For the past two weeks, Avast keeps finding this virus Win32:Trojano-3239 every morning in a subdirectory of %TEMP%\AAWTMP\ in a file called WPA.exe. The subdirectory always changes. Each day I tell it to either delete it or move it to the chest, and each day it reappears. I did a Google search and wound up at this Symantec page about the virus. Symantec has a removal tool on the page, which I tried running. It searched all my hard drives and found nothing (this was after I had moved it to the Avast chest). I am at a loss here as to how to make this go away. As a matter of fact, I'm really not even sure if it is an actual virus, or just a misidentified one. The AAWTMP directory and the fact that it reappears every morning leads me to believe that it may have something to do with Ad-Aware, which is set to run a background scan every morning at 10:00 AM. Does anybody have any ideas?
Here is a copy of my log file:
12/29/2005 10:17:52 AM SYSTEM 1960 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C406968812\C3360\WPA.exe" file.
12/30/2005 10:18:15 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C73199531\124D80\WPA.exe" file.
12/31/2005 10:20:10 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C159596843\24DAAA\WPA.exe" file.
1/1/2006 10:18:16 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C245996890\3211EC\WPA.exe" file.
1/2/2006 10:18:18 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C332396046\1CBED\WPA.exe" file.
1/3/2006 10:17:45 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C418796390\CD2CF\WPA.exe" file.
1/4/2006 10:18:07 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C505204625\409CA1\WPA.exe" file.
1/5/2006 10:18:27 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C591605343\115154\WPA.exe" file.
1/6/2006 10:19:19 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C678005187\2B0B79\WPA.exe" file.
1/7/2006 10:18:20 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C764405000\32033C\WPA.exe" file.
1/8/2006 10:18:35 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file.
1/8/2006 3:35:15 PM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file.
1/9/2006 10:18:39 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C937217687\3340E4\WPA.exe" file.
1/10/2006 10:18:27 AM Scott A. Nelson 1056 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C52776859\219C5D\WPA.exe" file.
1/11/2006 10:18:35 AM Scott A. Nelson 300 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C54469000\3BE955\WPA.exe" file.
1/12/2006 10:21:19 AM Scott A. Nelson 2036 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C51922812\148BC9\WPA.exe" file.
From the Symantec link, we know this is the Esbot worm. As the removal tool doesn’t find it, it could be a new variant. avast! will have problems removing the worm even during a boot time scan, as wpa runs as a service. The malware also injects itself into explorer.exe. (avast! has a problem dealing with process injecting malware.)
# Runs itself as a service:
Service Name: wpa
Display Name: Windows Product Activation
Path to executable: %System%\wpa.exe
Injects itself into explorer.exe.
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.b.html
Ewido anti-Trojan is good at removing malware which injects itself into other processes, so you could try that:
Here’s a procedure for dealing with a malware running as a service, as described by doc_esb, who obviously knows what he’s talking about:
http://forum.avast.com/index.php?topic=18381.msg156364#msg156364
My advice would be to kill the service and then run Ewido to deal with the process injecting malware, if still present.
Actually, my advice would be to try Trend Micro Sysclean, which seems to be a lot better at removing sophisticated malware:
If you are not a Trend Micro customer please download the following file.
http://uk.trendmicro-europe.com/enterprise/support/tsc.php
For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.
http://uk.trendmicro-europe.com/enterprise/support/pattern.php
Well, the thing is, I don't think this file ever gets run. It's a file in the temp directory that keeps reappearing once a day, every day around 10:15 AM, which is just about the time the Ad-Aware scan should be finishing up. It's not in the Windows or System32 folder, and any scans will reveal nothing. I'm running the Trend Micro program right now, and so far it hasn't found anything; however, one interesting thing to note is that I had to disable Avast to run the program, because Avast thought that the removal program was itself a virus!
1/12/2006 6:23:38 PM Scott A. Nelson 2036 Sign of "VBS:Redlof" has been found in "C:\PROGRA~1\MOZILL~1\sysclean.exezz" file.
1/12/2006 6:23:48 PM Scott A. Nelson 2036 Sign of "VBS:Redlof" has been found in "C:\Program Files\Mozilla Firefox\sysclean.exezz" file.
I’m thinking that I don’t actually have a virus at all, and Avast is just screwing up, but it’s damn annoying.
The avast! detection of a virus in Sysclean is a false alarm, don’t worry.
Just search the forum for VBS:Redlof.
One AV can detect the virus definitions of another AV or anti-spyware program.
Exactly. I’m thinking that’s what’s causing this WPA virus scare that Avast keeps notifying me about. Like I said, it seems to happen just after an Ad-aware background scan, and at no other time, and no other virus removal tool can find any indication of this, or any other virus.
Ooops! Yes, this is just avast! detecting Ad-Aware’s definition files as they are temporarily un-encrypted during a scan.
AAWTMP is the Ad-Aware temp folder.
Just ignore my previous posts except this one:
One AV can detect the virus definitions of another AV or anti-spyware program.
I think that’s what was happening. :-[
OK, so is there any way to make this stop other than excluding the AAWTMP folder and all its subdirectories? That doesn’t sound like it’s exactly safe. Should the files in quarantine be sent somewhere so that the developers can fix the problem?
This is a known phenomenon- see here for example:
http://forum.avast.com/index.php?topic=12522.msg107124#msg107124
AAW: This is the temporary folder of Ad-Aware, which it uses for unpacking/scanning archives. It usually exists only during a scan with Ad-Aware, unless Ad-Aware crashes and doesn't clean it up after scanning.
It may be that you do have a copy of the worm in an archive somewhere on your disk but not in an active form. Have you done a scan with avast! with the scan archives box ticked? That might be worth doing.
Apart from that, you could temporarily disable avast!'s on-access scanning while scanning with Ad-Aware. This applies to other AV or anti-spyware scanners as well, as you found with Trend Micro. avast! can sometimes detect virus definitions as the virus itself.
Sanelson:
If your problem involves Ad-Aware, I suggest you ask the Experts on the forums at www.landzdown.com; this forum is staffed by ALL the Experts who used to provide advice on the now-defunct Lavasoft Ad-Aware Support forums.
Why is this? I added T:\Temp\AAWTMP* to the exclusions list, and this morning, I still got a warning, that it had found the trojan in T:\Temp\AAWTMP\C22956343\B7388\WPA.exe.
There are in fact two exclusion lists: one in the program settings, for on-demand scanning, and the other in the Standard Shield settings, for on-access protection (the resident shields).
Which one are you referring to?
The one in program settings. I guess I should be using the other one? Does the on-access exclusion list include subfolders, if I type “T:\TEMP\AAWTMP*”?
So, the on-demand exclusion list.
If you're not running a scan and the message appears, it means the on-access scanner is touching the files.
And yes, the exclusion list understands wildcards and includes subfolders.
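The thread's diagnosis rests on two checks a practitioner would want to make before excluding a folder: do the detections line up with another scanner's scheduled run, and does the exclusion pattern actually cover the paths in the log? The script below is an added example and not part of the thread or of avast!'s own tooling. It parses warning-log lines in the format quoted above (constructed sample lines, with made-up user names), models the exclusion semantics the reply describes (`*` and `?` wildcards, `*` spanning path separators, case-insensitive, so `T:\Temp\AAWTMP*` covers every subfolder), and flags each detection as scanner-temp noise inside the scheduled window, scanner-temp noise outside it, or something to investigate. The 10:00 AM start and 30-minute window are assumed parameters, not values from the page.

```python
import re
from datetime import datetime, time, timedelta

# Constructed sample in the format avast! 4.x wrote to its warning log.
# Paths mirror the kind of entries in the thread; times and user names are
# made up for this example.
SAMPLE_LOG = r"""
1/8/2006 10:18:35 AM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file.
1/8/2006 3:35:15 PM SYSTEM 1768 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C850803531\1D42DE\WPA.exe" file.
1/12/2006 10:21:19 AM Local User 2036 Sign of "Win32:Trojano-3239 [Trj]" has been found in "T:\Temp\AAWTMP\C51922812\148BC9\WPA.exe" file.
1/12/2006 6:23:48 PM Local User 2036 Sign of "VBS:Redlof" has been found in "C:\Program Files\Mozilla Firefox\sysclean.exezz" file.
"""

# One warning-log line: timestamp, user (may contain spaces), pid, signature, path.
LOG_LINE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>.+?) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)


def parse_log(text):
    """Parse warning-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "user": m["user"],
            "pid": int(m["pid"]),
            "sig": m["sig"],
            "path": m["path"],
        })
    return records


def exclusion_regex(pattern):
    """Turn an avast!-style exclusion (wildcards * and ?) into an anchored,
    case-insensitive regex. '*' may span path separators, which is what makes
    a pattern like 'T:\\Temp\\AAWTMP*' cover every subfolder (assumed model of
    the behaviour described in the thread)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_excluded(path, exclusions):
    """True if the path matches any exclusion pattern."""
    return any(exclusion_regex(p).match(path) for p in exclusions)


def in_scan_window(ts, scan_start, window_minutes):
    """True if ts falls within [scan_start, scan_start + window) on its own day."""
    start = datetime.combine(ts.date(), scan_start)
    return start <= ts < start + timedelta(minutes=window_minutes)


def triage(log_text, exclusions, scan_start=time(10, 0), window_minutes=30):
    """Classify each detection relative to the exclusions and the other
    scanner's scheduled window (scan_start/window_minutes are assumptions)."""
    out = []
    for rec in parse_log(log_text):
        excluded = is_excluded(rec["path"], exclusions)
        windowed = in_scan_window(rec["ts"], scan_start, window_minutes)
        if excluded and windowed:
            verdict = "scanner-temp"               # unpacked definitions during the scheduled scan
        elif excluded:
            verdict = "scanner-temp-off-schedule"  # same folder, but not when the scan should run
        else:
            verdict = "investigate"                # not covered by any exclusion
        out.append({**rec, "excluded": excluded, "in_window": windowed, "verdict": verdict})
    return out


def summary(records):
    """Count detections per verdict."""
    counts = {}
    for r in records:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, [r"T:\Temp\AAWTMP*"])
    for r in results:
        print(f'{r["ts"]:%Y-%m-%d %H:%M} {r["verdict"]:26} {r["sig"]:28} {r["path"]}')
    print(summary(results))
```

Note that `T:\Temp\AAWTMP*` also matches a file named `T:\Temp\AAWTMPfoo.exe` sitting next to the folder; `T:\Temp\AAWTMP\*` is the tighter pattern if only the folder's contents should be excluded. A detection in that folder outside the scheduled window is worth a second look (a manual Ad-Aware run explains it; nothing else should be writing there), and anything outside the folder keeps the normal response.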