Email attachment virus - did avast handle correctly?

Hi, I’m running Windows Vista and use Thunderbird 2.0.0.17 as an email client. However I had forgotten to enable the option in Thunderbird under the antivirus options which according to the description makes it easier for antivirus to quarantine individual emails.

My concern is that avast recently detected a virus attachment (I’m fairly certain it was correct, the email subject was highly suspicious) and asked me what action to take. I selected delete which followed with a window where I selected permanently delete. However when I checked the emails in my client the email was still there (albeit with the subject changed by avast to alert me) and the attachment icon was still there. As such I’m not certain if avast actually deleted the virus attachment and the email ended up stored locally. Is it possible avast just deleted the attachment and the email remained? Or did perhaps Vista’s UAC (though I received no notification) or the unchecked option in Thunderbird cause Avast to fail to delete the virus and it was stored locally? I did then delete the email in the client without opening either the email or the attachment.

If the latter is the case is there any danger (though this is a stupid question really but best to be certain) that in failing to delete the virus it was somehow executed? A further virus scan of the system by Spybot - Search and Destroy, Windows Defender and avast antivirus (admittedly with definitions from the 26th at the time) found nothing but I was paranoid that it had somehow run and hidden from detection or something. I also checked using the Windows Task Manager (which found nothing new) and the Autoruns utility from Sysinternals (which identified no new third party items, i.e. non-Microsoft, running on startup.) I believe avast described the virus as Win32-Download-CBA:Trj.

I just wanted to add, I updated Avast to version 4.8.1296 and the updater program in avast was a little different than usual in that it retrieved the files it normally did before updating, opened a window to fetch the update packages, hung on saving the last package for a little while and then opened another window to fetch more update packages (this appeared to be the program update package rather than VPS.) The hanging of the window was probably because I had just started the computer and it was still loading things in the background which probably slowed it down but the two separate windows for fetching updates seemed a little unusual. I thought it normally fetched them all in one then opened an installation window but I could be mistaken. Was one perhaps for fetching VPS/setup update packages and the other for the program update? If anyone could confirm for my ease of mind I’d be grateful. :slight_smile:

Hey guys, the solution is here :wink: I got rid of the whole thing by just downloading GMER and checking the modules section, then it showed something like C:\Windows\System32\spoolv… as red, killed it and it was a goner.

Interesting, because the avast anti-rootkit is based on the GMER one but is now trying to be somewhat more user friendly than the GMER anti-rootkit, which requires a little more experience of what is going on in your system or it could be curtains. C:\Windows\System32\spoolsv.exe is a legit file in that folder, whilst it is common for malware to use names very close to the legit one in the same folder or the same file name but in a different folder.

I would certainly hope that GMER got it right; a false detection on a legit file in the system32 could ruin your whole day.
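The naming trick described in the reply above (a near-identical file name in the same folder, or the exact name in a different folder) can be triaged with a simple check, shown here as an added example that is not part of the original thread. The baseline list, the edit-distance threshold of 2 and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumed baseline: a few genuine Windows binaries that live in System32.
SYSTEM32 = r"c:\windows\system32"
KNOWN = ("csrss.exe", "lsass.exe", "services.exe", "spoolsv.exe", "svchost.exe")
MAX_DISTANCE = 2  # assumed threshold for "very close to the legit name"


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(image_path):
    """Label a process image path against the baseline of known names."""
    folder, name = ntpath.split(ntpath.normpath(image_path).lower())
    if name in KNOWN:
        # Exact name: only trusted by this check if it sits in System32.
        return "ok" if folder == SYSTEM32 else "known-name-wrong-folder"
    # Not an exact match: find the closest legitimate name.
    closest = min(KNOWN, key=lambda legit: edit_distance(name, legit))
    if edit_distance(name, closest) <= MAX_DISTANCE:
        return "lookalike-of-" + closest
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample paths, not taken from the thread.
    for p in (r"C:\Windows\System32\spoolsv.exe",
              r"C:\Windows\System32\spoo1sv.exe",
              r"C:\Users\Public\svchost.exe",
              r"C:\Windows\System32\notepad.exe"):
        print(p, "->", classify(p))
```

A result of "ok" only means the name and folder match the baseline; confirming the file itself still needs a signature or hash check, which is why a red entry in a tool like GMER should be verified before anything is killed.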