Well that was fun…
I just spent 5 days cleaning my system out from this worm. AVAST free edition didn't EVER pick it up, so I installed AVG, it picked up the worm - but couldn't find the dropper!
In the end - I had to install PREVX1 to block it, and then slowly but surely go through my system checking ALL my files to find the bleeding dropper - and the only way I could do this? I had to set the columns to show the date of creation and modification!
Just for info, it turned out to be a copy of NOTEPAD which I had to delete and then replace with a copy from the original sp1 version from CD just to make sure!
Any reason why AVAST didn't pick up anything?
The virus goes by different names on different sites:
Email-Worm.Win32.Warezov.a (Kaspersky)
W32.Stration.A@mm (Symantec)
W32/Spamta.A.worm (Panda)
W32/Stration-A (Sophos)
W32/Stration.A (Norman)
W32/Stration@mm (Fortinet)
Win32/Stration.A (ESET)
Worm.Stration.A (ClamAV)
WORM_STRATION.A (Trend Micro)
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click ‘Yes to all’ if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the next icon next to the files found:
If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web Cureit.
Reboot your computer!! It is possible that files in use will only be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.
You possibly got infected by a very new variation. Please send it to virus[at]avast.com in a password protected .zip file, along with a short description and the password to un-zip the file.
Here's the news guys … Avast still can't handle it five days later!!
My son's machine is infected with what Avast identifies as Warezov-LE. It spots it and moves it to the chest, but after a reboot it reappears. Avast is not picking up the root dropper.
After 18 months of telling everyone how wonderful Avast and Alwil are, I am beginning to have my doubts.
As a side comment, Symantec has a general how to remove Warezov section, but this variant does not have the same registry entries that they identify.
Should NOT expect Avast to deal with every piece of malware coming through the phone lines; should have a "layered" defense, which includes antiSPYWARE program(s), antiTROJAN program(s), a 2-way firewall and at least one rootkit detection program.
This link gives a bad file, but if you go to the drweb site it will lead you to another link which is downloading very slowly, but then I guess it is very busy too …
Avast sees the created files & handles them, but it doesn’t stop the mailer sending out emails, it just keeps trapping the executable …
Having a very good idea of when the infection occurred, I ran a Search on Windows/System32/ and looked for files created in that 24 hour period and set them up for Deletion by Dr. Delete
Then I ran Dr. Web Cureit … that didn't pick up Stration/Warez, but it did find 18 other "items" that Avast doesn't see, mebbe one or more were related?
Then I ran AVG, and it found what it identified as a Stration.
As it was the middle of the night and the only other thing I had to do was sleep, I then reran Cureit, and then another AVG scan. Both came up clean.
Now, fingers crossed …
Can I send a file from the AVG chest to Avast? Would it help?
3) Then I ran Dr. Web Cureit .... that didn't pick up Stration/Warez, but it did find 18 other "items" that Avast doesn't see, mebbe one or more were related?
I think Drweb is identifying Warezov/Stration as Win32.HLLM.Limar: