New virus that eats e-mail accounts?

[Henry]

Interesting thing I ran into at work starting yesterday: A user complained that she could no longer receive e-mail. Checking her Outlook Express, I found that the account had been deleted. Figuring user error, I put it back in again. It was gone again a short while later.

A virus sweep (dec. 5th definitions) revealed some infected files (infected with the W32.Mytob.NM strain that's relatively new) but it was not running, and none of the regedit entries or host files were altered in the way this virus says on symantec's site; PLUS, deleting e-mail accounts are not listed with that or any version of the virus I saw. I rebooted in safe mode and ran a full scan again, with ZERO infections found.

This morning, her e-mail account is gone again. ZERO infections found. Now, a SECOND user had the same problem. I updated his virus def's, booted in safe mode, and (dec. 6th definitions) ZERO infections found. A second AV program, Spyware Doctor, found nothing, either.

Anyone have any info on this, or perhaps have had the same problem recently? If I can't find an answer tomorrow, I'm going to have to pony up for an incidence call with Symantec.

Man, new viruses tick me off. :\

 

[Eternalknight]

Never heard of it. You sure it's not a hacking problem rather than a virus? Have you checked the firewalls on the computer?

 

[Thanee]

Format and Reinstall.

Bye
Thanee

 

[TogaMario]

Maybee rolling back to a previous version of Outlook? Don't know, but I'll keep an eye out.

 

[Mercule]

User error. Shoot them.

 

[XCorvis]

You let your users use OE? They deserve to have their accounts deleted.

Seriously tho, you'll probaly just have to wait for the virus defs to catch up. If you only have a few users, maybe you can have them back things up, just in case.

You might also want to get prcview. http://www.teamcti.com/pview/prcview.htm
It's a process viewer that will show you everything that's running, not like the windows process viewer that hides a bunch of stuff.

Also, look for any strange services that start automatically when the computer boots up.

 

[Henry]

You let your users use OE? They deserve to have their accounts deleted.

It's still decent for the purpose, though. And it's one less package I have to update by hand, much less prepare on new PCs.

BTW, thanks for PrcView! I've been using Autoruns, but it only tells me the stuff that's in the startup locations. Apparently, this does those functions plus the module and process indicators.

 

[XCorvis]

BTW, thanks for PrcView! I've been using Autoruns, but it only tells me the stuff that's in the startup locations. Apparently, this does those functions plus the module and process indicators.

My pleasure. Also note that it will let you kill things that the Windows Process viewer won't, such as nasty viruses. It is possible to kill something important, so be a little careful.

 

[Henry]

After having killed lsass.exe once by accident during my early exposure to WInXP, I know what you mean.

 

[TogaMario]

Henry, I've done it too Now they have a nice site that describes all necessary and common background operations, so I don't do it again, lol. It certainly seemed malicious at the time