How to remove virus in backup file?

  • Question

  • OneCare has found a virus in a file on my wife's OneCare backup drive:

     

    **************

    10/11/2008 12:06 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
    Threat Name: TrojanDownloader:HTML/Vidanj.A
    Detection Date and Time: 10/11/2008 12:00 AM
    File Name: F:\Windows OneCare Backup\HELEN\2007\Files\Part 94.ZIP
    Threat Severity: Severe
    Threat Category: Trojan Downloader
    Contained Object: C\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4ECA6586-07AE-4A10-AE44-5012166651F7}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.458: postmaster@juicetv.com - *** CACTUS SPAM *** Delivery Status Notification (Failure))
    Threat found by On Demand Scan: (ANTIVIRUS_ONDEMAND)
    Threat Status: Remove failed
     
     
    10/11/2008 12:06 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
    Threat Name: TrojanDownloader:HTML/Vidanj.A
    Detection Date and Time: 10/11/2008 12:00 AM
    File Name: F:\Windows OneCare Backup\HELEN\2007\Files\Part 90.ZIP->C\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4ECA6586-07AE-4A10-AE44-5012166651F7}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.458: postmaster@juicetv.com - *** CACTUS SPAM *** Delivery Status Notification (Failure))
    Threat Severity: Severe
    Threat Category: Trojan Downloader
    Contained Object: C\Documents and Settings\Owner\Local Settings\Application Data\Identities\{4ECA6586-07AE-4A10-AE44-5012166651F7}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.458: postmaster@juicetv.com - *** CACTUS SPAM *** Delivery Status Notification (Failure))
    Threat found by On Demand Scan: (ANTIVIRUS_ONDEMAND)
    Threat Status: Remove failed
     
     
    10/11/2008 12:06 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
    Threat Name: TrojanDownloader:HTML/Vidanj.A
    Detection Date and Time: 10/11/2008 12:00 AM
    File Name: F:\Windows OneCare Backup\HELEN\2007\Files\Part 94.ZIP->C\Documents and Settings\Owner\Application Data\com.codeode\Cactus Spam Filter 2.13\training\6D607C778212656542036A6B1232643F5A67703D
    Threat Severity: Severe
    Threat Category: Trojan Downloader
    Contained Object: C\Documents and Settings\Owner\Application Data\com.codeode\Cactus Spam Filter 2.13\training\6D607C778212656542036A6B1232643F5A67703D
    Threat found by On Demand Scan: (ANTIVIRUS_ONDEMAND)
    Threat Status: Remove failed

    ************

     

    OneCare doesn't seem to be able to remove it. But it keeps coming up with warnings. How do I get rid of this virus?

     

    Thanks,

    RJ

    Saturday, October 11, 2008 11:48 AM

Answers

  • These infections are apparently in email attachments inside the deleted items folder of the backed up mailbox, so I would ignore the first two items. The 3rd entry appears to be a false positive from OneCare reading the database of your spam filtering software. OneCare won't remove infections from email message stores or from compressed files, so for the first two items, ignore the warnings or exclude the OneCare backups from being scanned.

    For the 3rd item, you can choose to exclude that location from being scanned or follow the instructions in this post, http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2, to report a suspected false positive - a threat detected by OneCare in error.

    -steve

    Monday, October 13, 2008 5:16 PM
    Moderator
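
The answer's point that detections nested inside compressed files and mail stores are not removed can be checked against a log like the one in the question. The following is an added example, not part of the original thread and not OneCare code: it splits each entry's `->` chain and flags failed removals that sit inside a `.ZIP` or `.dbx` container. The sample log is constructed in the same layout, and the function names are hypothetical.

```python
import ntpath

# Container types that, per the answer above, OneCare will not clean in place.
KINDS = {".zip": "archive", ".dbx": "mail store"}

# Constructed sample in the layout of the log quoted in the question.
SAMPLE = r"""
10/11/2008 12:06 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: TrojanDownloader:HTML/Vidanj.A
File Name: F:\Backup\2007\Files\Part 1.ZIP
Contained Object: C\Mail\Deleted Items.dbx->(Message.1: sender@example.test - subject)
Threat Status: Remove failed

10/11/2008 12:06 AM Windows Live OneCare found potentially harmful or unwanted software on your computer
Threat Name: TrojanDownloader:HTML/Vidanj.A
File Name: F:\Backup\2007\Files\Part 2.ZIP->C\Filter\training\ABCDEF
Contained Object: C\Filter\training\ABCDEF
Threat Status: Remove failed
"""

def parse_records(log_text):
    """Split the log into one dict of 'Field: value' pairs per detection."""
    records = []
    for line in map(str.strip, log_text.splitlines()):
        if "found potentially harmful" in line:
            records.append({})            # header line starts a new record
        elif records and ": " in line:
            key, value = line.split(": ", 1)
            records[-1][key] = value
    return records

def container_chain(rec):
    """Outer file first; '->' separates each nesting level."""
    name, inner = rec.get("File Name", ""), rec.get("Contained Object", "")
    # Some entries give only the outer file and put the rest in Contained Object.
    full = name if not inner or inner in name else name + "->" + inner
    return full.split("->")

def triage(log_text):
    out = []
    for rec in parse_records(log_text):
        chain = container_chain(rec)
        kinds = [KINDS[e] for e in (ntpath.splitext(p)[1].lower() for p in chain) if e in KINDS]
        out.append({"outer": chain[0], "containers": kinds, "status": rec.get("Threat Status"),
                    # a failed removal inside a container matches the documented limitation
                    "expected_failure": rec.get("Threat Status") == "Remove failed" and bool(kinds)})
    return out

def exclusion_candidates(log_text):
    """Folders holding the outer files, i.e. what a scan exclusion would cover."""
    return sorted({ntpath.dirname(r["outer"]) for r in triage(log_text) if r["expected_failure"]})
```

An entry whose status is "Remove failed" but whose chain contains no container would come back with `expected_failure` set to `False`, which is the case worth looking at more closely.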

All replies

  • I know that the first two are backups of deleted emails. As far as ignoring them, OneCare pops up a warning every morning.

    The 3rd one is not a false positive. It is basically the same as the other two. Cactus Spam is a spam filter. It retains emails that can be used to train the filter. So apparently it is a backup of Cactus Spam's holding folder/database which probably contains one of the other emails that was deleted.

     

    Should I tell OneCare not to check any of the backups? This kind of seems like a one hand doesn't know what the other hand is doing... The OneCare backup part is not playing nice with the OneCare anti-virus part. Isn't the whole idea of OneCare, that the parts all fit together seamlessly? Why can't OneCare remove the virus from its own backups? Can't it detect the viruses before it backs them up?

     

    A while back Microsoft support helped me to delete a virus from my own backup drive. It involved using cacls and some other steps. Unfortunately, I don't remember the details of this. Do you know how this is done?

     

    Thanks,

    RJ

    Monday, October 13, 2008 5:41 PM
  • I would exclude the backup files from being scanned and I'd also exclude the Cactus Spam filter folder that is holding copies of the found messages.

    It isn't a case of one hand vs. the other, it is one of two scenarios:

    a. the infection was not found until after the OneCare signatures were updated

    b. the infection was not found since the email was not opened or saved except in the mail store, until a full scan was performed. Now that OneCare knows about the infection, it checks to see if it still exists each time the quick scan runs (I'm speculating on this behavior, since I've not experienced what you encountered. I dump my spam and deleted items throughout the day and only save what I want to save.)

     

    If you prefer to delete the backups and start fresh, which isn't my suggestion, instructions for how to delete the existing backups can be found here: http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1698096&SiteID=2

    -steve

     

     

    Monday, October 13, 2008 7:27 PM
    Moderator
  • I have a similar problem. I installed OneCare and it reports trojandownloader:HTML/Vidanj.A. I checked all of the instructions, but there is a little problem: it is in my old e-mail, and right now I have a new one. I can't find the file because my old e-mail doesn't exist... How can I remove the trojan?
    Desiree
    Sunday, June 21, 2009 8:08 PM
  • If OneCare detected the trojan in your old email, that means that the old email is still on your PC. Open OneCare, click on change settings, Logging tab and create a support log. Scroll down to the virus and spyware section to see the exact location of the infection. You can then browse with Windows Explorer to delete the file that you no longer need.
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Monday, June 22, 2009 1:46 AM
    Moderator