Have you tried a reinstall?
Uninstall with this and reinstall: http://www.avast.com/en-eu/uninstall-utility
I have 7 threats ("infected" files) in the virus chest and I don't know what happens to the virus chest if I uninstall?
They will end up in virus heaven....or maybe it is virus hell ;D
The index.xml in the chest isn't infected; it is there for information on the contents of the chest, as files sent there are a) encrypted and b) have the name changed. These measures are to prevent outside access to infected files in the chest.
I am trying to be EXTRA cautious;
Why is it that you are trying to access/save this file? Essentially there shouldn't be a need to access it. Saving it would be pointless: if you did a clean install there would be no contents in the chest, so the index.xml saved would not match the new installation.
A clean install of what?
The point is I couldn't see the purpose in saving index.xml at all; the avast clean install was my best guess as to why you might want to save that file (which wouldn't be of use in those circumstances).
Just for my records (as mentioned about the boot scan finding the same threat and knowing it was from the same source, by viewing the data in the virus chest index file).
Sorry, I really don't know about the email folder thing, as in the first instance if avast detected this email it was doing it in isolation. It would depend on several things, file shield settings,
I'll review the settings
how it was moved; if in archive form the file system shield wouldn't scan that by default; if doing an on-demand scan, again it depends on which one and if archives are selected; archives are by nature inert and not an immediate threat.
It only detected the threat in the backup files from MozBackUp, not in the email form....
Scanning an email folder could be very dangerous as there may be no way of extracting an infected email from an email folder (which is essentially an archive file); now some AV would delete the whole email folder, treating it as one file and not a collection of emails in a file.
That is why I made the new folder - so if Avast! had found something it would have only found it in the new folder and not in the entire inbox....
So scanning in the process of moving/backing it up if your AV scanned it and found an infected email within the email folder, the possibility for loss of all emails and not just the infected email is something to consider.
Personally, if I were to receive a suspicious message I would tend to delete it. However, it would depend on what was found suspicious as these are heuristic-based suspicions and not totally a virus detection.
Thanks again!
It was a zipped file: ... dhl.zip#3651267798
Win32:Hostil [Wrm]
Quote: In using MozBackup, I don't know if you are using Thunderbird or Mozilla SeaMonkey?
On the system with Avast! I have TB version 2.0.0.24
For me it is Thunderbird and all the emails are saved in .eml format within .msf files (database files) containing the contents of one email folder. The loss of a single .msf file would result in the loss of multiple emails.
I cannot find *.eml (and cannot open the .msf files)
I thought the *.msf files are indexes for the folders? (e.g. inbox (size = 9.96 MB) and inbox.msf size: 165 KB))
and that they "rebuild" themselves if deleted? (like Netscape's *.snm files?)
Quote: There were 4 files from MozBackUp and 1 from a .msf file - (The MozBackUp files are *.pcv)
So I always back up my Thunderbird profile folder with all of the .msf files just in case. I don't know if it is just the way MozBackup is compressing these which may be the problem; you didn't say what the alert malware name was from the AV scan and that would possibly give an idea of what it thought it found.
Here is the index.xml which shows the 5 files (all related to the same email...)
(the first 4 are from the *.pcv (MozBackUp) *.pcv files and the last is from the *.msf file - I don't know if this is compressed)
The scan had only stated the "threat notification" (in red) (IIRC) and there were the options on the bottom of the window, 1 of which was virus chest (chose that one for all)
*** START OF PASTE ***
INDEX.XML
<?xml version="1.0" encoding="UTF-8" ?>
<aswObject>
  <NewId>00000010</NewId>
  <Size>38000</Size>
  <ChestEntry>
    <ChestId>00000007</ChestId>
    <FileTime>1306536238</FileTime>
    <OrigFileName>dhl.zip#3651267798</OrigFileName>
    <OrigFolder>C:\Documents and Settings\Owner\My Documents\Thunderbird 2.0.0.24 (en-US) - 2011-05-27.pcv|>Mail\popa.attglobal.net\virus check 4 2011</OrigFolder>
    <Comment />
    <Virus>Win32:Hostil [Wrm]</Virus>
    <Category>Vir</Category>
    <Restore>no</Restore>
    <TransferTime>1306521873</TransferTime>
    <FileSize>6643</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>00000008</ChestId>
    <FileTime>1306544347</FileTime>
    <OrigFileName>dhl.zip#3651267798</OrigFileName>
    <OrigFolder>C:\Documents and Settings\Owner\My Documents\Thunderbird 2.0.0.24 (en-US) - 2011-04-26.pcv|>Mail\popa.attglobal.net\virus check 4 2011</OrigFolder>
    <Comment />
    <Virus>Win32:Hostil [Wrm]</Virus>
    <Category>Vir</Category>
    <Restore>no</Restore>
    <TransferTime>1306529990</TransferTime>
    <FileSize>6643</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>00000009</ChestId>
    <FileTime>1306545154</FileTime>
    <OrigFileName>dhl.zip#3651267798</OrigFileName>
    <OrigFolder>C:\Documents and Settings\Owner\My Documents\Thunderbird 2.0.0.24 (en-US) - 2011-04-23.pcv|>Mail\popa.attglobal.net\virus check 4 2011</OrigFolder>
    <Comment />
    <Virus>Win32:Hostil [Wrm]</Virus>
    <Category>Vir</Category>
    <Restore>no</Restore>
    <TransferTime>1306530770</TransferTime>
    <FileSize>6643</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>0000000A</ChestId>
    <FileTime>1307218982</FileTime>
    <OrigFileName>dhl.zip#3651267798</OrigFileName>
    <OrigFolder>C:\Documents and Settings\Owner\My Documents\Thunderbird 2.0.0.24 (en-US) - 2011-04-07.pcv|>Mail\popa.attglobal.net\virus check 4 2011</OrigFolder>
    <Comment />
    <Virus>Win32:Hostil [Wrm]</Virus>
    <Category>Vir</Category>
    <Restore>no</Restore>
    <TransferTime>1307204598</TransferTime>
    <FileSize>6643</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>0000000C</ChestId>
    [...]
  </ChestEntry>
  <ChestEntry>
    <ChestId>0000000D</ChestId>
    [...]
  </ChestEntry>
  <ChestEntry>
    <ChestId>0000000E</ChestId>
    [...]
  </ChestEntry>
  <ChestEntry>
    <ChestId>0000000B</ChestId>
    [...]
  </ChestEntry>
  <ChestEntry>
    <ChestId>0000000F</ChestId>
    <FileTime>1308458291</FileTime>
    <OrigFileName>dhl.zip#3651267798</OrigFileName>
    <OrigFolder>C:\JIC\Trash from att msf 5.27.11\virus check 4 2011</OrigFolder>
    <Comment />
    <Virus>Win32:Hostil [Wrm]</Virus>
    <Category>Vir</Category>
    <Restore>no</Restore>
    <TransferTime>1308458291</TransferTime>
    <FileSize>6643</FileSize>
  </ChestEntry>
</aswObject>
*** END OF PASTE ***
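To read an index.xml like the one pasted above without opening the chest's properties dialog one entry at a time, here is an added Python example (not avast's own code and not from anyone in this thread). It parses the index, splits each OrigFolder value at the `|>` separator that appears in the paste (treated here as the boundary between a backup archive and the path inside it; that is an assumption about the format), converts the FileTime and TransferTime values to dates (assumed to be Unix seconds, since the pasted values fall in May/June 2011 and match the backup file names), and groups entries by attachment name and detection name so that the same attachment turning up in several backups is shown as one detection with several chest entries. The sample index embedded in the code is constructed for the example and uses placeholder names.

```python
"""Parse an avast Virus Chest index.xml and summarise the entries.

Added example; the element names follow the pasted index.xml, the sample
data below is constructed and the two format assumptions are marked.
"""
from collections import defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Assumption: "|>" separates a container archive from the path inside it,
# as in "...\backup.pcv|>Mail\account\folder" in the pasted index.
ARCHIVE_SEP = "|>"

# Constructed sample, same layout as the pasted index.xml (placeholder names).
SAMPLE_INDEX = """<?xml version="1.0" encoding="UTF-8" ?>
<aswObject>
  <NewId>00000003</NewId>
  <Size>38000</Size>
  <ChestEntry>
    <ChestId>00000001</ChestId>
    <FileTime>1306536238</FileTime>
    <OrigFileName>sample.zip#1234</OrigFileName>
    <OrigFolder>C:\\Backups\\mail-2011-05-27.pcv|>Mail\\example.net\\Inbox</OrigFolder>
    <Comment />
    <Virus>Sample:Detection [Wrm]</Virus>
    <Category>Vir</Category>
    <Restore>no</Restore>
    <TransferTime>1306521873</TransferTime>
    <FileSize>6643</FileSize>
  </ChestEntry>
  <ChestEntry>
    <ChestId>00000002</ChestId>
    <FileTime>1308458291</FileTime>
    <OrigFileName>sample.zip#1234</OrigFileName>
    <OrigFolder>C:\\Mail\\Inbox</OrigFolder>
    <Comment />
    <Virus>Sample:Detection [Wrm]</Virus>
    <Category>Vir</Category>
    <Restore>no</Restore>
    <TransferTime>1308458291</TransferTime>
    <FileSize>6643</FileSize>
  </ChestEntry>
</aswObject>
"""


def _epoch(text):
    # Assumption: FileTime/TransferTime are Unix seconds.
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def parse_chest_index(xml_text):
    """Return one dict per <ChestEntry>, with any container archive split off."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for node in root.iter("ChestEntry"):
        folder = node.findtext("OrigFolder", "")
        container, sep, inner = folder.partition(ARCHIVE_SEP)
        entries.append({
            "chest_id": node.findtext("ChestId"),
            "orig_name": node.findtext("OrigFileName"),
            "container": container if sep else None,   # backup archive, if any
            "orig_folder": inner if sep else folder,  # folder the file came from
            "virus": node.findtext("Virus"),
            "category": node.findtext("Category"),
            "file_time": _epoch(node.findtext("FileTime")),
            "transfer_time": _epoch(node.findtext("TransferTime")),
            "file_size": int(node.findtext("FileSize")),
        })
    return entries


def group_by_detection(entries):
    """Group entries by (original file name, detection name)."""
    groups = defaultdict(list)
    for entry in entries:
        groups[(entry["orig_name"], entry["virus"])].append(entry)
    return dict(groups)


def summarise(xml_text):
    """Human-readable report: one line per detection, one per chest entry."""
    lines = []
    grouped = group_by_detection(parse_chest_index(xml_text))
    for (name, virus), hits in sorted(grouped.items()):
        lines.append(f"{name}  {virus}  ({len(hits)} chest entries)")
        for hit in sorted(hits, key=lambda h: h["transfer_time"]):
            origin = hit["container"] or hit["orig_folder"]
            lines.append(f"    chest {hit['chest_id']}  {hit['file_size']} bytes  "
                         f"moved {hit['transfer_time']:%Y-%m-%d %H:%M}Z  from {origin}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(SAMPLE_INDEX))
```

Run it against a real index.xml by reading the file into a string and passing it to summarise(); the grouping makes it obvious when every entry is the same attachment recovered from successive backups rather than several separate infections.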
If you receive a suspicious file, by all means move it to a different folder, but immediately afterwards check it out (I'm trying out an add-on for tbird, Mailsleuth 2.2.2) and if necessary delete it there and then (empty your deleted emails folder and compress your folders); don't hang on to them, or some time in the future they could come back to bite you in the rear when scanning folders.
Some emails can be crafted to have remote iframes (something which would be considered suspicious) and other external links, but I don't think there are many instances of a mouseover function being used in an html email. I don't know if thunderbird would have basic protection against that.
If you save a file from within tbird to your hard disk it is saved as a .eml file; otherwise they remain archived together inside a .msf file (for each different email account/folder within that account). So it is these that could be deleted because they might be seen as a single file, unlike an .eml file which, if saved to your hard disk, is only one single email.
You can get that information from within the virus chest by right clicking on the file and selecting properties.
But I cannot copy the contents from properties...
I'm not familiar with early versions of tbird as it is only in the last 6 months or so that I started using it. And I have zero experience of mozbackup, so I really am unsure of what has actually been sent to the chest: an extracted email attachment (as in the dhl.zip#3651267798) or the backup archive C:\Documents and Settings\Owner\My Documents\Thunderbird 2.0.0.24 (en-US) - 2011-04-07.pcv.
Under: "Scan Computer | Scan Now | FULL SYSTEM SCAN | SETTINGS | PACKERS" - there is a long list of archived file types
However, what it looks like is, first off, you are scanning archive files in whatever scan it was that you did; personally this is a waste of time as they are inert, and in the case of scanning email archives potentially dangerous.
Thanks for this info!
that these were detections on incoming email, as it appears to have only sent the attachment to the chest
~~~~
Whilst the inbox folder would be rebuilt if deleted, the contents wouldn't be; that's the problem when you store lots of emails in your inbox folder. That should be like an in-tray: the letters/emails should only be in there pending reading and storing in an appropriate emails folder.
The inbox is the one most prone to corruption and/or deletion, and with 9MB of emails in it, if deleted and rebuilt I don't believe TB would recover these emails when the inbox is recreated.
I have just had a look at my TB profile in Windows Explorer for all the different file types: .sbd folders, and .msf files which would appear to be database files of the sub-folders containing information on the contents; this, whilst looking like a text file, when viewed has lots of decipherable characters and plain English also.
Not mine:
For each .msf file there appears to be a corresponding file of the same name with no file type assigned; that is the contents of all your emails lumped together in one file and without that .msf file would be pretty useless (I believe).
I thank you again for the replies!
####
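The folder-file/.msf split described in the preceding posts is the reason an AV product that treats the folder file as one object is risky: the extension-less file is an mbox, one large text file holding every message in that folder, while the .msf is only Thunderbird's index of it. Here is an added Python example (not from this thread and not Thunderbird's or avast's own code) that opens a constructed mbox with the standard library's mailbox module, finds messages carrying attachments with risky extensions, and writes each such message out as its own .eml before removing it from the folder file, so a scanner only ever sees the single message rather than the whole folder. The three sample messages and the 'parcel.zip' attachment are constructed; the attachment bytes are not a real archive, and the RISKY_SUFFIXES list is an assumption for the demo. Thunderbird must be closed while the folder file is edited, and the matching .msf should be deleted afterwards so Thunderbird rebuilds its index from the folder file.

```python
"""Pull a suspicious message out of a Thunderbird folder file as its own .eml.

Added example; the folder file is treated as an mbox (Thunderbird's local
folder format) and the sample messages below are constructed.
"""
import os
import tempfile
import mailbox
from email.message import EmailMessage

RISKY_SUFFIXES = (".zip", ".exe", ".scr", ".js")   # assumed list for the demo


def build_sample_mbox(path):
    """Write a constructed three-message folder file, one with a .zip attachment."""
    box = mailbox.mbox(path)
    try:
        for subject, attachment in (("Invoice", None),
                                    ("DHL shipment notice", "parcel.zip"),
                                    ("Lunch?", None)):
            msg = EmailMessage()
            msg["From"] = "sender@example.net"
            msg["To"] = "owner@example.net"
            msg["Subject"] = subject
            msg.set_content("constructed sample body")
            if attachment:
                # Not a real archive, just bytes carrying a .zip file name.
                msg.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                                   maintype="application", subtype="zip",
                                   filename=attachment)
            box.add(msg)
        box.flush()
    finally:
        box.close()


def find_risky_attachments(path, suffixes=RISKY_SUFFIXES):
    """Return (key, subject, [filenames]) for messages carrying risky attachments."""
    box = mailbox.mbox(path, create=False)
    hits = []
    try:
        for key, msg in box.items():
            names = [part.get_filename() for part in msg.walk() if part.get_filename()]
            flagged = [n for n in names if n.lower().endswith(suffixes)]
            if flagged:
                hits.append((key, msg["Subject"], flagged))
    finally:
        box.close()
    return hits


def extract_message(path, key, out_dir):
    """Save message `key` as a single .eml and remove it from the folder file."""
    box = mailbox.mbox(path, create=False)
    try:
        out_path = os.path.join(out_dir, f"extracted-{key}.eml")
        with open(out_path, "wb") as fh:
            fh.write(box[key].as_bytes())
        box.remove(key)
        box.flush()          # rewrites the folder file without that message
    finally:
        box.close()
    return out_path


def count_messages(path):
    box = mailbox.mbox(path, create=False)
    try:
        return len(box)
    finally:
        box.close()


def demo():
    """Run the whole flow in a temp dir and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = os.path.join(tmp, "Inbox")   # Thunderbird folder files have no extension
        build_sample_mbox(folder)
        before = find_risky_attachments(folder)
        extracted = [extract_message(folder, key, tmp) for key, _, _ in before]
        return {
            "before": before,
            "after": find_risky_attachments(folder),
            "extracted": [os.path.basename(p) for p in extracted],
            "remaining": count_messages(folder),
            "eml_sizes": [os.path.getsize(p) for p in extracted],
        }


if __name__ == "__main__":
    print(demo())
```

Point find_risky_attachments() at a real folder file under your Thunderbird profile (with Thunderbird closed) to see which messages would trigger a scanner; the extracted .eml is what you then hand to the AV or delete, leaving the other messages in the folder untouched.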
That's me for the night my brain is turning to mush, after 3:30am here.
By default in the Packers only the first three are selected (and NTFS streams); the All packers check box is empty. However, that said, the Thunderbird files, certainly the .msf files, don't appear to be packed, just that they use a lot of special characters (and code), so they might well be scanned by default (not because, as I thought, they were archive files).
Most backup software will be compressing the content; in its compressed state it is benign. Only when the backup is restored would it be uncompressed, and even then if it is an infected email attachment, that would have to be run.
Didn't know that. So if I try to open a compressed file and it is infected, Avast! will activate?
I don't know what MS Security window that might be (not something I'm familiar with in XP), but this type of thing is often related to scam/fake security alerts. So it entirely depends on what security software (MS) you have installed and if the pop-up window is legit for that application.
It was legit: maybe related to Windows firewall? It was not helpful - Avast! warns before the fact; this Windows application informed after the fact (and since the text "Documents and settings" flashed across the screen (despite a negative Avast! full scan) I scanned D and S and found the threats). Plus the date and time of when they "came" was accurate.
I personally wouldn't be looking at exclusion if, as you say, this is only scanned/found on a boot-time scan, as the boot-time scan isn't something that is run on a regular basis.
Someone suggested a boot scan: I have to find out more about them. But it was certainly more helpful than running combofix.
I don't know who suggested combofix, but this is a powerful tool and one I would say has to be run under guidance, as can be seen from the Dell drivers. Normally it would follow using a number of other analysis tools first to get an idea what is on the system, and cleaning with targeted fixes and/or other tools before breaking out the bigger guns, as run on their own it is possible that they could actually make the situation worse.
I was trying to get an answer as to how worried one should be about 4 threats at that time in virus chests (Trend and Avast!, different systems) and was instructed by a well known message board to run a number of log-generating software. All I wanted to know is whether I could / should use the system. I know the email had not been opened, and AFAIK all infected code was localized.
Whilst I don't specifically use mozbackup or any other email backup function, my tbird profile folder and stuff are on a manual mirror.exe tool that I use. I also do weekly drive image backups and these are pretty big, up to 3GB or so, so I don't feel the need to scan them as I do my avast Quick scan before running my drive image backup. Those G:\Drive-Images\*.v2i I have excluded.
I am not familiar with the above software: MozBackUp has been a help (especially with TBird)