Topic: Warezov-AAV : can't remove this virus

anuloma_viloma

Warezov-AAV : can't remove this virus
« on: January 18, 2007, 10:29:08 PM »
Hi,

    I have opened a mail attachment with postcard.exe. Unfortunately, this is the virus Warezov -AAV:
     http://img70.imageshack.us/img70/6388/warezovaavoe4.jpg

    The same message appears every 30 minutes.

     A scan has been launched before windows startup. The problem is still there.

    Here is my config :
- OS : Windows XP SP2
- Avast Version : 4.7 Edition Familiale (4.7.942)
- VPS Version : 000704-0

- Internet Connection : ADSL - No Proxy - Windows Firewall
- Mail : Outlook Express
- No other security software


I don't want to reinstall all my computer but this virus is very hard to remove :'(

Thanks in advance
Hervé -

Lisandro
Re: Warezov-AAV : can't remove this virus
« Reply #1 on: January 19, 2007, 01:37:38 AM »
Quote
A scan has been launched before windows startup. The problem is still there.

Well the picture itself seems clean...  ::)

If a virus is replicant (coming and coming again), you should:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files. You can use the Windows Advanced Care features for that.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) It will be good if you download, install, update and run other trojan remover tools:
    a-squared
    Free AVG Antispyware
    SUPERantispyware

DavidR
Re: Warezov-AAV : can't remove this virus
« Reply #2 on: January 19, 2007, 02:11:56 AM »
@ Tech
Well the image is just the avast alert Tech not malware.

The file c:\windows\smm32.exe is the file avast is alerting on, so if it is coming back every 30 minutes something is recreating it otherwise avast would continue to detect it not just every 30 minutes. Hopefully the other tools Tech mentioned will stop whatever is recreating it.

Do you have a firewall, if so what ?

mauserme

Re: Warezov-AAV : can't remove this virus
« Reply #3 on: January 19, 2007, 02:19:26 AM »
Quote
Well the picture itself seems clean...  ::)

The picture is clean

Quote
- Internet Connection : ADSL - No Proxy - Windows Firewall

Warezov connects to different URLs to download new variants on a regular basis.  The Windows Firewall will not stop the connection - you need a third party firewall to try to stop this.  Zone Alarm, Comodo, Kerio, etc. are good choices.  After installing the firewall carefully review any programs requesting an internet connection.  You want to allow normal processes while blocking the bad ones.

After installing the firewall a HijackThis log would be useful.  You can download the program here

http://www.bleepingcomputer.com/files/hijackthis.php

and paragraph 2 under Usage Instructions will tell you how to extract and run the program.  Make sure not to "fix" anything right now, just run the program and post the log here.

tutties430

Re: Warezov - Help !
« Reply #4 on: February 11, 2007, 02:31:22 AM »
Hi,

New to this forum but have been reading the Warezov thread with interest. I have recently been hit with the Warezov virus and have followed most - if not all - of the things posted on this forum to try and get rid of it. I now find myself in the situation where Avast isn't finding anything, AVG AntiSpyware, Super AntiSpyware and SpyBot all say I am clean...but I am not clean. I am still churning out bogus emails at the rate of about 10 an hour...and its doin' my head in ! I now know a lot more about Firewalls, Antivirus and all of these kind of things...but I just can't get this email thing to stop !
Problem originally detected by Avast..but Avast couldn't delete because was embedded in .pst archive. Deleted the .pst archive ...as it wasn't that important !

Any help gratefully received.

Graham

For the record :-
OS: XP SP2
Email: Outlook 2003
Antivirus : Avast 4.7 Home
Firewall : ZoneAlarm (the free one...just newly installed as a result of reading posts here..used to just use the Windows Firewall).

Now I figure I will probably be asked to post a HijackThis log...so here goes ...have included the startup list as well !





FreewheelinFrank
Re: Warezov-AAV : can't remove this virus
« Reply #5 on: February 11, 2007, 09:55:06 AM »
Hi tutties430,

Nothing stands out in the log. I believe some variants of Warezov use rootkit technology to hide themselves, so it would be a good idea to run a few rootkit scans.

I'd recommend F-Secure BlackLight, the Panda scanner, the BitDefender Scanner and maybe the Sophos scanner listed here:

http://www.antirootkit.com/software/index.htm

Legitimate applications can sometimes have hidden processes, so check here if you find anything suspicious.

If you find and remove a rootkit, run a scan with avast! immediately afterwards.

tutties430

Re: Warezov-AAV : can't remove this virus
« Reply #6 on: February 11, 2007, 11:44:13 AM »
Hi,

Tried these...Sophos gave me this..but wouldn't allow me to remove !

Area:   Windows registry
Description:   Hidden registry value
Location:   \HKEY_USERS\S-1-5-21-1789158869-1094879326-2890962713-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\UnzzreFavcr CbjreGbby\CbjreGbby.rkr
Removable:   No
Notes:   (type 3, length 16) "\xbc\x02  \x06   \x90\xe7%\x855C\xc7\x01"

Still at a loss !

Thanks for humouring me
Graham

FreewheelinFrank
Re: Warezov-AAV : can't remove this virus
« Reply #7 on: February 11, 2007, 12:19:09 PM »
From a web search, I suspect the key Sophos found is some sort of encrypted key and not part of a rootkit, which means the problem is probably an unrecognised process starting from a location not included in HijackThis!

Have you managed to block the process sending out emails with Zone Alarm? What was the name of the process? If not, check for suspicious applications connecting to the net and try and identify the malware process and block it.

You could try downloading Process Explorer from SysInternals and looking for the malware process. Kill the malware process and find and remove the startup entry with Autoruns, also from the same source.

Alternatively, try online scans with F-Secure and Trend Micro Housecall.

You are running an out of date version of Sun Java. I recommend you run Secunia Software Inspector to confirm this and also look for other out-of-date software. It will also give you a download link to get latest secure versions of software.

http://secunia.com/software_inspector/

EDIT: Instructions on how to use Process Explorer here:

http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=359

Quite technical!
« Last Edit: February 11, 2007, 12:55:44 PM by FreewheelinFrank »

Spiritsongs

Re: Warezov-AAV : can't remove this virus
« Reply #8 on: February 11, 2007, 06:31:58 PM »
 :)  Hi Graham :

     As Frank said, your version of Sun Java is 5 Updates behind, a serious security risk; should
     uninstall it ASAP. The latest version for your XP SP2 OS is at :
     www.majorgeeks.com/download4648.html .

     Perhaps it is time for you to ask an experienced, trained, volunteer Malware Expert for help !?
     Since you have Spybot, there are many at http://forums.spybot.info . Probably the 1st thing
     they will ask you is to "rename" your "HijackThis.exe" to something else .
« Last Edit: February 11, 2007, 06:41:57 PM by Spiritsongs »

mauserme

Re: Warezov-AAV : can't remove this virus
« Reply #9 on: February 11, 2007, 08:55:08 PM »
This is just a hunch but would you try AVG's Vcleaner.  Download it here and scan in safe mode

http://www.grisoft.com/doc/removal/lng/us/tpl/tpl01?uti=Vcleaner

Also, Spiritsongs' suggested renaming of hijackthis.exe to something like hijackthat.exe is worth a try.  Usually this is a trick to use with Vundo (which you don't have) but if Vundo can hide from hijackthis.exe other malware might as well.  Do this after Vcleaner.

tutties430

Re: Warezov-AAV : can't remove this virus
« Reply #10 on: February 11, 2007, 11:13:04 PM »
Thanks to all of you for your help.
Don't think I am any further forward - although emails seem to have stopped for just now !

Ran vcleaner in safe mode - didn't find anything.
Renamed HijackThis (to DesperateNow  :( ) but logs just looked pretty much identical.

I haven't been brave enough to start editing using the Process Manager stuff yet !

Frank (I think it was you ?) asked if I had isolated which app was sending the email by using Zone Alarm.
All I can say is that every time I start Outlook I get at best a handful of 'delivery failures' in my inbox and at worst about 70. I have everything set to ask for access via Zone Alarm...but nothing really does. Not sure what - if anything else I can do there ?

In another desperate effort to stop me throwing the whole PC out the window I have just repaired Microsoft Office. No dodgy emails in the last half hour - but this is most likely a false dawn. I have gone a couple of hours before with nothing.

When I first found the Warezov-MF (via Avast) it was embedded in one of my pst files. It was one that I didn't use so I just deleted the whole .pst.

I have updated my Java app as well as several others. I have also ditched all of the BTYahoo protection stuff that I seem to be paying pretty dearly for - and it's no use !

At the end of all this I think I have learned that Avast Home 4.7 plus the free Zone Alarm is good enough security for me in the future (with regular SpyBot style checking too !)

Thank you all for your help. It is good to know that there are some good folk out there willing to help this sad geezer !

Graham

P.S. Whole 50 minutes now since last dodgy email.....needs to go until I wake in the morning before I am happy ! 

mauserme

Re: Warezov-AAV : can't remove this virus
« Reply #11 on: February 12, 2007, 03:57:06 AM »
I believe your computer is clean, Graham, and has been clean since you deleted the infected pst file.

Unfortunately I think someone else's computer is infected with malware that is sending out spam with your email address spoofed as the sender's address.  This is why you're getting bounced email.

There's nothing you can do about this other than wait for the other person to recognize and clean up the problem.  Given the sudden disappearance of returned email this may have already happened (or maybe they just turned off their computer).

Quote
Area:   Windows registry
Description:   Hidden registry value
Location:   \HKEY_USERS\S-1-5-21-1789158869-1094879326-2890962713-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\UnzzreFavcr CbjreGbby\CbjreGbby.rkr

This seems benign

http://forum.sysinternals.com/forum_posts.asp?TID=9380&PN=3


EDIT:
Quote
At the end of all this I think I have learned that Avast Home 4.7 plus the free Zone Alarm is good enough security for me in the future (with regular SpyBot style checking too !)

Keep AVG Antispyware and SuperAntispyware too.  They're a little better than Spybot right now.
« Last Edit: February 12, 2007, 05:33:33 AM by mauserme »
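Frank's guess in reply #7 that the Sophos hit is "some sort of encrypted key" and mauserme's verdict above that it "seems benign" come down to the same fact: Windows XP stores UserAssist value names (Explorer's record of what the user has launched) with ROT13, not encryption, and the 16-byte data under each value is a session id, a run counter and a last-run FILETIME. The Python below is an added example for this thread, not code from the posters, Sophos or Sysinternals. It decodes the value name exactly as printed in reply #6 and parses a constructed 16-byte record; the data bytes in the Sophos report were only partially printed, so they are not used. The "counter starts at 5" rule is the documented XP behaviour, not something the thread states.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Registry location exactly as printed in the Sophos report quoted above.
SOPHOS_LOCATION = (
    r"\HKEY_USERS\S-1-5-21-1789158869-1094879326-2890962713-1006"
    r"\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    r"\{75048700-EF1F-11D0-9888-006097DEACF9}\Count"
    r"\HRZR_EHACNGU:P:\Cebtenz Svyrf\UnzzreFavcr CbjreGbby\CbjreGbby.rkr"
)

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_value_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated (letters only, so the
    drive letter and backslashes survive); decoding reveals the recorded path."""
    return codecs.decode(name, "rot13")


def decode_location(location: str) -> tuple:
    """Split '<key>\\Count\\<rot13 name>' into (key, decoded value name)."""
    key, sep, name = location.rpartition("\\Count\\")
    if not sep:
        raise ValueError("not a UserAssist Count value path")
    return key + "\\Count", decode_value_name(name)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_count_data(data: bytes) -> dict:
    """XP/2003 record layout: <session:u32><count:u32><last_run:FILETIME>.
    XP initialises the counter at 5, so launches = count - 5."""
    if len(data) != 16:
        raise ValueError("expected a 16-byte XP UserAssist record")
    session, count, last_run = struct.unpack("<IIQ", data)
    return {
        "session": session,
        "run_count": max(count - 5, 0),
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }


# Constructed sample record (NOT the bytes from the Sophos report): session 1,
# counter 7 (= 2 launches), last run at the time reply #6 was posted.
SAMPLE_DATA = struct.pack(
    "<IIQ", 1, 7,
    datetime_to_filetime(datetime(2007, 2, 11, 11, 44, 13, tzinfo=timezone.utc)),
)

if __name__ == "__main__":
    key, name = decode_location(SOPHOS_LOCATION)
    print("key: ", key)
    print("name:", name)
    print("data:", parse_xp_count_data(SAMPLE_DATA))
```

Run as is, the script prints the decoded name (a UEME_RUNPATH entry for a program under C:\Program Files), which is why a hidden-looking value here is an Explorer usage record rather than a rootkit artefact; the same decoder applies to any value exported from that key, and the timestamp lets you see when a suspicious path was last launched.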

FreewheelinFrank
Re: Warezov-AAV : can't remove this virus
« Reply #12 on: February 12, 2007, 10:59:17 AM »
Quote
Frank (I think it was you ?) asked if I had isolated which app was sending the email by using Zone Alarm.
All I can say is that every time I start Outlook I get at best a handful of 'delivery failures' in my inbox and at worst about 70. I have everything set to ask for access via Zone Alarm...but nothing really does. Not sure what - if anything else I can do there ?

As mauserme said, this certainly looks like a case of address spoofing, not a spambot infection on your computer.

http://www.lse.ac.uk/itservices/help/spamming&spoofing.htm

http://www.mailsbroadcast.com/email.broadcast.faq/46.email.spoofing.htm

http://www.windowsecurity.com/articles/Email-Spoofing.html
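The address-spoofing explanation mauserme gave in reply #11 and Frank endorses above can be checked from the bounces themselves: most delivery-failure reports attach the original message, and its Received: headers show where that message first entered the mail system. If that first hop is not an address you send from, the spam was injected elsewhere with your address forged. The Python below is an added example, not code from this thread; it builds a constructed bounce of the kind described (all hosts and addresses are made up, from the RFC 5737 documentation ranges) and checks the earliest hop against a set of addresses the assumed victim actually sends from.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Set

# Bracketed IPv4 literal as written into Received: headers by receiving MTAs.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_bounce() -> bytes:
    """Constructed delivery-status notification resembling the 'delivery
    failures' described in the thread; the spoofed original is attached as a
    message/rfc822 part. Hosts and addresses are fictitious."""
    original = EmailMessage(policy=policy.default)
    # Each MTA prepends its own Received: line, so the top one is the newest.
    original["Received"] = (
        "from mx.example.net (mx.example.net [192.0.2.10]) "
        "by mail.example.org with ESMTP; Sun, 11 Feb 2007 10:02:11 +0000"
    )
    original["Received"] = (
        "from unknown (HELO localhost) ([198.51.100.77]) "
        "by mx.example.net with SMTP; Sun, 11 Feb 2007 10:02:09 +0000"
    )
    original["From"] = "graham@example.org"  # forged sender address
    original["To"] = "nobody@example.org"
    original["Subject"] = "hello"
    original.set_content("constructed spam body")

    bounce = EmailMessage(policy=policy.default)
    bounce["From"] = "Mail Delivery System <MAILER-DAEMON@example.org>"
    bounce["To"] = "graham@example.org"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("The message could not be delivered to one or more recipients.")
    bounce.add_attachment(original)  # becomes a message/rfc822 part
    return bounce.as_bytes()


def embedded_original(bounce_bytes: bytes) -> Optional[EmailMessage]:
    """Return the original message attached to a bounce, or None if absent."""
    bounce = email.message_from_bytes(bounce_bytes, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_chain(msg: EmailMessage) -> List[str]:
    """Source IPs from the Received: headers, earliest hop first."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(str(hdr))
        if match:
            ips.append(match.group(1))
    return ips


def is_backscatter(bounce_bytes: bytes, my_public_ips: Set[str]) -> Optional[bool]:
    """True: the bounced original entered the mail system from an address that
    is not ours, so the sender was forged elsewhere. False: it came from one of
    our addresses, so look for a local infection. None: nothing to judge from.
    Caveat: a spammer can forge the bottom Received: lines as well; only hops
    added by servers you trust (your own provider's) are reliable."""
    original = embedded_original(bounce_bytes)
    if original is None:
        return None
    chain = received_chain(original)
    if not chain:
        return None
    return chain[0] not in my_public_ips


if __name__ == "__main__":
    sample = build_sample_bounce()
    print("hops:", received_chain(embedded_original(sample)))
    print("backscatter:", is_backscatter(sample, {"203.0.113.5"}))
```

With the constructed sample the earliest hop is 198.51.100.77, not the victim's 203.0.113.5, so the verdict is backscatter. On real bounces from Outlook, save the bounce as .eml and pass its bytes in; an inconclusive result (no attached original, or a chain that starts at your own address) is the cue to fall back on the local checks Frank suggested earlier, such as Process Explorer and the firewall's outbound prompts.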

tutties430

Re: Warezov-AAV : can't remove this virus
« Reply #13 on: February 12, 2007, 10:29:22 PM »
Frank, Mauserme,

Thanks for all of your help and pointers.
Things aint gettin' any better....dodgy email still flooding in..if anything it's getting worse. (200 emails today already)

Is there really nothing I can do ? Seems strange that you can go to all sorts of lengths to remove viruses from your PC...but with this (which is probably worse than a virus) there is nothing to be done !

Changing my email address would always be an option I suppose ?

Many Thanks,

Graham

oldman
Re: Warezov-AAV : can't remove this virus
« Reply #14 on: February 12, 2007, 11:19:44 PM »
Quote
Changing my email address would always be an option I suppose ?

It would, until you sent an email with your new address to the infected computer. Then you would be right back where you started. Had the same thing a few years ago. It took a month and I had to finally get the infected user's ISP involved.  >:(

Hope it doesn't take you as long.  :)