RJump-A worm - help with cleaning...


Hi,

I have NOD32 for my anti-virus software. Every 30-45 minutes I get an
alert from NOD32 that my computer is infected with the Win32/RJump.A worm.

The log says that the infected file is F:\Autorun.inf.

I don't know what to do to clean the infection and stop the alerts from
NOD32 about it.

The F: drive doesn't even exist on my computer, and neither does the
autorun file.

I've checked all the info from http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=58753,
but didn't find anything suspicious :/

I ran NOD32 and Stinger checks in Safe Mode, but they didn't find
anything.

What else can I do?
Has anyone had a similar problem?

Thanks
 
From: "OK" <[email protected]>

| Hi,
|
| I have NOD32 for my anti-virus software. Every 30-45 minutes I get an
| alert from NOD32 that my computer is infected with the Win32/RJump.A worm.
|
| The log says that the infected file is F:\Autorun.inf.
|
| I don't know what to do to clean the infection and stop the alerts from
| NOD32 about it.
|
| The F: drive doesn't even exist on my computer, and neither does the
| autorun file.
|
| I've checked all the info from http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=58753,
| but didn't find anything suspicious :/
|
| I ran NOD32 and Stinger checks in Safe Mode, but they didn't find
| anything.
|
| What else can I do?
| Has anyone had a similar problem?
|
| Thanks

You said "... F drive even doesn't exist on my computer,...".
Are you sure drive "F:" isn't a CDROM or a Jump Drive (thumb drive)?
 
Yes, I'm sure.

The computer is part of a workgroup in my company, but the F: drive isn't
used for anything.

That is basically my main problem, because I don't know how to find the
infected file and delete it.


David H. Lipman wrote:
 
From: "OK" <[email protected]>

| Yes, I'm sure.
|
| The computer is part of a workgroup in my company, but the F: drive isn't
| used for anything.
|
| That is basically my main problem, because I don't know how to find the
| infected file and delete it.
|


You may want to try the following...


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
OK said:
Yes, I'm sure.

The computer is part of a workgroup in my company, but the F: drive isn't
used for anything.

From a command prompt issue the command:

net use

Do you have any network share connections listed? Even "disconnected"
ones?

OK said:
That is basically my main problem, because I don't know how to find the
infected file and delete it.

Grab SystemInternals' "handle" utility and see if it can help, or even
consider running "filemon" with a filter set to reduce the "noise"...
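One way to carry out the drive inventory Nick describes (net use, then locating the Autorun.inf and seeing what it would launch), as an added example that is not part of the thread. It assumes a recent Windows PowerShell on the affected machine; the Win32_LogicalDisk class, the NoDriveTypeAutoRun policy value and the net use / subst commands are standard Windows, everything else is illustrative.

```powershell
# Added example, not from the thread: inventory every drive letter Windows knows
# about (fixed, removable, CD, network, subst) and report any Autorun.inf found,
# with the lines in it that would launch a program. Run from an elevated
# PowerShell on the affected machine; "net use" and "subst" are the built-in
# Windows commands and their output is printed as-is.

function Get-DriveInventory {
    $typeNames = @{ 2 = 'Removable'; 3 = 'Fixed'; 4 = 'Network'; 5 = 'CDROM'; 6 = 'RAMDisk' }
    Get-CimInstance -ClassName Win32_LogicalDisk | ForEach-Object {
        [pscustomobject]@{
            Drive    = $_.DeviceID                      # e.g. "F:"
            Type     = $typeNames[[int]$_.DriveType]
            Provider = $_.ProviderName                  # UNC path for network drives
        }
    }
}

function Get-AutorunLaunchLines {
    param([string]$Root)
    $inf = Join-Path $Root 'Autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return @() }
    # Autorun.inf is INI-style; the keys that run code on insertion/double-click
    # are open=, shellexecute= and shell\<verb>\command=.
    Get-Content -LiteralPath $inf |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=' } |
        ForEach-Object { $_.Trim() }
}

Write-Output '--- mapped network shares (including disconnected ones) ---'
net use
Write-Output '--- subst mappings (a drive letter with no physical disk behind it) ---'
subst

foreach ($d in Get-DriveInventory) {
    $lines = @(Get-AutorunLaunchLines -Root ($d.Drive + '\'))
    if ($lines.Count -gt 0) {
        Write-Output ('{0} [{1}] {2}' -f $d.Drive, $d.Type, $d.Provider)
        $lines | ForEach-Object { Write-Output ('    ' + $_) }
    }
}

# AutoRun policy: a value of 0xFF here turns AutoRun off for every drive type,
# which is the standard hardening against Autorun.inf-based worms.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue |
    Select-Object NoDriveTypeAutoRun
```

If a drive letter appears in the subst or net use output but not in the WMI inventory, that is the mapping an AV on-access scanner can still see while Explorer shows no such drive.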
 
I entered net use but I didn't have any network shares, not even
disconnected ones.

I also used the handle and filemon utilities, but not much help from them
either.

Thanks anyway.

I'll try a scan in Safe Mode with the AV tool David suggested.

Nick FitzGerald wrote:
 
I tried everything, but it didn't clean my infection. Look at my HijackThis
and AV logfiles and try to find the infection, because I can't :/

Logfile of HijackThis v1.99.1
Scan saved at 09:17:48, on 11.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\RA\Server\nod32ra.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\TaskZip\TaskZip.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ESET\nod32kui.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
c:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\ESET\RA\Console\console.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Chronograph] "C:\Program Files\Chronograph\chrono.exe" /autorun
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: (e-mail address removed) = ?
O4 - Global Startup: TaskZip.lnk = C:\Program Files\TaskZip\TaskZip.exe
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JAVA_IBM] Java (IBM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F8EB107-ABDA-46A5-9F88-AA8386C2E97B}: NameServer = 195.29.150.3,195.29.150.4
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CS Fire Monitor - Unknown owner - C:\Program Files\CS Fire Monitor\CSFireMonService.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NOD32 Remote Administration Server (NOD32RA) - Eset - C:\Program Files\Eset\RA\Server\nod32ra.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



NOD32 log
Time  Module  Object  Name  Threat  Action  User  Information
11.06.2007 08:52:40  AMON  file  F:\Autorun.inf  Win32/RJump.A worm  NT AUTHORITY\SYSTEM  Event occurred at an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
 