Author Topic: vbs:exedropper-gen[trj] and win32:ramnit-b  (Read 67671 times)


billatthebar

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #45 on: October 09, 2010, 01:58:04 AM »
I pulled that post from someone named Elise on another forum, but as you can see it's pretty severe. That's me done with this now... I just try to post as much as I can to spare others the pain of dealing with this crappy virus.

cheers and thanks

Bill

dingley_del

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #46 on: October 12, 2010, 12:22:28 AM »
Thank you, SafeSurf.  I followed your instruction on page 1 and it worked. Phew!

The virus 'took out' most of my programs and left me with the problem of clearing up the mess. I was unable to uninstall what was left through add/remove programs.  With the help of some uninstall utilities (and a bit of careful deleting and re-naming) I was then able to re-install all my programs.

Thanks again.

dingley_del

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #47 on: October 12, 2010, 12:33:37 AM »
Following on from my previous post... is the general opinion that this virus is impossible to get rid of, except with a clean install of the OS?  My laptop has been OK now for 7 days and I run scans every day just in case.

Is this virus lurking somewhere ready to re-appear?  Is there anything I can do to prove I am clean (or still infected)?

Thanks
Del

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #48 on: October 12, 2010, 07:44:25 AM »
@ dingley_del,

You can run a Full MBAM scan and OTL and attach the logs in your next post for review. 

Please see this thread for instructions:  Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining an MBAM log (make sure you update MBAM first) and the OTL logs.  Post the MBAM log here (copy and paste) and the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).  Should anything be lurking, I will contact our Certified Malware expert to clean your machine of this nasty.

dingley_del

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #49 on: October 12, 2010, 11:05:46 PM »
Thanks SafeSurf

Here are the results of the MBAM log. I have also attached otl.txt and extras.txt files.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4755

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2010 21:39:38
mbam-log-2010-10-12 (21-39-38).txt

Scan type: Quick scan
Objects scanned: 138897
Time elapsed: 16 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Many thanks for all your help

Del

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #50 on: October 13, 2010, 10:43:40 AM »
Hi Del,

Had you previously done an Avast Full or Boot-time scan and if so, do you have anything sitting in your Avast Virus Chest?  If so, can you give me a screen shot or type exactly what is in the Chest?  Thank you.

Although the MBAM scan was only a Quick scan instead of a Full scan, it is clean.

As for the OTL logs, I am going to refer you to Essexboy, our malware expert, for evaluation.  He will contact you here in this thread, so keep an eye out for his post and further instructions from him.  He is on the UK time zone.  Please do not make any changes to your machine until you hear from him or you will need to repeat the steps you just did.  In the meantime, I will continue to assist you, then remain in the background.  Thank you.

dingley_del

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #51 on: October 13, 2010, 07:35:00 PM »
Hi SafeSurf

I have included my first MBAM log file with the detected malware.  Subsequent scans have been clear.  I have also managed to include a screen shot of my Avast Chest.  The chest is full of similar items (as I set the chest size to 0 whilst I was under attack -  as you suggested on page 1).

Once again, thanks for your help and time,
Del

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #52 on: October 13, 2010, 08:53:40 PM »
The logs look clean - are you experiencing any problems or oddities at all ? 

dingley_del

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #53 on: October 13, 2010, 09:05:08 PM »
Hi essexboy

My laptop is running OK with no problems... mostly thanks to SafeSurf's advice.

Thanks for taking a look at the logs.

Del

Offline essexboy

Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #54 on: October 13, 2010, 09:10:01 PM »
Kudos to the man  ;D

billatthebar

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #55 on: October 13, 2010, 09:17:47 PM »
lol, I used Malwarebytes too; it doesn't find it... bah, I don't know, maybe you can clean it. Do me a favour though: navigate to C:\Program Files\Microsoft... if you have a file in there called desktoplayer.exe then you are still infected.  For this virus a REINSTALL IS HIGHLY RECOMMENDED!!! Your security has been compromised and ports in your computer have been opened, so it needs done; take it or leave it, but it's the truth.

Offline essexboy

Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #56 on: October 13, 2010, 09:22:17 PM »
Normal ports are open according to the scan and there is no sign of desktoplayer. I have found that some variants of this go quietly; others hang on for grim death.

dingley_del

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #57 on: October 13, 2010, 09:44:00 PM »
Thanks for the info

I have had a look in C:\Program Files\Microsoft and it is empty (even with 'show hidden files' enabled and 'hide protected operating system files' disabled).

Another good sign?
Del
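The two checks traded in the last few posts (look for desktoplayer.exe under C:\Program Files\Microsoft with hidden and system files visible, and see which ports are listening and what owns them) can be done from one script instead of through Explorer's folder options. The following is an added example and is not code from this thread, from Avast or from any of the tools mentioned; it assumes only what the posts state (the indicator file name and folder) and that netstat is available, and it is written for PowerShell 2.0 so it also runs on the XP SP3 machine in the MBAM log above.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumptions taken from the thread: indicator file name desktoplayer.exe in
# "C:\Program Files\Microsoft". -Force makes Get-ChildItem list Hidden and
# System entries, so the Explorer "show hidden files" settings do not matter.

$IndicatorName = 'desktoplayer.exe'
$IndicatorDir  = Join-Path $env:ProgramFiles 'Microsoft'   # C:\Program Files\Microsoft

function Test-DesktopLayerIndicator {
    param([string]$Path = $IndicatorDir, [string]$Name = $IndicatorName)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "$Path does not exist - nothing to inspect."
        return @()
    }

    # Hidden/System items are included because of -Force.
    $entries = @(Get-ChildItem -LiteralPath $Path -Force -Recurse -ErrorAction SilentlyContinue)

    if ($entries.Count -eq 0) {
        Write-Host "$Path is empty (hidden and system files included)."
    }
    else {
        Write-Host "Contents of $Path (hidden/system included):"
        foreach ($e in $entries) {
            # Attributes shows whether an item would have been hidden from a normal listing.
            Write-Host ('{0,-60} {1,12} {2}' -f $e.FullName, $e.Length, $e.Attributes)
        }
    }

    # Case-insensitive name match on files only.
    $hits = @($entries | Where-Object { -not $_.PSIsContainer -and $_.Name -ieq $Name })
    if ($hits.Count -gt 0) {
        $paths = ($hits | ForEach-Object { $_.FullName }) -join ', '
        Write-Warning "Indicator present: $paths"
    }
    return $hits
}

function Get-ListeningPorts {
    # netstat -ano exists on XP and later; Get-NetTCPConnection needs Windows 8+.
    $lines = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+\s+\S+\s+LISTENING\s+\d+'
    foreach ($line in $lines) {
        $fields   = $line.Line.Trim() -split '\s+'      # Proto, Local, Foreign, State, PID
        $ownerPid = [int]$fields[4]
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            LocalAddress = $fields[1]
            OwnerPID     = $ownerPid
            Process      = $(if ($proc) { $proc.ProcessName } else { '<unknown>' })
            Path         = $(if ($proc -and $proc.Path) { $proc.Path } else { '' })
        }
    }
}

$hits = Test-DesktopLayerIndicator
Write-Host ''
Write-Host 'Listening TCP ports and the process behind each (compare against what you expect to be running):'
Get-ListeningPorts | Sort-Object OwnerPID | Format-Table LocalAddress, OwnerPID, Process, Path -AutoSize
```

Two caveats a practitioner would add. First, an empty folder is only the absence of one indicator for one variant; essexboy's remark that some variants "hang on for grim death" is the reason the full MBAM and OTL logs, not this single file check, are what the helpers here use to call a machine clean. Second, the port listing is only useful if you know what normally listens on that machine; a process whose Path column is blank or points somewhere unexpected is what to follow up on, not the mere existence of open ports.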

Offline essexboy

Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #58 on: October 13, 2010, 09:52:52 PM »
Yep  ;D

SafeSurf

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #59 on: October 14, 2010, 11:01:18 AM »
I'm glad everything worked out for you.  Thank you Essexboy for checking the OTL logs.  ;)

Since there have been several software updates recently (and this is ongoing), I would recommend that you check out Secunia Software Inspector to make sure you have the latest software patches: http://secunia.com/vulnerability_scanning/personal/, as well as checking the Avast "General Topics" section of the forum for updates on software or security warnings.  Secunia will give you the vendor's direct download for a patch if one is needed.  Remember to reboot after an uninstall and again after an install.

I'm not sure if you are using a system cleaner, but many of us use CCleaner - a freeware system optimization, privacy and cleaning tool.  There is a Slim version available as well at http://www.piriform.com/ccleaner/builds - 4th option down.  It removes unused files (cache, temporary Internet files, etc.) from your system, allowing Windows to run faster and freeing up valuable hard disk space.  It also cleans traces of your online activities such as your Internet history.  Additionally it contains a fully featured registry cleaner; I recommend making a backup prior to using the registry cleaner.

You can also keep your machine running smoothly with free Puran Defrag http://www.puransoftware.com/.  It includes a boot-time defrag as well, and works with 64-bit; click on "More Info" to learn more about the product.

Most importantly, try to learn from your experience as to how you got infected.  Use safe browsing practices, adjust your browsers for maximum protection, and layer your lines of security defense by using on-demand tools like MBAM (there are others as well) in addition to your regular AV and FW.  XP Windows FW is not effective enough (only 1-way protection) and a third-party FW is strongly recommended for 2-way protection.

Let us know if you experience any additional problems.  :)