Help with Win32:Agent-AWB? (and possibly other infections)

[juditelucas]

Ok, no problem.
I have disabled autorun, and I have used done the OTMOVEIT2 fix.
I am attaching the logs.

[juditelucas]

I have also used QueryMountPoints.
Here go the results for each run. Will have to send different replies, as the files are too large. The last one (as with the previous OTMOVEIT2) are from the external Hard disk.

Here goes the first.

I'll be back in a couple of hours, and, if you still want it, will try to make the screenshots.
See you later.

[juditelucas]

The second.

[juditelucas]

The third.

[juditelucas]

The fourth.

[polonus]

Hi juditelucas,

This is quite some horrendous job. Oldman will lead you through the further malware removal routines.
Do not forget to ask him, if everything is removed and OK again, what you should do to be protected against reinfection, because you have experienced now for yourself that one ounce of protection is better than two  kilo's of cleansing,

polonus

[juditelucas]

No doubt, polonus. Completely agree. And I will indeed need some guidance. Thinking about throwing up an anti-virus party at school, 'cause things are pretty nasty there.
But first things first, one step at a time.
Off to make those screenshots. Will take a few minutes. Stupid girl, who told you to have all those pens???
CULater
JLucas

[juditelucas]

I have made screenshots to the roots of all my drives (partition C: and D: included), as well as to some other things that seemed peculiar (at least to me, might mean nothing), and have made a few annotations.
I have made a pdf out of them, but it is too big to post here (495 KB). There are a total 13 file images. Is it possible to send it by mail, or should I use slideshare or any other file sharing service?
Please let me know.
JLucas


Just editing my message to say I have published the screenshots as a slideshow at Zoho. This is the URL:
http://show.zoho.com/public/juditelucas/Driver-screenshots-12Feb-ppt
Should be seen in full screen mode.
Now I must sleep, it's 1:30 a.m. here in Portugal. Tomorrow I'll come back.
Thanks for your patience and help. Hope this will help not only me but also others, as well as help make AVAST even more efficient.
JLucas

[oldman]

Well that went well. One file that was scheduled to be moved on reboot. However OTMOVEIT2 does not log these files.

It was g:\Sex City.jpg.wsf from the 3rd run. Pair c run

This is what I got for the querymountpoints

 pair A

Blank autorun

pair 2

Blank

pair 3

two autoruns

G:\ and H:\

external drive

Blank

For the two drives that still show bad auto runs (g&H) you will have insert them and then run Flashdrive disinfector. I would suggest inserting all the drives in that group in the same order. This group also had a H and K drive.

Rerun the OTMOVEIT on the drives in the 3rd run.

I also noticed querymountpoint showed a drive H,L and K. We didn't do a OTMOVEIT fix for these originally, but see you have added to the list. Good for you. We can pick up the rest at the end.

All these tyoes of devices are suseptiable to autorun infections-Phone, USB Pen Drive, iPOD or other Portable Music Device.

I realize that the drive letters change, did we get all 13 devices?

I think what we'll do is add the missing drives and we'll make a list of all the files rerun them at the end with the groups as you made up. We can also add any more that show up.

I think you are on the right track when you say you should put on a class. The school should at least disable autoruns and make FlashDrive disinfector available if not mandatory. As an eductactor, I'm sure you will know where I stole this line of thought, that using a flash drive on a computer means you are using with every flash drive that been used on that computer, plus every computer those flash drives have been used on, and so on. Rather large circle of "friends". No one should have to go through this.

Speaking of autoruns, did you select all the letters in tweakUi, except of course your cd/dvd?

I'll review the info you sent me and put up a list.

Thanks

 

[oldman]

My browser kept crashing when I tried to view the pages full size and I had difficult reading it other wise. So I had to keep coming back again and again and


page1-ok  page2-ok page3-ok page4-ok

page5-you are correct, spotlight-v100 is mac related, perhaps the 501 folder is also. The adobe documents brio may be related to he HP computer line. ??

page6-looks ok, the launch u3 starts the u3. I don't know much about them but I think they have to "started", there should be a corresponding autorun to launch the drive and display the icon.

page7-You deleted both the autorun and the file? That's ok. When you run FDD it should place the good one there.

page8-I don't think there is anything wrong with that autorun.

page9-That's the other autorun that must go. Did you delete that one as well? That silly gotta shut down window keeps popping up, I could read the entire message you put in the corner. The file is bad, did you send it to avast as well?

page10-same comment as before,mac related. Google spotlight-v100 it may explain some other things you see.

page11-system volume information is system restore. Xp sees the drive as a hard drive and places a restore point on it. When we clear your system restore, you should have this drive plugged in and use the turn off on all drives button. That will clear it and when you turn it back on a new one will be made. They are all related to system restore, except the pdf writer.

page12-ok, the similar named files are windows messenger data files.

page13-ok

Why you have recycle bins in the usb drive, not sure. As soon as I have time I'll look for an answer. Windows does some strange things at times. I put my win98 HD in my other computer, it had xp at the time. The first thing it did was place a volume information folder on it and a recycle bin on the drive image partion. Still there.

Given what I see here, we should only need OTMOVEIT2 to clear the last 3 mountpoints. I didn't see any other files except the one(s) you deleted.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7531532f-d95d-11dc-abab-001302dc4e55}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{75315330-d95d-11dc-abab-001302dc4e55}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7ae374ce-8a05-11dc-aab1-001302dc4e55}

I must compliment you on the way you handled this.

[juditelucas]

OK, thanks, oldman.
Now let me see if I didn't miss anything. And try to be as efficient as possible, as I am running short on time.
I'll just clean the "Ne0k.exe" and "autorun" files in the drive shown on page 9. I can try to send it to AVAST, should my e-mail allow me. What do you suggest? Which is the best way of sending it? Then I'll run FDD to the drives from which I deleted "Ne0k.exe" and "autorun".

Then I'll use OTMOVEIT2 using the quote you give (no need to insert all my drives again, or must I?).

I'll wait for your help concerning system restore, I don't understand what you mean by "use the turn off on all drives button".

See you later, and thanks.

[juditelucas]

Hello, I have sent the files in a zipped folder protected with the password virus, to virus@avast.com.

CUL8
JLucas

[oldman]

Good, thank you.

You can delete the files, if you haven't done so already. Autorun files too.

I'll get some information up re restore points, etc.

You don't have to insert any drives when you run OTMOVEIT2 to remove the reg keys.

[oldman]

Your system is protected as best as it can be, given you are using usb devices. Any computer you plug into, should at the very least have autoruns disabled. But that's something you have to work on.

We can clean up the tools now.

Keep tweak ui, it may be useful to you later.

Delete the Ravmon tool and FDD. You can keep FDD if you want. Be sure to use it if you reformat or buy a new usb.


Now for the best part, clean up time.

1. Click startt button, click run, copy and paste this line into the box, click ok

combofix /u


2. Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

3. Remove the old restore points. Since you have multi harddrives, the checkbox may be labled "turn off system restore on all drives. Check this box, click apply. When it is finished uncheck the box and click apply.

See this link for info and a screenshot. Just use the info for reference.

http://www.5starsupport.com/tutorial/system-restore.htm

4. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create



4. Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.



5. Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


6. If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0


Any problems, let me know,

 

[juditelucas]

Right, oldman. I'm not sure I'll be able to do it today. I have spent the whole day updating, scanning, cleaning and disabling auto-run in 15 computers at my school, and there are many others me and my mate will need to clean. I will also make flash disinfection available at school.
I did need a confirmation: I am supposed to have all the disks with hard drives installed, correct?


This experience has been extenuating but rather enlightening - and frightening.
Thank you.
JLucas