  1. #1
    New Lounger
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Zone Alarm found 4 Trojans in MSOutlook folder: Outlook.pst & Archive1.pst

    They were consistently missed by MS Security Essentials, and my ISP runs McAfee on all traffic. I believe the reason the Trojans were found by Zone Alarm is that its anti-virus program permits the scanning of any size file, and my .pst files are over 500MB.

    The viruses occurred after changing from Zone Alarm to MS Security Essentials several months ago on the infected computer, and I archived during this period. I discovered the problem when Outlook would no longer open; the bugs prevented the Restore function from working and they prevent a re-installation of Outlook. Pulling the hard drive and connecting it to another computer via a SATA/USB adaptor, I ran Zone Alarm Extreme on that drive and the following bugs were found:

    Trojan-Apy.Win32.Zbot.wxa
    Trojan-Dropper.Win32.Agent.Agent.aarg
    Trojan.Win32.Agent.dmyq
    Trojan-Spy.HTML.Fraud.gen
    Backdoor.Win32.bredolab.aug

    Problem: I cannot get rid of the bugs without the quarantine of the pst file containing years of important data. Everything is backed up on a backup drive, but it contains the same contaminated .pst files?

    Is there a program or protocol for removing the mentioned Trojans?

  2. #2
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts
    Have you tried MalwareBytes or anything else?
    -John ... I float in liquid gardens
    UTC -7±DS

  3. #3
    New Lounger
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for taking the time to make a suggestion.

    That said, without fruitfulness, I have tried MalwareBytes, Spybot Search & Destroy, Avira Premium, Microsoft Security Essentials, and McAfee Internet Security Suite. None found the mentioned viruses, worms, Trojans, etc. in the Outlook folder. The problems are within the .pst files in the Outlook folders, and that includes on my backup hard drive. The registry is clean according to all of the mentioned programs and Kaspersky that Zone Alarm employs. Only when Zone Alarm's Scan Option is set to "not Skip if the object is greater than" does it find the bugs. Apparently, to run fast, most programs limit the size of files they search. I believe that the default for Zone Alarm is 8MB. I do not check that box, so all size files are read. A 300GB drive took over 18 hours to read, and it has 30 GB of free space, and the only bugs found were in Outlook files.

    Again, via Zone Alarm/Kaspersky Anti-Virus, I know that the worms and Trojans are within the .pst files in the Outlook folder, but any effort to repair the file is to either have it quarantined or removed or just ignored. All efforts to repair the file end up with those options, and I need the contacts, calendar, and good mail.

    Cheers,

  4. #4
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts
    Have you (if you can) run scanpst.exe on a copy of the PST file? (Make redundant backups to be sure you have the infected version for restoration if you need.) After that, can you open the scanned infected PST in Outlook at all?
    -John ... I float in liquid gardens
    UTC -7±DS

  5. #5
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    It almost sounds like you have email with infected attachments within the PST file that have never run and never actually infected the machine.

    The first thing I would do is Delete all mail in the junkmail folder and then in the trash folder. I would sort all but my most important current mail into folders based on dates, importance, highest possibility of infections (those with attachments), etc. I would then archive off those folders one at a time and scan the PST file after each archive to see if the infection had moved.

    It is unlikely that contacts or calendar events are infected unless you received them as attachments or vcards or have files attached to them.

  6. #6
    New Lounger
    Join Date
    Feb 2002
    Posts
    24
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Mercyh's suggestion requires running the Outlook e-mail program, doesn't it? But Lee said above that he now can't get Outlook to run, and it won't either uninstall (I presume) or do a repair installation overtop. The suggestion is that the malware Kaspersky found in the .pst is sophisticated enough to shut down Outlook, or that Outlook is sophisticated enough to shut down when there's been some interference with it from the malware.

    What might be useful or even necessary is a program that will allow Lee to read the contents of the database .pst files.**

    Yes, it would be good to read those with a different machine that has an AV anti-malware program running on it that automatically tests individual e-mails in the .pst database as they come out of that large file.

    Lee, do you have another machine with your AV anti-malware progs running on it, that you could use to read the .pst file that's on the target HDD? Maybe you can adjust the iteration of Outlook that's on that machine to read the file off the HDD docked on a USB or eSATA appliance.

    OR, you could set up an entirely separate iteration of Outlook, and instead of letting that installation look at the usual subfolder of Documents and Settings, you could "force" it to look at the docked drive instead. Still you have to have the anti-malware running and vigilant.

    And, of course, it's *possible* that the Kaspersky result is a series of 5 false positives. That's not all that likely, but ought to be in the backs of our minds.

    ** Some plugins to my favorite file manager Total Commander allow the user to get into e-mail database files.

  7. #7
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Lee Brown View Post
    Zone Alarm found 4 Trojans in MSOutlook folder: Outlook.pst & Archive1.pst
    Most likely, the scanner is alerting on an attachment to a junk message, or a malicious script in an HTML message. File scanning tools cannot selectively trim out or clean individual mail messages, or even supply any useful information to identify it, so you may be a bit stuck rooting it out. The good news is that by default Outlook does not run scripts in messages, and you probably can tell when a message has a dangerous attachment. If in doubt, you can save it to disk and your on-access (real-time) scanner should check it at that point. So finding the message might not be that critical.

    To get Outlook back up and running, try creating a new profile (Mail control panel) and then after you launch Outlook with a blank data file, try to attach the older file and move your data into it (drag-and-drop).
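
Added example, not part of the thread or any poster's own code: one way to recover the per-message detail a whole-file scan of a .pst cannot give. It assumes the .pst has first been exported to mbox format on a separate machine (Python's standard library cannot read PST directly; a converter such as libpst's readpst is an assumption here), and the sample mailbox and addresses are constructed.

```python
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage

def list_attachments(mbox_path):
    """Return one record per attachment: the carrying message, size and SHA-256."""
    records = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for key, msg in box.iteritems():
            for part in msg.walk():
                name = part.get_filename()
                if not name:          # body parts and multipart containers
                    continue
                data = part.get_payload(decode=True) or b""
                records.append({
                    "message": key,
                    "from": msg.get("From", ""),
                    "subject": msg.get("Subject", ""),
                    "attachment": name,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    finally:
        box.close()
    return records

def build_sample_mbox(path):
    """Constructed sample: one plain message, one with a harmless attachment."""
    box = mailbox.mbox(path)
    plain = EmailMessage()
    plain["From"], plain["Subject"] = "a@example.test", "Lunch"
    plain.set_content("See you at noon.")
    box.add(plain)
    carrier = EmailMessage()
    carrier["From"], carrier["Subject"] = "b@example.test", "Invoice"
    carrier.set_content("Please see attached.")
    carrier.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename="invoice.zip")
    box.add(carrier)
    box.flush()
    box.close()

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "export.mbox")
    build_sample_mbox(path)
    for rec in list_attachments(path):
        print(rec)
```

The sender, subject and attachment name in each record point to the message to review or delete in Outlook, and the hash can be compared with whatever the scanner reports for the extracted file.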

  8. #8
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Mercyh's suggestion requires running the Outlook e-mail program, doesn't it? But Lee said above that he now can't get Outlook to run, and it won't either uninstall (I presume) or do a repair installation overtop.
    You are correct. I read this post several times yesterday and did not read it again just before I posted that idea. I had the thought in my mind that this may not be an active infection and totally missed the information that Outlook would not open the file. If Outlook will not open the .PST file there is no way to try what I suggested. It is also probable that you are dealing with an active infection instead of just an infected attachment...

  9. #9
    New Lounger
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Your input is greatly appreciated. With the suggested use of scanpst.exe, I can open Outlook. Going through all the unopen mail - deleting unfamiliar or non-essential files will take about a week. Due to health issues, I have been away for weeks at a time on several separate occasions, so mail has mounted up and that which remains unopened is not important stuff that I did not delete. I thought that my mail anti-virus program would immediately detect a bug when downloaded. Silly me. Is there a software package that does that? My ISP advertises the use of McAfee, but either it missed the bugs or it really does not scan mail.

    Cheers,
    Lee

  10. #10
    New Lounger
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    One more point: Scanpst.exe was found with the MS Search function. It can be run from Search, but not copied and placed elsewhere because there is another file associated with it. Not all the problems have been solved, but at least Outlook will open. Lots of clean-up left to be done.

    Thanks again for your assistance.

    Lee

  11. #11
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Lee Brown View Post
    I thought that my mail anti-virus program would immediately detect a bug when downloaded. Silly me. Is there a software package that does that? My ISP advertises the use of McAfee, but either it missed the bugs or it really does not scan mail.
    MSE scans at the file system level. When you retrieve a new message, it is incorporated into a PST's database structure and is not scanned in real time. Some AV software/suites include an additional program that intercepts incoming messages; these usually change your mail account settings to redirect requests for new mail to the program. That provides an additional layer of protection.

    Regarding what your ISP offers, I'd just be guessing since I don't know who it is. However, fast-moving malware might be delivered to you before McAfee's detection was updated, so that could explain how some malware got through, even if your ISP is scanning every message.

  12. #12
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts
    Quote Originally Posted by Lee Brown View Post
    With the suggested use of scanpst.exe, I can open Outlook. Going through all the unopen mail -deleting unfamiliar or non-essential files will take about a week.

    Is there a software package that does that? My ISP advertises the use of McAfee, but either it missed the bugs or it really does not scan mail.
    Lee, good to hear that scanpst.exe helped. You don't need to delete stuff the way you are planning. If the infection is at the PST file level rather than an individual item level, all you need to do is copy everything over to a new PST and set it as your default PST. (Admittedly not simple, but this way you don't lose history.)

    As JScher2000 mentioned, there are a number of antivirus programs that scan incoming (and outgoing) mail. I'm not familiar with MSE, but even free AV software such as Avast includes that specific capability.

    Quote Originally Posted by Lee Brown View Post
    Scanpst.exe was found with the MS Search function. It can be run from Search, but not copied and placed elsewhere because there is another file associated with it.
    Create a shortcut to it, add it to your menus.
    -John ... I float in liquid gardens
    UTC -7±DS
