Haven't read all the replies yet, but I had a workstation that was
behaving oddly last week, with Symantec windows popping up about
messages not being delivered, etc. I tried AV scans, with Clam, AVG and
Symantec. I tried adware scans with Ad-Aware. Nothing was found by any
of those. I
None of the processes, services, or registry entries that Hijack
This outputs look untoward on the server. Can the tool be used centrally
to analyse numerous hosts, or does this need to be done on a host-by-host
basis?
Really what I want to do is see where these messages are originating as they
My thinking is that the from is probably spoofed, so changing that
user's password isn't going to accomplish anything.
On Jan 21, 2008 10:36 AM, Clayton Doige [EMAIL PROTECTED] wrote:
None of the processes, services, or registry entries that Hijack This
outputs look untoward on the server.
15:36
To: MS-Exchange Admin Issues
Subject: Re: Virus Hunt (PLEASE HELP)
None of the processes, services, or registry entries that Hijack This outputs
look untoward on the server. Can the tool be used centrally to analyse
numerous hosts, or does this need to be done on a host by host
From: Clayton Doige [mailto:[EMAIL PROTECTED]
Sent: 21 January 2008 15:36
To: MS-Exchange Admin Issues
Subject: Re: Virus Hunt (PLEASE HELP)
None of the processes, services, or registry entries that Hijack This
outputs look untoward on the server. Can
Central Standard Time
To: MS-Exchange Admin Issues
Subject:RE: Virus Hunt (PLEASE HELP)
The first thing I would do is disable authenticated relaying.
It may cause some problems for some users, but it needs to be done.
Very unusual for a specific user account to be targeted
From: Campbell, Rob [mailto:[EMAIL PROTECTED]
Sent: 21 January 2008 16:01
To: MS-Exchange Admin Issues
Subject: RE: Virus Hunt (PLEASE HELP)
They'll only be in Sent Items if Outlook was leveraged to send them.
Most viruses come with their own SMTP client.
Sent from my GoodLink
and see when it stops. A bit severe, but you will
get an idea of where the problem lies.
John
From: Campbell, Rob [mailto:[EMAIL PROTECTED]
Sent: 21 January 2008 16:01
To: MS-Exchange Admin Issues
Subject: RE: Virus Hunt (PLEASE HELP
-Exchange Admin Issues
*Subject:* Re: Virus Hunt (PLEASE HELP)
None of the processes, services, or registry entries that Hijack
This outputs look untoward on the server. Can the tool be used centrally
to analyse numerous hosts, or does this need to be done on a host-by-host
basis
I'll assume for the moment that you're NATing everything through a
single IP address, but will make some suggestions if that isn't the
case.
A properly deployed NTOP is your friend in this case. It can be set
(using the BPF filters) to monitor only port 25, and only outbound if
you want, and
I've been forwarded them for weeks, Tom. Get over it. ;)
-Original Message-
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 11:29 AM
To: MS-Exchange Admin Issues
Subject: FW: Virus Detected
-Original Message-
From: [EMAIL PROTECTED]
Was there a question in there somewhere?
- Original Message -
From: William Lefkovics [EMAIL PROTECTED]
To: MS-Exchange Admin Issues [EMAIL PROTECTED]
Sent: Thursday, July 25, 2002 2:07 PM
Subject: RE: Virus Detected
I've been forwarded them for weeks, Tom. Get over
that I hit send before
I could get them written down. Lost forever, like the remnants of
Coleridge's Kublai Khan...
-Original Message-
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 02:08 PM
To: MS-Exchange Admin Issues
Subject: RE: Virus
If you insist.
How does Martey fix his BAS [1]?
[1] Ask Don.
-Original Message-
From: Matthew Carpenter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 12:11 PM
To: MS-Exchange Admin Issues
Subject: Re: Virus Detected
Was there a question in there somewhere
The question was implied. I scored big on the subtlety points. Matthew
got minus twenty on perception.
-Original Message-
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 02:13 PM
To: MS-Exchange Admin Issues
Subject: RE: Virus Detected
The question was obvious. However, its rate of recurrence might soon
warrant FAQ addition.
-Original Message-
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 12:15 PM
To: MS-Exchange Admin Issues
Subject: RE: Virus Detected
The question
What I want to know is why we have to clean the file and resend?
Or does McAfee simply know its limitations?
-Original Message-
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 3:19 PM
To: MS-Exchange Admin Issues
Subject: RE: Virus Detected
I just got one as well..
Sounds like [EMAIL PROTECTED] needs to correct something on its MFAV settings.
-Rick
-Original Message-
From: Andy David [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 12:24 PM
To: MS-Exchange Admin Issues
Or something... I got the same thing...
-Original Message-
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 12:25 AM
To: MS-Exchange Admin Issues
Subject: FW: Virus Detected
Please clean McAfee.
-Original Message-
From: [EMAIL
It's most likely Klez. When a computer is infected, it will grab an email
addy out of the infected machine's address book, then send the virus with
that person's addy in the From field.
So it looks like it came from somewhere else. The headers tell the truth,
though.
We get a couple of complaints
Thanks Martin. How about the To field? Will the virus grab the address
from the same address book (randomly) and put it in the To field? That
is what I am curious to know. I already asked the user to send me the email
if it has not been deleted.
Sui
It's most likely Klez. When a computer is
yes
-Original Message-
From: sui seto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 9:41 AM
To: MS-Exchange Admin Issues
Subject: RE: Virus - Mass Mailing
Thanks Martin. How about the To field? Will the virus grab the address
from the same address book (randomly) and put
Klez grabs from ABs and Temp Internet Files
-Original Message-
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 01:05
To: MS-Exchange Admin Issues
Subject: RE: Virus - Mass Mailing
Could be a few things. Some
Yep. It then sends to everyone in the user's Contacts folder.
-Original Message-
From: sui seto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 6:41 AM
To: MS-Exchange Admin Issues
Subject: RE: Virus - Mass Mailing
Thanks Martin. How about the To field? Will the virus grab
One... ignore the Outlook client and use Outlook Web Access to get at the
mailbox.
Two... use the Windows Messaging client from the Exchange disk. No Preview
Pane to worry about.
Three... use an IMAP client to connect to the mailbox... preferably one
without support for active content.
Q193282
To use a command line switch, follow these steps:
1. Click Start, and click Run.
2. In the Open box, type the complete path,
including the filename. Press the SPACEBAR
once and then type the forward slash (/)
followed by the command-line
IIRC, you can delete the message rather than quarantining it and sending the
alert. I might be wrong, don't have Groupshield any more.
-Original Message-
From: Jan Wilson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 15, 2002 10:57 AM
To: MS-Exchange Admin Issues
Subject: RE: VIRUS
We were able to do that in previous versions of GroupShield, but I
believe they removed that option in v4.5. Why, I have no idea.
Subject: RE: VIRUS HELL ...help?
IIRC, you can delete the message rather than quarantining it and sending
the alert. I might be wrong, don't have
Groupshield does send an alert.txt if you've configured it to do so.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 7:40 PM
To: MS-Exchange Admin Issues
Subject: RE: VIRUS HELL ...help?
I think that you are missing something here
How about de-selecting Preview Pane in the View Menu?
-Original Message-
From: aci [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 2:24 PM
To: MS-Exchange Admin Issues
Subject: VIRUS HELL ...help?
TIA---
I am looking for a bit of help on the antivirus problems I am having
Unfortunately, as soon as you click on the inbox, you get a Dr. Watson
error and then Outlook closes!
How about de-selecting Preview Pane in the View Menu?
-Original Message-
From: aci [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 2:24 PM
To: MS-Exchange Admin Issues
: RE: VIRUS HELL ...help?
Unfortunately, as soon as you click on the inbox, you get a Dr. Watson error
and then Outlook closes!
How about de-selecting Preview Pane in the View Menu?
-Original Message-
From: aci [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 2:24 PM
[mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 3:43 PM
To: MS-Exchange Admin Issues
Subject: RE: VIRUS HELL ...help?
Unfortunately, as soon as you click on the inbox, you get a Dr. Watson error
and then Outlook closes!
How about de-selecting Preview Pane in the View
- Sunbelt
Subject: RE: VIRUS HELL ...help?
As this was cross-posted on the sysadmin list, here's my response from that
list - only thing I could find on technet -
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q195712
On an interesting side note, I also found this little
Subject: RE: VIRUS HELL ...help?
I think that you are missing something here. You say that the message is
being blocked at the gateway but the alert.txt is still coming in. Then it
ain't getting blocked. Blocked means that it stops at the gateway and
nothing goes further.
By the mention
Someone may have suggested this - If you have access to an NT box run
the exchange32 client in the \program files\windows messaging folder -
nuke the message(s) there.
List Charter and FAQ at:
http://www.sunbelt-software.com/exchange_list_charter.htm
Nai
Sarc
Just about all of them have it
Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
Who's watching your network?
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax
Don't most Antivirus vendors have searchable virus libraries?
I think you can search:
Trend - www.antivirus.com and
CompAss - www.cai.com
Using text from the body or subject of a suspected infected email.
William
-Original Message-
From: Majetic, John RAME [mailto:[EMAIL PROTECTED]]
messages.
I was just wondering if there is a better library out there, or if I am just
doing something stupid at the search sites?
John
-Original Message-
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 12:29 PM
To: MS-Exchange Admin Issues
Subject: RE: Virus
24, 2002 3:12 PM
To: MS-Exchange Admin Issues
Subject: RE: Virus List
Why are your users sending each other exe and com files? I never allow such
files in through email. I return them to sender. Users who exchange such
files really should zip or rar them
-Original Message-
From
www.about.com
I hear you. We get voted down really quickly with the phrase:
Shut up you nonrevenue producing department!
-Original Message-
From: Majetic, John RAME [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 2:11 PM
To: MS-Exchange Admin Issues
Subject: RE
Thanks for the info.
Mark
-Original Message-
From: Tom Buoniello [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 2:32 PM
To: MS-Exchange Admin Issues
Subject: RE: Virus
All,
EXCEEDINGLYINFECTED is not a Sybari Antigen false alarm
Sybari say [1] in [2]
Sophos say [3]
[1] Q: I read that attacks can be carried out against Anti-virus software by
nesting a large number of zipped files. Does Antigen allow the Administrator
to decide how many nested compressed files will be scanned?
A: Yes. If the number of nested attachments
Thanks. I did a search but it is early and I have not had my coffee yet and
must have misspelled.
Mark
-Original Message-
From: Ryan Gorman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 8:52 AM
To: MS-Exchange Admin Issues
Subject: RE: Virus
Sybari say [1] in [2]
Sophos
I received the same type of warning last week. It also involved a zip file.
I did not call Antigen.
Nelson
-Original Message-
From: Mark Kelsay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 5:06 AM
To: MS-Exchange Admin Issues
Subject:Virus
I received this
This should answer your concern.
http://www.sophos.com/virusinfo/analyses/exceedinglyinfected.html
Mal
-Original Message-
From: Nelson Aguillon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 9:13 AM
To: MS-Exchange Admin Issues
Subject:RE: Virus
I
All,
EXCEEDINGLYINFECTED is not a Sybari Antigen false alarm as described in the link given below. This statement indicates that Antigen found more than 5 infected or file filtered documents in a ZIP file attachment. The value 5 can be changed via a registry key. I have
I've had this with Groupshield, it's a feature. You need to configure the on
demand scan to not block the attachment '_??' Also, you'll need hotfix 7 and
need to configure the options regarding macros - don't select 'enable macro
heuristics' and 'find all macros'. I can't remember the article off
Admin Issues
Subject: RE: virus scan
I've had this with Groupshield, it's a feature. You need to configure the on
demand scan to not block the attachment '_??' Also, you'll need hotfix 7 and
need to configure the options regarding macros - don't select 'enable macro
heuristics' and 'find all macros
Another reason this message shows up is if you have the checkmark made for
Find all macros and the word document has a macro in it.
-Original Message-
From: Neil Ferguson [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 4:33 AM
To: MS-Exchange Admin Issues
Subject: RE: virus
Thanks for the great info, but I'm still having a problem with doc files.
I did as you stated and made sure that 'enable macro heuristics' and
'find all macros' were unchecked. I did not have on demand scan set to scan
'_??' but it was scanning '??_'. Is the latter one the one you were
speaking
Try scanning the file with another antivirus product. I would suggest
connecting to the Trend Micro site (www.antivirus.com) and using their
HouseCall product for a quick check if you don't have access to another
vendor's antivirus product.
cheers
Wayne Hanks
Systems Administrator
Personally, if it says it's a virus, I don't take a chance. I also do
quarantine. If it's important, the sender can fix the file and resend it. In
any case, I would delete this file and get a fresh copy.
-Original Message-
From: aci [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17,
Excellent tool.
-Original Message-
From: Wayne Hanks [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 7:23 PM
To: MS-Exchange Admin Issues
Subject: RE: virus scan
Try scanning the file with another Antivirus product. I would suggest
connecting to the trendmicro site
Oops, DO NOT quarantine
-Original Message-
From: Martin Blackstone
Sent: Thursday, January 17, 2002 7:26 PM
To: MS-Exchange Admin Issues
Subject: RE: virus scan
Personally, if it says it's a virus, I don't take a chance. I also do
quarantine. If it's important, the sender can fix
, 2001 7:37 PM
To: MS-Exchange Admin Issues
Subject: RE: [virus] For those of you who don't see the big picture
It is on their machines. No need to reopen it. But yes, you can
still kill it with ISSCAN. I am doing that right now on a
server.
--
Kevinm M WLKMMAS,
UCC+WCA
Excellent point, but regardless you can still use ISSCAN to remove
attachments from your IS, right? That way after you're done rebuilding all of
your machines, someone can't re-open it ;-)
-Original Message-
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 4:34 PM
To: MS-Exchange Admin Issues
Subject: RE: [virus] For those of you who don't see the big picture
Excellent point, but regardless you can still use ISSCAN to remove
attachments from your IS, right? That way after you're done rebuilding all
of your machines, someone
From: ExchangeAdmin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 4:34 PM
To: MS-Exchange Admin Issues
Subject: RE: [virus] For those of you who don't see the big picture
Excellent point, but regardless you can still use ISSCAN to remove
attachments from your IS, right
you
got it..
--
Kevinm M WLKMMAS, UCC+WCA,
CKWSE CKST
-Original Message-
From: Zangara, Jim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 4:53 PM
To: MS-Exchange Admin Issues
Subject: RE: [virus] For those of you who don't see the big picture
if
there's a (fake) zip attachment instead of the actual lines in the
message body ;)
-Original Message-
From: Simon Taylor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 29 November 2001 16:46
To: MS-Exchange Admin Issues
Subject: RE: Virus attachment to Exchange List server
it
-Original Message-
From: Bob t. Berge
Sent: Friday, 30 November 2001 09:48
To: MS-Exchange Admin Issues
Subject: RE: Virus attachment to Exchange List server message
It's easy tho ;)
Here's an example:
Hehe, that was Bob's mail making Antigen think it has an attachment which
it does not...
I would put in the text, but I would then be blasted by Antigen :)
-Original Message-
From: Orval Marlow [mailto:[EMAIL PROTECTED]]
Sent: 29 November 2001 15:33
To: MS-Exchange Admin Issues
Subject: