Topic: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!


naldnaldb

  • Guest
So I was browsing through forums when suddenly my Avast alert went crazy. I then did a smart scan and it came up with 5800+ infected files. I freaked out and noticed that most, if not nearly all, of my programs don't open anymore (most likely because Avast thought they were infected files and put them in quarantine). Currently I have Avast shields disabled in order to open Internet Explorer. PLEASE HELP!!!!

SafeSurf

  • Guest
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #1 on: October 21, 2010, 03:53:56 AM »
> Currently I have Avast shields disabled in order to open Internet Explorer.
1. Put your shields back on as now you are surfing naked in a sea of malware ready to bite you.

2. Open the Avast GUI > Settings > change the maximum size of the Virus Chest to zero > click OK.

3. Check your computer for malware with Malwarebytes' Anti-Malware (MBAM).
·   Download the free on-demand scanner from http://www.malwarebytes.org/.
·   Double-click mbam-setup.exe to install the application.
·   After install, click Update so you have the latest database before scanning.
·   Under Settings:
    o   General: "Automatically Save File After Scan Completes" is checked off.
    o   Scanner Settings: check all boxes.
    o   Updater: "Download and install update if available" is checked off.
·   Once the program has loaded, select "Perform FULL Scan", then click Scan.
·   The scan may take some time to finish, so please be patient.
·   When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to restart. (See Extra Note.)
·   Click the "Remove Selected" button to quarantine anything found. You will find the infection details under the Quarantine tab.
·   The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
·   Copy and paste the entire report in your next reply.


naldnaldb

  • Guest
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #2 on: October 21, 2010, 04:03:17 AM »
Just as I turned my Avast shields back on, the popup thing started once again and went crazy, saying "malware blocked", but some of them include the software you told me to download, "Malwarebytes". I'm doing the scan as we speak. Should I run another Avast full scan and have everything it says is dangerous to my computer quarantined first?

SafeSurf

  • Guest
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #3 on: October 21, 2010, 04:10:18 AM »
> Should I run another Avast full scan and have everything it says is dangerous to my computer quarantined first?
No, give me the MBAM log first.  If you have difficulty, you can do this in Safe Mode as well.  Just make sure you updated MBAM prior to doing the scan.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88895
  • No support PMs thanks
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #4 on: October 21, 2010, 04:14:41 AM »
With that kind of numbers it sounds like you have been hit by a file infector.

Try this tool - DrWeb CureIt! - see http://www.freedrweb.com/cureit/ - download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (free). Fairly effective against file infectors such as Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in Safe Mode. DrWeb also do a Live CD if you are unable to get into your system; see http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

Can you give some examples of the malware names, file names and locations of the detections?
« Last Edit: October 21, 2010, 04:16:38 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

naldnaldb

  • Guest
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #5 on: October 21, 2010, 05:09:49 AM »
Hi, sorry I took so long. I restarted Windows XP in Safe Mode and ran Malwarebytes. Here is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4897

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

20/10/2010 9:01:57 PM
mbam-log-2010-10-20 (21-01-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 251258
Time elapsed: 43 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9f44453e-1e46-4d5c-b57c-112ff2edae82} (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qvodplayer (Adware.Agent) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0651900a-e0d7-82f7-c0cb-aee22db5dfa1} (Trojan.ZbotR.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\QvodPlayer\QvodBand.dll (Spyware.OnlineGames) -> No action taken.
C:\Program Files\QvodPlayer\QvodUninst.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP173\A0066021.exe (Adware.Casino) -> No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP192\A0075515.exe (Adware.HotBar) -> No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP211\A0103857.exe (Patch.NetworkMagic) -> No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP211\A0103858.exe (Patch.NetworkMagic) -> No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP236\A0144213.exe (Adware.Agent) -> No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP236\A0147670.exe (Adware.Agent) -> No action taken.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> No action taken.
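As an added example that is not part of this thread, here is a small Python parser for the MBAM log format shown above. It pulls each detection apart into section, target, family, detail and action, extracts the value planted in the Winlogon Userinit key from the Hijack.UserInit line, and separates live file hits from restore-point copies under System Volume Information, which is the distinction a responder needs when a log like this runs to thousands of lines. The sample text is a constructed slice of the posted log; the function names are my own.

```python
import re

# Constructed sample: a slice of the MBAM 1.46 log posted above, in the same format.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9f44453e-1e46-4d5c-b57c-112ff2edae82} (Spyware.OnlineGames) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.
Files Infected:
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP173\A0066021.exe (Adware.Casino) -> No action taken.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> No action taken.
"""

SECTION_RE = re.compile(r"^[A-Za-z ]+ Infected:$")  # section header, no trailing count
DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.*)$")

def parse_mbam_log(text):
    """Return one dict per detection: section, target, family, detail, action."""
    detections, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if SECTION_RE.match(line):
            section = line[:-1]
        elif m := DETECTION_RE.match(line):  # skips blanks, counts, "(No malicious items detected)"
            parts = m.group("rest").split(" -> ")  # optional "Data:" / "Bad: .. Good: .." then the action
            detections.append({"section": section, "target": m.group("target"), "family": m.group("family"),
                               "detail": " -> ".join(parts[:-1]) or None, "action": parts[-1]})
    return detections

def userinit_hijack(detections):
    """Return the tampered Userinit value, or None when it matches the Good value."""
    for d in detections:
        if d["family"] == "Hijack.UserInit" and d["detail"]:
            m = re.match(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)", d["detail"])
            if m and m.group("bad") != m.group("good"):
                return m.group("bad")
    return None

def live_vs_restore(detections):
    """Split file hits into live paths (active infection) and archived restore-point copies."""
    live, archived = [], []
    for d in detections:
        if d["section"] == "Files Infected":
            bucket = archived if r"\system volume information\_restore" in d["target"].lower() else live
            bucket.append(d["target"])
    return live, archived
```

The Userinit value returned here is the persistence that matters: the restore-point hits are dormant copies, but desktoplayer.exe launching at every logon is what keeps the infection alive.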

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88895
  • No support PMs thanks
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #6 on: October 21, 2010, 02:46:30 PM »
You didn't take any action according to the MBAM log. If you didn't do it after the production of the log, run it again and allow MBAM to deal with them.

The examples of some of the detections I asked about were the Avast ones?

dingley_del

  • Guest
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #7 on: October 21, 2010, 03:16:49 PM »
Hi

Some useful information in this thread that helped me (might be worth a read)

http://forum.avast.com/index.php?topic=63275.0

good luck
Del


naldnaldb

  • Guest
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #8 on: October 21, 2010, 05:43:11 PM »
> You didn't take any action according to the MBAM log. If you didn't do it after the production of the log, run it again and allow MBAM to deal with them.
>
> The examples of some of the detections I asked about were the Avast ones?

1. I already deleted all of the ones I could from MBAM.
2. There were too many to post all of them, so I'll just list a few perhaps?
- Win32:Ramnit-D  0.12697921282448865.exe  C:\Documents and Settings\Ronald\Local Settings\Temp
- Win32:Ramnit-D  0.7306046725451064.exe  C:\Documents and Settings\Ronald\Local Settings\Temp
- Win32:Ramnit-D  AGM.dll  C:\Program Files\Adobe\Adobe Photoshop CS2
- Win32:Ramnit-D  Alcmtr.exe  C:\Program Files\Realtek\Audio\InstallShield
- Win32:Ramnit-D  SC2.exe  C:\Program Files\StarCraft2\Versions\Base15405
- VBS:exeDropper-gen [Trj]  Blizzard Updater Log.html  C:\Documents and Settings\All Users\Application Data\blizz entertainment\logs\world of warcraft update\logs
- VBS:exeDropper-gen  adServer[1].htm  C:\Documents and Settings\public\Local Settings\Temporary Internet Files\content.ie5\pmejdc92
The rest are just the same, thousands of files that don't make much sense to me...

naldnaldb

  • Guest
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #9 on: October 21, 2010, 05:45:33 PM »
> With that kind of numbers it sounds like you have been hit by a file infector.
>
> Try this tool - DrWeb CureIt! - see http://www.freedrweb.com/cureit/ - download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (free). Fairly effective against file infectors such as Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in Safe Mode. DrWeb also do a Live CD if you are unable to get into your system; see http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf
>
> Can you give some examples of the malware names, file names and locations of the detections?

I also used DrWeb CureIt, and 5500+ infected files came up, mostly similar to the ones I see in Avast. They were either cured, moved, or deleted.
I could post a log of that, but that would mean a file with 5500+ lines of infected files...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88895
  • No support PMs thanks
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #10 on: October 21, 2010, 06:34:49 PM »
I think that they will generally follow what was found by avast, perhaps a different alias (malware name as they differ from AV to AV).

So it looks like this is a file infector which is targeting .exe, .dll and .html files.

Hopefully essexboy will be home from work and come on-line soon to give you some more advice.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: VBS:exedropper-gen [trj] and Win32: Ramnit-D Infection with Avast ON!
« Reply #11 on: October 21, 2010, 08:33:46 PM »
Hi, could you give me a selection of 10 or 15 lines from the CureIt log please?

Then:

Download OTS to your Desktop and double-click on it to run it.
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users.
  • Under Additional Scans select the following:
      o Reg - NetSvcs
      o Reg - Shell Spawning
      o Evnt - EventViewer Logs (Last 10 Errors)
      o File - Lop Check
      o File - Purity Scan
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.