Problems with deleting / disinfecting viruses
Hi there,
I've recently run the virus scanner and have noticed that the program keeps picking up the same viruses on my system and cannot seem to move or disinfect the files. How exactly do I get rid of these viruses?
The following are the malware listed:
Adware.BHO
Adware.VB
Adware.Beav.Adware.A
trojan.spy.HTML.bankfraud.DQ
When I tried searching for these to look for removal solutions, they are not found.
I will change my setting to disinfect first and delete second, if that fails.
Any additional advice would help!
Cheers.
Comments
-
Hi!
Where are the viruses located? Please attach the scanning log in a new post.
Thanks.
Andrei0 -
Hello
First I would advise that you do not use home banking.
I suggest that you download this:
http://downloads2.superantispyware.com/dow...AntiSpyware.exe Install it and perform an update. Reboot your PC into safe mode by rebooting it, pressing the F8 button several times and choosing safe mode. Start SuperAntiSpyware, perform a full scan, and attach the scan report together with the scan report of BitDefender. After that, perform a deep scan with BitDefender.
Regards
Niels0 -
If you can identify the infected files from the log, please attach them to your next post. Don't delete the files yet; they may be false positives.
0 -
I was always told that if I have a virus, I should get rid of it. So, I set my "actions" to delete first, disinfect second. The only reason I tried this was because previously I had it set to disinfect first, quarantine second, and I would always get messages such as "could not disinfect... move failed".
Over the years, I've downloaded a ton of stuff - keygens, video, program files, etc. I thought I was being careful by having my virus software scan all files as they enter my system. Apparently, I did not do such a good job of protecting my system. I also run Adaware regularly.
At any rate, I've run Bitdefender numerous times since my original posting and it keeps finding different infected files. Why does this happen like this? Why doesn't it find these infected files in one scan? I'm afraid I just do not understand. I've also noticed that even though it says files are deleted, I keep getting reports on the same files. In other words, it does not appear to have been deleted, even though Bitdefender says it has been in earlier scans - the same files appear in more than one report even after Bitdefender reports they've been deleted. See 2 reports below.
Also, when Bitdefender deletes a file, it attempts an update on that file. What does that refer to? I've noticed that sometimes an update works, and sometimes updates fail.
See below for 2 recent logs:
//-----------------------------------------------------------------
//
// Product: BitDefender 9 Professional Plus
// Version: 9.5
//
// Created on: 20/06/2007 21:55:06
//
//-----------------------------------------------------------------
Virus Statistics
Scan path : C:\
\
Folders : 15785
Files : 983940
Archives : 44368
Packed files : 62466
Identified viruses : 8
Infected files : 11
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 11
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 64
Scan time : 02:32:10
Scan speed (files/sec) : 107
Spyware Statistics
Memory processes scanned : 47
Memory processes infected : 0
Registry keys scanned : 1748
Registry keys infected : 0
Cookies scanned : 99
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0
Virus definitions : 572790
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5
Virus scan options
Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[ ] Disinfect
[X] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1182398106.log
Spyware scan options
[X] Memory Processes
[X] Registry keys
[X] Cookies
Summary:
C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox=>(message 214) Infected: Trojan.Spy.HTML.Bankfraud.DQ
C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox=>(message 214) Deleted
C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\7jum67tu.slt\Mail\pop.telus.net\Inbox Update
C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Infected: Trojan.Spy.HTML.Bankfraud.DQ
C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Deleted
C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox Update
C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o)=>wise0289 Detected: Adware.Admoke.CT
C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o)=>wise0289 Deleted
C:\Documents and Settings\Steve\Desktop\mixcraft.exe=>(Embedded EXE o) Update failed
C:\WINDOWS\Installer\85027.msi=>(Embedded EXE) Detected: Adware.Agent.KH
C:\WINDOWS\Installer\85027.msi=>(Embedded EXE) Deleted
C:\WINDOWS\Installer\85027.msi Update failed
C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Detected: Adware.Agent.KH
C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Deleted
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Detected: Adware.Beav.Adware.A
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Deleted
C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Detected: Adware.VB
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Deleted
C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed
\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi=>(Embedded EXE) Detected: Adware.Agent.KH
\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi=>(Embedded EXE) Deleted
\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\ADT2007CD1\zwtadt7a.bin=>Install/ADT.msi Update failed
\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi=>(Embedded EXE) Detected: Adware.Agent.KH
\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi=>(Embedded EXE) Deleted
\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi Update failed
\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0007 Detected: Adware.BHO
\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0007 Deleted
\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o) Update failed
\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0008 Detected: Adware.VB
\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o)=>lzma_solid_nsis0008 Deleted
\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe=>(NSIS o) Update failed
0 -
When the path of the detected file contains a "=>" sign, it means an archive has been opened. Some archives can be repacked after disinfection (plain archive files: RAR, ZIP, etc.), and some others cannot (installers, mail inboxes, etc., which are also regarded as archives), so for these latter ones, updating the archive usually fails.
New files may be detected because signatures are added all the time; also, you may have a trojan downloader somewhere, which downloads new malware files from the net.
Please attach the following files to your next post:
C:\Documents and Settings\Steve\Desktop\mixcraft.exe
C:\WINDOWS\Installer\85027.msi
C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe
C:\WINDOWS\system32\1160873000.exe
\Steve's Documents\My Downloads\Autodesk Architectural Desktop 2007\CD1\Install\ADT.msi
\Steve's Documents\My Downloads\Mike's Toybox (F)\Programs\Turbo Torrent\turbo.exe
(note: some of them may have already been deleted)0 -
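The "=>" and "Update failed" explanation in the reply above can be applied to a log mechanically. The following is an added example, not part of the thread and not BitDefender code: it parses summary lines in the layout of the posted log, groups them by the top-level file on disk, and lists containers whose nested members were reported deleted while the container update failed. The function names are hypothetical, the sample lines are copied from the log above, and reading "Update failed" as "container not repacked" is an assumption based on the reply's explanation.

```python
import re

# One summary line = object path (with optional "=>" archive levels) + status.
# Only the English status strings that appear in the posted log are handled.
LINE = re.compile(
    r"^(?P<obj>.+?)\s+(?P<status>(?:Infected|Detected): (?P<name>\S+)"
    r"|Deleted|Update failed|Update)$"
)

# Lines copied from the scan log posted earlier in this thread.
SAMPLE = r"""
C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Infected: Trojan.Spy.HTML.Bankfraud.DQ
C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox=>(message 214) Deleted
C:\Documents and Settings\Steve\Application Data\Thunderbird\Profiles\brp4zi5x.default\Mail\pop.telus.net\Inbox Update
C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Detected: Adware.Agent.KH
C:\WINDOWS\Installer\{5783F2D7-6004-0409-0002-0060B0CE6BBA}\Acad162_icon.exe Deleted
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Detected: Adware.Beav.Adware.A
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0002 Deleted
C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Detected: Adware.VB
C:\WINDOWS\system32\1160873000.exe=>(NSIS o)=>lzma_solid_nsis0003 Deleted
C:\WINDOWS\system32\1160873000.exe=>(NSIS o) Update failed
"""


def summarize(log_text):
    """Group summary lines by the top-level file on disk (text before the first '=>')."""
    containers = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, statistics, option or blank line
        parts = m.group("obj").split("=>")
        entry = containers.setdefault(
            parts[0],
            {"threats": set(), "nested": False, "deleted": 0, "update": None},
        )
        if len(parts) > 1:
            entry["nested"] = True  # detection is inside an archive/installer/mailbox
        status = m.group("status")
        if m.group("name"):
            entry["threats"].add(m.group("name"))
        elif status == "Deleted":
            entry["deleted"] += 1
        elif status == "Update failed":
            entry["update"] = "failed"  # sticky: one failure marks the container
        elif entry["update"] is None:
            entry["update"] = "ok"      # plain "Update" line
    return containers


def not_repacked(containers):
    """Containers with deleted nested members whose update failed (assumed not rewritten)."""
    return [
        path for path, e in containers.items()
        if e["nested"] and e["deleted"] and e["update"] == "failed"
    ]


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for path in not_repacked(result):
        print("review container itself:", path, sorted(result[path]["threats"]))
```

Containers returned by `not_repacked` are the ones to check by hand, since the log gives no sign that the file on disk was rewritten after the member was reported deleted.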
Hi there, it appears I have the same problem, on both PCs, a laptop and a desktop. On the laptop, only infected with Backdoor.Ip.Protect.A that BitDefender seems unable to eliminate. On the desktop, alternative online scanners find 2 hacking tools and 187 (yes, one hundred and eighty seven) spywares that apparently were not filtered by Bitdefender. Viruses are the above mentioned plus Trojan.SwfDL.A.
I did not find any trace of such viruses in the Bitdefender encyclopedia.
Anybody can help?
This is the message in the report
\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A
\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Désinfection impossible
\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Déplacement impossible
The infected files belong to a program which has not been used since 2003 and that remained on a hard disk which contains backup data from previous PCs0 -
Hi ILGUFO
I suggest that you attach your logfile. Also make an archive with the infected files. You must protect it with this password: "infected" (without the quotes) and attach them at your next post. After that you have to wait till one of the virus researchers replies.
Upload icq99b.exe to this website: http://www.virustotal.com
Post the result link.
But when I take a look it seems a false positive.
Regards
Niels0 -
Thanks Niels
just a very silly question (not a PC spet....). By posting you mean when sending the BitDefender report? I could not find any "posting" function in the program. Or shall I send it through the BitDefender internet site?
Also, how is it possible that Pandasoftware active scan did find 6 "hacking tools and rootkits" and 216 spyware on my desktop, whereas BitDefender finds only the virus and no spywares?
Regards
IL GUFO0 -
Hi ILGUFO
Sorry that I wasn't clear. By posting I mean adding a new post to this topic. When you write a reply (post) on this forum and press More Options, you will find a section called Attachments; press Browse, locate the archive and press Upload. That is what I wanted to say. Only virus researchers can download what you upload here.
The reason why Panda ActiveScan finds more is that it also marks cookies as infections, which aren't real threats. If you never cleared your temporary internet folder, that can increase the number of cookies, and Panda counts each cookie as a different threat. That is also the case if there is an infection: Panda will count every part of the same infection instead of counting it once.
Because you can easily remove them in your browser. Can you please copy the scan report of the Panda scan into your next post so I can take a look at it? BitDefender detects spyware but you can't rely on it. You have to install other specific antispyware or antimalware tools. A very good and free one is SuperAntiSpyware; you will find the link in this topic as well.
Regards
Niels0 -
"Posting"=writing a message here.
In ADDREPLY you have an option to upload a file (in the right corner, use the Browse button to attach the file)0 -
Thanks
I am unable to attach the Panda report now as I did the scan on the desktop, but I will do once logged in from there.
Icq99 is an archive file but its size exceeds 2 MB (around 5.5 MB). I have not used it since 2003 as it was replaced by Skype.
Any other way I can send it?
Regards
Marco0 -
Hello ILGUFO
What you can do is upload it to one of these websites: http://www.verzend.be , http://www.rapidshare.com ; add the download links to a text file and attach it to your post, then the virus researchers can also download it.
Regards
Niels0 -
Hello, it looks like things are getting worse. I made another scan today and it looks like the virus went into MS Outlook.
I am really concerned by the fact that viruses entered my PCs even though the antivirus was active. I will try what you indicated, hoping that experts will be able to solve my problem.
Shall I add a specific email address? I can't find any on the BitDefender site.
Will do the same from the other PC as well. Thank you once more.
Today's message is :
C:\Documents and Settings\Marco Gastaldi\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[subject: SCAN][From: Marco Gastaldi IT]=>icq99b.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A
C:\Documents and Settings\Marco Gastaldi\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[subject: SCAN][From: Marco Gastaldi IT]=>icq99b.exe=>wise0023 Désinfection impossible
C:\Documents and Settings\Marco Gastaldi\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst=>[subject: SCAN][From: Marco Gastaldi IT]=>icq99b.exe=>wise0023 Déplacement impossible
\System Volume Information\_restore{49798821-77F8-4402-A9AA-0F6C0860DD0D}\RP1202\A0090117.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A
\System Volume Information\_restore{49798821-77F8-4402-A9AA-0F6C0860DD0D}\RP1202\A0090117.exe=>wise0023 Désinfection impossible
\System Volume Information\_restore{49798821-77F8-4402-A9AA-0F6C0860DD0D}\RP1202\A0090117.exe=>wise0023 Déplacement impossible
\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Infecté avec: Backdoor.Ip.Protect.A
\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Désinfection impossible
\BackUp Lacie\ZZ Lacie BackUp 2005 02 22\Copia Disco C Desktop\My Documents\Internet Downloads\icq99b.exe=>wise0023 Déplacement impossible0 -
Hi again,
this is the link to verzend.be for the virus researchers.
http://www.verzend.be/v/1601247/icq99b.exe.html
I will sleep with my fingers crossed.......
Nice evening Niels and thanks again.0 -
Hello ILGUFO
For your email problem try this: disable the real-time protection of BitDefender by right-clicking on the red BitDefender icon and choosing Display (View); after that go to Antivirus, Shield and uncheck "Real-time protection is enabled". After you have done that, remove the mails that BitDefender detects. After you have done that, do this:
Empty your Deleted Items folder, then go to File -> Data File Management -> select the current mail archive -> Settings -> Compact Now. After you have done that, check the option again.
For your Backdoor.Ip.Protect.A problem I also recommend that you wait.
I recommend that you wait till someone examines the icq99b file before you delete them.
Also a nice evening for you.
Regards
Niels0 -
Some news :
I erased the infected files on my desktop (all icq99 related) and the subsequent scan did not show anything wrong. I will wait until tomorrow to feel happy and proud.
As for the laptop, I guess that virus researchers do read forums and that they will be downloading the file early this week. I was unable to find the infected email, probably due to my ignorance in PCs.
I will wait for the response from Bitdefender (I also sent some messages to obtain a reply on reports and on my previous messages).
Nice week ahead0 -
Hello ILGUFO
The mails could also be located in archived folders. Take a look there as well. Don't worry, one of the virus researchers will reply soon.
Regards
Niels0 -
This was a false positive and should be removed at the next update.
0 -
Many thanks,
there was also a virus warning for a file in the outlook.pst which I could not upload. I will make a new scan and let you know.
Regards0 -
Hello. The "outlook.pst" contains the e-mail messages from Outlook, so be very careful not to delete it! Most probably it is detected because it contains e-mail messages which have malicious attachments. Do the following steps:
- Disable the real-time protection
- Delete the e-mails which have executable attachments and the source of which is unknown (be very careful not to execute the attachments)
- Empty the trash folder (in the e-mail client)
- Re-enable the real-time protection
0 -
Hello,
this is not a big problem.
These kinds of viruses, which can restore themselves after rebooting the computer, can be disinfected by disabling the System Restore points.
These viruses are taking advantage of the restore feature of Windows XP, from which Windows can repair itself automatically when it restarts.
Go to My Computer, right-click it and select Properties, then
System Restore,
then check the box
"Turn off System Restore on all drives" and apply it.
Then scan your whole computer, then restart.
The virus will be removed.
Then turn System Restore on again on all drives by the same procedure.
regards
Sheikh Muddasar0 -
If you have a problem with e-mails, try repair pst. This software can recover lost Microsoft Outlook data; recovery is a sequence of operations involving scanning, identifying and saving such Microsoft Outlook items as messages, contacts, notes, reminders, journals, meetings, etc. It also repairs data when a *.pst file completely or partially stops functioning, for example when it becomes completely or partially unreadable because of other applications, antivirus software or power failures.
0