Spyware, Viruses, & Security forum

General discussion

W32.mytob.EE@mm

This is regarding one of my colleagues' computers. That computer has an "Email server" application installed that receives and sends, to and from, all the external email accounts in our company.

Nowadays it always has a Norton Anti-virus message popping up, alerting her that one of the 4 attachments of an e-mail being sent contains the W32.Mytob.EE@mm virus. The sender and receiver are always strange (they don't exist, and they end with our company's domain name).

So after she clicks the Quarantine button and closes the message, the computer automatically sends another e-mail, and then the same message pops up again, alerting about the same virus but with a different e-mail (different sender, title, etc.). Then, after it is quarantined and closed, the same message pops up again and again. Sometimes, in the morning, there can be very many e-mails that are said to be infected.

We scanned using Norton Anti-virus and HouseCall (Trend Micro), and they didn't detect any virus. We also tried the Symantec removal tool for that virus, and it also didn't find that virus.

Does anyone know what happened and what I should do?

Ask your friend to:

In reply to: W32.mytob.EE@mm

investigate the system. Look at the technical details in http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ee@mm.html, then one by one check whether the listed entries exist:
1. ninfoie.exe in the System32 or System directory
2. "WINDOWS SYSTEM" = "ninfoie.exe"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
3. and so on...

Or do this:

Download Process Explorer: http://www.sysinternals.com/Files/ProcessExplorerNt.zip
Extract the contents of the compressed (ZIP) file to a location of your choice.
Execute Process Explorer by double-clicking procexp.exe.
In the Process Explorer window, locate the process wincfg32.exe.
Right-click the malware process, then click Kill Process Tree.
Close Process Explorer.

Follow the rest of the instructions from http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYTOB%2EEE&VSect=Sn

NAV is alerting because it found something. Your friend should temporarily stop the email service until it is "cleared".
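One way to script the checks this reply lists, on a modern Windows host, as an added example that is not from the thread, from Symantec's write-up or from Sysinternals: it looks for the two file names in the system directories, for the "WINDOWS SYSTEM" value (or any value whose data names one of those files) under the Run and RunServices keys, and for a running process with either name. The file, value and process names come from the thread; the indicator table and the loose "data contains the file name" match are assumptions for illustration, and the script only reports, it changes nothing.

```powershell
# Added example (not from the thread): read-only check for the Mytob.EE indicators
# named in the reply above. Run from an elevated PowerShell prompt.
# The indicator lists below are constructed from the names given in the thread.
$fileNames    = @('ninfoie.exe', 'wincfg32.exe')
$runValueName = 'WINDOWS SYSTEM'    # value name from the reply (assumption: exact match)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()

# 1. Dropped file in the System32 / System directories
$systemDirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'System'))
foreach ($dir in $systemDirs) {
    foreach ($name in $fileNames) {
        $candidate = Join-Path $dir $name
        if (Test-Path -LiteralPath $candidate) {
            $findings += "File present: $candidate"
        }
    }
}

# 2. Autorun value under Run / RunServices. RunServices is not present by default
#    on NT-based Windows, so a missing key is simply skipped.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
        $data = [string]$p.Value
        $dataNamesFile = [bool]($fileNames | Where-Object { $data -like "*$_*" })
        if ($p.Name -eq $runValueName -or $dataNamesFile) {
            $findings += "Autorun entry: $key -> '$($p.Name)' = '$data'"
        }
    }
}

# 3. Running process with one of the names (Get-Process matches on the base name)
foreach ($name in $fileNames) {
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Running process: $($_.ProcessName) (PID $($_.Id)) path=$($_.Path)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Mytob.EE indicators from the thread were found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Each hit is reported rather than acted on, so the output can be compared against the Symantec and Trend Micro pages linked in the thread before anything is killed or deleted; a file that is present but not running, or an autorun value pointing at a path that no longer exists, is a different situation from an active process, and the three sections are kept separate for that reason.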

Followed the Manual Removal instructions...

In reply to: Ask your friend to:

Thank you. I followed the manual removal instructions from the page you sent me. I couldn't find entries added by the risk to the hosts file when I was doing step 2 (to remove all the entries that the risk added to the hosts file). When I followed step 5, I didn't find the value "WINDOWS SYSTEM" = "ninfoie.exe". But the "Start" value was 2 instead of 4. Should I change it to 4?

Other than the "Start" value, I can't find anything else to modify or delete when following the instructions.

No, don't change it to 4, or else Shared Access will be disabled.

In reply to: Followed the Manual Removal instructions...

If it is value 4, it means the worm may have changed it to 4. Leave the value 2 as is.

Does the HOSTS file have the entries listed on the Symantec site? If yes, download Hoster from http://www.funkytoad.com/hoster.htm or get it now by clicking this link --> http://www.funkytoad.com/download/hoster.zip
Extract Hoster.exe to the desktop. Open it, then select "Restore Original Hosts".

Next, empty the temporary internet files:
Start > Run, then type %temp%
Click OK. Delete all files in the folder that appears on the screen (make sure it is the temp folder).

You've deleted the "ninfoie.exe" in the startup location, and that's good. Run a full system scan with an up-to-date antivirus in normal and safe mode to be sure.
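A read-only check for the two things this reply and the one before it deal with, as an added example that is not from the thread, from Hoster or from Symantec: it parses the hosts file and lists every non-localhost name mapped to a loopback or null address (the shape a worm's hosts-file redirection of security-vendor sites takes), plus any line that names a security vendor at all, and it reads the Start value of the SharedAccess service so it can be compared with the 2 the reply says to leave alone. The vendor keyword list and the set of "sink" addresses are assumptions for illustration.

```powershell
# Added example (not from the thread): inspect the hosts file and the SharedAccess
# service start type without changing either. Run from an elevated prompt.
$hostsPath     = Join-Path $env:windir 'System32\drivers\etc\hosts'
$sinkAddresses = @('127.0.0.1', '0.0.0.0', '::1')
# Names that should not resolve to loopback on a workstation (constructed list, an assumption)
$vendorKeywords = @('symantec', 'norton', 'trendmicro', 'mcafee', 'microsoft', 'windowsupdate')

function Get-SuspiciousHostsEntries {
    param([string]$Path)
    $suspicious = @()
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $text = ($line -split '#', 2)[0].Trim()      # drop comments and surrounding whitespace
        if ($text -eq '') { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }          # malformed line: address with no names
        $address = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -in @('localhost', 'localhost.localdomain')) { continue }
            $isSink   = $address -in $sinkAddresses
            $isVendor = [bool]($vendorKeywords | Where-Object { $name -like "*$_*" })
            if ($isSink -or $isVendor) {
                $suspicious += [pscustomobject]@{ Address = $address; Name = $name; Line = $line }
            }
        }
    }
    return $suspicious
}

# 1. Hosts file: non-localhost names sent to a sink address, or vendor names mapped anywhere
$entries = @(Get-SuspiciousHostsEntries -Path $hostsPath)
if ($entries.Count -eq 0) {
    Write-Output "hosts file looks clean: $hostsPath"
} else {
    Write-Output "[!] Suspicious hosts entries in $hostsPath :"
    $entries | Format-Table -AutoSize
}

# 2. SharedAccess (Windows Firewall / Internet Connection Sharing) service start type.
#    Start: 2 = Automatic, 3 = Manual, 4 = Disabled. The reply above says leave 2 alone.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
$item = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output 'SharedAccess service key not found.'
} elseif ($item.Start -eq 4) {
    Write-Output '[!] SharedAccess Start = 4 (Disabled): a worm may have switched the firewall service off.'
} else {
    Write-Output "SharedAccess Start = $($item.Start) (2 = Automatic, 3 = Manual)."
}
```

The hosts parser deliberately reports the whole original line alongside the parsed address and name, so an entry can be checked against the list on the Symantec page before the file is restored; a legitimate local override (a name pinned to an intranet address) will also show up if it matches a keyword, and that is the point of reporting rather than deleting.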
