Virus doesn't want to be removed

Hello,

I have avast free installed on my computer.
I received a virus from an ICQ user.
I know… I made a mistake and accepted it… :frowning:

avast keeps detecting the virus WIN32:Warezov-LE [wrn] in the file
c:\windows\chater.exe[Upack]

I choose the delete option, but after some time, or at the next restart, the message comes back.

I tried many ways to scan my computer:

  1. Online virus scanning in safe mode; it found some infected DLL files that are not important, so I deleted them.
  2. Used HijackThis.
  3. Checked the registry:
    HCR\Software\Microsoft\Windows\CurrentVersion\Run
    HCR\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    HLM\Software\Microsoft\Windows\CurrentVersion\Run
    HLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

I don't see any unwanted program in the registry.

Can somebody help me with this problem?

Hi kolola,

Could you post your HijackThis! log for us to look at?

Hi FreewheelinFrank,

Here is my HijackThis logfile; it's a long file.
I hope that you can help me.

There are some strange .exe and .dll files in your log that look very suspicious. I'd recommend downloading Ewido anti-malware (now AVG) and scanning with it.

http://www.ewido.net/en/

There is also at least one item of Adware, so I’d recommend a scan with two free anti-adware/spyware programs, Ad-Aware and Spybot Search & Destroy:

http://www.download.com/3000-2144-10045910.html

http://www.safer-networking.org/

Can you please post a new HijackThis! log after you have completed these scans?

I’d also suggest installing a free third-party firewall like Zone Alarm so you can control outgoing connections from your computer. Here is a page giving information about how to set up ZA:

http://www.zonelabs.com/store/content/support/zasc/gettingStarted.jsp?anchor=alerts&lid=zasupp_u

The entries I was suspicious of are definitely Warezov spreading through ICQ:

http://forums.techguy.org/security/509040-worm-waresov.html

http://viry.cz/forum/viewtopic.php?t=21484

Unfortunately the HijackThis! entries mean it is starting up early with Windows and injecting itself into various processes, which will make it difficult to remove.

If Ewido fails, try DrWeb’s CureIT!

http://download.drweb.com/drweb+cureit/

Hi,

I tried AVG:
http://www.ewido.net/en/
AVG detected Warezov, deleted it and quarantined it.
I needed to restart Windows to complete the procedure; after the reboot Windows doesn't work.
I have a password on my user account, and Windows freezes before the login screen.
I tried to load in safe mode; it also freezes.

Can you boot into Safe Mode with Command Prompt?

If you can, run System Restore from Command Prompt as described here:

http://support.microsoft.com/kb/304449

Hi,

I disabled System Restore.
I installed Windows on another hard drive with BitDefender and AVG Anti-Spyware.
I connected my infected hard drive as a slave and ran a scan.
After that I am thinking of repairing Windows with the CD.
What do you think?

Which antivirus and antispyware would you recommend as the best?

You may be able to get windows running again if you can delete the malware files and remove the registry entries which are starting the malware.

Can you use HijackThis! on the disk? I’ve never tried this from another disk. If you can, deleting these entries (which are the ones that start the malware very early) may solve the problem:

O20 - AppInit_DLLs: cfgmmprm.dll confcon.dll constat.dll
O20 - Winlogon Notify: conmgr - C:\WINDOWS\SYSTEM32\conmgr32.dll
O20 - Winlogon Notify: uregdeve - C:\WINDOWS\system32\uregdeve.dll

(You could also use a registry editing program to do this, although this would require a good deal of computer expertise.)

You should also remove this entry:

O4 - HKLM..\Run: [egdiag] C:\WINDOWS\system32\yapconf.exe

Whichever AV you choose, remember that new variants of Warezov are emerging every day, if not every few hours: this worm has infected computers protected by Kaspersky, for example, which has a reputation for one of the best detection rates in the business.

So if you click files in ICQ, nothing is going to give 100% protection!

Hi,

Thanks, I will try this.
Before my Windows crashed, I removed those entries with HijackThis, but they came back.

I hope that I can remove them from the registry through another hard drive; maybe a tool exists for this procedure.

Before my Windows crashed, I removed those entries with HijackThis, but they came back.

While the malware is active in memory, the registry entries are protected, so you cannot remove them. This malware injects itself into various Windows processes very early in the boot process, which makes removing the entries almost impossible.

As you are booting from another disk, the malware won’t be in memory, so there is nothing to prevent you editing the registry and deleting these entries.

Scanning the disk with Ewido may well do this, as it does a registry scan: I’d try that first.

EDIT: The O20 section in the bleepingcomputer.com HijackThis! guide gives the location of the registry key and a link to a tool you can use to edit the registry, if you feel you are knowledgeable enough to attempt this.

http://www.bleepingcomputer.com/tutorials/tutorial42.html#O20Diag

OK.

I loaded the registry from a clean Windows installation with
Start → Run → regedit, File → Load Hive

I removed those entries.
I found on the Symantec site the removal instructions for all the W32.Stration variants.

I think the registry is clean.
I will try reconnecting my hard drive and booting Windows.
If it freezes I will repair it and recheck the drive for the virus.

I will post the result
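The offline-hive procedure described in the posts above (attach the infected disk to a clean Windows installation, load its SOFTWARE hive, delete the O20 AppInit_DLLs, O20 Winlogon Notify and O4 Run entries from the HijackThis log, then boot it) can be done from a script rather than by hand in regedit. The following is an added PowerShell example, not something posted in this thread or shipped by any of the tools mentioned. It assumes an elevated PowerShell on the clean system (PowerShell did not ship with Windows XP in this era, so a newer Windows or rescue system is assumed), that the infected installation is mounted as E:\WINDOWS (the thread never states the drive letter), and that the entries to remove are exactly the ones quoted from the log.

```powershell
# Added example: clean Warezov/Stration start-up hooks from an OFFLINE Windows
# installation's SOFTWARE hive. Because the infected Windows is not running,
# nothing is in memory to re-create or protect the keys.
# Assumptions (not from the thread): infected Windows at E:\WINDOWS, script run
# elevated, entry names taken from the posted HijackThis log.
param(
    [string]$OfflineWindows = 'E:\WINDOWS',   # assumption: drive letter of infected disk
    [switch]$Remove                           # without -Remove the script only reports
)

$hivePath = Join-Path $OfflineWindows 'system32\config\software'
$mount    = 'HKLM\OfflineSoftware'            # temporary mount point for reg.exe
$mountPS  = 'HKLM:\OfflineSoftware'           # same key as a PowerShell provider path

# Names copied from the O20 / O4 lines quoted in the thread.
$badAppInit  = @('cfgmmprm.dll', 'confcon.dll', 'constat.dll')
$badNotify   = @('conmgr', 'uregdeve')
$badRunNames = @('egdiag')

if (-not (Test-Path $hivePath)) { throw "SOFTWARE hive not found at $hivePath" }

# reg.exe load attaches the offline hive under the mount key (requires admin).
& reg.exe load $mount $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed: run elevated and make sure the hive is not in use' }

try {
    $winKey    = "$mountPS\Microsoft\Windows NT\CurrentVersion\Windows"
    $notifyKey = "$mountPS\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    $runKey    = "$mountPS\Microsoft\Windows\CurrentVersion\Run"

    # O20 AppInit_DLLs: every DLL listed here is loaded into every process that links user32.dll.
    $appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    Write-Host "AppInit_DLLs = '$appInit'"
    if ($appInit) {
        # Keep whatever is not on the bad list; the value is space- or comma-separated.
        $keep = ($appInit -split '[ ,]+' | Where-Object { $_ -and ($badAppInit -notcontains $_) }) -join ' '
        if ($keep -ne $appInit) {
            Write-Host "  -> AppInit_DLLs would become '$keep'"
            if ($Remove) { Set-ItemProperty -Path $winKey -Name AppInit_DLLs -Value $keep }
        }
    }

    # O20 Winlogon Notify: each subkey names a DLL that winlogon.exe loads at logon.
    foreach ($name in $badNotify) {
        $sub = Join-Path $notifyKey $name
        if (Test-Path $sub) {
            $dll = (Get-ItemProperty -Path $sub -Name DLLName -ErrorAction SilentlyContinue).DLLName
            Write-Host "Winlogon\Notify\$name -> $dll"
            if ($Remove) { Remove-Item -Path $sub -Recurse -Force }
        }
    }

    # O4 HKLM Run: an ordinary autostart value.
    foreach ($name in $badRunNames) {
        $val = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $val) {
            Write-Host "Run\$name = $val"
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $name }
        }
    }

    # Show what is left so anything not on the list can be checked by hand.
    Write-Host "`nRemaining Winlogon Notify subkeys:"
    Get-ChildItem $notifyKey -ErrorAction SilentlyContinue | ForEach-Object { '  ' + $_.PSChildName }
    Write-Host 'Remaining HKLM Run values:'
    (Get-ItemProperty $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object { "  $($_.Name) = $($_.Value)" }
}
finally {
    # Always unload, otherwise the hive stays locked and the offline Windows cannot use it.
    [GC]::Collect()                         # release PowerShell's handle on the mounted key
    & reg.exe unload $mount | Out-Null
}
```

Run it once without -Remove to see what it would change, then with -Remove. Two caveats a practitioner would add: this only removes the start-up hooks, so the DLLs and executables they point to (and chater.exe) still have to be deleted from the offline disk; and the per-user HKCU Run keys live in each profile's NTUSER.DAT, which is a separate hive that would have to be loaded and checked the same way.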

Hello,

I have the result of my process.
After the scan, the files with the virus were deleted.
I successfully removed the entries from the registry from another Windows installation.
Windows came back; I can log in to my user account.
I rescanned my drive with AVG Anti-Spyware; it found one file in the restore folder.

I am posting the new HijackThis log file.
Some lines have (file missing); what does that mean?
How does the file look now?

Glad to see you got your computer back to life!

The malware entries have certainly gone from the HijackThis! log.

(file missing) sometimes only means that HijackThis! cannot find the file. This is true for the O23 avast! entries. This is perfectly normal when the program is working OK.

This may well be true for the BitDefender entries as well.

The other (file missing) entry is for Remote Packet Capture Protocol:

http://www.bleepingcomputer.com/startups/rpcapd.exe-7147.html

Again the (file missing) tag may not mean there is any problem, and I reckon it’s best to leave it.

Hi,

Thanks for your help.
I have noticed this is not the end of this virus :cry:

I have 2 SATA drive and one IDE drive
My windows is installed on the SATA drive.

I removed the second SATA drive to check that my Windows boots.
When I reconnect the second SATA hard drive, Windows freezes; I haven't looked into this yet.
Do you have an idea?

At the moment the second sata drive is not connected.

I rescanned my drive with BitDefender; it found 2 files with the STRATION virus.
It's a little strange… I scanned this drive when it was connected as a slave and removed all the files infected by this virus.
Maybe the registry was not completely cleaned.

I hope BitDefender has finally removed those 2 files…

It would be better to make a backup and format my drive…
I really don't want to do that… I have a lot of things on my drive :frowning:

SATA drives are outside my experience, I’m afraid. Maybe somebody else can help you.

A good double-check for signs of Warezov would be to run DrWeb’s CureIT!:

http://download.drweb.com/drweb+cureit/