PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Fixed] Virus infection on server

#8 - 03-14-2006
adigiorgio (Bronze Member)
Join Date: Mar 2006
Posts: 70

Hmm... ok, I'll take a look at the free software.


#9 - 03-14-2006
joe5 (Elite Member)
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Boot your PC in safe mode (hit F8 when booting up).


Click Start>Run and type in: services.msc
Click OK
In the Services window find: BusinessC
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Open HJT and click config > misc tools > "delete an NT service"
Copy and paste: BusinessContinuity
Click OK.

Then remove this entry with hjt:

O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINNT\msstl.exe (file missing)


And do you know what this is from?

O23 - Service: 83022 - Unknown owner - \\64.166.34.170\Admin$\eraseme_70210.exe

If not, please upload the file in bold to this site:

http://www.virustotal.com/flash/index_en.html


And can you also do a Panda AV scan online and post the resulting log file:

http://www.pandasoftware.com/products/activescan.htm


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 03-14-2006 at 10:49 PM.
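
A triage pass over O23 lines like the two quoted in post #9, as an added example that is not part of the thread and not HijackThis's own code. The function names, the flag labels and the last two sample lines are assumptions made for illustration.

```python
import re

# O23 line layout as HijackThis prints it:
#   O23 - Service: <display> [(<name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# UNC path into an administrative share (ADMIN$, IPC$, C$, D$, ...).
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:ADMIN|IPC|[A-Z])\$\\", re.I)

def parse_o23(line):
    """Return the fields of one O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {"display": m["display"], "name": m["name"] or m["display"],
            "owner": m["owner"], "path": m["path"],
            "missing": m["missing"] is not None}

def triage(entry):
    """Reasons to ask about a service; hints for a human, not a verdict."""
    reasons = []
    if entry["owner"].lower() == "unknown owner":
        reasons.append("unknown-owner")
    if entry["missing"]:
        reasons.append("file-missing")       # service registered, binary gone
    if entry["path"].startswith("\\\\"):
        reasons.append("remote-binary")      # image path is on another host
        if ADMIN_SHARE_RE.match(entry["path"]):
            reasons.append("admin-share")
    return reasons

def review(log_text):
    """(service name, reasons) for every O23 entry with at least one flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry and triage(entry):
            flagged.append((entry["name"], triage(entry)))
    return flagged

# First two lines are the entries quoted in the thread; the rest are constructed.
SAMPLE = r"""
O23 - Service: BusinessC (BusinessContinuity) - Unknown owner - C:\WINNT\msstl.exe (file missing)
O23 - Service: 83022 - Unknown owner - \\64.166.34.170\Admin$\eraseme_70210.exe
O23 - Service: Example Backup Agent (ExBackup) - Example Corp - C:\Program Files\Example\agent.exe
O4 - HKLM\..\Run: [Example] C:\Example\tray.exe
"""

if __name__ == "__main__":
    for name, reasons in review(SAMPLE):
        print(name, reasons)
```

Many legitimate services also show "Unknown owner" in HijackThis, so each flag is a prompt to identify the service before deleting it, which is the question joe5 puts to the poster.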
#10 - 03-14-2006
Zimbo (Friend of PCHF)
Join Date: Sep 2004
Location: Right here !
Posts: 2,149

dvprpt is part of command AV itself.
:laughing4


#11 - 03-23-2006
adigiorgio (Bronze Member)
Join Date: Mar 2006
Posts: 70

OK, now that you're done laughing at the n00b, here's what I've done...

I ran the free clam virus scanner (which, by the way, took 5 days to fully scan the server). Attached is the report. I also followed the instructions posted by joe5. However, I was unable to locate the file in question. From what I saw of the clam scan, the virus is only located in the old backups.
Attached Files
File Type: txt clamav_report_220306_160312.txt (2.9 KB, 1 views)


#12 - 03-23-2006
joe5 (Elite Member)
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Originally Posted by adigiorgio
OK, now that you're done laughing at the n00b, here's what I've done...
Nah, I wasn't laughing at you, but the Command AV app.

Originally Posted by adigiorgio
I ran the free clam virus scanner (which, by the way, took 5 days to fully scan the server)
:o 5 days?!? How much storage space is on there? And what is the system resource usage of the server?

Originally Posted by adigiorgio
I also followed the instructions posted by joe5. However, I was unable to locate the file in question.
Do you recognize this IP?

64.166.34.170 (SBC Internet Services)

Why is there a service with a file on that IP running on there?
Is it a PC related to your company or anything?

I don't have a clue as to what that service/file is, but it looks highly suspicious to me..

Originally Posted by adigiorgio
From what I saw of the clam scan, the virus is only located in the old backups.
It is probably embedded in old emails; any objections to deleting those backup files? (I don't know what else is in there)

If you don't want to delete them then try the Stinger tool (see link below in my sig) or one of the special bagle-h removal tools here:

http://secunia.com/virus_information/599/bagle-h/



Or you can delete the files with Killbox:

Download Pocket Killbox:
http://www.atribune.org/downloads/KillBox.exe

Start Killbox and place a tick next to [x]delete on reboot.
And press the "all files" button. (just above the yellow triangle)

Copy this list into the Windows clipboard:


C:\Backups\B2D000005.bkf
C:\Backups\B2D000007.bkf
C:\Backups\B2D000013.bkf
C:\Backups\B2D000026.bkf
C:\Backups\B2D000027.bkf
C:\Backups\B2D000030.bkf
C:\Backups\B2D000036.bkf
C:\Backups\B2D000040.bkf
C:\Backups\B2D000041.bkf
C:\Backups\B2D000046.bkf
C:\Backups\B2D000053.bkf
C:\Backups\B2D000054.bkf
C:\Backups\B2D000056.bkf
C:\Backups\B2D000057.bkf
C:\Backups\B2D000059.bkf
C:\Backups\B2D000064.bkf
C:\Backups\B2D000069.bkf
C:\Backups\B2D000076.bkf
C:\Backups\B2D000079.bkf
C:\Backups\B2D000081.bkf
C:\Backups\B2D000086.bkf
C:\Backups\B2D000094.bkf
C:\Backups\B2D000096.bkf
C:\Backups\B2D000098.bkf
C:\Backups\B2D000099.bkf


Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt, then click OK.
Exit Killbox and restart your PC.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 03-23-2006 at 03:28 AM.
#13 - 03-24-2006
adigiorgio (Bronze Member)
Join Date: Mar 2006
Posts: 70

64.166.34.170 is our IP address. We have a VPN running with remote users logging on and off.

I deleted those backups and found that to be the reason the virus scan took so long. Those backups took up over 80% of the space on our server! I don't even know where they came from because we use Acronis True Image and it backs up to an external HD.

Anyways, thanks for your help. I'm going to run another Clam scan and see what it finds this time (and see if it is quicker)


#14 - 03-24-2006
joe5 (Elite Member)
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looks like they are files from a Windows backup utility set, and there is a chance that they are automatically scheduled and will keep filling the HD up again.

Have a look here for more info and instructions:

http://www.microsoft.com/windowsxp/u..._03july14.mspx


And do you still get the virus warning?


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

