Remnants of _ex-68.exe and win32malware/Ramnit-H

Hi guys, recently I have had major issues with the _ex-68.exe virus, along with win32malware and Ramnit-G and -H popping up all over my Avast. I ran Malwarebytes, which apparently removed the bulk of the virus (no longer being redirected on Google).

However, I have boot-up hanging issues now. I have a lot of popups from Avast still telling me I have the win32:Ramnit-H and G viruses on random files, as well as the DNSChanger-VJ trojan and Malware-Gen in my temp files \windows\assembly\temp\u\00000002.@ and 80000032.@

I also get regular malwarebytes messages popping up telling me it is blocking urls in idle.

Then, I am having a problem where I am unable to activate a firewall, as the Windows Authorization driver is missing in services.

Can you help get my computer clean?

Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8060

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

01/11/2011 14:51:25
mbam-log-2011-11-01 (14-51-24).txt

Scan type: Full scan (C:|F:|)
Objects scanned: 439129
Time elapsed: 1 hour(s), 36 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Protection log:
13:14:54 Andy MESSAGE Protection started successfully
13:14:58 Andy MESSAGE IP Protection started successfully
13:20:13 Andy IP-BLOCK 91.207.60.22 (Type: outgoing, Port: 52596, Process: svchost.exe)
13:36:09 Andy IP-BLOCK 83.128.87.5 (Type: outgoing, Port: 53107, Process: svchost.exe)
13:36:09 Andy IP-BLOCK 83.128.87.5 (Type: outgoing, Port: 53127, Process: svchost.exe)
13:52:11 Andy IP-BLOCK 91.207.60.22 (Type: outgoing, Port: 53454, Process: svchost.exe)
13:52:11 Andy IP-BLOCK 83.128.87.5 (Type: outgoing, Port: 53498, Process: svchost.exe)
14:08:16 Andy IP-BLOCK 91.207.60.22 (Type: outgoing, Port: 54155, Process: svchost.exe)
14:08:16 Andy IP-BLOCK 83.128.87.5 (Type: outgoing, Port: 54171, Process: svchost.exe)
14:24:14 Andy IP-BLOCK 91.207.60.22 (Type: outgoing, Port: 54495, Process: svchost.exe)
14:24:14 Andy IP-BLOCK 83.128.87.5 (Type: outgoing, Port: 54511, Process: svchost.exe)
14:40:12 Andy IP-BLOCK 91.207.60.22 (Type: outgoing, Port: 54680, Process: svchost.exe)
14:40:12 Andy IP-BLOCK 83.128.87.5 (Type: outgoing, Port: 54734, Process: svchost.exe)
14:46:34 Andy IP-BLOCK 77.91.231.166 (Type: outgoing, Port: 54745, Process: svchost.exe)
14:46:42 Andy IP-BLOCK 77.91.231.166 (Type: outgoing, Port: 54747, Process: svchost.exe)
14:54:11 Andy MESSAGE IP Protection stopped
15:49:29 Andy MESSAGE Protection started successfully
15:49:34 Andy MESSAGE IP Protection started successfully
15:52:18 Andy MESSAGE IP Protection stopped
17:40:26 Andy MESSAGE Protection started successfully
17:40:34 Andy MESSAGE IP Protection started successfully
17:46:48 Andy MESSAGE Protection started successfully
17:46:55 Andy MESSAGE IP Protection started successfully

OTL, MBR and Hijack this attached to message.

Thanks a lot guys, any help to get my system clean will be appreciated.
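A defender-side way to read a protection log like the one above: the repeated outgoing blocks from svchost.exe to the same hosts at roughly 16-minute intervals are a beaconing pattern, which is worth flagging separately from one-off blocks. This is an added example, not code from the thread or from Malwarebytes; it parses constructed lines in the same MBAM 1.x protection-log format (the IPs are documentation addresses, not those in the thread) and reports destinations contacted at a near-constant interval.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the MBAM 1.x "Protection log" format; not the thread's own log.
SAMPLE_LOG = """\
13:14:58 Andy MESSAGE IP Protection started successfully
13:20:13 Andy IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 52596, Process: svchost.exe)
13:36:09 Andy IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 53107, Process: svchost.exe)
13:36:09 Andy IP-BLOCK 198.51.100.7 (Type: outgoing, Port: 53127, Process: svchost.exe)
13:52:11 Andy IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 53454, Process: svchost.exe)
14:08:16 Andy IP-BLOCK 192.0.2.10 (Type: outgoing, Port: 54155, Process: svchost.exe)
14:46:34 Andy IP-BLOCK 203.0.113.5 (Type: outgoing, Port: 54745, Process: firefox.exe)
14:54:11 Andy MESSAGE IP Protection stopped
"""

# One IP-BLOCK line: time, user, verb, destination, then the parenthesised details.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) \S+ IP-BLOCK (?P<ip>[\d.]+) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)


def parse_blocks(log_text):
    """Return (time, ip, direction, port, process) tuples for every IP-BLOCK line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # MESSAGE lines and anything else are skipped
            t = datetime.strptime(m["time"], "%H:%M:%S")
            events.append((t, m["ip"], m["dir"], int(m["port"]), m["proc"]))
    return events


def find_beacons(events, min_hits=3, jitter=timedelta(seconds=60)):
    """Group outgoing blocks by (process, ip); return those whose inter-hit gaps are
    near-constant, mapped to the mean period in seconds. min_hits and jitter are
    thresholds chosen for this example, not MBAM settings."""
    by_dest = defaultdict(list)
    for t, ip, direction, _port, proc in events:
        if direction == "outgoing":
            by_dest[(proc, ip)].append(t)
    beacons = {}
    for key, times in by_dest.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            beacons[key] = round(sum(g.total_seconds() for g in gaps) / len(gaps))
    return beacons
```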

Sorry, but Ramnit is a file infector… and that is very bad news if you have it. It is usually a format/reinstall case.

Virut and other File infectors - Throwing in the Towel?
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

http://www.tech-101.com/support/index.php/topic/1354-ramnit-the-newest-file-infector/

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Virus:Win32/Ramnit.A!dll

OK, the main thing is… is Avast keeping it in check? You also have the conserv malware. It may, just may, be recoverable.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\config\systemprofile\AppData\Local\xfvlvssi\glnxgvcy.exe) -C:\Windows\SysWOW64\config\systemprofile\AppData\Local\xfvlvssi\glnxgvcy.exe ()

:Files
ipconfig /flushdns /c
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\xfvlvssi

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Hi Monkeywool,

You could do a full scan with a tool that is good at these file infectors later; download from here: http://majorgeeks.com/downloadget.php?id=4783&file=1&evp=ef9669e4f16e6e75d95abcde8f88163d
But with essexboy you are in the best of hands, and maybe he can offer you that shimmering of hope
on this specific day of the season, so follow his instructions to the dot. I will keep my fingers crossed for you,

polonus

That would be the next option once conserv has gone, depending on the condition of the system.

Cheers folks, just doing the OTL scan now. When it began the fix, Windows popped up with a message saying it'll reboot in 1 minute due to an error. I didn't touch anything and let the computer reboot, but I'm unsure whether OTL finished doing what it needed to do.

Hi Monkeywool,

That is what essexboy also gives as a second option: a complete scan with DrWebCureIt will freeze all of your computer before the scanner is doing its bid. You might just need that bit of "status quo" on the system, because the additional rebooting will get you further into infected stages,

polonus

Try OTL from safe mode, as the malware is getting a bit uppity.

Otherwise go straight to combofix

OK, well, I just did OTL how it was and did the ComboFix. Should I do OTL again in safe mode?

I’ve put the logs how they stand at the moment.

Essexboy usually logs out around midnight… so check back tomorrow.

He is usually in here around 08:00pm - 11:59pm UK time.

No worries, I can monitor how it goes till tomorrow. Thanks for all the help so far.

OK, not sure if it's related, but I booted my PC today and now I am unable to connect to the internet with my wireless connection. I can do it through LAN, but not wireless.

Persistent little bugger this virus.

*Edit

Fixed that problem, disabled Hamachi completely.

Hi, the conserv element is now history - so let's look at the other bit.

Download Cure-it from here

It will download to your desktop as Launcher

Accept the Enhanced Protection Mode

http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled1.jpg

Select Quick scan initially

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture-1.gif

Once done, select File - Save report list

http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled-2.jpg

Upload the report list to Mediafire and post the sharing link please

http://www.mediafire.com/?zehttua2fmnqtu1

It reckons it found some stuff and I should do a full scan.

Yes, run a full scan please - once completed, could you let me know how the computer is behaving?

Had no hangups on boot today and things seem to be running normally. Avast hasn't popped up with any blocks since I logged in, albeit it is only 5 minutes or so. The scan last night took a fair few hours; it started at 9 and by 1am when I went to bed it was only 25% done, so I checked it when I got up this morning for work.

Anyway, here is the log.

http://www.mediafire.com/?e1jhralydsj4ha7

Thanks for your help so far.

Looks like it got the last of it… Avast appeared to be keeping it in check

Run your computer as normal for the next day or so to ensure that it is working properly… Once you are happy let me know and I will remove my tools

No worries, cheers.

Hi Monkeywool,

Thanks to essexboy, and fine that it worked out OK,

polonus