Since some weeks ago my Avast is reporting this virus, all I do is delete it, but then 1 hour later or so, it finds it again; this has been happening since 2 weeks; and I have tried to send it to the chest, repair it, delete it; but all actions seem useless for it: It used to be on C:\WINDOWS\system32\fmwhytm.b folder.
I have used the boot-time scan, but still got the same virus. Recently I installed Ad-Aware to fix it, and the same result; found it, deleted it, and some mins later, it appears again.
Is there any report or solution to fix this yet?
UPDATED [11/02/2009]: Umm it seems now that is located here C:\WINDOWS\system32\fmwhytm.b[UPX] …
AdAware is in my opinion a waste of hard disk space.
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
And this one which can help immunise usb flash drives to try and combat reinfection. Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.
since some weeks ago my Nod32 is reporting this virus, all I do is delete it, but then 1 hour later or so, it finds it again; this has been happening since 2 weeks; and I have tried to send it to the chest, repair it, delete it; but all actions seem useless for it: It used to be on Re: Virus Name: Win32:TrojanDownloder.AgentXLWtrojan
I have used the boot-time scan, but still got the same virus. Same result; found it, deleted it, and some mins later, it appears again.
Is there any report or solution to fix this yet?
To “DavidR”: Windows Firewall I must say :-. Gonna try those programs… hope it solves my PC.
To “Maxx_original”: yes I have my “WinXP SP3” is up to date.
thanks for the answers, still hope our Avast will fix it, without 3rd party software 8)
Well, I tried all those steps, ran them in safe mode; only the SUPERantispyware detected 4 adaware problems but that's it; now avast detected the virus again.
It let me delete it 1 time, then avast detected it 4-5 times more; I can't delete it 'cos it is already deleted. So now it's showing more advices of it :-\
But still no fix found for it… does Avast know about this fmwhytm.b yet?
This could, depending on the file type (if it were an archive, files would be extracted to be scanned), generate more than one detection.
In the case of an archive, if the actual archive is deleted then the files detected from the extracted files couldn’t be deleted because the original archive file has already been deleted. I hope that makes some sense.
So is an avast boot-time scan still detecting this C:\WINDOWS\system32\fmwhytm.b file ?
Yeah, it makes sense, no problem with that, but on boot scan it is not detected.
It is detected like each 30mins while I’m working at work. I'm making now a list with the hours when it is detected so maybe I can get the amount of time it takes to “rebirth” haha from nothing to my pc…
So where is this detected on these 30 rebirths, is it in the same file name and location ?
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?
You didn’t say if you used the MalwareBytes AntiMalware tool, try that from safe mode.
Same location, same file.
I did use all those programs for detection in safe mode.
I don't use any firewall but the windows one, maybe you can tell me of some, and I'll test it; maybe I can block the virus from being created again.
I can’t give a personal recommendation for a firewall other than the one I’m using (haven’t used any other one in over 6 years), but that isn’t free.
Some with outbound protection (which I feel is essential) are a little complex, though PC Tools firewall by all accounts provides reasonable protection without being overbearing.
There are many freeware firewalls such as Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control, configuration area, the slider will only go as far as Medium protection, if you want more you have to buy the Pro version.
Well, the virus is detected by Avast each hour, so I don't know if avast checks that directory each hour or the virus each hour tries to act. The curious part is that the hours chosen are 10am-11am-12am and so on; no minutes or seconds added.
Well I tried those other softwares but no detection found; now I installed “Outpost Firewall” to check if the virus is being reactivated via internet; and also have a zone alarm installer ready if this one fails.
Hope to fix it soon, and share more info about this.
avast doesn’t check every hour, but is activity based (resident, on-access scanner) so when that file is recreated avast would scan the newly created file and alert.
You could check the task scheduler and see if there is a task that is scheduled to run at these times and if so, disable it (not delete, yet) and report the file name that it runs.
Well first off disable all the tasks that ‘you’ personally didn’t create (that should hopefully stop this hourly creation and detection) and I would go so far as to check those you did create just to make sure they haven’t been modified in any way.
Then do a search using windows explorer for this file, fmwhytm.b also czvaiwyn and report their locations.
Create a folder on c:\ called SuspectJobs and cut and paste these A1-A39.job files from the c:\windows\tasks\ folder so they aren’t in the original location, should the tasks become active again the .job files won’t be present. I don’t like deleting anything without a full investigation, but ultimately that is likely to be the outcome.
Open one or two of these .job files using notepad and paste the contents in your next post, just to see if there is anything else being activated.
Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
I can't disable or do anything but delete the tasks, each task has the fmwhytm.b name, but the next name is different in each task; I tried most of them with show hidden files, but didn't find anything.
At1.job
®ÐFcä¼ÝBç·di€ƒ3F æ <
s !Ùa
r u n d l l 3 2 . e x e f m w h y t m . b , c z n g l o v w a S Y S T E M C r e a d o p o r N e t S c h e d u l e J o b A d d . 0 Ùa 2²`ú!̽úz]× ž Ô¥›Ñ`ã¢5.
!%þXC`{~aLÈ3‹n_iÖ‚#ü`íÌ¡ÂŒI¾‹ºv-¥$-
At30.job
ýÁ`ÏŠNIºÂ¢ ã‡úF à <
s !Ùa È
r u n d l l 3 2 . e x e f m w h y t m . b , s x n d o a S Y S T E M C r e a d o p o r N e t S c h e d u l e J o b A d d . 0 Ùa xs &B~'¤<¬¢ â × d—4éï˜yÉ6$k;ÐdúgO^桺£¿Wvñ%¢Uq$b`ǹï¹j±|3
OK, it is fairly clear that these are in no way malign but malicious, so direct deletion of the tasks rather than disabling them is fine. So too is deleting the associated .job files in the Windows\Tasks folder.
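
As an added example that is not part of the original thread: the Python below reads .job files from a folder such as c:\SuspectJobs, pulls out the UTF-16 strings that Notepad shows as spaced-out letters, and reports any task that runs rundll32.exe against a file that is not a .dll. The sample bytes and the EXPORT name are constructed, and the string scan is a heuristic that assumes ASCII-range text, not a parser for the .job format.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path

# Notepad shows UTF-16LE text as "r u n d l l 3 2 . e x e"; match such runs.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")

def job_strings(data: bytes) -> list[str]:
    """Return the printable UTF-16LE strings embedded in a .job file."""
    return [m.group().decode("utf-16-le").strip() for m in UTF16_RUN.finditer(data)]

def triage(data: bytes) -> dict | None:
    """Describe a task that launches rundll32.exe, or return None."""
    strings = job_strings(data)
    for i, s in enumerate(strings):
        if s.lower().endswith("rundll32.exe") and i + 1 < len(strings):
            target, _, export = strings[i + 1].partition(",")
            return {
                "target": target,
                "export": export,
                # rundll32 normally loads a .dll; any other extension is odd
                "odd_extension": not target.lower().endswith(".dll"),
                # tasks added through the AT service carry this API name
                "at_created": any("NetScheduleJobAdd" in x for x in strings),
            }
    return None

def scan(folder: Path) -> dict[str, dict]:
    """Triage every .job file in a folder (e.g. C:\\SuspectJobs)."""
    hits = {}
    for job in sorted(folder.glob("*.job")):
        info = triage(job.read_bytes())
        if info:
            hits[job.name] = info
    return hits

def sample_job() -> bytes:
    """Constructed bytes mimicking the strings in the post, not a real .job."""
    fields = ["rundll32.exe", "fmwhytm.b,EXPORT", "SYSTEM", "Creado por NetScheduleJobAdd."]
    blob = b"\xae\xd0\x46\x63" + b"\x00" * 8
    for f in fields:
        blob += (len(f) + 1).to_bytes(2, "little") + (f + "\0").encode("utf-16-le")
    return blob

if __name__ == "__main__":
    for name, info in scan(Path(sys.argv[1])).items():
        print(name, info)
```
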
David, I have just been reading about a removal tool that mentions scheduled tasks. If configured it will delete the tasks (if deleting them the ordinary way did not work). It's mentioned in configuration options and scheduled tasks. Don’t know if it's needed, here's the link anyway