Author Topic: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]  (Read 5660 times)

borgia

  • Guest
Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« on: April 14, 2011, 12:53:51 AM »
Hey, this is my first post so I'd just like to say Hello and cheers for any help that I might be given!

I'll just start off with a description of events. My PC randomly crashed with a BSOD on Monday night. However, before the BSOD I was getting this program claiming to be Vista Firewall 2011 telling me that my PC was riddled with viruses, key loggers and other such nasties. Anyway, I tried restarting the PC and it kept getting a BSOD even when trying to start in safe mode (not that I've ever fully understood what safe mode means!). I left it yesterday. Today I gave the inside of the case a clean as it had accumulated a fair amount of dust, and made sure the memory modules were firmly seated, and when I tried to start it up it went straight into Windows, no problems. This Vista 2011 Firewall started going haywire again though right at startup and I had another BSOD. I restarted the PC but this time with my internet cable unplugged. On startup this programme didn't appear, so suspecting a virus I did a quick scan with Avast. No virus found. Straight away I did a full system scan and there was 1 virus found. I moved the virus, which was listed as a High threat and was called Win32:FakeAV-Bon [Trj], to the virus chest, where I scanned it and then deleted it. Should I have done this?

So, after I had done those scans and deleted the virus I tried opening Firefox, but nothing happened. And then when I tried opening other programs they wouldn't open and it would ask me to search for a program to open them with. I had the bright idea of doing a system restore back to Saturday. After doing that and getting onto Firefox I started getting bombarded with notifications from Avast about these Win32:Ramnit-G & VBS:ExeDropper-gen [Trj] viruses. It sent hundreds of .htm and .dll files to the virus chest. During this time I completed a quick scan on Avast which showed 22 infected files, all of them being Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]. I wasn't able to send them to the virus chest though. I also tried doing a boot scan, but I had to abort it because it was finding infected files but I wasn't able to move them or repair them.

I've managed, by using Google Chrome, as Firefox won't open again, to download MBAM and OTS. MBAM found 2 infected files and has quarantined them, and since then Avast has stopped sending Win32:Ramnit-G & VBS:ExeDropper-gen [Trj] infected files to the virus chest.

Sorry if that's a bit long-winded, and I hope you can make sense of what I've said! I've come on here now as I don't know what to do next, or even if my problems have been solved by MBAM. So just looking for some pointers really.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6354

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

13/04/2011 22:25:44
mbam-log-2011-04-13 (22-25-41).txt

Scan type: Quick scan
Objects scanned: 163064
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\mark\AppData\Local\Temp\7624.tmp (Trojan.Agent) -> No action taken.
c:\Windows\Temp\76A0.tmp (Trojan.Agent) -> No action taken.

I hope that's the information I need to post. I'm going to perform an OTS scan again as I can't find the log. So I'll edit that in a few minutes.

Thanks again for any help, borgia.
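
The MBAM log above has a fixed text layout (header fields, per-category summary counts, then one block of "target (detection) -> action" entries per category), and both file entries read "No action taken", so the posted text is the scan report rather than a record of the quarantine mentioned in the post. The script below is an added example, not Malwarebytes' code and not something from the original thread: it parses that layout into structured findings and keeps detection and action separate, so a responder can see at a glance which hits were actually neutralised and whether the summary counts agree with the entries listed. The sample input is a trimmed copy of the posted log, embedded so the script runs offline; the regexes assume only the line shapes visible in that log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into structured findings.

Added example; not Malwarebytes' code. Assumes only the layout visible in the
posted log: "Key: value" header lines, "<Category> Infected: N" summary counts,
then one "<Category> Infected:" block per category whose entries read
"<target> (<detection>) -> <action>." and end at the next blank line.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the log from the post above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6354

Windows 6.0.6002 Service Pack 2

Scan type: Quick scan
Objects scanned: 163064
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\Users\mark\AppData\Local\Temp\7624.tmp (Trojan.Agent) -> No action taken.
c:\Windows\Temp\76A0.tmp (Trojan.Agent) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<value>.+)$")
# The target may itself contain "(...)" (e.g. "Program Files (x86)"), so the
# detection is the parenthesised token immediately before the first " -> ".
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")
# Action prefixes MBAM 1.x writes once an item has actually been dealt with.
RESOLVED_PREFIXES = ("Quarantined", "Delete on reboot", "Unloaded")


@dataclass
class Finding:
    category: str   # e.g. "Files Infected", "Registry Keys Infected"
    target: str     # file path, registry key or process the hit applies to
    detection: str  # MBAM family name, e.g. "Trojan.Agent"
    action: str     # final "->" segment, e.g. "No action taken"


@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)   # "Database version" -> "6354"
    summary: dict = field(default_factory=dict)  # "Files Infected" -> 2
    findings: list = field(default_factory=list)


def parse_mbam_log(text: str) -> ScanReport:
    """Walk the log line by line; a blank line closes the current section."""
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if section is None:
            if m := SUMMARY_RE.match(line):
                report.summary[m["cat"]] = int(m["n"])
            elif m := SECTION_RE.match(line):
                section = m["cat"]
            elif m := HEADER_RE.match(line):
                report.header[m["key"]] = m["value"]
            continue  # banner, date and log-file-name lines carry no fields
        if line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry under {section!r}: {line}")
        # Registry-value and process entries carry extra "-> ..." segments
        # (value name, PID); the action is always the last one.
        action = m["rest"].split(" -> ")[-1]
        report.findings.append(Finding(section, m["target"], m["detection"], action))
    return report


def unresolved(report: ScanReport) -> list:
    """Findings the scanner reported but did not quarantine, delete or unload."""
    return [f for f in report.findings if not f.action.startswith(RESOLVED_PREFIXES)]


def count_mismatches(report: ScanReport) -> dict:
    """Categories whose summary count disagrees with the entries listed under them."""
    seen = {}
    for f in report.findings:
        seen[f.category] = seen.get(f.category, 0) + 1
    return {cat: (n, seen.get(cat, 0)) for cat, n in report.summary.items()
            if n != seen.get(cat, 0)}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"DB {rep.header['Database version']}, {rep.header['Scan type']}: "
          f"{len(rep.findings)} finding(s), {len(unresolved(rep))} unresolved")
    for f in unresolved(rep):
        print(f"  [{f.detection}] {f.target}: {f.action}")
```

Run against the posted log this reports two unresolved Trojan.Agent hits and no count mismatches; run against the removal log MBAM writes after "Remove Selected" (actions starting "Quarantined and deleted successfully") the unresolved list should be empty, which is the quick way to confirm the quarantine the poster describes actually happened.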


Pondus

  • Probably Bot
  • F-Secure user
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #1 on: April 14, 2011, 12:55:24 AM »
Quote:
> I'm going to perform an OTS scan again as I can't find the log. So I'll edit that in a few minutes.
The log is saved in the same place as you saved OTS.


You say Avast started detecting all this on Monday?
If so, it may be this:
https://blog.avast.com/2011/04/12/follow-up-instructions-for-false-positive-issue-with-virus-defs-110411-1/
« Last Edit: April 14, 2011, 12:59:42 AM by Pondus »

borgia

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #2 on: April 14, 2011, 01:10:05 AM »
Um, no, on Monday I was getting BSODs and a program called Vista Firewall 2011 flagging up lots of viruses. But I believe this program itself was some suspicious virus or something. I was getting flagged by Avast today when I rolled back to Saturday using the system restore.

I just saved the second OTS log to my desktop but it doesn't appear to be there. I saved OTS straight to my downloads folder, the first log isn't in there either.

Pondus

  • Probably Bot
  • F-Secure user
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #3 on: April 14, 2011, 01:15:59 AM »
It is recommended to save OTS to the desktop and run the scan from there,

as Essexboy's guide says: http://forum.avast.com/index.php?topic=53253.0

borgia

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #4 on: April 14, 2011, 01:24:39 AM »
Yeah, just realised I was running it through Avast's sandbox as well, so they weren't saving. Here's the log anyway. I'm not sure if anyone will be able to make anything from it?


Krelnadi

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #5 on: April 14, 2011, 02:01:14 AM »
Vista Firewall 2011 is the same thing as Anti Spyware 2011 and Win 7 Anti Spyware; it is a false AV that pretends to be a real AV.


It is a "scare" program that gives a lot of false infections and attacks, then says if you want to remove these threats you need to buy this program. It is essentially a scam to get you to buy the product; most of the time it won't even work. Once installed it will block sites and programs that can potentially remove it as well.

borgia

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #6 on: April 14, 2011, 02:08:21 AM »
Yeah, I suspected it was something along those lines. That's why I started doing virus scans today with Avast after I managed to get to my desktop without a BSOD. I'm not sure if what happened on Monday with the false positive threats is what has happened to me or not. Is there any way to check if everything that has been sent to my virus chest is in fact a virus? Or if it's safe to restore them?
« Last Edit: April 14, 2011, 02:18:03 AM by borgia »

Krelnadi

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #7 on: April 14, 2011, 02:17:54 AM »
One thing to be careful of is that the rogue AV (it will look and act like a real AV) will show real system files but say they are infected (which is false), so you can sometimes delete a file that was never infected.

You can find tutorials online that can remove the rogue AV programs.


borgia

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #8 on: April 14, 2011, 02:20:48 AM »
Just to clarify: since deleting the file that the Avast full system scan flagged up as being a virus, Vista Firewall 2011 is nowhere to be seen. It's just since I did a system restore to Saturday that I started getting all these files sent to the virus chest by Avast.

Pondus

  • Probably Bot
  • F-Secure user
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #9 on: April 14, 2011, 07:32:05 AM »
Essexboy is notified; he will check your logs when he arrives.

borgia

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #10 on: April 14, 2011, 04:44:59 PM »
Ok, thank you.

essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #11 on: April 14, 2011, 07:14:14 PM »
Hi - once this run has completed, can you let me know what problems you are having.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  bweluvki -> C:\Program Files\bweluvki
[Files/Folders - Modified Within 30 Days]
NY ->  test.exe -> C:\Windows\System32\test.exe
NY ->  176u5ye3ex5ry35el1eh8m2h48 -> C:\Users\mark\AppData\Local\176u5ye3ex5ry35el1eh8m2h48
NY ->  176u5ye3ex5ry35el1eh8m2h48 -> C:\ProgramData\176u5ye3ex5ry35el1eh8m2h48
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

borgia

  • Guest
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #12 on: April 16, 2011, 05:20:44 AM »
Hey, I couldn't get OTS to run for some reason. Tried reinstalling it but had no luck. MBAM found another 22 infected files, and my PC became pretty locked down. I've managed to back up all my important files and have done a fresh install of Windows.

Thanks for the help.

essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Ramnit-G & VBS:ExeDropper-gen [Trj]
« Reply #13 on: April 16, 2011, 05:11:02 PM »
I think you have done the right thing, as you may have had a file infector, and they are nasty.