Author Topic: Win32:Otwycal-Z [Wrm]  (Read 10340 times)


Offline Bellzemos

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 621
Win32:Otwycal-Z [Wrm]
« on: June 13, 2008, 03:25:15 PM »
Hello!

Avast! just found this virus on my PC (Windows XP SP2).

Win32:Otwycal-Z [Wrm] was in two files:

C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

C:\System Volume Information\_restore{376ED84E-0008-4FF4-BB6F-CD438FAC6925}\RP41\A0036162.exe

When Avast! found it, I clicked on "Delete" both times, and these two files are gone now. Is that ok? Or is IKernel.exe needed for the system to work?

Should I run another Avast! scan in safe mode now? Or what should I do?

Thank you a lot!
Intel Core i7 Q 740 @ 1.73 GHz, 6 GB RAM, Windows 7 Ultimate x64 SP1, Avast! Free Antivirus, Malwarebytes Anti-Malware (free version) and Sandboxie (paid version).

Offline Bellzemos

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 621
Re: Win32:Otwycal-Z [Wrm]
« Reply #1 on: June 13, 2008, 03:39:23 PM »
Should I run Hijackthis and post the results here maybe?

Is it possible that this virus came from some blog site? Because I really don't know how I got it...

Thank you!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Otwycal-Z [Wrm]
« Reply #2 on: June 13, 2008, 03:45:29 PM »
C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
C:\System Volume Information\_restore{376ED84E-0008-4FF4-BB6F-CD438FAC6925}\RP41\A0036162.exe
When Avast! found it, I clicked on "Delete" both times, and these two files are gone now. Is that ok? Or is IKernel.exe needed for the system to work?
It's safer and wiser to send the file to the Chest. Then you could analyze it and check whether it is a false positive and whether the file is needed by the system... now the files are gone... you can't recover them.

Should I run another Avast! scan in safe mode now? Or what should I do?
You can run avast at boot time and be careful not to mess with system files. Report first.

Should I run Hijackthis and post the results here maybe?
Go ahead... hope someone that knows more about cleaning could help you.
The best things in life are free.

Chunker

  • Guest
Re: Win32:Otwycal-Z [Wrm]
« Reply #3 on: June 13, 2008, 03:57:18 PM »
I had the very same thing on my latest scan this morning. Only I had 3 places, one on the C drive and two on the D drive. I placed all in the chest. The C drive one can be restored, but the two on the D drive can't. I believe this is a part of my HP nVidia driver and is perhaps a false positive by avast???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Otwycal-Z [Wrm]
« Reply #4 on: June 13, 2008, 04:03:57 PM »
I had the very same thing on my latest scan this morning.  Only I had 3 places, one on the c drive and two on the d drive.  I placed all in the chest.  The c drive one can be restored, but the two on the d drive can't.  I believe this is a part of my HP nVidia driver and is perhaps a false positive by avast???
What's the error message while trying to restore?

Chunker

  • Guest
Re: Win32:Otwycal-Z [Wrm]
« Reply #5 on: June 13, 2008, 04:12:10 PM »
I never tried; the avast file says non-restorable and doesn't give that option as it does for the file from the C drive. My D drive is my restoration drive. I restored the main file on the C drive and took a look at it. I'm sure this is a false positive by avast. The folder is C:\HP\drivers\video_nVidia. It contains 118 files and is 28.3 MB in size, created in 2005 when I first got my PC. Wonder why avast doesn't give the option to restore those to the D drive??? Maybe I should just go and do a restore point back to yesterday???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Otwycal-Z [Wrm]
« Reply #6 on: June 13, 2008, 04:30:43 PM »
Maybe I should just go and do a restore point back to yesterday???
It won't be a bad idea.
Anyway, check the workaround to avoid avast detection for a while.

Offline Bellzemos

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 621
Re: Win32:Otwycal-Z [Wrm]
« Reply #7 on: June 13, 2008, 04:51:51 PM »
I had the very same thing on my latest scan this morning.  Only I had 3 places, one on the c drive and two on the d drive.  I placed all in the chest.  The c drive one can be restored, but the two on the d drive can't.  I believe this is a part of my HP nVidia driver and is perhaps a false positive by avast???

What? I have an nVidia graphics card too! And I bought my PC in 2005 too. I hope I haven't done something wrong by deleting IKernel.exe - but how could this file be connected to nVidia files?

@Tech: How do I run a boot scan?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Otwycal-Z [Wrm]
« Reply #8 on: June 13, 2008, 06:09:19 PM »
@Tech: How do I run a boot scan?
Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files (suggestion: send to Chest).
Choose how to automatically process infected system files (suggestion: ignore/do nothing).
Click the Schedule button to confirm the settings.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Otwycal-Z [Wrm]
« Reply #9 on: June 13, 2008, 06:17:37 PM »
Personally I would confirm the detection is good or not first.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.
You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
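An added example (not from this thread, and not Avast's or VirusTotal's code) of the offline triage a cautious user can do on a file exported from the Chest into the excluded folder before uploading it anywhere: compute the MD5/SHA-1/SHA-256 hashes, which VirusTotal accepts for a lookup so an already-known file need not be uploaded at all, and check whether the PE image carries an embedded Authenticode signature block, which a vendor-shipped InstallShield engine like IKernel.exe would normally have and a worm dropped into its place usually would not. The header offsets come from the PE/COFF specification; the `build_sample_pe` image and the `C:\Suspect\IKernel.exe` path in the comments are constructed for this example and stand in for a real exported file.

```python
import hashlib
import struct

# Index of the certificate table (Authenticode) entry in the PE data directory,
# from the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file; any of them can be looked up on VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_security_directory(data: bytes):
    """Return (offset, size) of the embedded Authenticode signature block,
    or None if the data is not a PE image or has no signature entry."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                 # IMAGE_FILE_HEADER, 20 bytes
        opt = coff + 20                     # IMAGE_OPTIONAL_HEADER
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                  # PE32: data directories begin at +96
            dir_base = opt + 96
        elif magic == 0x20B:                # PE32+: data directories begin at +112
            dir_base = opt + 112
        else:
            return None
        num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None
        entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        offset, size = struct.unpack_from("<II", data, entry)
    except struct.error:                    # truncated header
        return None
    if offset == 0 or size == 0:
        return None
    return offset, size


def triage(data: bytes) -> dict:
    """Summary worth pasting into a forum report next to the VirusTotal result."""
    sig = pe_security_directory(data)
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "has_signature_block": sig is not None,
        "signature_block": sig,
    }


def build_sample_pe(signed: bool) -> bytes:
    """Constructed, headers-only PE32 image (not a real IKernel.exe) so the
    parser can be exercised offline without a suspect file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> right after the DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, 224)           # SizeOfOptionalHeader for PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if signed:
        entry = 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, entry, 0x200, 0x80)  # fake certificate table
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    import pathlib
    import sys
    # Real use: python triage.py C:\Suspect\IKernel.exe  (path is an example)
    data = pathlib.Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_pe(signed=True)
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

A present signature block only says the vendor signed something at that location; it does not prove the signature is valid or covers the current bytes, so a file that passes this check should still be verified with `Get-AuthenticodeSignature` in PowerShell or `signtool verify` before it is trusted, and a file that fails it is worth the VirusTotal upload DavidR describes.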

ampwork

  • Guest
Re: Win32:Otwycal-Z [Wrm]
« Reply #10 on: June 13, 2008, 06:37:49 PM »
I had this same worm turn up on my very old Nvidia driver in ikernal.ex_. I quarantined the worm in the virus chest and sent it in for analysis. I suspect a false positive.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Otwycal-Z [Wrm]
« Reply #11 on: June 13, 2008, 06:44:30 PM »
I would suggest confirming by submission to the VT link above. If confirmed an FP, then you can exclude it from scans and restore it pending a correction by avast.

Chunker

  • Guest
Re: Win32:Otwycal-Z [Wrm]
« Reply #12 on: June 13, 2008, 06:46:45 PM »
Finally back with good news and bad news. I did a system restore back 2 days. Then I had to redo all the program updates that I've done since that time. Ran a new avast scan and just ignored the indication on the C drive. The scan completed but "no indications of the two files on the D drive!" In other words, the restore does not rebuild the recovery drive as it does the C drive. Now the big question is "why does avast allow you to move items to the chest from that drive, but doesn't provide the option of returning them??" I'm not at all happy with this and if I ever have to do a complete system recovery, I'll be dead in the water! What I've done now is to exclude from scanning c:\hp\drivers\video_aVidia so at least that won't show up in future scans. I'm convinced beyond a shadow of a doubt that this is a "false positive" by avast and could cause a lot of problems for many customers. I think the moral here is to "never" let avast move anything from your recovery drive to the chest!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Otwycal-Z [Wrm]
« Reply #13 on: June 13, 2008, 06:57:03 PM »
It does, and it is called Restore, see image.
Open the chest, select the Infected files section if it was a detection by avast, select the file you want to restore, right click and select Restore.

It would have been better to have asked this question before jumping in with a system restore.

Aztec

  • Guest
Re: Win32:Otwycal-Z [Wrm]
« Reply #14 on: June 13, 2008, 06:59:06 PM »
I am also having this same error. However, when I go to move it to the chest I get this error:

Access is denied:
Cannot process "C:\Program Fiels (x86)\Common Files\Install Shield\Engine\6\Intel 32\Kernel.exe" file

It is an endless loop.