
how to read windows live mail store folder



#1 somae


Posted 01 May 2014 - 04:14 PM

AVG reported that we have l-worm/swen in an email. I want to find which email it's in, so I was thinking of scanning individual emails in the Windows Live Mail store folder. Not sure how to read files in it.

 

Help appreciated.


Edited by hamluis, 01 May 2014 - 06:16 PM.
Moved from Win 7 to Am I Infected - Hamluis.



 


#2 wing987


Posted 01 May 2014 - 05:14 PM

See if this helps:

 

http://www.pcworld.com/article/189238/win_live_mail_store.html


-- Windows 7 Ultimate on custom built system, Windows 10 on under powered laptop. Sophos UTM 9, Ubuntu Server and Windows Server 2008 R2. HyperV Virtualization --

 

"The hottest places in hell are reserved for those who in a period of moral crisis maintain their neutrality," John F. Kennedy


#3 somae


Posted 01 May 2014 - 07:05 PM

Thanks. I already knew where the folder was - I'm trying to find out which email it is. It's listed as 28337874-000001B5.eml and I don't want to open it 'cause it's got l-worm/swen.a in it.



#4 scotty_ncc1701


Posted 02 May 2014 - 08:40 AM

An eml file is usually formatted like this (or real close to this):

============
Subject: Re: Sample EML
From: RS <E-Mail Address>
Reply-To: <E-Mail Address>
Date: 5/2/2014 7:17 PM
To: Mailing List <E-Mail Address>
User-Agent: (edited for post)

Text of message
============
In WINDOWS LIVE MAIL, if I recall correctly, the text is encrypted. I looked at WINDOWS LIVE MAIL some time back. For programs other than WINDOWS LIVE MAIL, the EML files are normally plain text, which can be opened with any TEXT EDITOR.

No offense, but I experimented with AVG previously, and in my opinion, it's on the bottom of the list of programs a person would want to use. I've been virus free since the fall of 1995. I tried two programs, Norton AV and McAfee. McAfee found half of what Norton did. I saved the viruses to floppies (showing my age). Later, I tried to scan the floppy with AVG, and it found only about 12 out of 600. I've tested AVG quite a few times since then, and the results were the same.

Since then, I've abandoned Norton.  I now use AVAST, and it's saved my bacon quite a few times.  I suggest that you use AVAST instead of AVG.

Presuming that AVG is your choice, you want to stay with it, and you trust it, and that "28337874-000001B5.eml" is the actual file name, then:

1.  Open an Admin-level command prompt.
2.  Go to the folder where "28337874-000001B5.eml" is.
3.  Enter the command (no quotes): "type 28337874-000001B5.eml | more"
4.  Yes, at the end is a space, vertical bar, space and the word more.

The above will display the file, a screen (command prompt screen) full at a time, and display "-- More --".  Press the space bar to see another screen full.

However, although the above will allow you to see the above, without opening it in a program, I recommend that you just delete it, securely.  Go to fileshredder.org, download it, and install it.  Then drag and drop the file into it, and use the DoD method to securely erase all tracks of the file (again I don't trust AVG).

Best of Luck.
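
An added example, not part of the original posts: one way to list an .eml file's headers and attachment metadata purely as data, without opening the message in a mail client, which is what the "type ... | more" step above does by hand. It assumes the file is plain RFC 822/MIME text; the sample message, its addresses and the RISKY_EXT list are constructed for illustration.

```python
import base64
import hashlib
import sys
from email import policy
from email.parser import BytesParser

# Illustrative list of extensions that usually mean an executable attachment.
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs", ".js")

def summarize_eml(raw: bytes) -> dict:
    """Treat the .eml purely as data: headers plus attachment metadata."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = []
    for part in msg.walk():
        name = part.get_filename()
        if name is None:          # body text or multipart container
            continue
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "risky": name.lower().endswith(RISKY_EXT),
        })
    return {
        "from": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "received": [str(h) for h in msg.get_all("Received", [])],
        "attachments": attachments,
    }

# Constructed sample (not the message from this thread); the payload is harmless.
PAYLOAD = b"constructed harmless bytes"
SAMPLE = b"\r\n".join([
    b"Received: from relay.example.invalid by mx.example.invalid; Thu, 1 May 2014 10:00:00 +0000",
    b"From: Security Update <sender@example.invalid>",
    b"Subject: Sample EML",
    b"Date: Thu, 1 May 2014 10:00:00 +0000",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"", b"--b1", b"Content-Type: text/plain", b"", b"Text of message",
    b"--b1", b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="update.exe"',
    b"Content-Transfer-Encoding: base64", b"", base64.b64encode(PAYLOAD),
    b"--b1--", b""])

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(summarize_eml(raw))
```

The "From" value is whatever the sender wrote into the header; the "Received" lines and the attachment hash are the parts worth comparing against the antivirus detection report.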



#5 somae


Posted 02 May 2014 - 09:37 AM

Thanks for your response.

 

I had been using Avast but when I upgraded to Windows Vista, it conflicted with Online Armor. The symptom was that I was unable to switch between users and had to reboot before I could switch.



#6 somae


Posted 02 May 2014 - 09:54 AM

I tried opening the file as an admin at the DOS prompt but got "access is denied".

I also tried changing the ownership of <username> and all subfolders and files to the admin user. The permissions for all folders and files under <username> were still dimmed and unchangeable although the admin had full control. I still got "access is denied" when trying to run the "type" command.

(I'm familiar with DOS.)


Edited by somae, 02 May 2014 - 03:17 PM.


#7 scotty_ncc1701


Posted 02 May 2014 - 03:15 PM

Consider using TAKEOWN against the folder, and trying it again:

 

c:\temp02>takeown /?

TAKEOWN [/S system [/U username [/P [password]]]]
        /F filename [/A] [/R [/D prompt]]

Description:
    This tool allows an administrator to recover access to a file that
    was denied by re-assigning file ownership.

Parameter List:
    /S           system          Specifies the remote system to
                                 connect to.

    /U           [domain\]user   Specifies the user context under
                                 which the command should execute.

    /P           [password]      Specifies the password for the
                                 given user context.
                                 Prompts for input if omitted.

    /F           filename        Specifies the filename or directory
                                 name pattern. Wildcard "*" can be used
                                 to specify the pattern. Allows
                                 sharename\filename.

    /A                           Gives ownership to the administrators
                                 group instead of the current user.

    /R                           Recurse: instructs tool to operate on
                                 files in specified directory and all
                                 subdirectories.

    /D           prompt          Default answer used when the current user
                                 does not have the "list folder" permission
                                 on a directory.  This occurs while operating
                                 recursively (/R) on sub-directories. Valid
                                 values "Y" to take ownership or "N" to skip.

    /SKIPSL                      Do not follow symbolic links.
                                 Only applicable with /R.

    /?                           Displays this help message.

    NOTE: 1) If /A is not specified, file ownership will be given to the
             current logged on user.

          2) Mixed patterns using "?" and "*" are not supported.

          3) /D is used to suppress the confirmation prompt.

Examples:
    TAKEOWN /?
    TAKEOWN /F lostfile
    TAKEOWN /F \\system\share\lostfile /A
    TAKEOWN /F directory /R /D N
    TAKEOWN /F directory /R /A
    TAKEOWN /F *
    TAKEOWN /F C:\Windows\System32\acme.exe
    TAKEOWN /F %windir%\*.txt
    TAKEOWN /S system /F MyShare\Acme*.doc
    TAKEOWN /S system /U user /F MyShare\MyBinary.dll
    TAKEOWN /S system /U domain\user /P password /F share\filename
    TAKEOWN /S system /U user /P password /F Doc\Report.doc /A
    TAKEOWN /S system /U user /P password /F Myshare\*
    TAKEOWN /S system /U user /P password /F Home\Logon /R
    TAKEOWN /S system /U user /P password /F Myshare\directory /R /A

c:\temp02>



#8 somae


Posted 03 May 2014 - 01:46 AM

Thanks.

 

After using "Takeown" I was able to see who the email was from. I don't know if the worm would just use someone's computer to make it look like Microsoft was sending something - but it didn't have anyone known to me in the "From: " line.

 

Guess I'll use "fileshredder" on it. (AVG didn't seem to be able to remove it - it was still there after using AVG's specific removal tool from safe mode and after clicking on "remove" in the normal mode detection box.)

 

Thanks again.


Edited by somae, 03 May 2014 - 01:50 AM.




