Topic: Help with Win32:Agent-AWB? (and possibly other infections)


juditelucas

  • Guest
Help with Win32:Agent-AWB? (and possibly other infections)
« on: February 10, 2008, 01:15:04 AM »
I have been having hundreds of problems with viruses (SexCity.jpg.wsf and Ne0ks.exe, accompanied by an Autorun.inf, were the most resilient ones). I have installed and uninstalled several anti-virus programs and several cleaners, done on-line cleaners and so on. Yesterday, I asked someone to have a look at my computer, and after some time cleaning up, I was advised to format my laptop.
I started copying all my data to an external hard disk. However, AVAST tells me I have a virus there, or signs of the virus: Win32:Agent-AWB. The folder is hidden and has this structure:

09-02-2008 16:53:52   User   3644   Sign of "Win32:Agent-AWB [Adw]" has been found in "F:\System Volume Information\_restore{16433FEA-F9F7-4745-ABF2-13C1202916C6}\RP608\A0130209.txt\{tmp}\SetupInst.exe\Setup.exe" file. 
09-02-2008 16:54:29   User   2036   Sign of "Win32:Agent-AWB [Adw]" has been found in "F:\System Volume Information\_restore{16433FEA-F9F7-4745-ABF2-13C1202916C6}\RP608\A0130209.txt\{tmp}\SetupInst.exe\Setup.exe" file.
09-02-2008 16:08:42   User   5580   Sign of "Win32:Agent-AWB [Adw]" has been found in "F:\Software de Instalação\Utilitários\PDF\PdfMaker\CuteComp.exe\{tmp}\SetupInst.exe\Setup.exe" file. 


AVAST couldn't clean or move it to Quarantine. I tried deleting it manually, but I couldn't. I was told it's a system file. I changed the file extension and after many trials did succeed once in deleting the whole folder. ::) Just to notice later on that the folder was ALSO on my C: partition, and I was denied access to it. The folders are also back on my external hard disk. AVAST no longer detects a virus, though.
My system keeps creating hidden "Thumb.db" files, even when I'm not opening any folder, and it is creating "Recycle" folders in my usb pendisks. When I delete anything, it goes into those folders. However, I have scanned my computer and no virus is detected.

What should I do? Are these things normal?

Thanks in advance.
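A reading aid for the three avast! log lines quoted above, added here as example code (it is not from the thread, from avast! or from any tool named in it). The path avast! reports is not a single file: I read the `\{tmp}\` separator as marking an object unpacked from the preceding file, so the only thing that exists on disk is the part before the first such marker (A0130209.txt, a restore-point copy, and CuteComp.exe, an installer), while SetupInst.exe and Setup.exe are nested inside it. The parser below splits the lines that way, reads the `[Adw]` tag as the category avast! attaches to the signature name, and flags containers under `System Volume Information\_restore`, which the System Restore service protects from ordinary deletion. The three log lines are embedded as constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the three avast! log lines quoted in the post above.
SAMPLE_LOG = r"""
09-02-2008 16:53:52   User   3644   Sign of "Win32:Agent-AWB [Adw]" has been found in "F:\System Volume Information\_restore{16433FEA-F9F7-4745-ABF2-13C1202916C6}\RP608\A0130209.txt\{tmp}\SetupInst.exe\Setup.exe" file.
09-02-2008 16:54:29   User   2036   Sign of "Win32:Agent-AWB [Adw]" has been found in "F:\System Volume Information\_restore{16433FEA-F9F7-4745-ABF2-13C1202916C6}\RP608\A0130209.txt\{tmp}\SetupInst.exe\Setup.exe" file.
09-02-2008 16:08:42   User   5580   Sign of "Win32:Agent-AWB [Adw]" has been found in "F:\Software de Instalação\Utilitários\PDF\PdfMaker\CuteComp.exe\{tmp}\SetupInst.exe\Setup.exe" file.
"""

# date  time  user  id  message -- the fields are separated by runs of spaces
LINE_RE = re.compile(
    r'^(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<id>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.?$'
)
# "Win32:Agent-AWB [Adw]" -> signature name plus an optional category tag
SIG_RE = re.compile(r'^(?P<name>\S+)(?:\s+\[(?P<cat>[^\]]+)\])?$')
# Assumption: avast! separates a file from the objects it unpacked out of it with \{tmp}\
NEST_MARK = '\\{tmp}\\'
RESTORE_DIR = '\\System Volume Information\\_restore'


@dataclass(frozen=True)
class Detection:
    timestamp: str
    user: str
    signature: str                # e.g. "Win32:Agent-AWB"
    category: str                 # e.g. "Adw"; empty when the line carries no tag
    container: str                # the path that actually exists on disk
    inner_chain: Tuple[str, ...]  # objects nested inside the container, outermost first
    in_restore_point: bool        # the container is a System Restore snapshot copy


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; returns None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sig = SIG_RE.match(m['sig'])
    parts = m['path'].split(NEST_MARK)
    container = parts[0]
    inner = tuple(seg for part in parts[1:] for seg in part.split('\\') if seg)
    return Detection(
        timestamp=f"{m['date']} {m['time']}",
        user=m['user'],
        signature=sig['name'] if sig else m['sig'],
        category=(sig['cat'] or '') if sig else '',
        container=container,
        inner_chain=inner,
        in_restore_point=RESTORE_DIR.lower() in container.lower(),
    )


def parse_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def on_disk_artifacts(detections: List[Detection]) -> List[str]:
    """Unique container paths in first-seen order: these, not the nested names, are what a
    clean-up acts on (the three hits above boil down to two files)."""
    seen: List[str] = []
    for d in detections:
        if d.container not in seen:
            seen.append(d.container)
    return seen


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    for d in dets:
        where = "restore-point copy" if d.in_restore_point else "regular file"
        print(f"{d.timestamp}  {d.signature} [{d.category}]")
        print(f"    on disk : {d.container}  ({where})")
        print(f"    nested  : {' -> '.join(d.inner_chain)}")
    print("distinct files to deal with:", len(on_disk_artifacts(dets)))
```

Two practical consequences follow from the split. The restore-point copies cannot be deleted by hand while the System Restore service holds them; on Windows XP they disappear when System Restore is turned off and on again, which purges all restore points. And a hit inside CuteComp.exe says only that the installer bundles a flagged Setup.exe, so the file to quarantine or discard is the installer itself.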

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #1 on: February 10, 2008, 01:42:37 AM »
Hi juditelucas,

Post a fresh HijackThis log text file as an attachment to your next posting. Download HijackThis from here:
http://download.hijackthis.eu/hijackthis_199.zip Unzip it and put it onto your desktop, then save a HijackThis log file there,
and also your avast log file, to establish where the malware resided so we can remove it later. We also need to download ComboFix from here: http://subs.geekstogo.com/ComboFix.exe  to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

polonus
« Last Edit: February 10, 2008, 02:11:13 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #2 on: February 10, 2008, 04:29:40 AM »
Hi polonus

I am attaching the HijackThis and ComboFix logs. I do have one question, though: what about partition D: and the external disk? They were not analysed by HijackThis and ComboFix, were they? At least the external drive seems infected... But I'll wait for your reply.

Judite Lucas

Offline polonus

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #3 on: February 10, 2008, 05:39:50 PM »
Hi juditelucas,

You have an autorun infection.

Too bad you didn't have the flash drive inserted before ComboFix.

You may be able to run Flash Drive Disinfector, and you then should insert the flash drive when the program asks.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Plug in your usb hd

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well (D: and the external disk).
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Then we have to perform an extra scan with DDS to be downloaded here:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

The first thing I want you to do is download Deckard's System Scanner.

   1. Close all applications and windows.
   2. Double-click on dss.exe to run it, and follow the prompts.
   3. When the scan is complete, a text file will open - Main.txt
   4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
   5. A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt.
   6. Attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What Deckard's System Scanner will do:

    * create a new System Restore point in Windows XP and Vista.
    * clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    * check some important areas of your system and produce a report for your analyst to review. Deckard's System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

When you get the two notepad documents, Main.txt & Extra.txt, attach them to your next reply.
After you have run both Flash Drive Disinfector and DSS, also attach a fresh HJT log.txt.

polonus

juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #4 on: February 10, 2008, 10:41:35 PM »
Hello, polonus
Let me see if I did / can do everything all right.
My first problem: I have so many usb drives, I couldn't scan all of them at once. What I did was:
I ran Flash_Disinfector once with as many drives as I could, had the computer reboot, scanned with DDS, and saved a copy of all the .txt files to my desktop.
Then I did a second scan with Flash_Disinfector, rebooted, and scanned with DDS again. I again made a copy of the .txt files - but alas, this time there was no extra.txt.
I will attach now the result of the scan to the first group of usb drives. Then I'll reply again and attach the result of the second group. Hope that's ok.

I tried copying and pasting the content of Main.txt (think that's what you asked), but it far exceeds the character limit. I am therefore posting it as an attachment and not pasting it here.
JLucas

juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #5 on: February 10, 2008, 10:45:28 PM »
Here I am again.
These are the text files for the second group of usb drives.
Please let me know if this was the wrong way to do it and, should that be the case, suggest other action. As I said, there was no extra.txt file this second time.

By the way, the first time there was also a "Moved.txt". Should I attach that as well?
Thanks.

JLucas

Offline polonus

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #6 on: February 10, 2008, 10:53:23 PM »
Hi juditelucas,

We will look into that shortly, but you also have another infection we have to look into too:
Ravmon cleansing

Cleansing of a flash drive infected with the RAVMON.exe virus: any visit of a strange flash drive
may infect your computer's drives (yes, all of 'em).

So this could infect any drive, including a flash drive, which is what a USB stick actually is,
and RAVMON.exe is dangerous:
- RAVMON.exe a.k.a. W32.Nomvar is a worm that copies itself to the root of all drives,
including removable and shared drives, and downloads potentially malicious files
onto a compromised computer.

Related files:
[DRIVE LETTER]:\RavMon.exe
[DRIVE LETTER]:\Autorun.inf
%Windir%\svchost.exe

Kill the process RavMon.exe and remove RavMon.exe from Windows startup

or run this tool for a pendrive aka USB stick, download from:
http://javedkhalil.com/techBlog/wp-content/uploads/2007/11/ravmon-removal.rar

Then put in another HJT file, and include that moved.txt as well.

polonus
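Reply #3 and reply #6 describe the same mechanism: a worm that drops an executable and an Autorun.inf at the root of every drive it reaches, so that Windows runs it when the drive is inserted or opened in Explorer. The script below is an added example (not from the thread, from Flash_Disinfector or from any tool named here) of what a defender checks in such an Autorun.inf before trusting a drive: which directives launch a program, whether the default Explorer verb has been rebound, and whether the launched file sits at the drive root with the hidden and system attributes. Both Autorun.inf texts and both drive-root listings are constructed samples; RavMon.exe is the file name from reply #6, and the directive layout around it is my assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: an Autorun.inf of the kind these worms drop at a drive root. "RavMon.exe"
# is the file name from the reply; the directive layout is an assumption made for this example.
WORM_INF = r"""
[AutoRun]
open=RavMon.exe e
shell\open=Open(&O)
shell\open\Command=RavMon.exe e
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=RavMon.exe e
shellexecute=RavMon.exe e
"""

# Constructed sample: the harmless kind a vendor ships (drive icon and volume label only).
VENDOR_INF = r"""
[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

# Constructed drive-root listings: {file name: attributes as `attrib` would show them}
WORM_ROOT = {"autorun.inf": {"H", "S", "R"}, "ravmon.exe": {"H", "S"}, "thesis.doc": set()}
VENDOR_ROOT = {"autorun.inf": {"R"}, "setup.exe": set(), "readme.txt": set()}

LAUNCH_KEYS = {"open", "shellexecute"}                      # executed by AutoRun/AutoPlay
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")   # executed when an Explorer verb is chosen


def parse_inf(text: str) -> Dict[str, str]:
    """Key/value pairs from every [autorun*] section, keys lower-cased; other sections are ignored."""
    entries: Dict[str, str] = {}
    active = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            active = line[1:-1].strip().lower().startswith("autorun")
            continue
        if active and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(entries: Dict[str, str]) -> List[str]:
    """Programs the inf would execute, on insertion or through a rebound Explorer verb."""
    progs = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            tokens = value.split()
            if tokens:
                progs.append(tokens[0].strip('"'))
    return progs


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info"
    detail: str


def assess(inf_text: str, root_listing: Dict[str, Set[str]]) -> List[Finding]:
    """Findings for one drive: the parsed Autorun.inf judged against what lies at the drive root."""
    entries = parse_inf(inf_text)
    progs = sorted(set(launched_programs(entries)))
    findings: List[Finding] = []
    if progs:
        findings.append(Finding("high", f"Autorun.inf launches {progs} on insertion or via Explorer verbs"))
    if "shell" in entries:
        findings.append(Finding("high", f"default verb changed to '{entries['shell']}': double-click runs its command"))
    for prog in progs:
        attrs = root_listing.get(prog.lower())
        if attrs is None:
            findings.append(Finding("info", f"{prog} is referenced but not present at the drive root"))
        elif {"H", "S"} <= attrs:
            findings.append(Finding("high", f"{prog} sits at the drive root with hidden+system attributes"))
    return findings


if __name__ == "__main__":
    for label, inf, root in (("worm-style", WORM_INF, WORM_ROOT), ("vendor", VENDOR_INF, VENDOR_ROOT)):
        found = assess(inf, root)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.detail}")
```

The vendor inf produces no findings because icon= and label= only decorate the drive, while the worm-style inf is flagged three ways: it runs a program on insertion, it rewires the Open and Explore verbs so that even a cautious double-click executes it, and the program is hidden at the root. On Windows XP of this period AutoRun can be switched off for every drive type by setting the REG_DWORD NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (or HKCU for one user). The MountPoints2 keys listed later in reply #13 are Explorer's per-volume cache of the shell verbs an Autorun.inf defined, which is why a clean-up of this kind removes them alongside the files.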

Offline polonus

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #7 on: February 10, 2008, 11:02:23 PM »
Hi juditelucas,

Also fix these with HijackThis: fire it up, scan, tick the entries given below and fix them by pressing Enter:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJxdm086YYPT
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

polonus
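The three lines in this reply are HijackThis log entries, and the next post says they were hard to make sense of. As an added example (not HijackThis' own code and not from the thread), the parser below splits such lines into their fields, names what each section number stands for, and shows why these three are safe to fix: two end in "(no file)", meaning the registry still points at a component whose file is gone, and the O8 item's target is not a complete URL. The three lines are embedded as constructed sample input; the section descriptions are the standard HijackThis categories.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the three entries quoted in the reply above.
SAMPLE_ENTRIES = """
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJxdm086YYPT
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
"""

# What each HijackThis section enumerates (only the sections that occur above).
SECTIONS = {
    "O2": "Internet Explorer Browser Helper Object, a DLL that IE loads at start-up",
    "O8": "extra item in Internet Explorer's right-click context menu",
    "O9": "extra Internet Explorer toolbar button or Tools-menu item",
}
ENTRY_RE = re.compile(r"^(?P<sec>O\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
URL_RE = re.compile(r"^(?:https?|file|res)://", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    kind: str
    fields: Tuple[str, ...]   # the " - " separated fields after the kind
    hive: str                 # "HKCU" when HijackThis appends "(HKCU)", otherwise "HKLM"


def parse_entries(text: str) -> List[Entry]:
    """Split each HijackThis line into section, kind, fields and registry hive."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest, hive = m["rest"], "HKLM"
        if rest.endswith("(HKCU)"):
            rest, hive = rest[: -len("(HKCU)")].strip(), "HKCU"
        fields = tuple(f.strip() for f in rest.split(" - "))
        entries.append(Entry(m["sec"], m["kind"], fields, hive))
    return entries


def clsid(entry: Entry) -> Optional[str]:
    """The {GUID} field, if the entry has one (O2 BHOs are registered by CLSID)."""
    return next((f for f in entry.fields if CLSID_RE.match(f)), None)


def triage(entry: Entry) -> Tuple[str, str]:
    """(verdict, reason). 'orphan': the registry still names a component whose file is gone,
    so fixing the entry removes a dead pointer and nothing else."""
    what = SECTIONS.get(entry.section, "unknown section")
    if "(no file)" in entry.fields:
        return "orphan", f"{entry.section} ({what}) points at a file that no longer exists"
    if entry.section == "O8" and not URL_RE.match(entry.fields[-1]):
        return "review", f"O8 target '{entry.fields[-1]}' is not a complete URL, typical of a leftover toolbar menu item"
    return "ok", "nothing unusual in the line itself"


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_ENTRIES):
        verdict, reason = triage(e)
        print(f"{e.section} [{e.hive}] {e.kind}: {' | '.join(e.fields)}")
        print(f"    -> {verdict}: {reason}")
```

Run as is, the script classifies the O2 and O9 entries as orphans and the O8 entry as one to review, which matches the advice in the reply: "fixing" them in HijackThis deletes the registry entries and removes nothing that is still in use.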

juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #8 on: February 10, 2008, 11:30:53 PM »
Hi, polonus

I'm afraid I don't understand your last reply...

Here go the moved.txt file, the hijackthis file after using , and the logfile created by ... That thing is strange. It kept telling me I had no virus, but it did not let me get out of the program. I had to do Ctrl+Alt+Del every time I used it. Then there were one or two times when, after saying I had no virus, it said it had removed the virus and told me to remove the usb drive (which I can only do by right-click and eject; the secure remove icon keeps disappearing from my notification area...).
Should I send an email to imani9009@gmail.com with the log file? I was asked to, one of the times.

I'll try to make sense of your post...

juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #9 on: February 10, 2008, 11:36:29 PM »
Hello again.
Guess I did it.
I am sending the hijackthis file after having selected the files you mentioned and pressing enter. Guess it cleaned them, right?

Offline polonus

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #10 on: February 10, 2008, 11:43:11 PM »
I repeat what you have to do: close your browser, run a HijackThis scan, then tick the three entries I mentioned, and click "Fix checked". Grasp it?


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O8 - Extra context menu item: &Search - ?p=ZJxdm086YYPT
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

polonus

juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #11 on: February 11, 2008, 12:34:31 AM »
All right. I got it. Here it goes.

Offline polonus

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #12 on: February 11, 2008, 12:43:11 AM »
Hi juditelucas,

That sure looks better. Have a look for yourself here:
http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html
The analysis will be there for you for three consecutive days. I think everything is OK now.
Oldman will have a secondary glance over your files again, but I think the maker of the programs we used has cleansed the malware from your computer while they ran.
Welcome to the forums, juditelucas,

polonus aka Damian


Offline polonus

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #13 on: February 11, 2008, 01:06:08 AM »
Hi juditelucas,

We are not completely there yet, because there are infections on your additional drives that should be cleansed.
Please download OTMoveIt by OldTimer from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

    * Save it to your desktop.
    * Please double-click OTMoveIt.exe to run it.
    * Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    * In either case the fixes will have to be run multiple times because of the number of usb flash drives she has: one run with each drive inserted.

Code:

c:\h.cmd
d:\h.cmd
c:\Knight.exe /s
d:\Knight.exe /s
e:\Knight.exe /s
f:\Knight.exe /s
e:\Knight.exe /s
f:\Knight.exe /s
g:\fun.xls.exe /s
c:\fun.xls.exe /s
d:\fun.xls.exe /s
c:\xo8wr9.exe /s
e:\fun.xls.exe /s
f:\fun.xls.exe /s
c:\xo8wr9.exe /s
d:\xo8wr9.exe /s
e:\xo8wr9.exe /s
f:\xo8wr9.exe /s
g:\xo8wr9.exe /s

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62d4f78c-ba8b-11db-a8dc-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b235fe6-afcf-11dc-ab40-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b235fe9-afcf-11dc-ab40-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97ec00ec-146a-11dc-a9ba-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f264bde2-cd2a-11dc-ab7d-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8199dd7a-d239-11db-a916-001302dc4e55}


    * Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and  choose Paste. Paste all inside code as a text file into the lower left box under the yellow line titled "Paste List Of Files/Patterns To Search For and Move"
    * Click the red Moveit! button.
      Click "Exit" to close OTMoveIt.

      **When ready to Reply on the forum, please Paste the content of the latest log which is located at the root of the drive where the OTMoveIt folder is:
      C:\_OTMoveIt\MovedFiles\********_******.log
      (where "********_******" is the "date_time")


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================

Waiting for the log files,

polonus
« Last Edit: February 11, 2008, 01:20:58 AM by polonus »

juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #14 on: February 11, 2008, 01:42:46 AM »
This sounds really complicated... ::) Still more complicated is to run the OTMoveIt: the link doesn't work  ??? And to think I had it on my desktop but sent it away! >:(
Should I try google search and download it from somewhere else?
JLucas