Removing old Mozilla email

Trying to help someone get rid of all sorts of infected email showing up as the following in a Kaspersky online virus scan:

C:\Documents and Settings\User_Name\Application Data\Mozilla\Profiles\default\kdtdne6k.slt\Mail\mail.teleweb.net\INBOX/[From darwin_sorjonen@hotmail.com][Date Sat, 2 Nov 2002 18:38:35 UT]/html/[From kkuzia <kkuzia@hotmail.com>][Date Date header was inserted by mtaout01.icomcast.net]/0,2557,59~11~channel,00[1].bat Infected: Email-Worm.Win32.Klez.h skipped

Gave the user instructions to enable the viewing of hidden files, look for and remove the files.

The response was the following:
"…looked at the Inbox through Netscape after changing hidden file properties and can't find those infected files. "

Not sure that the person is looking in the right location, and have never used either Netscape nor Mozilla email, so do not know.

Does this user need to remove kdtdne6k.slt, or, in the .slt folder, is there a Mail folder containing accounts, and an account needs removed....

Or, does Inbox.msf need removed?

As you can tell, have no clue!!

Your help is certainly appreciated.

 

Welcome to the Forum, Echo1234!

Echo1234,

If the user runs Symantic/Norton AV, there is a tool to be downloaded here, in addition to some useful information on this virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

The Netscape Mail Account folder location for Windows XP below:
C:\Documents and Settings\user_name\Application Data\Mozilla\Profiles\profilename\*.slt\Mail\
pop.ispname.net

There is also instruction for removing the virus manually, so hopefully this is all the information the user will need...

 

Thanks for the info, Ramona.

We realize there is a tool to remove Klez, etc. but the issue is that this individual has all sorts of email like the ones below, that are not necessarily infected with it.

C:\Documents and Settings\User_Name\Application Data\Mozilla\Profiles\default\kdtdne6k.slt\Mail\mail.teleweb.net\INBOX/[From "Tracy Dove" <joxbmjrdq51@yahoo.ca>][Date Sat, 03 May 03 14:49:37 GMT]/UNNAMED Suspicious: Exploit.HTML.CodeBaseExec skipped

C:\Documents and Settings\User_Name\Application Data\Mozilla\Profiles\default\kdtdne6k.slt\Mail\mail.teleweb.net\INBOX/[From "Lose Weight" <loseweight@discountcertificates.com>][Date Wed, 14 May 2003 21:51:23 -0700]/UNNAMED/[From "Sam Lugo" <cjb657bsvb6@lfcg.com>][Date Wed, 14 May 03 18:27:57 GMT]/UNNAMED/[From eCredit Repair <05150322ecreditoffers@branddirections.dbhits.com>][Date Thu, 15 May 2003 09:22:03 UT]/UNNAMED/[From " " <go7@earthlink.net>][Date Thu, 15 May 03 15:28:44 GMT]/UNNAMED/[From War Opponents ... /[From "Kristina Gibbs" <y4agcz2uyvb9@yahoo.com>][Date Fri, 16 May 03 18:50:12 ... /1714.exe Infected: not-a-virus:****-Dialer.Win32.RTSMini skipped

What we would like to do is remove all these old emails, but he cannot find them.

Any ideas on how to remove these? They date back to 2002 and 2003.

 

Echo,

Did the user send you the below information:

C:\Documents and Settings\User_Name\Application Data\Mozilla\Profiles\default\xxxxxxxx.slt\Mail\ma il.isp.net\INBOX/[From "Tracy Dove" <xxxxxxxx@yahoo.ca>][Date Sat, 03 May 03 14:49:37 GMT]/UNNAMED Suspicious: Exploit.HTML.CodeBaseExec skipped

If so, then I am confused. It appears he did find the Inbox for his Mail Account: C:\Documents and Settings\User_Name\Application Data\Mozilla\Profiles\default\xxxxxxxx.slt\Mail\ma il.isp.net\INBOX

It's late and maybe I need to sleep on this!

If he wants to select specific Mail, and can't open the Mail Account using Netscape, then he can open the Inbox file (with Netscape closed). It is a text file, and the separate messages can be removed and placed in another "Inbox" file.

E.G., in the Mail Account folder, rename the Inbox, "OLDInbox ". Create a new "Inbox" file. Then copy the messages he wishes to keep from the "OLDInbox" file to the newly created "Inbox" file. I would stress that a backup of the Profile folder is imperative, before doing any editing.

The messages start with:

From - Sun Oct 30 12:30:17 2005
X-UIDL: 2005103007222701200ndlrae00003l
X-Mozilla-Status: 0009
X-Mozilla-Status2: 00000000
Received: from mxsf08.cluster1.isp.net ([123.456.78.910])
by isp.net (mtiwmxc12) with ABCDEF
id <200510300123456789a6b23g>; Sun, 30 Oct 2005 07:22:27 +0000

I've not had to deal with viruses, but I would think if the Symantic tool is used, would it not delete the infected files, and leave those which aren't infected?

Something else to consider, and it could be why the user can't find his Mail. Norton AntiVirus detects an infected email, and if the options are set to quarantine infected files, then NAV puts the Netscape Inbox into Quarantine. Another Symantic KB article on the subj.:
http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2000051809560948

If this has happened, then here is another KB Article which explains how to prevent it from happening again:
http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2002092413394848?Open

 

Thank you for the reply, Ramona.

He did not send me the informatin above. He did an online virus scan, and all these emails are showing up on it. He wants to get rid of them. He does not know how to find the Inbox, or wherever it is that these old email files are located.

What does he need to do to find these old email files and get rid of them. Can you provide some instructions as to how to find where they are, and get rid of them?

Thanks!!

 

It is difficult to find specific e-mails, if you don't know where they are. You should see them. If they are not seen, and, let's say that they were deleted (you mention old mail, after all), they will not be seen, and if the user never compacted his/her folders, they would still be associated with the Inbox, although the mail was deleted. I might have missed it, but I did not see any mention of compacting folders. That should be done before anything else.
Spammers, with or without viruses have been making it difficult to remove such stuff, and the ISP website should be checked. But, if an e-mail is detected by the AV, in the Inbox, it means that it was downloaded. Now, where is it?
Just FYI, the Inbox is a single file, with messages back to back.
So, Compact folders, and check the ISP webmail, although I never see anything older than two weeks there.

 

Thanks for clarifying, and Westside's advice to Compact folders is solid.

As for instructions for finding the infected messages, or where they are located, if the user did unhide the system files as described below, and searched for the infected messages, or the Inbox:

To see hidden files:
1. On the Tools menu in Windows Explorer, click Folder Options
2. Click the View tab
3. Under Hidden files and folders, click Show hidden files and folders
4. Disable "Hide File Extensions for Known Files. "
5. Click OK.

To search for files in the Application Data folder, go to Start | Search.
Under More Advanced Options select Search system folders, Search
Hidden Files and folders, and Search subfolders.
---

and the messages, and/or Inbox wasn't found, and --- if the user followed the instructions in the Symantic KB Article on how to restore the Inbox (if it was quarantined), then that's the extent of my knowledge as to how to find the messages or Inbox.

 

Ramona and Westside, thank you once again.

We'll try to absorb all this and see if we can figure out how to get rid of those pesky items.

Certainly appreciate all your help!!