Recommend me a good free email scanner?


14 replies to this topic

#1 bluesjunior

bluesjunior

  • Members
  • 761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 AM

Posted 22 September 2009 - 08:54 AM

My PC's OS is Windows Home XP SP3 and for real time protection I use Comodo CIS and Spywareblaster and use SAS and MBAM as on demand scanners. It is a long time since I have had an infection but the other day I somehow got a virus which both Comodo and SAS picked up straight away. As my buddy in Australia had sent me an email that day with some photos, although I'm not certain, I am thinking that is where the virus came from. My main email account is Hotmail and as I cannot see any email scanning function in my Security programs I wondered what you others use for scanning your emails. Is there a program that is easy on resources which I can use to scan my emails or does Comodo do it for me behind the scenes so to speak?
Motherboard: Gigabyte GA-MA770T-UD3, CPU: AMD Athlon II X3 450 Processor, Memory: OCZ 4GB (2x2GB) DDR3 1333MHz,Graphics: PowerColor HD 5750 1GB GDDR5,
PSU: Corsair 430W CX PSU 4x SATA 1x PCI-E, Hard Drive:Samsung SpinPoint F3 500GB Hard Drive SATAII 7200rpm 16MB Cache.


#2 Eric RBA

Eric RBA

  • Members
  • 252 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:State College, PA
  • Local time:12:55 AM

Posted 22 September 2009 - 09:33 AM

I use AVG 8.5 (free) and couldn't be more satisfied with it. It has an integrated email scanner for Outlook and various other clients, but I'm not sure if it has a web based email scanner. However, it has link scanning and just yesterday it alerted me to a malicious script that was trying to run. I highly recommend getting it and keeping it up to date, especially since you can program updates and scanning to run automatically.

AVG Free 8.5
I would never ask a person to do something that I wouldn't do myself.

#3 bluesjunior


Posted 22 September 2009 - 10:15 AM

Thanks for the reply Eric RBA but I am happy with the Comodo AV and it would conflict having two. Isn't there a standalone Email scanner?

#4 Eric RBA


Posted 22 September 2009 - 12:04 PM

Ah, right. Sorry, I thought you were looking to switch for some reason, seeing as Comodo didn't catch the virus. Those two programs definitely would conflict. In any case, I hope someone can give you more help than I did.

#5 Eric RBA


Posted 22 September 2009 - 12:07 PM

Although, here's a link that might help.

#6 bluesjunior


Posted 22 September 2009 - 01:31 PM

That looks interesting, thank you.

#7 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,635 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:55 AM

Posted 23 September 2009 - 12:58 PM

I have to disagree that those programs will be useful to you--I understand that they sure sound useful, but if you think about it they are designed for people using an email program like Outlook or Outlook Express, not webmail that you are asking about.

Plus, there is really no need for a special scanner for emails, whether web-based or those downloaded for a program. Your antivirus on access scanner should protect you, as whatever is a threat is going to be a file that won't hurt you unless you try to open it and so execute it, usually attachments that are using some sort of executable file extension. Even if it weren't an attachment, when you are using webmail, or just being on the internet, you are opening files, html or whatever. If your antivirus has definitions for the threat it won't allow you to open it (access), no matter what it is.

I learned this from a Microsoft MVP that I have great respect for--here are his own words:

There is no good reason for an email scanning module. It is driven from the marketing folks at AV vendors, not from the technical side of the House.

Antivirus acts as a kernel level file filter. That means that even if you remove the email filter module, the emails are scanned every time they are opened. It has proved the case for years under Win9x, ME and XP that the introduction of email modules to an antivirus product offers no additional protection, but is a serious cause of database corruption in Outlook Express, Outlook and now Windows Mail under Vista.

http://aumha.net/viewtopic.php?f=27&t=33234

And the source for how email scanners can cause problems:

Viral Irony: The Most Common Cause of Corruption

When encountering the symptoms of DBX corruption, many people immediately fear that their computer is infected with a virus. As surprising and ironic as it may seem though, the most common cause of DBX corruption is not a virus, but rather anti-virus programs that are configured to scan incoming or outgoing e-mail. Even the most well-known anti-virus programs have exhibited this problem from time to time. To lessen the risk of such corruption you should disable the e-mail scanning module in your anti-virus program. This is usually easy to do by looking at the user-configurable options in the anti-virus program. It is not at all necessary to scan e-mail for viruses to protect your computer.

Now before you dismiss me as mad, let me explain why e-mail scanning is unnecessary. Almost every anti-virus program for Windows installs by default a system scan that runs in the background every time Windows starts. This scan is necessary to protect your computer. If you receive a virus in an e-mail attachment, the virus cannot do anything at all until you actually open the attachment. At that time Outlook Express extracts the attachment from the message and saves it to the Temporary Internet Files folder on your hard disk and attempts to open the file. And it is precisely at that moment that a background system scan will detect the virus, provided it is able to do so, and stop the virus from executing. The system scan will usually delete the infected file from the Temporary Internet Files folder, or else move it to quarantine. To remove the infected e-mail message in Outlook Express, simply hold the Shift key while you press the Delete key. That's all it takes to keep your computer safe, both from e-mail viruses and e-mail anti-virus scanners. Scanning e-mail as it arrives therefore adds nothing to your level of protection. It might indeed make you feel more protected, but that feeling is an illusion. If the system scan is unable to detect the virus, the e-mail scan will fail to do so also.

http://www.microsoft.com/windows/IE/commun...tion.mspx#EOAAC

Scripts and other techniques are more worrisome on the internet. I'm pretty sure you've posted that you use No Script, but in any event whatever happened, it shouldn't have been because you didn't have an email scanner for webmail.

What did Comodo and SAS call it? Did they find it during a full system scan or sooner?

The thing about people

is they change

when they walk away.--Mipso


#8 bluesjunior


Posted 23 September 2009 - 01:51 PM

Comodo found it first Papakid, it was in my Windows System32 folder and called Client.exe. I googled it and found it was a virus and not a false positive. While it was in the Comodo quarantine SAS picked it up as well. I deleted both entries and scanned with the newest version of MBAM as well which works much better than the previous version but came up clean.
Next morning while checking for updates for Spywareblaster I noticed that there were 11 unprotected entries in the Restricted Sites column. I clicked on apply but could only get 10 to take, the 11th called Total Security4 (powerfullantivirusproduct.com) I could not apply, it remained unchecked using the apply button so I went down the list to find it manually but as soon as I ticked it it unticked itself again. I scanned with Comodo AV, SAS, MBAM and MRT all came up clean. Having never had a problem for over two years I began to think where these problems were coming from and remembered that my buddy in Australia had sent me some photos in an email a few days before, hence this post.

The only other thing of note I had done was install a media player called KM Player after a good review at Gizmos. I downloaded new versions of Spywareblaster and Avira Antivir for a second opinion. I used Revo uninstaller to uninstall Spywareblaster then manually uninstalled KM Player and rebooted and scanned my PC first with Comodo AV, then again with SAS and MBAM. I then switched off the Comodo AV and installed Avira let it update and scanned with it. All these scans came up clean. I also ran Rootkit Revealer which also was clean. I found the link here in regard to Total Security and ran a scan with Process Explorer which was also clean as were the various registry entries in regard to TS. I then uninstalled Avira and reinstalled the new copy of Spywareblaster and this time all the boxes remained ticked. I have checked it a couple of times today and it seems to be stable, I also ran quick scans with SAS and MBAM which also were clean. Still don't know where the problem came from as I tend to use the same sites and don't bother with porn etc. I download tv and movie files from Alluc and QSS but only use zshare links and haven't ever had a problem so I don't know. My PC does seem to be clean though but I will keep an eye open over the next few days just to be sure.

#9 Eric RBA


Posted 23 September 2009 - 03:56 PM

Somehow I missed it that you stated this was Hotmail. My apologies, I see how unnecessary it was to go down the road I went thinking that you were using an email program or client.

Thanks Papakid for jumping in to resolve the issue and give some excellent input.

#10 Papakid


Posted 23 September 2009 - 07:32 PM

Well, first, I have been looking around and haven't yet found clear proof that client.exe in the System32 folder is malware, so if you could link me to where you saw that would be great. That is a pretty generic file name and so it can be, and in this case is, so common that many applications use it. You are probably right that it is not a false positive, but I'm from Missouri when it comes to passing judgement on files--which is one reason I'm on the HJT Team. Most of the legit files should be in a Program Files subfolder, but that isn't always the case. The only clear case of client.exe being documented as malware is here, but that one is in the Windows folder:
http://www.sophos.com/security/analyses/vi...ojbackdram.html

I was wondering what name Comodo gave to what it detected, even tho it may not really help much. For example, the threat linked to above was given this name by Sophos: Troj/Backdr-AM

I also was wondering if Comodo found the file during a scan--or if you got a popup warning when you tried to open the file. I don't think it was the photos from your friend--for the most part photo files are safe and even if they were executable files disguised as jpeg (or whatever image extension), Comodo should have popped up a warning when you tried to open them. I also don't think the media player was infected either--Gizmo wouldn't give it a good review otherwise.

The most likely candidates are the movie sites you mentioned. They look dodgy to me. The first one wants to show popup ads and the second wants to install the Zango toolbar. I'm also not sure they are 100% legal, but could be wrong about that. Those sites might have been OK when you first started using them, but sites change.

A third possibility is that the media player installed the client.exe file and Comodo's detection was a false positive. Stranger things have happened. It would be easy to find out--reinstall it and see if the file reappears in system32.

The problem with SpywareBlaster I don't think was related. Sounds like a glitch that a reboot or reinstall would have solved, tho I certainly understand your caution.

So it's a mystery where it could have come from--the only other thing I can think of is an infected USB drive. But the bottom line is that you seem to have dealt with it. :thumbsup:



#11 bluesjunior


Posted 24 September 2009 - 03:31 AM

Thanks for your time Papakid. Here is the link which I acted on in regard to Client.exe, the path to mine was listed as Windows\System32\client.exe, according to the link below that made it 80% dangerous and a risk I was unwilling to take.

http://www.file.net/process/client.exe.html

#12 Papakid


Posted 24 September 2009 - 10:19 AM

OK. To say that a file is 80% likely to be malware is guesswork, not ironclad proof, so it is still possible that the file was a false positive. I don't care much for percentage ratings like that--it is a bit useful in confirming that there is reason to be suspicious of a file, but a file is either OK or not in actuality, so that percentage rating is often misunderstood as you can see. It's what I don't like about file.net's database--they rarely, if ever, say that a file in a certain location is definitely good or bad even when it is known to be one or the other. On the positive side, they are one of the only sites that do give the location of files, which does help in making determinations.

For example, your file could just as well be this one, but no location is given:
http://www.bleepingcomputer.com/startups/C...T.EXE-1284.html

I would like to think that both Comodo and SAS detecting the file would confirm it's bad, but that would depend on what criteria they are judging the file by. This is why I was wondering what name was given to the detection by Comodo--and SAS as well. If the name indicated a heuristic or generic detection, then there are grounds for believing it could be a false positive. And sometimes files get flagged for their name and location alone.

Another reason to suspect a false positive is that you didn't mention the manifestation of any symptoms. Not all of them do, but the large majority of malware gives itself away--for example, if you had been infected with Total Security4 you would know it immediately as it will try to fake you into buying the program.

Anyway, as long as deleting client.exe hasn't ruined some other program you know is OK, better safe than sorry. I'm going to install that KMPlayer and see if it comes along with it--I need such a program anyway, so thanks for that. BTW, do you have a link to Gizmo's review? I don't hang around his site much, but I sure do miss his old newsletter. Windows Secrets is just not the same and I've canceled.



#13 bluesjunior


Posted 24 September 2009 - 01:31 PM

Here's the KM Player review at Gizmos Papakid. The client.exe was called either gen something or something gen I can't remember now and I unusually for me never wrote it down. Everything seems ok on my PC so I don't think I have deleted anything important if it was an FP, but I don't think so. I think you may be correct that I got it while clicking on a download link site. KM Player was ok to use and had several interactive features which VLC doesn't, most of which I would never use anyway. I am just suspicious of programs which install onto a PC but do not show up in the ARP or All Programs list. You can only get rid of KMP from the uninstall icon in its folder in drive C: Program Files. I prefer them to be where I can either use the Windows uninstaller or preferably Revo. Now I am stuck with various remnants of KMP that I would rather not have and can't get rid of with my limited knowledge of PC systems. Thanks again for your input.

http://www.techsupportalert.com/best-free-...replacement.htm

#14 Papakid


Posted 25 September 2009 - 10:39 AM

OK, thanks for the link.

The client.exe was called either gen something or something gen I can't remember now and I unusually for me never wrote it down. Everything seems ok on my PC so I don't think I have deleted anything important if it was an FP, but I don't think so. I think you may be correct that I got it while clicking on a download link site.

OK, a generic detection could be either--I won't know for sure without having a sample of the file to examine. I have installed the KMPlayer, monitoring it with ZSoft Uninstaller, and that file does not get added by it so it remains unknown exactly where it came from, tho we know what to suspect the most.

I am just suspicious of programs which install onto a PC but do not show up in the ARP or All Programs list. You can only get rid of KMP from the uninstall icon in its folder in drive C: Program Files. I prefer them to be where I can either use the Windows uninstaller or preferably Revo. Now I am stuck with various remnants of KMP that I would rather not have and can't get rid of with my limited knowledge of PC systems.

That's strange as I get shortcuts, including to an uninstaller, in the All Programs part of the Start menu. You're right that there is nothing in Add/Remove Programs, tho, which makes Revo less easy to use.

What casts a suspicious light on the program for me--maybe suspicious is too strong a word, call it a personal dislike if you will--is that, before seeing Gizmo's article, a home page for the program with things like description of features, version history, etc., was hard to find. The company behind it is now Pandora.tv and going to that Korean site is more about Videos themselves than the player. And again, I'm not sure if the videos there are legal and I've learned to be very cautious about Asian sites as most malware comes out of Asia and the former Soviet Union.

However, and I'm not much good with media players--VLC is like Greek to me--I've looked the program over this morning--mostly configuration options, and it feels OK. It does ask if you want to install the Ask Toolbar, which is a strike against it, otherwise I think it's OK.

If you are really worried about leftovers, try reinstalling it while monitoring the installation with ZSoft.
http://www.zsoft.dk/index/software_details/4
Revo is good, but it does not remove 100% of reg entries when uninstalling, and you have to use Hunter mode if the program doesn't show up in Add/Remove. ZSoft takes a snapshot of the registry and files on your system before a program is installed and then another snapshot afterwards, then compares the two to produce an install log. You can then use ZSoft to reverse any changes made when the monitored program was installed--you can't get a more complete uninstall than that. In fact this is one method used by malware removal specialists to give malware samples a test run while trying to figure out how to deal with them.

If you are interested, do as follows:

1. Install ZSoft then click the Analyze button.
2. Click Next on "Analyze an Installation".
3. Make sure the drive you are installing to is checked--if you are installing to a second drive and Windows is installed on C, leave C checked as well, since some files, like shortcuts to the start menu will be added to the Windows installation drive.
4. Click the Before Installation button. IMPORTANT--DO NOT USE YOUR COMPUTER WHILE THESE SNAPSHOTS ARE BEING MADE. Have patience, if you have a large number of files and/or more than one hard drive to monitor, the snapshot scan could take a few minutes. Unfortunately, there is no progress bar, so the only way to know that the snapshot scan is complete is when the "After Installation" button is no longer grayed out.
5. When the first snapshot is complete, install the program you want to monitor/uninstall.
6. Click the "After Installation" button and wait for it to complete. A dialog will popup asking for a name--I usually just type in the name of the program--and when that is entered, the comparison is made.
7. Now click on the Analyzed Programs tab.
8. Find the name of the program you just installed. Right click it and choose Uninstall and follow the prompts.

BTW, I learned of both ZSoft and Revo from one of Gizmo's newsletters. Revo is a lot quicker. I install a lot of programs, so I don't have time to monitor them all, but I will use ZSoft when I have any doubts and suspicions at all that uninstalling will be a problem.

The thing about people

is they change

when they walk away.--Mipso
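
The before/after snapshot comparison described in post #14, as an added example that is not part of the thread and not ZSoft's code. It covers files only (no registry), and the directory layout and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to (size, sha256 hex)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                # Locked or vanished files are skipped instead of aborting the scan.
                continue
            rel = path.relative_to(root).as_posix()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def compare(before, after):
    """Build the install log: files added, removed and modified between snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def rollback_plan(log):
    """Turn an install log into uninstall actions.

    Added files can be deleted (deepest paths first). Modified or removed
    files cannot be restored from hashes alone, so they are listed for review.
    """
    plan = [("delete", p) for p in sorted(log["added"], key=lambda p: -p.count("/"))]
    plan += [("review", p) for p in log["modified"] + log["removed"]]
    return plan


def demo():
    """Constructed run: a temp directory stands in for the monitored drive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "settings.ini").write_text("codec=old\n")
        (root / "readme.txt").write_text("unchanged\n")
        before = snapshot(root)  # the "Before Installation" step

        # Simulated installer; every file name here is hypothetical.
        (root / "Program Files" / "Player").mkdir(parents=True)
        (root / "Program Files" / "Player" / "player.exe").write_bytes(b"MZ-constructed")
        (root / "Windows" / "helper.dll").write_bytes(b"constructed")
        (root / "Windows" / "settings.ini").write_text("codec=new\n")

        log = compare(before, snapshot(root))  # the "After Installation" step
        return log, rollback_plan(log)


if __name__ == "__main__":
    install_log, actions = demo()
    print(install_log)
    for action, path in actions:
        print(action, path)
```

Anything else that writes to the monitored directory between the two snapshots lands in the log as well, which is why the steps say not to use the computer while the snapshots are taken.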


#15 bluesjunior


Posted 25 September 2009 - 01:15 PM

Thanks Papakid, I will download that Zsoft program with a view to using in the future. I may have unticked the KMP shortcut during the install thinking it was adding to my start up list as I usually do. Either way I just prefer VLC, it does everything I need and like KMP you don't need a separate codec program download. There are definitely more bells and buttons in KMP but I wouldn't have used them anyway. I just want it to plug and play I suppose and like I say VLC is ideal for my needs.



