F-secure didn´t delete virus though I have "Delete automatically"

I got a virus-message from F-secure when I went to a site that got me virus called trojandownloader.win32 something in my temporary internet files. Even though I have "Delete automatically" set on Real-time Protection it didn´t delete it - it just said action: none. But later when I right clicked on my Temporary Internet Files folder and virusscanned it with F-secure and it found the virus I could with the help of F-secure delete it. So why didn´t it delete it in the first place?

 

It may have been in use at the time.

Cheers

 

I have had the same problem recently. I think it´s because Windows doesn´t allow deletion of new temp. files. F-secure quarantines the file, but it doesn´t tell you about it, so you are safe . I have it set to "ask", so it is possible to decide if you want to clean it, or delete it. You can also choose "no action", and secure delete it yourself. I do that sometimes.

 

Thanks. I don´t know if I dare to have anything else but "Delete automatically" since my whole family use the computer and what they do with this computer only God knows But if F-secure quarantine the file anyway it´s not so big problem?

 

please rescan your system, this time set it to ask.
post the scan report here, as well as a hijackthis log(just to see if the virus is running on your system..)

 

In that case I click back and again try to delete it. In second try it delete it.

Which version of F-secure do you use?

 

I made a virus scan on all targets and nothing was found. Here´s the HJT-log. BTW do you know if I can delete the things I write i bold in this log:

Logfile of HijackThis v1.98.0
Scan saved at 14:01:29, on 2004-07-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\F-Secure\Common\FSGK32.EXE
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program\F-Secure\Common\FSM32.EXE
C:\Program\D-Tools\daemon.exe
C:\program\Quicktime\qttask.exe
D:\Program\Real\RealPlayer\RealPlay.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\verktyg\telia\LFConnectionKeeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] "D:\Program\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] D:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [LF Connection Keeper] C:\verktyg\telia\LFConnectionKeeper.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/se/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab


I have two of the icons on the bottom right of my screen you know that I would like to get rid of if possible. It´s a Quicktime icon and a Real Player icon. Is there someway to get them deleted from there, but they will still work after that? I mean like if I delete them and then still be possible to go to Start->Program->Quicktime and start it from there if I want to use Quicktime some times?


kloshar
Well I had delete automatically set so it wasn´t possible to go back. But I have had problem before with not being able to delete, I´ll try to go back next time I have this problem, thanks!

 

normally when f-secure is not able to delete a virus it is scheduled for renaming/deletion at next reboot.. it's just that this is not always possible to complete..
this procedure is the same in all versions of f-secure..
the failure happens most often with dll trojans etc..

you can safely fix those items in bold

now your log shows no windows service pack, no IE service pack... immediately go to windows update and get all patches...

 

If it wouldn´t bother you to much, could you just explain what each of these mean.
I know what it is about like Quicktime etc, but what do they do, I mean like does it mean the Quicktime icon on the bottom right of the screen will disappear or will the whole Quicktime program be removed?

O4 - HKLM\..\Run: [QuickTime Task] "C:\program\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] D:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

I don´t know what live365 is, I never have used or installed such program and when I do a filesearch on my computer I only found 1 file called live365 in "C:\WINDOWS\Downloaded Program Files" called "Live365Player Class".

 

Why do you devote so attention to that?

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\program\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] D:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

those are media players, some say real player is spyware

the dpf things are something you get from web pages, like the quick time thing. you obviously went to a page that had things in quick time format, so the plugin was downloaded.

sun jav console is legit but unnecessary

 

It is important to know what's on your system, if you suspect something nasty, then keep pushing the point until you have the answers you need.

Cheers