Author Topic: System (WinMe) Files Corrupted: Worm Suspected!  (Read 11301 times)


AceFlyer

  • Guest
System (WinMe) Files Corrupted: Worm Suspected!
« on: April 03, 2005, 04:44:55 PM »
Hi!  I'm new to this forum.  A few days ago, I fired up Avast 4 Home Edition for the first time.  Prior to its installation, I gave Norton the ol' heave-ho...good riddance...I say!  From the program description on Download.com, I was led to infer that Avast has an on-board, lightweight firewall (known as the Web Shield).  For this reason, I thought it was prudent to take my time in researching a new (bigger-n-better) firewall.  Holy crap...was I ever wrong...and uninformed!  As it turns out, the so-called Web Shield is only operational if it is properly configured.  In the connections window of the IE browser, the proxy server button must be checked and the host and port parameters specified as per Avast Help documentation.  During the download of my new firewall, I received an alert from Avast: "We have detected the presence of a worm on your system--not to worry though--we'll just put it in the (virus) chest for you, shall we?" After checking "yes", I went on my merry way, thinking that the worm was in a better place (for me, that is).  Wrong again!  When I finally got around to checking the chest, the little bugger was nowhere to be found!  Subsequently, my operating system (Windows Millennium) started acting a lot more "squirrelly" than usual.  For instance, almost all of my Windows folders were empty of text and icons, including control panels and program files!  I've thoroughly scanned for this worm, but to no avail.  Aside from panicking (which, incidentally, I'm getting pretty good at), I'm running out of ideas.  If anyone out there has ANY suggestions concerning how to dig up this worm and/or restore my system files, I'm all ears.  Thank you fer lettin' me bend yer ear and, in advance, for your assistance.  Take care...

Culpeper

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #1 on: April 03, 2005, 04:53:27 PM »
Can you still get online?  If so, try using TrendMicro's Housecall online scanner.  It's hard to determine what exactly your WinME problem is.  Do I understand you correctly that your system may have been acting up prior to the current difficulties?  Also, the Avast logs should at least register the detection of the worm when first discovered by Avast.  That may give the Avast! folks a better idea of what you're looking for.

Also, what firewall were you installing after you installed Avast?

AceFlyer

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #2 on: April 03, 2005, 06:00:27 PM »
Avast matey!  (sorry...couldn't resist)  Ace is still on-line and hangin' on to the gunnels!  Prior system problems have been small potatoes in comparison.  The Avast log viewer did show a warning re application #4294799745...sign of "Win32:Trojan-gen.{other}".  Translation????  The file I was downloading when I got the worm alert was Sygate Personal Firewall.  I'll check out TrendMicro's scanner as you advised.  Thanks for the quick reply...really 'preciate it

whocares

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #3 on: April 03, 2005, 06:55:57 PM »
You might also want to work through the link "VirusRemoval" below in my sig, and then come back here and post a HijackThis log for diagnosis.

- Were all Windows updates applied?
- During this AV switching: were you ever online without a firewall or without a resident AV shield active?


AceFlyer

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #4 on: April 05, 2005, 05:00:10 PM »
Hi!  I perused your virus removal notes (Thanks).  Is a system reinstallation the only and/or best remedy for corrupted system files?  Any chance the system will rebound after the offending varmint (trojan) is exterminated?  Re your questions: 1) Yes...all critical updates were current.  2) Yes...I was on-line for several days w/o firewall or web shield!  (The shield was activated but not enabled, since I hadn't yet read about the necessity to configure it in the IE window as a proxy server.)  Shame on me for not RTFI FIRST and double-shame on Avast for not highlighting that very important requirement in their installation notes!  I was a sitting duck...the Bismarck!

Offline Lisandro

  • Avast team
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #5 on: April 05, 2005, 05:48:50 PM »
Quote: Is a system reinstallation the only and/or best remedy for corrupted system files?
Overinstallation won't clean your system (most probably).
I suggest you get clean first and, if necessary, overinstall Windows.

It's a pity that Web Shield was not enabled... For the other users, well, it's time to learn the importance of this provider  :)
The best things in life are free.

whocares

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #6 on: April 05, 2005, 06:10:48 PM »
I wouldn't give up so fast...

I haven't seen evidence of a really dangerous malware here, and imho if you've got your system & browser secured, you don't really need Web Shield, Net Shield or a firewall. Having all Windows updates in place is a good step towards a secure system; I have doubts about the security of your browser, though, but anyway:

@Ace,

- why not post that HijackThis log here?
- what are the exact results of TrendMicro?
- what does a complete scan with eScan say? (see my link)
- why don't you just go back in time with Win ME's RESTORE function?

Some details and facts would be helpful for a diagnosis, e.g. the EXACT & COMPLETE message of the previous malware/worm findings:
malware name, location (path/folder/filename), which provider reported it and what was done with it...
-> browse the avast reports/logs thoroughly

 ;)

If you have evidence for an ACTIVE & installed worm/backdoor, then of course it'd be wise to flatten the system.

But it could also be just Windows acting strange after some over-enthusiasm after the ...-alert.

« Last Edit: April 05, 2005, 06:16:26 PM by whocares »

whocares

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #7 on: April 05, 2005, 06:13:44 PM »
-
« Last Edit: April 05, 2005, 06:17:43 PM by whocares »

Newton

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #8 on: April 06, 2005, 01:05:17 AM »
I would suggest this, of course only if you believe you want to do it and think you have everything needed to do it, including the Win ME installation CD-ROM, all your hardware drivers and install disks (sound card, printer, etc.) and some good patience ;) :

1 - In Windows mode, do a complete scan of your disks and take note of all the corrupted files infected by your virus or worm. Which means also writing down their complete paths if needed.

2 - Restart Win ME in DOS mode using the boot-up diskette. Choose the start option which takes your CD-ROM drive into consideration.

3 - Delete those (earlier found) corrupted files one by one in DOS mode.

4 - Still in DOS, insert your Win ME install CD-ROM and start the installation.

5 - Reinstall Win ME. This will overwrite all corrupted system files for good and clear all your problems, without destroying any other non-system-related software you might already have on your disks (like games, sound editors, multimedia programs, etc.).

6 - Go back on the Net to complete all those Windows Updates.

7 - Reinstall your peripheral drivers and other things if needed.

It's certainly less drastic than a format-everything, unconditional reinstall. :)

 8)
« Last Edit: April 06, 2005, 01:18:11 AM by Newton »

whocares

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #9 on: April 07, 2005, 05:52:24 PM »
Hi Newton,

imho
@1):
a) It's difficult to see which files are infected, which are corrupted, and where it's just a problem of Win's settings being corrupted.
b) Why not just over-install right away, if you're not getting a guaranteed clean system anyway?

 ;)

AceFlyer

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #10 on: April 08, 2005, 01:14:40 PM »
The results of the TrendMicro scan were negative, as were those of Spyware Doctor, XoftSpy, AdAware, and Avast itself.  The log results from Avast's trojan alert are appended.  In order to use WinMe's system restore, isn't it necessary to have specified some temporal set-points in advance?  Since I didn't have the foresight to enter any, restoring the system may be a bit problematic.  I'll be offline for the next couple of weeks, but all inputs are certainly welcome and appreciated. Please bear with me on the delayed responses. Thanx...

Newton

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #11 on: April 08, 2005, 06:36:49 PM »
Quote: In order to use WinMe's system restore, isn't it necessary to have specified some temporal set-points in advance?  Since I didn't have the foresight to enter any, restoring the system may be a bit problematic.

Hi AceFlyer,

No, it should not be necessary at all to manually enter the restore points in Win ME. This problem is generated by the Avast antivirus. I did everything I could to mention this bug here (see this thread --> http://forum.avast.com/index.php?topic=12121.0) but for some reason nobody on the Avast technical staff here is taking note of it or even acknowledging it... So you become the fourth person I know who uses Win Me and has the same bug, which only confirms the source of the problem.

It's too late now to manually enter a restore point; you would have to use one that's previous to your problems, and of course, the only earlier restore point you'll possibly find will be one that existed on the date you installed Avast on your system.

 :)

AceFlyer

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #12 on: April 09, 2005, 07:40:28 AM »
Hi Newton...thanx fer the reply.  In the way of a generic question, is WinMe (sans bugs) set up to automatically create set-points by default or does one have to enable that through user preferences?  Secondly, concerning the suspected Avast bug that you referenced in the link, do you think that it could be the genesis of my OS corruption, rather than the trojan that Avast has identified onboard?  BTW...I still can't confirm its existence!  I'm appending my Avast log for it; maybe it's something that you or someone else will recognize.  Thank you in advance...

Newton

  • Guest
Re: System (WinMe) Files Corrupted: Worm Suspected!
« Reply #13 on: April 09, 2005, 09:01:55 PM »
Quote: Hi Newton...thanx fer the reply.  In the way of a generic question, is WinMe (sans bugs) set up to automatically create set-points by default or does one have to enable that through user preferences?  Secondly, concerning the suspected Avast bug that you referenced in the link, do you think that it could be the genesis of my OS corruption, rather than the trojan that Avast has identified onboard?  BTW...I still can't confirm its existence!  I'm appending my Avast log for it; maybe it's something that you or someone else will recognize.  Thank you in advance...

Hello again,

1 - A new installation of Windows ME always sets up the automatic restore points by default. So you should not have to do anything, and the restore points should be created automatically, at least once a day every time you turn on your PC.

2 - The Avast bug that prevents Win ME from creating automatic restore points is certainly not responsible for your infection by a virus. But this bug now prevents you from trying to restore your system to when it used to work okay before the corruption happened. Of course, maybe the OS wouldn't be able to restore the system if it's in very bad shape, but it would have been interesting to try. That's the very reason why they invented the system restore. :)

3 - The log report you attached shows a corrupted file in your temp directory. Unless you know for certain that you absolutely need the "AAWTMP" sub-directory in there, I would definitely get rid of that sub-directory (just delete it through the file Explorer and empty your recycle bin). In other words, only keep this sub-directory if you know that it's linked to the "whatever" application you have on your system that creates this temp sub-directory.

For example, the sub-directory called _Avast4_ in the C:\WINDOWS\TEMP directory is created and needed by Avast and should not be deleted. In your case, the AAWTMP may belong to some application beginning with the letters AAW (although it may be anything too). Otherwise, it's just a file not needed at all anymore and it can certainly be deleted.

A good trick here would be to simply move the sub-directory and all its content to another place. For example, create a directory on your disk called blabla, at the root (C:\blabla). Then move this AAWTMP sub-directory into the blabla one. Then restart the PC. If all your software and OS work fine, then delete the whole C:\blabla thing. No infected file anymore. Otherwise, if something stops working, you can always move the thing back through DOS with the Win ME boot-up diskette. If you don't have the boot-up diskette, you can create one through Control Panel / Add or Remove Programs / Startup Disk tab.

But usually, and I can tell you this from 11 years of experience with computers, 95% of the files gathering in C:\WINDOWS\TEMP can be deleted without any problem.

In conclusion, you may have been infected, but if the antivirus doesn't see any more viruses after a thorough scan, it may simply be that your OS is messed up. And believe me, you don't even need a virus for any version of Windows to start acting weird or get messed up. ;) So without any sign of infection, if I were you, I would re-install it as I mentioned earlier here on this thread. You have a 95% chance of solving the problem.
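The move-aside-then-restore-or-purge step described in the post above, as an added example in Python that is not part of the original thread and is not Avast's code: instead of deleting a suspect directory outright, it moves the directory into a quarantine folder, records the original path in a manifest so the item can be put back if something stops working, and purges the quarantine once the system has been checked. The manifest filename, the `blabla` quarantine root and the `WINDOWS\TEMP\AAWTMP` layout are assumptions here, and `demo()` builds a throwaway copy of that layout in a temporary directory rather than touching a real system.

```python
"""Quarantine-by-move with a manifest for rollback.

Added example, not from the original forum thread or from Avast.
Assumptions: the manifest name below, and that the quarantine root
lives on the same volume as the suspect directory (so shutil.move
is a rename, not a copy).
"""
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "quarantine.json"  # assumed name; maps quarantined entry -> original path


def _load(qroot: Path) -> dict:
    p = qroot / MANIFEST
    return json.loads(p.read_text()) if p.exists() else {}


def _save(qroot: Path, manifest: dict) -> None:
    (qroot / MANIFEST).write_text(json.dumps(manifest, indent=2))


def quarantine(target: Path, qroot: Path) -> Path:
    """Move `target` under `qroot` and remember where it came from."""
    target, qroot = Path(target).resolve(), Path(qroot).resolve()
    if not target.exists():
        raise FileNotFoundError(target)
    qroot.mkdir(parents=True, exist_ok=True)
    manifest = _load(qroot)
    # Number the entries so two items with the same basename cannot collide.
    dest = qroot / f"{len(manifest):04d}_{target.name}"
    shutil.move(str(target), str(dest))
    manifest[dest.name] = str(target)
    _save(qroot, manifest)
    return dest


def restore(entry: str, qroot: Path) -> Path:
    """Put one quarantined item back (the 'something stopped working' case)."""
    qroot = Path(qroot).resolve()
    manifest = _load(qroot)
    original = Path(manifest.pop(entry))
    original.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(qroot / entry), str(original))
    _save(qroot, manifest)
    return original


def purge(qroot: Path) -> int:
    """After a clean reboot: delete everything in quarantine for good."""
    qroot = Path(qroot).resolve()
    manifest = _load(qroot)
    for entry in list(manifest):
        shutil.rmtree(qroot / entry, ignore_errors=True)
    _save(qroot, {})
    return len(manifest)


def demo() -> dict:
    """Constructed sandbox: a fake WINDOWS\\TEMP\\AAWTMP inside a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "WINDOWS" / "TEMP" / "AAWTMP"
        suspect.mkdir(parents=True)
        (suspect / "junk.tmp").write_bytes(b"constructed sample content")
        qroot = Path(tmp) / "blabla"  # stands in for C:\blabla

        # 1. Move aside: original location empty, contents intact in quarantine.
        dest = quarantine(suspect, qroot)
        moved_away = not suspect.exists() and (dest / "junk.tmp").exists()

        # 2. Roll back: the manifest knows where it came from.
        back = restore(dest.name, qroot)
        restored = back == suspect.resolve() and (suspect / "junk.tmp").exists()

        # 3. Quarantine again and purge once the system is known good.
        dest2 = quarantine(suspect, qroot)
        purged = purge(qroot)
        gone = not dest2.exists() and not suspect.exists()

        return {"moved_away": moved_away, "restored": restored,
                "purged": purged, "gone": gone}


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is the same as the post's "you can always move the thing back": a bare move loses the original path as soon as you forget it, while a recorded one lets you undo a mistaken quarantine exactly, and `purge` is the only step that destroys data.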

AceFlyer

  • Guest
Trojan Apparently Invisible to Explorer...
« Reply #14 on: April 10, 2005, 03:12:28 PM »
Hi again Newton...(and ty)  It's funny that you suggested tracking down the WinMe32 Trojan file with Explorer.  I tried that the other day, but it was not to be found!  Then I pasted the file path into the search function and ran it.  It came back with the following:  "The file refers to a location that is unavailable...".  An additional system message claimed that the suspect file is not a valid folder.  I'm drawing at straws, but appreciate the assistance...
« Last Edit: April 10, 2005, 03:22:06 PM by AceFlyer »