Recurrent worm RRS feed

  • Question


    How do I remove Backdoor:Win32/Rbot.gen!A? The scan finds it and removes it. It is back soon afterwards.
    Wednesday, December 10, 2008 12:55 AM


All replies

  • It appears that OneCare is not completely removing the malware.

    If you are using Windows Live OneCare and you have been infected, but OneCare did not detect or cannot remove the malware, please contact support to report this and for help with removal.

    How to reach support (FAQ) - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2


    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx  for details.  For international information, see your local subsidiary Support site.



    Wednesday, December 10, 2008 1:32 PM
  • After 3 days of waiting for the painfully slow scans to complete, I've yet to find a virus or worm that OneCare CAN remove.  It's been repeatedly identifying an old worm whose signature is very well known (so it's easy to find).  It reports the worm removed and asks for a reboot, and the worm re-appears by recopying the infected copy of user32.dll the scanner found in the first place.  3 days of research has turned up volumes of identical reports from users who see issues detected but are never removed.  I am convinced that One Care is more Microsoft vaporware, just like the "tell me more" link for Windows Event Log issues that never produces anything more than a "sorry, no more information is available about this problem but thank you for reporting it as it helps us identify... etc. etc. etc." 


    Scanning this forum I don't see much more than a "please contact us for help" response to anything, even threats that have been known for almost a year.  I suppose at some point all the information collected will be put to use in a scanner that removes problems rather than just identify them and offer an apology.  After wasting 3 days on One Care, I finally did what One Care was unable to do, which was replace the infected file and remove a reference to an infected backup from the registry.  One would hope not to have to do something as dangerous as a registry edit since the solution for this virus was so well known.  One Care has proven to be an absolute waste of time.

    Wednesday, December 10, 2008 4:21 PM
  • OneCare is pretty effective at preventing many infections and can remove many others. Unfortunately, as I've witnessed myself (I had to remove a Vundo variant from my wife's PC), it also fails to detect or fully remove some infections.

    The reason you see so many "answers" advising people to contact support is because that is the appropriate path for dealing with the problem. Support can obtain samples of the infection to be given to the antimalware team when needed and can attempt removal of infections using an arsenal of 3rd party tools and manual methods. This forum is not manned by Microsoft, just hosted by Microsoft. The moderators are volunteers (not Microsoft employees) and providing detailed instructions for manual infection removal or reviewing logs for traces of infections is outside of the scope of the forum.

    Wednesday, December 10, 2008 5:51 PM
  • I'll also just add that OneCare is not a malware removal toolkit, it's a protection suite. The difference is that virtually no software which is installed after an infection has occured can remove everything, since many of these malware use rootkit or other hiding techniques as well as permissions modification and other tricks to make automated removal nearly impossible.


    What appears to be a 'simple' process when done manually has the benefit of occuring 'out of band'. In other words, the malware is unaware of what you are doing, so it can't or won't even try to stop it. For exapmle, the simple trick of changing the contents of a file can easily be detected when performed by a program, but is less easily monitored when a user does it. Special tools might be able to perform the removal, but this is more difficult to do within a protection suite, since the process can be examined and defeated by modifications to the malware itself.


    This is why all manual cleaning forums will tell you to avoid changing or installing any protection software during the clean-up process and even sometimes to turn portions of it off. Then once the malware is removed the protection programs are re-enabled or re-installed as necessary, since prevention is the key.


    In fact, most professional secuirty people will tell you that you should simply wipe a PC and start over once it's actually become so deeply infected. The reason is that you can never really know that you've removed everything, so there's always a question whether something remains hidden on the system. The simple flagging of malware while it's in process of downloading is less of a concern, but once it's been launched and installed all bets are off and the risk of embedded malware can never be confirmed with 100% certainty. This is why the detection of the malware is still critical even if it can't be removed, because otherwise it's possible you might never realize it's still present on the system.



    Wednesday, December 10, 2008 9:52 PM
    OneCareBear said:

    I'll also just add that OneCare is not a malware removal toolkit, it's a protection suite.

    While I agree with what you've discussed regarding the difficulty of removing infections, it must be pointed out that OneCare is touted as a malware removal tool.  It's clearly being marketed as such and malware removal is one of the (supposed) functions of the tool;  saddest of all, it not only makes claims to be in the process of malware removal, it reports that it has removed malware when it fact it has not.

    It touts itself as a protection suite, but it does not protect.  The infection in my case, Mariofev.A, was discovered in May 2008 and has an unmistakeable signature and well-documented removal procedure.  As of Tuesday, the OneCare description of this Malware was horribly inaccurate, claiming it has been recently discovered and that Microsoft is working hard on a solution.  The solution was discovered 7 months ago.   It's posted in the malware dictionaries on the web sites of every major pc security product vendor.

    OneCare correctly recognizes the signature of this worm in user32.dll but does not take simple, common-sense, mind-numbingly obvious steps such as scanning the remainder of the files in the system folder looking for additional infected files.  This is unforgivable -- the worm drops an identical copy of the infected file in 2 obvious locations within the same folder and OneCare does not even bother to scan them! 

    In summary:
    1. OneCare is marketed as a malware detection and removal tool.
    2. It is incapable of removing well known viruses with well documented removal procedures
    3. It makes false claims to have removed infections that it has not removed
    4. OneCare can (and has) damaged systems so badly in the attempted cleanup process that the average user has no choice but to rebuild the entire system from the start
    5. In a week of searching, I've yet to come across a single OneCare user who says OneCare was able to remove any infection.

    To add insult to injury, Microsoft is charging $49 for OneCare.  It's bad enough people are forced to pay for an operating system (XP, Vista) with gaping security holes (no operating system should EVER allow an unpriv'd process to overwrite a system file such as user32.dll -- EVER).  Now they're being asked to pay $49 more for a malware scanner that does not scan and a malware remover that does not remove.  For no additional cost, they get a corrupted Windows installation when, during reboot, the dll copy set up by OneCare fails.
    Wednesday, December 17, 2008 3:18 PM
  • Marc, you don't need to repeat your story in another thread.

    I understand your frustration with OneCare's handling of the infection you encountered. I agree that OneCare's malware detection and removal needs to be improved. The fact of the matter is that it is always being improved. The problem is that malware authors are constantly improving their wares, too. I am concerned about some infections that other products are easily able to detect, isolate, and remove that OneCare fails on. However, I'll add that there are planty of examples for any other security software available where they failed to properly detect, isolate, and/or remove malware that OneCare can deal with.

    Having just read your post again, I'll agree with points 1 through 4, but feel free to substitute the name of just about any other security product in them and they will still be correct.

    As for number 5, you are not searching hard enough. I'm not going to do the search for you, but having moderated this forum for several years I can tell you that there are many posts with thanks from happy users of OneCare. Don't expect too many of them, though, since people don't come to forums to sing the praises of the product, they come to get help and to complain in the majority of cases.

    Microsoft MVP Windows Live / Windows Live OneCare Forum Moderator
    Wednesday, December 17, 2008 3:45 PM