Avast WEBforum

Other => Viruses and worms => Topic started by: Bellzemos on June 13, 2008, 03:25:15 PM

Title: Win32:Otwycal-Z [Wrm]
Post by: Bellzemos on June 13, 2008, 03:25:15 PM
Hello!

Avast! just found this virus on my PC (Windows XP SP2).

Win32:Otwycal-Z [Wrm] was in two files:

C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

C:\System Volume Information\_restore{376ED84E-0008-4FF4-BB6F-CD438FAC6925}\RP41\A0036162.exe

When Avast! found it, I clicked on "Delete" both times, and these two files are gone now. Is that ok? Or is IKernel.exe needed for the system to work?

Should I run another Avast! scan in safe mode now? Or what should I do?

Thank you a lot!
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Bellzemos on June 13, 2008, 03:39:23 PM
Should I run Hijackthis and post the results here maybe?

Is it possible that this virus came from some blog site? Because I really don't know how I got it...

Thank you!
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Lisandro on June 13, 2008, 03:45:29 PM
C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
C:\System Volume Information\_restore{376ED84E-0008-4FF4-BB6F-CD438FAC6925}\RP41\A0036162.exe
When Avast! found it, I clicked on "Delete" both times, and these two files are gone now. Is that ok? Or is IKernel.exe needed for the system to work?
It's safer and wiser to send the file to the Chest. Then you could analyze it and check whether it is a false positive, or whether the file is needed by the system... now the files are gone... you can't recover them.

Should I run another Avast! scan in safe mode now? Or what should I do?
You can run avast at boot time, and be careful not to mess with system files. Report first.

Should I run Hijackthis and post the results here maybe?
Go ahead... hope someone that knows more about cleaning could help you.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Chunker on June 13, 2008, 03:57:18 PM
I had the very same thing on my latest scan this morning.  Only I had 3 places, one on the c drive and two on the d drive.  I placed all in the chest.  The c drive one can be restored, but the two on the d drive can't.  I believe this is a part of my HP nVidia driver and is perhaps a false positive by avast???
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Lisandro on June 13, 2008, 04:03:57 PM
I had the very same thing on my latest scan this morning.  Only I had 3 places, one on the c drive and two on the d drive.  I placed all in the chest.  The c drive one can be restored, but the two on the d drive can't.  I believe this is a part of my HP nVidia driver and is perhaps a false positive by avast???
What's the error message while trying to restore?
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Chunker on June 13, 2008, 04:12:10 PM
I never tried, the avast file says non restorable and doesn't give that option as it does for the file from the c drive.  My d drive is my restoration drive.  I restored the main file on the c drive and took a look at it.  I'm sure this is a false positive by avast.  The folder is C:\HP\drivers\video_nVidia.  It contains 118 files and is 28.3 MB in size, created in 2005 when I first got my pc.  Wonder why avast doesn't give the option to restore those to the d drive???  Maybe I should just go and do a restore point back to yesterday???
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Lisandro on June 13, 2008, 04:30:43 PM
Maybe I should just go and do a restore point back to yesterday???
It won't be a bad idea.
Anyway, check the workaround to avoid avast detection for a while.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Bellzemos on June 13, 2008, 04:51:51 PM
I had the very same thing on my latest scan this morning.  Only I had 3 places, one on the c drive and two on the d drive.  I placed all in the chest.  The c drive one can be restored, but the two on the d drive can't.  I believe this is a part of my HP nVidia driver and is perhaps a false positive by avast???

What? I have an nVidia graphics card too! And I bought my PC in 2005 too. I hope I haven't done something wrong by deleting IKernel.exe - but how could this file be connected to nVidia files?

@Tech: How do I run a boot scan?
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Lisandro on June 13, 2008, 06:09:19 PM
@Tech: How do I run a boot scan?
Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files (suggestion: send to Chest)
Choose how to automatically process infected system files (suggestion: ignore/do nothing)
Click the Schedule button to confirm the settings.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: DavidR on June 13, 2008, 06:17:37 PM
Personally I would confirm the detection is good or not first.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here.
You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
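Before following the advice above and treating a detection as a false positive, it helps to hash the exported file so it can be searched on VirusTotal by hash (no upload needed if someone already submitted it), and to confirm the file really is a Windows executable rather than, say, a compressed driver package. The script below is an added example, not code from the original thread or from avast; the sample bytes it writes are constructed (a minimal PE-shaped header, not IKernel.exe), the output directory is assumed, and the VirusTotal search URL format is an assumption.

```python
"""Triage a file exported from quarantine before deciding whether a detection is a false positive.

Computes MD5/SHA-1/SHA-256 (so the file can be looked up on VirusTotal by hash),
checks whether it is a Windows PE executable, and reports its size.
The sample bytes written by write_sample() are constructed for the demo only.
"""
import hashlib
import os
import struct
import tempfile

CHUNK = 65536


def hash_bytes(data):
    """SHA-256 hex digest of an in-memory byte string (used to cross-check file_hashes)."""
    return hashlib.sha256(data).hexdigest()


def file_hashes(path):
    """Stream the file once and return MD5, SHA-1 and SHA-256 hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def is_pe(path):
    """True if the file has an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def triage(path):
    """Collect everything needed to decide whether to upload or to search by hash."""
    hashes = file_hashes(path)
    return {
        "path": path,
        "size": os.path.getsize(path),
        "is_pe": is_pe(path),
        **hashes,
        # Assumed URL format for a hash search on VirusTotal (not taken from the thread).
        "vt_search": "https://www.virustotal.com/gui/search/" + hashes["sha256"],
    }


def build_sample_pe():
    """Construct a minimal, non-functional PE-shaped byte string (demo data only)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew field at offset 0x3C
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 64


def write_sample(directory=None, data=None, name="sample.exe"):
    """Write demo bytes into a scratch directory (assumed: C:\\Suspect or a temp dir) and return the path."""
    directory = directory or tempfile.mkdtemp(prefix="suspect_")
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(build_sample_pe() if data is None else data)
    return path


if __name__ == "__main__":
    for key, value in triage(write_sample()).items():
        print(f"{key}: {value}")
```

Point the script at the copy you exported into the excluded folder, then compare the SHA-256 against a copy of the same file from the vendor's installer or another machine: identical hashes on a file the vendor shipped years ago are strong evidence of a false positive, while a changed hash on a file that should never change is not.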
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: ampwork on June 13, 2008, 06:37:49 PM
I had this same worm turn up on my very old Nvidia driver in ikernal.ex_.  I quarantined the worm in the virus chest and sent in for analysis.  I suspect a false positive.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: DavidR on June 13, 2008, 06:44:30 PM
I would suggest confirming by submission to the VT link above. If confirmed an FP then you can exclude it from scans and restore it pending a correction by avast.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Chunker on June 13, 2008, 06:46:45 PM
Finally back with good news and bad news.  I did system restore back 2 days.  Then had to redo all the program updates that I've done since that time.  Ran a new avast scan and just ignored the indication on the c drive.  The scan completed but "no indications of the two files on the d drive!"  In other words, the restore does not rebuild the recovery drive as it does the c drive.  Now the big question is "why does avast allow you to move items to the chest from that drive, but doesn't provide the option of returning them??"  I'm not at all happy with this and if I ever have to do a complete system recovery, I'll be dead in the water!  What I've done now is to exclude from scanning c:\hp\drivers\video_nVidia so at least that won't show up in future scans.  I'm convinced beyond a shadow of a doubt that this is a "false positive" by avast and could cause a lot of problems for many customers.  I think the moral here is to "never" let avast move anything from your recovery drive to the chest!
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: DavidR on June 13, 2008, 06:57:03 PM
It does and it is called Restore, see image.
Open the chest, select the Infected files if it was a detection by avast and you select the file you want to restore, right click and select Restore.

It would have been better to have asked this question before jumping in with a system restore.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Aztec on June 13, 2008, 06:59:06 PM
I am also having this same error.  However, when I goto move to chest I get this error:

Access is denied:
Cannot process "C:\Program Files (x86)\Common Files\Install Shield\Engine\6\Intel 32\Kernel.exe" file

It is an endless loop.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Aztec on June 13, 2008, 07:07:42 PM
Personally I would confirm the detection is good or not first.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here.
You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I've done this.  Here is the link:  http://www.virustotal.com/analisis/14eedbe1be86cb0c4185b436d41f3bc6

Also, why does a "Google" only yield 2 links, and both to Avast's forums?  Is this a 'worm' that I and others should be worried about?  I'm so confused.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: PiotrW on June 13, 2008, 07:33:01 PM
My Avast just alerted me to the same worm. The program says it infected... wmplayer.exe (yes, the Windows Media Player main file).

Is this a real threat or another false positive by Avast?
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Chunker on June 13, 2008, 08:02:49 PM
It does and it is called Restore, see image.
Open the chest, select the Infected files if it was a detection by avast and you select the file you want to restore, right click and select Restore.

It would have been better to have asked this question before jumping in with a system restore.

David, If you would read and understand my post, avast gave "no" option to restore those two files on the recovery drive.  That option was greyed out on both.  The one for the file from the c drive was there, but none for the d drive!
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: neojudgment on June 13, 2008, 08:37:52 PM
Hi all,

Today I received the same alert while downloading 'SIM Manager' from the official website in Australia: http://www.simmanager.com.au/

 ;D

Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Chunker on June 13, 2008, 10:45:16 PM
It does and it is called Restore, see image.
Open the chest, select the Infected files if it was a detection by avast and you select the file you want to restore, right click and select Restore.

It would have been better to have asked this question before jumping in with a system restore.

David, If you would read and understand my post, avast gave "no" option to restore those two files on the recovery drive.  That option was greyed out on both.  The one for the file from the c drive was there, but none for the d drive!

Now it seems that it was indeed a false positive and has been fixed by avast.  But too late, the damage has already been done in my case.  I did exactly what I was supposed to do and moved 3 infected files into the chest for further inspection.  I returned the one file off the c drive with no problem.  But the two files that came from the d (recovery) drive, avast gave me "no" option of restoring them.  Even on right clicking those files while in the chest and choosing properties, it said those files were unrestorable.  Now they are lost forever and my recovery drive has been corrupted, no thanks to avast!!  I will never trust avast again.
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: Bellzemos on June 15, 2008, 02:40:38 PM
I did a boot scan and there was no virus found. But one file is corrupted:

File C:\WINDOWS\Driver Cache\i386\driver.cab\kdh00001.ppd Error 42127 {CAB archive is corrupted.}

Why is that so? Thank you!
Title: Re: Win32:Otwycal-Z [Wrm]
Post by: DavidR on June 15, 2008, 03:06:43 PM
Nothing to worry about; even if the file is corrupt there is nothing that you as a user can do about it. However, it is possible that avast can't fully unpack it to scan it and the error message is reporting corruption as the cause, which may not be 100% correct.

The main thing to remember is that it is just unable to be scanned, nothing else, not infected, etc.