A Puzzle


DX Wombat
10th August 2001, 04:33
36 hrs ago I had a message from my ISP blocking my emails as they said my computer was infected with the Sircam virus. I understand the necessity of this BUT the computer is definitely not infected. The ISP was adamant at first that a chain of infection had been traced back to my computer, but once I had run one of their suggested on-line virus checks, which proved negative, they were satisfied but puzzled and reinstated my email facility. I have run another, different check this evening and the result is still the same: NEGATIVE! So can anyone enlighten me as to why they were apparently able to trace a virus back to my computer when it never had it in the first place? They couldn't explain it, but I feel their tracing system / method is at fault. Any ideas? (I have anti-virus software which runs every time I start up the computer) :confused: :confused: :confused:

SLF 999
10th August 2001, 12:56
Do you have a firewall on your PC? The reason that I ask is that it is possible that your firewall is acting as a mail relay and passing mail from somewhere else, but it looks like it's coming from your machine / account.

If no firewall, I don't know, but if anyone else does I would be interested in the reason as well.

BOAC
10th August 2001, 13:32
Ask them if they have a copy of the email/emails in question.

DX Wombat
10th August 2001, 13:52
On the original email they have quoted two email addresses which they say are the infected headers. Neither of these addresses is known to me and they certainly didn't come from my address book. I will send them an email and ask if they have copies, as you suggest. I have been meaning to ask for some time about the "firewall" I keep seeing mentioned. Would someone be kind enough to explain what it is, how it works, etc.? I still have much to learn about computers and don't want to harm anyone else's in the meantime. I'll let you know what happens with the request for the email copies. :)

SLF 999
10th August 2001, 14:18
www.firewallguide.com (http://www.firewallguide.com) gives a lot of good info and is not too techie; it would give you all the info you need on firewalls, from basics to reasonably detailed.

WhiteSail
10th August 2001, 16:02
Try this site.

Zone Alarm works well, is trouble free and is free for personal use.
http://www.zonelabs.com/zap26_za_grid.html

PaperTiger
10th August 2001, 19:53
I don't know who your ISP is or their level of knowledge, but it is quite possible for email to appear to be coming from an uninfected source. Many viri work that way. All that's needed is for your address to be in someone else's address book (.wab), which the virus then 'harvests'. Ever wonder where those people trying to sell '1 million email addresses' get them?

Sending an email masquerading as someone else is simple, but shouldn't fool a good sysadmin. It will fool most automated mail monitors, so if you've been hijacked one of the first signs is a bunch of 'undelivered mail' responses from domains you've never heard of.

DX Wombat
11th August 2001, 07:07
On we go! They are still adamant that my computer was infected at the time it was sent, but have any of you heard of a computer being infected with a virus for about 7 mins without a warning occurring and then cleaning itself, again without any notification? It turns out that the anti-virus software was probably not recent enough to recognise the virus (so how could it then remove it?), but I now have the latest McAfee, installed yesterday. I got a good deal as it included their firewall software, 2 for less than the price another shop was charging just for the anti-virus! It didn't find any trace of the virus either! The mystery deepens. :confused: Thanks for all the help and advice so far. :) :)

PaperTiger
11th August 2001, 10:03
Not my area of expertise, but I've heard of no self-cleaning viri - that would be a real b*tch. I don't think an executable file can delete just itself leaving everything else.
Ask your ISP if they traced it to your IP address or just your e-mail address. The latter proves nothing, as I said before.

There are some (like TROJ_MTX) which block anti-virus sites access, and this is also one of the most effective harvesters. It permits a website to access the infected computer at will. And the infected computer can be any one which has you in its address book. You do not have to have opened the attachment yourself, although I think you would have received the infected mail. Did you ? http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MTX.A.DLL

Sensible
12th August 2001, 22:53
I had exactly the same problem. I use thefreeinternet.co.uk as my provider and they cut me off for the very same reason. I was using "command.com" anti virus and it didn't work with the Sircam virus, which my computer was infected with. I installed McAfee and cleared the Sircam virus together with the remains of a previous virus, Magistr.A.

Good luck!!

pied piper
12th August 2001, 23:14
"False positives" are a very common problem in the world of Internet Security. IDS systems and e-mail "sweepers" can be triggered by innocent content. It is the human interpretation of the alert that requires skill, which is sometimes lacking from busy and overworked administrators.

stickyb
13th August 2001, 04:32
Suggest strongly that you check if they traced you using your IP address or your e-mail address.

If it was using your e-mail address, then it is easy to "spoof" such an address, i.e. send an e-mail as if it has come from your address. Only the originating IP address will prove it wasn't you.

If they traced you using IP address, and if you have a static address, such as always on cable connection, then your ISP could be right and you did send the e-mail. If you have an open SMTP mail relay port (which is installed by default with certain software packages) then you could be acting as a relay agent for e-mails. Worse still, most Anti Virus progs won't pick up infected e-mails as they pass through the relay, so you are not infected but you are still relaying infected e-mails.
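The two kinds of trace described above, as an added Python example that is not from anyone in this thread: it reads the Received: chain of a constructed message whose From: address was forged, compares the naive "blame the earliest hop" reading an automated monitor makes with the hop recorded by the ISP's own trusted MTA, and shows why only the latter says where the mail really came from. All hostnames, addresses and IPs are constructed.

```python
import re
from email import message_from_string

# Constructed sample, newest Received: header first.  The infected machine
# forged the From: address and also prepended a bogus "earliest" Received: line.
SAMPLE_MESSAGE = """Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id abc123;
\tFri, 10 Aug 2001 03:12:01 +0100
Received: from infected-pc (dhcp-host-42.cable.example [198.51.100.42])
\tby mx.isp.example with SMTP id def456;
\tFri, 10 Aug 2001 03:11:58 +0100
Received: from victim-pc (victim-pc [203.0.113.5])
\tby dhcp-host-42.cable.example with SMTP id forged1;
\tFri, 10 Aug 2001 03:11:50 +0100
From: victim@isp.example
To: someone@recipient.example
Subject: Hi

constructed body
"""

HOP_RE = re.compile(r"from\s+\S+\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _hops(raw_message):
    """Yield (ip_of_connecting_host, receiving_host) per Received: header,
    newest first, skipping any that do not follow the 'from (...) by' form."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = HOP_RE.search(received)
        if m:
            ip = IP_RE.search(m.group(1))
            yield (ip.group(1) if ip else None, m.group(2).lower())


def earliest_hop_ip(raw_message):
    """Naive trace: blame the last Received: header.  Anything the sender's own
    machine wrote lands here, so a forged line misattributes the mail."""
    hops = list(_hops(raw_message))
    return hops[-1][0] if hops else None


def connecting_ip(raw_message, trusted_mta):
    """Trustworthy trace: the IP that handed the message to our own MTA.
    That header was written by trusted_mta itself, so the sender cannot forge it."""
    for ip, receiver in _hops(raw_message):
        if receiver == trusted_mta.lower():
            return ip
    return None


def from_address(raw_message):
    """The claimed sender; proves nothing on its own, as the thread notes."""
    return message_from_string(raw_message)["From"]
```

Run against the sample, the naive trace blames 203.0.113.5 (the forged line) while the trusted-hop trace returns 198.51.100.42, the cable host that actually connected to the ISP's MTA; the From: address matches neither.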

pied piper
13th August 2001, 19:05
stickyb

Always on cable does not mean a static address. Cable is usually dhcp for the residential customers.

stickyb
14th August 2001, 05:41
Pied Piper - sure, that can be the case. But my point still stands: if you have an open relay server running on your machine, you could be the source of spam and virus-carrying e-mails without knowing it.
To give an example: if you install Microsoft Exchange Server to run your own mail network, and configure an outbound internet mail feed (which nearly everyone would do), then you have by default created an open relay server. There are many port scanners going round compiling a list of such open relays, and the lists change hands over the internet for certain considerations.
If you have the address of an open relay, it is so easy to configure Outlook Express or one of the other mail programs to send mail which will look at first glance as if it has come from whatever address you like (could be [email protected], doesn't have to be valid) but which a trace will reveal came from the machine hosting the open relay server.
There are also several organisations in the anti-spam business that try and keep a list of open relays, and block mail from them as a service to others.

Cheers

DX Wombat
17th August 2001, 02:27
Thanks everyone. I'm not ignoring you, the computer doesn't seem to like McAfee. Will get back when it's sorted. :) :)

pied piper
17th August 2001, 21:38
StickyB

Point taken ;)

Cable companies scan for open relays (I think) because it is against the AUP (acceptable use policy) in most single-IP cases.

:)