Autorun Virus

I have an autorun virus on my system, and whenever I copy any file to my flash drive it goes inside with it (note: I use avast antivirus and update daily). When I use this flash drive on my friend's system, his own antivirus software (Kaspersky) detects it immediately and removes it from the flash drive. When I bring it back into my system it contracts the autorun virus again.

My question is: is it that avast antivirus cannot remove the autorun virus, or is there something I am not doing right?

Thanks

You could try an online scan at Kaspersky. If it finds anything, it won't fix it, but it will give you a report. From this you could submit the file(s) to www.virustotal.com and see if any other AVs are detecting it. If so, you can forward it to virus@ avast.com (without the space) in a password-protected zipped email for further analysis.

What is Kaspersky detecting it as?

Maybe avast can even detect it…
Run Kaspersky online like oldman suggested, or:
ESET NOD32
Trendmicro housecall
AVGas (not necessary if you have AVG Anti-Spyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (new online scanner with multiple scanners)

The actual virus name is RavMonE.exe, and it also has an autorun file.

What it does to my flash drive that I don't like:

  1. When I double-click on my D: drive it opens in a new window in the Explorer view.
  2. When I right-click on the drive it shows Auto first instead of Open, which is the default.
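The two symptoms above are what an autorun.inf on the drive produces when it registers its own launch commands and makes a custom verb the default. The following added example (not code from the thread) parses a constructed autorun.inf, modelled on those symptoms rather than captured from the real drive, and reports every launch command and any default-verb override, so a drive can be checked before it is opened in Explorer:

```python
"""Triage an autorun.inf from a removable drive (added example, not from the thread).

Reports every key that can launch a program when the drive is opened and whether
the file replaces the default context-menu verb, which is what makes "Auto"
appear above "Open" and changes what a double-click does.
"""
import re

# Constructed sample mirroring the symptoms described above; not a capture of
# the real file from the poster's drive.
SAMPLE_AUTORUN_INF = """[autorun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\\Auto\\command=RavMonE.exe e
shell\\Auto=Auto
shell=Auto
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

LAUNCH_KEYS = {"open", "shellexecute"}          # keys Explorer may execute directly
VERB_RE = re.compile(r"shell\\([^\\]+)(\\command)?")   # shell\<verb> or shell\<verb>\command


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text):
    """Summarise launch commands, added verbs and default-verb tampering."""
    entries = parse_autorun(text)
    launches = {k: v for k, v in entries.items()
                if k in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", k)}
    default_verb = entries.get("shell")            # "shell=Auto" puts Auto first in the menu
    verbs = sorted({m.group(1) for k in entries if (m := VERB_RE.fullmatch(k))})
    tampered = default_verb is not None and default_verb.lower() != "open"
    return {"launches": launches, "default_verb": default_verb,
            "added_verbs": verbs, "suspicious": bool(launches) or tampered}
```

A clean drive with only `icon=` and `label=` keys reports no launches and is not flagged.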

Download ComboFix from Here or Here to your Desktop.

Plug in your flash drive, then double-click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

After running ComboFix, click here to download HJTsetup.exe.

  1. Save HJTsetup.exe to your desktop.
  2. Double-click on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon, then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  9. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  10. Come back here to this thread and paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Follow mauserme's instructions. The RavMonE.exe virus can be easily removed using HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:29 AM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\xmlxdyyp.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\drvlcvzl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RavMonE.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM..\Run: [ldmsrtc] C:\WINDOWS\system32\xmlxdyyp.exe
O4 - HKLM..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKLM..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O4 - HKLM..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKLM..\Run: [sdkeylib] C:\WINDOWS\system32\sedkeyss.exe
O4 - HKLM..\Run: [jcidls] C:\WINDOWS\system32\dfmmaps.exe
O4 - HKLM..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM..\Run: [wpxmls] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [scmplay] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [imcssl] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [ifperx] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKCU..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [ldmsrtc] C:\WINDOWS\system32\xmlxdyyp.exe
O4 - HKCU..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKCU..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O4 - HKCU..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKCU..\Run: [sdkeylib] C:\WINDOWS\system32\sedkeyss.exe
O4 - HKCU..\Run: [jcidls] C:\WINDOWS\system32\dfmmaps.exe
O4 - HKCU..\Run: [wpxmls] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKCU..\Run: [scmplay] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKCU..\Run: [imcssl] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKCU..\Run: [ifperx] C:\WINDOWS\system32\drvlcvzl.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra ‘Tools’ menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


End of file - 6031 bytes

First, you don't appear to have an active firewall. The XP firewall is only half a firewall; without a firewall that provides protection against unauthorised outbound Internet connections you will have difficulty getting clean and staying that way.

You have a highly infested system.

This would appear to be the real culprit here, the rjump worm: http://vil.nai.com/vil/content/v_139985.htm

C:\WINDOWS\RavMonE.exe

Suspect

[?] - C:\WINDOWS\system32\xmlxdyyp.exe
[?] - C:\WINDOWS\system32\drvlcvzl.exe
- C:\WINDOWS\RavMonE.exe
- O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
- O4 - HKLM..\Run: [System] C:\WINDOWS\system32\kernels32.exe
[?] - O4 - HKLM..\Run: [ldmsrtc] C:\WINDOWS\system32\xmlxdyyp.exe
[?] - O4 - HKLM..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
[?] - O4 - HKLM..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
[?] - O4 - HKLM..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
[?] - O4 - HKLM..\Run: [jcidls] C:\WINDOWS\system32\dfmmaps.exe
- O4 - HKLM..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
[?] - O4 - HKLM..\Run: [wpxmls] C:\WINDOWS\system32\drvlcvzl.exe
[?] - O4 - HKLM..\Run: [scmplay] C:\WINDOWS\system32\drvlcvzl.exe
[?] - O4 - HKLM..\Run: [imcssl] C:\WINDOWS\system32\drvlcvzl.exe
[?] - O4 - HKLM..\Run: [ifperx] C:\WINDOWS\system32\drvlcvzl.exe
- O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
[?] - O4 - HKCU..\Run: [ldmsrtc] C:\WINDOWS\system32\xmlxdyyp.exe
[?] - O4 - HKCU..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
[?] - O4 - HKCU..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
[?] - O4 - HKCU..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
[?] - O4 - HKCU..\Run: [jcidls] C:\WINDOWS\system32\dfmmaps.exe
[?] - O4 - HKCU..\Run: [wpxmls] C:\WINDOWS\system32\drvlcvzl.exe
[?] - O4 - HKCU..\Run: [scmplay] C:\WINDOWS\system32\drvlcvzl.exe
[?] - O4 - HKCU..\Run: [imcssl] C:\WINDOWS\system32\drvlcvzl.exe
[?] - O4 - HKCU..\Run: [ifperx] C:\WINDOWS\system32\drvlcvzl.exe

You’re infected. See the analysis of your HijackThis log: http://www.wikifortio.com/916866/ultrabrains.html
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O4 - HKLM..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (even though the file seems to be missing)

Probably…
O4 - HKLM..\Run: [System] C:\WINDOWS\system32\kernels32.exe

Let’s put a copy of ravmone.exe in the avast! chest and upload it so it can be added to the detections.

Right click the a-icon in your system tray and click Start avast! antivirus. When the interface opens click the chest icon, then click User Files. In the tool bar click File>Add and navigate to

C:\WINDOWS\RavMonE.exe

Click Open, then close the confirmation window. Now highlight the file and click File>Email to Alwil Software. Add comments if you wish, then click Send Mail. Close the chest and the avast interface.

There are quite a few trojans running on your computer and we can clean many of them now. But I would still like you to run ComboFix, as this may root out a few more and will show us some registry entries that cause the infection to jump between your computer and your flash drive.

First download OTMoveIt by OldTimer and save it to your desktop.

Now open HJT and click Do a System Scan Only. When the scan is complete, place a check mark next to these lines, being careful to check all the duplicates:

O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O4 - HKLM..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM..\Run: [ldmsrtc] C:\WINDOWS\system32\xmlxdyyp.exe
O4 - HKLM..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKLM..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O4 - HKLM..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKLM..\Run: [sdkeylib] C:\WINDOWS\system32\sedkeyss.exe
O4 - HKLM..\Run: [jcidls] C:\WINDOWS\system32\dfmmaps.exe
O4 - HKLM..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM..\Run: [wpxmls] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [scmplay] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [imcssl] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [ifperx] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKCU..\Run: [ldmsrtc] C:\WINDOWS\system32\xmlxdyyp.exe
O4 - HKCU..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKCU..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O4 - HKCU..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKCU..\Run: [sdkeylib] C:\WINDOWS\system32\sedkeyss.exe
O4 - HKCU..\Run: [jcidls] C:\WINDOWS\system32\dfmmaps.exe
O4 - HKCU..\Run: [wpxmls] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKCU..\Run: [scmplay] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKCU..\Run: [imcssl] C:\WINDOWS\system32\drvlcvzl.exe
O4 - HKCU..\Run: [ifperx] C:\WINDOWS\system32\drvlcvzl.exe
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)

Close all other windows, including your browser, and click Fix Checked.

Next close HJT and open OTMoveIt. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\xmlxdyyp.exe
C:\WINDOWS\system32\liscrts.exe
C:\WINDOWS\system32\smdlsset.exe
C:\WINDOWS\system32\ldmprocs.exe
C:\WINDOWS\system32\sedkeyss.exe
C:\WINDOWS\system32\dfmmaps.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\drvlcvzl.exe
C:\WINDOWS\RavMonE.exe
C:\WINDOWS\system32\a3dxq.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new Hijack log. It's OK if some of the files are not found.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now download and run ComboFix as outlined above, followed by a fresh HJT log.
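The helpers in this thread picked the HijackThis lines to fix by eye: one executable registered under several Run value names (drvlcvzl.exe), the same value name present in both HKLM and HKCU, a BHO with no name, and a Winlogon Notify DLL that is missing; the hits were then de-duplicated into the file list pasted into OTMoveIt. The following added example (not HijackThis or OTMoveIt code) automates exactly those heuristics over a constructed, shortened excerpt of the log posted above. It is deliberately a heuristic pass: a single-entry item such as [RavAV] C:\WINDOWS\RavMonE.exe is not caught by these rules and still has to be identified by name, as the helpers did.

```python
"""Triage a HijackThis log with the heuristics used in this thread (added example;
not HijackThis or OTMoveIt code). Returns the findings plus a de-duplicated,
paste-ready list of paths for a file-mover tool."""
import re
from collections import defaultdict

# Constructed, shortened excerpt modelled on the log posted in the thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\\WINDOWS\\system32\\ipv6mons.dll
O4 - HKLM..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM..\\Run: [ldmsrtc] C:\\WINDOWS\\system32\\xmlxdyyp.exe
O4 - HKLM..\\Run: [wpxmls] C:\\WINDOWS\\system32\\drvlcvzl.exe
O4 - HKLM..\\Run: [scmplay] C:\\WINDOWS\\system32\\drvlcvzl.exe
O4 - HKLM..\\Run: [RavAV] C:\\WINDOWS\\RavMonE.exe
O4 - HKCU..\\Run: [ldmsrtc] C:\\WINDOWS\\system32\\xmlxdyyp.exe
O4 - HKCU..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: A3dxq - C:\\WINDOWS\\system32\\a3dxq.dll (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] '
                   r'"?(?P<path>[^"]+?\.(?:exe|dll))"?', re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage_hjt_log(log):
    """Return (findings, move_list); findings are (reason, path) pairs."""
    findings, runs = [], []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            runs.append((m["hive"].upper(), m["name"].lower(), m["path"]))
        elif (m := O2_RE.match(line)) and m["name"] == "(no name)":
            findings.append(("unnamed BHO", m["path"]))
        elif (m := O20_RE.match(line)) and m["missing"]:
            findings.append(("missing Winlogon Notify DLL", m["path"]))
    names_by_path, hives_by_name, paths_by_name = defaultdict(set), defaultdict(set), defaultdict(set)
    for hive, name, path in runs:           # paths kept in the case the log used
        names_by_path[path].add(name)
        hives_by_name[name].add(hive)
        paths_by_name[name].add(path)
    for path, names in names_by_path.items():
        if len(names) > 1:                  # e.g. wpxmls and scmplay both -> drvlcvzl.exe
            findings.append(("one exe under several Run names", path))
    for name, hives in hives_by_name.items():
        if len(hives) > 1:                  # e.g. ldmsrtc in both HKLM and HKCU
            findings.extend(("same Run name in HKLM and HKCU", p) for p in paths_by_name[name])
    # Heuristics only: confirm each hit (e.g. at virustotal) before moving anything.
    move_list = sorted({path for _, path in findings}, key=str.lower)
    return findings, move_list
```

Legitimate entries such as QuickTime Task and ctfmon.exe produce no findings, and a log containing only such entries yields an empty move list.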