Alwayup Trojan - Repair, Quarantine, Delete Failed -- Access Denied?



Eli
07-09-2005, 10:48 PM
Hello:

I use Norton AntiVirus.

Was notified of an infection by Alwayup Trojan:

<<
Source: C:\WINDOWS\Temporary Internet Files\Content.IE5\0Z4RMI0I\aun_0036[1].exe
Click for more information about this threat : Trojan.Alwayup
>>>>>>

NAV log reports that Repair Failed, Quarantine failed, delete failed. Access
denied.

Does "Access Denied" mean it was refused access to other files? In other
words that the Trojan failed to access other files?

I used Windows Explorer to locate that file within the TIF folder. It showed
a size of 0 bytes, and that it was created at about the same time that the
AntiVirus alerts came on my monitor. I simply deleted it, with no problem.
Wondering if that zero byte size implies that the antivirus somehow stripped
it ....

I ran a complete Virus Scan with Norton Antivirus and it came out clean.

1) Does "Access Denied" mean it was refused access to other files? In other
words that the Trojan failed to access other files?

2) Is there anything else I should do to make sure I'm truly rid of this
Alwayup Trojan?

3) Can I safely delete all the contents of 0Z4RMI0I\ subfolder within my
Temp Internet Files w/o losing important data and/or programs?

Thanks in advance:

-eli

Catamount
07-09-2005, 10:48 PM
Most likely it means that the file was in use. Disconnect from the
Internet, go into safe mode <assuming you are using Windows> and run the
virus scan again. Also you can delete the temp Internet files.

David H. Lipman
07-09-2005, 10:48 PM
Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP FireWall to
allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shut down as many applications as possible!
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
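
An added example, not part of any post in this thread: before dumping the cache, a Python sketch that inventories a Content.IE5-style tree for executable-looking files and separates zero-byte stubs (like the 0-byte `aun_0036[1].exe` described above) from files that actually carry an MZ header. The function names and the sample tree are constructed for illustration; the sample files contain no real code.

```python
import os
import re
import tempfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}
CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.]+$)")  # IE appends [n] before the extension

def scan_cache(root):
    """Return findings for executable-looking files under a browser cache tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    magic = fh.read(2)
            except OSError as exc:  # e.g. file held open by another process
                findings.append({"path": path, "status": "unreadable: %s" % exc.strerror})
                continue
            ext = os.path.splitext(name)[1].lower()
            is_pe = magic == b"MZ"
            if not (is_pe or ext in EXEC_EXTS):
                continue  # ordinary cached content (images, HTML, ...)
            if size == 0:
                status = "zero-byte stub"       # name only, no payload on disk
            elif is_pe:
                status = "executable content"   # MZ header, whatever the extension says
            else:
                status = "executable extension, non-PE content"
            findings.append({"path": path, "size": size, "status": status,
                             "original_name": CACHE_SUFFIX.sub("", name)})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_cache(root):
    """Constructed sample tree mimicking Content.IE5 (placeholder bytes only)."""
    sub = os.path.join(root, "Content.IE5", "0Z4RMI0I")
    os.makedirs(sub)
    samples = {"aun_0036[1].exe": b"", "logo[1].gif": b"GIF89a....",
               "banner[2].jpg": b"MZ\x90\x00fake", "setup[1].exe": b"MZ\x90\x00fake"}
    for name, data in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in scan_cache(build_sample_cache(tmp)):
            print(f["status"].ljust(40), f["path"])
```

A file that cannot be opened is reported as unreadable rather than skipped, since a locked file is exactly the case where a scanner's repair, quarantine and delete actions fail.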

Eli
07-09-2005, 10:48 PM
David wrote:

<<<
Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>>>>

************************
I have a subfolder under the folder "Temporary Internet Files" titled:
"Content.IE5". The folders and files in that subfolder are not deleted when
I do the "Delete Files" operation you recommend above. I can however delete
those subfolders under "Content.IE5" manually if I choose to. Is the data in
that subfolder disposable? Can I safely delete them?

Incidentally, I did manually delete the TIF file which NAV initially claimed
was infected. I disabled "System Restore" and ran a full NAV scan and no
infections or threats were found.
In other words I followed Symantec's own recommendations for the
Alwayup.Trojan. I came out clean.

-Eli
******************************


David H. Lipman
07-09-2005, 10:48 PM
Good. Now did you run the McAfee Command Line Scanner like I asked you to?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

dpilloff@gmail.com
07-09-2005, 10:48 PM
I also run NAV on Win XP, and got the Alwayup Trojan notifier, with the
access denied message. What does the access denied mean?

