Problems with deleting / disinfecting viruses

stelorone

Hi there,

I've recently run the virus scanner and have noticed that the program keeps picking up the same viruses on my system and cannot seem to move or disinfect the files. How exactly do I get rid of these viruses?

The following are the malware listed:

Adware.BHO

Adware.VB

Adware.Beav.Adware.A

trojan.spy.HTML.bankfraud.DQ

When I tried searching for these to look for removal solutions, they are not found.

I will change my setting to disinfect first and delete second, if that fails.

Any additional advice would help!

Cheers.

AndreiASM

Hi!

Where are the viruses located? Please attach the scanning log in a new post.

Thanks.

Andrei

Niels

Hello

First I would advise that you do not use home banking.

I suggest that you download this:

http://downloads2.superantispyware.com/dow...AntiSpyware.exe Install it perform an update. Reboot your pc into safe mode by just rebooting your pc and press several times on the F8 button and choose safe mode. Start superantispyware and perform a full scan and attach the scan report with the scan report of BitDefender. After that perform a deep scan with BitDefender.

Regards

Niels

vlad

If you can identify the infected files from the log, please attach them to your next post. Don't delete the files yet; they may be false positives.

stelorone

I was always told that if I have a virus, I should get rid of it. So, I set my "actions" to delete first, disinfect second. The only reason I tried this was because previously I had it set to disinfect first, quarantine second, and I would always get messages such as "could not disinfect... move failed".

Over the years, I've downloaded a ton of stuff - keygens, video, program files, etc. I thought I was being careful by having my virus software scan all files as they enter my system. Apparently, I did not do such a good job of protecting my system. I also run Adaware regularly.

At any rate, I've run Bitdefender numerous times since my original posting and it keeps finding different infected files. Why does this happen like this? Why doesn't it find these infected files in one scan? I'm afraid I just do not understand. I've also noticed that even though it says files are deleted, I keep getting reports on the same files. In other words, it does not appear to have been deleted, even though Bitdefender says it has been in earlier scans - the same files appear in more than one report even after Bitdefender reports they've been deleted. See 2 reports below .

Also, when Bitdefender deletes a file, it attempts an update on that file. What does that refer to? I've noticed that sometimes an update works, and sometimes updates fail.

See below for 2 recent logs:

//-----------------------------------------------------------------

//

// Product: BitDefender 9 Professional Plus

// Version: 9.5

//

// Created on: 20/06/2007 21:55:06

//

//-----------------------------------------------------------------

Virus Statistics

Scan path : C:\

\

Folders : 15785

Files : 983940

Archives : 44368

Packed files : 62466

Identified viruses : 8

Infected files : 11

Warnings : 0

Suspect files : 0

Disinfected files : 0

Deleted files : 11

Copied files : 0

Moved files : 0

Renamed files : 0

I/O errors : 64

Scan time : 02:32:10

Scan speed (files/sec) : 107

Spyware Statistics

Memory processes scanned : 47

Memory processes infected : 0

Registry keys scanned : 1748

Registry keys infected : 0

Cookies scanned : 99

Cookies infected : 0

Spyware files infected : 0

Spyware threats detected : 0

Virus definitions : 572790

Scan plugins : 16

Archive plugins : 41

Unpack plugins : 6

Mail plugins : 6

System plugins : 5

Virus scan options

Detection

[X] Scan boot sectors

[X] Scan archives

[X] Scan packed files

[X] Scan email

File mask

[ ] Programs

[X] All files

[ ] User defined extensions:

[ ] Exclude extensions: ;

Action

Infected objects

[ ] Ignore

[ ] Disinfect

[X] Delete

[ ] Copy to quarantine

[ ] Move to quarantine

[ ] Rename

[ ] Prompt user

Second action

[ ] Ignore

[ ] Delete

[ ] Copy to quarantine

[ ] Move to quarantine

[ ] Rename

[ ] Prompt user

Virus scan options

[X] Enable warnings

[X] Enable heuristics

[ ] Show all files in log

[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1182398106.log

Spyware scan options

[X] Memory Processes

[X] Registry keys

[X] Cookies

Summary:

C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox=>(message 214) Infected: Trojan.Spy.HTML.Bankfraud.DQ

C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox=>(message 214) Deleted

C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox Update

C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Infected: Trojan.Spy.HTML.Bankfraud.DQ

C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Deleted

C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox Update

C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o)=>wise0289 Detected: Adware.Admoke.CT

C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o)=>wise0289 Deleted

C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o) Update failed

C:\WINDOWS\Installer\85027.msi=>(Embedded EXE) Detected: Adware.Agent.KH

C:\WINDOWS\Installer\85027.msi=>(Embedded EXE) Deleted

C:\WINDOWS\Installer\85027.msi Update failed

C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Detected: Adware.Agent.KH

C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Deleted

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Detected: Adware.Beav.Adware.A

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Deleted

C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Detected: Adware.VB

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Deleted

C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi=>(Embedded EXE) Detected: Adware.Agent.KH

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi=>(Embedded EXE) Deleted

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi Update failed

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi=>(Embedded EXE) Detected: Adware.Agent.KH

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi=>(Embedded EXE) Deleted

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi Update failed

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0007 Detected: Adware.BHO

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0007 Deleted

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o) Update failed

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0008 Detected: Adware.VB

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0008 Deleted

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o) Update failed

//-----------------------------------------------------------------

//

// Product: BitDefender 9 Professional Plus

// Version: 9.5

//

// Created on: 20/06/2007 21:55:06

//

//-----------------------------------------------------------------

Virus Statistics

Scan path : C:\

\

Folders : 15785

Files : 983940

Archives : 44368

Packed files : 62466

Identified viruses : 8

Infected files : 11

Warnings : 0

Suspect files : 0

Disinfected files : 0

Deleted files : 11

Copied files : 0

Moved files : 0

Renamed files : 0

I/O errors : 64

Scan time : 02:32:10

Scan speed (files/sec) : 107

Spyware Statistics

Memory processes scanned : 47

Memory processes infected : 0

Registry keys scanned : 1748

Registry keys infected : 0

Cookies scanned : 99

Cookies infected : 0

Spyware files infected : 0

Spyware threats detected : 0

Virus definitions : 572790

Scan plugins : 16

Archive plugins : 41

Unpack plugins : 6

Mail plugins : 6

System plugins : 5

Summary:

C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox=>(message 214) Infected: Trojan.Spy.HTML.Bankfraud.DQ

C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox=>(message 214) Deleted

C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox Update

C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Infected: Trojan.Spy.HTML.Bankfraud.DQ

C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Deleted

C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox Update

C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o)=>wise0289 Detected: Adware.Admoke.CT

C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o)=>wise0289 Deleted

C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o) Update failed

C:\WINDOWS\Installer\85027.msi=>(Embedded EXE) Detected: Adware.Agent.KH

C:\WINDOWS\Installer\85027.msi=>(Embedded EXE) Deleted

C:\WINDOWS\Installer\85027.msi Update failed

C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Detected: Adware.Agent.KH

C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Deleted

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Detected: Adware.Beav.Adware.A

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Deleted

C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Detected: Adware.VB

C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Deleted

C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi=>(Embedded EXE) Detected: Adware.Agent.KH

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi=>(Embedded EXE) Deleted

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi Update failed

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi=>(Embedded EXE) Detected: Adware.Agent.KH

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi=>(Embedded EXE) Deleted

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi Update failed

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0007 Detected: Adware.BHO

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0007 Deleted

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o) Update failed

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0008 Detected: Adware.VB

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0008 Deleted

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o) Update failed

vlad

When the path of the detected file contains a "=>" sign, it means an archive has been openend. Some archives can be repacked after disinfection (plain archive files: RAR, ZIP, etc.), and some others can not (installers, mail inboxes, etc., which are also regarded as archives), so for these latter ones, updating the archive usually fails.

New files may be detected because signatures are added all the time; also, you may have a trojan downloader somewhere, which downloads new malware files from the net.

Please attach the following files to your next post:

C:\Documents and Settings\Steve\Desktop\mixcraft.exe

C:\WINDOWS\Installer\85027.msi

C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe

C:\WINDOWS\system32\1160873000.exe

\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi

\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe

(note: some of them may have already been deleted)

ILGUFO

Hi there, It appears I have the same problem, on both PC, a laptop and a desktop. On laptop only infected with

Backdoor.Ip.Protect.A that BiDefender seems unable to eliminate. On the Desktop alternative online scanners find 2 hacking tools and 187 (yes, onehundred and eighty seven) spywares thata apparently were not filtered by Bitdefender. Virus are the above mentioned plus Trojan.SwfDL.A.

I did not find any no trace of such viruses in Bitdefender encyclopedia.

Anybody can help?

THis is the message in the report

\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A

\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Désinfection impossible

\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Déplacement impossible

The infected files belong to a program which is not used since 2003 and that remained in a harddisk which contains backup data from previos PCs

Niels

Hi ILGUFO

I suggest that you attach your logfile. Also make an archive with the infected files. You must protect it with this password: "infected" (without the quotes) and attach them at your next post. After that you have to wait till one of the virus researchers replies.

Upload icq99b.exe to this website: http://www.virustotal.com

Post the resultlink.

But when I take a look it seems a false positiv.

Regards

Niels

ILGUFO

Hi ILGUFO

I suggest that you attach your logfile. Also make an archive with the infected files. You must protect it with this password: "infected" (without the quotes) and attach them at your next post. After that you have to wait till one of the virus researchers replies.

Upload icq99b.exe to this website: http://www.virustotal.com

Post the resultlink.

But when I take a look it seems a false positiv.

Regards

Niels

Thanks Niels

just a very silly question (not a PC spet....). By posting you mean when sending the BitDefender report? I could not find the program any "posting" function. Or shall I send it through BirDefender internet site ?

Also how is possible that Pandasoftware active scan did find 6 "hacking tools and rootkits" and 216 spyware on mydesktop, whereas BitDefender finds only the virus and no spywares?

Regards

IL GUFO

Niels

Hi ILGUFO

Sorry that I wasn't clear. With posting I mean add a new post to this topic. When you make a reply (post) on this forum when you press on more options there you will find a section called Attachments press on browse and locate to the archive and press on upload. That was what I wanted to say. Only virus researchers can download what you uploaded here.

The reason why panda active scan finds more is because it also marks cookies as infections. Which aren't real threats. If you never cleared your temporary internet folder that can increase the amount of cookies and also because panda counts each cookie as a different threat. That is also the case if there is an infection panda will count every part of the same infection instead of counting it once.

Because you can easily remove them in your browser. Can you please copy the scanreport of panda scan in your next post so I can take a look it? BitDefender detects spyware but you can't rely on it. You have to install other specific antispyware or antimalware tools. A very good and free one is superantispyware the link you will find also in this topic.

Regards

Niels

maximus

"Posting"=writing a message here.

In ADDREPLY you have an option to upload a file( in the right corner use Browse button to attach the file)

ILGUFO

Thanks

I am unable to attach the Panda report now as I did the scan on the desktop, but I will do once logged in from there.

Icq99 is an archive file but its size exceed the 2 mb. (ard 5.5mb). I did not use it since 2003 as replaced by skype.

Any other way I can send it?

Regards

Marco

Niels

Hello ILGUFO

What you can do is upload it to one of this websites: http://www.verzend.be , http://www.rapidshare.com add the downloadlinks into a textfile and attach them at your post than the virusresearchers can also download it.

Regards

Niels

ILGUFO

Hello,it looks like things are getting worse. I made another scan today and looks like the virus went into MS Outlook.

I am really concerned by the fact that viruses entered my PCs despite antivirus was active. I will try what you indicated, hoping that experts will be able to solve my problem.

Shall I add a specific email address? I can't find any on BitDefender site.

Will do the same from the other PC as well. Thankyou once more.

Today's message is :

C:\Documents and Settings\Marco Gastaldi\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[subject: SCAN][From: Marco Gastaldi IT]=>icq99b.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A

C:\Documents and Settings\Marco Gastaldi\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[subject: SCAN][From: Marco Gastaldi IT]=>icq99b.exe=>wise0023 Désinfection impossible

C:\Documents and Settings\Marco Gastaldi\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[subject: SCAN][From: Marco Gastaldi IT]=>icq99b.exe=>wise0023 Déplacement impossible

\System Volume Information\_restore{49798821-77F8-4402-A9AA-0F6C0860DD0D}\RP1202\A0090117.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A

\System Volume Information\_restore{49798821-77F8-4402-A9AA-0F6C0860DD0D}\RP1202\A0090117.exe=>wise0023 Désinfection impossible

\System Volume Information\_restore{49798821-77F8-4402-A9AA-0F6C0860DD0D}\RP1202\A0090117.exe=>wise0023 Déplacement impossible

\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A

\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Désinfection impossible

\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Déplacement impossible

ILGUFO

Hi again,

this is the link to verzend.be for the virussearchers.

http://www.verzend.be/v/1601247/icq99b.exe.html

I will sleep with my fingers crossed.......

Nice evening Niels and thanks again.

Niels

Hello ILGUFO

For your email problem try this: disable the realtime protection of BitDetender by rightclicking on the red BitDefender icon choose display(view) after that go to antivirus,shield and uncheck realtime protection is enabled. After you done that remove the mails that BitDefender detects. After you done that do this:

Empty your Deleted Items folder, then go to File -> Data File Management -> select the current mail archive -> Settings -> Compact Now. After you done that check the option again.

For your Backdoor.Ip.Protect.A problem I also recommend that you wait.

I recommend that you wait till someone examines de icq99b file before you delete them.

Also a nice evening for you.

Regards

Niels

ILGUFO

Some news :

I erased the infected files on my desktop (all icq99 related) and the subsequent scan did not show anything wrong. I will wait untril tomorrow to feel happy and proud.

As for the laptop, i guess that virussearchers do read forums and that they will be downloading the file early this week. I was unable to find the infected email, probably due to my ignorance in PCs.

I will wait for the response from Bitdefender (i also sent some msges to obtain a reply on reports and on my previous msges).

Nice week ahead

Niels

Hello ILGUFO

The mails could also be located in archived folders. Take also a look there. Don't worry somebody of the virus reseachers will reply soon.

Regards

Niels

Cd-MaN

This was a false positive and should be removed at the next update.

ILGUFO

Many thanks,

there was also a virus warning for a file in the outlook.pst which I could not upload. I will make a new scan and let you know.

Regards

Cd-MaN

Hello. The "outlook.pst" contains the e-mail messages from Outlook, so be very careful not to delete it! Most probably it is detected because it contains e-mail messages which have malicious attachments. To the following steps:

• Disable the real-time protection
• Delete the e-mails which have executable attachments and the source of which is unknown (be very careful not to execute the attachments)
• Empty the trash folder (in the e-mail client)
• Re-enable the real-time protection

Muddasar

hello

this is not a big problum

these kind of viruses which can restore itself after rebooting of copmuter can be disinfected by disabling the system restore points

these viruses r taking the advantages of fetcher of Windows XP of restore from which window can repair it auto when it restart.

go to my computer right click it and the select properties then

system restore

then check the box

turn off system restore on all drives and apply it

then scan ur all computer then restrt

virus will b removed

then on the system restore on all drives by the same procedure

regards

Sheikh Muddasar

zlatan24

If you have problem with e-mails, try repair pst, this soft can recovering lost Microsoft Outlook data is a sequence of operations involving scanning, identifying and saving such Microsoft Outlook items as messages, contacts, notes, reminders, journals, meetings, etc, also repair data when a *.pst file completely or partially stops functioning, for example, it becomes completely or partially unreadable because of other applications, antivirus software or power failures.