Avast WEBforum

Other => General Topics => Topic started by: TOMTHUMB on December 05, 2006, 10:39:45 PM

Title: Win32:warezov_qu
Post by: TOMTHUMB on December 05, 2006, 10:39:45 PM
Anyone know or seen this one before? They were in the Windows "restore" file. There were two others, just the end was different: QJ and QV. How can I be sure I got rid of them??
Title: Re: Win32:warezov_qu
Post by: DavidR on December 05, 2006, 10:46:02 PM
If they are in the system volume information\ folder, _restore point then:

The C:\System Volume Information folder is a part of the System Restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable System Restore and reboot. This will clear ALL _restore points. Once you have disabled System Restore, reboot, scan your PC again and, if clear, enable System Restore.

Win XP-ME - How to disable System Restore (http://www.pchell.com/virus/systemrestore.shtml)
Title: Re: Win32:warezov_qu
Post by: Lisandro on December 06, 2006, 12:57:11 AM
Besides what David posted about disabling System Restore, I recommend:

1) Clean your temporary files.
2) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
3) Use a-squared (http://www.emsisoft.com/en/software/free/), Free AVG Antispyware (http://www.ewido.net/en/), SUPERantispyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/) (trojan removers).
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 06, 2006, 03:29:17 AM
:) Thanks a bunch, have done all that. I seem to be getting the alarm going off 29 times this morning. Sorry, two more times just then. What gives, is someone targeting me???
Title: Re: Win32:warezov_qu
Post by: Lisandro on December 06, 2006, 01:40:20 PM
Quote
Thanks a bunch, have done all that.
Do you mean all? Disable System Restore, clean temporary files, schedule avast and use antitrojans?
The last chance will be scanning in Safe Mode (press F8 while booting) and using antirootkits.
Check also http://www.sophos.com/support/disinfection/trojan.html
Title: Re: Win32:warezov_qu
Post by: DavidR on December 06, 2006, 01:56:48 PM
Quote
:) Thanks a bunch, have done all that. I seem to be getting the Alarm going off 29 times this morning. Sorry two more times just then. What gives, is someone targeting me. ???

Please give details of some of those alarms: is it the same warezov_?? infected file name/s and location (e.g. C:\windows\system32\infected-file-name.xxx or an internet URL)?
Check the avast Log Viewer (right click the avast icon), Warning section.

Without information we can't say one way or another, though I doubt you are being specifically targeted.

Do you have a firewall? If so, what is it?
Did the other scans you ran not find anything (even if run in Safe Mode)?
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 07, 2006, 04:25:02 AM
YES I did: disable restore, reboot, then clean out the temp and cookies, and did a scan before Windows started. What is the anti-trojan and how do you start it? This was the log file, warnings only, half of what is there.
urning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2204.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2204.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2282.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2282.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2329.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2329.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2454.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2454.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2563.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2563.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2626.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2626.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2688.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2688.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2766.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2766.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2813.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2813.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupValueItem.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupValueItem.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetField.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetField.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataField.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataField.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataClass.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataClass.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldMetadata.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldMetadata.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupList.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupList.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupListItem.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupListItem.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldDefn.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldDefn.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetDefn.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetDefn.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldSetFileType.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldSetFileType.cdx) returning error, 0000A413.
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 07, 2006, 04:28:33 AM
Firewall, just the windows one, I hope you can help this PC is unusable as it is.
Title: Re: Win32:warezov_qu
Post by: Lisandro on December 07, 2006, 12:16:13 PM
I'm thinking that you have a second antivirus in this computer...  ::)
Did you install any antivirus? Even in the past? Which one?
Title: Re: Win32:warezov_qu
Post by: DavidR on December 07, 2006, 02:06:16 PM
@ TOMTHUMB
The entries you posted don't relate to the detections. Did you open the avast Log Viewer, Warning section, which contains the avast virus alerts? If you can't see the Warning icon, ensure you have the Program Run tab selected, see image.

Or open the C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log file with a text editor, that contains the information used by the avast Log Viewer warning section.

Example of an entry relating to a detection in the warning section/warning.log:
Quote
07/12/2006   12:55   1165496107   SYSTEM   1364   Sign of "EICAR Test-NOT virus!!" has been found in "http://www.eicar.org/download/eicar.com" file. 
07/12/2006   13:04   1165496649   SYSTEM   1364   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\breakout.exe" file. 
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 07, 2006, 09:00:05 PM
Hi, there was a copy of Norton in, but I uninstalled it. Yes, the event log, warnings: there does not seem to be anything in there ???
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 07, 2006, 09:07:09 PM
OK, some of the file.
found in "C:\WINDOWS\system32\strmwin8.dll" file. 
6/12/2006   9:38:36 PM   1165401516   User1   5404   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\System Volume Information\_restore{32D525DA-6AD5-4AB6-A492-3030F81BC8DE}\RP1\A0000043.dll" file. 
6/12/2006   9:39:07 PM   1165401547   User1   5404   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\System Volume Information\_restore{32D525DA-6AD5-4AB6-A492-3030F81BC8DE}\RP1\A0000058.dll" file. 
6/12/2006   10:30:42 PM   1165404642   User1   1580   Sign of "Win32:Warezov-QV [Wrm]" has been

2/12/2006   6:42:16 AM   1165002136   SYSTEM   128   Sign of "Win32:Warezov-QP [Wrm]" has been found in "Incoming email 'Mail Transaction Failed' From: frank garcia <frank.garcia@telcan.com>, To: nimbus900au@yahoo.com.au\docs.zip#1842954763\docs.elm.pif\[UPX]" file. 
2/12/2006   6:42:28 AM   1165002148   SYSTEM   128   Sign of "Win32:Warezov-QP [Wrm]" has been found in "Incoming email 'Mail server report.' From: secur@midmich.net, To: mho57144@bigpond.net.au\Update-KB2343-x86.exe#1553420733\[UPX]" file. 
2/12/2006   8:57:32 AM   1165010252   User1   3160   Sign of "Win32:Warezov-QL [Wrm]" has been found in "C:\Documents and Settings\User1\Local Settings\Application Data\IM\Identities\{0A409B87-EF74-470D-BE41-C11A587A7E6E}\Message Store\Attachments\docs.zip\docs.log.exe\[UPX]" file. 
2/12/2006   9:53:04 AM   1165013584   User1   3160   Sign of "Win32:Warezov-QP [Wrm]" has been found in "C:\Documents and Settings\User1\Local Settings\Application Data\IM\Identities\{0A409B87-EF74-470D-BE41-C11A587A7E6E}\Message Store\Attachments\Update-KB5226-x86.zip\Update-KB5226-x86.exe\[UPX]" file.
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 07, 2006, 09:21:42 PM
Some more.

Files\Content.IE5\GHIFKLIN\2500474277558080_0[1].jpg (C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\2500474277558080_0[1].jpg) returning error, 0000A474. 
13/11/2006   10:35:20 PM   1163417720   User1   1772   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\3200483349408080_0[1].jpg (C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\3200483349408080_0[1].jpg) returning error, 0000A474. 
13/11/2006   10:35:21 PM   1163417721   User1   1772   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\2200476896118080_0[1].jpg (C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\2200476896118080_0[1].jpg) returning error, 0000A474.
Title: Re: Win32:warezov_qu
Post by: DavidR on December 07, 2006, 09:43:42 PM
The C:\System Volume Information folder is a part of the System Restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable System Restore and reboot, as I mentioned in my first post. If these are new then you can't have disabled System Restore and rebooted. Until you are clean you should leave System Restore disabled and only then enable it.

The ones relating to emails should have been dealt with and either deleted or moved to the chest, depending on what you chose and what your email program is.

For the ones relating to Temp locations, Internet Files, etc., you should clean out all temp files: ClearProg - Temp File Cleaner (http://www.clearprog.de/) or CCleaner - Temp File Cleaner, etc. (http://www.filehippo.com/download_ccleaner/)

However, the ones you give as examples are from 2nd Dec and do not relate to the latest batch (29) you mentioned on 6 Dec, and the last batch is even earlier, 13 Nov; we are trying to help with those you reported on 6 Dec. Information from those would be helpful.

Norton is notorious for leaving remnants:
A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=)
You can also download SymNRT, a Norton uninstall tool (http://fileforum.betanews.com/detail/SymNRT/1125124391/1) that uninstalls all Norton 2004/2005/2006 products.
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 07, 2006, 10:14:29 PM
OK, yes I did disable "System Restore" and I did reboot. Have another "Firewall" installed as well. What can this "worm" do??

Some more recent "log":

044   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
7/12/2006   7:47:10 PM   1165481230   User1   1792   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
7/12/2006   7:47:23 PM   1165481243   User1   1792   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
7/12/2006   9:14:22 PM   1165486462   User1   1792   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
7/12/2006   9:14:26 PM   1165486466   User1   1792   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
8/12/2006   5:45:51 AM   1165517151   SYSTEM   1788   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
8/12/2006   5:45:57 AM   1165517157   SYSTEM   1788   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
8/12/2006   6:46:15 AM   1165520775   SYSTEM   1788   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
8/12/2006   6:46:18 AM   1165520778   SYSTEM   1788   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
8/12/2006   7:45:07 AM   1165524307   User1   2020   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
8/12/2006   7:45:16 AM   1165524316   User1   2020   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file.
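DavidR's explanation of the Warning.log format (date, time, epoch, account, PID, message) and the recurring strmwin8.dll / alrsbatt.dll entries above suggest a defender's triage step: parse the log, count detections per signature and path, and separate real detections from the "AAVM - scanning warning ... returning error" lines that DavidR says are not detections. The following Python script is an added example written for this thread; it is not avast's code, and the sample log lines are constructed from entries pasted in the thread (the field regexes are assumptions about the format, not an official specification).

```python
import re
from collections import Counter

# One Warning.log line as pasted in the thread: date, time, unix epoch, account,
# PID, message. The epoch column is missing on the "AAVM - scanning warning" lines,
# so it is optional. Assumption: columns are separated by whitespace (tabs originally).
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+'
    r'(?P<time>\d{1,2}:\d{2}(?::\d{2})?(?:\s?[AP]M)?)\s+'
    r'(?:(?P<epoch>\d{10})\s+)?'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<message>.*\S)\s*$'
)
# A real virus alert, the kind DavidR says lives in the Warning section.
DETECTION_RE = re.compile(r'^Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>.+)" file\.$')
# A scanner error on an unreadable file: noise for this investigation, not a detection.
SCAN_ERROR_RE = re.compile(
    r'^AAVM - scanning warning: .*?: (?P<path>.+?) \(.*\) returning error, (?P<code>[0-9A-F]+)\.$'
)

# Constructed sample modelled on the thread's entries (not the poster's actual log file).
SAMPLE_LOG = r"""
07/12/2006   12:55   1165496107   SYSTEM   1364   Sign of "EICAR Test-NOT virus!!" has been found in "http://www.eicar.org/download/eicar.com" file.
6/12/2006   9:38:36 PM   1165401516   User1   5404   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\System Volume Information\_restore{32D525DA-6AD5-4AB6-A492-3030F81BC8DE}\RP1\A0000043.dll" file.
7/12/2006   7:47:10 PM   1165481230   User1   1792   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file.
7/12/2006   7:47:23 PM   1165481243   User1   1792   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file.
8/12/2006   5:45:51 AM   1165517151   SYSTEM   1788   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file.
8/12/2006   5:45:57 AM   1165517157   SYSTEM   1788   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file.
9/12/2006   6:57:48 AM   1165607868   SYSTEM   1960   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file.
17/08/2006   1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2204.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2204.TMP) returning error, 0000A413.
"""


def parse_line(line):
    """Return a dict describing one log line, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ('date', 'time', 'epoch', 'user', 'pid')}
    msg = m.group('message')
    d = DETECTION_RE.match(msg)
    if d:
        rec.update(kind='detection', signature=d.group('signature'), path=d.group('path'))
        return rec
    e = SCAN_ERROR_RE.match(msg)
    if e:
        rec.update(kind='scan_error', path=e.group('path'), code=e.group('code'))
        return rec
    rec.update(kind='other', message=msg)
    return rec


def summarize(log_text):
    """Count real detections per (signature, path); scan errors are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['kind'] == 'detection':
            counts[(rec['signature'], rec['path'])] += 1
    return counts


def repeat_offenders(log_text, min_hits=2):
    """Paths detected at least min_hits times: a chested file that keeps returning
    means something still running re-creates it, which is the question DavidR asks."""
    per_path = Counter()
    for (_sig, path), n in summarize(log_text).items():
        per_path[path] += n
    hits = [(p, n) for p, n in per_path.items() if n >= min_hits]
    return sorted(hits, key=lambda pn: (-pn[1], pn[0]))


def restore_point_hits(log_text):
    """Detections inside System Restore points, which only clearing restore points removes."""
    marker = r'\system volume information\_restore'
    return sum(n for (_sig, path), n in summarize(log_text).items() if marker in path.lower())


if __name__ == '__main__':
    for (sig, path), n in summarize(SAMPLE_LOG).most_common():
        print(f'{n:3d}  {sig}  {path}')
    print('repeat offenders:', repeat_offenders(SAMPLE_LOG))
    print('restore-point hits:', restore_point_hits(SAMPLE_LOG))
```

Run against a pasted Warning.log, `repeat_offenders` turns a long alarm list into the two-line answer DavidR was asking for (which file, how many times), and `restore_point_hits` shows whether any entries are still coming from _restore points, which would mean System Restore was never actually cleared.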
Title: Re: Win32:warezov_qu
Post by: DavidR on December 08, 2006, 12:42:17 AM
A google search for win32:warezov returns many hits, this is just one, http://www.avast.com/eng/win32-warezov-family.html.

As you can see from this and others, it is a mass mailer that sends out email to try and infect others, using email addresses on your system, but for it to keep coming back there has to be a download element. A good firewall should stop or at least challenge unauthorised outbound connections to the internet. What is your firewall, as this doesn't appear to be happening?

What surprises me is that it is being detected on your HDD and not caught by the Web Shield before it gets to your HDD. Is the Web Shield provider running ?

Try a forum search for W32:Warezov and W32:Stration (an alias), as there have been several recent topics on that, and see what is suggested for removal.

You should also consider some proactive measures to try and prevent it getting re-established, as it needs permission to copy files to system folders and create registry entries, see DropMyRights in my signature.
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 08, 2006, 02:44:27 AM
The "Firewall" I just downloaded was the Comodo one, and they have got through that as well. WEB SHIELD??? Could you explain this please.
Thanks Bob.
Title: Re: Win32:warezov_qu
Post by: DavidR on December 08, 2006, 03:03:11 AM
Check out the avast help file (right click the avast icon, select Start avast! Antivirus, Menu, Help or press F1), Resident Protection, Web Shield, but basically it monitors the traffic from the web to your system and if infected content is found it should alarm and effectively block it from being downloaded and stop it arriving on your HDD.

Comodo should do the job of checking outbound connections, but you have to read what it is telling you. You have to have some idea whether it is something you are doing at that time that is trying to connect, and not just say Yes to all questions or No to all questions.
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 08, 2006, 03:12:39 AM
OK done that, will just see if that stops it.
Thanks bob.
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 08, 2006, 03:37:26 AM
Nope, still no good; it comes up twice every time. Could there be something in the PC that is triggering it?
Title: Re: Win32:warezov_qu
Post by: DavidR on December 08, 2006, 02:21:38 PM
When you say it keeps coming up each time, please restate the file name and location even if the same, and also what were you doing when it returned?

You could try DrWeb CureIT!  http://download.drweb.com/drweb+cureit/

Have you tried a forum search as suggested?
http://forum.avast.com/index.php?topic=24400.0
http://www3.ca.com/be/securityadvisor/virusinfo/virus.aspx?id=58375

Also useful as a diagnostic tool - Download HiJackThis.zip (http://www.spywareinfo.com/~merijn/files/hijackthis.zip) - HJT Information HiJackThis Tutorial 1 (http://www.bleepingcomputer.com/forums/tutorial42.html) or HiJackThis Tutorial 2 (http://www.tomcoyote.org/hjt/#introduction) or HiJackThis Tutorial 3 (http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm)
On-line analysis - HiJackThis Log file - On-line Analysis (http://hijackthis.de/index.php) OR HiJackThis Log file - On-line Analysis 2 (http://hjt.iamnotageek.com/)
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 08, 2006, 10:21:58 PM
Thanks, I will try all you suggest. Well, the alarm goes off, and it says it has found a virus in these two files.
9/12/2006   6:57:42 AM   1165607862   SYSTEM   1960   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
9/12/2006   6:57:48 AM   1165607868   SYSTEM   1960   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file.
The alarm goes off regularly throughout the day. Always twice, and it puts them in the same files. I just put them in the chest.
Title: Re: Win32:warezov_qu
Post by: DavidR on December 08, 2006, 11:27:18 PM
Were you browsing or just working on the system?
If browsing, something is downloading and installing those files and the firewall isn't stopping this.

Check out CureIt and the other links; if that doesn't work, you really need to download HJT, read the tutorials and post (paste) the contents of the hijackthis.log file here.
Title: Re: Win32:warezov_qu
Post by: TOMTHUMB on December 11, 2006, 12:07:09 AM
Hi, Dr Web CureIt fixed it up; it did a quick scan and said to "Reboot", and it would then fix the three files it found. Thanks, no worms for two days now.
Title: Re: Win32:warezov_qu
Post by: DavidR on December 11, 2006, 12:48:34 AM
Thanks for the feedback, glad that it is now sorted.