Help I've got worms



samantha1303
24th February 2007, 22:45
When I run adaware, avast pops a warning up telling me that I have a worm.
It says C:\DOCUMENTS~1\OWNER\LOCALS~1\TEMP\AAWTMP\C8572093\324050\SET.

WIN32:VIBPACK

I have been to docs, owner etc. and removed the file called aawtmp (no idea what it was but deleted it anyway) but the warning is still popping up.
I moved it to chest ( I guess this is like quarantine ) which was recommended but it still keeps saying I have it.

How can I get rid of it?
I have looked on the net but can't understand most of it.

GlosRFC
25th February 2007, 02:46
Sounds like this should really be in the health forum from the title....

....first things first. The file name was a clue. AAW suggests that it's a temporary Adaware file and, as it's in your TEMP folder, your deleting it shouldn't be a problem.
So here's what is actually happening. When you run Adaware it will decompress files to check them out but without actually running them. It will also decompress any quarantined areas too including any viruses that have been safely placed there by Avast. Fortunately, it doesn't actually run them - all it's doing is checking to see if the file contains anything that resembles spyware. Unfortunately, when it decompresses them, your AV software does recognise that the file now contains the virus structure (even though it's safely contained within Adaware's temporary file), flags it up, and then asks if you want to put it into quarantine. If you say yes, it does so.

But now, when Adaware has finished running and tries to delete the temporary file, the virus file has already been quarantined so Adaware isn't able to properly close the temporary file it created. That's why you found the string of AAWTMP folders in your temporary folders.

In a nutshell, it's actually a false alarm - your AV is detecting the temporary file that Adaware is creating and then trying to quarantine it. Try running Adaware with Avast turned off. Then, when Adaware has finished, turn Avast back on and run that. You should find that both programs work fine, neither of them find this mysterious WIN32:VBPACK, and Adaware will have successfully deleted its AAWTMP folders when it's finished.

Here's an idiot's guide to what's happening:

Avast decompresses every file including anything held in Adaware's quarantine area. If it finds a suspicious virus-like file it puts it into Avast's quarantine area (called the chest). Obviously, it doesn't have to search the chest anymore because that's quarantined.

Adaware decompresses every file including anything held in Avast's chest. If it finds a suspicious spyware-like file it puts it into Adaware's quarantine area.

BUT

When Adaware searches Avast's chest, it puts the contents into a temporary file which is now stored outside the chest. Avast (and other AV programs) immediately spot this suspicious virus-like file lurking outside the quarantined chest area and flags it up for attention. Adaware carries on decompressing other files because it's only concerned with finding spyware and knows no different.

You say yes to Avast's request to quarantine the suspicious virus-like file so Avast removes it from Adaware's temporary file and slaps it back inside the chest again.

Now Adaware has finished running and it hasn't found any spyware. So it tries to close its temporary file but it finds that a) this temporary file has been changed and b) the chest it decompressed it from has also changed because Avast has rewritten to that area when you told it to quarantine the suspicious virus-like file. So it just ignores the temporary file on the assumption that it's best not to delete anything if you haven't told it to. And, because Adaware is only concerned with spyware, that's job done and it closes.

samantha1303
25th February 2007, 03:31
Hi Glos, thank you for the help.

Does this mean because it is in the chest that I don't have worms anymore or do I need to still remove it somehow?

With adaware you can delete what is in quarantine, but with avast you can not delete what is in the chest. You can look to see what is in there but you can't do anything with it.

By the way if you go into quarantine in adaware and delete what is in there does that take it off your pc? Is this something you should do?

In between my post and your reply I looked around the net again and I found some info on it, it was written in computer talk so most of it went over my head but it recommended using a different checker to see what happened, having read your post above I now know they were meaning what you have said about adaware and avast.
Anyhow I downloaded a spyware/malware checker and this is what it found -

C:\PROGRAM FILES\WINUPDATES\a.TMP
Trojan Fake Setup.

Is this the same thing as the vibpack?
It wouldn't remove anything it was just a free scan.
I looked in program files and I can't find anything called winupdates.
I did a search for a.tmp but nothing came up there either.
There is nothing in avast chest apart from vibpack.

GlosRFC
25th February 2007, 04:39
That's correct...no need to do anything at all. It's just a false alarm generated by Avast when Adaware runs.

It's up to you if you delete stuff from Adaware's quarantine. It puts files there just in case it breaks something when it moves them. If everything is working fine you can remove stuff.

Winupdates/a.tmp IS a worm which was installed when you ran a zip file containing an executable setup file. If you use Limewire, it's almost certainly where you picked it up from. Make sure that there isn't another file in that folder called setup.exe. It might be hidden so, in your My Computer window, click on Tools, Folder Options and select the option to show hidden files.

It also affects the following files:
%SystemRoot%\SYSTEM32\netstat.com - size 2 bytes
%SystemRoot%\SYSTEM32\ping.com - size 2 bytes
%SystemRoot%\SYSTEM32\regedit.com - size 2 bytes
%SystemRoot%\SYSTEM32\taskkill.com - size 2 bytes
%SystemRoot%\SYSTEM32\tasklist.com - size 2 bytes
%SystemRoot%\SYSTEM32\tracert.com - size 2 bytes
%SystemRoot%\SYSTEM32\cmd.com - size 2 bytes
%SystemRoot%\SYSTEM32\taskmgr.exe - size 87,824 bytes

and it makes a change to your registry. Best advice is to go to www.pandasoftware.com and run their active scan to see if it removes it.

Alternatively, you can delete it manually.
First delete the file a.tmp and the setup.exe file if it's there. Also delete the Winupdates folder. You might have to change the attributes of the folder/files if Windows doesn't let you delete them.
Then check your Windows\System32 folder by navigating there via My Computer. Click on View, Details and check the files listed above - only if the file sizes in your directory match the ones above do you need to delete them as well. If they're different sizes from those above, then they're fine and you can leave them be.

Next you'll need to extract the original files back from your original Windows disk. This is important as you need to run regedit.exe in order to delete the entry it made in your registry. This entry is
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates
with the value "%ProgramFiles%\winupdates\winupdates.exe /auto" - usual caveats apply though. Don't make changes to your registry if you don't know what you're doing.

If you're lucky, the original Windows CAB files might be on your hard disk and you can extract them from there. If not, you need to find them on your Windows CD. Either way it's a pain so let me know if you have had to delete any of them and I'll email them or upload them somewhere for you.
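As an added example that is not part of the thread: a report-only PowerShell check for the indicators GlosRFC lists above (the 2-byte .com companions and the taskmgr.exe size in System32, the winupdates folder, and the Run entry). It assumes only the paths and sizes stated in the post, and it deletes and changes nothing.

```powershell
# Added example: report-only check for the indicators listed in the post above.
# It deletes nothing; it only prints what matches so you can decide what to do.
$system32 = Join-Path $env:SystemRoot 'System32'

# Expected sizes from the post: the .com companions are 2 bytes, taskmgr.exe is 87,824 bytes.
$indicators = @{
    'netstat.com'  = 2
    'ping.com'     = 2
    'regedit.com'  = 2
    'taskkill.com' = 2
    'tasklist.com' = 2
    'tracert.com'  = 2
    'cmd.com'      = 2
    'taskmgr.exe'  = 87824
}

foreach ($name in $indicators.Keys) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path -Force).Length
        if ($size -eq $indicators[$name]) {
            Write-Output "MATCH   $path ($size bytes) - size matches the worm's file"
        } else {
            Write-Output "ok      $path ($size bytes) - size differs, leave it alone"
        }
    } else {
        Write-Output "absent  $path"
    }
}

# The dropped folder named in the post, including hidden files (-Force shows them).
$winupdates = Join-Path $env:ProgramFiles 'winupdates'
if (Test-Path -LiteralPath $winupdates) {
    Write-Output "FOUND   $winupdates"
    Get-ChildItem -LiteralPath $winupdates -Force | ForEach-Object {
        Write-Output "        $($_.Name) ($($_.Length) bytes, attributes: $($_.Attributes))"
    }
}

# The Run entry the post names; reading it makes no change to the registry.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$entry = Get-ItemProperty -Path $runKey -Name 'winupdates' -ErrorAction SilentlyContinue
if ($entry) {
    Write-Output "FOUND   $runKey\winupdates = $($entry.winupdates)"
} else {
    Write-Output "absent  $runKey\winupdates"
}
```

A matching 2-byte .com file is a companion that Windows runs in place of the real .exe when the command is typed without an extension, which is why the post says to restore the originals from the Windows disk afterwards.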

samantha1303
25th February 2007, 04:52
Thanks Glos I will keep you updated.