Hi!
I’m running Windows XP, and a few days ago my avast scan showed 2 files infected with Win32:Zbot-BEJ [troj]. These files cannot be deleted or put in quarantine. I’ve downloaded some malware programs (Malwarebytes, Superantispyware) and they don’t find any “malware”. Trojanhunter also comes up clean. I’ve tried scanning with avast in safe mode, still can’t delete or quarantine. Enclosed are some logs that might help. Thanks
Why can’t they be put in quarantine, what errors are displayed, file in use, etc. ?
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
If you have XP, vista32bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.
So no need to get tired scanning in safe mode, schedule a boot-time scan.
Thanks for your response!
I found the culprit: an unopened email with an attachment in Outlook. I have deleted the unopened email. I get no error message when I try to delete/quarantine the files, just nothing happens. I’ve attached a HijackThis log file if that would be of any help. I had a boot scan last night, but went to bed before it finished and there’s no sign of it in the log, so perhaps my sons didn’t let it finish, so I’ll give it another go.
You’re welcome.
By Outlook I take it you mean MS Outlook (not express) ?
In either case it would depend on whether this happened during an on-demand or on-access scan (by the relevant email scanner {Internet Mail or Outlook/Exchange}).
I believe if this were on an on-demand scan avast would err on the side of caution, as deletion of an infected email within either a .pst or .dbx file could result in the corruption of the database file with the potential loss of ‘all’ emails in that .pst or .dbx file.
If it were with the on-access email scanner you should not only have had an alert but it should have placed an entry in the avast log viewer. If you use MS Outlook and the Outlook/Exchange provider, you can be much more flexible with how this is processed, in which case you would have to look to any changes you made, such as move to a specific folder, etc. See image.
Unfortunately, I don’t use MS Outlook (Outlook/Exchange), so I can’t be much practical help in that regard.
If you deleted it manually within Outlook then I wouldn’t expect avast to find anything on a boot-time scan, I’m not sure if a boot-time scan would actually scan .pst or .dbx files. I would however suggest that you empty your deleted items folder to ensure that the item has gone from there also and then compact the folder (not sure if that is the correct term for Outlook).
I wouldn’t expect an infected email attachment would have any impact unless you actually ran it. I have had a quick look at your log and didn’t see anything obvious.
Hi:
The only item I spotted was the unnecessary “Bonjour Service”, also known as “Bonjour\mDNSResponder”.
Regarding iTunes/Bonjour-mDNSResponder: according to the info at www.liutilities.com/products/wintaskspro/processlibrary/mdnsresponder, this is a NON-ESSENTIAL process/NOT a critical component as related to iTunes. You should consider the info at www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ and seriously consider uninstalling it by using the “Removal Instructions” there. Info on the raymond.cc site says an unnecessary “port” is opened on your computer that malware could come through and AFTER Bonjour is completely removed, that “port” is closed.
As a fellow Sygate user, I hope you have set it up according to the advice at www.kotiposti.net/string/SPF_eng/SPFGuide.html!?
Thanks so much for your help!
I have Microsoft Office Outlook. I deleted the email, then emptied the deleted items bin and ran Avast and it no longer shows the Win32:Zbot-BEJ. Can you get an infection from an unopened email? Anyway I will keep a close eye on things and follow your advice about Bonjour. You guys rock!
Hello badgerdog,
Yes it can come via an e-mail,
http://www.malwarelist.org/startup/scheda.asp?num=4287
(Translated from the Italian on that page:) The trojan arrives with an email about a UPS shipment with the subject “You Tracking # 827527185” and the attachment UPSINVOICE_866182.ZIP.
The zip file contains the following executable file: UPSINVOICE_866182.exe; if executed, it will install the file Twext.exe.
It is a malicious tracking number spam e-mail with the UPS tracking number trojan attached,
polonus
Short answer:
Anything is possible.
Longer answer:
Don’t have the Preview pane open in your Outlook, as that would effectively be enough for things in the email to be opened (not attachments).
Most email infections come by attachment and you would have to open that attachment. Whatever you do, never open an attachment directly from an email even if you think it is OK (bad habit to get into). Always save the attachment to your hard disk; that way avast should have a crack at scanning new files.
There are some emails that have iframes in them and they can be very powerful, commonly in emails this is used by some to load adverts, but they can also run malicious scripts from the internet. Thankfully if you receive an email with an iFrame in it avast normally alerts, calling it suspicious, mainly because the iFrame is more used on web pages but can be used in HTML emails too and they are very powerful.
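As an added example (not code from the thread, from avast, or from any of the posters), the script below shows what the last two replies describe: an email scanner walking the MIME parts of a message, flagging active HTML such as an iframe, a directly executable attachment, and an executable hidden inside a ZIP like the UPS “tracking number” spam polonus quotes. The sample message is constructed inline and modelled on that spam; the sender, recipient and iframe host are made up, and the .exe inside the ZIP is a placeholder rather than a real binary. Nothing is executed or written to disk, which is the point: inspect first, then save to disk for the on-access scanner if you must.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment extensions Windows will run directly. Illustrative, not
# exhaustive; extend for your own environment.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi"}


def build_sample_eml() -> bytes:
    """Construct a message shaped like the UPS 'tracking number' spam
    described in the thread. Addresses and hosts are made up; the .exe
    inside the ZIP is a placeholder, not a real program."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("UPSINVOICE_866182.exe", b"MZ placeholder, not a real program")

    msg = EmailMessage()
    msg["From"] = "noreply@ups-tracking.example.invalid"
    msg["To"] = "badgerdog@example.invalid"
    msg["Subject"] = "You Tracking # 827527185"
    msg.set_content("Your invoice is attached.")
    # HTML alternative carrying a 1x1 iframe: content a preview pane
    # renders without the user opening anything.
    msg.add_alternative(
        '<html><body><p>Your invoice is attached.</p>'
        '<iframe src="http://ads.example.invalid/track" width="1" height="1">'
        '</iframe></body></html>',
        subtype="html",
    )
    msg.add_attachment(
        zip_buf.getvalue(), maintype="application", subtype="zip",
        filename="UPSINVOICE_866182.ZIP",
    )
    return msg.as_bytes()


def triage_message(raw: bytes) -> dict:
    """Walk every MIME part and report what an email scanner would flag:
    active HTML content, directly executable attachments, and executables
    inside ZIP archives. Only archive listings are read; nothing runs."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content().lower()
            for tag in ("<iframe", "<script", "<object"):
                if tag in html:
                    findings.append(f"html body contains {tag}> tag")
        filename = part.get_filename()
        if not filename:
            continue  # container parts and inline text have no filename
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXT:
            findings.append(f"executable attachment: {filename}")
        elif ext == ".zip":
            data = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for name in zf.namelist():
                        if os.path.splitext(name)[1].lower() in RISKY_EXT:
                            findings.append(f"archive {filename} contains executable {name}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {filename} is not a valid ZIP")
    return {
        "subject": str(msg["Subject"]),
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    result = triage_message(build_sample_eml())
    print(result["subject"], "->", result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against a saved .eml by passing the file’s bytes to triage_message; a message with only plain text and no attachments comes back “clean”, while the constructed sample is flagged for both the iframe and the .exe inside the ZIP.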