Author Topic: Win32:warezov_qu  (Read 9477 times)


TOMTHUMB

  • Guest
Win32:warezov_qu
« on: December 05, 2006, 10:39:45 PM »
Anyone know or seen this one before. they were in the windows "restore" file. there were two others, just the end was different.  QJ and QV. How can I be sure I got rid of them.??

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89216
  • No support PMs thanks
Re: Win32:warezov_qu
« Reply #1 on: December 05, 2006, 10:46:02 PM »
If they are in the system volume information\ folder, _restore point then:

The c:\System Volume Information folder is a part of the system restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and, if clear, enable system restore.

Win XP-ME - How to disable System Restore
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Win32:warezov_qu
« Reply #2 on: December 06, 2006, 12:57:11 AM »
Besides what David posted about disabling System Restore, I recommend:

1) Clean your temporary files.
2) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
3) Use a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).
The best things in life are free.

TOMTHUMB

Re: Win32:warezov_qu
« Reply #3 on: December 06, 2006, 03:29:17 AM »
:) Thanks a bunch, have done all that. I seem to be getting the alarm going off 29 times this morning. Sorry, two more times just then. What gives? Is someone targeting me? ???

Offline Lisandro

Re: Win32:warezov_qu
« Reply #4 on: December 06, 2006, 01:40:20 PM »
Thanks a bunch, have done all that.
Do you mean all? Disable system restore, clean temporary files, schedule avast and use antitrojans?
The last chance will be scanning at Safe Mode (press F8 while booting) and using antirootkits.
Check also http://www.sophos.com/support/disinfection/trojan.html

Online DavidR

Re: Win32:warezov_qu
« Reply #5 on: December 06, 2006, 01:56:48 PM »
:) Thanks a bunch, have done all that. I seem to be getting the Alarm going off 29 times this morning. Sorry two more times just then. What gives, is someone targeting me. ???

Please give details of some of those alarms. Is it the same warezov_?? infected file name/s and location (e.g. C:\windows\system32\infected-file-name.xxx or an internet URL)?
Check the avast Log Viewer (right click the avast icon), Warning section.

Without information we can't say one way or another, though I doubt you are being specifically targeted.

Do you have a firewall? If so, what is it?
Did the other scans you ran not find anything (even if run in safe mode)?

TOMTHUMB

Re: Win32:warezov_qu
« Reply #6 on: December 07, 2006, 04:25:02 AM »
YES I did: disabled restore, rebooted, then cleaned out the temp and cookies, and did a scan before Windows started. What is the anti-trojan and how do you start it? This was the log file, warnings only, half of what is there.
urning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2204.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2204.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2282.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2282.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2329.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2329.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2454.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2454.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2563.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2563.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2626.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2626.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2688.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2688.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2766.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2766.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2813.TMP (C:\DOCUME~1\User1\LOCALS~1\Temp\TEMP2813.TMP) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupValueItem.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupValueItem.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetField.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetField.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataField.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataField.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataClass.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\MetadataClass.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldMetadata.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldMetadata.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupList.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupList.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupListItem.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\LookupListItem.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldDefn.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldDefn.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetDefn.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\FieldSetDefn.cdx) returning error, 0000A413. 
17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldSetFileType.cdx (C:\Documents and Settings\User1\Application Data\ACD Systems\Catalogs\Default\JoinFieldSetFileType.cdx) returning error, 0000A413.
« Last Edit: December 07, 2006, 04:27:13 AM by TOMTHUMB »

TOMTHUMB

Re: Win32:warezov_qu
« Reply #7 on: December 07, 2006, 04:28:33 AM »
Firewall: just the Windows one. I hope you can help; this PC is unusable as it is.

Offline Lisandro

Re: Win32:warezov_qu
« Reply #8 on: December 07, 2006, 12:16:13 PM »
I'm thinking that you have a second antivirus in this computer...  ::)
Did you install any antivirus? Even in the past? Which one?

Online DavidR

Re: Win32:warezov_qu
« Reply #9 on: December 07, 2006, 02:06:16 PM »
@ TOMTHUMB
The entries you posted don't relate to the detections. Did you open the avast Log Viewer, Warning section, which contains the avast virus alerts? If you can't see the Warning icon, ensure you have the Program Run tab selected, see image.

Or open the C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log file with a text editor, that contains the information used by the avast Log Viewer warning section.

Example of an entry relating to a detection in the warning section/warning.log:
07/12/2006   12:55   1165496107   SYSTEM   1364   Sign of "EICAR Test-NOT virus!!" has been found in "http://www.eicar.org/download/eicar.com" file. 
07/12/2006   13:04   1165496649   SYSTEM   1364   Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\breakout.exe" file. 

TOMTHUMB

Re: Win32:warezov_qu
« Reply #10 on: December 07, 2006, 09:00:05 PM »
Hi, there was a copy of Norton in, but I uninstalled it. Yes, the event log, warnings: there does not seem to be anything in there. ???

TOMTHUMB

Re: Win32:warezov_qu
« Reply #11 on: December 07, 2006, 09:07:09 PM »
OK, some of the file.
found in "C:\WINDOWS\system32\strmwin8.dll" file. 
6/12/2006   9:38:36 PM   1165401516   User1   5404   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\System Volume Information\_restore{32D525DA-6AD5-4AB6-A492-3030F81BC8DE}\RP1\A0000043.dll" file. 
6/12/2006   9:39:07 PM   1165401547   User1   5404   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\System Volume Information\_restore{32D525DA-6AD5-4AB6-A492-3030F81BC8DE}\RP1\A0000058.dll" file. 
6/12/2006   10:30:42 PM   1165404642   User1   1580   Sign of "Win32:Warezov-QV [Wrm]" has been

2/12/2006   6:42:16 AM   1165002136   SYSTEM   128   Sign of "Win32:Warezov-QP [Wrm]" has been found in "Incoming email 'Mail Transaction Failed' From: frank garcia <frank.garcia@telcan.com>, To: nimbus900au@yahoo.com.au\docs.zip#1842954763\docs.elm.pif\[UPX]" file. 
2/12/2006   6:42:28 AM   1165002148   SYSTEM   128   Sign of "Win32:Warezov-QP [Wrm]" has been found in "Incoming email 'Mail server report.' From: secur@midmich.net, To: mho57144@bigpond.net.au\Update-KB2343-x86.exe#1553420733\[UPX]" file. 
2/12/2006   8:57:32 AM   1165010252   User1   3160   Sign of "Win32:Warezov-QL [Wrm]" has been found in "C:\Documents and Settings\User1\Local Settings\Application Data\IM\Identities\{0A409B87-EF74-470D-BE41-C11A587A7E6E}\Message Store\Attachments\docs.zip\docs.log.exe\[UPX]" file. 
2/12/2006   9:53:04 AM   1165013584   User1   3160   Sign of "Win32:Warezov-QP [Wrm]" has been found in "C:\Documents and Settings\User1\Local Settings\Application Data\IM\Identities\{0A409B87-EF74-470D-BE41-C11A587A7E6E}\Message Store\Attachments\Update-KB5226-x86.zip\Update-KB5226-x86.exe\[UPX]" file.

TOMTHUMB

Re: Win32:warezov_qu
« Reply #12 on: December 07, 2006, 09:21:42 PM »
Some more.

Files\Content.IE5\GHIFKLIN\2500474277558080_0[1].jpg (C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\2500474277558080_0[1].jpg) returning error, 0000A474. 
13/11/2006   10:35:20 PM   1163417720   User1   1772   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\3200483349408080_0[1].jpg (C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\3200483349408080_0[1].jpg) returning error, 0000A474. 
13/11/2006   10:35:21 PM   1163417721   User1   1772   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\2200476896118080_0[1].jpg (C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\GHIFKLIN\2200476896118080_0[1].jpg) returning error, 0000A474.

Online DavidR

Re: Win32:warezov_qu
« Reply #13 on: December 07, 2006, 09:43:42 PM »
The c:\System Volume Information folder is a part of the system restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable system restore and reboot, as I mentioned in my first post. If these are new then you can't have disabled system restore and rebooted. Until you are clean you should leave system restore disabled and only then enable it.

The ones relating to emails should have been dealt with and either deleted or moved to the chest, depending on what you chose and what your email program is.

For the ones relating to Temp locations, Internet Files, etc., you should clean out all temp files (ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.).

However, the ones you give as examples are from 2nd Dec and do not relate to the latest batch (29) you mentioned on 6 Dec, and the last batch is even earlier, 13 Nov; we are trying to help with those you reported on 6 Dec. Information from those would be helpful.

Norton is notorious for leaving remnants:
A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT
You can also download SymNRT, a Norton uninstall tool that uninstalls all Norton 2004/2005/2006 products.
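Worked example, added here and not code from the thread, from avast or from either poster: a small Python script that parses Warning.log lines in the layout DavidR quotes in Reply #9, sorts each detection into the buckets his Reply #13 advice distinguishes (restore points, incoming email, temp/cache files, everything else) and flags any file that keeps being detected, which is how a recurring alarm on the same DLL shows up in the log. The sample lines are constructed in that layout with a placeholder GUID and placeholder addresses; the bucket names and the helper functions are assumptions of this example, not avast's.

```python
"""Parse avast 4 Warning.log detection lines and group them by location.

Added example, not code from the thread or from avast. It assumes the line
layout quoted in the thread: date, time, epoch seconds, user, pid, then
'Sign of "<signature>" has been found in "<path>" file.'  The sample lines
below are constructed in that layout (placeholder GUID and addresses).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<date>\S+)\s+'
    r'(?P<time>\d{1,2}:\d{2}(?::\d{2})?(?:\s?[AP]M)?)\s+'
    r'(?P<epoch>\d+)\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>.+)" file\.\s*$'
)

# Constructed sample lines in the Warning.log layout; not the poster's real log.
SAMPLE_LOG = [
    '6/12/2006   9:38:36 PM   1165401516   User1   5404   Sign of "Win32:Warezov-QU [Wrm]" '
    'has been found in "C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP1\\A0000043.dll" file.',
    '2/12/2006   6:42:16 AM   1165002136   SYSTEM   128   Sign of "Win32:Warezov-QP [Wrm]" '
    'has been found in "Incoming email \'Mail server report.\' From: sender@example.invalid, '
    'To: user@example.invalid\\docs.zip#1\\docs.elm.pif\\[UPX]" file.',
    '2/12/2006   8:57:32 AM   1165010252   User1   3160   Sign of "Win32:Warezov-QL [Wrm]" '
    'has been found in "C:\\Documents and Settings\\User1\\Local Settings\\Temp\\docs.log.exe" file.',
    '7/12/2006   7:47:23 PM   1165481243   User1   1792   Sign of "Win32:Warezov-QU [Wrm]" '
    'has been found in "C:\\WINDOWS\\system32\\strmwin8.dll" file.',
    '8/12/2006   5:45:57 AM   1165517157   SYSTEM   1788   Sign of "Win32:Warezov-QU [Wrm]" '
    'has been found in "C:\\WINDOWS\\system32\\strmwin8.dll" file.',
    # A scanner-error line of the kind pasted earlier in the thread; it is not a detection.
    '17/08/2006 1:32:02 PM   SYSTEM   1760   AAVM - scanning warning: x_AavmCheckFileDirectEx '
    '[UNI]: C:\\DOCUME~1\\User1\\LOCALS~1\\Temp\\TEMP2204.TMP returning error, 0000A413.',
]


def parse_line(line):
    """Return the fields of a detection line, or None for anything else
    (the 'AAVM - scanning warning ... returning error' lines are scan
    errors, not virus alerts, so they are skipped here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"] = int(rec["epoch"])
    rec["pid"] = int(rec["pid"])
    return rec


def classify_location(path):
    """Bucket a detected path by the action the thread recommends:
    restore_point -> disable System Restore and reboot,
    email         -> already handled by the mail scanner,
    temp          -> clear temp / browser cache files,
    other         -> a live file (e.g. a DLL in system32) that needs a look."""
    p = path.lower()
    if p.startswith("incoming email"):
        return "email"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"
    return "other"


def summarize(lines):
    """Count detections per bucket and list every (signature, path) pair
    seen more than once: a file that keeps being detected was not removed,
    which is what a repeating alarm looks like in the log."""
    per_bucket = defaultdict(int)
    sightings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_bucket[classify_location(rec["path"])] += 1
        sightings[(rec["sig"], rec["path"])].append(rec["epoch"])
    repeats = {
        key: {"count": len(ts), "first": min(ts), "last": max(ts)}
        for key, ts in sightings.items() if len(ts) > 1
    }
    return {"by_location": dict(per_bucket), "repeats": repeats}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("detections by location:", result["by_location"])
    for (sig, path), info in result["repeats"].items():
        print(f"repeated {info['count']}x: {sig} in {path}")
```

Run it against a real Warning.log by reading the file into a list of lines and passing it to `summarize`; anything that lands in the `repeats` map outside the restore-point bucket is the file worth reporting back in a thread like this, since repeated hits on the same path mean the file is still present between scans.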

TOMTHUMB

Re: Win32:warezov_qu
« Reply #14 on: December 07, 2006, 10:14:29 PM »
OK, yes I did disable "System restore" and I did reboot. Have another "Firewall" installed as well. What can this "worm" do??

Some more recent "log"

044   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
7/12/2006   7:47:10 PM   1165481230   User1   1792   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
7/12/2006   7:47:23 PM   1165481243   User1   1792   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
7/12/2006   9:14:22 PM   1165486462   User1   1792   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
7/12/2006   9:14:26 PM   1165486466   User1   1792   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
8/12/2006   5:45:51 AM   1165517151   SYSTEM   1788   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
8/12/2006   5:45:57 AM   1165517157   SYSTEM   1788   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
8/12/2006   6:46:15 AM   1165520775   SYSTEM   1788   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
8/12/2006   6:46:18 AM   1165520778   SYSTEM   1788   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file. 
8/12/2006   7:45:07 AM   1165524307   User1   2020   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
8/12/2006   7:45:16 AM   1165524316   User1   2020   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file.