Author Topic: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]  (Read 30582 times)


Rawl

  • Guest
Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« on: February 09, 2009, 11:17:59 PM »
Hi,

For some weeks now my Avast has been reporting this virus; all I do is delete it, but then 1 hour later or so, it finds it again. This has been happening for 2 weeks, and I have tried to send it to the chest, repair it, delete it, but all actions seem useless for it. It used to be in the C:\WINDOWS\system32\fmwhytm.b folder.
I have used the boot-time scan, but still got the same virus. Recently I installed Ad-Aware to fix it, with the same result: found it, deleted it, and some mins later it appeared again.

Is there any report or solution to fix this yet?

UPDATED [11/02/2009]: Umm, it seems now that it is located here C:\WINDOWS\system32\fmwhytm.b\[UPX] ...
« Last Edit: February 11, 2009, 10:08:21 PM by Rawl »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #1 on: February 09, 2009, 11:46:16 PM »
AdAware is in my opinion a waste of hard disk space.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

Another tool that you might try is - DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut, more so when used in safe mode.

And this one which can help immunise usb flash drives to try and combat reinfection.
Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Also see this link for more information on Flash Disinfector, http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/

« Last Edit: February 09, 2009, 11:59:09 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #2 on: February 10, 2009, 10:23:26 AM »
simple question - is your OS fully updated?

sheilalobo19

  • Guest
Re: Virus Name: Win32:TrojanDownloder.AgentXLWtrojan
« Reply #3 on: February 10, 2009, 09:48:31 PM »

Hi,

For some weeks now my Nod32 has been reporting this virus; all I do is delete it, but then 1 hour later or so, it finds it again. This has been happening for 2 weeks, and I have tried to send it to the chest, repair it, delete it, but all actions seem useless for it. It used to be on Re: Virus Name:  Win32:TrojanDownloder.AgentXLWtrojan

I have used the boot-time scan, but still got the same virus. Same result: found it, deleted it, and some mins later it appeared again.

Is there any report or solution to fix this yet?

Rawl

  • Guest
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #4 on: February 10, 2009, 10:03:55 PM »
To "DavidR": Windows Firewall I must say  :-\. Gonna try those programs... hope it solves my PC.
To "Maxx_original": yes, my "WinXP SP3" is up to date.

thanks for the answers, still hope our Avast will fix it, without 3rd party software  8)

sheilalobo19

  • Guest
help !!!!! Virus Name: Win32:TrojanDownloder.AgentXLWtrojan
« Reply #5 on: February 11, 2009, 05:25:24 PM »
 ::)
Thanks for your message... but still I didn't understand how to delete the virus name:  Win32:TrojanDownloder.Agent.XLW trojan.


 ???

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #6 on: February 11, 2009, 06:17:32 PM »
Have you run the other programs that I suggested (items 1. and 2.) in my first reply ?

Rawl

  • Guest
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #7 on: February 17, 2009, 06:05:08 PM »
Hi,

well I tried all those steps, ran them in safe mode; only the SUPERantispyware detected 4 adaware problems but that's it; now avast detected the virus again.
It let me delete it 1 time, then avast detected it 4-5 times more; I can't delete it 'cos it is already deleted. So now it's showing more advices of it  :-\

But still no fix found for it... does Avast know about this fmwhytm.b yet?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #8 on: February 17, 2009, 06:25:55 PM »
This could, depending on the file type (if it were an archive, files would be extracted to be scanned), generate more than one detection.

In the case of an archive, if the actual archive is deleted then the files detected from the extracted files couldn't be deleted because the original archive file has already been deleted. I hope that makes some sense.

So is an avast boot-time scan still detecting this C:\WINDOWS\system32\fmwhytm.b file?

Rawl

  • Guest
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #9 on: February 17, 2009, 09:05:03 PM »
yeah it makes sense, no problem with that, but on boot scan it is not detected.

it is detected like each 30mins while I'm working at work. I'm now making a list with the hours when it is detected so maybe I can get the amount of time it takes to "rebirth" haha from nothing to my pc...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #10 on: February 17, 2009, 10:11:43 PM »
So where is this detected on these 30 rebirths, is it in the same file name and location ?

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?

You didn't say if you used the MalwareBytes AntiMalware tool, try that from safe mode.
« Last Edit: February 17, 2009, 10:13:44 PM by DavidR »

Rawl

  • Guest
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #11 on: February 18, 2009, 12:49:03 AM »
"So where is this detected on these 30 rebirths, is it in the same file name and location ?"

same location, same file.
I did use all those programs for detection in safe mode.
I don't use any firewall but the windows one, maybe you can tell me of some, and I'll test it; maybe I can block the virus from being created again.

thanks for your help man.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #12 on: February 18, 2009, 02:25:36 AM »
I can't give a personal recommendation for a firewall other than the one I'm using (haven't used any other one in over 6 years), but that isn't free.

Some with outbound protection (which I feel is essential) are a little complex, though PC Tools firewall by all accounts provides reasonable protection without being overbearing.

- There are many freeware firewalls such as Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See a forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

####
Some other tools, as whatever it might be could be hidden by a rootkit.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight

Rawl

  • Guest
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #13 on: February 18, 2009, 08:38:08 PM »
well the virus is detected by Avast each hour, so I don't know if avast checks that directory each hour or the virus each hour tries to act. the curious part is that the hours chosen are 10am-11am-12am and so on; no minutes or seconds added.

Well I tried those other softwares but no detection found; now I installed "Outpost Firewall" to check if the virus is being reactivated via internet; and I also have a zone alarm installer ready if this one fails.

Hope to fix it soon, and share more info about this.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Virus Name: fmwhytm.b Type: Win32:Confi[Wrm]
« Reply #14 on: February 18, 2009, 08:44:32 PM »
avast doesn't check every hour, but is activity based (resident, on-access scanner) so when that file is recreated avast would scan the newly created file and alert.

You could check the task scheduler and see if there is a task that is scheduled to run at these times and if so, disable it (not delete, yet) and report the file name that it runs.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
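
Added example, not part of any post in this thread: one way to turn the list of detection times Rawl is keeping into a shortlist of scheduled tasks to disable, as suggested in Reply #14. The alert timestamps, task names, commands and paths below are all constructed for illustration; real values would be copied from the antivirus log and the Scheduled Tasks window.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: on-access alert times as copied from the antivirus log.
DETECTIONS = [datetime(2009, 2, 18, h, 0, s)
              for h, s in [(10, 4), (11, 2), (12, 5), (13, 3)]]

# Constructed sample: (name, first run, repeat interval, command) as read off
# the Scheduled Tasks window. Names and commands are hypothetical.
TASKS = [
    ("WeeklyDefrag", datetime(2009, 2, 15, 3, 0), timedelta(days=7),
     r"C:\WINDOWS\system32\defrag.exe C:"),
    ("HourlyTaskA", datetime(2009, 2, 18, 0, 0), timedelta(hours=1),
     r"C:\placeholder\unknown.exe"),
]


def recurrence(detections):
    """Return (median gap in minutes, largest offset past the hour in seconds)."""
    ts = sorted(detections)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    offset = max(t.minute * 60 + t.second for t in ts)
    return round(median(gaps)), offset


def fires_near(task, when, tolerance):
    """True if the task had a scheduled run at most `tolerance` before `when`."""
    _, start, every, _ = task
    if when < start:
        return False
    return (when - start) % every <= tolerance


def suspect_tasks(detections, tasks, tolerance=timedelta(seconds=30)):
    """Names of tasks whose schedule accounts for every detection."""
    return [t[0] for t in tasks
            if all(fires_near(t, d, tolerance) for d in detections)]


if __name__ == "__main__":
    print("median gap (min), max offset (s):", recurrence(DETECTIONS))
    print("disable first, then report:", suspect_tasks(DETECTIONS, TASKS))
```

A median gap of a whole number of hours with only a few seconds of offset points to a timer or scheduled trigger rather than user activity; an empty shortlist means the trigger is not one of the listed tasks.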