Just finished a fresh reinstall of XP and have been doing the usual malware and virus sweeps (I am running avast antivirus and AVG for malware plus Spybot and Ad-Aware occasionally). I had the usual few things which were taken care of and then I installed for the first time ever Norton Ghost 2003 off an old Norton CD that came free with an Iomega hard drive as I thought it would be a good idea to ghost my OS partition.
Long story short the Ghosting (which initiates in XP but then restarts in DOS) failed and trapped me in a loop where I could not come back to XP from DOS. I ended up deleting the virtual partition ghost had created and needing to boot from an XP bootdisk. Not planning on using Ghost again…
In any event, since more or less getting my system back I thought I would re-run avast and spyware checks. Avast is now reporting “Sign of Win32:Magistr” in 2 recycler bins on 2 of my 3 hard drives and in another location on my 3rd drive. I’ve downloaded virus removal tools from AVG and Symantec and scanning from MS-DOS in Safe Mode reports all 3 drives are clean and no indication of a Magistr infected file.
I am wondering if the “sign” of a magistr infection simply means a sign and I have no actual infection, or do people think I should be doing something else?
I suppose you’ve cleaned your recycle bin and the file reappears there…
Maybe scanning with AVG Antispyware, SUPERantispyware and/or Spyware Terminator can give us a clue about spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
The question is: what do you mean by a scan from MS-DOS on Win XP? It would also be good to mention the file names or copy the last few lines from the avast log.
Tech - when avast finds Magistr it has been suggesting move to chest which I have tried in every case. However on closing the program report states “Error occured during move file to chest”. If I try delete I get an error message saying “The operation is not supported for this type of archive”.
Maxx - sorry if I wasn’t clear. What I meant by scan from DOS on XP is that both the AVG and Symantec removal tools for Magistr require booting in Safe Mode and running the execs from the command line. So this is what I did and have been referring to. Incidentally, the Symantec file always reported an error and crashed after scanning a third or so of the first drive. The AVG file ran fine and reported 0 files infected with Magistr.
However, after the above, rebooting into XP and running avast reports 3 files infected.
The relevant lines from Warning.log are:
02/12/2007 17:36:21 1196613381 David 3300 Sign of “Win32:Magistr” has been found in “C:\RECYCLER\S-1-5-21-1343024091-117609710-725345543-1003\Dc116.pst\Personal Folders\Top of Personal Folders\Inbox\It’ objectives are to: Improve access\quality.com” file.
02/12/2007 18:07:44 1196615264 David 3300 Sign of “Win32:Magistr” has been found in “D:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst\Personal Folders\Top of Personal Folders\Inbox\It’ objectives are to: Improve access\quality.com” file.
02/12/2007 21:57:21 1196629041 David 3300 Sign of “Win32:Magistr” has been found in “E:\RECYCLER\S-1-5-21-1343024091-117609710-725345543-1003\De120.pst\Personal Folders\Top of Personal Folders\Inbox\It’ objectives are to: Improve access\quality.com” file.
Interestingly, a boot scan that I scheduled reports 0 infected files…which leads me to ask a related question. I find the boot scan mode of avast preferable as it runs much faster and I can set it to automatically move infected files to chest (invoking it while the OS is running requires user input and the scan is suspended until this is given). Is the boot mode just as comprehensive a scan as the complete scan that one runs when invoking the program from a computer that has been started?
I still see this virus report when I scan now and have submitted a virus report to avast.
Magistr is an e-mail worm, so there’s a match with your report (virus inside a .pst file)… also the names/paths are strange enough… I think that this is not a case of a false positive… I don’t know exactly what the reason is for the errors while deleting / moving to chest, but I can ask Igor.
The virus is located as an attachment in your Outlook mailbox (“PST archive”).
avast! on-demand scanner doesn’t support actions on the content of PST files (i.e. it’s not able to delete a message or an attachment from there) - only the Outlook plugin, as a part of avast! resident protection, can do that. So, that’s why you get the errors when trying to move it to Chest.
The boot-time scanner doesn’t even unpack PST files, so it doesn’t report any virus.
So it sounds as if this is a genuine infection, although it may be from an email received long ago. As far as I know avast starts automatically when I start Outlook, so I have always assumed the resident Outlook protection is on.
How do I go about removing the infection from these PST archives?
First of all the plug in is enabled but I suspect this infection came before my installing avast.
Secondly using the non-advanced interface (I have only the home version) it does not seem that I can manually get the outlook plug in to scan and act within pst archives. This looks configurable under the tasks/packers routine but is only available on the advanced interface. The non advanced interface is a bit of a black box…supposedly the plug in is running but avast reports the errors I mentioned on any attempt to move, or delete the infected files.
Is there a way I can change the behaviour of the home version I have or do I need to upgrade to the professional version?
As for deleting the original files the recycler bin based file folder locations do not remain static - what I mean by that is the folder location referred to within avast is no longer valid when I try and re-find the file and location from within Windows Explorer.
Hope that makes sense…basically still looking for a little help here…
Hi all, I did run avast at boot time and it finds a clean scan - but it was pointed out earlier in this thread that the boot scan does not scan inside .pst files.
One question I have is how do I actually find and manually delete the files referred to in my recycler bins? When I try and find those locations in Windows Explorer they don’t appear to exist.
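As an added example (not part of the original thread and not avast's own code), the sketch below parses the three Warning.log lines quoted above and separates the file that actually exists on disk from the location inside it: everything after the `.pst` component is a position inside the mailbox file, not a folder. The container extension list and the helper names are assumptions made for the example.

```python
import re
from collections import defaultdict
from ntpath import splitext  # Windows path rules, works on any OS

# The three Warning.log lines quoted in the thread.
LOG = r"""
02/12/2007 17:36:21 1196613381 David 3300 Sign of “Win32:Magistr” has been found in “C:\RECYCLER\S-1-5-21-1343024091-117609710-725345543-1003\Dc116.pst\Personal Folders\Top of Personal Folders\Inbox\It’ objectives are to: Improve access\quality.com” file.
02/12/2007 18:07:44 1196615264 David 3300 Sign of “Win32:Magistr” has been found in “D:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst\Personal Folders\Top of Personal Folders\Inbox\It’ objectives are to: Improve access\quality.com” file.
02/12/2007 21:57:21 1196629041 David 3300 Sign of “Win32:Magistr” has been found in “E:\RECYCLER\S-1-5-21-1343024091-117609710-725345543-1003\De120.pst\Personal Folders\Top of Personal Folders\Inbox\It’ objectives are to: Improve access\quality.com” file.
"""
# Straight or typographic quotes around the signature and the path.
LINE = re.compile(r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>.+)[”"] file\.')
CONTAINERS = {".pst", ".zip", ".rar", ".cab"}  # assumed list of archive-like files
# XP Recycle Bin naming: D + original drive letter + index + extension.
RECYCLED = re.compile(r"^D([a-z])(\d+)\.", re.I)

def split_container(path):
    """Return (file that exists on disk, location inside it or None)."""
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if splitext(part)[1].lower() in CONTAINERS:
            return "\\".join(parts[:i + 1]), "\\".join(parts[i + 1:])
    return path, None

def triage(log_text):
    """Group detections by the on-disk file that holds them."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            disk_file, inner = split_container(m["path"])
            found[disk_file].append((m["sig"], inner))
    return dict(found)

def describe(disk_file):
    """Say whether the file is a Recycle Bin copy and which drive it came from."""
    parts = disk_file.split("\\")
    in_bin = len(parts) > 2 and parts[1].upper() == "RECYCLER"
    m = RECYCLED.match(parts[-1]) if in_bin else None
    return {"in_recycle_bin": in_bin,
            "original_drive": m.group(1).upper() + ":" if m else None}

if __name__ == "__main__":
    for disk_file, hits in triage(LOG).items():
        print(disk_file, describe(disk_file))
        for sig, inner in hits:
            print("   ", sig, "inside the container at:", inner)
```

Run against the quoted lines, this reduces the three warnings to three `.pst` files: the live `Outlook.pst` on D: and two deleted `.pst` copies held in the Recycle Bin folders on C: and E:.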