Author Topic: vbs:exedropper-gen[trj] and win32:ramnit-b  (Read 68039 times)


rik130

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #105 on: February 04, 2011, 04:43:26 AM »
Quote
Yep, I am afraid your system will need a reformat and reinstall as too many files have been corrupted


Have a look at this thread for a tutorial on how to reformat a computer and the things to save - but do not backup any files with exe, com, scr, zip

http://www.geekstogo.com/forum/topic/173729-reformat-and-install-of-windows/

Hi, sorry for the late reply but thanks for yours.  The T500 is not my main machine as it happens and there wasn't anything on there I needed to save so I finally decided to nuke it today and do a re-install.   I've not completed it yet but fingers crossed it'll be gone when I'm done.

Have there been any new developments on how to remove this virus once it takes hold, or even how to prevent it from wreaking havoc to begin with?  It's alright the AV software finding it, but if it can't do anything useful with it afterwards then it's all a bit pointless really..  I am just so glad this happened to me on a secondary machine and not my main tower PC with all my stuff on it as I would've been seriously pissed..  >:(

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #106 on: February 04, 2011, 08:56:09 PM »
Nope there is as of today no AV that can stop this once it has infected one file

Ornette

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #107 on: April 19, 2011, 01:44:49 PM »
I thought I'd post here as this seems to be where the most information is

I've got this same problem since Friday and can't get rid of it. As I am computer savvy I clocked on to the suspicious Firefox processes straight away so the amount of extraneous infected files I've had is very low, but every time I turn on the computer the problem starts again.

A link I've found to this

Malware Analysis » Blog Archiv » Ramnit.A Virus
http://www.malware-analysis.net/?p=321

a report by Microsoft & McAfee
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRamnit.B
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=346870

What I don't understand is how this kicked in whilst Avast 5.1.889 was running. My one started as detecting Win32:Ramnit-G on various DLL files in my system restore folder (checking has determined these were all restores for the prog files\firefox folder). Windows Firewall complained about suspicious activity by Firefox (which led me to seeing the 3 spawned firefox processes in my task list). Looking up on the internet also led me to disabling system restore whilst dealing with the threat.

Every time I turn on the computer Avast alerts me to VBS:ExeDropper-gen [Trj] or Win32:Ramnit-G infecting .htm or .exe files respectively until I manage to kill those firefox processes.

My version of this is kicking off via a HKLM\..\Winlogon:
Userinit = "C:\WINDOWS\system32\userinit.exe,C:\Program Files\wskbplkv\fyynaotm.exe"
yet the folder is always empty when I look. I also noticed the thing seems to make a number of .log files in my local settings\app data folder:
gacibnyi.log, ljwdggsd.log, spdjudky.log, ultghcoc.log, ywmvmloa.log

I've run MBAM but all it came up with was 2 files infected with Spyware.OnlineGames:
prog files\ owcsetup.dll & owsetup1.dll

and McAfee Stinger found some files with the FakeAlert!fakealert-REP trojan:
win\sys32\sethc.exe, sys32\..\flash\uninstall_activeX.exe, win\download prog files\FP_AX_CAB_INSTALLER.exe

I've noticed that this thing doesn't kick off if I boot in safe mode.  Checking HKLM\..\Winlogon shows the Userinit key hasn't been altered yet

It DOES if I boot safe mode networking, but only seemingly after I've logged onto a profile (the tell-tale sign of FDD activity only begins then)

I've also noticed that Windows Live Mail, which has suddenly begun to shut down immediately after opening since all this, is fine under safe mode/safe mode networking

Despite all my efforts this problem persists. Now it seems that it's managed to get its claws into Avast as it is now failing to initialise properly  :'(


If someone can tell me WHERE the launch point for this blasted thing is I would happily remove it as I am confident that the rest of my computer is fine but until I do I'm having to go through this blasted rigmarole every time I turn on.

Help?????!!!


!@#$%^&*


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33930
  • malware fighter
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #108 on: April 19, 2011, 06:49:42 PM »
Hi Ornette,

This may indicate the presence of this malware:
Quote
The presence of the following files:
%programfiles%\adobe\adobe help viewer\1.0\ahv.exe
%programfiles%\adobe\adobe help viewer\1.0\help.html
%programfiles%\adobe\adobe help viewer\1.0\resources\en\crossproductlinkerror.html
%programfiles%\adobe\adobe help viewer\1.0\resources\en\linkerror.html
%programfiles%\internet explorer\dmlconf.dat
c:\documents and settings\administrator\local settings\temp\~tme.tmp
c:\documents and settings\administrator\local settings\temp\~tmf.tmp
c:\documents and settings\administrator\start menu\programs\startup\jonimvgn.exe   (source: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRamnit.B )

So computers should have the latest updates for the OS and third party software, check with secunia online inspector:
http://secunia.com/vulnerability_scanning/online/

Then it is important to have ample protection in the Fx browser like with the NoScript and RequestPolicy extensions,

To cleanse you could try these methods proposed here: http://forums.majorgeeks.com/showthread.php?t=235252
but when it has really hooked in a total recall (reformat and reinstall) is your next best option,
as essexboy wrote here: http://forum.avast.com/index.php?topic=63275.msg585677#msg585677
and if anyone should be in the know, as ASAP member, he certainly is best informed...

polonus



« Last Edit: April 19, 2011, 06:51:59 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Ornette

  • Guest
Re: vbs:exedropper-gen[trj] and win32:ramnit-b
« Reply #109 on: April 21, 2011, 08:01:37 PM »
Just a heads up to inform I've managed to resolve this problem of VBS:ExeDropper-gen [Trj] or Win32:Ramnit-G coming up on multiple files.

It's being caused by a trojan that Avast 6.0.1 is detecting as Win32:Hiloti-AX (not detected by Avast 5.1.889 or MBAM 1.50.1.1100).

The file is loading up either via HKLM\..\Winlogon: Userinit or the user's startup folder and its main action is to spawn 3 instances of the user's default browser, which then infects files with Exedropper or Ramnit

Looking at the file (in my instance fyynaotm.exe) it has a size of 180kb and gives the following information:
File Version: 8.63.155.2
Description: Yhat Ohawi Emebyfu
Copyright: Copyright © 2000-2005 Janu. All rights reserved.

The trojan also creates 5 log files in the user's local settings\app data folder, and may allow a back door access, certainly Windows Firewall gave a notification on activity by Firefox. It also seems to interfere with the running of Windows Live Mail causing it to shut down as soon as it is opened

Somehow the file manages to hide itself in normal mode, I don't know how but they only appeared when I went into safe mode - certainly the one in my startup folder didn't show when I put a shortcut in there for taskmgr. Worth noting I use FAT32 on my hard drives - it may have a slightly different effect on an NTFS partition

Interestingly, although detected by Avast 6.0.1 as Win32:Hiloti-AX it doesn't seem to correspond to what I have found on it on the internet:

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Hiloti-AX/detailed-analysis.aspx
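The Winlogon Userinit launch point that replies #107 and #109 describe can be audited without running anything from the suspect machine. The script below is an added example, not code from this thread or from any of its posters: it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` prints (the two samples embedded here are constructed; the infected value is the one quoted in reply #107) and reports every entry that is not the stock userinit.exe in System32. The function names `parse_reg_query_output`, `audit_userinit` and `audit_reg_query` are this example's own.

```python
import ntpath
import re
from typing import List, Optional

# Directories where the stock userinit.exe legitimately lives (lower-cased for comparison).
# Assumption: a default XP/Vista/7 install keeps it in System32 only.
STOCK_USERINIT_DIRS = {r"c:\windows\system32", r"%systemroot%\system32"}

# Constructed sample of `reg query ... /v Userinit` output on the infected machine from
# reply #107 (the Userinit data itself is exactly what the poster quoted).
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\Program Files\wskbplkv\fyynaotm.exe
"""

# Constructed sample of the same query on a clean Windows XP machine.
# The trailing comma is part of the default value and is not suspicious.
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

# Matches the "Userinit    REG_SZ    <data>" line; reg query uses spaces or tabs depending on version.
_USERINIT_LINE = re.compile(
    r"^\s*Userinit\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.IGNORECASE | re.MULTILINE
)


def parse_reg_query_output(text: str) -> Optional[str]:
    """Extract the Userinit data string from reg query output, or None if the line is absent."""
    match = _USERINIT_LINE.search(text)
    return match.group(1) if match else None


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into non-empty entries, dropping surrounding quotes."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def audit_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe in System32.

    Each extra entry is launched by Winlogon at every interactive logon, which is why
    the folder can look empty during normal use yet the infection returns each boot.
    """
    suspicious = []
    for entry in split_userinit(value):
        directory, name = ntpath.split(entry.lower())
        if name == "userinit.exe" and directory in STOCK_USERINIT_DIRS:
            continue
        suspicious.append(entry)
    return suspicious


def audit_reg_query(text: str) -> List[str]:
    """Parse reg query output and return the suspicious Userinit entries (empty list if clean)."""
    value = parse_reg_query_output(text)
    if value is None:
        raise ValueError("no Userinit value found in reg query output")
    return audit_userinit(value)


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        findings = audit_reg_query(sample)
        print(f"{label}: {findings if findings else 'Userinit looks stock'}")
```

On a live machine the same check can be run from Safe Mode, where reply #107 notes the malware does not start, by piping the `reg query` output into `audit_reg_query`; the Winlogon `Shell` value and the per-user Startup folder are the other two places the thread points at and would be checked the same way.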