How to remove worms

[JonathanJonathan]

Hi,

After running a full system scan on Avast, this is the bad stuff of what it picks up.


6/4/2007 5:41:57 PM   Harry Potter   1992   Sign of "Win32:VB-DLK [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3051e8]" file. 
6/4/2007 5:42:49 PM   Harry Potter   1992   Sign of "Win32:WinSpy-Q [Tool]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3155e8]" file. 
6/4/2007 5:42:54 PM   Harry Potter   1992   Sign of "Win32:WinSpy-E [Trj]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#332de8]" file. 
6/4/2007 5:43:01 PM   Harry Potter   1992   Sign of "Win32:WinSpy-J [Trj]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3429e8]" file. 
6/4/2007 5:43:02 PM   Harry Potter   1992   Sign of "Win32:WinSpy-Q [Tool]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#35f3e8]" file. 
6/4/2007 5:43:04 PM   Harry Potter   1992   Sign of "Win32:WinSpy-Q [Tool]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3715e8]" file. 
6/4/2007 5:43:05 PM   Harry Potter   1992   Sign of "Win32:WinSpy-N [Trj]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3813e8]" file. 
6/4/2007 5:43:06 PM   Harry Potter   1992   Sign of "Win32:VB-DLL [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#384de8]" file. 
6/4/2007 5:43:11 PM   Harry Potter   1992   Sign of "Win32:VB-DLJ [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3a77e8]" file. 
6/4/2007 5:43:13 PM   Harry Potter   1992   Sign of "Win32:VB-DLK [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt" file. 
6/4/2007 6:19:16 PM   Harry Potter   1992   Sign of "Win32:VB-DLK [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3051e8]" file. 
6/4/2007 11:27:38 PM   Harry Potter   1992   Sign of "Win32:WinSpy-Q [Tool]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3155e8]" file. 
6/4/2007 11:27:38 PM   Harry Potter   1992   Sign of "Win32:WinSpy-E [Trj]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#332de8]" file. 
6/4/2007 11:27:39 PM   Harry Potter   1992   Sign of "Win32:WinSpy-J [Trj]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3429e8]" file. 
6/4/2007 11:27:39 PM   Harry Potter   1992   Sign of "Win32:WinSpy-Q [Tool]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#35f3e8]" file. 
6/4/2007 11:27:39 PM   Harry Potter   1992   Sign of "Win32:WinSpy-Q [Tool]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3715e8]" file. 
6/4/2007 11:27:39 PM   Harry Potter   1992   Sign of "Win32:WinSpy-N [Trj]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3813e8]" file. 
6/4/2007 11:27:39 PM   Harry Potter   1992   Sign of "Win32:VB-DLL [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#384de8]" file. 
6/4/2007 11:27:39 PM   Harry Potter   1992   Sign of "Win32:VB-DLJ [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt\[Embedded#3a77e8]" file. 
6/4/2007 11:27:39 PM   Harry Potter   1992   Sign of "Win32:VB-DLK [Wrm]" has been found in "C:\Documents and Settings\Harry Potter\My Documents\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe\1.txt" file. 
6/5/2007 9:08:45 AM   Harry Potter   1992   Sign of "Win32:VB-DLL [Wrm]" has been found in "C:\WINDOWS\font.exe" file.

I've tried to remove it with avast, but each time I do it says "error in the processing of deleting...."; the reason being it's a corrupt zip file.  I've tried to locate the files manually and found one setup file in my documents and deleted it, not sure if that's what I was looking for.  Any suggestions on how to remove these worms and trojans, or why avast is unable to do so?  Thanks

JJ

[DavidR]

Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

It's strange that a .txt file is being picked up as a Visual Basic infection. However the "Win-Spy Eval Setup.exe" could mean that this contains the \1.txt file which could be a signature file ?

Where did you download this win-spy evaluation program (break links so they aren't active, e.g. http :// www . suspect-site.com / webpage.html.

You could also check the offending/suspect files, setup.exe and font.exe at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners. Post the results of the scan here.

Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

[Spiritsongs]

   Hi Jonathan :

     Since Avast is "detecting" worm(s), it would be advisable to get a 2nd
     Opinion from an antiSPYWARE/antiTROJAN/antiWORM program, such as
     the FREE version of SUPERAntiSpyware from www.superantispyware.com ;
     do you have one or more of those types of programs on your computer ?

[Lisandro]

I've tried to remove it with avast, but each time I do it says "error in the processing of deleting...."; the reason being it's a corrupt zip file.  I've tried to locate the files manually and found one setup file in my documents and deleted it, not sure if that's what I was looking for.  Any suggestions on how to remove these worms and trojans, or why avast is unable to do so?  Thanks

Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it's safer to send them to Chest instead of deleting them.
This way you can further analysis them.

[sasin44]

from the log it shows that all the malware is in one setup file[and one in c:\windows\font.exe]
u can safely delete the file the setup file without casing anyproblems ..if u have any problems deleteing it move it to the chest and delete it..or u can use a seperate tool and delete it
this small <500Kb file is quite good
http://www.snapfiles.com/download/dlmoveonboot.html
it is useful in deleting corrupted/cant read from disc/file does not exists cases...its a freeware

[DavidR]

Before deleting anything you should confirm the detection, unfortunately it already looks like JonathanJonathan may have already deleted it.

I've tried to locate the files manually and found one setup file in my documents and deleted it, not sure if that's what I was looking for.