I have been having hundreds of problems with viruses (SexCity.jpg.wsf and Ne0ks.exe, accompanied by an Autorun.inf, were the most resilient ones). I have installed and uninstalled several anti-virus programs and several cleaners, done on-line cleaners and so on. Yesterday, I asked someone to have a look at my computer, and after some time cleaning up, I was advised to format my laptop.
I started copying all my data to an external hard disk. However, AVAST tells me I have a virus there, or signs of the virus: Win32:Agent-AWB. The folder is hidden and has this structure:
09-02-2008 16:53:52 User 3644 Sign of “Win32:Agent-AWB [Adw]” has been found in “F:\System Volume Information_restore{16433FEA-F9F7-4745-ABF2-13C1202916C6}\RP608\A0130209.txt{tmp}\SetupInst.exe\Setup.exe” file.
09-02-2008 16:54:29 User 2036 Sign of “Win32:Agent-AWB [Adw]” has been found in “F:\System Volume Information_restore{16433FEA-F9F7-4745-ABF2-13C1202916C6}\RP608\A0130209.txt{tmp}\SetupInst.exe\Setup.exe” file.
09-02-2008 16:08:42 User 5580 Sign of “Win32:Agent-AWB [Adw]” has been found in “F:\Software de Instalação\Utilitários\PDF\PdfMaker\CuteComp.exe{tmp}\SetupInst.exe\Setup.exe” file.
AVAST couldn’t clean or move it to Quarantine. I tried deleting it manually, but I couldn’t. I was told it’s a system file. I changed the file extension and after many trials did succeed once in deleting the whole folder. Just to notice later on that the folder was ALSO on my C: partition, and I was denied access to it. The folders are also back on my external hard disk. AVAST no longer detects a virus, though.
My system keeps creating hidden “Thumb.db” files, even when I’m not opening any folder, and it is creating “Recycle” folders in my usb pendisks. When I delete anything, it goes into those folders. However, I have scanned my computer and no virus is detected.
Post a fresh HijackThis log text file as an attachment to your next posting. Download HijackThis from here: http://download.hijackthis.eu/hijackthis_199.zip Unzip it and put it onto your desktop, then save a HijackThis logfile,
and also attach your avast log file there too, to establish where the malware resided, to remove it later. We also need to download ComboFix from here: http://subs.geekstogo.com/ComboFix.exe to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix’s window while it’s running. That may cause it to stall.
I am attaching the HijackThis and ComboFix logs. I do have one question, though: what about partition D: and the external disk? They were not analysed by HijackThis and ComboFix, were they? At least the external drive seems infected… But I’ll wait for your reply.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well (D: and the external disk).
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
The first thing I want you to do is download Deckard’s System Scanner.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt.
Attach Extra.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
What Deckard’s System Scanner will do:
* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review. Deckard's System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
When you get the two notepad documents, Main.txt & Extra.txt, attach them to your next reply.
After you have run both Flash Disinfector and DSS, also attach a fresh HJT log.txt.
Hello, polonus
Let me see if I did / can do everything all right.
My first problem: I have so many usb drives, I couldn’t scan all of them at once. What I did was:
I ran Flash_Disinfector once with as many drives as I could, had the computer reboot, scanned with DDS, and saved a copy of all the .txt files to my desktop.
Then I did a second scan with Flash_Disinfector, rebooted, and scanned with DDS again. I again made a copy of the .txt files - but alas, this time there was no extra.txt.
I will attach now the result of the scan to the first group of usb drives. Then I’ll reply again and attach the result of the second group. Hope that’s ok.
I tried copying and pasting the content of Main.txt (think that’s what you asked), but it far exceeds the character limit. I am therefore posting it as an attachment and not pasting it here.
JLucas
Here I am again.
These are the text files for the second group of usb drives.
Please let me know if this was the wrong way to do it and, should that be the case, suggest other action. As I said, there was no extra.txt file this second time.
By the way, the first time there was also a “Moved.txt”. Should I attach that as well?
Thanks.
We will look into that shortly, but you also have another infection we have to look into too:
Ravmon cleansing
Cleansing of a flash drive infected with the RAVMON.exe virus: any visit of a strange flash drive may infect your computer's drives (yes, all of 'em). So this could infect any drive, including a flash drive, which is what a USB stick actually is, and RAVMON.exe is dangerous:
RAVMON.exe a.k.a. W32.Nomvar is a worm that copies itself to the root of all drives,
including removable and shared drives, and downloads potentially malicious files
onto a compromised computer.
Related files:
[DRIVE LETTER]:\RavMon.exe
[DRIVE LETTER]:\Autorun.inf
%Windir%\svchost.exe
Kill the process RavMon.exe and remove RavMon.exe from Windows startup
Also fix these with HijackThis: fire it up, scan, tick what is given below and fix by pressing Enter:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJxdm086YYPT
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
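A defender-side check for what this post describes, added here as an example and not taken from the thread or from any of the tools it uses: parse a drive root's autorun.inf to see what it would launch, and flag the root-level file names the thread mentions. The constructed fake drive root (a placeholder autorun.inf and an empty file named RavMon.exe) and the list of names are assumptions for demonstration.

```python
import os
import tempfile

# Root-level names the thread's helpers went after (taken from the posts above);
# autorun.inf is the launcher that starts them when the drive is plugged in.
SUSPECT_ROOT_FILES = {"autorun.inf", "ravmon.exe", "h.cmd", "knight.exe",
                      "fun.xls.exe", "xo8wr9.exe"}


def parse_autorun(text):
    """Return open=, shellexecute= and shell\\<verb>\\command= targets of [autorun]."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank or comment line
            continue
        if line.startswith("["):                   # section header
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(value)
    return targets


def scan_drive_root(root):
    """Inspect one drive root; matching is case-insensitive like Windows filesystems."""
    findings = {"files": [], "autorun_targets": []}
    try:
        names = os.listdir(root)                   # hidden entries are listed too
    except OSError:
        return findings                            # drive unplugged or unreadable
    findings["files"] = [n for n in names if n.lower() in SUSPECT_ROOT_FILES]
    inf = next((n for n in names if n.lower() == "autorun.inf"), None)
    if inf is not None:
        with open(os.path.join(root, inf), encoding="latin-1", errors="replace") as fh:
            findings["autorun_targets"] = parse_autorun(fh.read())
    return findings


def demo():
    """Constructed fake drive root: placeholder autorun.inf plus an EMPTY RavMon.exe."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "Autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\nopen=RavMon.exe\r\nshell\\open\\Command=RavMon.exe\r\n")
    open(os.path.join(root, "RavMon.exe"), "wb").close()
    open(os.path.join(root, "Thumbs.db"), "wb").close()  # benign, must not be flagged
    return scan_drive_root(root)
```

Run scan_drive_root once per drive letter, as the helpers here did, to see which drives still carry the launcher and what it points at before deciding what to remove.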
Here go the moved.txt file, the hijackthis file after using , and the logfile created by … That thing is strange. It kept telling me I had no virus, but it did not let me get out of the program. Had to do ctrl+alt+del every time I used it. Then there were one or two times when, after saying I had no virus, it said it had removed the virus and told me to remove the usb drive (which I can only do by right click and eject, the secure remove icon keeps disappearing from my notification area…).
Should I send an email to imani9009@gmail.com with the log file? I was asked to one of the times.
Hello again.
Guess I did it.
I am sending the hijackthis file after having selected the files you mentioned and pressing enter. Guess it cleaned them, right?
I repeat what you have to do, close your browser, run hijackthis scan, then tick the three entries I mentioned, and click fix checked, grasp it?
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJxdm086YYPT
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
That sure looks better. Have a look for yourself here: http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html
The analysis will be there for you for three consecutive days. I think everything is OK now.
Oldman will have a secondary glance over your files again, but I think the maker of the programs we used has cleansed the malware from your computer while they ran.
Welcome to the forums, juditelucas,
* Save it to your desktop.
* Please double-click OTMoveIt.exe to run it.
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
* In either case the fixes will have to be run multiple times because of the number of usb flash drives she has. One run with each drive inserted.
* Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste. Paste all inside code as a text file into the lower left box under the yellow line titled "Paste List Of Files/Patterns To Search For and Move"
* Click the red Moveit! button.
Click "Exit" to close OTMoveIt.
When ready to Reply on the forum, please Paste the content of the latest log which is located at the root of the drive where the OTMoveIt folder is:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
This sounds really complicated… Still more complicated is to run OTMoveIt: the link doesn’t work ??? And to think I had it on my desktop but sent it away! >:(
Should I try google search and download it from somewhere else?
JLucas
Follow the instructions I gave to the dot, or print it out and do it from the text while it lays there next to your computer, we will talk you through it, and oldman is looking over our shoulder, hold on…
Here I am again.
I inserted a drive at a time, ran OTMoveIt every time, and it always gave me the indication the files were not found. I am sending the HijackThis log, as well as the last OTMoveIt one.
As for my external hard drive, which is recognized by the letter i:, it was the last to be scanned and I added it to the line codes. Therefore, my last scan looked like this:
c:\h.cmd
d:\h.cmd
c:\Knight.exe /s
d:\Knight.exe /s
e:\Knight.exe /s
f:\Knight.exe /s
e:\Knight.exe /s
f:\Knight.exe /s
i:\Knight.exe /s
g:\fun.xls.exe /s
c:\fun.xls.exe /s
d:\fun.xls.exe /s
i:\fun.xls.exe/s
c:\xo8wr9.exe /s
e:\fun.xls.exe /s
f:\fun.xls.exe /s
c:\xo8wr9.exe /s
d:\xo8wr9.exe /s
e:\xo8wr9.exe /s
f:\xo8wr9.exe /s
g:\xo8wr9.exe /s
i:\xo8wr9.exe /s
Didn’t know if I should also have written “i:\h.cmd”, so I didn’t.
I’ll take a look at your suggestions on the HijackThis logfiles later on.
I hope everything will be ok now and I dread having to use my pendrives at school tomorrow…
Thanks a million times.
It looks like the fix was run from the top left box. It won’t work from there, it must be copied and pasted into the lower box (under the yellow bar). See image below.
Adding the I:\ drive is fine.
If you can plug in more than one usb device at a time it will make things go a bit faster for you.