Topic: W32.Stration.AC@mm


pintaor

  • Guest
W32.Stration.AC@mm
« on: September 18, 2006, 04:58:45 PM »
I've got infected by W32.Stration.AC@mm and Avast couldn't find and delete it.
I made a manual delete of all the files but I am not sure if I eliminated it completely. Also I think I deleted something else, as each time I start my computer, I have this advice that says there's a problem with a file called hotkey or something like that. I still don't find this virus in the avast virus list. W32.Stration.AC@mm

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89352
  • No support PMs thanks
Re: W32.Stration.AC@mm
« Reply #1 on: September 18, 2006, 05:28:24 PM »
What detected W32.Stration.AC@mm or makes you suspicious of this?
Since this would appear to be a mass mailing worm, your firewall should be able to stop unauthorised internet connections. What is your firewall?
What was the infected file name and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
There is no standardisation of malware names so it could well be different, but if it wasn't detected, then the name is not the major concern.

If you are not getting a virus warning but believe this is a new, undetected virus, then zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a new, undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see About avast {right click avast icon}) will also help.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner
or Jotti - Multi engine on-line virus scanner. If any other scanners there detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

GerryR

  • Guest
Re: W32.Stration.AC@mm
« Reply #2 on: September 18, 2006, 05:54:58 PM »
We also have been infected on one or two machines in our office by a strain of the W32.Stration mass mailer. Avast was unable to detect it. To this point, we have identified a number of files associated with this bug:
msys9.exe
wuapx9tt.exe
ratendis.dll
daniwshb.dll
msv1nv4_.dll

also suspected:
diagndis.dll
ndisconf.dll

They spawn secondary threads that monitor the registry for deletions (and then replace them). They also return as running tasks, even in safe mode. The file wuapx9tt.exe even refuses to be deleted in Safe Mode Command Prompt Only.

This is a nasty one. It is partially documented (a couple of strains) at Symantec, but we are working to identify the processes. Any help from others would be appreciated here...
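The watchdog behaviour GerryR describes (a thread that puts a registry entry back as soon as it is deleted) leaves a tell-tale pattern in successive snapshots of an autorun key: an entry vanishes after cleanup and is present again later. The following is an added example, not code from the thread, that flags such re-armed entries; the snapshots are constructed sample data in the shape of exported Run key values, not real exports from the infected machines.

```python
"""Flag autorun entries that reappear after being deleted (re-arming persistence)."""
from typing import Dict, List, Tuple

# Constructed snapshots of HKLM\...\CurrentVersion\Run, value name -> command.
# Snapshot 1: before cleanup. Snapshot 2: right after manual deletion.
# Snapshot 3: after the next reboot, when the watchdog has restored its entries.
SNAPSHOTS: List[Dict[str, str]] = [
    {"avast!": r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
     "msys9": r"C:\WINDOWS\system32\msys9.exe",
     "wuapx9tt": r"C:\WINDOWS\system32\wuapx9tt.exe"},
    {"avast!": r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe"},
    {"avast!": r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
     "msys9": r"C:\WINDOWS\system32\msys9.exe",
     "wuapx9tt": r"C:\WINDOWS\system32\wuapx9tt.exe"},
]


def rearmed_entries(snapshots: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs that were present, removed, then came back.

    An entry a user deleted does not return on its own; one that does is being
    re-created by something still running, which is the behaviour to hunt for.
    """
    flagged: Dict[str, str] = {}
    removed: set = set()
    prev: Dict[str, str] = {}
    for snap in snapshots:
        # Any name we saw disappear earlier that is present again is re-armed.
        for name in sorted(removed & set(snap)):
            flagged.setdefault(name, snap[name])
        # Record names that vanished between the previous snapshot and this one.
        removed |= set(prev) - set(snap)
        prev = snap
    return sorted(flagged.items())


if __name__ == "__main__":
    for name, command in rearmed_entries(SNAPSHOTS):
        print(f"re-armed autorun: {name} -> {command}")
```

Taking the snapshots before cleanup, immediately after, and after a reboot is enough to separate a stubborn entry from one a user simply forgot to delete.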

GerryR

  • Guest
Re: W32.Stration.AC@mm
« Reply #3 on: September 18, 2006, 07:10:39 PM »
After a few hours of battling with processes that magically return from the dead, we were able to delete the file that was causing the infection.

wuapx9tt.dll was loading, even in Safe Mode, but I created an NTFS boot disk with NTFS4DOS, available from http://www.free-av.com/antivirus/allinonen.html.

With this bootable diskette, I was able to delete the file from the System32 folder. The machine now boots cleanly and HijackThis doesn't report any extra processes.

I am zipping copies of the files to send to Alwil for diagnosis.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89352
  • No support PMs thanks
Re: W32.Stration.AC@mm
« Reply #4 on: September 18, 2006, 07:16:48 PM »
Thanks GerryR, that will no doubt help others if these are added to the VPS updates.

Welcome to the forums.

GerryR

  • Guest
Re: W32.Stration.AC@mm
« Reply #5 on: September 18, 2006, 09:49:14 PM »
You're welcome. Some of the files that we isolated were in fact the Warezov virus that Avast! already detects. The files relating to Stration seem to either be undetectable, or they actually defuse Avast when you try to scan them manually.

We believe that Stration got into one system on September 11th and it opened the door to Warezov that got in on the 12th. The user of the infected system is not known as an "Internidiot". :-)

There's a good writeup on the files and registry keys created here: http://www.symantec.com/security_response/writeup.jsp?docid=2006-091012-5303-99&tabid=2

Quote from: pintaor
I have this advice that says there's a problem with a file called hotkey or something like that. I still don't find this virus in the avast virus list. W32.Stration.AC@mm

Pintaur: I suspect you have deleted the file that loads drivers for your multimedia keyboard. Do you have hotkeys on your keyboard to access email and the Internet? You may have to reload this driver.
« Last Edit: September 18, 2006, 09:53:04 PM by GerryR »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89352
  • No support PMs thanks
Re: W32.Stration.AC@mm
« Reply #6 on: September 18, 2006, 11:27:38 PM »
@ Pintaur
Trojan detection and removal would be improved by tools that specialise in trojan detection and removal.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido anti-spyware if using WinXP, or a-Squared Free if using Win98/ME.