VBS_GEDZA virus adds spurious attachment

I have had the VBS_GEDZA_A virus, picked up by Norton but not before doing a
lot of evil stuff. Now Outlook Express adds an attachment to each e-mail I
send, unseen unless I turn off html. I've noteiced the same attachments
coming in on other e-mails - including people not in my address book so I
can't have infected them myself. The attachment is a file in the form
ATT00003.html(484bytes) though the number after the ATT and the file size
vary.

Questions is, how can I clean up Outlook Express? My system disks don't give
me the option of re-installing just Outlook Express, and in any case I wonder
what hapens to all the updates since I originally got my computer if I did
re-install.

"Sebastian" <Sebastian@discussions.microsoft.com> wrote in message
news:D15CB59C-9840-4C75-82AD-FB279043DD0B@microsoft.com...
>I have had the VBS_GEDZA_A virus, picked up by Norton but not before doing
>a
> lot of evil stuff. Now Outlook Express adds an attachment to each e-mail
> I
> send, unseen unless I turn off html. I've noteiced the same attachments
> coming in on other e-mails - including people not in my address book so I
> can't have infected them myself. The attachment is a file in the form
> ATT00003.html(484bytes) though the number after the ATT and the file size
> vary.
>
> Questions is, how can I clean up Outlook Express? My system disks don't
> give
> me the option of re-installing just Outlook Express, and in any case I
> wonder
> what hapens to all the updates since I originally got my computer if I did
> re-install.
>

See for information:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_GEDZA.A&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS%5FGEDZA%2EA&VSect=Sn

Follow the instructions for prevention:

http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

From: "Sebastian" <Sebastian@discussions.microsoft.com>

| I have had the VBS_GEDZA_A virus, picked up by Norton but not before doing a
| lot of evil stuff. Now Outlook Express adds an attachment to each e-mail I
| send, unseen unless I turn off html. I've noteiced the same attachments
| coming in on other e-mails - including people not in my address book so I
| can't have infected them myself. The attachment is a file in the form
| ATT00003.html(484bytes) though the number after the ATT and the file size
| vary.
|
| Questions is, how can I clean up Outlook Express? My system disks don't give
| me the option of re-installing just Outlook Express, and in any case I wonder
| what hapens to all the updates since I originally got my computer if I did
| re-install.

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Sebastian wrote:
> I have had the VBS_GEDZA_A virus, picked up by Norton but not before
> doing a lot of evil stuff. Now Outlook Express adds an attachment to
> each e-mail I send, unseen unless I turn off html. I've noteiced the
> same attachments coming in on other e-mails - including people not in
> my address book so I can't have infected them myself. The attachment
> is a file in the form ATT00003.html(484bytes) though the number after
> the ATT and the file size vary.
>
> Questions is, how can I clean up Outlook Express? My system disks
> don't give me the option of re-installing just Outlook Express, and
> in any case I wonder what hapens to all the updates since I
> originally got my computer if I did re-install.

If you are reading in plain text and the person sending is using HTML,
then the message will look as though it has an attachment. If you look
at the attachment, it will just be another copy of the email.

--
Kath Adams
MS MVP - Windows (IE/OE)

It might not be related to the infection. Try deleting Temporary Internet
Files:

Outlook Express message appears blank and has an ATT000XX.txt or an
ATT000XX.htm attachment:
http://support.microsoft.com/?kbid=312351

As part of cleaning up after a Trojan, it's generally best to delete
Temporary Internet Files, contents of all TEMP folders (after rebooting) and
Recycle Bin(s), and "flush" System Restore (disable, reboot & re-enable).
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


Sebastian wrote:
> I have had the VBS_GEDZA_A virus, picked up by Norton but not before
> doing a lot of evil stuff. Now Outlook Express adds an attachment to
> each e-mail I send, unseen unless I turn off html. I've noteiced the
> same attachments coming in on other e-mails - including people not in my
> address book so I can't have infected them myself. The attachment is a
> file in the form ATT00003.html(484bytes) though the number after the ATT
> and the file size vary.
>
> Questions is, how can I clean up Outlook Express? My system disks don't
> give me the option of re-installing just Outlook Express, and in any case
> I wonder what hapens to all the updates since I originally got my
> computer if I did re-install.