E-mail scanner settings

Discussion in 'NOD32 version 2 Forum' started by Ianez, Dec 2, 2004.

Thread Status:
Not open for further replies.
  1. Ianez

    Ianez Guest

    Hi there all,
    When scanning emails, NOD always adds an .aq extension to attached Word files...
    I receive many attached documents, and changing the extension is really boring.

    Is there a way to stop this via the IMON setup or otherwise?

    Thanks

    Ian
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Ian, can you please post a screen shot of what you are seeing.

    Cheers :D
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  4. Ianez

    Ianez Guest

    I think my problem is slightly different,
    because it seems I have a problem only with .class videos.
    Anyway, we'll see.

    Ian
     
  5. Ianez

    Ianez Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    5
    Here is the image of the modified Word document.

    Setting the compatibility mode in the middle solved the problem...
    I was expecting full compatibility with Outlook Express... o_O

    PS: NOD is also causing a problem with eMule (not connecting).
    Do you have any troubleshooting advice about that?

    ciao

    ian
     


  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have just sent an email to Eset requesting assistance with this issue, because as far as I know Nod32 can not do what you are seeing.

    Can you please check with the sender of that email as to what format extension was given to that document when they sent it to you.

    Cheers :D
     
    Last edited: Dec 2, 2004
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Ianez,
    Please post a HijackThis log from that machine here; there must be another program checking email running on that machine. NOD32 alters the extensions of infected files by adding "v" at the beginning of an extension. HijackThis is found, for instance, at http://files.webattack.com/localdl834/HijackThis.exe
     
  8. Ianez

    Ianez Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    5
    I'll post the log in a few...
    I have to say that the extension is added only when I put the compatibility slider of IMON on Maximum efficiency.
    The document is in Microsoft Word 2000 format.
     
  9. aptisman

    aptisman Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    80
    I've just seen this thread.

    I am getting .aq appended to Excel files received as attachments too
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    What language are you seeing this with?

    Cheers :D
     
  11. Ianez

    Ianez Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    5
    Here is the HijackThis log...
    (It was impossible to download an updated version (1.98.2) from anywhere; it is always version 1.97.7.)
    \\\\\\\\\\\\\\\\\\\\\\\\\\\\\

    Logfile of HijackThis v1.97.7
    Scan saved at 13.39.55, on 03/12/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\Programmi\Eset\nod32krn.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Programmi\Eset\nod32kui.exe
    C:\Programmi\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Programmi\mozilla.org\Mozilla\mozilla.exe
    C:\Programmi\Outlook Express\msimn.exe
    C:\Documents and Settings\Pippo\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall\outpost.exe /waitservice
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Ricerche (HKLM)
    O9 - Extra button: Messenger Addon (HKLM)
    O9 - Extra 'Tools' menuitem: &Messenger Addon (HKLM)
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{56F0F564-2892-45A3-A6E1-B14192A7883F}: NameServer = 217.141.105.205 151.99.125.1

    PS: my NOD is localized in Italian.

    ciao

    Ian
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I know that ZoneAlarm changes the extensions of potentially dangerous files to zl6 or something like that. Doesn't Outpost do the same?
     
  13. Ianez

    Ianez Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    5
    Yes, it does, but I've disabled it.
    The extension stops when I change the compatibility slider in IMON...
     
  14. aptisman

    aptisman Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    80
    English.

    I see further down the thread that Outpost is mentioned; I also use Outpost.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you try having that same email sent to you again and bring it in through Outlook Express. You can also have the person send an original to me if you like, I have Outlook Express set up on my machine for the moment, and I will see what extension it arrives with.

    Just a thought, does this happen if you send an email to yourself?

    My email is in my profile at the BOTTOM LEFT corner, just replace AT with @ and DOT with . and don't forget to take out the spaces to turn it into an email address ;) :D

    Cheers :D
     
  16. aptisman

    aptisman Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    80
    Yes, it does. I have sent you an e-mail with the attachment!

    This is what I got with the mail sent to me. I also notice it does not have the NOD cert showing.
     


  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Email has been received and replied to, it arrived in with the correct attachment as per the attached screen shot, however it did not have the Nod32 TAG appended to the bottom of the email. Your reply to my reply did have the TAG.

    Not sure what is going on, will have to wait for the ever so knowledgeable Marcos to pop back in and take another look at this issue. I've sent him a message.

    Cheers :D
     


  18. aptisman

    aptisman Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    80
    Thanks, I'll await developments!
     
  19. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Is there anything associated with Applix Data installed on your pc?
     
  20. aptisman

    aptisman Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    80
    Not that I know about, I've never heard of it.
     
  21. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    That's very odd. I have NOD on 4 PCs without such a problem. Maybe it is a new worm or spyware that is changing the extensions. Have you analyzed your hard disk using Advanced Heuristics and other options? Maybe you can try to scan your disk using Spy Sweeper too (it's better than Ad-Aware and Spybot Search & Destroy). Spy Sweeper page: http://www.webroot.com/products/spysweeper/
    You can try TDS-3: www.diamondcs.com.au
    I hope this can help you. There is so much malware on the Internet that no application can detect it all.
     
  22. aptisman

    aptisman Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    80
    Scanned with SpyBot, AdAware, Spy Sweeper and Ewido. Nothing found!
     
  23. CyGho

    CyGho Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    35
    Location:
    The Netherlands
    The .aq extension is added by Outpost's Attachments Quarantine plugin for sure. It depends on the settings in the plugin whether it will rename the attachment or not. The settings are per extension (.bat, .xsl and so on), so you can decide if you want to rename an incoming e.g. test.xls attachment to test.xls.aq or leave it alone. Or you can just stop the Attachments Quarantine plugin totally so that it will not rename any attachment anymore.

    I sent myself a file named test.xls twice: the first time with the Attachments Quarantine plugin stopped (not active), and the second time with it active.
    The first time I received the file just as I sent it (so test.xls). The second time it was renamed to test.xls.aq (like it should).
    Double-clicking on an attachment with an .aq extension triggers Outpost, which pops up a dialog and asks if you want to rename the file and open it (and some text about danger with attachments).
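
A triage helper built from the two renaming behaviours described in this thread, added here as an example (it is not code from ESET, Agnitum or any poster): it attributes a renamed attachment to the product that likely renamed it. The `.aq` rule follows CyGho's description and the leading-`v` rule follows Marcos's statement; the function names, the `KNOWN_EXTS` list and the sample filenames are constructed assumptions.

```python
from pathlib import PurePath

# Assumption: common attachment types, used only to sanity-check the
# "v"-prefix rule. Extend for your environment.
KNOWN_EXTS = {"doc", "xls", "ppt", "exe", "bat", "scr", "pif", "com", "zip"}


def classify_attachment(filename):
    """Return (product, original_name); product is None if no rule matches."""
    suffixes = [s.lstrip(".").lower() for s in PurePath(filename).suffixes]
    if not suffixes:
        return None, filename
    last = suffixes[-1]

    # Per CyGho: Outpost appends ".aq" after the real extension
    # (test.xls -> test.xls.aq), so an inner extension must remain.
    if last == "aq" and len(suffixes) >= 2:
        return "outpost-attachment-quarantine", filename[: -len(".aq")]

    # Per Marcos: NOD32 puts "v" at the start of an infected file's
    # extension. Report it only when dropping the "v" yields a known type,
    # since extensions such as .vbs legitimately begin with "v".
    if last.startswith("v") and last[1:] in KNOWN_EXTS:
        return "nod32-infected-rename", filename[: -len(last)] + last[1:]

    return None, filename


def triage(filenames):
    """Group renamed attachments by the product that likely renamed them."""
    report = {}
    for name in filenames:
        product, original = classify_attachment(name)
        if product:
            report.setdefault(product, []).append((name, original))
    return report


# Constructed sample names, not taken from the thread's screenshots.
SAMPLE = ["test.xls.aq", "minutes.doc.aq", "invoice.vdoc",
          "macro.vbs", "notes.aq", "photo.jpg"]

if __name__ == "__main__":
    for product, items in triage(SAMPLE).items():
        for renamed, original in items:
            print(f"{product}: {renamed} (originally {original})")
```

A bare `notes.aq` is left unclassified because the appended-suffix pattern described in the thread always keeps the original extension in front of `.aq`.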
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Many thanks CyGho for your input.

    Cheers :D
     
  25. aptisman

    aptisman Registered Member

    Joined:
    Nov 28, 2003
    Posts:
    80
    Likewise!
     