Ramnit Virus and Blueinit Trojan - have they really gone?

[catface]

Hi everyone,

I did a Malware Bytes scan yesterday and found my computer was infected with the Ramnit Virus as well as Blueinit Trojan and Trojan.Downloader. I scanned twice with MBAM (a quick scan and a full scan) then did a system restore to a month ago from Safe Mode. This seemed to sort out the problems with browser redirects and Chrome refusing to initialise but then I came across this forum and did some reading about Ramnit and how serious it is. I followed your malware removal guide and also did two ESET scans. The programs removed and quarantined some files and the logs are below. I haven't added Super Anti Spyware as all it found were tracking cookies.

ComboFix.txt

eset.txt

mbam-log-2012-01-16 (11-31-17).txt

mbam-log-2012-01-16 (12-32-16).txt


ESET, MBAM and Norton are now saying my computer is clear of threats but my question is, given the seriousness of Ramnit, can I be sure that my computer is completely safe?

Many thanks for any advice.

[catface]

Posting again to attach my MGlogs files.

MGlogs.zip

[Kestrel13!]

Run the online ESET scan twice more back to back and attach the logs.

Using ESET's Online Scanner

[catface]

Thank you for the quick reply. I've scanned twice more with ESET and it found no threats. It doesn't give a log when it is clean so nothing to attach. Does this mean I'm definitely clear of it? Thanks again!

[Kestrel13!]

Well, it's looking good yes.


Java(TM) 6 Update 23 <--- Uninstall outdated Java.

delete these if you do not know what they are for.

C:\Users\Trish\AppData\Local\fnuwwvli.log
C:\Users\Trish\AppData\Local\hcetwvdb.log


I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

[catface]

Still looking good

Uninstalled Java and deleted those files. TDSS didn't find anything neither did MBRCheck. MBRCheck_01.19.12_00.00.02.txt.

Thanks again for your help

[Kestrel13!]

Quote:

TDSS didn't find anything

Would still like to see the log if you don't mind. And you are most welcome.

[catface]

Sorry for the delay in replying. Here's the log: tdsskillerreport.txt

[Kestrel13!]

Java(TM) 6 Update 23 <--- uninstall outdated Java.

Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

Another scan with MBAM... if all clean follow the below steps.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required (If we renamed it please rename it back to Combofix.exe.
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[catface]

Hmmm - I had already uninstalled two out of date versions of Java when you told me to earlier via Control Panel. I'm not seeing anything to uninstall on my Add/Remove programs list. Should I just go ahead and install the most up to date version, or do I need to completely get rid of this old version and, if so, how do I do it as I can't do it via Control Panel?

Many thanks

[Kestrel13!]

Sorry, that was my bad, just get the latest version installed if not already.

[catface]

That's all done, thanks again Kestrel and everyone on this helpful site.

I noticed this thread http://forums.majorgeeks.com/showthread.php?t=252347 - I was getting the same 'do you want to run this program?' messages popping up only I clicked yes as I was stressed and just wanted to get on with my work. I only did something about it when I started getting browser redirects I know, I know, that was seriously stupid and I actually do know better. I will not be so stupid in the future, I was really lucky not to have to reformat my computer.

Anyway, the reason I'm pointing that thread out to you is that I'm not sure if it's OK for me to post in other people's threads and they may have the same version of Ramnit as me that is actually possible to get rid of. Here's hoping!

[Kestrel13!]

Yes, the warning about Ramnit still applies to you. It looks like you got very lucky, some people do. Keep an eye on things.