Windows Live OneCare Cannot Quarantine or Remove Virus

  • Question

    OneCare says it found a worm on my PC. First it said it found :Win32/Alureon.gen!O then a few days later it said it found :Win32/Alureon./bb. These are on popup alerts. When I tell it to clean the infections it says it could not be cleaned or quarantined! Then it says to click on the infection name for more info. When I do that it says "Not found". When I open Windows Live and check the latest scan log it says no infections found. However, if I check the monthly report it lists 3 suspicious infections, but "0" cleaned. Further, when the popup showed the latest worm it said it could not clean, the location given was C:\users\steve\appdata\local\temp\tmpD70.tmp I can look in my PC up to C:\users\steve\appdata\local\temp\ but once I get there, there is no tmpD70.tmp? Any clue what's going on?
    Thursday, November 20, 2008 9:46 AM

All replies

  • I just had the same thing happen on my PC.  How do I get rid of this trojan?

    Thursday, November 20, 2008 1:59 PM
  • Same thing just happened to me. Any help removing this would be great!
    Thursday, November 20, 2008 4:52 PM
  • If you are using Windows Live OneCare and you have been infected, but OneCare did not detect or cannot remove the malware, please contact support to report this and for help with removal.

    How to reach support (FAQ) - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

     

    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx  for details.  For international information, see your local subsidiary Support site.

     

    Thursday, November 20, 2008 5:50 PM
    Moderator
  • Hey 1Steve

     

    I will be needing a detailed log which can give more info about it. Below is how you can get the detailed log file, which can be found at

     

    Vista

    1. c:\ProgramData\Microsoft\OneCare Protection\Support\MPLOG*(some file which starts with MPLOG)

     

    XP

    2.      c:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLOG*(some file which starts with MPLOG) (This is if you have win xp)

     

    Note: These are hidden, so you have to make sure that you enable show hidden files and folders

     

    Let me know if you face any problem in the above steps

    You can email me logs at montyj@microsoft.com

     

    Thanks

    Monty[MSFT]

     

    Thursday, November 20, 2008 7:23 PM
  • Monty- I looked at the log on my PC and the last entry in today's log looks like it confirms the removal of this trojan.  Here is the text from my log:

     

    Beginning threat actions
    Start time:Thu Nov 20 2008 08:51:04
    Threat Name:Trojan:Win32/Alureon.BB
    Threat ID:2147616406
    Action:remove
    File cleaned/removed successfully
    File Name:C:\Documents and Settings\TEMP\Local Settings\Temp\TDSS8212.tmp
    Resource action complete:Removal
    Schema:file
    Path:\\?\C:\Documents and Settings\TEMP\Local Settings\Temp\TDSS8212.tmp
    Threat ID:2147616406
    Resource refcount:1
    Result:0
    Finished threat ID:2147616406
    Threat result:0
    Threat status flags:4
    Finished threat actions
    End time:Thu Nov 20 2008 08:51:05
    Result:0

     

    I also looked for the file Temp\TDSS8212.tmp on my drives and it could not be found.

     

    Does this confirm that OneCare removed the trojan?

     

    Thanks,

    Jim

    Thursday, November 20, 2008 8:54 PM
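
The threat-action block pasted in the post above can be summarised mechanically when a log holds many of them. The following Python parser is an added example, not part of the original thread and not OneCare tooling; the line layout is inferred only from that excerpt, and the second sample block, `parse_threat_actions` and `unconfirmed` are names and data constructed for illustration.

```python
# Added example. Block 1 is quoted from the post above; block 2 is constructed
# (not real OneCare output). The line layout is an assumption from that excerpt.
SAMPLE_LOG = r"""
Beginning threat actions
Threat Name:Trojan:Win32/Alureon.BB
Action:remove
File cleaned/removed successfully
File Name:C:\Documents and Settings\TEMP\Local Settings\Temp\TDSS8212.tmp
Finished threat ID:2147616406
Threat result:0
Finished threat actions
Beginning threat actions
Threat Name:Constructed.Sample.Threat
File Name:C:\constructed\placeholder.tmp
Finished threat actions
"""

SUCCESS_LINE = "File cleaned/removed successfully"
FIELDS = {"Threat Name": "threat", "Action": "action", "Threat result": "threat_result"}

def parse_threat_actions(text):
    """Return one dict per 'Beginning threat actions' block found in text."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Beginning threat actions":
            if current is not None:           # previous block was never closed
                records.append(current)
            current = {"threat": None, "action": None, "threat_result": None,
                       "files": [], "removed": False, "closed": False}
        elif current is None or not line:
            continue                          # text outside a block, or a blank line
        elif line == "Finished threat actions":
            current["closed"] = True
            records.append(current)
            current = None
        elif line == SUCCESS_LINE:
            current["removed"] = True
        else:
            key, _, value = line.partition(":")   # split on the first colon only
            if key == "File Name":
                current["files"].append(value)
            elif key in FIELDS:
                current[FIELDS[key]] = value
    if current is not None:                   # log was cut off mid-block
        records.append(current)
    return records

def unconfirmed(records):
    """Threat names whose block has no explicit success line (follow up on these)."""
    return [r["threat"] for r in records if not r["removed"]]
```

A block that lacks the success line, or that has `closed` set to False because the log was truncated, is the case to raise with support rather than treat as cleaned.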
  •  Monty Jain [MSFT] wrote:

    Hey 1Steve

     

    I will be needing a detailed log which can give more info about it. Below is how you can get the detailed log file, which can be found at

     

    Vista

    1. c:\ProgramData\Microsoft\OneCare Protection\Support\MPLOG*(some file which starts with MPLOG)

     

    XP

    2.      c:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLOG*(some file which starts with MPLOG) (This is if you have win xp)

     

    Note: These are hidden, so you have to make sure that you enable show hidden files and folders

     

    Let me know if you face any problem in the above steps

    You can email me logs at montyj@microsoft.com

     

    Thanks

    Monty[MSFT]

     

     

    Hi,

    I tried following your instructions but I don't seem to have the file you are talking about. I'm running Vista Ultimate. I have show hidden files checked. I can get to c:\ProgramData\Microsoft\. However, once there, the only folder concerning OneCare is "Microsoft OneCare Live". The only file in that folder is "ent.dat".

     

    Thanks

    1Steve

    Thursday, November 20, 2008 9:50 PM
  • The path is: C:\ProgramData\Microsoft\OneCare Protection\Support <== you will need to provide admin credentials to access this if you have UAC enabled.

     

    I just checked my Vista machine and the file is there.

    -steve

     

     

     

    Friday, November 21, 2008 2:43 AM
    Moderator
  •  Stephen Boots wrote:

    The path is: C:\ProgramData\Microsoft\OneCare Protection\Support <== you will need to provide admin credentials to access this if you have UAC enabled.

     

    I just checked my Vista machine and the file is there.

    -steve

     

     

     

    Not sure why my Vista seems to be different. However, Monty contacted me also and told me to go into OneCare's settings and click on the create support log button. He said that should create the missing file. It did create a support log file. But in a different path and format than expected? What I ended up with was:

    C:\ProgramData\Microsoft\Microsoft Windows Live OneCare\Support Log.html
    Friday, November 21, 2008 6:46 AM
  • The file you got when creating the support log is as expected - an HTML report that opens in your browser. It may also create the file that Monty wants. On my machines I have created the support logs often, so I can't say that the file only gets created after doing that step.

    -steve

     

    Friday, November 21, 2008 6:32 PM
    Moderator
  •  Stephen Boots wrote:

    The file you got when creating the support log is as expected - an HTML report that opens in your browser. It may also create the file that Monty wants. On my machines I have created the support logs often, so I can't say that the file only gets created after doing that step.

    -steve

     

     

    I'm still a bit confused with the administrative rights thing in Vista. I am the only owner/user of this PC. I am listed as an administrator, yet apparently I still can't access some things? I did a bit of research after your insistence that the file path you posted was valid and that I didn't have permission to see it. So far it looks like you are correct. However, I don't understand the difference between not being allowed to see a file vs. being able to see it but getting an access denied message? Anyway Steve, that aside, I googled up a supposed workaround. Someone posted that to gain access to those hidden folders and files you could right-click NOTEPAD and select run as administrator > select file open and paste in the path you gave. This worked part way, so I'm not sure if the file is still hidden or nonexistent. With this method I was able to get as far as the support folder, which previously Vista told me wasn't there. However, it still told me the mplog file was not found. So I shortened my request to just the support file. Notepad opened it running in administrative mode but showed only one file called "OCExpensiveFiles.txt" in it. Any more ideas?

    Friday, November 21, 2008 8:45 PM
  • In Vista, with UAC on, you need to gain explicit permission, meaning that you need to temporarily elevate your rights to the Administrator account, which is not the same as having Administrative rights on the PC. This is to protect the OS from attack or even accidental actions by a user.

    I'm not sure why you are seeing these files if you have the option to show hidden files and folders selected in Explorer settings.

    However, based on your review of the Support Log report in your browser, I do believe that the infection is at least blocked.

    If the infection is not gone, go ahead and contact Monty without the logs he asked for - using his email above *or* go the support route.

    -steve

     

    Saturday, November 22, 2008 3:09 AM
    Moderator
  • Hi all,

    I also run Windows OneCare and had the same problems with Alureon trojans. It takes a lot of time to remove it with the support of the OneCare crew, so I looked further for another solution. After all, it's quite simple to solve when using ComboFix. Just download combofix.exe here --> http://download.bleepingcomputer.com/sUBs/ComboFix.exe and run it.
    It worked for me!

    Greetz & good luck
    Wednesday, December 31, 2008 2:24 PM
  • Maloni,

    ComboFix is a dangerous tool intended to be run with the help of a malware removal expert. Though in some cases it may fix a specific problem, it has also been known to cause damage when used with the wrong type or version of an infection.

    If you have experience removing infections manually, it may be a useful tool, but in the wrong hands it can just as easily destroy the operating system and lose all data stored there.

    Since those using OneCare tend to have little experience with such complex tools, it would be better if they simply contacted OneCare Support which they are already paying for.

    OneCareBear
    Windows OneCare Forum Moderator
    Wednesday, December 31, 2008 8:10 PM
    Moderator
  • This is really not a good answer. Since I contacted support with this problem, there have been about 5 support techs from Microsoft that have tackled the problem. Do they read or listen to the previous support logs on the same case? They always direct me to the same procedures, from one tech to the other, only to find out, from whatever scans have been run, that I have the Alureon Trojan. It goes like this: They lead me to the scan, whether it is the Live OneCare scan or the scan on the MS Support website. The answer is always the same: I have the Alureon Virus, which cannot be removed. Since the scan is very long, they generally tell me they will call the next day. The next day someone calls me, always a different person, and the same process starts again. The statement below is from an MS site. I have received no useful help from the MS support techs. If you can't remove the virus, obviously I need to go to another malware software, instead of using Live OneCare. Since this is a common problem (research on the web will verify this), Microsoft must have an answer other than Live OneCare, since it does not do the job. Any suggestions from Microsoft as to which software really does the removal job???? Thank you.


    If you are using Windows Live OneCare and you have been infected, but OneCare did not detect or cannot remove the malware, please contact support to report this and for help with removal.

    How to reach support (FAQ) - http://social.microsoft.com/Forums/en-US/onecareinstallandactivate/thread/30400b52-7f26-4ba0-bc18-17e305329d90

    Monday, August 10, 2009 12:08 AM
  • Mike, please provide your support case number here or via email to me at sboots@mvps.org. If you email me, include OneCare in the subject line, your LiveID for your subscription, and the country you are located in.
    Also paste this link in the email body.
    http://social.microsoft.com/Forums/en-US/onecareanti-virus/thread/f11a4425-3f44-4294-973c-7907bfb58ac8

    I'm sorry that you've had such difficulty with the removal process. As soon as I get your case ID, I'll escalate this to OneCare Support management for follow-up.
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare, Live Mesh, & MS Security Essentials Forums Moderator
    Monday, August 10, 2009 12:05 PM
    Moderator