Author Topic: adober.exe  (Read 16753 times)

gmarsh

  • Guest
adober.exe
« on: September 14, 2006, 06:06:36 AM »
Hi, I did email a sample of adober.exe to virus@avast.com around a week ago. This adober.exe is basically the same as W32/RJump.worm. It's worth pointing out that at the moment adober.exe seems to infest PCs in China/HK but no doubt it will spread further.

However, it seems this virus is still not being picked up by Avast. Is it possible someone from Avast could look into it and get the definitions updated? Thanks!
Graham Marsh
Hong Kong

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33910
  • malware fighter
Re: adober.exe
« Reply #1 on: September 14, 2006, 08:34:26 AM »
Hi gmarsh,

It is part of a spyware install, and from the Chinese reports it appears on Windows machines that are not fully patched, so that is one side of preventing against this.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

gmarsh

  • Guest
Re: adober.exe
« Reply #2 on: September 14, 2006, 09:51:16 AM »
No, it appears to be stand-alone and it spreads by using the AutoRun feature - it infects removable drives and flags the files as System files so they do not show up in Explorer - when an infected USB drive is plugged into a clean system, the AutoRun feature infects the clean system.

Also it does affect fully-patched XP systems. I sent samples to various anti-virus vendors (F-Secure, CA, McAfee) and all respond that it is the RJump worm. Unfortunately Avast does not detect it yet. I sent a sample but it is still undetected... which is why I am posting in this discussion group. It makes me wonder a bit about the effectiveness of the Avast product. Although the free version is great for home use (can't argue with the price). I'm hoping that the defs will be updated soon.

Best regards
Graham

clercdesign

  • Guest
Re: adober.exe
« Reply #3 on: September 20, 2006, 11:04:24 PM »
I think I have the same problem. I worked a few days in China and now it's a big mess.

Avast told me that I have a worm "adober.exe" win32:Rjump but never finds the solution to destroy it.
What can I do if Avast doesn't do anything?

François
Paris


Offline polonus

Re: adober.exe
« Reply #4 on: September 20, 2006, 11:19:07 PM »
Hi clercdesign,

The technical info is here:

http://www.k7computing.com/virusinfo/WormRJumpA.htm

You have to remove the process, and remove the registry entry for the process at
autostart.

polonus

clercdesign

  • Guest
Re: adober.exe
« Reply #5 on: September 20, 2006, 11:25:54 PM »
OK, I'm going to try

In fact I have different messages telling me that I have a worm or trojan, I don't know.

Win32:Wow-AK (RX921.exe and Wow921.exe)
Win32:Qqpass-AK (king.exe)
win32:Rjump (adober.exe)

My USB key is also strange, there is a folder RavMonLog that I never saw before and I can’t eject it.

I try
thank you very much
francois

Offline polonus

Re: adober.exe
« Reply #6 on: September 20, 2006, 11:59:25 PM »
Hi clercdesign,

If you cannot kill the process normally, use killbox on it, get it from here:
http://download.bleepingcomputer.com/spyware/KillBox.zip

If you change something in the registry, make a copy to go back to first.

Bonne chance,

polonus


clercdesign

  • Guest
Re: adober.exe
« Reply #7 on: September 21, 2006, 01:11:04 AM »

I think it worked for adober.exe (merci)

But for the others: RX921.exe, Wow921.exe and king.exe it didn't. I tried to use Killbox but when I start the computer again they are still here!

What can I do? Any idea?

thank you, I'm always amazed to have an answer!! that's great!!

francois

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: adober.exe
« Reply #8 on: September 21, 2006, 01:15:41 AM »
> But for the others: RX921.exe, Wow921.exe and king.exe it didn't. I tried to use Killbox but when I start the computer again they are still here!

If a virus is replicant (coming and coming again) or you can't delete it (access denied), you should, at least:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Use a-squared, ewido or Spyware Terminator (trojan removers).

Can you try?
The best things in life are free.

Spiritsongs

  • Guest
"RX921,WoW921,etc "
« Reply #9 on: September 21, 2006, 02:17:58 AM »
 :)  Hi Clercdesign :

      Since this is part of a SPYWARE install, why are you not
      seeking help from volunteer Expert(s) on one of the
      many antiSPYWARE forums !? Have you asked for help
      on the forum of your antiSPYWARE Provider ? Who
      knows what else you picked up in addition to what
      you are currently aware !?

clercdesign

  • Guest
Re: adober.exe
« Reply #10 on: September 21, 2006, 10:11:57 AM »

Is there a difference between an antiSPYWARE and a firewall?

I have got more and more problems...

francois

SNOWHITE

  • Guest
Re: adober.exe
« Reply #11 on: September 21, 2006, 10:36:46 AM »

> Is there a difference between an antiSPYWARE and a firewall?
>
> I have got more and more problems...
>
> francois

Hi clercdesign :)

Yes there is a difference !
http://www.webopedia.com/TERM/f/firewall.html
http://en.wikipedia.org/wiki/Firewall_(networking)
http://en.wikipedia.org/wiki/Spyware

galooma

  • Guest
Re: adober.exe
« Reply #12 on: September 21, 2006, 10:39:41 AM »
Hi Francois, download this little utility and install it. Then let it generate a log and post that log back here and let us see how bad your problems are ;)
http://www.majorgeeks.com/download3155.html

SNOWHITE

  • Guest
Re: adober.exe
« Reply #13 on: September 21, 2006, 10:54:33 AM »
> Hi Francois, download this little utility and install it. Then let it generate a log and post that log back here and let us see how bad your problems are ;)
> http://www.majorgeeks.com/download3155.html

Before you run a scan with HiJackThis you have to save it into its own folder, as this folder will be used when HijackThis makes backups. If you run it out of a compressed file, like a zip file, instead of running it from a directory, the backups will not be made.

Also, before scanning, follow these instructions:

Go to Start->(Settings)->Control Panel->Folder Options->View and select Show hidden files and folders. Next uncheck Hide file extensions for known file types. Also make sure that Display the contents of System Folders is checked (if this option is available). Close any applications you have running currently, especially Internet Explorer. Open HiJackThis and do a system scan and save log, after that post the log here. DO NOT FIX ANYTHING
Edit: How to show system files http://www.xtra.co.nz/help/0,,4155-1916458,00.html
« Last Edit: September 21, 2006, 11:11:42 AM by SNOWHITE »

JAH011

  • Guest
Re: adober.exe
« Reply #14 on: December 24, 2006, 01:54:53 PM »
I followed the instructions and deleted adober.exe from c:windows and ravman.log from reg, scanned system and my usb disk and now it seems ok, but when I click on the usbhdd icon win opens "open with/choose the program...." window. Of course if I choose explorer it works but every time I need to do it. What should I do?
thx
jah
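
The thread describes a worm that spreads through the AutoRun feature with files flagged as System, and an "Open with" prompt that remains on a USB drive after cleanup. As an added example (not written by any poster in this thread or by Avast), the Python below audits the autorun.inf in a drive root, which is the file Windows AutoRun reads, and reports each program it would launch, whether that program still exists, and whether it carries both the Hidden and System attributes. The names example.exe and viewer.exe are constructed sample values, and a leftover entry that points at a deleted program is assumed here as one possible cause of that prompt.

```python
import os
import tempfile

HIDDEN_SYSTEM = 0x2 | 0x4  # Windows FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def parse_autorun(text):
    """Return {key: command} for [autorun] entries that launch a program."""
    entries, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                entries[key] = value
    return entries

def target_of(command):
    """Program named by a command line: the quoted string, else the first token."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return (command.split() or [""])[0]

def audit_drive(root):
    """Return (key, target, exists, hidden_and_system) for each launch entry."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, command in sorted(entries.items()):
        target = target_of(command)
        path = os.path.join(root, *target.split("\\"))
        exists = bool(target) and os.path.isfile(path)
        # st_file_attributes exists only on Windows; treat as 0 elsewhere.
        attrs = getattr(os.stat(path), "st_file_attributes", 0) if exists else 0
        findings.append((key, target, exists, attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM))
    return findings

def demo():
    """Constructed drive: one entry whose program is gone, one still present."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\n; constructed sample\nopen=example.exe\n"
                 'shell\\explore\\command="viewer.exe" /x\n')
    open(os.path.join(root, "viewer.exe"), "wb").close()
    return audit_drive(root)
```

Run against a real drive with `audit_drive("E:\\")`; an entry with `exists` False is a dangling launch command, and one with `hidden_and_system` True is a file Explorer hides by default.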