
W32/rjump Worm Help Please!

3 replies to this topic

#1 lizi

lizi

  • Members
  • 33 posts

Posted 27 September 2007 - 03:52 PM

Ok, well here's the story...

Basically I am on my old computer as my new one is being fixed, and yesterday I did not have any antivirus software. So anyway I was doing my homework and saved it to my memory stick, and as I have gathered from the internet, this worm I have spreads through use of removable storage (didn't know I had it by this point). So I took my memory card to school, plugged it in, and the antivirus installed there said I had a W32/RJump worm. So I took it to my IT technicians at school and they cleared it off there...fine... so I came home and installed my antivirus, and it was saying "W32/RJump worm has been blocked, you are secure"....this does not seem the case! (I didn't plug my memory stick back into my home computer by the way.)

I tried to click onto my C: drive through My Computer but it could not allow me to access it; it kept saying "Open with:" and giving me a list of files, like when you click something and it doesn't know what program to open it with, the exact window. So I closed it and right-clicked on the C: drive and there were lots of characters over the first 2 lines such as ΢, things like that. I don't know if this is normal, but I was expecting to see Open.... etc.....but I know the 'Open with' bit isn't right.

Soo....

I researched further into the case using the McAfee site....http://vil.nai.com/vil/content/v_139985.htm....and it said that the virus duplicated itself using a file name...ravmon.exe...so I right-clicked my C: drive again and clicked Search...and searched this name; two file names of this description have come up in the C: drive in the location C:\WINDOWS\Prefetch. I think this has something to do with it.

(I am at the moment running that Stinger tool they have suggested, but it is taking a while and I need to come off the computer, so I can't tell you the results of that; I will try to tomorrow.)

I am using an XP system, Fujitsu Siemens. And I would greatly appreciate your help. I hope this all makes sense.

Thank you

Lizi

Edited by lizi, 27 September 2007 - 03:55 PM.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,093 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 September 2007 - 12:23 PM

From what you describe, it appears to be a flash drive infection.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable) and automatically executes a malicious autorun.bat file which calls wscript.exe to run autorun.vbs on your computer. When a flash drive becomes infected, the Trojan will infect a system when the flash drive is inserted if autorun has not been disabled.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • Wait until it has finished scanning and then exit the program.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

The name RavMon.exe belongs to both RAV AntiVirus and the W32/RJump.worm. Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. If it's running from C:\Windows\system32\RavMon.exe, then it's more likely a trojan.

Edited by quietman7, 28 September 2007 - 12:39 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
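The two checks quietman7's reply turns on, reading an autorun.inf for directives that would launch something when the drive is inserted, and judging a file named RavMon.exe by the path it sits in, are shown below as an added example. This is not code from the thread, from Flash_Disinfector or from any vendor tool; the sample autorun.inf text and the file paths are constructed for illustration, and the handling of Windows\Prefetch\RAVMON.EXE-*.pf files relies on general Windows behaviour (prefetch trace files are written when an executable runs and are not the executable), which the thread itself does not state.

```python
"""Added example for the flash-drive infection pattern described above.

Not code from the thread or from Flash_Disinfector; the autorun.inf text and
the file paths below are constructed for illustration.
"""
import ntpath
import re

# [autorun] directives that make Explorer launch something on insert or open.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return (key, value) pairs from the [autorun] section that launch a program.

    Parsed leniently on purpose: infected files often mix case, repeat keys
    and use shell\\<verb>\\command entries, which a strict INI parser rejects.
    """
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        value = value.strip()
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb_command:
            findings.append((key, value))
    return findings


def classify_ravmon_path(path):
    """Apply the path rule from the post to a file named RavMon.exe.

    Returns one of:
      "prefetch-trace" - a Windows\\Prefetch\\RAVMON.EXE-*.pf file; Windows
                         writes these when an executable runs, so it records
                         that RavMon.exe ran but is not the program itself
                         (general Windows behaviour, not stated in the thread)
      "suspicious"     - RavMon.exe under the Windows directory, system32, or
                         a drive root, where the autorun.inf the post describes
                         would be placed
      "review"         - RavMon.exe somewhere else; compare with the vendor install
      "not-ravmon"     - some other file name
    """
    norm = ntpath.normpath(path)
    name = ntpath.basename(norm).lower()
    parent = ntpath.dirname(norm).lower()
    if (name.startswith("ravmon.exe-") and name.endswith(".pf")
            and parent.endswith("\\windows\\prefetch")):
        return "prefetch-trace"
    if name != "ravmon.exe":
        return "not-ravmon"
    in_windows = parent.endswith("\\windows") or parent.endswith("\\windows\\system32")
    at_drive_root = re.fullmatch(r"[a-z]:\\?", parent) is not None
    if in_windows or at_drive_root:
        return "suspicious"
    return "review"


# Constructed sample of an autorun.inf of the kind the post describes.
SAMPLE_AUTORUN = """[AutoRun]
open=RavMon.exe
shellexecute=RavMon.exe
shell\\Auto\\command=RavMon.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for key, value in parse_autorun_inf(SAMPLE_AUTORUN):
        print(f"autorun.inf launches something: {key} = {value}")
    for p in (r"C:\WINDOWS\Prefetch\RAVMON.EXE-28A5883A.pf",
              r"C:\Windows\system32\RavMon.exe",
              r"E:\RavMon.exe"):
        print(f"{p}: {classify_ravmon_path(p)}")
```

Running it prints the three launching directives from the sample file and classifies the prefetch entry from post #3 as a trace file, while RavMon.exe in system32 or at a drive root comes back as suspicious, which is the distinction the reply draws between the RAV AntiVirus process and the worm.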

#3 lizi

lizi
  • Topic Starter

  • Members
  • 33 posts

Posted 29 September 2007 - 04:56 AM

Thank you so much quietman7!

I can now access the C drive, yay.

Still got this ravmon thing, but it's in the C:\WINDOWS\Prefetch folder so I'm hoping it's ok. Their names are RAVMON.EXE-28A5883A.pf and RAVMON.EXE-0414CFF3.pf. Sound normal to you?

Thank you again, lizi

Edited by lizi, 29 September 2007 - 04:58 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,093 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 September 2007 - 06:36 AM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Then perform this online Virus scan: BitDefender Online Scanner. <- Add a check by "Autoclean".
(Requires Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)

Edited by quietman7, 29 September 2007 - 06:37 AM.
