Win32:warezov_qu

[DavidR]

A google search for win32:warezov returns many hits, this is just one, http://www.avast.com/eng/win32-warezov-family.html.

As you can see from this and others it is a mass mailer that sends out email to try and infect others from email addresses in your system, but for it to keep coming back there has to be a download element. A good firewall should stop or at least challenge unauthorised outbound connection to the internet, what is your firewall as this doesn't appear to be happening ?

What surprises me is that it is being detected on your HDD and not caught by the Web Shield before it gets to your HDD. Is the Web Shield provider running ?

Try a forums search for W32:Warezov and W32:Stration (an alias) as there have been several recent Topics on that and se what is suggested for removal.

You should also consider some proactive measures to try and prevent it getting re-established, as it needs permission to copy files to system folders and create registry entries, see DropMyRights in my signature.

[TOMTHUMB]

The "Firewall" I just downloaded, was the Comodo one. and they have got through that as well. WEB SHIELD. could you explain this please.
Thanks Bob.

[DavidR]

Check out the avast help file (right click the avast icon, select Start avast! Antivirus, Menu, Help or press F1), Resident Protection, Web Shield, but basically it monitors the traffic from the web to your system and if infected content is found it should alarm and effectively block it from being downloaded and stop it arriving on your HDD.

Comodo should do the job of checking outbound connections, but you have to read what it is telling you. You have to have some idea that it isn't something you are doing at that time that is trying to connect and not just say Yes to all questions or say No to all questions.

[TOMTHUMB]

OK done that, will just see if that stops it.
Thanks bob.

[TOMTHUMB]

Nope still no good, it comes up twice every time. could there be something that is in the PC, that is triggering it.

[DavidR]

When you say it keeps coming up each time please restate the file name and location even if the same and also what were you doing when it returned ?


You could try DrWeb CureIT!  http://download.drweb.com/drweb+cureit/

Have you tried a forum search as suggested
http://forum.avast.com/index.php?topic=24400.0
http://www3.ca.com/be/securityadvisor/virusinfo/virus.aspx?id=58375

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

[TOMTHUMB]

Thanks, I will try all you sugest. Well, the Alarm goes off, and it says it has found a Virus, in these two files.
9/12/2006   6:57:42 AM   1165607862   SYSTEM   1960   Sign of "Win32:Warezov-QV [Wrm]" has been found in "C:\WINDOWS\system32\alrsbatt.dll" file. 
9/12/2006   6:57:48 AM   1165607868   SYSTEM   1960   Sign of "Win32:Warezov-QU [Wrm]" has been found in "C:\WINDOWS\system32\strmwin8.dll" file.
The Alarm goes off regulary, throughout the Day. Always twice. and puts them in the same files. I just put them in the chest.

[DavidR]

Were you browsing or just working on the system ?
If browsing something is downloading and installing those files and the firewall isn't stopping this.

Check out CureIt and the other links, that doesn't work, you really need to download HJT and read the Tutorials and post (paste) the contents of the hijackthis.log file here.

[TOMTHUMB]

Hi Dr Web cure it fixed it up, it did a quick scan and said to "Reboot" it would then fix the three files it found. Thanks no Worms for two Days now.

[DavidR]

Thanks for the feed back, glad that it is now sorted.