Guild Wars Forums - GW Guru
Old Apr 15, 2007, 10:06 PM // 22:06   #1
Site Legend
 
Join Date: Oct 2005
Worm Infection

Hi,

I need some help. My computer is infected with this worm:

Win32:Warezov-AHW [WRM]

I found this while doing a thorough system scan. My Anti-Virus (Avast) found 2 copies of the worm, 1 was removed to chest, when I tried to remove the other one it came up with "access denied". My second is logged in this file:

C:\WINDOWS\system32\mebqouio.exe

Any help needs to be in 'English', I'm not all that computer 'savvy'.

Thanks.
__________________
Old Skool '05
Malice Black
Old Apr 16, 2007, 12:47 AM // 00:47   #2
Forge Runner
Join Date: Nov 2005
Location: Stoke, England
Guild: The Godless [GOD]
Profession: W/

Have you run Spybot S&D? If not, then go and grab it from here :-

http://www.spybot.info/

Install it, run an update from within the program then let it scan your system.
Tachyon
Old Apr 16, 2007, 12:59 AM // 00:59   #3
Site Legend
Join Date: Oct 2005

Had that installed since last time my computer got hit with a serious infection.

It never comes up with anything major, just the normal ad-ware/tracking cookie rubbish.
__________________
Old Skool '05
Malice Black
Old Apr 16, 2007, 01:13 AM // 01:13   #4
Banned
Join Date: Jul 2005

Boot into safe mode, mash F8 a few times before the Windows splash screen appears. Run the scanner that way, or manually try to delete the file. Make sure to permanently delete it before booting back into regular Windows.
Hockster
Old Apr 16, 2007, 01:22 AM // 01:22   #5
Site Legend
Join Date: Oct 2005

Is it safe to delete a system32 file though? I thought about just deleting the file but that crossed my mind as I was about to hit delete.
__________________
Old Skool '05
Malice Black
Old Apr 16, 2007, 01:34 AM // 01:34   #6
Jungle Guide
Join Date: Jul 2006

Do some more research (I tried google but didn't find anything) on alternate names for that virus or something. Then research those alternate names or post them here, and you can find out if it has infected a system file or if it just dropped into system32. Either way it is probably safe to delete/your only option.
Gimme Money Plzkthx
Old Apr 16, 2007, 01:39 AM // 01:39   #7
Banned
Join Date: Jul 2005

Google has exactly one hit for that file. It doesn't say what it is either. I don't have the file on either of two machines at home.

Could always check with an online scanner, Trend is a very good one.
http://housecall.trendmicro.com/
Hockster
Old Apr 16, 2007, 01:46 AM // 01:46   #8
Site Legend
Join Date: Oct 2005

Closest things I can match it to are

Vundo
Win32:Warez
__________________
Old Skool '05
Malice Black
Old Apr 17, 2007, 12:03 PM // 12:03   #9
Desert Nomad
Join Date: Nov 2006
Location: Garden City, Idaho
Guild: The Order of Relumination (TOoR)
Profession: R/

There are many variants unfortunately:

http://www.viruslist.com/en/alerts?alertid=203996079
Quote:
Email-Worm.Win32.Warezov:
Kaspersky Lab has detected mass mailings of new variants of Email-Worm.Win32.Warezov, which started on 15th January, 2007.

A new version is being sent out in each mass mailing. The variants are all highly similar, and spread as an attachment to infected emails. Once launched, they may terminate antivirus and firewall programs and download other malware.

Antivirus updates have been released for all the latest variants. Users are strongly recommended to ensure that they keep their antivirus software up to date.

How it functions:
http://www.avast.com/eng/win32-warezov-family.html
Quote:
Win32:Warezov family:

When Win32:Warezov is launched, it creates several executables in %WINDOWS% and %SYSTEM% directory (count and names of the files depend on the exact version of Win32:Warezov). These files are also detected as Win32Warezov. Then, it opens Notepad and displays random characters in the text file.

Win32:Warezov sets itself to run every time Windows starts by creating a registry entry in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Win32:Warezov is a fast growing family.
The hard part is to keep it from insinuating itself back on your PC. Also, it may have already been:

Quote:
downloading other dangerous or unwanted applications as Trojans or Adware. Many variants may disable security related products and/or disable their updating and browsing their websites by adding lines to hosts file (e.g. ‘127.0.0.1 download.microsoft.com’).
It could be a royal mess if that's the case. But, it sounds like you have it isolated via your anti-virus software.
Kuldebar Valiturus
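A defender-side check for the hosts-file tampering described in the Avast write-up quoted in the post above; this is an added example, not code from the thread or from Avast. It parses an inline, constructed hosts file and flags any hostname mapped to loopback or 0.0.0.0 that is not a normal loopback name (the `127.0.0.1 download.microsoft.com` pattern); the Windows path constant is for reference only and is not read.

```python
import ipaddress

# Where Windows keeps the hosts file (reference only; the sample below is inline).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Names that legitimately resolve to loopback in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a stock file plus two tampered lines of the kind the
# Avast write-up describes (vendor/update hosts pointed at loopback).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 download.microsoft.com   # constructed tampered line
0.0.0.0   www.avast.com            # constructed tampered line
"""

def parse_hosts(text):
    """Return (ip_address, hostname) pairs, skipping comments, blanks and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not a valid address, ignore
        for name in parts[1:]:                 # one IP may carry several names
            entries.append((ip, name.lower()))
    return entries

def suspicious_entries(text):
    """Hostnames mapped to loopback or 0.0.0.0 that are not normal loopback
    names: the pattern used to block AV updates and vendor sites."""
    return [
        name for ip, name in parse_hosts(text)
        if (ip.is_loopback or ip.is_unspecified)
        and name not in LEGIT_LOOPBACK_NAMES
    ]

if __name__ == "__main__":
    for name in suspicious_entries(SAMPLE_HOSTS):
        print("hosts file redirects", name, "to loopback; check for tampering")
```

To check a live machine, read the real file into `suspicious_entries` instead of `SAMPLE_HOSTS`; any hit that is not something you added yourself deserves a look.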
Old Apr 17, 2007, 03:01 PM // 15:01   #10
Forge Runner
Join Date: Nov 2005
Location: Stoke, England
Guild: The Godless [GOD]
Profession: W/

Sorry, I forgot to post this in my first reply. Download and run this :-

http://www.softpedia.com/get/Antivirus/VundoFix.shtml

It needs no installation, so just download and run it. It'll get rid of your problem if it's Vundo related.
Tachyon
Old Apr 17, 2007, 03:36 PM // 15:36   #11
Krytan Explorer
Join Date: Apr 2007
Location: Denmark
Guild: Dragonslayers Of The [Mist]
Profession: W/Mo

C:\WINDOWS\system32\mebqouio.exe is not a Windows file, so just kill it!
Mineria
Old Apr 17, 2007, 03:56 PM // 15:56   #12
Banned
Join Date: Apr 2005

If you got infected by a worm that spreads by attaching itself to emails, you fail unless it was your lil sibling who did it.

Practice safe computing.

Last edited by tomcruisejr; Apr 17, 2007 at 03:59 PM // 15:59..
tomcruisejr
Old Apr 17, 2007, 04:48 PM // 16:48   #13
Frost Gate Guardian
Join Date: Apr 2006
Location: NYC,NY
Guild: Gods Special Forces (GSF)
Profession: R/E

I run AVG anti-spyware and I have not had any problems since using it.
Try the free demo (and clean out that worm while you’re at it).


http://www4.grisoft.com/doc/download.../crp/0?prd=amw
redant751
Old Apr 17, 2007, 05:41 PM // 17:41   #14
Lion's Arch Merchant
Join Date: Feb 2007
Location: England
Profession: R/

If you're trying to delete it and it won't, then FORCE delete it. Don't know how? LEARN
Darko_UK