[RESOLVED] - Rjump issue

With Standard Shield set to high, Avast still does not detect Ravmone.exe. I can even execute ravmone and it still does not detect it.

When I submitted my samples, I did indeed quote the forum link so they’d know what it was all about.

Eicar detection appears to be fine, although an eicar text file did not get detected until I renamed it Eicar.com

Text (.txt) files aren’t scanned by default on creation or modification; that is why I suggested downloading the com (or exe) version of the test, which I see isn’t included in the samples on the site.

I think it would be worthwhile to email support on this and attack it from both directions; it is certainly weird.

Could it be that this is somehow being stealthed/protected in some way? avast usually hooks .exe files so they are scanned before they are executed. Check and ensure that standard .exe files are in fact scanned: enable ‘Show detailed info on performed actions’ in standard shield, execute some normal exe files and see if they are scanned, or watch the Last scanned: entry in the standard shield detailed view.

You didn’t mention your standard shield settings; check the Customise button, Scanner Advanced.

Which are your Standard Shield configurations at this time?

Scanner shield settings are default, haven’t been changed since installed.

Here’s a couple of screenshots so you can see what happens.

The first one is when I execute Ravmone.exe, Avast is set to show detailed…
http://i55.photobucket.com/albums/g136/101nick/ravmoneexecuting.jpg

and the second is the tasklist open so you can see it is actually running, and there’s a ravmone.log file on the desktop too.
http://i55.photobucket.com/albums/g136/101nick/ravmonerunning.jpg

Ondrej dropped me a line this morning for some more info, what a hero he is!

A Hijackthis log from one of the infected computers might shed a little more light on this:

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


The log will be long - use multiple posts if you need to.

That is good news that you have been contacted; I had hoped for and tried to get some input from one of the Alwil team. Hopefully they will be able to get to the bottom of it, as it is beyond my limited knowledge of avast’s inner workings.

Well since I infected my PC several times…here’s a Hijack log from it.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:26:29, on 13/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\Program Files\Alwil Software\Avast4\AvAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Alwil Software\Management Tools\asaAdmin.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\qeh-xt\xt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\N.Castleton\Desktop\Root Kit Detection\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zeus
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://zeus
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by QEH
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”
O4 - HKLM..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [TomTomHOME.exe] “C:\Program Files\TomTom HOME\TomTomHOME.exe” -s
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\wcescomm.exe”
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://zeus
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0470E62C-C97E-4317-81E5-0774D8CBF7B7} (EndPointScan Class) - http://www.endpointscan.com/EndPointScan.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://futuresoft.webex.com/client/T25L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! NetAgent - ALWIL Software - C:\Program Files\Alwil Software\Avast4\AvAgent.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe


End of file - 9195 bytes

I think this one: O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe is connected to Rjump.

These need further investigation:
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\Program Files\Gemplus\GAC\GACService.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM..\Run: [GACService] C:\Program Files\Gemplus\GAC\GACService.exe
DPF: {0470E62C-C97E-4317-81E5-0774D8CBF7B7} (EndPointScan Class) - http://www.endpointscan.com/EndPointScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe

I suspect that QEHNick is aware of this O4 entry as he has intimate knowledge of the RavMonE.exe file (see Reply #17).

QEHNick’s problem is that although the file is detected by avast signatures on an on-demand scan, it isn’t detected with the on-access scan and avast allows it to execute.

The O22 entries are fine; they appear on the latest Trend Micro HijackThis v2.0.0 (BETA) version but not on HJT 1.99.1. When they first appeared on my first use of the 2.0 version I checked them out fully.

For sure that’s where ravmone.exe is loading. The problem is I was half expecting to see something stealthy here (or see no entry at all) to explain the avast! behavior, but it’s just out in the open running as a start up.

If you fix this line in HJT

O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe

and delete these files

C:\WINDOWS\RavMonE.exe

C:\WINDOWS\ADOBER.EXE (if present)

you will clean the individual computer, but the scanning mystery will remain and you will still need to prevent potential reinfection through the LAN or via USB drives.

Do you recognize the domain in these lines

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk
O17 - HKLM\Software..\Telephony: DomainName = xqehkl.nhs.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xqehkl.nhs.uk

EDIT: Had you already killed the ravmone.exe process before you ran HJT? Or was ravmone.exe running when you generated the log?
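As an added defender-side example (not code from the thread or from any of its posters), the following Python script parses HijackThis O4 Run entries such as the RavAV line above and flags the indicators this thread identifies: the known file names (RavMonE.exe and its adober.exe copy) and, as a labelled heuristic, any Run value whose executable sits directly in the Windows root; it also recognises the trz##.tmp names mentioned later in the thread. The sample lines are copied from the posted log; the rule list is an assumption for the example.

```python
"""Flag RJump/RavMonE indicators in HijackThis O4 Run entries and dropped-file names."""
import re
from typing import Dict, List, Optional

# Names tied to this infection in the thread (RavMonE.exe and its copy adober.exe); an assumed list.
KNOWN_NAMES = {"ravmone.exe", "adober.exe"}
# Dropped files seen in the thread's on-demand scan are named trz##.tmp, with the number varying.
TRZ_TMP_RE = re.compile(r"^trz\d+\.tmp$", re.IGNORECASE)
# O4 Run lines look like: O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed sample: four O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM..\Run: [RavAV] C:\WINDOWS\RavMonE.exe
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

def image_path(cmd: str) -> str:
    """Executable path of a Run command: the quoted part, else everything up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd

def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 Run line into hive, value name and image path; None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m["hive"], "name": m["name"], "path": image_path(m["cmd"])}

def flag_reasons(path: str) -> List[str]:
    """Why an image path looks like the RJump persistence entry seen in the thread."""
    reasons = []
    if path.rsplit("\\", 1)[-1].lower() in KNOWN_NAMES:
        reasons.append("known RJump file name")
    # Heuristic (assumption): a Run value whose .exe sits directly in the Windows root rather than
    # a subfolder is unusual for legitimate software, and it is where RavMonE.exe loads from in the
    # posted log. Treat such hits as candidates for review, not for automatic removal.
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", path.lower()):
        reasons.append("exe directly in Windows root")
    return reasons

def is_rjump_tmp(filename: str) -> bool:
    """True for names of the trz##.tmp form (the number varies between samples)."""
    return bool(TRZ_TMP_RE.match(filename.rsplit("\\", 1)[-1]))

def scan_log(text: str) -> List[Dict[str, object]]:
    """Every O4 Run entry in a HijackThis log that trips one of the rules above."""
    hits = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry and (reasons := flag_reasons(entry["path"])):
            hits.append({**entry, "reasons": reasons})
    return hits
```

Running `scan_log(SAMPLE_LOG)` returns only the RavAV entry, with both reasons attached; Global Startup and other non-Run O4 lines are ignored by `parse_o4`.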

The domains are legit.

Ravmone wasn’t running, I was just too lazy to remove the reg entry.

We now have disabled auto-run on all PCs on the network. I’m running daily on-demand scans to try to keep it clean.

Still the mystery remains.

I don’t have a solution to that but the following may help clean this:

On an infected computer download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically ‘C:\SDFix’).
Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Thanks for the tips.

Hopefully I’ll hear something from the Avast! chaps.

I’ll keep you all posted.

Have you looked for adober.exe?

You probably already know this, but it’s likely a copy of ravmone.exe is present in c:\windows\adober.exe. If this is the reality of your situation and avast! does not see it, then there may be a rootkit hiding the copy rather than the primary file. SDFix should clean it.

Also remember that this is very capable of stealing information so you should be taking steps to protect sensitive data.

There are no occurrences of Adober.exe.
However, the most recent “scan on demand” has netted something interesting.

See the screenshot HERE

There are other variants of the trz##.tmp file, mostly with a different number.

Odd that Avast! detects Ravmone.exe as a trojan and the trz##.tmp as RJUMP.

Ah!

Now we’re getting somewhere. That trz##.tmp file is still sitting on a cleaned PC although with a different name.
So now I had better check some of these PC’s for rootkits.
Edit: seems that it’s not a rootkit. The PC I had looked at had simply been reinfected by the user’s USB device.

I have infected a PC several times (on purpose) but it has not once been infected with the trz##.tmp part of the virus. I wonder why.

Still doesn’t answer why Avast! doesn’t detect “on access”.

Nah, the lab people don’t respond… the only way you’re sure that what you mailed them has been noticed is when they include it in the future updates… and the response is very slow… if the malware is of no serious threat…

In this case they did …

@QEHNick

This has downloader capability and may be responsible for the trz##.tmp files. There are several tools we could run against it but I still recommend SDFix first.

Is there any chance of keeping those USB drives away from the PCs for now? They will just continually re-infect them (if I’m not mistaken, file transfers from an infected USB drive carry some risk even with autorun turned off).

No, it doesn’t. Nor does it make sense to allow the infection to continue while a solution to the scanning dilemma is being worked on.

It looks like you’ve had this problem since at least 22 March and, while I have every confidence in the ability of the analysts to solve the scanning dilemma, a two-pronged approach seems logical.

Please, team, drop a line about this… I’m curious too…

A little feedback would be nice …

I’m aware of RJUMP connecting to sites to download other malware. Luckily our Webfilter software (websense) blocks all attempts by any malware at connecting to these sites. So at least that avenue is closed to it.
All in all, it causes little impact on our systems, however, it is still an unwanted process.