Author Topic: Win32:Warezov-OY (Wrm).....  (Read 5514 times)

gwerian

  • Guest
Win32:Warezov-OY (Wrm).....
« on: November 19, 2006, 03:33:51 PM »
Well, that is the name of something Avast picked up while scanning my computer today. Avast finds it, but can't remove it. It won't be put into the Chest either.

What is it, and what does it do?
I'm nearly computer illiterate. Is there a fix on the way or do I have to try and remove it myself? Is there any way someone can explain how to me, like I'm five years old?

I use Windows XP Media edition. I do have Spybot Search and Destroy but it picks up nothing that seems related to this thing.

Any help is appreciated and please don't laugh at the newbie that is me  :-\


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Warezov-OY (Wrm).....
« Reply #1 on: November 19, 2006, 03:54:51 PM »
Can you schedule a boot-time scanning?

Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89279
  • No support PMs thanks
Re: Win32:Warezov-OY (Wrm).....
« Reply #2 on: November 19, 2006, 03:59:31 PM »
What reason was given for not being able to do this?

Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can't delete or move files in use. So schedule boot-time scan in avast's menu if you have XP, win2k or NT, otherwise boot into safe mode and run an avast scan. This should ensure that the file isn't in use and avast should be able to deal with it.

To enable a boot-time scan, right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...'
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

gwerian

  • Guest
Re: Win32:Warezov-OY (Wrm).....
« Reply #3 on: November 19, 2006, 07:22:14 PM »
Thank you very much, both of you. I managed to start a boot-time scan and it's running right now on the infected computer. I hope that takes care of the problem.

The reason Avast gave for not being able to deal with the virus the first time was something along the lines of "Error occurred while moving file to chest. Not supported for that type of archive".

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89279
  • No support PMs thanks
Re: Win32:Warezov-OY (Wrm).....
« Reply #4 on: November 19, 2006, 07:40:35 PM »
If there is only a small part of an archive file that is infected but it isn't a file that avast can extract the infected part and put the archive back together. Whilst it may be able to detect infection in a file in that archive, it doesn't support manipulation of that archive format.

I suspect the same might be true in the boot-time scan.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

gwerian

  • Guest
Re: Win32:Warezov-OY (Wrm).....
« Reply #5 on: November 19, 2006, 08:02:00 PM »
Hi DavidR!

Two files with the virus came up when I ran the normal Avast scan earlier:

C:\hp\drivers\hpt2_1\hptunesaddin\INSTAL~1.MSI (and then lots of numbers)
and
C:\System Volume Information\_restore{ (and then lots of numbers again)

No infected files were found during the boot time scan. Before I started it, a somewhat more computer friendly friend helped me turn off system restore and manually delete the other infected file. Is this enough? Or is it still lurking in there somewhere?

"If there is only a small part of an archive file that is infected but it isn't a file that avast can extract the infected part and put the archive back together. Whilst it may be able to detect infection in a file in that archive, it doesn't support manipulation of that archive format.

I suspect the same might be true in the boot-time scan."

I have no idea what that means? That the boot-time scan might not be enough to make sure it's gone?

I really appreciate your patience.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89279
  • No support PMs thanks
Re: Win32:Warezov-OY (Wrm).....
« Reply #6 on: November 19, 2006, 08:14:52 PM »
What I meant is if avast isn't able to handle a particular archive format, this won't change just because you use a boot-time scan.

Yes, the .msi is a somewhat specialised archive file, a Microsoft Installer file. Based on the location it might not be a good detection, so it would be worthwhile checking.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

The other is in a protected area, thought avast might be able to deal with it during a boot-time scan as windows isn't running.

The c:\System Volume Information folder is a part of the system restore function and as such is protected by windows, the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.
Win XP-ME - How to disable System Restore

gwerian

  • Guest
Re: Win32:Warezov-OY (Wrm).....
« Reply #7 on: November 19, 2006, 08:21:08 PM »
Hi DavidR,
I'll look into all of those things tomorrow (it's getting late here  :) ).

Thank you once more for all the great info and your patience with this computer illiterate and non-native English speaker.  :P
This forum is great!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89279
  • No support PMs thanks
Re: Win32:Warezov-OY (Wrm).....
« Reply #8 on: November 19, 2006, 08:30:02 PM »
No problem, welcome to the forums.

Until tomorrow, your English is good and this is something to get used to in the avast forums.

Spiritsongs

  • Guest
Re: Win32:Warezov-OY (Wrm).....
« Reply #9 on: November 19, 2006, 08:58:05 PM »
 :)  Hi GWerian :

     Should consider installing 1 or 2 programs that have "specialized" programming
    for trojans, worms, etc ; The best 2 Good and FREE programs I know are :
    1) the FREE version of "SUPERantispyware" from www.superantispyware.com
    2) AVG antispyware/Ewido ; can pick your version at :
        www.filehippo.com/download_ewido/ .

gwerian

  • Guest
Re: Win32:Warezov-OY (Wrm).....
« Reply #10 on: November 22, 2006, 04:28:32 PM »
Avast was indeed able to deal with this virus during the boot-time scan!
Nothing shows up now, when I do a thorough scan. I've turned System Restore back on, and everything seems fine.

I've installed SUPERantispyware as well.

Thank you all for the kind help!  :-*