Author Topic: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection  (Read 10957 times)


Lewis201

  • Guest
Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« on: October 01, 2010, 12:09:06 AM »
Avast started informing me tonight that I was infected with Win32:Ramnit-B and began sending some files to the chest. It then started telling me I was infected with VBS:ExeDropper-gen[trj] and began sending a lot of files to the chest. Avast has stopped alerting now but I'd still like some advice over what to do next. I've run a scan with MBAM and followed the instructions in the sticky on here. The log is below:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4724

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

30/09/2010 22:45:25
mbam-log-2010-09-30 (22-45-25).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 263180
Time elapsed: 1 hour(s), 9 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\Lewis\AppData\Local\dbmspr.dll (Trojan.Hiloti.Gen) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlebaxes (Trojan.Hiloti.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nqosugaborovom (Trojan.Agent.U) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Lewis\AppData\Local\dbmspr.dll (Trojan.Hiloti.Gen) -> No action taken.
C:\Users\Lewis\system\ssa3o.exe (Trojan.Hiloti.Gen) -> No action taken.
C:\Users\Lewis\AppData\Local\Temp\0.18298350959284504.exe (Trojan.Dropper) -> No action taken.
C:\Users\Lewis\AppData\Local\ugugevus.dll (Trojan.Agent.U) -> No action taken.


If there's any more scans I can do/logs I can post please let me know and I'll get those done ASAP. Thanks in advance.
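As an added illustration (not part of this thread, and not MBAM's own code), here is a small Python parser for the log format posted above: it pulls each detection row out of its section and flags the ones still marked "No action taken", which is the state the first log is in. The sample log is a constructed excerpt in the same format, deliberately with a summary count that does not match the rows listed.

```python
import re
from collections import Counter
# Constructed excerpt in the format of the MBAM 1.46 log posted above (not the full log).
SAMPLE_LOG = """\
Memory Modules Infected: 1
Registry Values Infected: 2
Files Infected: 4
Memory Modules Infected:
C:\\Users\\Lewis\\AppData\\Local\\dbmspr.dll (Trojan.Hiloti.Gen) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\nlebaxes (Trojan.Hiloti.Gen) -> No action taken.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\nqosugaborovom (Trojan.Agent.U) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# One detection row: "<file path or registry value> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# One summary line: "<section> Infected: <count>"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")

def parse_mbam_log(text):
    """Return (counts, items): the summary counts per section and every detection row."""
    counts, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("n"))
            continue
        if line.endswith(" Infected:"):          # section header for the rows that follow
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return counts, items

def pending_items(items):
    """Rows MBAM has not acted on yet; these still need Remove Selected and a reboot."""
    return [i for i in items if i["action"].startswith("No action taken")]

def count_mismatches(counts, items):
    """Sections whose summary count disagrees with the rows actually listed under them."""
    seen = Counter(i["section"] for i in items)
    return {s: (n, seen[s]) for s, n in counts.items() if seen[s] != n}
```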

YoKenny

  • Guest
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #2 on: October 01, 2010, 12:26:24 AM »
Let MBAM remove them.

Quote
C:\Users\Lewis\AppData\Local\dbmspr.dll (Trojan.Hiloti.Gen) -> No action taken.

Lewis201

  • Guest
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #3 on: October 01, 2010, 12:28:24 AM »
Ok - doing a Dr.Web scan now. Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89213
  • No support PMs thanks
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #4 on: October 01, 2010, 12:28:40 AM »
To start with - Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.

There are a few topics about this Win32:Ramnit-B detection, check them out to see what is being suggested by essexboy, see http://forum.avast.com/index.php?topic=64539.0 and http://forum.avast.com/index.php?topic=63275.0.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lewis201

  • Guest
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #5 on: October 01, 2010, 12:50:44 AM »
I did click remove selected on MBAM, but that was after that log had been created. It said the system would need to be rebooted before the infected stuff would be deleted. Should I reboot? I saw some recommendations in other topics not to turn off the system whilst it's infected.

Dr.Web scan's about 60% of the way through now so I'll post that soon.

Lewis201

  • Guest
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #6 on: October 01, 2010, 01:21:16 AM »
I've done the Dr. Web scan but the report is a .csv file that the forum won't let me attach, so how should I post it?

Should I be rebooting my PC now?

Thanks in advance.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89213
  • No support PMs thanks
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #7 on: October 01, 2010, 01:59:32 AM »
Quote
I did click remove selected on MBAM, but that was after that log had been created. It said the system would need to be rebooted before the infected stuff would be deleted. Should I reboot? I saw some recommendations in other topics not to turn off the system whilst it's infected.

Dr.Web scan's about 60% of the way through now so I'll post that soon.

Yes, you need to reboot; some elements may not be able to be removed while they are active in Windows, hence the need to reboot.

I'm not familiar with the DrWeb scan, but I would have thought that it could be saved in a different format.

The .csv file is basically a text file that can be opened in a database or something like MS Excel, a spreadsheet. So you could try saving a copy (save as) file-name.txt rather than file-name.csv. That should be accepted for attachment; I don't know if it might mess with the format, but it is worth a try.


Lewis201

  • Guest
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #8 on: October 01, 2010, 11:37:07 PM »
Avast is no longer alerting me to anything. Everything seems fine. I ran another MBAM scan and got this:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4724

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

01/10/2010 12:11:03
mbam-log-2010-10-01 (12-11-03).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 262298
Time elapsed: 1 hour(s), 0 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlebaxes (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nqosugaborovom (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here's the Dr. Web scan:

trzBFF7.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzBFF7.tmp;Trojan.Inor;;
trzBFF7.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC0F2.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC0F2.tmp;Trojan.Inor;;
trzC0F2.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC1AE.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC1AE.tmp;Trojan.Inor;;
trzC1AE.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC25A.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC25A.tmp;Trojan.Inor;;
trzC25A.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC2C9.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC2C9.tmp;Trojan.Inor;;
trzC2C9.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC385.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC385.tmp;Trojan.Inor;;
trzC385.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC422.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC422.tmp;Trojan.Inor;;
trzC422.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC490.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC490.tmp;Trojan.Inor;;
trzC490.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC54C.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC54C.tmp;Trojan.Inor;;
trzC54C.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC5CA.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC5CA.tmp;Trojan.Inor;;
trzC5CA.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC638.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC638.tmp;Trojan.Inor;;
trzC638.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC6C6.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC6C6.tmp;Trojan.Inor;;
trzC6C6.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC743.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC743.tmp;Trojan.Inor;;
trzC743.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC7A2.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC7A2.tmp;Trojan.Inor;;
trzC7A2.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC82F.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC82F.tmp;Trojan.Inor;;
trzC82F.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC8CC.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC8CC.tmp;Trojan.Inor;;
trzC8CC.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;
trzC9B7.tmp\VBScript.0;C:\Users\Lewis\Documents\My Stationery\trzC9B7.tmp;Trojan.Inor;;
trzC9B7.tmp;C:\Users\Lewis\Documents\My Stationery;Container contains infected objects;Moved.;

What's next then?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89213
  • No support PMs thanks
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #9 on: October 02, 2010, 12:01:16 AM »
The MBAM one is showing remnants in the registry (and no memory module loaded), after the actual files were removed. The registry entry without the file is pretty much inert, but best removed as you have done. Do a search for this file C:\Users\Lewis\AppData\Local\dbmspr.dll and report if it is present.

Lots of strange stuff in the Stationery folder; whilst there might be a legitimate use for Visual Basic scripts, in this form I think they are suspect at least. Since DrWeb has moved them and your avast is no longer alerting, I would just monitor your system activity for anything strange.

Anything else that you are seeing out of the ordinary?

Lewis201

  • Guest
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #10 on: October 02, 2010, 12:12:46 AM »
There are two files on my desktop called desktop.ini that have just appeared. Apart from that everything seems perfectly normal.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89213
  • No support PMs thanks
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #11 on: October 02, 2010, 12:21:19 AM »
Do you have an active desktop set-up, as that would be the only reason I would think there would need to be a desktop.ini file, but there shouldn't be two of them; Windows should stop duplicate names.

The .ini file is a text file and you could right click on it and Open with Notepad and examine the contents (if not personal you could paste them into a post), to see if it was/is trying to run any files etc.

Lewis201

  • Guest
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #12 on: October 02, 2010, 02:21:41 AM »
I don't have an active desktop set-up to my knowledge. The contents of the two files are below:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[LocalizedFileNames]
Norton Internet Security.lnk=@C:\PROGRA~1\NORTON~2\Branding\muis.dll,-102
Microsoft Office - 60 Day Trial.lnk=@C:\PROGRA~1\MIDDD5~1\mui\oaa.dll,-103
HP Support Assistant.lnk=@C:\Workspaces\HPAssistant\Dev\HPSFSetup\SupportExes\HelpDTICO.dll,-101

and

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89213
  • No support PMs thanks
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #13 on: October 02, 2010, 03:24:40 AM »
These look like they may be old rather than new.

The first one:
Do you have an HP system (looks like it) ?
The MS Office and Norton references may have come pre-installed on the HP system.
This one looks sort of legit, but I can't say for sure so may be redundant now.

The second one:
Looks like a bit of an update on the first, with possible removal of the trial products.

I don't have an imageres.dll file in my system32 folder (XP Pro).

####
They may well be redundant, but you don't want to delete anything for now; I would suggest renaming them, e.g. desktopOldHP1.ini and desktopOld2.ini. That way, if there is any reference to them it should throw up an error, missing file, etc. and possibly give a clue as to what is making the call to these files (if any).

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Ramnit-B and VBS:ExeDropper-gen[trj] infection
« Reply #14 on: October 02, 2010, 01:37:23 PM »
Those are system hidden files that some tools make unhidden whilst they work.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.