Hi,
Avast! Antivirus free version 6.0.1125
Windows XP home SP3 up-to-date
Multiple problems:
Questions in red
But most urgent is:
I used Combofix.exe on 6/14/11 (My fault for taking advice)
Since then:
Avast! will not start up with the computer.
Until yesterday I had version 5.0.545, now I have 6.0.1125.
How can I have Avast! autorun, i.e. start with the PC?
All its program options are checked.
BUT:
Msconfig → Start-up has no reference to Avast! (used to before combofix)
although
Msconfig → services has a reference to Avast! “running” on boot and after I activate it, i.e. it does not change.
“Avast! Antivirus | Unknown manufacturer | running”
Is there a registry key to edit (IIRC there are keys that have autorun options)?
I cannot recall where the Avast! logs are kept - I want to access them to post or print.
Thank you in advance
P.S.
If anyone knows:
Combofix has a restore option. Is anyone familiar with this? I would prefer to keep away from it but…
OR
Do you think restoring the Windows registry to before Combofix would be an idea?
(I made a lot of copies) (e.g. from 6/13/11)
ADDENDUM:
Since Avast! wasn’t running I got 4 threats (infections in the java\cache - Documents and settings)
They are in the virus chest and I rescanned today clean - will follow up …
Thank you… I don’t want to make too many changes before trying to restore using the Windows registry or Combofix’s restore option.
I am trying to find out which is better of the 2 but I thought the Windows registry has an autorun key(s)
(I did upgrade the program yesterday from 5.0.545 to 6.0.1125)
Do you know if I can manually add Avast! to start-up (so it shows up in Msconfig → start-up)?
I have 7 threats (“infected” files) in the virus chest and I don’t know what happens to the virus chest if I uninstall?
It was a missing registry key (as can be seen from the post).
I followed the instructions given and Avast! is working properly again (starts with the computer)
Msconfig → start-up now shows: AvastUI (which was missing (since Combofix))
The index.xml in the chest isn’t infected; it is there for information on the contents of the chest, as files sent there are a) encrypted and b) have the name changed. These measures are to prevent outside access to infected files in the chest.
Why is it that you are trying to access/save this file? Essentially there shouldn’t be a need to access it. Saving it would be pointless: if you did a clean install there would be no contents in the chest, so the index.xml saved would not match the new installation.
Also, when I open the *.xml file I get a warning from MS IE re: the file “blocked from running scripts etc.” etc.
I have 9 items from definable sources in the chest:
I wanted to record details about the 9 items: what they were, where they were originally the dates etc.
E.G. I found 1 on a boot scan and I know it is the same as 4 other files in the chest.
Why is it that you are trying to access/save this file? Essentially there shouldn't be a need to access it. Saving it would be pointless: if you did a clean install there would be no contents in the chest, so the index.xml saved would not match the new installation.
A clean install of what?
I installed the program (updated from 5.0.545 to 6.0.1125) and the chest contents are the same (I never UNinstalled 5.0.545).
Want me to post the index.xml?
I have a question for you: This all started as follows:
I got a suspicious email (IMO) (4/2011) and moved it from the inbox to a new folder I created for it. (I did NOT open it)
I ran it through Avast! (5.0.545) (folder | right click | Scan “Folder name”) and File | right click | scan “file name”: File (email) and folder (newly created for the email) were “clean”.
(I had also run folder / file through a free program from Trend’s Web site also negative)
I deleted the message at some point but not the folder.
Used MozBackUp to back up mail → The back up files (since the time the message came (4/2011)) were “infected” (the folder was). (Also found by “Trend” on another PC).
Why didn’t Avast! find the folder / message to be a potential threat initially?
Thanks!
The point is I couldn’t see the purpose in saving index.xml at all; the avast clean install was my best guess as to why you might want to save that file (which wouldn’t be of use in those circumstances).
Sorry, I really don’t know about the email folder thing, as in the first instance if avast detected this email it was doing it in isolation. It would depend on several things: file shield settings, how it was moved (if in archive form the file system shield wouldn’t scan that by default); if doing an on-demand scan, again it depends on which one and if archives are selected; archives are by nature inert and not an immediate threat.
Scanning an email folder could be very dangerous as there may be no way of extracting an infected email from an email folder (which is essentially an archive file); some AV would delete the whole email folder, treating it as one file and not a collection of emails in a file.
So if your AV scanned it in the process of moving/backing it up and found an infected email within the email folder, the possibility of losing all the emails and not just the infected one is something to consider.
Hi DavidR,
Thank you for answering and for the information about the dangers of scanning emails…
Just for my records (as mentioned, about the boot scan finding the same threat and knowing it was from the same source (by viewing the data in the virus chest index file)).
Sorry, I really don't know about the email folder thing, as in the first instance if avast detected this email it was doing it in isolation. It would depend on several things: file shield settings,
I'll review the settings
how it was moved (if in archive form the file system shield wouldn't scan that by default); if doing an on-demand scan, again it depends on which one and if archives are selected; archives are by nature inert and not an immediate threat.
It only detected the threat in the backup files from MozBackUp not in the email form....
Scanning an email folder could be very dangerous as there may be no way of extracting an infected email from an email folder (which is essentially an archive file); some AV would delete the whole email folder, treating it as one file and not a collection of emails in a file.
So if your AV scanned it in the process of moving/backing it up and found an infected email within the email folder, the possibility of losing all the emails and not just the infected one is something to consider.
That is why I made the new folder - so if Avast! had found something it would have only found it in the new folder and not in the entire inbox…
I did need to know whether the message was legit because I was expecting info from courier companies (it had DHL and FedEx, and I think UPS, in the subject and/or body).
If I receive another suspicious message, I should save it in text format maybe?
I am curious about something: I NEVER ran the file. But IIRC, one can make a file run with a mouseOver command, an open command etc. (JavaScript)
Personally if I were to receive a suspicious message I would tend to delete it. However, it would depend on what was found suspicious as these are heuristic based suspicions and not totally a virus detection.
In using MozBackup, I don’t know if you are using thunderbird or mozilla seamonkey ?
For me it is Thunderbird and all the emails are saved in .eml format within .msf files (database files) containing the contents of one email folder. The loss of a single .msf file would result in the loss of multiple emails.
So I always back up my Thunderbird profile folder with all of the .msf files just in case. I don’t know if it is just the way MozBackup is compressing these which may be the problem; you didn’t say what the alert malware name was from the AV scan, and that would possibly give an idea of what it thought it found.
If you receive a suspicious file, by all means move it to a different folder, but immediately afterwards check it out (I’m trying out an add-on for tbird, Mailsleuth 2.2.2) and if necessary delete it there and then (empty your deleted emails folder and compress your folders); don’t hang on to them, or some time in the future they could come back to bite you in the rear when scanning folders.
Some emails can be crafted to have remote iframes (something which would be considered suspicious) and other external links, but I don’t think there are many instances of a mouseover function being used in an html email. I don’t know if thunderbird would have basic protection against that.
If you save a file from within tbird to your hard disk it is saved as a .eml file; otherwise they remain archived together inside a .msf file (one for each different email account/folder within that account). So it is these which might be deleted because the folder might be seen as a single file, unlike an .eml file saved to your hard disk, which is only one single email.
You can get that information from within the virus chest by right clicking on the file and selecting properties.
I’m not familiar with early versions of tbird as it is only in the last 6 months or so that I started using it. And I have zero experience of MozBackup, so I really am unsure of what has actually been sent to the chest: an extracted email attachment (as in the dhl.zip#3651267798) or the backup archive C:\Documents and Settings\Owner\My Documents\Thunderbird 2.0.0.24 (en-US) - 2011-04-07.pcv.
However, what it looks like is, first off, that you are scanning archive files in whatever scan it was that you did; personally this is a waste of time as they are inert and, in the case of scanning email archives, potentially dangerous.
Or that these were detections on incoming email, as it appears to have only sent the attachment to the chest.
Whilst the inbox folder would be rebuilt if deleted, the contents wouldn't be; that's the problem when you store lots of emails in your inbox folder. It should be like an in-tray: letters/emails should only be in there pending reading and storing in an appropriate email folder.
The inbox is the one most prone to corruption and/or deletion, and with 9 MB of emails in it, if deleted and rebuilt I don't believe TB would recover these emails when the inbox is recreated.
I have just had a look at my TB profile in Windows Explorer for all the different file types: .sbd folders, and .msf files, which would appear to be database files of the sub-folders containing information on the contents; this, whilst looking like a text file, when viewed has lots of decipherable characters and plain English also. For each .msf file there appears to be a corresponding file of the same name with no file type assigned; that is the contents of all your emails lumped together in one file and without that .msf file would be pretty useless (I believe).
####
That's me for the night my brain is turning to mush, after 3:30am here.
I want to thank you for the info and explanations!
Greatly appreciated
Comments (Interest) in red
I see … for single emails → they are saved as *.eml files (as default))
You can get that information from within the virus chest by right clicking on the file and selecting properties.
But I cannot copy the contents from properties...
I'm not familiar with early versions of tbird as it is only in the last 6 months or so that I started using it. And I have zero experience of MozBackup, so I really am unsure of what has actually been sent to the chest: an extracted email attachment (as in the dhl.zip#3651267798) or the backup archive C:\Documents and Settings\Owner\My Documents\Thunderbird 2.0.0.24 (en-US) - 2011-04-07.pcv.
However, what it looks like is, first off, that you are scanning archive files in whatever scan it was that you did; personally this is a waste of time as they are inert
Under: “Scan Computer | Scan Now | FULL SYSTEM SCAN | SETTINGS | PACKERS” - there is a long list of archived file types
and, in the case of scanning email archives, potentially dangerous.
Or that these were detections on incoming email, as it appears to have only sent the attachment to the chest.
Whilst the inbox folder would be rebuilt if deleted, the contents wouldn't be; that's the problem when you store lots of emails in your inbox folder. It should be like an in-tray: letters/emails should only be in there pending reading and storing in an appropriate email folder.
The inbox is the one most prone to corruption and/or deletion, and with 9 MB of emails in it, if deleted and rebuilt I don't believe TB would recover these emails when the inbox is recreated.
Thanks for this info!
<blockquote>I have just had a look at my TB profile in Windows Explorer for all the different file types: .sbd folders, and .msf files, which would appear to be database files of the sub-folders containing information on the contents; this, whilst looking like a text file, when viewed has lots of decipherable characters and plain English also.</blockquote>
Not mine:
FYI:
*** START OF .MSF FILE PASTE ***
// <!-- <mdb:mork:z v="1.4"/> -->
< <(a=c)> // (f=iso-8859-1)
(80=ns:msg:db:row:scope:msgs:all)(81=subject)(82=sender)(83=message-id)
(84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
(8A=label)(8B=statusOfset)(8C=numLines)(8D=ccList)(8E=msgThreadId)
(8F=threadId)(90=threadFlags)(91=threadNewestMsgDate)(92=children)
(93=unreadChildren)(94=threadSubject)(95=numRefs)(96=msgCharSet)
(97=ns:msg:db:table:kind:msgs)(98=ns:msg:db:table:kind:thread)
(99=ns:msg:db:table:kind:allthreads)
(9A=ns:msg:db:row:scope:threads:all)(9B=threadParent)(9C=threadRoot)
(9D=msgOffset)(9E=offlineMsgSize)
(9F=ns:msg:db:row:scope:dbfolderinfo:all)
(A0=ns:msg:db:table:kind:dbfolderinfo)(A1=numMsgs)(A2=numNewMsgs)
(A3=folderSize)(A4=expungedBytes)(A5=folderDate)(A6=highWaterKey)
(A7=mailboxName)(A8=UIDValidity)(A9=totPendingMsgs)
(AA=unreadPendingMsgs)(AB=expiredMark)(AC=version)
(AD=fixedBadRefThreading)(AE=folderName)(AF=charSet)>
{1:^80 {(k^97:c)(s=9)} }
{FFFFFFFD:^9A {(k^99:c)(s=9)} }
<(80=1)(81=400)>
{1:^9F {(k^A0:c)(s=9u)}
[1(^AC=1)(^AD=1)(^88^81)]}
@$${1{@
<(82=400400)>[1:^9F(^88^82)]
@$$}1}@
@$${2{@
@$$}2}@
@$${3{@
<(83=400600)>[1:^9F(^88^83)]
@$$}3}@
@$${4{@
@$$}4}@
@$${5{@
@$$}5}@
*** END OF .MSF FILE PASTE ***
<blockquote>For each .msf file there appears to be a corresponding file of the same name with no file type assigned; that is the contents of all your emails lumped together in one file and without that .msf file would be pretty useless (I believe).
####
That's me for the night, my brain is turning to mush, after 3:30am here.</blockquote>
I thank you again for the replies!
By default in the Packers only the first three are selected (and NTFS streams); the All packers check box is empty. However, that said, the Thunderbird files, certainly the .msf files, don’t appear to be packed, just that they use a lot of special characters (and code), so they might well be scanned by default (and not skipped as archive files, as I thought).
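The .msf paste above shows what DavidR is describing: a Mork index made of a column dictionary (subject, sender, message-id, ...) and a few folder-info rows, with no message text in it. The following Python reader is an added example, not code from this thread or from Mozilla. It parses the two Mork constructs visible in that paste (dictionaries and rows, with table heads only used for scope) and assumes that a row without its own `:^scope` belongs to the enclosing table; the sample is an excerpt of the pasted file.

```python
"""Read the column dictionary, atom dictionary and rows of a Thunderbird .msf (Mork) index."""
import re

# Excerpt of the .msf file pasted earlier in this thread (comment and group markers kept).
SAMPLE_MSF = """// <!-- <mdb:mork:z v="1.4"/> -->
< <(a=c)> // (f=iso-8859-1)
(80=ns:msg:db:row:scope:msgs:all)(81=subject)(82=sender)(83=message-id)
(84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
(97=ns:msg:db:table:kind:msgs)(98=ns:msg:db:table:kind:thread)
(9F=ns:msg:db:row:scope:dbfolderinfo:all)
(A0=ns:msg:db:table:kind:dbfolderinfo)(A1=numMsgs)(A2=numNewMsgs)
(AC=version)
(AD=fixedBadRefThreading)(AE=folderName)(AF=charSet)>
{1:^80 {(k^97:c)(s=9)} }
<(80=1)(81=400)>
{1:^9F {(k^A0:c)(s=9u)}
[1(^AC=1)(^AD=1)(^88^81)]}
@$${1{@
<(82=400400)>[1:^9F(^88^82)]
@$$}1}@
@$${3{@
<(83=400600)>[1:^9F(^88^83)]
@$$}3}@
"""

COMMENT = re.compile(r"//[^\n]*")
TOKEN = re.compile(r"""
    <(?P<dict>(?:[^<>]|<[^<>]*>)*)>                                      # <(id=value)...>, maybe with <(a=c)> inside
  | \{(?P<tid>[0-9A-Fa-f]+):\^(?P<tscope>[0-9A-Fa-f]+)                  # table head {id:^scope
  | \[(?P<rid>[0-9A-Fa-f]+)(?::\^(?P<rscope>[0-9A-Fa-f]+))?(?P<cells>(?:\([^)]*\))*)\]  # row [id:^scope(cells)]
""", re.VERBOSE)
ENTRY = re.compile(r"\(([0-9A-Fa-f]+)=([^)]*)\)")                       # (id=value) inside a dictionary
CELL = re.compile(r"\(\^([0-9A-Fa-f]+)(?:=([^)]*)|\^([0-9A-Fa-f]+))\)")  # (^col=literal) or (^col^atom)


def parse_msf(text):
    """Return (columns, atoms, rows); rows is keyed by (scope hex, row id hex)."""
    columns, atoms, rows = {}, {}, {}
    table_scope = None
    for m in TOKEN.finditer(COMMENT.sub("", text)):
        if m.group("dict") is not None:
            body, target = m.group("dict"), atoms
            if "<(a=c)>" in body:                  # column-scope dictionary
                body, target = body.replace("<(a=c)>", ""), columns
            for key, value in ENTRY.findall(body):
                target[key.upper()] = value
        elif m.group("tid") is not None:
            table_scope = m.group("tscope").upper()
        else:
            # Assumption: a row with no ':^scope' of its own uses the enclosing table's scope.
            scope = (m.group("rscope") or table_scope or "").upper()
            row = rows.setdefault((scope, m.group("rid").upper()), {})
            for col, literal, ref in CELL.findall(m.group("cells")):
                name = columns.get(col.upper(), col.upper())
                row[name] = literal if not ref else atoms.get(ref.upper(), "^" + ref)
    return columns, atoms, rows


def summarize(text):
    """Count message rows and pull the folder-info row, to show what the index holds."""
    columns, atoms, rows = parse_msf(text)
    scopes = {name: key for key, name in columns.items() if name.startswith("ns:msg:db:row:scope:")}
    msgs = scopes.get("ns:msg:db:row:scope:msgs:all")
    info = scopes.get("ns:msg:db:row:scope:dbfolderinfo:all")
    return {
        "message_rows": sum(1 for (scope, _) in rows if scope == msgs),
        "folder_info": rows.get((info, "1"), {}),
        "column_names": sorted(n for n in columns.values() if not n.startswith("ns:")),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MSF))
```

Run against the pasted excerpt this reports zero message rows and a folder-info row whose `flags` value was updated twice by later groups (`400` → `400400` → `400600`): the index carries column names and per-message metadata, never the mail bodies, which live in the extension-less file of the same name.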
Hi and thanks again,
Not sure if should start a new thread…
The .msf files were not scanned by default. I think I need to change settings because I only found the last threat (dhl.zip#3651267798) in the .msf file with a boot scan (not with the usual scan).
I found the 1st 4 (the dhl.zip#3651267798) files by right clicking the Documents and Settings | “My Documents” and each MozBackUP file for TB (not for Firefox) separately.
Does that mean the .pcv files were benign and not necessary to scan to begin with (since they are compressed)?
(although these were initially found on flash drives by “Trend”)
When Avast! was inactivated (AvastUI.exe) after Combofix (a disaster) (I had to install the reg key), I’d forgotten to activate Avast! and was on a Web site → some MS security window popped up with something about spyware, trojans etc.; the words “Documents & settings” popped up too.
Before restarting the PC I ran an Avast! full system scan - nothing.
Then (still before a reboot) I ran “Documents & settings” through Avast! (right click (D & S)) and it found 4 java\cache viruses (trojans?); they are in the chest.
Should I change setting to include the above (.pcv, .msf) by default?
Should these questions belong in another thread?
BTW: I was “told” to run combofix.exe (after finding the first 4 files (dhl.zip#3651267798) in the .pcv files) and it found nothing except 2 Dell drivers, which it removed (although in 2009 “Virus Total” had already determined the drivers to be benign).
“Virus Total” http://www.virustotal.com/
Most backup software will be compressing the content, in its compressed state it is benign. Only when the backup is restored would it be uncompressed and even then if it is an infected email attachment, that would have to be run.
I don’t know what MS Security window that might be (not something I’m familiar with in XP), but this type of thing is often related to scam/fake security alerts. So it entirely depends on what security software (MS) that you have installed and if the pop-up window is legit for that application.
I personally wouldn’t be looking at exclusion, if as you say this is only scanned/found on a boot-time scan as the boot-time scan isn’t something that is run on a regular basis.
I don’t know who suggested combofix, but this is a powerful tool and one I would say has to be run under guidance. As can be seen from the dell drivers. Normally it would follow using a number of other analysis tools first to get an idea what is on the system and cleaning with targeted fixes and or other tools before breaking out the bigger guns as run on their own it is possible that they could actually make the situation worse.
Whilst I don’t specifically use MozBackup or any other email backup function, my tbird profile folder and stuff are on a manual mirror.exe tool that I use. I also do weekly drive image backups and these are pretty big, up to 3GB or so, so I don’t feel the need to scan them as I do my avast Quick scan before running my drive image backup. Those G:\Drive-Images\*.v2i I have excluded.
Didn’t know that. So if I try to open a compressed file and it is infected, Avast! will activate?
I don't know what MS Security window that might be (not something I'm familiar with in XP), but this type of thing is often related to scam/fake security alerts. So it entirely depends on what security software (MS) that you have installed and if the pop-up window is legit for that application.
It was legit: maybe related to Windows firewall? It was not helpful - Avast! warns before the fact; this Windows application informed after the fact (and since the text "Documents and settings" flashed across the screen (despite a negative Avast! full scan) I scanned D and S and found the threats). Plus the date and time of when they "came" was accurate.
I personally wouldn't be looking at exclusion, if as you say this is only scanned/found on a boot-time scan as the boot-time scan isn't something that is run on a regular basis.
Someone suggested a boot scan: I have to find out more about them. But it was certainly more helpful than running combofix.
I don't know who suggested combofix, but this is a powerful tool and one I would say has to be run under guidance. As can be seen from the dell drivers. Normally it would follow using a number of other analysis tools first to get an idea what is on the system and cleaning with targeted fixes and or other tools before breaking out the bigger guns as run on their own it is possible that they could actually make the situation worse.
I was trying to get an answer as to how worried one should be about 4 threats at that time in virus chests (Trend and Avast!, different systems) and was instructed by a well known message board to run a number of log-generating programs. All I wanted to know is whether I could / should use the system. I know the email had not been opened, and AFAIK all infected code was localized.
I assume the positives (both Trend and Avast!) were code (heuristic) and not actual virus / worm... programs.
I was told by some people the only way to deal with the situation (before the 4 java\cache threats and the 5th email-related code) was to reinstall Windows…
I certainly have learned my lesson about combofix and following directions I am not completely familiar with…
Whilst I don't specifically use MozBackup or any other email backup function, my tbird profile folder and stuff are on a manual mirror.exe tool that I use. I also do weekly drive image backups and these are pretty big, up to 3GB or so, so I don't feel the need to scan them as I do my avast Quick scan before running my drive image backup. Those G:\Drive-Images\*.v2i I have excluded.
I am not familiar with the above software: MozBackUp has been a help (especially with TBird)
Finally, I think I learned another lesson: several days ago I received a 91 kb email “from FedEx” - the sender and recipient were completely wrong and FedEx confirmed this. I truncate email on the server (download to 3 systems) so I never had the entire message.
I trashed it immediately on 2 systems and forwarded 1 kb (header info) (that had downloaded) to a center for malware. Then immediately deleted it from the server.
I am afraid to run the trash folder through Avast! and for that matter the inbox.
I guess I shouldn’t do anything…
I thank you very much for the help! You gave me a lot of information and I am very grateful!
Thanks!
If you try to just open a compressed file nothing happens - the files are still inside it; extract files and they become either newly created or modified (if overwriting an existing file), at which point the avast file system shield would be scanning those files considered at risk of infection or an immediate risk, e.g. executable files.
I haven’t used the Windows firewall in a coon’s age and in all honesty I can’t recall it ever piping up in relation to security alerts (the default firewall has no antivirus capability). So I’m none the wiser and can’t really say what this was, but I still have suspicions when there is no clear evidence; I’m trusting like that, NOT.
Generally the reason for running the boot-time scan is if a detection is found that can’t be dealt with when Windows is running fully, or when advised by avast! itself.
If the files are in the chest, they can do no harm there, nor can they be scanned by other tools (they are encrypted), so combofix wouldn’t have found them, whilst it may have found associated undetected elements if present.
A reinstall of the OS is the nuclear option and one of final resort, and not that frequently needed; there are notable exceptions, some file infectors (Virut, etc.) really can rip through a system if they get established and cleansing of the files could leave some corrupt.
I bet you are more familiar with mozbackup than I am, as I have never used it ;D
There really are a hell of a lot of FedEx, UPS, etc. fake emails doing the rounds, so I would treat every one with suspicion. Unfortunately you are in the position of expecting some legit emails from them, which makes your life harder.
For the most part checking the header info should be enough to confirm they are fake; often they contain basic spelling and grammatical errors, and not least the great majority will have an attachment that they hope you will run.