Author Topic: vbs:exedropper-gen[trj] and win32:ramnit-b  (Read 67609 times)

dingley_del

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #60 on: October 14, 2010, 03:00:01 PM »
Thanks SafeSurf,

I will certainly follow your advice.

This has been my first infection and happened when I tried to view a picture on a trusted Fishing Forum!

Windows firewall alerted me and then Avast started to block and then delete the Trojan/Malware (51 at a time).

Thanks to this forum, I live to fight another day.

Cheers Essexboy
Del

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #61 on: October 15, 2010, 12:52:50 AM »
Quote
Windows firewall alerted me <snip>
We all live by our mistakes.  :-\  That was one of the reasons I suggested that you get a third-party FW because I saw that you were using the XP FW.  Some FW's that work well with Avast (no conflicts) are Online Armor (free or premium), Outpost, Comodo (without AV).  I would recommend getting one as a trial for a month to see how it "plays" with your other software and how you like it.  Also, make sure you put both software (FW and Avast) as trusted exclusions since they are both security software.  If you need additional help with this, I can help you.

I'm glad things are looking brighter for you and your machine.  :D

Mura

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #62 on: November 15, 2010, 09:48:12 AM »
Hi there. This is my first time using this forum, but since I'm experiencing this exact same issue, I thought I'd revive this topic.

A few days ago I obtained this virus/spyware, which spread across my files as win32:ramnit-f (I'm sure it has a different letter at the end because of a different antivirus; I use the latest version of Avast with its latest updates). This also spawned those vbs:exedropper-gen[trj] in the process.

The "symptoms" were: Adobe Photoshop crashing automatically when I open it; having to reinstall Winrar each time I close the program (or restart my computer) because it can't detect its source files; having to reinstall Firefox each time I close it (or restart my computer); unable to download anything from the Internet except small saves like images, with a window saying this every time I try to download: "cannot find import; DLL may be missing, corrupt, or wrong version, File "zlib.dll", error 126".

However, after following SafeSurf's suggestions, using Malwarebytes and scanning as well as using Avast's boot-scan, I think I was able to get rid of the virus. I haven't done another thorough scan with Avast yet, but I did numerous full scans with Malwarebytes a few hours ago, and there weren't any infected files detected. Now Firefox doesn't crash anymore, and Winrar doesn't get broken. I haven't tried Photoshop yet since I need to reinstall it.

Even so, I still can't download from the Internet, with the same error popping up each time I try. I tried cleaning my registry with CCleaner and fixing things with Fixcleaner, but to no avail. I tried downloading this zlib1.dll from http://forums.ngemu.com/epsxe-discussion/106182-zlib1-dll-not-found-fix-here.html. I placed it in System32, rebooted and tried, but it still didn't work. I even used regsvr32 to register it, but it wouldn't let me because some path couldn't be found or something, although the .dll was found. So far, all the things I downloaded (Malwarebytes, OTL) were obtained by asking someone over IM to do it and send the .exe to me. It seems this is the only known issue that hasn't been fixed yet.

About half an hour ago, I followed the instructions given by SafeSurf again, so here's the Malwarebytes log as well as the two OTL/Extras files attached to the post.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5118

Windows 5.1.2600 Service Pack 3, v.5755
Internet Explorer 7.0.5730.13

11/15/2010 3:16:02 AM
mbam-log-2010-11-15 (03-16-02).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 199426
Time elapsed: 44 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
« Last Edit: November 15, 2010, 09:50:32 AM by Mura »

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #63 on: November 15, 2010, 10:32:21 AM »
Hello Mura,

You do have some problems on your OTL logs and I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

Do you have another machine you can use to check the forum and use for email in the meantime?

Please download the free Dr. Web Cure It! in SAFE MODE to your desktop to scan for Winlogon and Explorer infections. 

Download Dr Web from here: http://www.freedrweb.com/?lng=en on the top right of the page, tick the EULA and then download.
 
It will download as an 8-digit file; save it to your desktop.
Restart in Safe Mode and run.
Accept the enhanced version.
Then run the Quick Scan.
About halfway through you will be prompted to buy - just “X” the box closed.
Once finished, it will generate a log; please attach that to your next post.

How Do I Use Dr.Web CureIt! http://www.freedrweb.com/cureit/how_it_works/

Download Dr.Web CureIt! and launch the utility in SAFE MODE.  A notification will inform you that the utility is running in the enhanced protection mode allowing it to operate even if malicious programs block access to the Windows interface.

In the enhanced protection mode Dr.Web CureIt! is run on a protected desktop where no other application can be launched.  In order to continue working in the enhanced protection mode choose OK or click Cancel to switch to the standard mode.
Click the “Start” button in the anti-virus window. Select “Yes” in the confirmation dialogue, and wait while Dr.Web CureIt! scans system memory and autorun objects. If you need to scan all or selected disks, choose between “Full Scan” or “Custom Scan” (if you choose “Custom Scan,” you need to select the objects you want to scan), and click on the "Start" button.

Dr.Web CureIt! will cure infected files and place incurable files in quarantine.  When the scanning is finished, you can view the report and perform desired actions with quarantined files.

Once the scanning is completed, simply remove the Dr.Web CureIt! file from your computer (put it in your recycle bin). 

If you need to perform another system scan using updated definitions, you will need to download Dr.Web CureIt! again.

After you attach your Dr.Web CureIt log to your next post, please do not make any further changes to your machine now that you have provided the logs.

Please let me know if you have any questions.  Thank you.


« Last Edit: November 15, 2010, 10:42:15 AM by SafeSurf »

Mura

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #64 on: November 15, 2010, 06:03:43 PM »
Yes, I can borrow a laptop for the meantime.

I guess by quick-scan you mean express-scan. I can't attach the log because it's around 826 KB, and it only allows me to attach a maximum of 192 KB, so I just uploaded it on sendspace. http://www.sendspace.com/file/qelicd

What do you mean exactly by not making any further changes to my machine? Does browsing Firefox count as a "change", or is it something deeper such as modifying system32 files?
« Last Edit: November 15, 2010, 07:32:19 PM by Mura »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #65 on: November 15, 2010, 09:22:50 PM »
Hi there, depending on the variant that you have we may be able to clean it.  Over the last week or so I have seen a variant that is next to impossible to clean. So I would advise you to back up your data now, but do not back up any files with .exe, .scr or .HTML - Just checked, Dr Web looks good

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-725345543-1965331169-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5757
    O3 - HKU\S-1-5-21-725345543-1965331169-1801674531-500\..\Toolbar\WebBrowser: (no name) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No CLSID value found.
    O3 - HKU\S-1-5-21-725345543-1965331169-1801674531-500\..\Toolbar\WebBrowser: (no name) - {AEF44653-C059-42CB-A5B7-41C640DA4A67} - No CLSID value found.
    O33 - MountPoints2\{84e94543-07c1-11de-9885-c9b9f96977f6}\Shell\Open\command - "" = RECYCLER\S-5-3-19-100029926-100017965-100016774-1765.com e:\
    [2010/11/14 20:33:06 | 000,000,016 | ---- | M] () -- C:\WINDOWS\System32\dmlconf.dat
    [2010/11/14 16:30:25 | 000,000,036 | ---- | M] () -- C:\WINDOWS\System32\complete.dat
    [2010/11/13 13:27:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ilguqa
    [2010/11/13 13:18:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wasiqy
    [2010/11/14 20:32:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Qeif

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Mura

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #66 on: November 15, 2010, 10:43:42 PM »
Okay, here's the OTL quick-scan log after the reboot as well as the Combofix log.


essexboy
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #67 on: November 15, 2010, 10:57:38 PM »
OK, two more programmes to run to check the MBR area in your system.  These look at it slightly differently.

What are your current problems ?

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:
  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.  Please post the contents of that file.
THEN

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Mura

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #68 on: November 15, 2010, 11:55:41 PM »
Sorry for the time it takes me to reply.

The only problem I have left so far is the downloading one (which is a pain since I always have to ask other people to send me the .exe's of the programs I am suggested to download). Here are some quotes from my first post.

Quote
[...] unable to download anything from the Internet except small saves like images, with a window saying this every time I try to download: "cannot find import; DLL may be missing, corrupt, or wrong version, File "zlib.dll", error 126" [...]

Quote
Even so, I still can't download from the Internet, with the same error popping out each time I try. I tried cleaning my registry with CCleaner and fixing things with Fixcleaner, but to no avail. I tried downloading this zlib1.dll from http://forums.ngemu.com/epsxe-discussion/106182-zlib1-dll-not-found-fix-here.html. I placed it in System32, rebooted and tried, but still didn't work. I even used regsvr32 to register it, but it wouldn't let me because some path couldn't be found or something although the .dll was found. So far all the things I downloaded (Malwarebytes, OTL) is by asking someone over IM to do it and send the .exe to me. It seems this is the only known issue that hasn't been fixed yet.

I attached the two logs to this post.
« Last Edit: November 16, 2010, 01:07:24 AM by Mura »

essexboy
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #69 on: November 16, 2010, 09:50:08 PM »
Both MBR checks are clean - which is good.
Quote
I tried cleaning my registry with CCleaner and fixing things with Fixcleaner, but to no avail.
Registry cleaners can cause more problems than they repair.

Let's see if Windows can find the error.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

Let me know if that works.

Mr.T

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #70 on: November 16, 2010, 10:22:47 PM »
Hi, sorry to intervene but I did not want to make a new topic as this is very relevant to the issue I am facing.

A couple of days ago Avast (free home edition 4.8) detected a Win32:Ramnit-F on my computer. The recommended action was to move it to the virus chest, which I did, yet avast continued to detect the virus.

I immediately scheduled a boot-scan of the system and avast found and deleted many instances of Win32:Ramnit-F and vbs:exedropper-gen[trj]. After the scan was completed avast still continued to detect the virus.

I followed instructions from a different website and downloaded CCleaner to delete temporary internet files, turned off system restore and then rebooted to safe mode and ran a scan. Again, it found and deleted many instances of the virus, but avast continues to detect the same virus. I then switched my computer off and now, turning it on today, my computer freezes 10 seconds after it loads my desktop in admin mode.

Any help in getting my computer up and running will be greatly appreciated! Thank you.
« Last Edit: November 16, 2010, 10:30:59 PM by Mr.T »

essexboy
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #71 on: November 16, 2010, 10:33:33 PM »
This virus is getting more virulent and complex by the day - we may not be able to save the system - depending on the variant - back up your data but no .EXE, .SCR or HTM(L) files.

Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download
 
It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run.
Accept the enhanced version.
Then run the express scan.
About halfway through you will be prompted to buy - just X the box closed.
When complete it will offer a full scan; accept it.
Once finished it will generate a log; please attach that.
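In Reply #65 and again in Reply #71, essexboy tells both posters to back up their data but to leave out .exe, .scr and HTM(L) files, because a file infector such as Ramnit hides in exactly those files and would come straight back with the restore. As an added example that is not from the thread or any tool it mentions, the script below stages a backup that skips those extensions (matched case-insensitively, since the posts write them as both ".exe" and ".HTML") and reports what it left out; the sample folder and report layout are constructed for the demo.

```python
"""Backup stager that leaves out the file types a file infector lives in.
The extensions come from essexboy's advice in this thread; the sample
data, paths and report shape are constructed for this example."""
import os
import shutil
import tempfile
from collections import Counter

# Named in the thread as unsafe to back up; compared lower-cased (".exe" vs ".HTML").
SKIP_EXTENSIONS = frozenset({".exe", ".scr", ".htm", ".html"})


def is_infectable(path):
    """True if the file has an extension the thread says not to back up."""
    return os.path.splitext(path)[1].lower() in SKIP_EXTENSIONS


def stage_backup(src_root, dst_root):
    """Copy src_root into dst_root (same tree layout) minus infectable files.
    Returns (files_copied, Counter of skipped extensions) for the report."""
    copied, skipped = 0, Counter()
    for dirpath, _subdirs, filenames in os.walk(src_root):
        rel = os.path.relpath(dirpath, src_root)
        target_dir = dst_root if rel == "." else os.path.join(dst_root, rel)
        os.makedirs(target_dir, exist_ok=True)
        for name in filenames:
            if is_infectable(name):
                skipped[os.path.splitext(name)[1].lower()] += 1
                continue
            # copy2 keeps timestamps, so the restored data looks untouched
            shutil.copy2(os.path.join(dirpath, name), os.path.join(target_dir, name))
            copied += 1
    return copied, skipped


def build_sample_tree(root):
    """Constructed 'My Documents' with the mix of file types the thread talks about."""
    files = {
        "notes.txt": b"forum notes",
        "photo.jpg": b"\xff\xd8\xff\xe0 not a real jpeg",
        "setup.exe": b"MZ placeholder, not a real program",
        "screen.SCR": b"MZ placeholder screensaver",
        "site/index.HTML": b"<html></html>",
        "site/page.htm": b"<html></html>",
        "site/style.css": b"body{}",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Stage the sample tree into a scratch folder; return what was copied and skipped."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "MyDocuments"), os.path.join(tmp, "Backup")
        build_sample_tree(src)
        copied, skipped = stage_backup(src, dst)
        kept = sorted(os.path.relpath(os.path.join(d, f), dst).replace(os.sep, "/")
                      for d, _, fs in os.walk(dst) for f in fs)
    return copied, dict(skipped), kept
```

Calling run_demo() copies the three data files and reports one skipped file each for .exe, .scr, .html and .htm; point stage_backup at a real folder and a backup drive to use it for more than the demo.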

Mr.T

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #72 on: November 16, 2010, 10:45:24 PM »
Thank you for the fast reply. I am not able to do anything in Administrator mode as it freezes within 10 seconds of loading. Will I be able to download in safe mode?

essexboy
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #73 on: November 16, 2010, 10:56:55 PM »
Certainly

Mura

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #74 on: November 16, 2010, 11:01:52 PM »
Thanks for all the help so far. The virus seems to be gone and only leftover damage is present.

It seems it found, quite fast, some missing files that Windows requires to run properly. I unfortunately don't have the CD with me right now, but when I get it back and try this again, I'll let you know. It might take some time, maybe even a few weeks or so. I hope you don't mind.