locked
OneCare found a threat... but CANNOT remove it automatically.

    Question

  • Windows Live OneCare full system scan reported this

    "OneCare found and automatically stopped 1 potentially harmful program(s)"

    (good news right?)

    I clicked "view details"

    OneCare has successfully cleaned or stopped the unwanted software:

    Program Name:
    Worm:Win32/Sobig.E@mm

    Action:
    Quarantine Failed


    Now here are my concerns:

    OneCare says it found and stopped the harmful program, but then it says the quarantine failed. So exactly what does that mean? Does that mean the program was deleted instead of quarantined? If that is the case, the details should be a little clearer. And what was the infected program? Shouldn't "OneCare" tell me what it deleted? Those are details that should be revealed when I click "view details".

    My biggest concern right now is that the problem hasn't been resolved and I'm still infected with something.







    Friday, 27 July, 2007 8:16 PM


All replies

  •  

    The confirmation of such not being deleted would be if you can run a scan again and see if it tells you the same thing, that it found the Sobig worm within the system, or otherwise. First thing, the instances of things being quarantined are if an anti-virus application can't remove it or delete it. What happened is it got instantly deleted upon attempt to enter the system.

     

    If it's not much trouble, the request is to proceed with a scan once more just to confirm. If it's reoccurring

     

    Now to identify the issue:

     

    Open Windows Live Onecare Console>
    click on change Onecare settings>
    click on the Logging Tab
    click the button create support log
    now an Internet Explorer would open up

    It is indicated on this window
    Support Log Created
    now click on the Virus and Spyware protection link all in blue
    now from there it would indicate what was missed / cleaned or so failed to quarantine

     

    Thanks

    Friday, 27 July, 2007 8:38 PM
  • I'm going to run a full system scan again.
    I'm not exactly sure what you're saying, milo; it's not really clear, but let me reiterate.

    1) OneCare should tell me what the infected file was, including the filename and location
    2) if the file was deleted instead of quarantined, it should tell me so, not that it was merely resolved.
    3) I shouldn't have to look in the logs (which I assume is for beta users only) to see where and which file was infected.

    Friday, 27 July, 2007 8:49 PM
  • Sure. It looks like the logs reveal the source of the infection/threat, but it still doesn't tell me if it was resolved or not.
    The infected files should, in my opinion, be revealed after a system scan.


    Virus and spyware protection
    7/27/2007 5:50 AM
    Virus and spyware scan was completed
    Scanned Items: C:\
    I:\
    Scan Type: Custom Scan
    Scan StartTime: 7/27/2007 4:08 AM
    Scan EndTime: 7/27/2007 5:50 AM
    Total Number of Files Scanned: 568167
    Total Number of Files Not Scanned: 1719
    Total Number of Threats Found: 1
    Total Number of Threats Cleaned: 0
    Total Number of Threats Removed: 0
    Total Number of Threats Quarantined: 0
    Total Number of Threats Still Present But Suspended: 1
    7/27/2007 5:50 AM
    Windows Live OneCare found potentially harmful or unwanted software on your computer
    Threat Name: Worm:Win32/Sobig.E@mm
    Detection Date and Time: 7/27/2007 4:08 AM
    File Name: I:\Favian Files\New Folder\favian\My Documents\My Music\*** yeah\Desktop\GREYDELLBACKUP1\My Personal Things\Outlook Express\Inbox.dbx->(Message.103: scrap@lasioux.com - Application)->(part0002:your_details.zip)->details.pif
    Threat Severity: Severe
    Threat Category: Worm
    Contained Object: (Message.103: scrap@lasioux.com - Application)->(part0002:your_details.zip)->details.pif
    Threat found by On Demand Scan: (ANTIVIRUS_ONDEMAND)
    Threat Status: Quarantine failed

    Friday, 27 July, 2007 9:06 PM
  • Quarantine failed because the infection is in an Outlook Express file. You can locate that e-mail and delete it to remove the infection. There is more information here - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1548384&SiteID=2

     

    Friday, 27 July, 2007 10:36 PM
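Added example, not part of the thread and not OneCare code: a short Python parser for the support-log excerpt posted above. It reconciles the summary counters to show whether the threat was actually resolved and, following the reply above, flags when the outermost container is a mail store (.dbx or .pst) that has to be handled by hand. The sample log is constructed from the fields shown in the post (path shortened, sender replaced with a placeholder), and the function names are illustrative.

```python
# Constructed sample: field names and values follow the support-log excerpt
# posted in the thread; the path is shortened and the sender is a placeholder.
SAMPLE_LOG = r"""7/27/2007 5:50 AM
Total Number of Threats Found: 1
Total Number of Threats Cleaned: 0
Total Number of Threats Removed: 0
Total Number of Threats Quarantined: 0
Total Number of Threats Still Present But Suspended: 1
Threat Name: Worm:Win32/Sobig.E@mm
File Name: I:\Backup\Outlook Express\Inbox.dbx->(Message.103: sender@example.com - Application)->(part0002:your_details.zip)->details.pif
Threat Status: Quarantine failed
"""
PREFIX = "Total Number of Threats "

def parse_log(log_text):
    """Return (summary counters, per-threat records) from support-log text."""
    counters, threats = {}, []
    for line in log_text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue                       # timestamps and headings carry no field
        if key.startswith(PREFIX):
            counters[key[len(PREFIX):]] = int(value)
        elif key == "Threat Name":
            threats.append({key: value})   # a new threat record starts here
        elif threats:
            threats[-1][key] = value
    return counters, threats

def unresolved(log_text):
    """Report threats the scan left on disk and the file to act on by hand."""
    counters, threats = parse_log(log_text)
    handled = sum(counters.get(k, 0) for k in ("Cleaned", "Removed", "Quarantined"))
    report = {"left_on_disk": counters.get("Found", 0) - handled, "items": []}
    for t in threats:
        # "Quarantine failed" is the only status string shown in the thread.
        if t.get("Threat Status", "").lower() != "quarantine failed":
            continue
        # "->" separates nesting levels: mail store, message, attachment, file.
        chain = [p.strip("()") for p in t.get("File Name", "").split("->")]
        report["items"].append({
            "threat": t["Threat Name"],
            "container": chain[0],          # the file that exists on disk
            "payload": chain[-1],           # the detected object inside it
            "nesting": len(chain) - 1,
            "mail_store": chain[0].lower().endswith((".dbx", ".pst")),
        })
    return report

if __name__ == "__main__":
    print(unresolved(SAMPLE_LOG))
```

A non-zero `left_on_disk` together with `mail_store: True` is the case discussed in this thread: the detection was blocked, but the message is still inside the mail store file.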
  •  FavianGar wrote:
    I'm going to run a full system scan again.
    I'm not exactly sure what you're saying, milo; it's not really clear, but let me reiterate.

    1) OneCare should tell me what the infected file was, including the filename and location
    2) if the file was deleted instead of quarantined, it should tell me so, not that it was merely resolved.
    3) I shouldn't have to look in the logs (which I assume is for beta users only) to see where and which file was infected.

     

    Good point you have in such matters sir, maybe the OneCare dev team can accommodate the said instances for consumer convenience and to have OneCare as a more user-friendly security application.

    Saturday, 28 July, 2007 1:56 PM
  • I am having the same problem. I am also infected with the 'smitfraud' virus. And nothing seems to get rid of it. Certainly not windows live care, so I haven't renewed. My computer is messed up unless I can find a way to get rid of it. Can anyone help?

    Sunday, 5 August, 2007 4:48 AM
  • Follow the instructions here to remove Smitfraud - http://www.bleepingcomputer.com/forums/topic17258.html

     

    Sunday, 5 August, 2007 1:57 PM
  • Shouldn't OC handle the smitfraud virus automatically?
    Are there other threats that OC can recognize but does not have the ability to remove?


    Monday, 6 August, 2007 7:40 AM
  •  JimR1 wrote:
    Quarantine failed because the infection is in an Outlook Express file. You can locate that e-mail and delete it to remove the infection. There is more information here - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1548384&SiteID=2

     



    I ended up deleting the entire Outlook Express backup folder and all its subfolders, because there is no way for me to delete that specific email.

    The email is located inside a backup inbox.dbx file, which means I would have to restore that particular backup/inbox file, delete the email, and then back up the inbox file again.

    Surely OneCare 2.0 retail will be able to delete the email straight from Outlook/Windows Live backup files?

    I read in the FAQ that the latest build can

    "I have been advised that the supportlog.html file that you can create using the instructions above will now show you the subject and date and time of the message when an infection is found within the Outlook .pst mail store"

    However, I never received that specific information concerning the email subject, date and time of the infected message. Maybe I have an older beta build?

    Here is hoping that OneCare can delete an email within a .pst or .dbx file.
    Monday, 6 August, 2007 7:47 AM
  • The problem with cleaning an infection in Outlook Express is the way messages are stored. While OE mail is stored in .dbx files, one message can be stored in many files. One message does not become one .dbx file, but each message is stored in several .dbx files along with parts of other messages. The potential to corrupt the entire mail database is the reason most AV products will block infected Outlook Express mail rather than remove the infection.

     

    Monday, 6 August, 2007 2:02 PM
  • Note that the reference you quoted about the subject and date of a message that is infected refers to an Outlook PST file, not an Outlook Express dbx file.

    I see that Jim has already answered about why OneCare won't remove the infection itself. It does block the infection, but removal remains manual.

    -steve

     

    Tuesday, 7 August, 2007 5:06 PM
  • BTW, this does not appear to work anymore. Why doesn't OneCare handle this?
    Sunday, 30 December, 2007 12:56 AM
  •  dennisc369 wrote:
    BTW, this does not appear to work anymore. Why doesn't OneCare handle this?

    I assume that you mean that the manual instructions for removal don't work? OneCare should detect and block Smitfraud unless you have encountered a new variant or if the infection pre-existed the installation of OneCare.

    -steve

    Monday, 31 December, 2007 3:59 AM
  • Yes, the machine was infected prior to the installation of OneCare. However, shouldn't OneCare handle this? That's generally what virus removal software does.
    Monday, 31 December, 2007 4:24 AM
  •  dennisc369 wrote:
    Yes, the machine was infected prior to the installation of OneCare. However, shouldn't OneCare handle this? That's generally what virus removal software does.

    Yes, I would expect OneCare to detect and remove infections. If OneCare did not, please contact support to report it and to get help with removal.

    How to reach support - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

    If it fails to validate your subscription, select the option that you are using a trial or beta copy and you can proceed to email support without validation once you've signed in.

    -steve
    Wednesday, 2 January, 2008 2:09 AM