Fail to remove

[Guest]

The installed beta program identifies a 'Severe Alert' item on the system (XP
Home).
Despite recommending removal action the Defender program is unable to remove
the offending file.
The Defender program generates an error message and the offending file
remains on the system to be detected on the next programmed scan.

The detected file is:Transponder.ZServ

Location of file:
C\DocumentsandSettings\First\LocalSettings\Temp\zserv.cab->zserv.inf

Error Code generated: 0x80501001

The system has Windows Updates automatically.

 

[Bill Sanderson]

This error is caused by the detected item, the INF file, being contained in
an archive file--in this case a .CAB file.

I'd recommend going to that location at a command prompt and renaming, or
simply deleting, the .cab file--and perhaps everything else in the TEMP
folder.

Local Settings is a hidden folder--but you can CD to it .

 

[Guest]

I've run into this problem too. I'll try your solution, but this seems like
a bug; the average user shouldn't be expected to go hunt down CAB files (in
hidden folders, no less) and delete them.

 

[Bill Sanderson MVP]

I don't believe that we are seeing the final behavior for this. Currently,
Microsoft is bending over backwards to avoid data loss, but other approaches
are possible. I think that we'll see some change before release.

--

 

[Guest]

I ran into this nasty little spyware/virus about a month ago and I still
don't have it cleaned off my system. I'm running XP SP1 but keep it up to
date with autoupdate. This thing will just not die and I either have multiple
infections or some type of mutating strain. I figured out it is transponder
but it looks like it changes into one of the multiple variations it has every
time I reboot. I guess I don’t really have defender but I am using it’s
predecessor and it, Ad-Aware, Spybot, and every other thing I have tried has
not killed this infection. I have to run each program several times after a
reboot to get all of the variations off. I have to dig into the system32
folder to delete random .exe files, delete registry entries, and change my
home page. This thing has completely blocked me from doing a restore from a
date previous to the infection and I’m really not sure what this thing is
sending. The only option I can see is to completely wipe out my system and
start with a fresh install but that takes tons of time and I don’t have some
files backed up on a date just before infection. If there is any advice for
killing these I will gladly take it.

 

[Bill Sanderson MVP]

One lesson I've learned is that using a tool which is designed for rootkit
removal may help with some spyware these days--Sysinternal's Rootkit
Revealer, F-secure's blacklight, and others.

--