Apr 15, 2007, 10:06 PM // 22:06
#1
Site Legend
Worm Infection
Hi,
I need some help. My computer is infected with this worm:
Win32:Warezov-AHW [WRM]
I found this while doing a through system scan. My Anti-Virus (Avast) found 2 copies of the worm, 1 was removed to chest, when I tried to remove the other one it came up with "access denied". My second is logged in this file:
C:\WINDOWS\system32\mebqouio.exe
Any help needs to be in 'English'; I'm not all that computer 'savvy'.
Thanks.
__________________
Old Skool '05
Apr 16, 2007, 12:47 AM // 00:47
#2
Forge Runner
Join Date: Nov 2005
Location: Stoke, England
Guild: The Godless [GOD]
Profession: W/
Have you run Spybot S&D? If not, then go and grab it from here :-
http://www.spybot.info/
Install it, run an update from within the program then let it scan your system.
Apr 16, 2007, 12:59 AM // 00:59
#3
Site Legend
Had that installed since last time my computer got hit with a serious infection.
It never comes up with anything major, just the normal ad-ware/tracking cookie rubbish.
__________________
Old Skool '05
Apr 16, 2007, 01:13 AM // 01:13
#4
Banned
Boot into safe mode, mash F8 a few times before the Windows splash screen appears. Run the scanner that way, or manually try to delete the file. Make sure to permanently delete it before booting back into regular Windows.
Apr 16, 2007, 01:22 AM // 01:22
#5
Site Legend
Is it safe to delete a system32 file though? I thought about just deleting the file, but that crossed my mind as I was about to hit delete.
__________________
Old Skool '05
Apr 16, 2007, 01:34 AM // 01:34
#6
Jungle Guide
Do some more research (I tried google but didn't find anything) on alternate names for that virus or something. Then research those alternate names or post them here, and you can find out if it has infected a system file or if it just dropped into system32. Either way it is probably safe to delete/your only option.
Apr 16, 2007, 01:46 AM // 01:46
#8
Site Legend
Closest things I can match it to are:
Vundo
Win32:Warez
__________________
Old Skool '05
Apr 17, 2007, 12:03 PM // 12:03
#9
Desert Nomad
Join Date: Nov 2006
Location: Garden City, Idaho
Guild: The Order of Relumination (TOoR)
Profession: R/
There are many variants, unfortunately:
http://www.viruslist.com/en/alerts?alertid=203996079
Quote:
Email-Worm.Win32.Warezov:
Kaspersky Lab has detected mass mailings of new variants of Email-Worm.Win32.Warezov, which started on 15th January, 2007.
A new version is being sent out in each mass mailing. The variants are all highly similar, and spread as an attachment to infected emails. Once launched, they may terminate antivirus and firewall programs and download other malware.
Antivirus updates have been released for all the latest variants. Users are strongly recommended to ensure that they keep their antivirus software up to date.
How it functions:
http://www.avast.com/eng/win32-warezov-family.html
Quote:
Win32:Warezov family:
When Win32:Warezov is launched, it creates several executables in the %WINDOWS% and %SYSTEM% directories (count and names of the files depend on the exact version of Win32:Warezov). These files are also detected as Win32:Warezov. Then, it opens Notepad and displays random characters in the text file.
Win32:Warezov sets itself to run every time Windows starts by creating a registry entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32:Warezov is a fast growing family.
The hard part is to keep it from insinuating itself back on your PC. Also, it may have already been:
Quote:
downloading other dangerous or unwanted applications such as Trojans or Adware. Many variants may disable security related products and/or disable their updating and browsing their websites by adding lines to the hosts file (e.g. ‘127.0.0.1 download.microsoft.com’).
It could be a royal mess if that's the case. But, it sounds like you have it isolated via your anti-virus software.
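The quoted write-up names three things a defender can check on the box before deleting anything: hosts-file lines that point update or vendor sites at loopback, a value under the CurrentVersion\Run key, and dropped executables under the Windows directory. The script below is an added example for this thread, not code from the thread, from Avast or from Kaspersky. It assumes an elevated PowerShell prompt on the affected Windows machine, reuses the path from the first post as the suspect file (the `$suspect` variable is my choice of name), and the "6 to 10 lowercase letters" rule for random-looking file names is a simplification I picked for illustration. It only reports; it does not delete or modify anything.

```powershell
# Added triage script for the behaviours described above. Reports only; deletes nothing.
# $suspect: the path reported by the scanner in post #1 (change to whatever your AV named).
$suspect = 'C:\WINDOWS\system32\mebqouio.exe'

# --- 1. hosts file -------------------------------------------------------------------
# Variants block updates with lines like "127.0.0.1 download.microsoft.com".
# Any non-comment line that points a real host name at loopback deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "== Loopback entries in $hostsPath =="
foreach ($raw in (Get-Content -Path $hostsPath)) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    $parts = $line -split '\s+'
    if ($parts.Length -lt 2) { continue }
    $ip    = $parts[0]
    $names = $parts[1..($parts.Length - 1)]
    if ($ip -match '^(127\.|0\.0\.0\.0$|::1$)' -and ($names -notcontains 'localhost')) {
        Write-Host "  SUSPICIOUS: $line"
    }
}

# --- 2. Run keys ---------------------------------------------------------------------
# The worm persists via HKLM\...\CurrentVersion\Run. List every value in the machine and
# user Run keys, resolve the executable and check its Authenticode signature. An unsigned
# binary with a random-looking name under %SystemRoot% is the pattern from post #1.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
Write-Host "== Autostart entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $cmd = [string]$prop.Value
        # Pull the executable out of the command line: a quoted path or the first .exe token.
        if ($cmd -match '^"([^"]+)"')        { $exe = $Matches[1] }
        elseif ($cmd -match '^(\S+?\.exe)')  { $exe = $Matches[1] }
        else                                 { $exe = $cmd }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $status = 'file not found'
        if (Test-Path -Path $exe) {
            $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        }
        # Heuristic (assumption, not from the write-up): unsigned + under Windows dir +
        # 6-10 plain letters as a name, like mebqouio.exe.
        $inWindows  = $exe -like "$env:SystemRoot\*"
        $randomName = (Split-Path -Path $exe -Leaf) -match '^[a-z]{6,10}\.exe$'
        $flag = ''
        if ($status -ne 'Valid' -and $inWindows -and $randomName) { $flag = '  <-- review' }
        Write-Host ("  [{0}] {1} = {2}  (signature: {3}){4}" -f $key, $prop.Name, $cmd, $status, $flag)
    }
}

# --- 3. Is the dropped file still running? -------------------------------------------
# "Access denied" on delete usually means the executable is the image of a live process,
# which is why booting to safe mode (post #4) lets the file be removed.
Write-Host "== Processes whose image is $suspect =="
$running = Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $suspect) }
if ($running) {
    $running | ForEach-Object { Write-Host ("  PID {0} {1}" -f $_.Id, $_.ProcessName) }
} else {
    Write-Host "  none"
}
```

Run it once before cleaning and once after rebooting out of safe mode: if section 2 still shows a flagged Run value or section 1 still shows loopback lines for vendor sites, the infection has re-established itself and the "chest" copy in Avast was not the only one.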
Apr 17, 2007, 03:01 PM // 15:01
#10
Forge Runner
Join Date: Nov 2005
Location: Stoke, England
Guild: The Godless [GOD]
Profession: W/
Sorry, I forgot to post this in my first reply. Download and run this :-
http://www.softpedia.com/get/Antivirus/VundoFix.shtml
It needs no installation, so just download and run it. It'll get rid of your problem if it's Vundo related.
Apr 17, 2007, 03:36 PM // 15:36
#11
Krytan Explorer
Join Date: Apr 2007
Location: Denmark
Guild: Dragonslayers Of The [Mist]
Profession: W/Mo
C:\WINDOWS\system32\mebqouio.exe is not a Windows file, so just kill it!
Apr 17, 2007, 03:56 PM // 15:56
#12
Banned
If you got infected by a worm that spreads by attaching itself to emails, you fail unless it was your lil sibling who did it.
Practice safe computing.
Last edited by tomcruisejr; Apr 17, 2007 at 03:59 PM // 15:59..
Apr 17, 2007, 04:48 PM // 16:48
#13
Frost Gate Guardian
Join Date: Apr 2006
Location: NYC, NY
Guild: Gods Special Forces (GSF)
Profession: R/E
I run AVG Anti-Spyware and I have not had any problems since using it.
Try the free demo (and clean out that worm while you’re at it).
http://www4.grisoft.com/doc/download.../crp/0?prd=amw
Apr 17, 2007, 05:41 PM // 17:41
#14
Lion's Arch Merchant
Join Date: Feb 2007
Location: England
Profession: R/
If you're trying to delete it and it won't go, then FORCE delete it. Don't know how? LEARN.