adober.exe

Hi, I did email a sample of adober.exe to virus@avast.com around a week ago. This adober.exe is basically the same as W32/RJump.worm. It’s worth pointing out that at the moment adober.exe seems to infest PCs in China/HK but no doubt it will spread further.

However, it seems this virus is still not being picked up by Avast. Is it possible someone from Avast could look into it and get the definitions updated? Thanks!
Graham Marsh
Hong Kong

Hi gmarsh,

It is part of a spyware install, and from the Chinese reports it appears on windows machines that are not fully patched, so that is one side of preventing against this.

polonus

No, it appears to be stand-alone and it spreads by using the AutoRun feature - it infects removable drives and flags the files as System files so they do not show up in Explorer - when an infected USB drive is plugged into a clean system, the AutoRun feature infects the clean system.

Also it does affect fully-patched XP systems. I sent samples to various anti-virus vendors (F-Secure, CA, McAfee) and all respond that it is the RJump worm. Unfortunately Avast does not detect it yet. I sent a sample but it is still undetected, which is why I am posting in this discussion group. It makes me wonder a bit about the effectiveness of the Avast product, although the free version is great for home use (can’t argue with the price). I’m hoping that the defs will be updated soon.

Best regards
Graham
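Graham’s description above (spread through AutoRun on removable drives, files flagged as System so Explorer hides them) is the kind of thing a small script can check for and switch off. The following is an added example, not code from the thread or from Avast: it lists any autorun.inf on removable drives together with its hidden/system attributes and the command it would launch, then disables AutoRun for every drive type with the NoDriveTypeAutoRun policy. It assumes Windows PowerShell 3 or later and an elevated prompt for the HKLM write.

```powershell
# Added example (not from the thread): audit removable drives for an autorun.inf
# and disable AutoRun system-wide. Run elevated for the HKLM policy write.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-SuspiciousAutorun {
    # DriveType 2 = removable disk (Win32_LogicalDisk)
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # -Force is needed because the worm marks its files Hidden/System
            $item    = Get-Item -LiteralPath $inf -Force
            $content = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive    = $_.DeviceID
                Hidden   = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                System   = [bool]($item.Attributes -band [IO.FileAttributes]::System)
                # open= / shellexecute= are the [autorun] lines that start a program;
                # on an infected stick these would name adober.exe
                Launches = ($content | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
            }
        }
    }
}

function Disable-AutoRun {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # 0xFF = no AutoRun on any drive type (removable, fixed, network, CD-ROM, ...)
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    (Get-ItemProperty -Path $policyKey).NoDriveTypeAutoRun
}

Get-SuspiciousAutorun | Format-Table -AutoSize
Disable-AutoRun
```

A clean drive usually has no autorun.inf at all; one that is both Hidden and System and launches an executable from the drive root is worth quarantining before it is opened.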

I think I have the same problem. I worked a few days in China and now it’s a big mess.

Avast told me that I have a worm “adober.exe” win32:Rjump but I never found a solution to destroy it.
What can I do if Avast doesn’t do anything?

François
Paris

Hi clercdesign,

The technical info is here:

http://www.k7computing.com/virusinfo/WormRJumpA.htm

You have to remove the process, and remove the registry entry for the process at autostart.

polonus

OK, I’m going to try.

In fact I have different messages telling me that I have a worm or trojan, I don’t know.

Win32:Wow-AK (RX921.exe and Wow921.exe)
Win32:Qqpass-AK (king.exe)
win32:Rjump (adober.exe)

My USB key is also strange, there is a folder RavMonLog that I never saw before and I can’t eject it.

I’ll try.
Thank you very much,
François

Hi clercdesign,

If you cannot kill the process normally, use killbox on it, get it from here:
http://download.bleepingcomputer.com/spyware/KillBox.zip

If you change something in the registry, make a copy to go back to first.

Good luck,

polonus

I think it worked for adober.exe (thank you).

But for the others (RX921.exe, Wow921.exe and king.exe) it didn’t. I tried to use Killbox but when I start the computer again they are still here!

What can I do? Any idea?

thank you, I’m always amazed to have an answer!! that’s great!!

francois

If a virus keeps replicating (coming back again and again) or you can’t delete it (access denied), you should, at least:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared, ewido or Spyware Terminator (trojan removers).

Can you try?

Hi Clercdesign:

Since this is part of a SPYWARE install, why are you not seeking help from volunteer Expert(s) on one of the many antiSPYWARE forums !? Have you asked for help on the forum of your antiSPYWARE Provider ? Who knows what else you picked up in addition to what you are currently aware of !?

Is there a difference between an antiSPYWARE and a firewall?

I have got more and more problems…

francois

Hi clercdesign,

Yes there is a difference !
http://www.webopedia.com/TERM/f/firewall.html
http://en.wikipedia.org/wiki/Firewall_(networking)
http://en.wikipedia.org/wiki/Spyware

Hi Francois, download this little utility and install it. Then let it generate a log and post that log back here, and let us see how bad your problems are.
http://www.majorgeeks.com/download3155.html

Before you run a scan with HiJackThis you have to save it into its own folder, as this folder will be used when HijackThis makes backups. If you run it out of a compressed file, like a zip file, instead of running it from a directory, the backups will not be made.

Also, before scanning, follow these instructions:

Go to Start->(Settings)->Control Panel->Folder Options->View and select Show hidden files and folders. Next uncheck Hide file extensions for known file types. Also make sure that Display the contents of System Folders is checked (if this option is available). Close any applications you have running currently, especially Internet Explorer. Open HiJackThis, do a system scan and save the log, then post the log here. DO NOT FIX ANYTHING.
Edit: How to show system files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

I followed the instructions and deleted adober.exe from c:\windows and ravman.log from the registry, scanned the system and my USB disk and now it seems OK, but when I click the USB HDD icon Windows opens the “open with/choose the program…” window. Of course if I choose Explorer it works, but every time I need to do it. What should I do?
thx
jah

Google is your friend…
http://www.dougknox.com/xp/fileassoc/xp_directory_reg.zip
or to read more http://www.dougknox.com/xp/file_assoc.htm

thx, but only my removable disk is doing wrong… I downloaded the fix and it still opens the same dialog… maybe something else… I also tried the folder association and lnk file association fix… nothing…

I had this same problem. Here’s the deal. The worm added some entries to the registry which then changed the context menus (which is what you get when you right click) for all mounted drives (including removable disks). It changes the default from Open to Auto. So here is what you need to do:

  1. Open regedit.
  2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. Back this up before making changes.

Option A

  3. Search the various keys for a subkey named Shell (capitalized).
  4. Then search the subkeys under those containing Auto.
  5. If any of the Auto subkeys contain subkeys named command, click on them and see if “adober.exe” or “ravmonlog” are referenced.
  6. If so, delete the entire key.

Option B

  3. Go to Edit->Find…
  4. Search only in keys and for the string “Auto”. Check “Match Whole String Only”.
  5. Follow steps 5 and 6 from above.

  7. Repeat 5 and 6 until you can open your drive normally.

hope that helps.

onfire
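The MountPoints2 walk onfire describes above can be done in one pass. The following is an added example, not onfire’s or Avast’s code: it searches every Shell\*\command key under MountPoints2 (any verb, not only Auto, which goes slightly beyond Option A) for a default value naming adober.exe or RavMonLog, prints the hits, and only when run with -Remove exports a .reg backup and deletes the whole Shell key as in step 6. It assumes Windows PowerShell; the pattern list and the backup location are my choices.

```powershell
# Added example (not from the thread): audit and optionally clean the
# MountPoints2 context-menu hijack left by the worm. Dry run by default.
param([switch]$Remove)

$root    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$pattern = 'adober\.exe|ravmonlog'     # names from the thread; case-insensitive match

function Find-InfectedShellKeys {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.PSPath -match '\\Shell\\' } |
        ForEach-Object {
            # the (default) value is the command line Explorer runs for that verb
            $cmd = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    # strip the provider prefix and everything after \Shell
                    ShellKey = ($_.PSPath -replace '\\Shell\\.*$', '\Shell') -replace '^.*::', ''
                    Verb     = ($_.PSPath -split '\\')[-2]   # e.g. Auto
                    Command  = $cmd
                }
            }
        }
}

$hits = Find-InfectedShellKeys
if (-not $hits) { Write-Host 'No MountPoints2 command references the worm.'; return }
$hits | Format-Table -AutoSize

if ($Remove) {
    # export the whole MountPoints2 tree first, as step 2 advises
    $backup = Join-Path $env:TEMP ('MountPoints2-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' $backup /y | Out-Null
    Write-Host "Backup written to $backup"
    $hits | Select-Object -ExpandProperty ShellKey -Unique | ForEach-Object {
        Remove-Item -LiteralPath "Registry::$_" -Recurse -Force   # step 6: delete the Shell key
    }
}
```

Deleting the Shell key restores Explorer’s built-in Open as the default action for that drive; if the dialog persists, the same hijack may also exist under HKLM for other user profiles.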

hello,

I would like to know when the Avast real-time scanning will be fixed for this worm. I have many problems with it: any time someone plugs an infected device into our LAN I get infected (please note that other antivirus products, AVS among them, find the threat as soon as the device is plugged in).

thanks