 17PnxM-0003nM-00
for vic@revi.fsnet.co.uk; Wed, 03 Jul 2002 18:30:21 +0100
Received: from [195.92.195.176] (helo=cmailg6.svr.pol.co.uk)
by linux1587.dn.net with esmtp (Exim 3.22 #2)
id 17Pncm-0006sF-00
for vic@revi.co.uk; Wed, 03 Jul 2002 13:09:04 -0400
Received: from modem-96.celebrimbor.dialup.pol.co.uk ([62.136.146.224] helo=pfxxxie)
by cmailg6.svr.pol.co.uk with smtp (Exim 3.35 #1)
id 17PmeR-00012Y-00; Wed, 03 Jul 2002 17:06:45 +0100
From: "Microsoft Corporation Security Center" <rdquest12@microsoft.com>
To: "Microsoft Customer" <'customer@yourdomain.com'>
Subject: Internet Security Update
Reply-To: <rdquest12@microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="NextPart_000235"
Message-Id: <E17PmeR-00012Y-00.2002-07-03-17-06-45@cmailg6.svr.pol.co.uk>
Date: Wed, 03 Jul 2002 17:06:45 +0100
UN-QUOTE
Don't know if this info is useful to anyone, but I post just in case.
I have checked the registry and there are no entries there, so I will isolate the e-mail for the time being, with a view to deleting both the e-mail and the attachment.
Paleo Pete
07-04-2002, 10:32 AM
The best thing I can think of is to report this virus to the ISP it came from. They can notify their customer of the infection, and may stop all mail being sent from that machine until it is resolved, since most ISPs don't want people sending viruses from their servers.
Take the first Received: from IP Address, which is 128.242.207.107 and enter it into one of the whois boxes at UXN Spam Combat (http://combat.uxn.com/) and you should get the name of the ISP that IP address is assigned to, and possibly contact info, usually an abuse@ address. Then you can enter the ISP name (whatever.isp.com) into the Abuse Net Contact Database (http://www.abuse.net/lookup.phtml) and find out who to notify.
Make your virus notice short and concise, and make sure it is NOT a rant...Network administrators at ISPs are very busy and usually swamped with spam/virus/trojan/hack attempt complaints, the more polite you are the better your chances of getting results. Rant and rave and all you get is the Delete button...
EDIT: Be sure to include a copy of the full headers in your complaint, and NEVER send an attachment to the ISP unless specifically requested to do so.
Vic 970
07-04-2002, 05:30 PM
Hi Pete,
got as far as...,
Verio, Inc. (NET-VRIO-128-242)
8005 South Chester Street
Englewood, CO 80112
US
but no further. Should an e-mail be sent to the sender,
i.e. steve@moonshine33.freeserve.co.uk,
as they may be unaware that their PC is infected?
sea69
07-06-2002, 12:59 AM
This is what spamcop says:
Parsing header:
Received: from [128.242.207.107] (helo=linux1587.dn.net) by imailg2b.svr.pol.co.uk with esmtp (Exim 3.35 #1) id 17PnxM-0003nM-00 for x; Wed, 03 Jul 2002 18:30:21 +0100
no from
no auth from
Possible spammer: 128.242.207.107
Taking name from IP...
host 128.242.207.107 (getting name) no name
Received line partially untrusted
Received: from [195.92.195.176] (helo=cmailg6.svr.pol.co.uk) by linux1587.dn.net with esmtp (Exim 3.22 #2) id 17Pncm-0006sF-00 for x; Wed, 03 Jul 2002 13:09:04 -0400
no from
no auth from
host 128.242.207.107 (getting name) no name
Possible spammer: 195.92.195.176
Taking name from IP...
host 195.92.195.176 (getting name) 195.92.195.176 = cmailg6.svr.pol.co.uk.
host cmailg6.svr.pol.co.uk. (checking ip) ip = 195.92.195.176
Chain test:linux1587.dn.net =? 128.242.207.107
host linux1587.dn.net (checking ip) ip = 128.242.207.107
ips are identical
linux1587.dn.net and 128.242.207.107 have close IP addresses - chain verified
Possible relay: 128.242.207.107
128.242.207.107 not listed in relays.ordb.org.
128.242.207.107 has already been sent to relay testers
Received line accepted
Received: from modem-96.celebrimbor.dialup.pol.co.uk ([62.136.146.224] helo=pfxxxie) by cmailg6.svr.pol.co.uk with smtp (Exim 3.35 #1) id 17PmeR-00012Y-00; Wed, 03 Jul 2002 17:06:45 +0100
host 195.92.195.176 (getting name) 195.92.195.176 = cmailg6.svr.pol.co.uk.
Possible spammer: 62.136.146.224
host modem-96.celebrimbor.dialup.pol.co.uk (checking ip) ip = 62.136.146.224
Taking name from IP...
host 62.136.146.224 (getting name) 62.136.146.224 = modem-96.celebrimbor.dialup.pol.co.uk.
host modem-96.celebrimbor.dialup.pol.co.uk. (checking ip) ip = 62.136.146.224
Chain test:cmailg6.svr.pol.co.uk =? cmailg6.svr.pol.co.uk.
cmailg6.svr.pol.co.uk and cmailg6.svr.pol.co.uk. have same hostname - chain verified
Possible relay: 195.92.195.176
195.92.195.176 not listed in relays.ordb.org.
195.92.195.176 has already been sent to relay testers
Received line accepted
Tracking message source:62.136.146.224:
host 62.136.146.224 (getting name) 62.136.146.224 = modem-96.celebrimbor.dialup.pol.co.uk.
host modem-96.celebrimbor.dialup.pol.co.uk. (checking ip) ip = 62.136.146.224
Paranoid reverse DNS passes
abuse.net celebrimbor.dialup.pol.co.uk = abuse@energis-squared.com
abuse@energis-squared.com = abuse@energis-squared.com bounces (10059 sent : 5030 bounces) (-3)
Routing details for 62.136.146.224
Using smaller IP block (/ 18 vs. / 8 )
Removing 1 larger (> / 18 ) route(s) from cache
[refresh/show] Cached whois for 62.136.146.224 : pedro.jones@energis-squared.com, abuse@planet.net.uk
abuse@planet.net.uk: abuse.net net.uk = postmaster@net.uk
abuse.net planet.net.uk = abuse@energis-squared.com
Using best contacts abuse@energis-squared.com
abuse@energis-squared.com bounces (10059 sent : 5030 bounces)
Using abuse#energis-squared.com@devnull.spamcop.net for statistical tracking.
Whois found: abuse#energis-squared.com@devnull.spamcop.net
62.136.146.224 not listed in formmail.relays.monkeys.com
62.136.146.224 not listed in proxies.relays.monkeys.com
62.136.146.224 not listed in relays.ordb.org.
Would send message source reports to:
Re:62.136.146.224 (Administrator of network where email originates)
abuse#energis-squared.com@devnull.spamcop.net
**********************************************
like your new Avatar Pete.
;)
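The Received: chain walk that Pete describes and that the SpamCop parse above performs, as an added Python example that is not part of the original thread. It re-uses the three Received: headers quoted earlier (re-joined into one constructed header block), unfolds them, checks that each hop's helo name is the host named by the hop below it (SpamCop's "chain verified"), and stops trusting the chain at the first mismatch; the lowest verified hop's IP is the message source, which here is the dial-up address rather than the first Received: line.

```python
import re
from email import message_from_string

# Constructed sample: the Received: headers quoted earlier in this thread,
# re-joined into one RFC 822 header block (attachment and body omitted).
RAW_HEADERS = """\
Received: from [128.242.207.107] (helo=linux1587.dn.net)
\tby imailg2b.svr.pol.co.uk with esmtp (Exim 3.35 #1)
\tid 17PnxM-0003nM-00
\tfor vic@revi.fsnet.co.uk; Wed, 03 Jul 2002 18:30:21 +0100
Received: from [195.92.195.176] (helo=cmailg6.svr.pol.co.uk)
\tby linux1587.dn.net with esmtp (Exim 3.22 #2)
\tid 17Pncm-0006sF-00
\tfor vic@revi.co.uk; Wed, 03 Jul 2002 13:09:04 -0400
Received: from modem-96.celebrimbor.dialup.pol.co.uk ([62.136.146.224] helo=pfxxxie)
\tby cmailg6.svr.pol.co.uk with smtp (Exim 3.35 #1)
\tid 17PmeR-00012Y-00; Wed, 03 Jul 2002 17:06:45 +0100
From: "Microsoft Corporation Security Center" <rdquest12@microsoft.com>
Subject: Internet Security Update
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)")
BY_RE = re.compile(r"\bby\s+([^\s;]+)")

def parse_received(raw):
    """Return one dict per Received: header, top of message (latest hop) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold the multi-line header
        ip = IP_RE.search(flat)
        helo = HELO_RE.search(flat)
        by = BY_RE.search(flat)
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None,
            # Exim-style Received: lines put the timestamp after the last ';'
            "date": flat.rsplit(";", 1)[-1].strip(),
        })
    return hops

def trace_origin(raw):
    """Walk the chain downwards and return (origin_ip, chain_ok).

    A link is consistent when the host that said 'helo=X' in hop N is the
    host that wrote 'by X' in hop N+1. Hops below a broken link may be
    forged by the sender, so the walk stops there and keeps the last
    verified hop's IP as the source.
    """
    hops = parse_received(raw)
    chain_ok = True
    origin = hops[0]["from_ip"] if hops else None
    for upper, lower in zip(hops, hops[1:]):
        if upper["helo"] != lower["by"]:
            chain_ok = False
            break
        origin = lower["from_ip"]
    return origin, chain_ok

if __name__ == "__main__":
    origin, ok = trace_origin(RAW_HEADERS)
    print(f"message source: {origin} (chain {'verified' if ok else 'BROKEN'})")
```

Only the name comparison is done offline; SpamCop additionally resolves each name and IP in DNS, which is the step a real check should add before trusting the result.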
sea69
07-08-2002, 02:15 AM
This is an Auto-responder sent automatically in response to your email.
*******************************************************************************
*** IMPORTANT INFORMATION PLEASE READ ***
*******************************************************************************
PLEASE NOTE WE ARE CURRENTLY DEALING WITH A 2 WEEK BACK LOG.
This mail is being sent to you because the Energis Squared Network Abuse
Reporting system received a mail which had your email address as the sender.
Energis Squared is a backbone ISP. We host a number of virtual ISPs
including Freeserve, Greatxscape, Jungle. This means that we own the network
space on which the accounts of our customers' end users are hosted. For this
reason we deal with abuse issues relating to our network.
Mail sent to any of the following addresses will have generated this
response:
abuse@energis-squared.com, abuse@energis.com,abuse@theplanet.net,
abuse@pol.co.uk, abuse@planet.net.uk, abuse@theplanet.net.uk,
abuse@freeserve.net, abuse@greatxscape.com, abuse@swinternet.net,
abuse@tpnet.co.uk, abuse@internetprimus.net, abuse@sageconnect.co.uk,
abuse@academics.net, abuse@wwwatt.net, abuse@junglelink.net, abuse@ision.net.uk
The reference ID for your message is
ENERGIS SQUARED ABUSE TICKET 265277
Please quote the reference id in the subject line or the body of any replies
you send to this or subsequent messages from us - For example, having read the
rest of this message, you may need to send us further information; do this, by
replying to the mail and ensuring the ticket reference ID remains in the subject
line of the email.
Please ensure that all reports are sent in **Plain Text** format (not HTML)
and please do not send attachments to our system. (cut and paste logs etc into
main email). Virus attachments should be removed, but please include the
attachment name in the main email.
We investigate all allegations of network abuse which has originated on our
network.
We are not able to trace abuse which does not originate from our network. If
you are an Energis-Squared end-user with a complaint about abuse from another
network, please redirect your report to the originating Internet Service
Provider (ISP).
For search tools and guidance on how to identify the originating ISP and for
further information on reporting abuse and other network abuse issues, please
see our web site:
http://www.abuse.energis-squared.com (click on 'Internet Abuse' from the
roll-over menu on the left-hand side)
We attempt to reply (in addition to this auto reply) to all abuse reports
sent to us. In accordance with the Data Protection Act 1998, we are not able to
release details of any accounts that may be responsible for the abuse. We may
also be prevented from making comment, due to possible legal proceedings.
If you require a response, please make this clear in your message (or follow
up) to us. Please include a **brief summary of the complaint**, identifying the
relevant parts of the offending email or newsgroup posting where necessary.
Please be aware that reports sent to us, which are abusive in tone or
language will be forwarded to your hosting ISP.
********************************************************************************
PLEASE SEE BELOW FOR DETAILS ON THE INFORMATION WE REQUIRE TO DEAL WITH YOUR
ABUSE REPORT
********************************************************************************
Email & News Abuse
------------------
When reporting mail or news abuse it is imperative that you give us as much
information as possible to allow us to effectively investigate the complaint.
For email abuse including email spam and virus emails, we need the *FULL*
email headers (also known as internet headers, or message source) from emails or
news postings. The headers must contain all the "Received: from..." headers
(these headers are normally multi-line - we need all the lines of the headers).
We also require the full content of the offending email (i.e. the text in the
message body) but please remove any attachment.
For news abuse we need the full news posting headers, which should include
the Path, Newsgroup, Subject, Message-Id and most importantly the 'X-Trace'
line. We also require the full content of the offending newsgroup posting. If
the posting is not obviously abusive (i.e. it breaches rules specific to the
newsgroup), please include a copy of the newsgroup charter or a url for where it
can be found.
If you are complaining about multiple messages (such as in the case of a
'mail bomb' or 'spoof attack') then please send us the headers from a
representative set of the messages (for example at least the earliest and the
latest allows us to get a good time frame within which to check).
Should your original message not give sufficient tracking information, please
reply to this message giving all the header information from the original
messages.
Port Scanning or Hack Reports
-----------------------------
We use dynamic IP addresses for our dial-up customers, which means that a
user is allocated a different IP address each time they log onto the network. We
require the following information in order to trace the user(s) concerned:
* IP address(es)
* Accurate time/date information, to include hours, minutes and
seconds (e.g. 14:15:59 GMT)
* The time zone of your logs (i.e. GMT, BST, UTC)
Please do not send us any whois/ traceroute information as this takes up
unnecessary space.
If you need to report several attacks, please send each report of an attack
from a different IP, in a separate email, to allow us to track each incident
individually.
Should your original message not give sufficient tracking information, please
reply to this message giving all the information required.
Please ensure that all reports are sent in **Plain Text** format (not HTML)
and please do not send attachments to our system. (cut and paste logs etc into
main email). Virus attachments should be removed, but please include the
attachment name in the main email.
Other Network Abuse (such as chat, website or messageboard abuse)
-----------------------------------------------------------------
If you are reporting other network abuse, please supply as much detail as
possible. Chat, website and messageboard abuse reports should be marked
'Urgent'.
We use dynamic IP addresses for our dial-up customers, which means that a
user is allocated a different IP address each time they log onto the network. We
require the following information in order to trace the user(s) concerned:
* IP address(es)
* Accurate time/date information, to include hours, minutes and
seconds (e.g. 14:15:59 GMT)
* The time zone of your logs (i.e. GMT, BST, UTC)
* The exact url (web address) of the site connected to (i.e. the
site where the abuse took place)
* The offending posting or the relevant chat logs
* It is a good idea to keep a screen shot of the abuse. Please
*don't* send the screenshot but save it as we may ask
for it at a later date
Please note that if one of our IP addresses looks up to a 'webcache' (as
opposed to a modem) we have a *maximum* of 48 hours to trace the user
responsible for the abuse.
Please ensure that all reports are sent in **Plain Text** format (not HTML)
and please do not send attachments to our system. (cut and paste logs etc into
main email). Virus attachments should be removed, but please include the
attachment name in the main email.
Support Issues
--------------
For non-abuse issues please contact the support email address/help line for
your Virtual ISP. Details can be found on the Home Page.
Urgent Reports
--------------
The Energis Network Integrity Team business hours are Monday to Friday
between 8.30am and 5.30pm (4.30pm on Fridays).
If you have an *urgent* abuse issue, please leave a message on our messageline
answerphone:
0113 207 6239
Please note that your call will *not* be answered personally. You can leave a
message 24 hours a day. During business hours, a member of the team will
contact you back within one hour. If a message is left out of hours, you will
be contacted the next working day.
If the abuse is an *emergency*, occurs out of hours and cannot wait until the
next working day, or occurs after 16.30 on a Friday, please telephone our 24
hour Network Management Centre on:
+44(0)845 078 8888
results of my email^
;)
Vic 970
07-08-2002, 04:24 PM
thanks sea,
did you send them the headers? or, is there anything more to do?
sea69
07-09-2002, 12:59 AM
here is their second:
Dear Sir/Madam,
Re: Your Abuse Report - Full Headers & Content Required - Instructions Below
----------------------------------------------------------------------------
Thank you for your email to abuse.
Unfortunately, the information that you have supplied is not sufficient for us
to trace the user.
When reporting email (or news) abuse, it is imperative that you give us as much
information as possible, to allow us to effectively investigate the problem. The
information we need is the FULL headers from emails (or news postings). For
email, the headers must contain all the 'Received: from…' headers. These are
normally multi-line, it is important to include all lines. For News we need the
Path, Message-Id and Newsgroups headers, and most importantly, 'X-Trace' line of
the headers.
The basic From/To headers are not sufficient, since they can easily be forged.
To View Full Headers:
---------------------
OUTLOOK 2000
Click on the email (do not double click on the mail to open it and do not open
the attachment), right mouse click while the mail is highlighted in your inbox,
select options; a window will open; highlight the 'internet headers' section
from the indented box at the bottom of the window; right mouse click and then
copy and paste the headers into a new email.
OUTLOOK EXPRESS
Open the message first. Select 'FILE' from the options menu. Listed as an
option is: 'PROPERTIES'. Another window should open showing two tabs. Choose the
one titled 'DETAILS'. Cut and paste the headers into the message you want to
send (back to us).
PEGASUS MAIL
Open the mail. Select view from the top toolbar menu. Click 'Page source'.
NETSCAPE MAIL
Open the mail. Select 'OPTIONS' from the options menu. There is an option :
'Show Headers', then select full headers.
EUDORA MAIL
Open the message first. Under the title bar there are four options. Click on
the second box from the left and all the headers should be shown.
PINE
Type S for set-up ( or scroll down main menu)
Type C for configuration
Scroll down to: [advanced Command Preferences]
Put X in the [ ] next to enable-full-header-cmd
Type E to exit and save
To forward the headers answer yes to 'send mail as an attachment query'.
HOTMAIL Go to options, preferences and tick full or advanced under message
headers.
If you have problems obtaining headers or instructions for your email client/
operating system are not included above, you may find the following URL helpful:
http://help.mindspring.com/features/emailheaders/extended.htm
If you are still having problems obtaining email headers, please consult your
email client manual or contact your email client provider.
We also need full content of the abusive mails / postings in order to take the
appropriate action. In the case of a suspected virus, please either include the
name of the virus, the name of the attachment or a copy of the text.
Unfortunately we cannot take any action without this information. We would ask
that you provide as much information as possible so that we are in a position to
resolve your complaint.
Please note that we can only trace users on our network. If the headers
indicate that the email originates from another ISP, please do not send the
headers to us. For further advice on reporting abuse, please refer to our
website which includes FAQs and a flowchart:
http://www.abuse.energis-squared.com (click on Internet Abuse).
Please send in plain text (as opposed to HTML) and cut and paste the
information into the actual report.
*******************************************************************************
N.B.
Please note that the use of the account is the responsibility of the account
holder. Any actions taken by an end user, or on the end user's behalf, are done
so at the end user's own risk and we will not be held liable for any results of
that action.
*******************************************************************************
Regards,
Network Integrity Team
Energis
abuse@energis.com
www.energis.com/abuse (click on 'Internet Abuse')
you need to read where it says what to do and then do it!!
hehe
;)
Vic 970
07-09-2002, 03:53 PM
thanks sea,
whew !!!! done, :)