Win32.Ramnit.C Problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ESRaistlin, Sep 23, 2010.

  1. ESRaistlin

    ESRaistlin Private E-2

    Good Evening. The forums and resources here have been truly amazing. When my issue hit, this was one of the only areas I found detailed descriptions on how to deal with it.

    I did follow the instructions provided and have some logs which I have posted. For some reason when I got to scanning the MGTools, I double clicked it but the dos prompt opened and closed quickly with nothing else happening. After a power cycle my virus software is still going off the wall detecting this issue.

    I'm not even sure how I got it. I haven't surfed anywhere different than usual or downloaded anything aside from through iTunes. (No torrents or LimeWire files).

    Hopefully the logs will help shine some light on something I'm not aware of.

    Any help and feedback is greatly appreciated. Much thanks for the other resources as well.

    Cheers!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please immediately do the below. You must do this immediately and you must complete all 3 scans one after the other with only the delay to post logs in between. DO NOT use your PC for anything else but these instructions.

    Run this Using ESET's Online Scanner and immediately attach the log.

    Then run the Eset scan a second time and attach the 2nd log.

    Then run the Eset scan a third time and attach the 3rd log.

    After attaching the 3rd log, if any Ramnit infections were found by Eset, try to repeat the above until it comes up clean. The only infections of Ramnit you can ignore are ones that may be found in the System Volume Information folder, which is System Restore and cannot be cleaned. We will remove them later by disabling System Restore.
     
  3. ESRaistlin

    ESRaistlin Private E-2

    Re: Win32.Ramnit.C Problems - Scan 1

    Log one.
    Over 7000 infected files and 2.5 hours for the first scan. That was insane. The log file was too big, so I added it to a zip file to fit the acceptable size limit.

    Second scan to start.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, continue on. Make some progress, and after you have attached the third log from the third scan, run it again and again until it finds no more.
     
  5. ESRaistlin

    ESRaistlin Private E-2

    Will do. Thanks again :)

    Second scan found much less. Only 30 infections. Said it couldn't fix one of them though.

    Anyhow, here's the log.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok, keep going.
     
  7. ESRaistlin

    ESRaistlin Private E-2

    Completed the 3rd scan. Only found 24. But then I went and did a fourth one that found around 30 or so. I don't understand it to be honest. Here are the logs.

    Guess I'll go for a 5th round. It's rough since each scan takes like 2 hours to complete :zzz
     


  8. ESRaistlin

    ESRaistlin Private E-2

    Currently completed scan 5 and scan 6. It's getting worse, with each scan finding more infected files. Considering the locations of these, I'm contemplating going in there and deleting all of these myself because it's mostly in the same area all the time. Urgh.

    Do I just keep going even though it's getting worse?
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you now able to run MGTools? Does the MGTools folder exist? If it does, run the C:\MGTools\FindRN.bat. Attach that log.
     
  10. ESRaistlin

    ESRaistlin Private E-2

    EDIT - didn't see the reply before I posted. Must have just happened. I'll try running MG Tools again instead of doing scan 10 with eset and update this post.

    Hope this isn't considered a bump as I'm providing updated info.

    Currently starting scan 10 after this post. After scan 9 I'm back to 60 threats found. Not sure if this will get the issue resolved or just find threats continually. But to this point I haven't gone off and done anything else yet. Using my old laptop for all computer related stuff for now.

    Other scans attached.
     


  11. ESRaistlin

    ESRaistlin Private E-2

    For the life of me I couldn't find an edit option for my previous post. Apologies!

    Attached is a ramnet.txt file created via the FindRN.bat application. Also attached is a log from MGTools as well. Previously it would not run, this time it did and I was able to get a log for you. Hope it helps.

    Cheers!
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to uninstall both Shaw Secure and IE5. Once you have done that, run CCleaner.

    Now, make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    zprkfeov
    File::
    I:\Documents and Settings\Cam\Local Settings\temp\tmp883d7230.bat
    I:\WINDOWS\system32\drivers\zprkfeov.sys
    I:\Program Files\temp\kill.exe
    Folder::
    I:\Documents and Settings\Cam\Local Settings\temp\tmp1825e015
    I:\Documents and Settings\Cam\Local Settings\temp\tmp5503362c
    I:\Documents and Settings\Cam\Local Settings\temp\tmpe2e9713e
    I:\Documents and Settings\Cam\Local Settings\temp\tmpee38bee8
    I:\Documents and Settings\Cam\Templates\VH56DJI7u87yo
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "nonep"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="i:\windows\system32\userinit.exe,"
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download and install an AV program ( you could re-install Shaw if it is paid for ) and IE8.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  13. ESRaistlin

    ESRaistlin Private E-2

    Hi There Tim. Thanks for the heads up for the next steps. I look forward to seeing how they help out. I have removed shaw secure which is my ISP's security suite. However I do not have an IE 5 in my add/remove program list. I do have Internet explorer 8 installed however I cannot choose to un-install it from the add/remove programs list. Should I just go in manually to remove it from my program files etc?

    Thanks!
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I hope you have replaced your AV software. Avast or Avira or even Microsoft Security Essentials would be a good choice.

    What each eSet scan was showing was items in Shaw Security as well as system restore (which we will remove in the final cleanup) as well as these:
    I:\Documents and Settings\Cam\Local Settings\Temporary Internet Files\Content.IE5
    So you should delete that entire folder.

    Once you have removed it, then run another eSet scan and attach the log along with the new Combo log from my previous post and the new run of MGTools.
     
  15. ESRaistlin

    ESRaistlin Private E-2

    I actually wasn't planning on replacing my AV software because it was my old ISP's security suite that allowed this to happen. When the problem occurred I was with a different ISP and, as such, was using their program(s). Then I got the problems just as I had switched. So I then installed Shaw's protection and uninstalled the one from Rogers. It's just that Shaw happens to be the only AV program in there now, when it was actually the Rogers software that missed this before.

    I'll follow those instructions and get the logs posted later since I've been reduced to using my work computers and a ridiculously old Dell laptop at home.

    Thanks again!
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As I stated, you need to uninstall completely Shaw Security as it is infected!! Once removed, install a different AV program. We need to remove both Shaw and that IE5 folder.
     
  17. ESRaistlin

    ESRaistlin Private E-2

    Alright, just started my weekend so I can get started on the newest steps you provided. Shaw has been uninstalled, and I'll remove that folder as well and get those scans done. When everything does end up being clean and removed, would it be ok to reinstall and use the Shaw service then?

    Next post will have the logs you've requested. Cheers!
     
  18. ESRaistlin

    ESRaistlin Private E-2

    Well, at this point I'm ready to just say to heck with it and reformat.

    As per your previous posts I:

    A: Uninstalled Shaw Secure, which is my security software provided to me by my ISP.

    B: Went to delete the folder located at I:\Documents and Settings\Cam\Local Settings\Temporary Internet Files\Content.IE5
    - problem is there was no folder with that name. So, I deleted everything in the temp internet files folder.

    C: From there I ran CC Cleaner.

    D: Copied the txt file and drag/dropped it as instructed to start the scan. No browsers were open and my virus scan/protection was un-installed at this point.

    E: Re-downloaded and installed Shaw Secure which you mentioned was fine to do at this point.

    F: Ran MG Tools

    I then ran the MG Tools .bat file as directed.

    At this time, my virus software once again continued to go insane with both Ramnit C and Ramnit detections.

    As instructed in the most recent post I completed another Eset scan. At this point it found around 13 or so threats. Various trojans etc. However, the main issue is still present with the Ramnit situation and I have no idea why it's not working for me when you have successfully helped other people with the same issue doing the exact same troubleshooting.

    -_-

    Attached are the most recent logs that I got after completing these steps.
     


  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do not give up now as we are almost finished. If you check your last eSet log, you will see what got you into trouble. SO....you should read this:
    Warning about Porn, Keygens, Cracks, and other Illegal Software

    All that was left in that log was a false positive for MGTools, an item in the Combo quarantine folder and the rest are just system restore folders. We will have you toggle system restore in our final clean up instructions.

    Now, let's try to finish it up.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    I:\WINDOWS\temp\ASR4D2.tmp
    I:\WINDOWS\temp\fsaua.tmp
    I:\WINDOWS\temp\ih8.tmp
    i:\program files\microsoft\desktoplayer.exe
    I:\Documents and Settings\Cam\Local Settings\temp\ASR4D2.tmp
    I:\Documents and Settings\Cam\Local Settings\temp\NEventMessages.dll
    I:\Documents and Settings\Cam\Local Settings\temp\ih8.tmp
    I:\Documents and Settings\Cam\Local Settings\temp\prodsett.ini
    I:\Documents and Settings\Cam\Local Settings\temp\~E.tmp
    
    Folder::
    I:\\Documents and Settings\\Cam\\Application Data\\Laakyg
    i:\documents and settings\Cam\Application Data\Wifu
    i:\documents and settings\Cam\Application Data\Octoi
    i:\documents and settings\Cam\Application Data\Ybluuk
    i:\documents and settings\Cam\Application Data\Neaci
    i:\documents and settings\Cam\Application Data\Amnol
    I:\Documents and Settings\Cam\Templates\VH56DJI7u87yo
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "{DF5CA06D-E1F0-82F6-B281-076B7E607628}"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="i:\windows\system32\userinit.exe,"
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
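The two CFScript fixes in this thread (this post and the earlier one) share one small format: `Section::` headers followed by entries, with `"Name"=-` in the Registry section meaning delete. The parser below is an added example, not ComboFix's or MajorGeeks' code; it only assumes the syntax visible in the posted scripts, and lets you review what a script will delete or set before dragging it onto ComboFix.

```python
"""Parse a ComboFix CFScript into sections and summarise what it will do.
Added example; assumes only the syntax seen in the scripts posted above."""
import re
from collections import OrderedDict
# Sample input: a shortened copy of the second CFScript posted in this thread.
SAMPLE_CFSCRIPT = r"""KILLALL::
File::
I:\WINDOWS\temp\ASR4D2.tmp
i:\program files\microsoft\desktoplayer.exe

Folder::
i:\documents and settings\Cam\Application Data\Wifu
I:\Documents and Settings\Cam\Templates\VH56DJI7u87yo

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{DF5CA06D-E1F0-82F6-B281-076B7E607628}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="i:\windows\system32\userinit.exe,"
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")      # e.g. File::, Registry::
KEY_RE = re.compile(r"^\[(.+)\]$")               # [HKEY_...\...]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')        # "Name"=data  ("=-" deletes)

def parse_cfscript(text):
    """Return {section: entries}. File/Folder/Driver entries are path strings;
    Registry entries are (key, value_name, action, data), action 'delete'/'set'."""
    sections, current, key = OrderedDict(), None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, key = m.group(1), None
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        if current != "Registry":
            sections[current].append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            raise ValueError("unparsed registry line: %r" % line)
        name, data = m.group(1), m.group(2)
        action = "delete" if data == "-" else "set"
        sections[current].append((key, name, action, data.strip('"')))
    return sections

def summarize(sections):
    """Counts a reviewer can sanity-check against the post before running."""
    reg = sections.get("Registry", [])
    return {"kills_processes": "KILLALL" in sections,
            "files": len(sections.get("File", [])),
            "folders": len(sections.get("Folder", [])),
            "drivers": len(sections.get("Driver", [])),
            "reg_deletes": sum(1 for e in reg if e[2] == "delete"),
            "reg_sets": sum(1 for e in reg if e[2] == "set")}
```

The Registry entries are worth reading most carefully: the `Userinit` line restores the Winlogon value to the stock `userinit.exe`, which is exactly the value Ramnit-class infections tamper with to get loaded at logon.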
     
  20. ESRaistlin

    ESRaistlin Private E-2

    Having looked at the logs I did notice an old keygen/crack I used for sony vegas show up. The weird thing is I got that months ago and had no problems on my system because of it until now. Also my security software at the time gave no red flags to it since I scanned the downloaded file etc before I used it.

    Anyhow I'll get this done and post the results.

    Cheers!
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hopefully that will be the last of it. :)
     
  22. ESRaistlin

    ESRaistlin Private E-2

    Alright, so, to complete the scans I disabled Shaw Secure as per the requirements. I have not yet turned it back on so I don't know if it will once again continue to find the crazy amounts of Ramnit threats.

    Attached are the scans for your perusal.

    Thanks again!
     


  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good to me. Turn on your AV software ( you should do that whenever you get on the web ).

    Tell me what issues you may still have, if any.
     
  24. ESRaistlin

    ESRaistlin Private E-2

    Well we have definitely moved forward.

    After the last scans my security software is no longer going crazy with the Ramnit notifications. HUGE THANK YOU!:wave

    With that being done, my software is now detecting a new threat.

    Gen: Win32.Malware.aaW@aeXL1IN

    My software states it recognizes it but cannot quarantine it, or remove it and so the status is "failed". Interesting thing is that in the log it gets detected or comes through every hour on the hour. On the :28's to be exact.

    Not sure what this one is or how it came to be here.

    Aside from this, at one point when I launch IE my task manager says I'm running two instances of it sometimes, and my Firefox will not start whatsoever, stating that Firefox has a problem and crashed. So I'm not sure if a simple remove and re-install will fix it. But that is where we are at this point. I cannot attach the logs because the forum is saying I already added them. So I put both of them into another zip file. Sorry for the inconvenience.
     

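A detection that comes back "every hour on the hour, on the :28's" is a scheduling signature, not a file signature: something is re-creating or re-touching the item on a timer. The script below is an added example (not from this thread or any AV product) that groups detections by name and flags ones whose hits are evenly spaced; the log layout and sample lines are constructed, and the path is a placeholder because the thread never gives the real one.

```python
"""Flag AV detections that recur on a fixed period, as in the post above.
Added example; the log format and sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in a made-up "timestamp  status  name  path" layout;
# the path is a placeholder, the thread does not say where the file lived.
SAMPLE_LOG = """\
2010-10-05 13:28:02  failed   Gen:Win32.Malware.aaW@aeXL1IN  I:\\PLACEHOLDER\\unknown.exe
2010-10-05 13:41:17  removed  Trojan.Generic.Sample          I:\\PLACEHOLDER\\drop.tmp
2010-10-05 14:28:05  failed   Gen:Win32.Malware.aaW@aeXL1IN  I:\\PLACEHOLDER\\unknown.exe
2010-10-05 15:28:01  failed   Gen:Win32.Malware.aaW@aeXL1IN  I:\\PLACEHOLDER\\unknown.exe
2010-10-05 16:28:04  failed   Gen:Win32.Malware.aaW@aeXL1IN  I:\\PLACEHOLDER\\unknown.exe
"""

LINE_RE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+(\S+)\s+(.+)$")

def parse_log(text):
    """Return {detection name: [(timestamp, status, path), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers / blank lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[m.group(3)].append((ts, m.group(2), m.group(4)))
    return events

def find_periodic(events, min_hits=3, tolerance_s=60):
    """Return {name: (period_seconds, minute_of_hour, path)} for detections
    whose consecutive hits are spaced by an almost constant interval."""
    periodic = {}
    for name, hits in events.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            period = round(sum(gaps) / len(gaps))
            periodic[name] = (period, hits[0][0].minute, hits[0][2])
    return periodic
```

A hit that lands in this set is a reason to look at scheduled tasks and autorun entries for whatever re-creates the file, rather than to keep deleting the file alone.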

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to tell me the exact path to the file that is being reported as malware. Have you run SAS or MBAM to see if they will pick it up?
     
  26. ESRaistlin

    ESRaistlin Private E-2

    Ran MBAM and got this log. Found 3 virii and I removed them as per MBAM instructions. Will see if my main software continues to be annoyed or if this is all she wrote.
     


  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Each of the items that MBAM found are in your system restore folders. The only way to remove them is to toggle system restore. Please let me know if anything else is being reported. If it isn't, then we can do the final cleanup that will remove the last items:

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:

    Support MajorGeeks with Geek Wear!
     
  28. ESRaistlin

    ESRaistlin Private E-2

    Alrighty. Completed the removal of some of the apps and completed the sys restore point reset. I'll give this a couple hours to see if I get any more reports from my AV apps and let you know if we get anything else.

    Cheers!
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Here is hoping all is working well. :)
     
  30. ESRaistlin

    ESRaistlin Private E-2

    Well, aside from some reinstalls I have to do for Firefox and my mouse/keyboard software, I haven't really had any new virus threats/alerts at all. For some reason when I run IE my task manager shows I have two running when I'm just using one window. That didn't happen before.

    Aside from this all is well. I am very appreciative of the time you guys have spent helping me out. Are there any options to provide monetary support for the time that has been spent with me and my problem? PayPal or the like? You guys offered for free what would have cost me an easy 50+ for time spent with local shops here.

    Let me know. :)

    Cheers!
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    On behalf of Tim you are welcome. :)

    If you look at the end of my post, there's a link entitled "support majorgeeks" where you could purchase some geekwear if you like. :cool

    Take care and safe surfing!
     
