Ramnit A + H.virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rkane3000, May 19, 2011.

  1. rkane3000

    rkane3000 Private E-2

    This has hit my PC today but the symptoms are little different from what I've seen on other threads.

    I have ESET and the quarantine section is filling up literally every 5 seconds with a new threat, that is cleaned then put in there. At the moment I am using safe mode so do not see any attempts coming through.

    I have done a scan (attached) but this produced no threats at all, which I thought was strange. However, when I tried to open the log it crashes, as you can see in the image, it produces the bottom line result of items scans/threats etc but little other detail because "decompression could not complete. insufficient free memory or disc space". This is all in temp files, where the threats have been hitting.

    The only real symptom is the redirection to other sites on Firefox and my pc slowing down to deal with the constant quarantining of these threats?

    I understand that given the nature of Ramnit, a reinstall of Windows is the best solution but is that needed in this case and if not, then what can I do next to stop this?
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run this three times back to back and attach the results.

    Using ESET's Online Scanner

    I think a reinstall will probably be the best way to go though :(
     
  3. rkane3000

    rkane3000 Private E-2

    I've run the scan twice so far, the first time brought up 5 threats, the second time is clear - I will run a third time.

    However, once the scan finishes, I see no option to view the log or the threats to export it?
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  5. rkane3000

    rkane3000 Private E-2

    Ah sh*t! Hate having to go through all this but will do, thanks for the info.

    I'll come back once I have the logs etc.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It might be a PITA; however, what would be more of a PITA is if I simply told you to reinstall without fully knowing whether that is necessary or not. Sometimes people get lucky with Ramnit. Sometimes not, let's see what the case is for you.
     
  7. rkane3000

    rkane3000 Private E-2

    No I appreciate that, just moaning a little that's all :)

    I was going through the initial steps and deactivated UAC.

    After the restart back into Safe Mode, immediately after logging on it opens up an IE page and my desktop is completely wiped, nothing on there bar my Recycle Bin and desktop.ini file?

    Firefox has been wiped too, no bookmarks etc basically as if I had just installed it.

    Is a reinstall looking the best option? I have no idea what just happened.
     
  8. rkane3000

    rkane3000 Private E-2

    Turned UAC back on to see if that made a difference, it didn't so I booted back in safe mode but now can't turn UAC off, I click on the option but it does nothing.

    I think a reinstall is looking the best.

    Previous to all the original wiping of my desktop, I had downloaded all the necessary apps for scanning, so they have gone too.
     
  9. rkane3000

    rkane3000 Private E-2

    I've attached logs for Combo, MWB and SaS. I couldn't get RootRepeal and MGTools to run, so have no logs for them.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, let's take our thoughts away from the reinstall at the moment. I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Doesn't matter that Rootrepeal will not run, but I would like to try and get MGTools to run. Try this:

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    Do you have logs from running those now?
     
  11. rkane3000

    rkane3000 Private E-2

    The log for TDSSkiller is attached, I still can't get MGtools to run, I've attached the screen grab for the error message it gives me.

    I am currently logged in as an admin via safe mode.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  13. rkane3000

    rkane3000 Private E-2

    Here are both of the logs
     

    Attached Files:

  14. rkane3000

    rkane3000 Private E-2

    Sorry, here's the screen grab from MGTools from a little earlier
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Running from: c:\windows\system32\config\systemprofile\Desktop\ComboFix.exe <--- Combofix needs to be run directly from your desktop not where you have it. Please move it there before we continue.

    Java(TM) 6 Update 22 <--- uninstall outdated java

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Windows\jautoexp.dat
    C:\ProgramData\ubu1g06qna22xo0d6g4fsrfg2do
    C:\ProgramData\q8d0koh7sty104n886j5381r151ce1n85cl3o47
    C:\ProgramData\~22994704r
    C:\ProgramData\~22994704
    C:\ProgramData\22994704
    c:\users\Rkane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mkyavjcm.exe
    c:\windows\is-J6VLO.exe
    C:\Windows\is-J6VLO.msg
    C:\Windows\is-J6VLO.lst
    Folder::
    c:\program files\eehnljsv
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "InnoSetupRegFile.0000000001"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Go to C:\MGTools.exe and rename it to jumping.com so you have C:\jumping.com and see if it will run in order to produce a C:\MGlogs.zip. If it really will not then you will need to run OTL again as you did last time and attach the log.

    How are things running now?
     
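    As an added example (not from this thread and not ComboFix's own code), the Python below parses a CFScript in the format used in the post above and reports which File::/Folder:: targets still exist after the run, which is the check a helper asks for when a cleanup may not have taken. The sample script is constructed from the thread's paths, the existence check is passed in as a callable so it runs on any OS, and it only understands the directives that appear in this thread.

```python
"""Parse a ComboFix CFScript and check which of its targets are still present.

Added example (not from the thread, not ComboFix's own code). It understands
only the directives seen in this thread: KILLALL::, File::, Folder::,
DirLook:: and Registry::. The existence check is passed in as a callable so
the script runs offline on any OS against the constructed sample below.
"""
import os
import re
from typing import Callable, Dict, List

# Constructed sample modelled on the script in post 15 (paths copied from the thread).
SAMPLE_CFSCRIPT = r"""KILLALL::

File::
C:\Windows\jautoexp.dat
C:\ProgramData\ubu1g06qna22xo0d6g4fsrfg2do
c:\windows\is-J6VLO.exe
Folder::
c:\program files\eehnljsv
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"InnoSetupRegFile.0000000001"=-
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")      # e.g. "File::"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")             # e.g. "[HKEY_LOCAL_MACHINE\...]"
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')       # '"Name"=-' deletes value Name


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {DIRECTIVE: [entry lines]} in file order.

    Blank lines are ignored; a directive with no entries (KILLALL::) maps to [].
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return sections


def remaining_targets(sections: Dict[str, List[str]],
                      exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """File::/Folder:: entries that still exist on disk.

    An empty result is what you want to see after the reboot; anything listed
    here is a target ComboFix did not remove (or that was recreated).
    """
    left: Dict[str, List[str]] = {}
    for key in ("FILE", "FOLDER"):
        hits = [path for path in sections.get(key, []) if exists(path)]
        if hits:
            left[key] = hits
    return left


def registry_deletions(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Value names the Registry:: block deletes ('"name"=-'), grouped by key."""
    result: Dict[str, List[str]] = {}
    key = None
    for line in sections.get("REGISTRY", []):
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group(1)
            result.setdefault(key, [])
            continue
        d = REG_DELETE_RE.match(line)
        if d and key is not None:
            result[key].append(d.group(1))
    return result


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print("directives:", list(parsed))
    print("still present:", remaining_targets(parsed))
    print("registry values removed:", registry_deletions(parsed))
```

    Run on the real machine, replace SAMPLE_CFSCRIPT with the contents of CFscript.txt and leave the default os.path.exists in place.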
  16. rkane3000

    rkane3000 Private E-2

    Combofix was downloaded to my desktop and has remained there since, that was the place I have run it from, I can assure you.

    As my desktop was completely wiped on safe mode yesterday, all I have had on there since yesterday are the various programmes and logs I've downloaded. See the screenshot...
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Attach the requested logs please and then we will deal with any remaining issues afterwards.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do NOT, I repeat do not, run any temp file cleaner such as Ccleaner. Do not delete temp files manually yourself either.
     
  19. rkane3000

    rkane3000 Private E-2

    No I definitely won't, I am following your instructions as closely as possible. I only have CC cleaner on my normal desktop, not on my safe mode.

    I will rerun Combo again from desktop and post log.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You do not need to re-run it, you just need to follow my instructions and run the script I gave you. :) We are going to have to see what's going on in normal mode too soon.
     
  21. rkane3000

    rkane3000 Private E-2

    Sorry, that's what I meant, run combo via your instructions.

    Attached is the log for combo and zip for MGTools logs.

    Btw, I've logged into normal mode now and can see an improvement as my ESET is no longer being peppered every 5 seconds with threats.
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to put ComboFix DIRECTLY on your desktop, not here:
    Running from: c:\windows\system32\config\systemprofile\Desktop\ComboFix.exe

    Your MGLogs did not populate as it should have. Did you allow it to run until it told you it was finished?

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      smtmp*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * System look log
    * C:\MGlogs.zip
     
  23. rkane3000

    rkane3000 Private E-2

    As you can see in my screenshot below, my combofix is directly on my desktop, as it has been since the DL. The screenshot has the properties window open and it still shows this same location. I have attached it again to this post. I understand that the log earlier showed that it was placed somewhere else but the image shows where it has remained.

    I originally let MGlogs run by itself until it was finished, with no interference and have just done so again.

    Both times I have run MGTools and have had no licence agreement to agree to. The second time I located GetLogs.bat file, right click, run as admin and it went straight to the CMD screen to run.
     

    Attached Files:

  24. rkane3000

    rkane3000 Private E-2

    Sorry, this is the screen grab
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please do this, click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands each followed by the enter key. Note there is a space after the cd

    cd \MGtools
    GetLogs.bat

    Does this produce a C:\MGlogs.zip? Hopefully a complete set of logs this time ;)
    How is the desktop situation in normal mode? Everything as it should be?
     
  26. rkane3000

    rkane3000 Private E-2

    When I run it via this method, once I enter:

    cd \MGtools
    GetLogs.bat

    It states access denied and Registry Editor repeatedly appears to ask for permission, again and again and....

    Unfortunately, it produces no log as request after request appears.

    With regards to my normal desktop, all is normal and no more threats from Ramnit appearing every 5 seconds.
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK then let's go with OTL instead. Run that again and attach the log like you did before. :)
     
  28. rkane3000

    rkane3000 Private E-2

    Here's the OTL scan.

    This was run in normal mode and I noted that the location of Combofix on my desktop now reads C:\Users\Rkane\Desktop. Perhaps the previous location was due to it being run in safe mode?
     

    Attached Files:

    • OTL.Txt (80.6 KB)
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It will be a while until Kestrel is back on. What malware issues are you still having, if any?
     
  30. rkane3000

    rkane3000 Private E-2

    Since the last combofix scan, I have been running in normal mode with no issues that I can see.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let us know if you start having any malware issues. In the meantime:

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  32. rkane3000

    rkane3000 Private E-2

    Sure, will do.

    Given the severity of Ramnit, I was considering a reinstall of Windows as the best option - how am I able to check if I have been lucky in getting rid of this completely?
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Given the fact that Eset is not finding any more infected files, I'm pretty well sure you are clean. Nothing is showing up in any of your logs, so unless you are just still uncertain that you are clean, a reformat and install is probably not needed. But it is up to you.

    We always suggest that after an infection, you use a different computer to change all your online passwords. ;)
     
  34. rkane3000

    rkane3000 Private E-2

    Ok guys, thanks for all your help :)
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. ;)
     
  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there. If the below folders exist still...

    • C:\Users\Rkane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery
    • C:\Users\Rkane\AppData\Local\ubu1g06qna22xo0d6g4fsrfg2do
    • C:\Users\Rkane\AppData\Local\q8d0koh7sty104n886j5381r151ce1n85cl3o47

    You need to use Windows Explorer to delete them. Reboot the machine > check back to their locations and tell us whether they are gone for good or if they are still there.
     
  37. rkane3000

    rkane3000 Private E-2

    Hey Kes.

    I did find Windows Vista Recovery. I did not find C:\Users\Rkane\AppData\Local\ubu1g06qna22xo0d6g4fsrfg2do in this location but I did find through searching:

    ubu1g06qna22xo0d6g4fsrfg2do.vir in C:\Qoobox\Quarantine\C. Is this the Combofix quarantine?

    I also found q8d0koh7sty104n886j5381r151ce1n85cl3o47.vir in the same Qoobox location.

    I am still confused about this Combofix issue, as I have only DL and run it from the desktop. Yet when I followed the instructions set below by TimW to uninstall it, it could not locate it. I understand that indicates it was not run on the desktop but I insist it was!

    Should running Combo in safe mode affect it in any way?
     
    Last edited: May 22, 2011
  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, if you have not followed final steps yet then please do the following.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\windows\system32\config\systemprofile
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
     
  39. rkane3000

    rkane3000 Private E-2

    Ok, this time I ran this procedure in normal mode so hopefully the log is as it should be.

    • C:\Users\Rkane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery
    • q8d0koh7sty104n886j5381r151ce1n85cl3o47.vir
    • ubu1g06qna22xo0d6g4fsrfg2do.vir

    are still in Qoobox quarantine.
     

    Attached Files:

  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes. I should have noticed this myself. Never mind. All is well :) You can definitely follow final steps.
     
  41. rkane3000

    rkane3000 Private E-2

    Ah, so the confusion on its location was due to it being run in safe mode?

    Will run through those steps now.

    Thanks so much for your help.

    So I guess I've been pretty lucky with Ramnit.
     
  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes ;)

    You were very lucky, most Ramnit victims wind up reformatting. :)
     
  43. rkane3000

    rkane3000 Private E-2

    I think I saw it quite quickly and caught most of it in quarantine and switched to safe mode so that helped.

    A massive thank you again, once again you guys saved my ***!

    :)
     
  44. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. Safe surfing!
     