Bit Defender has found Outlook PST file with virus: JS.Kak.Gen@mm

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by surf1div1, Feb 4, 2008.

  1. surf1div1

    surf1div1 Private E-2

    Hi. While using Bit Defender's online scan it picked up the following virus (JS Kak.Gen@MM) and was unable to delete it from 35 files in F:\Documents and Settings\Arnold\Local\Settings\Application\Data\Microsoft\Outlook\Personal Folders(1) Pst... Bit Defender responds that it is unable to disinfect or delete.

    I've tried going into Outlook and deleting the individual message folders that contained the RTF docs that it referred to but still am unable to delete the virus. So that is why I've tried to get some support on ridding it. These are the steps I've done on my own as well- I'm pasting my MGlogs.zip file that contains the batch files that were run to determine the status of my drives and hopefully you can use them as well.

    I've done this self-help for Windows XP by doing the following:
    1- Used ATF Cleaner- first in Safe Mode so that I could get each separate account cleaned out. Then mine again in normal startup.
    2- Used the most up to date Spybot V 1.5.2, installed the updates and scanned (with no problems found)
    3- Checked through the "self-help" (both pages) on spy/malware removal - none of them addressed the virus that was found.
    4- Made sure that I have only one anti-virus program used- current AVG Anti-Spyware 7.5, most current definitions.
    5- Uninstalled previous versions of Microsoft's Java and installed Sun Java.
    6- Went into MSConfig and set up for Normal startup mode
    7- Emptied Recycle Bin (no quarantined items from Spybot or AVG were found)
    8- Enabled viewing of all hidden files and file extensions
    9- Installed and ran "Combofix" (installed on desktop) and MGTools (root of F - this is my "C drive"; runs the runkeyes, newfiles, and Getunkey batch files). I'll attach my MGtools file for your review. Thanks

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You forgot to attach the logs from ComboFix and AVG Antispyware and it appears that you did not accept the license agreement from TrendMicro HijackThis that popped up while running MGtools. As a result, your MGlogs.zip file is missing the HijackThis log.

    However, see if the below helps with your Outlook issue.

    Compact the .pst files by clicking Properties > Advanced > Compact File. If you don't do that, they are not really gone, and the scans will still pick them up.
     
  3. surf1div1

    surf1div1 Private E-2

    Hi,
    Sorry about just getting back to you, but I've had all kinds of problems with this system over the last week and will need to format my drive since everything is coming up on my F drive and I will need to get everything back to my C drive. In the interim, I'll delete the folders in my Outlook showing the viruses and try and back it up after compacting it as you've requested. I will then redo the format and get a clean drive. I will contact you to see about starting off with a clean system prior to reinstalling and importing the Outlook file, since that (.pst file) is where this virus is coming from.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. surf1div1

    surf1div1 Private E-2

    Hi Chaslang- I owe you!
    Well, I'm not 'exactly' sure, but possibly your 'compacting' solution helped ("Compact the .pst files by clicking Properties > Advanced > Compact File. If you don't do that, they are not really gone, and the scans will still pick them up."). I've gone ahead and deleted the specific files shown in my Outlook PST files (and deleted a bunch of folders as well that contained those viruses) and then deleted a ton of dups that showed up. As you're aware, I wasn't able to delete (at least at my level) the stuff showing up in Documents and Settings, but after reinstalling the Windows XP OS and taking your suggestion from below, I went ahead, just to make sure, and made sure that my backup PST for Outlook was clean per Bit Defender, and it showed everything was fine. I then did a Ghost backup prior to reinstalling and importing my PST backup file into the clean Outlook and prayed ;-). After the import I rebooted and did another scan, and again things are fine. I've done this all on my old system and now am running clean. It may not seem like you've done much, but your grasp of what the issues were was enough to clean this problem up. I've done all ten of the items from below's link (save the a-squared - this is an old system I've tried this on) and feel confident enough to go ahead and wipe my 'newer' system clean. This was quite time consuming, but I didn't want to throw the baby out with the bathwater, which I was almost going to do in order to get a clean un-infected system. I had this virus ("VBS.KakWorm") from 1999. I'm not sure why NONE of my virus protection programs EVER got it until I did an online scan. If there's any lesson I've learned, it is to perform an online scan periodically to make sure that I'm clean. I'm baffled as to why none of them worked- and I've tried some really good ones (ESET's) and again, until I did an online scan I would have never known.
    Thanks again for all the info your site provides, and I'm fortunate that I didn't take a lot of your time and resources to get this done (I'm thinking I didn't, based on the size of this thread compared to some I've read).

    Regards-
    Surf1Div1
     
  6. surf1div1

    surf1div1 Private E-2

    Well, I thought I had a clean system- I was unable to run a scan with Bit Defender (unable to download virus definitions on the online scan), so I ran Kaspersky and this is what I got: 2 viruses. Well, just when I thought I was clear, they come back....

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, February 21, 2008 1:08:37 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 21/02/2008
    Kaspersky Anti-Virus database records: 574609
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics:
    Total number of scanned objects: 61969
    Number of viruses found: 2
    Number of infected objects: 7
    Number of suspicious objects: 0
    Duration of the scan process: 00:59:47

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dfe8ffb2f2043fdbb21fc3d0e38111ce_2e71834d-3212-4723-bef4-d5ece7c2c52d Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Local Settings\Temp\~DF88DC.tmp Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Local Settings\Temp\~DF88FB.tmp Object is locked skipped
    C:\Documents and Settings\Arnold Levin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Arnold Levin\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Arnold Levin\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{8AA54BC8-D18E-4FD9-BB96-8DA7BBFE35C0}\RP23\change.log Object is locked skipped
    C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{07AC5181-6A02-4780-8DBF-9FDA36C0F9A0}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{DA6F8050-10AF-4878-99AA-6AA6F977B13B}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    G:\Downloads\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    G:\Downloads\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    G:\Downloads\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    G:\Downloads\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
    G:\Downloads\mirc631.exe NSIS: infected - 4 skipped
    G:\Downloads\Nero Downloads\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    G:\Downloads\Nero Downloads\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
    G:\System Volume Information\_restore{8AA54BC8-D18E-4FD9-BB96-8DA7BBFE35C0}\RP23\change.log Object is locked skipped
    H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    H:\System Volume Information\_restore{8AA54BC8-D18E-4FD9-BB96-8DA7BBFE35C0}\RP23\change.log Object is locked skipped

    Scan process completed.
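Added example (not from the thread, from Kaspersky or from MajorGeeks): a small Python parser for the result table in the report above. It separates files the scanner merely could not open ("Object is locked") from actual detections and flags Kaspersky's "not-a-virus:" riskware names separately, so only the lines that still need action remain; the sample input is a constructed excerpt in the same line format.

```python
import re
from collections import Counter

# Constructed sample (hypothetical excerpt) in the line format of the
# "Infected Object Name / Virus Name / Last Action" table of a
# Kaspersky Online Scanner 5.x report, as posted in the thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Arnold Levin\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
G:\Downloads\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
G:\Downloads\mirc631.exe NSIS: infected - 4 skipped
G:\Downloads\Nero Downloads\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
G:\Downloads\Nero Downloads\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
"""

# Files the scanner could not open (registry hives, logs, the open Outlook.pst): not detections.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
# A detection inside an object; names prefixed "not-a-virus:" are riskware/adware, not malware.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
# Summary line for an archive/installer that holds N infected members.
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<archiver>[\w-]+): infected - (?P<count>\d+) (?P<action>\w+)$")


def parse_report(text):
    """Classify each result line as locked, malware, riskware, container or unparsed."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := LOCKED_RE.match(line):
            results.append({"path": m["path"], "kind": "locked", "name": None, "action": m["action"]})
        elif m := INFECTED_RE.match(line):
            kind = "riskware" if m["name"].startswith("not-a-virus:") else "malware"
            results.append({"path": m["path"], "kind": kind, "name": m["name"], "action": m["action"]})
        elif m := CONTAINER_RE.match(line):
            results.append({"path": m["path"], "kind": "container", "name": m["archiver"],
                            "action": m["action"], "count": int(m["count"])})
        else:
            results.append({"path": line, "kind": "unparsed", "name": None, "action": None})
    return results


def summarize(results):
    """Per-kind counts plus the distinct detections whose last action was only 'skipped'."""
    kinds = Counter(r["kind"] for r in results)
    pending = sorted({r["name"] for r in results
                      if r["kind"] in ("malware", "riskware") and r["action"] == "skipped"})
    return kinds, pending
```

On the full report above only the mirc631.exe and Nero trial installer lines are detections; every "Object is locked" line is a system file the scanner did not read, not an infection.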
     
