Topic: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx

Minty1888
vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« on: November 28, 2010, 12:18:13 AM »
Hi there folks

Found this forum while looking for a solution to this virus problem. I'm used to most malware/virus removal techniques but this one has me stumped. The computer in question isn't mine but a friend's and it was recently attacked, in the last two weeks I think. Facebook was mentioned. Anyway, I managed to remove most of the pop ups, adware and such with Malwarebytes and SuperantiSpyware. However there's something still there because when I look in the startup folder there's a file called qwvdwmii.exe, even after manually deleting using Killbox. When I restarted the machine after deleting the file, it wouldn't be in the startup folder initially, but once firefox was started (although sometimes after opening other programs like HiJackThis, task manager etc) the file would appear again in the startup folder.

I decided to download avast and run a full scan and it came back with over 3000 files infected and that's where I found the virus names vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx. I haven't removed any files as I've done this in the past and removed files from the system32 folder and made an arse of it.

I suppose firstly, can this machine be fixed?  I would prefer not to format but realise this may be the only option.

Secondly, can any infected files be saved? There's a lot of pictures needing saved.

Attached is a quick scan OTL log and extras and a quick scan of malwarebytes

Please advise and thanks in advance

Pondus
Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #1 on: November 28, 2010, 01:27:38 AM »

Minty1888

Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #2 on: November 28, 2010, 01:41:58 AM »
Didn't think it was good. I'm running a Dr Web scan as that seems to be the next step according to previous posts, but think format and reinstall is going to be the only secure option as it gets used for internet banking and such.

Pondus
Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #3 on: November 28, 2010, 01:46:48 AM »
Yep, when Essexboy recommends format..... format it is   :'(

I sent him a PM so you may wait for his reply before you do anything... he may be in bed now
« Last Edit: November 28, 2010, 01:48:44 AM by Pondus »

Minty1888

Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #4 on: November 28, 2010, 02:02:41 AM »
OK mate thanks very much

essexboy
Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #5 on: November 28, 2010, 01:23:33 PM »
As it is used for banking

Quote
One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Then I would highly recommend a reformat. Once done, then check the MBR by using the following programme and post the logs.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
SECOND MBR

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:
  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

Minty1888

Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #6 on: November 28, 2010, 02:38:00 PM »
Hi essexboy

Thanks for having a look. Just to clarify, I have to format the hard drive, reinstall windows and then run these two programs TDSS Killer and MBRCheck? I have a recovery partition on the hard drive, can I re-install from that? Or should I wipe the whole drive just to be on the safe side?

Also can I save things like photographs, pdfs, docs etc before formatting?  I know things like exes, htm(l), scr files shouldn't be copied.

Thanks for your time

essexboy
Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #7 on: November 28, 2010, 03:54:26 PM »
You can use the recovery partition

Any file except those that may have been infected are OK, so photos and documents are not a problem.

The check for the MBR is just in case the virus dropped Whistler or TDL4 into the MBR. A format should cure that but it is better to be safe than sorry.
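As an added illustration (not essexboy's procedure and not MBRCheck's own code), the following Python parser reads a raw 512-byte MBR and does what such a check does conceptually: hashes the bootstrap code, compares it against a set of known-good hashes, and lists the partition table, so that a hidden recovery partition is recognised as such rather than mistaken for an infection (which is what happened later in this thread). The boot code bytes, partition layout and the known-good hash set are constructed placeholders; on a real system you would read sector 0 of the disk and populate the trusted set from a clean image.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xAA"
PART_TYPES = {0x00: "empty", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x27: "Hidden NTFS (WinRE recovery)"}

def parse_mbr(mbr):
    """Parse a raw 512-byte MBR: bootstrap-code hash, partition table, boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    code = mbr[:440]  # bootstrap code, before the 4-byte disk signature at offset 440
    entries = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, p_type, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if p_type == 0x00:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": p_type,
                        "type_name": PART_TYPES.get(p_type, "unknown (0x%02x)" % p_type),
                        "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(code).hexdigest(),
            "valid_signature": mbr[510:512] == BOOT_SIG, "partitions": entries}

def assess(mbr, known_good_hashes):
    """Return a list of warnings; an empty list means nothing looked off."""
    info = parse_mbr(mbr)
    warnings = []
    if not info["valid_signature"]:
        warnings.append("missing 0x55AA boot signature")
    if info["code_sha256"] not in known_good_hashes:
        warnings.append("boot code hash not in known-good set: " + info["code_sha256"])
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        warnings.append("expected exactly one active partition, found %d" % len(active))
    return warnings

def build_sample_mbr():
    """Constructed sample MBR for the demo; not an image of any real disk."""
    code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(440, b"\x00")  # generic x86 stub + padding
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"                 # disk signature + reserved
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)     # C: (active)
    table += struct.pack("<B3xB3xII", 0x00, 0x27, 206848, 40960)   # hidden recovery partition
    table += bytes(32)                                             # two unused slots
    return code + disk_sig + table + BOOT_SIG

if __name__ == "__main__":
    sample = build_sample_mbr()
    print(assess(sample, {parse_mbr(sample)["code_sha256"]}))  # placeholder trusted set
```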

Minty1888

Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #8 on: November 28, 2010, 07:57:16 PM »
Hi again

I performed a full destructive recovery on the machine and ran the two programs as required. Attached.

TDSS came back clean but MBRCheck says there's something still there. If I look in the startup folder there's a strange filename of exact size of the file I mentioned in post 1.

essexboy
Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #9 on: November 28, 2010, 09:52:50 PM »
MBR check is reporting your recovery partition, so that is OK.

Could you now run a fresh OTL log for me please

Minty1888

Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #10 on: November 28, 2010, 10:51:24 PM »
Hi essexboy

I ran the OTL quick scan. Will that suffice? Attached.

essexboy
Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #11 on: November 29, 2010, 12:13:19 AM »
That looks OK, nothing appears to have survived  ;D

Any problems (apart from having Norton)?

Minty1888

Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #12 on: November 29, 2010, 12:33:50 AM »
Hi essexboy

Yeah, Norton came as part of the recovery  ::)

I've not really used the PC, just left it running after the scans. I haven't connected it to the internet yet. I've noticed it has been trying to access the floppy drive. There's no floppy in the drive. Not sure if that's a hardware issue.

Can you tell me what the file in startup folder is? ijogalmv? Seems suspect, much like the file I couldn't delete in post 1.

Minty1888

Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #13 on: November 29, 2010, 12:41:17 AM »
I plugged in to the internet and got directed to a page called insiderinfo dot com so am sure something's not right.

Pondus
Re: vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx
« Reply #14 on: November 29, 2010, 12:43:48 AM »
Removal tool for Norton, #26a: http://uninstallers.blogspot.com/