Hi, I did email a sample of adober.exe to virus@avast.com around a week ago. This adober.exe is basically the same as W32/RJump.worm. It’s worth pointing out that at the moment adober.exe seems to infest PCs in China/HK but no doubt it will spread further.
However, it seems this virus is still not being picked up by Avast. Is it possible someone from Avast could look into it and get the definitions updated? Thanks!
Graham Marsh
Hong Kong
It is part of a spyware install, and from the Chinese reports it appears on Windows machines that are not fully patched, so that is one side of preventing against this.
No, it appears to be stand-alone and it spreads by using the AutoRun feature - it infects removable drives and flags the files as System files so they do not show up in Explorer - when an infected USB drive is plugged into a clean system, the AutoRun feature infects the clean system.
Also it does affect fully-patched XP systems. I sent samples to various anti-virus vendors (F-Secure, CA, McAfee) and all respond that it is the RJump worm. Unfortunately Avast does not detect it yet. I sent a sample but it is still undetected…which is why I am posting in this discussion group. It makes me wonder a bit about the effectiveness of the Avast product. Although the free version is great for home use (can’t argue with the price). I’m hoping that the defs will be updated soon.
Since this is part of a SPYWARE install, why are you not
seeking help from volunteer Expert(s) on one of the
many antiSPYWARE forums !? Have you asked for help
on the forum of your antiSPYWARE Provider ? Who
knows what else you picked up in addition to what
you are currently aware !?
Hi Francois, download this little utility and install it. Then let it generate a log and post that log back here and let us see how bad your problems are: http://www.majorgeeks.com/download3155.html
Before you run a scan with HiJackThis you have to save it into its own folder, as this folder will be used when HiJackThis makes backups. If you run it out of a compressed file, like a zip file, instead of running it from a directory, the backups will not be made.
Also, before scanning, follow these instructions:
Go to Start->(Settings)->Control Panel->Folder Options->View and select Show hidden files and folders. Next uncheck Hide file extensions for known file types. Also make sure that Display the contents of System Folders is checked (if this option is available). Close any applications you have running currently, especially Internet Explorer. Open HiJackThis and do a system scan and save log; after that post the log here. DO NOT FIX ANYTHING
Edit: How to show system files http://www.xtra.co.nz/help/0,,4155-1916458,00.html
I followed the instructions and deleted adober.exe from c:\windows and ravman.log from reg, scanned system and my usb disk and now it seems ok, but when I click to usbhdd icon win opens “open with/choose the program…” window. Of course if I choose explorer it works but every time I need to do it. What should I do?
thx
jah
thx, but only my removable disk is doing wrong… i dl fix and still opens the same dialog… maybe something else… I also tried folder association and lnk file ass fix… nothing…
I had this same problem. Here’s the deal. The worm added some entries to the registry which then changed the context menus (which is what you get when you right click) for all mounted drives (including removable disks). It changes the default from Open to Auto. So here is what you need to do:
1. Open regedit.
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. Back this up before making changes.

Option A
3. Search the various keys for a sub key with Shell (capitalize).
4. Then search the subkeys under ones containing Auto.
5. If any of the Auto subkeys contain subkeys named command, click on them and see if “adober.exe” or “ravmonlog” are referenced.
6. If so, delete the entire key.

Option B
3. Go to Edit-Find…
4. Search only in keys and for the string “Auto”. Check “Match Whole String Only”.
5. Follow steps 5 and 6 from above.

Repeat 5 and 6 until you can open your drive normally.
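The registry check described in the post above can be run against the backup it recommends instead of by hand. This is an added example, not part of the original post: it assumes the MountPoints2 key was exported from regedit as a .reg file, the function names are hypothetical, and the sample export is constructed.

```python
import sys

# Strings the post says to look for in the command value.
MARKERS = ("adober.exe", "ravmonlog")
ROOT = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
        r"\CurrentVersion\Explorer\MountPoints2")

def parse_reg(text):
    """Yield (key_path, {value_name: raw_data}) for each key in a .reg export."""
    key, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], {}
        elif key is not None and "=" in line:
            name, data = line.split("=", 1)
            values[name.strip('"')] = data
    if key is not None:
        yield key, values

def suspicious_auto_commands(text):
    """Return (key, command) for <mount point>\\Shell\\Auto\\command hits."""
    hits = []
    for key, values in parse_reg(text):
        if not key.lower().startswith(ROOT.lower() + "\\"):
            continue
        parts = key[len(ROOT) + 1:].lower().split("\\")
        if parts[-3:] != ["shell", "auto", "command"]:
            continue
        command = values.get("@", "")  # "@" is the key's default value
        if any(marker in command.lower() for marker in MARKERS):
            hits.append((key, command))
    return hits

# Constructed sample export (GUIDs and drive letters are made up).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\Auto\command]
@="F:\\adober.exe e"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\AutoRun\command]
@="E:\\setup.exe"
'''

if __name__ == "__main__":
    # regedit writes "Version 5.00" exports as UTF-16; pass the file path.
    src = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE
    for key, command in suspicious_auto_commands(src):
        print(key, "->", command)
```

Each key it prints is one to inspect in regedit under steps 5 and 6; the script only reads the export and changes nothing.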
I would like to know when the Avast real-time scanning will be fixed for this worm. I have many problems with it: any time someone plugs an infected device into our LAN, I'm infected (please note that other antivirus, AVS for one, find the threat as devices are plugged in).