VBS:ExeDropper-gen, please help!

Hi, I’m not fantastic with computers so bear with me.
I am having some severe issues with a virus named:
VBS:ExeDropper-gen

I’m running avast version 4.8

It seems that all of my .htm and .html files are being infected and detected as viruses.
I’m at a loose end, any help would be much appreciated.

Thanks

Stefan

Please update to the latest Avast 6. There was an error in the definitions detecting false positives. Also Avast 6 has much better detection and removal than 4.8. You can download Avast 6 from this site :) Hope this helps!

Thanks, doing this now.
I have also run something called malwarebytes antimalware and that found 7 things which were put into quarantine.

Good! Sounds like you're on the right path. Please make sure to uninstall avast 4.8 before installing avast 6!

I recommend posting all scan logs here

As I am here and am waiting for a reply myself, thought I’d just say

Have you checked your task manager to see what processes are running?

There’s a good chance there’s some spawned browser processes - IEXPLORE.EXE or FIREFOX.EXE - running

These would be infecting your files with the ExeDropper

Going to post the logs here soon just have to get them from the infected computer to my laptop,
Going to install version 6 of avast.
I noticed 3 iexplorer.exe processes which I have now ended.
I have also turned off my wireless internet on the PC.

Yes that is the dreaded RAMNIT

Everyone seems to be having this problem and no one seems to have the definite answer to solving it

Your best bet so far, from me, is to END THOSE processes as soon as you turn on your computer to prevent further damages

If you check my post, on this thread, you will see my current progress
http://forum.avast.com/index.php?topic=63275.msg633553#msg633553

ahh damn that sounds bad…

well I’ll check out your post and will post my logs here shortly,

Am I looking at a full system re-boot here? I would really like to avoid this if possible

many thanks for your response :)

Ornette, please post a log of your Malwarebytes scan so we can determine further action.

Thanks! Also from this point we do not have enough data to determine if it is Ramnit, if you post logs and more info we can find the exact problem!

StefanR

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop. Post DDS.txt back to topic.

DDS log sent as attachment

Djleder,

The last scan I did with MBAM didn’t help me with this vbs:exedropper-gen[trj] and win32:ramnit-b problem

Hijack This was more helpful and showed me the entries in my HKLM..\Winlogon\Userinit & All Users\Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
C:\WINDOWS\system32\userinit.exe,C:\Program Files\wskbplkv\fyynaotm.exe

C:\Documents and Settings\Ornette\Start Menu\fyynaotm.exe

To be honest I have been faffing around for two days with this, so you will forgive me if I appear to be ahead of myself.
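
Added example, not part of any poster's message or of HijackThis output: a Python check that splits a Winlogon Userinit value and flags every entry other than the default userinit.exe, run here on the value quoted in the post above. The function names and the assumption that the Windows directory is C:\WINDOWS are illustrative; the value string has to be read or exported from the registry separately.

```python
import ntpath
import re

def split_userinit(value):
    """Split the comma-separated Userinit string into cleaned entries."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"').strip()
        if part:  # a clean value usually ends with a trailing comma
            entries.append(part)
    return entries

def is_default(entry, windir=r"C:\WINDOWS"):
    """True only for <windir>\\system32\\userinit.exe (case-insensitive)."""
    # Expand the two environment variables commonly seen in this value.
    expanded = re.sub(r"%(systemroot|windir)%", lambda m: windir,
                      entry, flags=re.IGNORECASE)
    expected = ntpath.join(windir, "system32", "userinit.exe")
    return ntpath.normpath(expanded).lower() == expected.lower()

def audit_userinit(value, windir=r"C:\WINDOWS"):
    """Return the parsed entries, the ones needing review, and whether
    the default userinit.exe entry is missing altogether."""
    entries = split_userinit(value)
    unexpected = [e for e in entries if not is_default(e, windir)]
    return {
        "entries": entries,
        "unexpected": unexpected,
        "missing_default": len(unexpected) == len(entries),
    }

# Value as quoted in the post above.
POSTED_VALUE = (r"C:\WINDOWS\system32\userinit.exe,"
                r"C:\Program Files\wskbplkv\fyynaotm.exe")

if __name__ == "__main__":
    report = audit_userinit(POSTED_VALUE)
    for path in report["unexpected"]:
        print("review before next logon:", path)
    if report["missing_default"]:
        print("default userinit.exe entry is missing")
```

Every program listed in Userinit is launched at logon, so any flagged path should be checked (in safe mode if it is hidden in normal mode, as reported later in this thread) before the value is restored to the default.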

Excellent! Is the problem still there or is it all fixed? ;D

Okay so I have attached two MBAM logs, and also an OTS log from the latest scans I have performed.
I’ll get DDS onto my infected computer and do that now.
I have also installed the latest version of avast which appears to be running okay.
Thanks again!

You are very welcome StefanR, if you have any questions or need help feel free to tell me at any time and I’ll try my best to help.

That remains to be seen but I have certainly removed the

fyynaotm.exe

files referenced in the registry AND hard saved into my ‘startup’ folder

Worth noting that I COULD ONLY SEE them in safe mode!

C:\Program Files\wskbplkv\fyynaotm.exe
C:\Documents and Settings\Ornette\Start Menu\fyynaotm.exe

In normal mode these files do not appear, I am not sure why, I have my machine by default set to show all files. No doubt some clever trick was used to hide them

So far, problem has halted…

But there is now a problem with my Avast…
It is not loading properly in normal or safe modes, and now in normal mode the desktop is freezing up. So, I have deinstalled my Avast 5.1.889 and reinstalled, with new version 6.0.1

Of course the worry will be that a Ramnit infected .EXE file will start this all over again. And without Avast running…

Off to restart computer again 8)

@Ornette, also Ramnit.B is a virus I believe is not detectable at the moment. If you can submit the file to Avast they can add it to their database, making sure other users don’t get infected with it either.

Here is the DDS log,
any ideas?

StefanR

You have the Combofix log C:\Combofix.txt