win32:warezov-mf[wrm]

Hi everyone, I picked up win32:warezov-mf[wrm] yesterday. I put it in the virus chest and it is quarantined. I then disabled system restore and ran another scan; it came up clean. I took the computer for a spin through Trend Micro PC-cillin HouseCall and BitDefender, and all gave me no virus found. Now is it safe to delete the entries in the virus chest or attempt to repair? I am running Windows XP Home, avast, ZoneAlarm Pro, Webroot Spy Sweeper, Spybot, Ad-Aware… Thank you

You have done the right thing: ‘first do no harm’, don’t delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Deletion isn’t really a good first option (you have none left): ‘first do no harm’, don’t delete; send the virus to the chest and investigate.

You can attempt a repair inside the chest; however, I doubt that it would work, as the file is likely to be entirely malicious rather than a genuine file that has been infected. For a repair to work in this case the file would also have to have been scanned by the VRDB process.

You didn’t say what the infected file name is or where it was found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Hi DavidR, thanks for your fast response. The name of the infected file is ati2mdxx.exe, of which I have 6 entries in the virus chest… and 2 entries in c:\windows\system32… I did an individual scan on each file while still in the chest… and all came out clean… I believe I may have a false positive… I will keep them in the virus chest and play it by ear… Thanks again for your help… danco135

A Google search for ati2mdxx.exe returns many hits http://www.google.co.uk/search?q=ati2mdxx.exe; this is only one: http://www.liutilities.com/products/wintaskspro/processlibrary/ati2mdxx/. So there is a possibility that it was a False Positive detection, though why it would not detect the files sent to the chest is beyond my comprehension. Unless of course you have had a VPS update since then which has corrected the FP.

You mention two entries in system32; are they for this same file? It shouldn’t be possible to have duplicates of the same file name in the same folder (so what are these file names)?

Yes DavidR, the file names that I have 2 entries for are dgsetup.dll in c:\windows \system32\dll.cache and dgsetup in c:\windows\system32\ … and yes, I did have a VPS update right after I got a virus warning from avast… danco135

I suggest you scan those files at VirusTotal (multi-engine on-line virus scanner) or Jotti (multi-engine on-line virus scanner). If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

A Google search for dgsetup.dll returns many hits, but it appears to belong to Digi International, which rings a bell; do you have a DigiMate TFT monitor (probably unrelated)?

Two of the hits also show an avast detection on this file, but they are both in French and I doubt you would learn anything more if you translated them. They are searching for answers also, so you should do the check using the multi-engine scanners and confirm one way or another if this is a good detection.

Will do DavidR (I don’t have a DigiMate TFT monitor)… I will go along with your advice… Thanks for your help… danco135

You’re welcome.

Let us know the outcome of the virustotal checks, etc.

I thought it was clutching at straws; I have a DigiMate 17" TFT as a backup monitor, and that is where I plucked the association from.

@ DavidR

vps file: 0644-3, 31.10.06 (only this file, day, not later)

on drive C:

01.11.2006 18:42:12 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\I386\DGSETUP.DL_\dgsetup.dll” file.
01.11.2006 18:47:21 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\I386\MANAGER.CAB\mwwdmhlp.dll” file.
01.11.2006 18:53:35 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\Ati2mdxx.exe” file.
01.11.2006 18:55:35 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\dgsetup.dll” file.
01.11.2006 18:55:52 SYSTEM 1700 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\dllcache\dgsetup.dll” file.
01.11.2006 18:56:00 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\dllcache\dgsetup.dll” file.

on original OEM Windows Installation CD:

05.11.2006 08:02:30 KLK 152 Sign of “Win32:Warezov-MF [Wrm]” has been found in “E:\I386\DGSETUP.DL_\dgsetup.dll” file.
05.11.2006 08:05:41 KLK 152 Sign of “Win32:Warezov-MF [Wrm]” has been found in “E:\I386\MANAGER.CAB\mwwdmhlp.dll” file.

Nothing found on original OEM CD by Kaspersky, F-Secure, Bitdefender

Complete scanning result of “dgsetup.dll”, processed in VirusTotal at
11/05/2006 09:45:44 (CET).

[ file data ]

  • name: dgsetup.dll
  • size: 86556
  • md5.: 95b589edd7e7f4c9e49564cfd20b778b
  • sha1: 708f35eb04f23cceb4a149d8afae84cc7bab60b2

[ scan result ]
AntiVir 7.2.0.37/20061103 found nothing
Authentium 4.93.8/20061105 found nothing
Avast 4.7.892.0/20061103 found nothing
AVG 386/20061104 found nothing
BitDefender 7.2/20061105 found nothing
CAT-QuickHeal 8.00/20061104 found nothing
ClamAV devel-20060426/20061105 found nothing
DrWeb 4.33/20061105 found nothing
eTrust-InoculateIT 23.73.45/20061103 found nothing
eTrust-Vet 30.3.3176/20061103 found nothing
Ewido 4.0/20061104 found nothing
F-Prot 3.16f/20061104 found nothing
F-Prot4 4.2.1.29/20061104 found nothing
Fortinet 2.82.0.0/20061105 found nothing
Ikarus 0.2.65.0/20061103 found nothing
Kaspersky 4.0.2.24/20061105 found nothing
McAfee 4888/20061103 found nothing
Microsoft 1.1609 /20061104 found nothing
NOD32v2 1.1853/20061103 found nothing
Norman 5.80.02/20061103 found nothing
Panda 9.0.0.4/20061104 found nothing
Sophos 4.10.0/20061026 found nothing
TheHacker 6.0.1.112/20061103 found nothing
UNA 1.83/20061103 found nothing
VBA32 3.11.1/20061104 found nothing
VirusBuster 4.3.15:9/20061104 found nothing

Is it a false positive?

karl99

Well, why don’t you test with 0645-4, 03.11.06, the latest version of the virus database?
Most probably false positives, and I suppose most of them (if not all) were corrected in the next VPS updates…

@ Tech

I did test with 0645-4, 03.11.06, found nothing.
Is that proof of a false positive, not probably but surely?
Why didn’t anyone else have the same problem, when it was with Windows original files?

Thank you for your very qualified answer.

karl99

I suspect that they are false positive detections also. As Tech said, you should update your VPS file; it is a week out of date, and that can make a large difference, as any detected and reported false positives are quickly corrected.

Ensure you have Auto Update set for the VPS updates so you don’t have an out-of-date VPS; it is essential to keep ALL security-based software fully up to date. Once you have updated it, scan them again. Any that are still detected, send the sample to virus @ avast.com (without the spaces), zipped and password protected, with the password in the email body and "false positive" in the subject.

Someone may have had the same problem and reported it as outlined above, and the VPS was corrected; you can now see why it is essential to keep it up to date. The other factor is how frequently you do an on-demand scan and the sensitivity of it. I only do a weekly Standard scan without archives, which would have ruled out many of your detections. Some might not do any on-demand scans, or only very infrequently, as the resident scanners can detect the same viruses, so they are providing a first line of defence.
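As an added triage example (not code from this thread, from avast or from any poster), the script below parses the avast log lines karl99 quoted earlier and flags which hits were unpacked from a compressed container (.DL_/.CAB); that is exactly the set a Standard scan "without archives", as DavidR describes, would never have reported. The list of container extensions is an assumption made for this example.

```python
import re
from collections import defaultdict
# The avast log lines quoted in the thread, used verbatim as sample input.
AVAST_LOG = r"""
01.11.2006 18:42:12 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\I386\DGSETUP.DL_\dgsetup.dll” file.
01.11.2006 18:47:21 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\I386\MANAGER.CAB\mwwdmhlp.dll” file.
01.11.2006 18:53:35 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\Ati2mdxx.exe” file.
01.11.2006 18:55:35 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\dgsetup.dll” file.
01.11.2006 18:55:52 SYSTEM 1700 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\dllcache\dgsetup.dll” file.
01.11.2006 18:56:00 KLK 1380 Sign of “Win32:Warezov-MF [Wrm]” has been found in “C:\WINDOWS\system32\dllcache\dgsetup.dll” file.
05.11.2006 08:02:30 KLK 152 Sign of “Win32:Warezov-MF [Wrm]” has been found in “E:\I386\DGSETUP.DL_\dgsetup.dll” file.
05.11.2006 08:05:41 KLK 152 Sign of “Win32:Warezov-MF [Wrm]” has been found in “E:\I386\MANAGER.CAB\mwwdmhlp.dll” file.
"""
# One detection line: date time user pid "Sign of <sig> has been found in <path> file."
LINE_RE = re.compile(
    r'^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>.+?)[”"] has been found in [“"](?P<path>.+?)[”"] file\.$')

# Assumed container extensions: .DL_/.EX_/.SY_ are makecab-compressed files and
# .CAB is a cabinet; a path component with one of these means the hit was
# unpacked from an archive, which an on-demand scan "without archives" skips.
CONTAINER_EXTS = ('.dl_', '.ex_', '.sy_', '.cab', '.zip')

def container_of(path):
    """Return the archive component the hit was unpacked from, or None."""
    for part in path.split('\\')[:-1]:   # only intermediate components count
        if part.lower().endswith(CONTAINER_EXTS):
            return part
    return None

def parse_avast_log(text):
    """Turn detection lines into dicts; non-matching lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['container'] = container_of(rec['path'])
            records.append(rec)
    return records

def summarize(records):
    """Distinct paths per signature (case-insensitive) and how many hits were in archives."""
    by_sig = defaultdict(set)
    for r in records:
        by_sig[r['sig']].add(r['path'].lower())
    return {'signatures': {s: sorted(p) for s, p in by_sig.items()},
            'records': len(records),
            'in_archives': sum(1 for r in records if r['container'])}
```

Run on the quoted log this yields 8 hits for one signature across 7 distinct files, 4 of them inside containers; the same hash (md5 above) turning up both in dllcache and unpacked from the OEM CD is what makes a false positive on a shipped Windows file plausible.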

Yes. It’s proof of a false positive. Virus signatures are not removed; I mean, the detections always increase; a detected one is never ‘removed’ from the database just to make it smaller.

Maybe because others aren’t using this file?
But, indeed, strange…