vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx

Hi there folks

Found this forum while looking for a solution to this virus problem. I’m used to most malware/virus removal techniques but this one has me stumped. The computer in question isn’t mine but a friend’s and it was recently attacked, in the last two weeks I think. Facebook was mentioned. Anyway, I managed to remove most of the pop-ups, adware and such with Malwarebytes and SuperAntiSpyware. However there’s something still there because when I look in the startup folder there’s a file called qwvdwmii.exe, even after manually deleting it using Killbox. When I restarted the machine after deleting the file, it wouldn’t be in the startup folder initially, but once Firefox was started (although sometimes after opening other programs like HiJackThis, Task Manager etc.) the file would appear again in the startup folder.

I decided to download avast and run a full scan and it came back with over 3000 files infected, and that’s where I found the virus names vbs:exedropper-gen[trj], win32:ramnit-f and win32 crypt-ibx. I haven’t removed any files as I’ve done this in the past and removed files from the system32 folder and made an arse of it.

I suppose firstly, can this machine be fixed? I would prefer not to format but realise this may be the only option.

Secondly can any infected files be saved? There’s a lot of pictures needing saved

Attached is a quick scan OTL log and extras and a quick scan of malwarebytes

Please advise and thanks in advance

Ramnit is very bad news…

http://forum.avast.com/index.php?topic=66688.0

Didn’t think it was good. I’m running a Dr Web scan as that seems to be the next step according to previous posts but think format and reinstall is going to be the only secure option as it gets used for internet banking and such.

Yep, when Essexboy recommends format… format it is :cry:

I sent him a PM so you may wait for his reply before you do anything… he may be in bed now

OK mate thanks very much

As it is used for banking

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

  1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

  2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Then I would highly recommend a reformat - Once done then check the MBR by using the following programme and post the logs

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

SECOND MBR

Please download MBRCheck.exe to your desktop.

[*]Be sure to disable your security programs
[*]Double-click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
[*]A window similar to this should open on your desktop:

http://i677.photobucket.com/albums/vv132/RPMcMurphy_album_photos/mbrcheck.png

[*]If you are prompted with options, enter N at the prompt and press Enter
[*]Press Enter again
[*]A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

Hi essexboy

Thanks for having a look. Just to clarify, I have to format the hard drive, reinstall windows and then run these two programs TDSS Killer and MBRCheck? I have a recovery partition on the hard drive, can i re-install from that? Or should I wipe the whole drive just to be on the safe side?

Also can I save things like photographs, pdfs, docs etc before formatting? I know things like exes, htm(l), scr files shouldn’t be copied.

Thanks for your time

You can use the recovery partition

Any file except those that may have been infected are OK - so photos and documents are not a problem

The check for the MBR is just in case the virus dropped Whistler or TDL4 into the MBR. A format should cure that, but it is better to be safe than sorry.
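What that MBR check is looking at, as an added example (not code from this thread, and not MBRCheck’s or TDSSKiller’s own logic): a Python parser for the 512-byte master boot record that validates the 0x55AA boot signature, decodes the four partition-table entries, flags hidden/recovery partition types (the kind an OEM recovery image leaves behind), and hashes the 440-byte boot code against a known-good baseline. The sample sector, its baseline and the tampered copy are all constructed inline so the script runs offline; the partition type codes are the standard MBR values.

```python
"""Added example: parse a 512-byte MBR and compare its boot code to a baseline.

Not code from the forum thread, MBRCheck or TDSSKiller. The sample sector and
the known-good baseline are constructed inline; type codes are standard MBR values.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # offsets 0x000-0x1B7; 4-byte disk signature follows
PART_TABLE_OFFSET = 446       # 0x1BE: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

# Standard MBR partition type codes; hidden/recovery types are what a tool such
# as MBRCheck lists next to the OS partition on an OEM machine.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x12: "Compaq/HP diagnostics (hidden)",
    0x17: "Hidden NTFS",
    0x27: "Hidden NTFS recovery (WinRE)",
    0xDE: "Dell utility",
    0xEE: "GPT protective",
}
HIDDEN_TYPES = {0x12, 0x17, 0x1B, 0x27, 0xDE}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, type_code, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type_code": type_code,
        "type_name": PARTITION_TYPES.get(type_code, "unknown"),
        "hidden": type_code in HIDDEN_TYPES,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def boot_code_sha1(sector: bytes) -> str:
    """Hash of the 440-byte boot code, the part a bootkit rewrites."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature; return boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    (disk_signature,) = struct.unpack("<I", sector[440:444])
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(sector[off:off + 16])
        if entry["type_code"] != 0:  # type 0 = unused slot
            partitions.append(entry)
    return {
        "boot_code_sha1": boot_code_sha1(sector),
        "disk_signature": disk_signature,
        "partitions": partitions,
        "hidden_partitions": [p for p in partitions if p["hidden"]],
    }


def boot_code_changed(sector: bytes, known_good: set) -> bool:
    """True when the boot code matches none of the known-good hashes. A TDL4/Whistler
    style bootkit overwrites the boot code but leaves the partition table intact."""
    return boot_code_sha1(sector) not in known_good


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba, count) tuples."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    sector += struct.pack("<I", 0x1234ABCD)  # constructed disk signature
    sector += b"\x00\x00"                    # reserved
    for status, type_code, lba, count in entries:
        sector += struct.pack("<B3xB3xII", status, type_code, lba, count)
    sector += b"\x00" * (16 * (4 - len(entries)))
    sector += BOOT_SIGNATURE
    return bytes(sector)


CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32  # stand-in, not real MBR code
# Bootable NTFS OS partition plus a hidden OEM diagnostics partition (constructed).
SAMPLE_ENTRIES = [(0x80, 0x07, 63, 200_000_000), (0x00, 0x12, 200_000_063, 16_384)]


def demo() -> dict:
    """Baseline the clean MBR, then show a boot-code overwrite is caught even
    though the partition table reads exactly the same."""
    clean = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_ENTRIES)
    baseline = {boot_code_sha1(clean)}
    tampered = bytearray(clean)
    tampered[0:4] = b"\xeb\x00\x90\x90"  # constructed patch to the boot code only
    tampered = bytes(tampered)
    return {
        "clean": parse_mbr(clean),
        "clean_flagged": boot_code_changed(clean, baseline),
        "tampered_flagged": boot_code_changed(tampered, baseline),
        "table_unchanged": parse_mbr(clean)["partitions"] == parse_mbr(tampered)["partitions"],
    }


if __name__ == "__main__":
    result = demo()
    for p in result["clean"]["partitions"]:
        print(f"type 0x{p['type_code']:02X} {p['type_name']} bootable={p['bootable']} "
              f"start={p['lba_start']} sectors={p['sectors']}")
    print("clean flagged:", result["clean_flagged"], "tampered flagged:", result["tampered_flagged"])
```

The point of `demo()` is the failure mode the thread is worried about: a partition-table listing alone looks identical before and after the boot code is overwritten, which is why the check has to hash the code bytes rather than just enumerate partitions. The hidden diagnostics entry is also what shows up as the extra partition later in this thread, and is not by itself a sign of infection.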

Hi again

I performed a full destructive recovery on the machine and ran the two programs as required. Attached

TDSS came back clean but MBRCheck says there’s something still there. If I look in the startup folder there’s a strange filename of the exact size of the file I mentioned in post 1

MBR check is reporting your recovery partition - so that is OK

Could you now run a fresh OTL log for me please

Hi essexboy

I ran the OTL quick scan. Will that suffice? Attached

That looks OK nothing appears to have survived ;D

Any problems (apart from having Norton ) ?

Hi essexboy

Yeah, Norton came as part of the recovery :)

I’ve not really used the PC, just left it running after the scans. I haven’t connected it to the internet yet. I’ve noticed it has been trying to access the floppy drive. There’s no floppy in the drive. Not sure if that’s a hardware issue.

Can you tell me what the file in startup folder is? ijogalmv? Seems suspect, much like the file I couldn’t delete in post 1

I plugged in to the internet and got directed to a page called insiderinfo dot com so I’m sure something’s not right

Removal tool for norton #26a http://uninstallers.blogspot.com/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb9.hpwis.com/

Don’t think this is right.

I’m considering doing a 3-pass zero out on the hard drive as I’m sure something’s still there. Cheers for the link Pondus

Issue now resolved

I formatted the whole hard drive including the recovery partition and installed from CD. Nothing in the startup folder now and no re-directs to that insiderinfo site.

Thanks to all who helped and assisted

Let’s kill it shall we

  1. Please download The Avenger2 by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:

Files to delete:
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ijogalmv.exe



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.