Got this notification every few minutes.
VBS: ExeDropper-Gen [trj]
Half my programs not working now and driving me slightly crazy. Any help you can provide would be great.
Included my MBAM and OTL Logs
Hello pogo4eva and welcome to the forum.
Thank you for providing the logs as they are helpful. Can you tell me when your problems began and what you are experiencing (besides your programs not working)? Did anything change after putting things in quarantine with MBAM?
I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. I will continue to provide assistance in the meantime, then remain in the background while he works with you.
Please do not make any further changes to your machine now that you have provided the logs.
Let me know if you have any questions. Thank you.
Hi SS.
Machine has been running slowly for a couple of days. Then all these notifications start appearing. Have had a BSOD today as well, and more blocked malware notifications are appearing on avast for Exedropper Gen and a couple of others…
Thanks for your help and passing my info to your malware expert. Looking forward to a diagnosis!
Gaz
A VBS dropper? So surprised… curious to have a look at the source code ^^
Hi there - let's clear you up a bit, shall we?
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
```
:OTL
O4 - HKLM..\Run: [Qneneviwec] C:\WINDOWS\ewejuciv.DLL ()
O4 - HKCU..\Run: [Dwm] C:\Documents and Settings\Gaz and Sandy\Application Data\dwm.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: XQRXMDM = C:\WINDOWS\system32\prntvptm.exe File not found
O20 - HKLM Winlogon: UserInit - (c:\program files\microsoft\watermark.exe) - c:\Program Files\Microsoft\WaterMark.exe ()
[2010/10/26 23:05:39 | 000,000,024 | ---- | M] () -- C:\WINDOWS\System32\complete.dat
[2010/10/26 21:47:10 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cveqab.dat
[2010/10/26 18:01:18 | 000,000,024 | ---- | C] () -- C:\WINDOWS\System32\complete.dat
[2010/10/26 18:00:24 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\dmlconf.dat
[2010/10/26 10:07:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Cveqab.dat
[2010/10/26 10:07:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Fnoyecabaf.bin
:Files
ipconfig /flushdns /c
C:\WINDOWS\tasks\At*.job
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
```
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Hi, thanks for the advice, but have come to a stumbling block.
I ran the process through OTL, and then did a quick scan (will attach the log later as at work now), downloaded Combofix, but when I run it, I get the following error pop up.
3278SR22FWJFW/Iexplore.exe
Windows cannot access the specified path or file
and that repeats about a dozen times then comes up with the same message for a few other files.
Not sure if it's relevant, but have started getting notifications for Ramnit B as well… Also had to re-download OTL before I ran your script as avast quarantined it…
Will attach the logs when I get home this PM.
Thanks,
Gaz
Most recent OTL log attached
I can see what is causing the problem - so I would like you to retry Combofix from safe mode (download a fresh copy first).
Will get on that as soon as I get home later…
Ok Here is the Combofix log.
On completion of these runs, can you let me know what problems remain?
Please open Notepad
[*]Click Start, then Run
[*]Type notepad.exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:
```
File::
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
Folder::
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
```
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Save the above as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
OK all done, please see logs attached.
What problems remain?
Everything looked OK but getting a whole load of Win32: Ramnit-E notifications from Avast now! ???
This is becoming a very virulent malware now and each version is getting stronger.
Download Dr Web from here http://www.freedrweb.com/?lng=en (link on the top right of the page), tick the EULA and then download.
It will download as an 8 digit file; save it to your desktop.
Restart in safe mode and run it.
Accept the enhanced version
Then run the full scan
Select cure for all infected files
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that
Left that scan running overnight and it found something like 2600 infected files and was still running this morning at over 14 hours scan time :o. Got to go through it after work and cure/quarantine anything that didn't get automatically cured, then will post the log…
Whoah, my log file is 134MB, so won't be able to post it, any other options?
Could you copy a selection of say 20 lines of the infection for me to see?
Also, is Avast still reporting the virus?
Hi,
Here is a random excerpt that shows some infections. Avast hasn't given any notifications since the Drweb scan completed.
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/comm_cd.jpg - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/comm_faq.jpg - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/comm_intro.jpg - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/comm_website.jpg - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/expandtri.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/home2.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/netall.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/setall.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/setcom.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/setfirst.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/setnet.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/img/setnot.gif - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033/setup.hhc - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB/SETUP.CHM_1033 - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZY561401.CAB - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZZ561401.CAB - archive CAB
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZZ561401.CAB/TREEHELP.TXT - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZZ561401.CAB - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045090.dll infected with Win32.Rmnet - cured
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045090.dll - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045091.dll infected with Win32.Rmnet - cured
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045091.dll - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045092.dll infected with Win32.Rmnet - cured
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045092.dll - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045093.exe infected with Win32.Rmnet - cured
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045093.exe - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\change.log - OK
E:\System Volume Information_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\RestorePointSize - OK
Let me know if you need any more.
Thanks,
Gaz
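The excerpt above is what the next reply reasons from: every "infected ... - cured" hit sits under a System Restore point, so the restore points themselves are the reinfection risk. The following is an added example (not from this thread or from Dr.Web) that parses lines in that log shape, separates hits inside restore points from hits on the live filesystem, and lists anything not reported as cured. The sample lines are constructed in the same format (the "quarantined" status and the C:\ paths are stand-ins, not real scan output).

```python
import re
from collections import Counter

# Constructed sample in the Dr.Web line shape seen in the thread.
SAMPLE_LOG = r"""
E:\System Volume Information\_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045089.exe/Microsoft Frontpage 2003/ZZ561401.CAB - OK
E:\System Volume Information\_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045090.dll infected with Win32.Rmnet - cured
E:\System Volume Information\_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045090.dll - OK
E:\System Volume Information\_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP6\A0045093.exe infected with Win32.Rmnet - cured
E:\System Volume Information\_restore{1CAD30BF-DE5C-40BE-898C-EF0AC5FBF6EA}\RP7\A0045120.exe infected with Win32.Rmnet - quarantined
C:\Program Files\Example\app.exe infected with Win32.Rmnet - cured
C:\WINDOWS\system32\good.dll - OK
"""

# "<path> infected with <threat> - <status>"  or  "<path> - OK" / "- archive CAB"
LINE_RE = re.compile(r"^(?P<path>.+?)(?: infected with (?P<threat>\S+))? - (?P<status>.+)$")
# Matches "_restore{GUID}\RPn" (the backslash is optional so lines that lost it
# during copy/paste, as in the post above, still match).
RESTORE_RE = re.compile(r"_restore\{[^}]+\}\\?(RP\d+)", re.IGNORECASE)


def parse_drweb_lines(text):
    """Return (path, threat, status) per line; threat is None for clean entries."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["path"], m["threat"], m["status"]))
    return records


def restore_point_of(path):
    """'RP6' if the path lives inside a System Restore point, else None."""
    m = RESTORE_RE.search(path)
    return m.group(1).upper() if m else None


def summarize(text):
    """Count hits per threat and per location, flag live-system and uncured hits."""
    infected = [(p, t, s) for p, t, s in parse_drweb_lines(text) if t]
    return {
        "infected": len(infected),
        "by_threat": dict(Counter(t for _, t, _ in infected)),
        "by_location": dict(Counter(restore_point_of(p) or "live filesystem"
                                    for p, _, _ in infected)),
        # Hits outside restore points still need cleaning on the running system.
        "live_hits": [p for p, _, _ in infected if restore_point_of(p) is None],
        # Anything the scanner did not cure needs manual follow-up.
        "uncured": [p for p, _, s in infected if s != "cured"],
    }
```

If `live_hits` is empty, every detection came from a restore point, which is exactly the case where clearing the restore points (as the next reply does) removes the remaining copies.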
OK, they are all in your restore point, so system restore at the moment is useless. Let's get a new one made and the other removed.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
```
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
```
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
THEN
Please run a fresh OTL scan (you will only get one log this time) and attach that; also let me know of any problems that you are experiencing.