[Resolved] VBS: ExeDropper-Gen [trj] notifications every few minutes

[pogo4eva]

Got this notification every few minutes.

VBS: ExeDropper-Gen [trj]

Half my programs not working now and driving me slightly crazy. Any help you can provide would be great.

Included my MBAM and OTL Logs

[SafeSurf]

Hello pogo4eva and welcome to the forum. 

Thank you for providing the logs as they are helpful.  Can you tell me when your problems began and what you are experiencing (besides your programs not working)?  Did anything change after putting things in quarantine with MBAM?

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

Please do not make any further changes to your machine now that you have provided the logs.

Let me know if you have any questions.  Thank you.

[pogo4eva]

Hi SS.

Machine has been running slowly for a couple of days. Then all these notifications start appearing. Have had a BSOD today as well, and more blocked malware notifications are appearing on avast for Exedropper Gen and a couple of others...

Thanks for your help and passing my info to your malware expert. looking forward to a diagnosis!

Gaz

[Left123]

a vbs dropper?so surprised..curious to have a look at the source code^^

[essexboy]

Hi there - lets clear you up a bit shall we

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O4 - HKLM..\Run: [Qneneviwec] C:\WINDOWS\ewejuciv.DLL ()
  O4 - HKCU..\Run: [Dwm] C:\Documents and Settings\Gaz and Sandy\Application Data\dwm.exe File not found
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: XQRXMDM = C:\WINDOWS\system32\prntvptm.exe File not found
  O20 - HKLM Winlogon: UserInit - (c:\program files\microsoft\watermark.exe) - c:\Program Files\Microsoft\WaterMark.exe ()
  [2010/10/26 23:05:39 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\complete.dat
  [2010/10/26 21:47:10 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cveqab.dat
  [2010/10/26 18:01:18 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\complete.dat
  [2010/10/26 18:00:24 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\dmlconf.dat
  [2010/10/26 10:07:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Cveqab.dat
  [2010/10/26 10:07:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Fnoyecabaf.bin
  
  :Files
  ipconfig /flushdns /c
  C:\WINDOWS\tasks\At*.job
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[pogo4eva]

Hi thanks for the advice, but have come to a stumbling block.

I ran the process through OTL, and then did a quick scan (will attach the log later as at work now), downloaded Combofix, but when I run it, i get the following error pop up.

3278SR22FWJFW/Iexplore.exe
Windows cannot access the specified path or file

and that repeats about a dozen times then comes up with the same message for a few other files.

Not sure if its relevant, but have started getting notifications for Ramnit B as well... Also had to re-download OTL before I fan your script as avast quarantined it...

Will attach the logs when I get home this PM.


Thanks,

Gaz

[pogo4eva]

Most recent OTL log attached

[essexboy]

I can see what is causing the problem - so I would like you to retry Combofix from safe mode (download a fresh copy first )

[pogo4eva]

Will get on that as soon as I get home later..

[pogo4eva]

Ok Here is the Combofix log.

[essexboy]

On completion of these runs can you let me know what problems remain

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp

Folder::
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new OTL log.

[pogo4eva]

OK all done, please see logs attached.

[essexboy]

What problems remain ?

[pogo4eva]

Everything looked ok but Getting a whole load of Win32: Ramnit-E notifications from Avast now! 

[essexboy]

This is becoming a very virulent malware now and each version is getting stronger

Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download
 
It will download as an 8 digit file save it to your desktop

Restart in safe mode and run
Accept the enhanced version
Then run the full scan
Select cure for all infected files
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that