I have Ramnit - please help reduce risk of reinfection

You could either go thru the trouble of backing up and reinstalling or just start running eSet online scans back to back until you get a clean report.
eSet Online Scan.

Then you could do the Read and Run First instructions to be sure it is all gone.

 

eSet has been very good at fixing these. Just keep running the scans back to back, save the logs and attach them to your next reply. You may need to run it more than 3 times. I will want to see the later logs as often the only thing left to fix is in your system restore folder, which no scan can fix. It then is just a matter of toggling system restore.

But once we finish with eSet, I will want to see theother requested logs:
SAS
MBAM
ComboFix
C:\MGLogs.zip --> from running the C:\MGTools.exe
All from doing the Read and Run FIrst instructions.

We can fix this!!

 

It will eventually remove all of it. Have faith. We have done this numerous times before. Save the next two logs and attach them to your next reply so I can see what all is being found. We may need to manually remove some items.

Please read this:
How to attach items to your post.

 

Just wait on running the other scans ( it will slow down the eSet scan ). Continue on with the back to back eSet scans. Attach this up coming result so I can see what is being found.

 

I realize it is slow, but it is progress.

 

In the meantime, do this:

Now I need you to click Start, Run, and enter cmd and click OK to open a command prompt window.

* Now hight the below bold text with your mouse and hit CTRL-C to copy it into the Windows clipboard

%systemdrive%\MGtools\vfind.exe -ltf -s 57344 "%systemdrive%\*Srv.exe" > %systemdrive%\findsrv.txt

* Now right click in command prompt window and select Paste to copy in the above copied text and then hit enter to run the command.
* This will take awhile to run thru all files and folders on your PC so just wait for it to finish. When it finishes, your command prompt line will return.
* Now attach C:\findsrv.txt log

 

What error message did you get with MGTools?

 

Do you have this:
C:\MGTools folder? Is it populated? Do you have within the folder: C:\MGTools\FindRN.bat? If so, run it and attach the log.

Are you still running the eSet scan?

 

You should also have a C:\MGLogs.zip. Please attach that.

 

That doesn't have all the logs. Let's try it again. Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* C:\MGlogs.zip

 

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\WINDOWS\system32\lsassSrv.exe
C:\WINDOWS\explorerSrv.exe
c:\program files\microsoft\desktoplayer.exe
c:\documents and settings\Tihomir\Application Data\Mopyqy\puydk.exe
Folder::
c:\documents and settings\Tihomir\Application Data\Mopyqy
c:\documents and settings\Tihomir\Application Data\Iqiriw
C:\documents and settings\Tihomir\LocalSettings\Temp\tmp067ed2a0
C:\Documents and Settings\Tihomir\Application Data\Qoibx
C:\Documents and Settings\Tihomir\Application Data\Poanef
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{9E17D16E-828D-82F6-6AB2-FDFD92EC8CBE}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"nonep"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Now see if you can run SAS and MBAM and attach those logs. Continue running the eSet scans.

 

I am about to log off for the evening. Attach the logs when you are ready and continue the eSet scans until they hopefully stop reporting infections. I will be back tomorrow to see what else is left to do.

 

Looks like MBAM got rid of the desktoplayer.exe. We still have things to remove and I want you to continue with the eSet scans. ( I also will ask Chasling to have a look as we have not had to run so many scans to remove this infection as you have been doing. )

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\WINDOWS\system32\rundll32SrvSrv.exe
C:\WINDOWS\system32\rundll32Srv.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip
* eSet logs.

 

Sigh......never had one being this stubborn.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
c:\program files\microsoft\desktoplayersrv.exe
c:\windows\ExplorerSrvSrv.exe

Folder::
c:\documents and settings\Tihomir\Application Data\Hane
c:\documents and settings\Tihomir\Application Data\Zoyv
c:\documents and settings\Tihomir\Application Data\Qifu
C:\Documents and Settings\Tihomir\Application Data\Abpyu

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{9E17D16E-828D-82F6-6AB2-FDFD92EC8CBE}"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip
* next eSet log.

 

Let's remove the folders that keep coming up ( You will have to reinstall some of them ):

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotraysrvSrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotraysrvSrv.exe
C\WINDOWS\ExplorerSrv.exe.    
c:\windows\system32\rundll32Srv.exe
c:\windows\system32\rundll32SrvSrv.exe
c:\program files\microsoft\desktoplayer.exe

Folder::
C:\Program Files\Real\RealPlayer
C:\Program Files\Microsoft Office
C:\Program Files\epson\TPMANUAL
C:\Program Files\Common Files\Microsoft Shared\Stationery
C:\Program Files\CaseSoft\CaseMap 6
C:\Program Files\AviSynth 2.5
C:\Documents and Settings\Tihomir\My Documents\Tehno Emails
C:\Documents and Settings\Tihomir\My Documents\Media
C:\Documents and Settings\Tihomir\My Documents\Pollitika
C:\Program Files\Adobe\Acrobat 7.0
C:\Documents and Settings\Tihomir\Local Settings\temp\Acrobat Distiller 7

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Then run eSet one more time.

 

Yes....move them to a separate folder.

 

You should be able to just reinstall them when we are done. Anything that is broken, we will either remove the remnants or just have you install it again.

We want to get you down to just having system restore items left in the eSet logs.

 

We are making progress considering the new logs. I will wait on the latest eSet log to give you the next fix.

 

Are you rebooting after each scan? Depending on how long this infection has been on your system, the harder it is to remove. But I still have faith.

 

Yes, let's try rebooting after the scan. Then run MBAM and start a new eSet scan. Get me the log from eSet so we can see what else needs to be removed.

 

OKay!! Progress. Almost all of this is the Combo quarantine folders. Let's uninstall COmbo.
If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
"%userprofile%\Desktop\combofix" /uninstall

• Notes: The space between the combofix" and the /uninstall, it must be there.
• This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Now, toggle system restore.

Now redownload ComboFix to your desktop, but don't run it yet.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
c:\program files\microsoft\desktoplayer.exe
Folder::
C:\Documents and Settings\Tihomir\Application Data\Ufasl
C:\Program Files\AVG
C:\Program Files\Common Files\Real
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{9E17D16E-828D-82F6-6AB2-FDFD92EC8CBE}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now download and reinstall AVG.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* New MBAM log
* C:\ComboFix.txt
* C:\MGlogs.zip

 

The fix I gave you is going to delete the C:\Program Files\AVG. If you want, try uninstalling it first before you run the fix.

 

LOL.....some days are better than others.