Question regarding what appears to be a virus

Hi everyone. I’m very new to Avast. Great program so far. Obviously this also means I’m brand new here as well. :)

Very short version: I think I have a virus. The program itself does not return ANY hits on any search engine anywhere.


Shorter version:

I have a program, vwm33.exe, that is located in C:\WINDOWS\System32\vwm33.exe. I am running Windows XP Pro (was on SP1; after all this I finally made the jump to SP2). It wants internet access. It ends up running up to 10 times in Task Manager Processes after the computer has been on a few hours.

I think it’s a virus, but no one has ANY information about it nor do any programs have a problem with it.

What’s the best next step for me to try to find out what this is?? Should I go ahead and send it in under that virus@avast address, or is there a better next step?


The Full Long Version:

A while ago, I got a notice from Zone Alarm that a program vwm33.exe is trying to access the internet.

I of course said ‘Uhhh… NO!’.

Did a google search. Zero hits. Tried a few other places. Zero hits. Ran Ad-Aware and Spybot. They have no problem with the file. Ran AVG - no problem with the file (All of the above were most recent version/updates).

Had a friend come over who knows this stuff much better than I. He did some registry work, found some Search Assistant stuff in the registry which may/may not have been a result of the vwm file. Those are cleaned out.

He ALSO found that now vwm33.exe was suddenly cleared through Zone Alarm for internet access!

Since then, it has not come off the deny list for zone alarm.

He tried installing Norton - that froze up. We ran CW Shredder, just to check. That ran fine, didn’t have a problem with the vwm file.

Avast also has no problem with this file.

Nowadays, after the computer is on a while, I’m finding that bringing up task manager and looking in processes, vwm33 is running now an average of 5-10 times after a couple hours.

I’ve had some weird computer issues since this. VERY long startup and shutdown times (30 seconds or so from the desktop showing up until the icons appear… 1 minute+ to shut down) and some other things.

If I wanted to find out if this REALLY actually IS a virus, what should I do? Does anyone have any information on this file? Has anyone else seen it?

By the way, if you now go do a Google search for the filename, it’ll bring up the other site where I brought this up a while ago. It’s the gaming board I frequent.

Thank you if anyone can offer any insight.

Bingo

Hi and welcome bingo969,
If you wanted to, you could investigate that file a bit further (maybe you already have). Just follow the path to where it’s located in the System32 folder and check its properties. Most legitimate stuff will have a parent organisation or program listed. The size might be important, and also the date it was installed.
If it has no sign of ownership, like the one in the pic below, it might require further scrutiny. You could possibly move or rename it temporarily and see what doesn’t work as a result.
If it is an MS file then I wouldn’t advise this.
Have you tried shutting down the suspect processes in Task Manager?
Can I ask what version of Java you are running?

Hi Bingo969,

File names which don’t come up on Google are usually malware. This one is certainly behaving like malware!

The way to check is to submit the file to an online multi-engine scanner and see what it says. (That is, if you can find the file on the hard disk, of course, which is not always as easy as it sounds.)

If vwm33.exe is visible, you could submit it to these scanners:

http://www.virustotal.com/flash/index_en.html

http://virusscan.jotti.org/

Check the application security list for this process and see if your friend has created a rule to allow vwm33.exe access to the internet. If so, delete the rule and don’t allow further access.

Installing Norton on top of avast! is likely to cause big problems: you may need to remove traces of Norton later. Search the forum for ‘removing Symantec’ to find links to removal tools.

Submit the file to avast! for analysis:

virus@avast.com

Zip the file and set the password to ‘virus’.

To remove the malware, you have these options:

Run a scan with Ewido anti-Trojan program:

http://www.ewido.net/en/

Submit the file to Ewido if it’s not detected.

Try an online scan with one of the online scanners. The F-Secure, Panda, eTrust, Trend Micro and Bitdefender scanners remove malware:

http://www.geocities.com/dontsurfinthenude/antivir2.htm

Disable avast! while scanning to avoid false alarms!
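The triage steps from the two replies above (check the file’s properties and ownership, look at the running copies, hash it so it can be looked up on a multi-engine scanner, and check what keeps it running) collected into one script. This is an added example and not code from the thread or from avast!. It assumes a current Windows build with PowerShell 5 or later run from an elevated prompt (the Windows XP machine in the thread does not ship PowerShell); the path and the process name are the ones the poster reported, and the function name is made up here.

```powershell
# Added example, not code from the forum thread. Triage for a suspect
# executable before submitting it to a multi-engine scanner.
# Assumes: a current Windows build with PowerShell 5+, run from an elevated
# prompt. The path and process name are the ones reported in the thread.
function Get-SuspectFileTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$StopProcesses   # also terminate running copies (the first reply's suggestion)
    )

    # -Force is needed: the poster only saw the file after un-hiding
    # "protected operating system files", i.e. it has Hidden + System attributes.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    "== File =="
    $item | Select-Object FullName, Length, Attributes, CreationTime, LastWriteTime | Format-List

    # Legitimate binaries normally carry a version resource naming the vendor.
    # All-empty fields here is the "no sign of ownership" the first reply describes.
    "== Version resource =="
    $item.VersionInfo | Select-Object CompanyName, ProductName, FileDescription, FileVersion | Format-List

    # Microsoft's own System32 binaries are Authenticode-signed. 'NotSigned' does
    # not prove malice, but a validly signed Microsoft file should not be renamed or deleted.
    "== Signature =="
    Get-AuthenticodeSignature -LiteralPath $Path |
        Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }} | Format-List

    # Hashes let you search VirusTotal/Jotti for the sample without uploading it,
    # and let you tell a re-dropped copy from the one you quarantined.
    "== Hashes =="
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        Get-FileHash -LiteralPath $Path -Algorithm $alg | Select-Object Algorithm, Hash
    }

    # The thread reports 5-10 instances after a few hours. List every running copy
    # with its parent and on-disk path: a process named like the file may load from elsewhere.
    $name = [System.IO.Path]::GetFileName($Path)
    "== Running processes named $name =="
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$name'"
    $procs | Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine, CreationDate |
        Format-Table -AutoSize
    if ($StopProcesses -and $procs) {
        $procs | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    }

    # Autostart check. The file coming back after quarantine (as reported later in
    # the thread) means something re-creates it; the Run keys are the first place to look.
    "== Run-key entries referencing $name =="
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match [regex]::Escape($stem) } |
                Select-Object @{n='Key'; e={ $key }}, Name, Value
        }
    }
}

Get-SuspectFileTriage -Path 'C:\WINDOWS\System32\vwm33.exe'
```

Two caveats: the SHA-256 hash is enough to check whether a scanner service has already seen the sample, so search for it before uploading; and Compress-Archive cannot set a password, so the password-protected zip requested for virus@avast.com has to be made with a third-party archiver.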

Hi bingo 969.

Yep, we have found the information on this worm here and the instructions for removal:
http://vil.mcafeesecurity.com/vil/content/v_98915.htm.
Hope this will help you to get rid of it. Loads of success and again welcome to the forum,

polonus

Mona.worm adds the file VMM33.EXE.

This malware adds vwm33.exe.

It could be the same [if the name is typed incorrectly], but mona.worm was added to McAfee’s descriptions in 2000. Surely avast! would detect it by now? ???

Thank you for tip, Polonus.

I should have made a point to mention in my first post that I did find this, and this references vMm33.exe (Note the M there) and NOT what I have, which is vWm (Note the W).

Trust me, I looked long and hard at it to make sure I wasn’t seeing something! :slight_smile:

I appreciate you taking the time to try to help me though!

Bingo

You’re welcome, Bingo 969. Together we are strong. You see I was right after all, the good virus seeker always goes the extra m… ;D

greets,

polonus

Thank you all for the suggestions and the welcomes!

I am posting from work, so I will check these out when I get home.

I do have a couple quick questions:

"Can I ask what version of Java you are running? "
– Posted by Cloussau

How do I tell? I am pretty good with computers, but the farther you go into the guts, my knowledge exponentially drops. :)

I did check the file as you said, and it does NOT show any ownership info. It is an approx 300k file with no other information.

“The way to check is to submit the file to an online multi-engine scanner and see what it says. (That is, if you can find the file on the hard disk, of course, which is not always as easy as it sounds.)”
– Posted by FreewheelinFrank

You are certainly right there! I had to go into the system folder properties and uncheck the ‘Show protected OS files’ option just to even see the file!

I will check those scanners this evening when I get home. Thank you for the tips!

“Check the application security list for this process and see if your friend has created a rule to allow vwm33.exe access to the internet. If so, delete the rule and don’t allow further access.”
– Posted by FreewheelinFrank

Are you referring to my Firewall (Zone Alarm) and its program control where you set which programs to allow internet access, or are you referring to something else?

Bingo

Click ‘verify installation’ here:

http://java.com/en/download/windows_xpi.jsp

It should be 1.5.0_5.

Note: it’s vital to uninstall older versions of Java from add/remove programs otherwise malware can exploit vulnerabilities in older versions still installed to run on your computer.

“Are you referring to my Firewall (Zone Alarm) and its program control where you set which programs to allow internet access, or are you referring to something else?”
– Posted by Bingo969

Yes, ZA.

“He ALSO found that now vwm33.exe was suddenly cleared through Zone Alarm for internet access!”
– Posted by Bingo969

Check that an allow-access rule for the malware hasn’t inadvertently been created.

Good luck with the online scans: Jotti or Virus Total should tell us what we’re dealing with.

Current update -

Progress is being made, thanks directly to you all!

First - the simple stuff.

I have now updated to Java 1.5.0_5. I was NOT previously current (Even though I just recently spent like 3 hours updating everything through Windows Update. grrrr). I also uninstalled the previous version. I would never have thought of that bit on my own. Thank you!

Since that first time I found it was allowed access, the program has stayed as being shut off from internet access by Zone Alarm. I do have to be realistic and accept the possibility that I had somehow screwed up and allowed it instead of denying it, but I still don’t think I did.

On to the good yet also more complicated:

The two on-line places did have a few positive ID’s on the program! Not many, but there were some, and they all are same/similar.

The tough question is… Now what the heck do I do? I know I can just delete the file, but obviously I would need to know what has been affected and how to check the registries and such. Any hints there?

Here are screen shots of what was found:

Which program, avast or Java, are you talking about?

Send the file to Chest. Do not delete it if you’re not sure, absolutely sure… and we’re never absolutely sure ;D
Send the file to Chest. It will be safe there and can’t hurt you. On contrary, it could be restored if you do something wrong.

I was meaning the program that appears to be the virus, vwm33.exe

“Now what the heck do I do? I know I can just delete the file, but obviously I would need to know what has been affected and how to check the registries and such. Any hints there?”
– Posted by Bingo969

“Send the file to Chest. Do not delete it if you’re not sure, absolutely sure… and we’re never absolutely sure ;D Send the file to Chest. It will be safe there and can’t hurt you. On contrary, it could be restored if you do something wrong.”

I have done this.

However, today the program is back. Grrrrr. I suspect the thing to do will be to get one of the programs that recognizes it as a virus. Perhaps they will be able to delete it?

B

I would recommend an online scan at Kaspersky. It takes a long time but is very thorough.
http://www.kaspersky.com/remoteviruschk.html
They have a virus removal tool as well: http://www.kaspersky.com/removaltools
Good luck :)

kolweb.g is detected by a-squared:

http://www.emsisoft.com/en/malware/stats/

a-Squared’s scanner is free (You pay for real-time protection.)

http://www.emsisoft.com/en/

This should remove the Trojan, and it’s also good to keep on your system as a double check.

I installed and ran Kaspersky, and so far that seems to have resolved the issue!

It found about 12 separate instances of the Kolweb virus!!

Here’s hoping that this does in fact solve the issue.

Thank you all for your assistance. I would not have been able to solve this without your help!

B

Glad you found an answer. Sad avast! couldn’t remove the Trojan for you. Some people say that detection rate isn’t everything, but Kaspersky’s detection rate just won over another customer, if perhaps just temporarily?

I will say that I do so far prefer Avast!.

However, at least in this case where I had a specific problem that needed to be solved, I sadly really had the choice made for me.

Who knows but that maybe in the future there will be a situation where Avast! can solve the problem where no one else can! Heh, no offense but I sure as heck hope I don’t run into something like this again!

If nothing else, it was you folks, the community here that eventually solved my problem, even if it was pointing me to a different product that actually did the work. Without your help, I wouldn’t have even known where to look.

So in that aspect, it was still Avast! that got me to the solution. :slight_smile:

Thanks again -

Bingo

Forum wins again 8)
Welcome and thanks for sharing your confidence in our help.