Author Topic: Help with Win32:Agent-AWB? (and possibly other infections)  (Read 32019 times)


juditelucas

  • Guest
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #30 on: February 12, 2008, 01:06:30 AM »
I'll do it shortly. Since the pen drives' letters keep changing (some of them appear as m:; the usb hard drive's letter isn't always the same...) should I add the same code, adding the letters with which the usb disks are identified at the moment of scanning?
I'll wait a little further before doing the scan...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #31 on: February 12, 2008, 01:23:29 AM »
Hi juditelucas,

Yes, you can add the drive letters and insert them into the script that oldman made available. Think you get a feeling towards doing this now. Hope he gets online soon to aid us in this malware removal routine, but all is going well, and I hope you soon will be "out of the woods" and out of this predicament. Assume you can also educate your pupils further on secure practices as a good teacher should; being in education myself I know how it works.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #32 on: February 12, 2008, 01:37:06 AM »
You can add the additional drive letter plus add this one, we may have to get a bigger stick for it.

c:\xo8wr9.exe

The hjt log looks good, but I will review the latest DSS scan when you return.

Thanks


juditelucas

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #33 on: February 12, 2008, 02:13:31 AM »
Hi oldman.
Was just about to send you my log file when I saw your post.
I am attaching the first OTMOVEIT log (which actually moved something) and the last one (in-between nothing was moved, the logs were pretty much like the last one), as well as the main.txt and the hijackthis log.

I have also run OTMOVEIT again; the resulting log was pretty much the same as the majority of the other ones: nothing found. Should you need it, I'll send it in another post. Should I do another Hijackthis?

Sorry if I don't answer back today. It's past bedtime now. Thank you!
JLucas

Offline oldman

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #34 on: February 12, 2008, 03:35:03 AM »
It looks better, however you have picked up a new one. One or more of your drives did not get protected with Flashdrive disinfecter. Did you use any today? If you did, start with those. Rerun Flashdrive disinfecter with those drives first, then do the OTMOVEIT2 fix. I think the C:\ is okay, but I will include them all.

Quote
c:\xo8wr9.exe
m:\xo8wr9.exe
m:\Knight.exe /s
m:\fun.xls.exe /s
g:\Knight.exe /s
c:\Sex City.jpg.wsf /s
d:\Sex City.jpg.wsf /s
e:\Sex City.jpg.wsf /s
f:\Sex City.jpg.wsf /s
g:\Sex City.jpg.wsf /s
i:\Sex City.jpg.wsf /s
m:\Sex City.jpg.wsf /s
F:\h.cmd
g:\h.cmd
d:\h.cmd
e:\h.cmd
c:\h.cmd
i:\h.cmd
m:\h.cmd
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92cbb41e-baf9-11dc-ab4b-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c58f6788-d845-11dc-ab9e-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{efd1c99c-d902-11dc-abaa-001302dc4e55}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f264bde2-cd2a-11dc-ab7d-001302dc4e55}


With the m:\ included all drives should now be detected.

I would seriously consider talking to the school and running at least Flashdrive disinfecter on their computer.

I will need another DSS log along with the results.

Thanks. Don't worry if the results show a lot of "not found", that's a good sign.  :D


Now then, we can make your pc a bit safer, by disabling autoruns. After you are finished the above, please do this

 Download and Install Microsoft's TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters

This will prevent autoruns from running on your computer.
« Last Edit: February 12, 2008, 04:59:47 AM by oldman »

juditelucas

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #35 on: February 12, 2008, 02:54:49 PM »
Old Sex City is back  >:( (it was that thing that started calling my attention in the first place. Damn it!)
Before I go on with the above suggestions and try to find that SEX City and its companions (and I have no idea in which of the pens it is, as I haven't been using them) I am sending you a screenshot I have taken of my MP4, along with the MoveIt log. As you can see from the screenshot there is another "old friend" of mine, which I thought I was free from: Ne0k.exe (it used to be on all the pens that had Sex City, together with the "autorun.inf").
That recycling bin keeps appearing as well - not sure it should.
I guess I'd better copy all my files to my external hard disk, and format all the pens (just afraid about the "special ones" for the portable apps and the mp3s and mp4, but if you think that I should do it, especially to the "normal pens", I'll do it).
I'll be back in about 20 minutes' time to see if I have a new reply. Now off to grab a bite...
JLucas

Offline oldman

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #36 on: February 12, 2008, 03:11:18 PM »
I'm going to have to think about this and come up with something. The screenshot is too small to read.

Off to work now, I'll check this more asap.

juditelucas

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #37 on: February 12, 2008, 03:42:30 PM »
Ok, thanks. I'm at school now. Be back later.
New screenshot. Bigger.

Offline oldman

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #38 on: February 12, 2008, 04:54:33 PM »
I'm back with a plan.

I'm wondering if for some reason DSS isn't showing us all the mountpoints and what we are seeing is some old ones. Reason: the Sex City file wasn't found.

So, install the tweakui and disable autoruns per previous instructions.
TweakUI will prevent any autoruns from running, so in case there is an infected drive, the bad files won't execute.

Next put your drives in two groups so you can keep track of them and the drive letters windows sees them as. We'll try to keep them, hopefully with the same letter each time.

Click this link and download to your desktop this program

querymountpoints.

http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files

This will show us not only all the mountpoints, but also all autoruns and their contents. From this we can determine which drives have the protected autorun and which don't. We can then protect those drives if needed.

Set your folder options like this

At the top of windows explorer, click tools, folder options, click the
view tab

 check Show hidden files and folders
 uncheck "Hide extensions for known file types" box
 uncheck "Hide protected operating system files" box

Click apply.


Insert the usb drives, then run the program.

Run, by double clicking, the file you downloaded. Post the results for each run.

Thanks for the pic. I wasn't aware of that file. We can add it to our list, or you can delete it and empty the recycle bin. I'm not 100% certain about the bin, but it may show up when something has been deleted from the drive. Try emptying it.

I share your concern about transferring bad files. So let's try to get rid of them.
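One way to turn the output of a tool like querymountpoints (the autorun.inf contents of each drive root) into a quick per-drive verdict, as an added example that is not part of this thread or of any tool mentioned in it: it parses an autorun.inf while tolerating junk lines, lists what the file would launch, and flags the payload types seen above (.wsf, .exe, .cmd). The sample autorun.inf contents and the drive-root listing shape are constructed for illustration; a directory named autorun.inf is treated as the protective placeholder a disinfector leaves behind.

```python
import re
from pathlib import PureWindowsPath

# Payload types seen in this thread (.exe, .wsf, .cmd) plus other directly runnable ones.
SUSPECT_EXT = {".exe", ".wsf", ".cmd", ".bat", ".vbs", ".scr", ".pif", ".com"}
# [autorun] keys that make Windows launch something on insert or drive double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# Constructed sample modelled on the file names in this thread (not a real capture).
SAMPLE_INFECTED = """[autorun]
open=Sex City.jpg.wsf /s
shell\\open\\command=Ne0k.exe
shellexecute="Knight.exe" /s
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
# Constructed benign sample: only an icon and a label, nothing is launched.
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Company Tools\n"

def parse_autorun(text):
    """Return {key: value} from [autorun]; junk lines used to confuse parsers are skipped."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launched_targets(entries):
    """Programs the autorun would run, in LAUNCH_KEYS order, with switches like '/s' dropped."""
    targets = []
    for key in LAUNCH_KEYS:
        if entries.get(key):
            targets.append(re.split(r"\s+[/-]", entries[key])[0].strip().strip('"'))
    return targets

def triage_drive(root):
    """root maps each name in the drive root to its text, or None for a directory.
    A directory named autorun.inf is the placeholder a disinfector leaves to block
    the real file. Returns (status, suspicious launch targets)."""
    if "autorun.inf" not in root:
        return "unprotected", []
    if root["autorun.inf"] is None:
        return "protected", []
    targets = launched_targets(parse_autorun(root["autorun.inf"]))
    bad = [t for t in targets if PureWindowsPath(t).suffix.lower() in SUSPECT_EXT]
    return ("infected" if bad else "autorun-present"), bad
```

Feed it one dictionary per drive (built from a directory listing plus the autorun.inf text) and compare the statuses against the mountpoints list to see which drives still need the protective placeholder.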

Offline oldman

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #39 on: February 12, 2008, 06:42:32 PM »
I really like your idea of the screenshot showing the root of the drive. After you get the autoruns disabled and we can see where we're going, could you do one for each drive? You've had so many autorun infections, we may miss a file.

I only have to see the portion with the files (not folders).

juditelucas

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #40 on: February 12, 2008, 07:28:27 PM »
Hello again.
Two things.
1. Since I detected Ne0k.exe, I didn't proceed with the last OTMOVEIT2 fix. Should I do it before starting TweakUI?
2. I keep getting an error when I try downloading querymountpoints from
http://cid-32d8666f4048075b.skydrive.live.com/browse.aspx/Malware%20files (even after entering my Windows Live ID).

CULater

Offline oldman

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #41 on: February 12, 2008, 08:00:14 PM »
Hi
I was sure you gave me a log with SEX City, which would have been the last one. Or did you mean with the Ne0k.exe file?

I just tried the download and it worked. What I did:

clicked the link, clicked the file, it then opened another page, clicked the download button on that page.

Wouldn't you know it, just tried it 2 minutes later and got an error. The server may be having problems, just keep trying. Get the tweak up and running and autoruns disabled.

Quick, it's working again.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #42 on: February 12, 2008, 08:08:30 PM »
I meant to say also, we should disable autoruns before inserting any more usb, just in case.

juditelucas

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #43 on: February 12, 2008, 08:14:08 PM »
Ok, so I'll disable autorun first thing of all, then I'll run MoveIt on all my usb drives. I interrupted that action having spotted Ne0k.exe in the very first one.

I have already downloaded the file. Off to disable autorun.

Offline oldman

Re: Help with Win32:Agent-AWB? (and possibly other infections)
« Reply #44 on: February 12, 2008, 08:36:26 PM »
Okay good, we are making progress.  :) It's going to be a busy afternoon for me,  :(  so I won't be able to get back to this until later.