
I Think I Made A Bad Mistake


I just purchased and installed BitDefender Anti-virus 2008 today, and had it do a scan. In the process, BD indicated there was a trojan in my Thunderbird emails - specifically from my son whom I hadn't spoken to or located for over 20 years. He was 6 when we lost contact. (Long story.) I found him about 10 years ago, and over the last 10 years we have gotten to know each other pretty well and have been emailing each other back and forth since 1999. Losing these emails from him would be heartbreaking, but BD has evidently done just that. It refuses to let me view ANY of his emails (it blocks the entire "Dave" folder) because there apparently was a trojan in ONE of the emails. (Message #162 - whatever that means.)


BD also found a trojan in my Inbox, that has many more emails in it, but I am able to view emails in the Inbox. So why would BD block ALL of his emails?


Can this be reversed? Will uninstalling BD correct this? Or has today been one of the worst days of my life? Please tell me how to fix this.

Comments

  • alexcrist
    edited February 2008

    Hello Zeico,


    The explanation is simple: BitDefender detects a threat in an e-mail. But it cannot block that e-mail, because that's just a simple file in an archive (all e-mails from one folder are archived in one file), so BitDefender just blocks the archive (in this case, the whole file that contains the "Dave" folder).


    BitDefender only blocks that file. Nothing has been deleted from it, so everything can be recovered just the way they were. :)


    To be able to access that file (file = e-mail folder), you only have to disable the realtime protection.


    However, this is not a safe solution (as you might already know). You have to find the reported e-mail. So try these steps:

    1. Disconnect the computer from the internet
    2. Disable BD Realtime Protection
    3. Open Thunderbird and go to that folder
    4. The reported e-mail should have an attachment (most of the times, infections are not in the e-mail itself, but it's an attachment)
    5. Save all attachments from that folder into a secure location (an empty folder on your HDD). Be careful not to open the attachments while BD is disabled! Just save them
    6. Make a manual scan of the folder where you saved the attachments and see which one is reported as infected. Please set BD not to remove/quarantine the detected threats. You might need the file, for the following steps
    7. If the file is a real infection, go to the "Dave" folder, in Thunderbird, and delete the e-mail that has that reported attachment. After that, Compact the e-mail folders (Thunderbird has this option in one of its menus...I don't know where exactly, cos I don't use it, but I know it has it). Keep BD disabled all this time, or it will block the e-mail and you won't be able to delete it.
    8. If you suspect that the file is clean, please put the file (the one that was attached) into a ZIP archive, with the password infected and attach the file in the Malware section. Please don't upload the file here, or other users might download it. The file will be checked by a Virus Analyst and detection will be removed if necessary.
    9. Don't forget to re-enable BD Realtime protection after you are finished with these operations.
    If you have questions about any of the above steps, just ask. :)


    Cris.

  • pcbugfixer
    edited February 2008

    G’Day “Zeico”,


    What “cris” said in the above post is correct with regard to the explanation of email storage methods and handling.


    However, the recommended procedure suggested is dependent on your degree of knowledge and experience and may be slightly difficult for you. If not, proceed, and only follow one person's task list and not someone else's, "as too many cooks spoil the broth".


    The only part of the procedure I do not like is item 8! in that it has privacy implications, where all your messages are being sent to a 3rd party. Virus Analyst may be a fair reason, however you need to be aware that the emails contained in the file that is being requested (I am not suggesting that this would occur) can all be read by whoever you send it to, and you might not want to do that!


    My approach is much the same, however it differs in the action and cleaning procedure that need to be considered.


    So this is an alternative.


    The scenario of your infected PC system is not good to work with, as the infection is a serious one, which is indicated by the Trojan warning. – Please proceed with caution, although at this point, if your emails are more important, then proceed with the following.


    READ ALL OF THIS BEFORE YOU START !


    Yup, correctly uninstalling should fix the problem, but is not necessary, and other solutions are dependent on the action you took after the Virus scan and if you deleted any of the emails or attachments?!


    Steps 1 to 3 are similar to what “cris” said!


    1. First, let's see if the emails are still intact, by disabling the BDAV. Do this by right mouse clicking on the TSR BD icon (right side of Start Bar) and then click on "Exit" and say Yes to shutting the BDAV down.


    2. Now open the Thunderbird email program and have a look at the email folders you refer to and see if you can access them and still read the emails.


    3. Your explanation suggests that the infected file(s) are still present and have not been removed. This is common, as some Trojan and Worm infections cannot be removed by some virus scanners' actions due to the nature (method) of the infection and also the fact of the email messages' method of storage on your hard drive, which uses an archive file method (all messages in one file) which BDAV and most others cannot clean; therefore all of the messages should be intact and the infected files are still present. This is not true with all AV programs, however. This is the reason why BDAV is blocking access to these folders and files (messages) while it is active and attempts to protect you from spreading the infection further.


    Viruses normally attach themselves to email messages and are usually not contained in the actual text of the message that was sent.


    - Disabling BDAV obviously then allows access.


    The situation changes if you may have used another AV program or other Cleaners like AdAware or SpyBot Search and Destroy.


    Another point to consider before uninstalling is if, since installing the BDAV, you have downloaded other infected files that may then have been quarantined. If so, then they need to be restored before you uninstall BDAV. As most AV programs can also delete incoming infected files (depending on the program settings), you need to take note of this if newer incoming emails may have been deleted rather than cleaned.


    The normal procedure action is: attempt to clean; if that cannot be done, then quarantine or Delete should be the settings in the AV options after a virus is detected in an email.


    Having said all that- you might have to read it again to ensure that you understand the logic.


    If we have succeeded in verifying that the emails are still present and/or we do not need to perform any recovery actions, then all is well, EXCEPT we still have a badly infected system.



    4. As these messages were sent to you, then the sender of these messages also has an infected PC system. Now as to who was infected 1st, I will not get into that argument, except to make sure that you tell your Son about your problem and make sure that he also performs a Virus Scan on his PC system to detect the degree and type of infection, i.e. the names of the viruses, etc. that the system is infected with.


    The action to now clean the email messages and also clean your PC system and your Son’s PC system, is not an easy task.


    5. We would now attempt to make a copy of the emails and put them on a CD (if you have a CD or DVD burner) or on another Hard Drive (not a partition of, or on the infected Hard Drive) to do this we need to copy the folder that Thunderbird stores the master files in containing all your email messages.


    - To make copies to any other location, the BDAV still needs to be disabled, as when an infected file is accessed, it will prevent any movement or copy action while it is active.


    Also at this time we would copy any documents and other files that are crucial to you, like accounting , etc files.


    6. We would then re-activate the BDAV and perform another scan to;


    A.) determine what your PC system is infected with, and B.) attempt to have BDAV Delete all the infections it finds, as your email messages will not be the only files that are infected.




    This unfortunately is easier said than done, as you have Trojan infections which are only the tip of what might be an iceberg!


    As you do not want to lose any email messages, it is obvious that you would not want to delete any of them!


    Cleaning the email messages is a separate task, however it is not necessary if we only want to look at them and not use them. (More on that later and cleaning methods)


    The other option is, if your Son can clean his PC system and if he has kept the messages he sends in the "Sent Items" folder, then they can be resent.


    Ok, this is roughly what ought to happen, and you need to tell us which way you want to proceed!


    pcbugfixer

  • You folks have been very, very helpful, and I appreciate that. Please give me some time to absorb all your information and make some decisions.


    Thanks for your help!


    Zeico

  • zeico
    edited February 2008

    The Trojans BDAV found were:


    Generic.Peed.Eml.D8677A9F, and Generic.Peed.Eml.3F5DEC5E


    Inbox - Message 153


    Inbox - Message 1393


    Dave - Message 162


    Am I correct in assuming that since I can't access ANY emails in the Dave folder, but CAN access virtually ALL emails in the Inbox, that BDAV has only blocked emails that were sent from my son Dave? That it will open emails in the Inbox that were NOT from my son? (That, apparently, is the situation.) Does this make sense? I think it does.


    I should also mention that there are no attachments in the Dave folder that would contain a Trojan. (A pic of him and his new wife, and a picture of my RV.)

  • alexcrist
    edited February 2008

    > The only part of the procedure I do not like is item 8 ! in that it has privacy implications, where all your messages are being sent to a 3rd party. Virus Analyst maybe a fair reason, however you need to be aware that the emails contained in the file that is being requested, I am not suggested that this would occur, can all be read by whoever you send it to, and you might not want to do that !


    I have to disagree with this. Submitting files for analysis does not endanger anyone's privacy. The files posted on the Malware Talk section can only be downloaded by Virus Analysts and Moderators of this forum. Nobody else, under any circumstances, can get access to those files.


    The files attached on that section are purely used for analysis and testing. They will not be published anywhere (as part, complete files, anonymous, nor otherwise). That is the reason why I said the file has to be posted on the Malware Talk section (besides the fact that nobody else can get infected using the samples).


    > Do this by right mouse clicking on the TSR BD icon (right side of Start Bar) and then click on "Exit" and say Yes to shutting the BDAV down.


    By doing this, you will only close the bdagent module, which is only responsible for the interface. The protection itself remains active (Antivirus, Firewall, Privacy Control and whatever other modules you have enabled)!


    bdagent has absolutely nothing to do with the actual security of the system. To disable the AV protection, open Security Center -> Settings -> Antivirus and disable the Realtime Protection by un-checking the checkbox. bdagent doesn't need to be closed. Un-checking that checkbox is enough.


    > 2. Now open the Thunderbird email program and have a look at the email folders you refer to and see if you can access them and still read the emails.


    By closing bdagent, the emails will still be blocked. By disabling the Realtime Protection, they will be accessible.


    > Other point to consider before uninstalling[...]


    BD doesn't have to be uninstalled. It's enough to disable its protection, and access to the blocked files will be granted.


    > The normal procedure action is, attempt to clean , if that cannot be done, then quarantine or Delete should be the settings in the AV options after a virus is detected in an email.


    This is only the user's choice. Personally, I have set my AV (and also recommend others to do the same) not to take any automated actions (besides disinfection). This is because sometimes False Positives appear (this is inevitable, due to heuristic scans), so you might end up with deleted legit files. I prefer to see the infected files and to manually take the necessary actions in every situation.


    This is the safest way. But, as I said, it's the user's choice.


    > 4. As these messages were sent to you, then the sender of these messages also has an infected PC system. Now as to who was infected 1st, I will not get into that argument, except to make sure that tell your Son about your problem and make sure that he also performs a Virus Scan on his PC system to detect the degree and type of infection, i.e. the names of the viruses, etc that the system is infected with.


    Not necessarily. There is somehow a high chance that this is a false positive. I'll explain below why I say this.


    > 5. We would now attempt to make a copy of the emails and put them on a CD (if you have a CD or DVD burner) or on another Hard Drive (not a partition of, or on the infected Hard Drive) to do this we need to copy the folder that Thunderbird stores the master files in containing all your email messages.


    As additional advice, for Zeico: from time to time, you should back up all your emails (and other sensitive data) to a safe location. This will keep them safe from:


    - infections


    - data loss or corruption in case of system/HDD failure


    > The Trojans BDAV found were:
    > Generic.Peed.Eml.D8677A9F, and Generic.Peed.Eml.3F5DEC5E


    Cd-Man is a Virus Analyst for BitDefender. In another topic, he said:


    > Generic.Peed.EML is the generic detection for e-mails sent by Peed. They usually contain a link with an IP, like http://10.10.0.201/... and can have a wide variety of subjects. The reason why BD cannot "clean" these infections is because we only have read-only support for inboxes of mail programs (where these emails were probably found). Adding read-write support is complicated, dangerous (since there is no "official" documentation for many of these inbox formats and relying purely on reverse engineering contains a high danger of data corruption) and sometimes illegal. You can clean them manually, by disabling the real-time protection, deleting the identified mails from your mail client, emptying the trash in your mail client and re-enabling the realtime protection.


    In other words... the reported e-mails don't necessarily have attachments. As I said, most of the times, the infections are in the attached files, but there are also situations when the e-mail itself can contain the malware.


    Peed is one of these cases. I'm not a very big expert on viruses, but as I understand, Peed doesn't really harm your computer. It only contains a link to an infected site, which the user is invited to visit. That site contains the actual malware, which is downloaded automatically the moment the user accesses it.


    So this alert could be a false positive. Maybe an e-mail from your son contains a link to an IP, which makes BD "believe" that it points to Peed. In this case, the situation can be corrected by submitting the e-mail, or the IP that triggers the alert.


    So:


    - to find the reported file, look in the e-mails for the ones that have links to an IP. Export all of them to a secure location (an empty folder on your HDD), then scan them with BD to see which one is flagged. Disable BD Realtime Protection before doing this, so it won't block your actions


    - after you find the e-mail(s), you can submit them. Either put the whole e-mail (the one that you exported) in a ZIP archive (with the password infected) and attach it to this forum (or send it to me through PM). Keep in mind what I've said at the beginning of this post.


    - Or submit only the link. Put it in a TXT file, and attach the file to a post (or send it through PM). Don't post it directly in your post (for the same reasons why you should attach reported files only on the Malware Section).


    You can just ignore these alerts, but it will be a lot of hassle for you to open the emails. I strongly recommend that you submit the reported files, to see if there is really something wrong with them.


    Cris.


    P.S.: I'll move this topic to the Malware Talk section. You can attach any files to this topic.

  • zeico
    edited February 2008

    My decision is to "eat" the money I just spent yesterday purchasing BDAV for $24.95 through Herman Street.


    I've used BDAV throughout the years with pretty good success, and I assumed (bad word) the new version would be a suitable replacement for the ESET NOD32 AV I've been using this past year. So, for $24.95, I jumped on it, and downloaded BDAV from them and installed it.


    An AV program should not have these problems. This topic concerns only ONE of the problems I have encountered in just the first day of use. There are numerous ones, and the most critical is the way BDAV has, literally, brought my system to a crawl. I'm used to clicking on an email in T-Bird and having the email opening instantly. With BDAV, it takes almost 5 seconds for it to open - if it opens at all based upon my original post in this topic.


    Secondly, immediately upon installation, I ran a complete scan of my system which - according to the review of AVs I saw on anti-virus-software-review.toptenreviews.com/ - it took 20 minutes to scan an 80GB hard drive. It took BDAV 2 hours and 41 minutes to scan my 50GB hard drive. NOD32 can do the same thing in a third that time, and it too is a highly-rated AV program. I should know because I have used it for almost a year.


    In the past, I have viewed all of my son Dave's emails countless times, and never had a problem with a Trojan virus causing a problem with my computer.


    The sad part, too, is that I called Herman Street today and asked them if there was a chance I could get a refund of my $24.95, and they told me that only BitDefender handles the refunds. She gave me BD's support phone number, and I called you all. I was told that BD doesn't handle the refunds - that I should call Herman Street.


    The ironic part is that I trusted BD to produce an AV product that was the pinnacle of perfection amongst other AV products on the market, and so - I purchased it and downloaded it from Herman Street without even thinking that I could have NOT purchased it and simply tried it for 30 days from BD directly.


    That hurts. No one at Herman Street or BitDefender seems to care, and neither will help. I am very disappointed.


    Like I said, my $24.95 is gone - for nothing!

  • alexcrist
    edited February 2008

    I'm sorry if you think that way. I wouldn't say that nobody cares, as long as I'm here and I'm trying to help you.


    But, frankly, I don't understand your logic. You want an AV that doesn't show warnings, or you want an AV that shows alerts? A virus in your system is not the problem of the AV product! BitDefender found an infection, and blocked it. I'd say it's the normal behavior that you would expect from a security solution. Correct me if I'm wrong, but it seems you want an AV that just sits in its corner, quiet, and not disturbing you with alerts...


    NOD32 was a very good product. But lately, its detection rates dropped. Six months ago, NOD32 and BD had approximately equal detection rates (according to the August 2007 av-comparatives.org test). Since then, I wouldn't be surprised to see that BD went a lot above NOD32 (there were other tests since August, which showed NOD32 many places below BitDefender).


    My advice? Whatever product you choose, you should clarify this Peed warning.


    Cris.

  • alexcrist
    edited February 2008

    This alert was a false positive, related to an e-mail that contained some text which resembled the one that PEED sends.
  • Thank you, Chris (especially), for your assistance in this situation. Your advice proved to be extremely valuable, and my concerns have abated. The Trojan mentioned, indeed, turned out to be a false-positive, and the problem is now solved. Thanks again for your persistence in seeing me through this initially mind-boggling experience. You are a credit to your profession!


    Zeico

  • I too have the PEED problem, but the location it gives is already empty. It was never compacted or made not visible. It's really empty. It shows it in the log, in the same location as it seems everyone has it: the Inbox or the Junk. Junk is empty. Inbox I don't want to empty if not necessary.


    Here's an example from the log:


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Inbox=](message 16798)


    and


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Junk=](message 9713)


    There's a dozen or so of both plus a few of these:


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Junk=](message 2050)=][subject: Margaret][Date: Wed, 23 Nov 2005 21:58:03 -0500]=](MIME part)=]Andrew.zip=]12.exe Trojan.Bagle.BK


    and a few other infections:


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Junk=](message 6663)=][subject: Russian missle shot down USA satellite][Date: Fri, 19 Jan 2007 19:15:56 -0800]=](MIME part)=]Full Clip.exe


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Junk=](message 14) Trojan.Spy.HTML.Bankfraud.DQ


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Junk=](message 3605)=][subject: Judithe][Date: Wed, 21 Jun 2006 10:42:25 +0100]=](MIME part)=]Mychaell.zip=]jxjtigcwh.exe Win32.Bagle.ET@mm


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Junk=](message 6905)=][subject: For You][Date: Sun, 28 Jan 2007 07:15:21 -0500]=](MIME part)=]greeting postcard.exe Win32.Zhelatin.H@mm


    Last but not least, there are some pw protected ones that are not of our doing and we didn't pw them:


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Inbox=](message 7647)=][subject: Edward][Date: Wed, 21 Jun 2006 06:51:55 +0100]=](MIME part)=]Bennett.zip=]eppxugiwnfjm\voyvukuo.dll Password-Protected No action was possible


    C:\Documents and Settings\Sarah Legon\Application Data\Thunderbird\Profiles\c3jvutyk.default\Mail\Local Folders\Inbox=](message 7649)=][subject: Judithe][Date: Wed, 21 Jun 2006 10:42:25 +0100]=](MIME part)=]Mychaell.zip=]iekjnvnvovvm\qoemwndpzmaa.dll


    Again, these folders show up as empty, plus I did a folder scan and it found nothing in the folder, but the scanner log says what I've put above.


    I have clicked on the box to scan archives but that didn't help get rid of any.


    On one hand it is heartening that BT found them as I had AVG pro for 4 years and up to today never found any. On the other hand it is very frustrating to not have a way to deal with them.


    I see others with the same problem so am concerned.


    What is the way to end it?

  • alexcrist

    Hello getgar,


    As I said: e-mails are not fully removed when you delete them. Even if the folder seems empty, the actual file that contains that folder is NOT empty. To make one thing clear: BitDefender does NOT invent files. If a file is detected, then that file IS present on your HDD.


    Disable BitDefender realtime protection, compact your e-mail folders (using Thunderbird), re-enable BD and remake the scan. If you need details about how to compact the folders, I'll send you a little video, through PM. Just ask.


    Cris.
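
An added example (mine, not code from this thread or from BitDefender) that scripts the two manual chores the replies describe: Cris's "find the e-mails with IP links, export them to an empty folder and scan that folder", and his last point that a deleted message stays inside the folder file until Thunderbird compacts it. It parses a Thunderbird folder file (mbox format), reports each message's bare-IP links and whether it only carries the deleted flag, and writes the IP-link messages out as single .eml files; the sample mbox is constructed, and the 0x0008 "Expunged" bit of X-Mozilla-Status is Thunderbird's flag convention.

```python
import mailbox
import re
import tempfile
from pathlib import Path

# Thunderbird keeps each mail folder as one mbox file. Deleting a message only
# sets the "Expunged" bit in its X-Mozilla-Status header (Thunderbird's flag
# value 0x0008); the bytes stay in the file until the folder is compacted.
EXPUNGED = 0x0008

# A URL whose host is a bare IPv4 address, the trait Cd-Man describes for
# Generic.Peed.Eml mails (e.g. http://10.10.0.201/...).
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?", re.I)

# Constructed sample folder file (not a real capture): a normal mail with an
# IP link, a mail without links, and a deleted-but-not-compacted mail.
SAMPLE_MBOX = """From - Mon Feb 04 10:00:00 2008
X-Mozilla-Status: 0001
From: dave@example.com
Subject: photos

Pics from the trip are on my home server: http://192.168.1.20/photos/rv.jpg

From - Mon Feb 04 10:05:00 2008
X-Mozilla-Status: 0001
From: friend@example.com
Subject: hi

No links here, just text.

From - Mon Feb 04 10:10:00 2008
X-Mozilla-Status: 0009
From: spam@example.com
Subject: greeting postcard

You have a card waiting at http://10.10.0.201/card
"""


def _text_of(msg):
    """Join the decoded text parts of a message (attachments are skipped)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage_mbox(path, out_dir):
    """Per message, report IP-hosted links and whether it is merely flagged deleted
    (still on disk because the folder was never compacted); messages with IP links
    are also written as single .eml files into out_dir for an on-demand scan."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    box = mailbox.mbox(path)
    report = []
    for idx, msg in enumerate(box, start=1):
        status = int(msg.get("X-Mozilla-Status", "0"), 16)
        links = sorted({m.group(1) for m in IP_URL.finditer(_text_of(msg))})
        exported = None
        if links:
            exported = f"message-{idx:05d}.eml"
            (out / exported).write_bytes(msg.as_bytes())
        report.append({"index": idx, "subject": msg.get("Subject", ""), "ip_links": links,
                       "expunged": bool(status & EXPUNGED), "exported": exported})
    box.close()
    return report


def demo():
    """Run the triage over the constructed sample folder and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        inbox = Path(tmp) / "Inbox"
        inbox.write_text(SAMPLE_MBOX)
        return triage_mbox(inbox, Path(tmp) / "suspects")
```

Point `triage_mbox` at a real folder file (e.g. `.../Mail/Local Folders/Inbox`) only with the mail client closed, and scan the output folder rather than opening the exported messages.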