Author Topic: Win32:Trojano-3239 Keeps reappearing in Temp


sanelson

  • Guest
Win32:Trojano-3239 Keeps reappearing in Temp
« on: January 12, 2006, 09:54:38 PM »
For the past two weeks, Avast keeps finding this virus Win32:Trojano-3239 every morning in a subdirectory of %TEMP%\AAWTMP\ in a file called WPA.exe.  The subdirectory always changes.  Each day I tell it to either delete it or move it to the chest, and each day it reappears.  I did a Google search and wound up at this Symantec page about the virus.  Symantec has a removal tool on the page, which I tried running.  It searched all my hard drives and found nothing (this was after I had moved it to the Avast chest).  I am at a loss here as to how to make this go away.  As a matter of fact, I'm really not even sure if it is an actual virus, or just a misidentified one.  The AAWTMP directory and the fact that it reappears every morning leads me to believe that it may have something to do with Ad-Aware, which is set to run a background scan every morning at 10:00 AM.  Does anybody have any ideas?

sanelson
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #1 on: January 12, 2006, 09:56:46 PM »
Here is a copy of my log file:
Code:
12/29/2005 10:17:52 AM SYSTEM 1960 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C406968812\C3360\WPA.exe" file. 
12/30/2005 10:18:15 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C73199531\124D80\WPA.exe" file. 
12/31/2005 10:20:10 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C159596843\24DAAA\WPA.exe" file. 
1/1/2006 10:18:16 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C245996890\3211EC\WPA.exe" file. 
1/2/2006 10:18:18 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C332396046\1CBED\WPA.exe" file. 
1/3/2006 10:17:45 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C418796390\CD2CF\WPA.exe" file. 
1/4/2006 10:18:07 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C505204625\409CA1\WPA.exe" file. 
1/5/2006 10:18:27 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C591605343\115154\WPA.exe" file. 
1/6/2006 10:19:19 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C678005187\2B0B79\WPA.exe" file. 
1/7/2006 10:18:20 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C764405000\32033C\WPA.exe" file. 
1/8/2006 10:18:35 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file. 
1/8/2006 3:35:15 PM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file. 
1/9/2006 10:18:39 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C937217687\3340E4\WPA.exe" file. 
1/10/2006 10:18:27 AM Scott A. Nelson 1056 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C52776859\219C5D\WPA.exe" file. 
1/11/2006 10:18:35 AM Scott A. Nelson 300 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C54469000\3BE955\WPA.exe" file. 
1/12/2006 10:21:19 AM Scott A. Nelson 2036 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C51922812\148BC9\WPA.exe" file. 

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #2 on: January 12, 2006, 10:52:29 PM »
From the Symantec link, we know this is the Esbot worm. As the removal tool doesn't find it, it could be a new variant. avast! will have problems removing the worm even during a boot time scan, as wpa runs as a service. The malware also injects itself into explorer.exe. (avast! has a problem dealing with process injecting malware.)

Quote
# Runs itself as a service:

Service Name: wpa
Display Name: Windows Product Activation
Path to executable: %System%\wpa.exe

# Injects itself to explorer.exe.

http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.b.html

Ewido anti-Trojan is good at removing malware which injects itself into other processes; you could try that:

http://www.ewido.net/en/

Here's a procedure for dealing with a malware running as a service, as described by doc_esb, who obviously knows what he's talking about:

http://forum.avast.com/index.php?topic=18381.msg156364#msg156364

My advice would be to kill the service and then run Ewido to deal with the process injecting malware, if still present.

Actually, my advice would be to try Trend Micro Sysclean, which seems to be a lot better at removing sophisticated malware:

Quote
If you are not a Trend Micro customer please download the following file.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

Quote
For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/pattern.php
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

sanelson
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #3 on: January 13, 2006, 12:31:22 AM »
Well, the thing is, I don't think this file ever gets run.  It's a file in the temp directory, that keeps reappearing once a day, every day around 10:15 AM, which is just about the time the Ad-Aware scan should be finishing up.  It's not in the Windows or System32 folder, and any scans will reveal nothing.  I'm running the Trend Micro program right now, and so far it hasn't found anything yet; however, one interesting thing to note is that I had to disable Avast to run the program, because Avast thought that the removal program was itself a virus!
Code:
1/12/2006 6:23:38 PM Scott A. Nelson 2036 Sign of "VBS:Redlof" has been found in "C:\PROGRA~1\MOZILL~1\sysclean.exezz" file. 
1/12/2006 6:23:48 PM Scott A. Nelson 2036 Sign of "VBS:Redlof" has been found in "C:\Program Files\Mozilla Firefox\sysclean.exezz" file. 
I'm thinking that I don't actually have a virus at all, and Avast is just screwing up, but it's damn annoying.
« Last Edit: January 13, 2006, 12:35:54 AM by sanelson »

Offline FreewheelinFrank
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #4 on: January 13, 2006, 12:42:43 AM »
The avast! detection of a virus in Sysclean is a false alarm, don't worry.

Just search the forum for VBS:Redlof.

One AV can detect the virus definitions of another AV or anti-spyware program.

sanelson
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #5 on: January 13, 2006, 01:03:15 AM »
Quote
One AV can detect the virus definitions of another AV or anti-spyware program.
Exactly.  I'm thinking that's what's causing this WPA virus scare that Avast keeps notifying me about.  Like I said, it seems to happen just after an Ad-aware background scan, and at no other time, and no other virus removal tool can find any indication of this, or any other virus.

Offline FreewheelinFrank
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #6 on: January 13, 2006, 01:25:06 AM »
Ooops! Yes, this is just avast! detecting Ad-Aware's definition files as they are temporarily un-encrypted during a scan.

AAWTMP is the Ad-Aware temp folder.

Just ignore my previous posts except this one:

Quote
One AV can detect the virus definitions of another AV or anti-spyware program.

I think that's what was happening.  :-[

sanelson
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #7 on: January 13, 2006, 08:34:31 AM »
OK, so is there any way to make this stop other than excluding the AAWTMP folder and all its subdirectories?  That doesn't sound like it's exactly safe.  Should the files in quarantine be sent somewhere so that the developers can fix the problem?

Offline FreewheelinFrank
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #8 on: January 13, 2006, 09:27:20 AM »
This is a known phenomenon; see here for example:

http://forum.avast.com/index.php?topic=12522.msg107124#msg107124

Quote
AAW: This is the temporary folder of Ad-Aware, which it uses for unpacking/scanning of archives
usually exists only during a scan with ad-aware, unless adaware crashes and doesn't clean it up after scanning

It may be that you do have a copy of the worm in an archive somewhere on your disk but not in an active form. Have you done a scan with avast! with the scan archives box ticked? That might be worth doing.

Apart from that, you could temporarily disable avast!'s on-access scanning while scanning with Ad-Aware. This applies to other AV or anti-spyware scanners as well, as you found with Trend Micro. avast! can sometimes detect virus definitions as the virus itself.
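The correlation argued in the last two posts, as an added example that is not part of the thread and not code from avast! or Lavasoft: a script that parses the log lines quoted in reply #1 and checks, for each hit, whether it lies under the AAWTMP work folder and falls shortly after the 10:00 AM scheduled Ad-Aware scan. The log-line format and the scan time are taken from the thread; the 30-minute window, the `parse_log`/`triage`/`verdict` names and the verdict strings are assumptions.

```python
"""Triage of the avast! log quoted in reply #1 (added example; not code from the
thread, from avast! or from Lavasoft).  It checks the thread's reading of the
alerts: every hit sits under Ad-Aware's AAWTMP work folder and lands shortly
after the 10:00 AM scheduled Ad-Aware scan.  Log format and scan time are taken
from the thread; the 30-minute window and the verdict strings are assumptions."""
import re
from datetime import datetime, time, timedelta
from pathlib import PureWindowsPath

# The 16 lines from reply #1, verbatim.  A raw string is required: the paths
# contain sequences such as \124D80 that Python would otherwise read as escapes.
LOG = r"""
12/29/2005 10:17:52 AM SYSTEM 1960 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C406968812\C3360\WPA.exe" file.
12/30/2005 10:18:15 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C73199531\124D80\WPA.exe" file.
12/31/2005 10:20:10 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C159596843\24DAAA\WPA.exe" file.
1/1/2006 10:18:16 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C245996890\3211EC\WPA.exe" file.
1/2/2006 10:18:18 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C332396046\1CBED\WPA.exe" file.
1/3/2006 10:17:45 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C418796390\CD2CF\WPA.exe" file.
1/4/2006 10:18:07 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C505204625\409CA1\WPA.exe" file.
1/5/2006 10:18:27 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C591605343\115154\WPA.exe" file.
1/6/2006 10:19:19 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C678005187\2B0B79\WPA.exe" file.
1/7/2006 10:18:20 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C764405000\32033C\WPA.exe" file.
1/8/2006 10:18:35 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file.
1/8/2006 3:35:15 PM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file.
1/9/2006 10:18:39 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C937217687\3340E4\WPA.exe" file.
1/10/2006 10:18:27 AM Scott A. Nelson 1056 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C52776859\219C5D\WPA.exe" file.
1/11/2006 10:18:35 AM Scott A. Nelson 300 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C54469000\3BE955\WPA.exe" file.
1/12/2006 10:21:19 AM Scott A. Nelson 2036 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C51922812\148BC9\WPA.exe" file.
"""

# Shape of a log line as quoted in the thread: timestamp, account, process id,
# signature name, path.  The account may contain spaces, the pid never does.
LINE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<who>.+?) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)


def parse_log(text):
    """Return one dict per well-formed detection line; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                "who": m["who"], "pid": int(m["pid"]), "sig": m["sig"],
                "path": PureWindowsPath(m["path"]),
            })
    return events


def triage(events, work_dir=PureWindowsPath(r"T:\Temp\AAWTMP"),
           scan_start=time(10, 0), window=timedelta(minutes=30)):
    """Correlate hits with the other scanner's work folder and scheduled start."""
    def on_schedule(ev):
        start = datetime.combine(ev["ts"].date(), scan_start)
        return start <= ev["ts"] <= start + window

    scheduled_paths = {ev["path"] for ev in events if on_schedule(ev)}
    off = [ev for ev in events if not on_schedule(ev)]
    # An off-schedule hit on a file already flagged during the scheduled run is
    # a re-detection of the same leftover file, not a new drop.
    new_off = [ev for ev in off if ev["path"] not in scheduled_paths]
    # PureWindowsPath compares case-insensitively, as NTFS does.
    outside = [ev for ev in events if work_dir not in ev["path"].parents]
    return {
        "total": len(events),
        "signatures": sorted({ev["sig"] for ev in events}),
        "distinct_files": len({ev["path"] for ev in events}),
        "on_schedule": len(events) - len(off),
        "off_schedule": len(off),
        "new_off_schedule": [str(ev["path"]) for ev in new_off],
        "outside_work_dir": [str(ev["path"]) for ev in outside],
    }


def verdict(report):
    """Rule of thumb: hits confined to another scanner's work folder, all during
    its scheduled run, point at its definitions being scanned, not at malware."""
    if not report["outside_work_dir"] and not report["new_off_schedule"]:
        return "likely-false-positive"
    return "investigate"


if __name__ == "__main__":
    rep = triage(parse_log(LOG))
    print(rep, verdict(rep))
```

On the thread's log every hit is under the work folder, fifteen of the sixteen fall in the scheduled window, and the one afternoon hit is a re-detection of that morning's file rather than a new file, which is what the false-positive reading predicts. A single hit outside the work folder, or a new file appearing off schedule, flips the verdict to `investigate`; that is the file to pull from the chest and identify first, before excluding anything.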

Spiritsongs

  • Guest
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #9 on: January 13, 2006, 07:02:21 PM »
:) Sanelson:

If your problem involves Ad-Aware, I suggest you ask the experts on the forums at www.landzdown.com; this forum is staffed by ALL the experts who used to provide advice on the now-defunct Lavasoft Ad-Aware Support forums.

sanelson
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #10 on: January 14, 2006, 05:33:50 AM »
Why is this?  I added T:\Temp\AAWTMP\* to the exclusions list, and this morning, I still got a warning, that it had found the trojan in T:\Temp\AAWTMP\C22956343\B7388\WPA.exe.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #11 on: January 14, 2006, 05:42:18 AM »
Quote
Why is this?  I added T:\Temp\AAWTMP\* to the exclusions list, and this morning, I still got a warning, that it had found the trojan in T:\Temp\AAWTMP\C22956343\B7388\WPA.exe.
There are in fact two exclusion lists: one in program settings, for on-demand scanning,
and the other in Standard Shield settings, for on-access protection (residents).
Which one are you referring to?
The best things in life are free.

sanelson
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #12 on: January 14, 2006, 05:54:30 AM »
The one in program settings.  I guess I should be using the other one?  Does the on-access exclusion list include subfolders, if I type "T:\TEMP\AAWTMP\*"?
« Last Edit: January 14, 2006, 05:57:34 AM by sanelson »

Offline Lisandro
Re: Win32:Trojano-3239 Keeps reappearing in Temp
« Reply #13 on: January 14, 2006, 12:15:47 PM »
Quote
The one in program settings.
So, the on-demand exclusion list.

Quote
I guess I should be using the other one?  Does the on-access exclusion list include subfolders, if I type "T:\TEMP\AAWTMP\*"?
If you're not running a scan and the message appears, it means the on-access scanner is touching the files.
And yes, the exclusion list understands wildcards and includes subfolders.
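The exclusion question in the last few posts, as an added example that is not part of the thread and not avast!'s own matcher: a small model of a wildcard exclusion whose `*` spans subfolders, as Lisandro describes, kept in two separate lists (on-demand and on-access). It shows why an entry in the program-settings list did not stop the morning alerts, and that a pattern ending in `\WPA.exe` covers every logged hit while leaving any other file dropped into the AAWTMP tree visible, which addresses the "doesn't sound safe" worry in reply #7. Case-insensitive matching, `*` crossing backslashes, the `compile_exclusion`/`would_alert` names and the `OTHER_DROPS` paths are assumptions.

```python
r"""Scoping the exclusion that silences this false positive (added example; not
avast!'s matcher).  It models the behaviour described in the thread: a wildcard
exclusion whose '*' spans subfolders, held in two separate lists (on-demand and
on-access).  Case-insensitive matching and '*' crossing backslashes are
assumptions about avast!'s semantics; the OTHER_DROPS paths are constructed."""
import re

# Paths from the thread's log, plus one constructed case variant.
LOGGED_HITS = [
    r"T:\Temp\AAWTMP\C406968812\C3360\WPA.exe",
    r"T:\Temp\AAWTMP\C73199531\124D80\WPA.exe",
    r"T:\Temp\AAWTMP\C22956343\B7388\WPA.exe",
    r"T:\TEMP\aawtmp\C51922812\148BC9\wpa.exe",   # constructed: case differs
]
# Constructed: what an unrelated file in the same tree, or elsewhere, would look like.
OTHER_DROPS = [
    r"T:\Temp\AAWTMP\C99999999\1234AB\svchost.exe",
    r"C:\WINDOWS\system32\wpa.exe",
]

BROAD = r"T:\Temp\AAWTMP\*"           # what the thread tried: the whole work tree
NARROW = r"T:\Temp\AAWTMP\*\WPA.exe"  # only the one file name the alerts name


def compile_exclusion(pattern):
    r"""'*' matches any run of characters including backslashes, so 'dir\*' covers
    every subfolder; '?' matches one character; everything else is literal."""
    pieces = []
    for part in re.split(r"([*?])", pattern):
        if part == "*":
            pieces.append(".*")
        elif part == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(part))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def excluded(pattern, path):
    return compile_exclusion(pattern).match(path) is not None


def coverage(pattern, paths):
    """Which of `paths` the exclusion would hide from the scanner."""
    return [p for p in paths if excluded(pattern, p)]


def would_alert(path, trigger, config):
    """`trigger` is 'on-access' (Standard Shield) or 'on-demand' (a scan you
    start).  Only that trigger's own list is consulted, which is why an entry in
    the program-settings (on-demand) list did not quiet the morning alerts."""
    return not any(excluded(p, path) for p in config[trigger])


AS_TRIED = {"on-demand": [BROAD], "on-access": []}   # reply #10: still alerted
SCOPED = {"on-demand": [], "on-access": [NARROW]}    # narrowest entry that works
```

`BROAD` hides both the logged hits and the constructed `svchost.exe` drop; `NARROW` hides only the former, so anything else Ad-Aware unpacks into that tree still reaches the on-access scanner. If avast!'s `*` does not cross backslashes, the thread's own observation (the exclusion silencing hits two levels down) would not hold, so the assumption is consistent with what the thread reports.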