Virus in Live Mesh AppData folder

  • Question

  • Hello,

    I seem to have contracted a virus that is residing in my user's AppData folder, specifically:

    %APPDATA%\Local\Microsoft\Live Mesh\GacBase\Assembler

    in many of the .prt files.  Symantec AV identified it as "W32.Virut.CF".  I have attempted to clean, quarantine, and delete the infected files, but Symantec reports that it is unable to do any of these, possibly because the file no longer exists.  When I check that directory, I only find *.mtd files.

    Questions:

    1) How can I get rid of this virus?
    2) What are the *.mtd and *.prt files in that directory, and is it safe to delete them (i.e. will there be any data loss of my Live Mesh files)?
    3) How do I ensure that my Live Desktop and other synced Live Mesh computers are also free of this virus so as not to continually reinfect myself?


    My system is running Vista x86.

    Thanks,

    Jon
    Thursday, March 26, 2009 7:57 PM

Answers

  • Ok, checked the almighty documents and specs:

    .prt files are partially downloaded files (files that aren't fully sync'd but are in progress).
    .mtd files are the metadata files telling where the parts that come in go in the .prt file while it's being sync'd.

    If you're seeing a positive result on either of these files, I strongly recommend you scan the source file that you are sync'ing from to ensure there is no virus in that file.

    If that doesn't return a positive result, more than likely at that point it's a false positive on the files in the \assembler directory.  If the virus program is still flagging them, here's what I recommend:

    1)  Stop the Mesh program.  (systray, right click, exit)
    2)  As soon as Mesh is fully closed down, let the virus program try and quarantine/delete the files.
    3)  If it won't, go ahead and manually delete them.
    4)  If you can't, as the files are in use, stop your virus program as it may have them locked, and try again.

    -Ken

    • Marked as answer by kensm [msft] Friday, March 27, 2009 5:07 PM
    Friday, March 27, 2009 5:07 PM
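The four-step cleanup above can be scripted so that nothing is deleted while the Mesh client is still running and so that files the scanner (or Mesh) still holds open are reported instead of silently skipped. This is an added example, not code from the forum post or from the Live Mesh product. It assumes the Assembler folder lives under the local AppData directory as the post's path suggests, only touches *.prt and *.mtd files (in-progress sync artifacts, per Ken's reply), and takes the Mesh client's process name as a parameter because that name is not given on the page (the default below is a placeholder to replace with what Task Manager shows).

```powershell
# Added example (not the forum's or Live Mesh's own code): apply the
# "stop Mesh, then delete .prt/.mtd, then report what is still locked" steps.
# Assumptions: the Assembler path below (derived from the post's path) and the
# Mesh process name (placeholder; set it to the real client process name).
param(
    [string]$AssemblerDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\Live Mesh\GacBase\Assembler'),
    [string]$MeshProcessName = 'PLACEHOLDER_MESH_PROCESS',  # assumption: real name not on the page
    [switch]$ListOnly                                        # inventory only, delete nothing
)

# Step 1: refuse to touch anything while the Mesh client is running, because
# it keeps its partial downloads (.prt) and metadata (.mtd) open.
$mesh = Get-Process -Name $MeshProcessName -ErrorAction SilentlyContinue
if ($mesh) {
    Write-Warning ("Mesh client '{0}' is still running (PID {1}). Exit it from the system tray first." -f
        $MeshProcessName, ($mesh.Id -join ','))
    return
}

if (-not (Test-Path -LiteralPath $AssemblerDir)) {
    Write-Host "Assembler directory not found: $AssemblerDir"
    return
}

# Inventory of in-progress sync artifacts; anything else in the folder is left alone.
$artifacts = Get-ChildItem -LiteralPath $AssemblerDir |
    Where-Object { -not $_.PSIsContainer -and @('.prt', '.mtd') -contains $_.Extension.ToLower() }

if (-not $artifacts) {
    Write-Host "No .prt/.mtd files in $AssemblerDir; nothing to do."
    return
}

$deleted = @(); $locked = @(); $failed = @()

# Steps 2-3: attempt the deletion the AV product could not complete.
foreach ($f in $artifacts) {
    if ($ListOnly) { Write-Host ("Would delete: {0} ({1} bytes)" -f $f.FullName, $f.Length); continue }
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        $deleted += $f.FullName
    } catch {
        # A sharing violation surfaces as an IOException: some other process
        # (typically the scanner or a Mesh component) still has the file open.
        if ($_.Exception -is [System.IO.IOException]) { $locked += $f.FullName }
        else { $failed += ("{0}: {1}" -f $f.FullName, $_.Exception.Message) }
    }
}

# Step 4: locked files are the case where the post says to stop the AV scanner and retry.
Write-Host ("Deleted: {0}  Locked: {1}  Other failures: {2}" -f $deleted.Count, $locked.Count, $failed.Count)
if ($locked) {
    Write-Warning "Still open by another process (stop the scanner, then rerun):"
    $locked | ForEach-Object { Write-Warning "  $_" }
}
if ($failed) { $failed | ForEach-Object { Write-Warning "  $_" } }
```

Run it once with `-ListOnly` to see which files would go before deleting anything; deleting .prt/.mtd files only discards in-progress downloads, which Mesh recreates from the source copy on the next sync, so the source file is what should be scanned (per the reply above) before assuming a false positive.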

All replies

  • Hey 86smopuiM, checking a few things here; as soon as I have a 100% answer I'll let you know if they're safe to manually delete.

    -ken

    Friday, March 27, 2009 3:49 AM
  • It is possible that Symantec is tagging a false positive. I recommend that you scan the folder on the PC in question with one of the free online scanners and perhaps do the same on your other PCs.
    I also suspect that Symantec was not able to deal with the files as they were in the process of being synchronized, so they were locked.
    Here are some of the free web based scanners:

    http://www.eset.com/onlinescan/

    http://www.ewido.net/en/onlinescan/

    http://onecare.live.com/site/en-us/default.htm

    http://www.kaspersky.com/virusscanner

    -steve


    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    Friday, March 27, 2009 2:13 PM
    Moderator