I have Ramnit - please help reduce risk of reinfection

Don't worry about it. Just finish what Tim last requested and attach the new logs from ComboFix and MGtools so we can review where you are at.

Since Ramnit can infect hundreds if not thousands of files, some programs may need to be reinstalled when/if we ever get things cleaned up where it stops spreading. Having just one laying around can cause it to spread again. Also it may even be in our best interest to uninstall a few things to lessen what starts up and what can get infected. Minimize the use of this PC as much as possible. Everything you open/run is prone to getting infected and hence possibly broken.

 

Frankly, I am not sure. If it completes the report, then that isn't a problem.

 

Now we need to see what is still being reported by the eSet scan. After uninstalling AVG, re-run the scan and get us the new eSet log. Keep the computer off the net and I will be back tomorrow to see the progress. ( Wife beckons!! )

 

Oh and a few more things to do right now. In fact, please get a new log from MGtools after doing the below.

• Since System Restore had already been disabled, no useful restore points exists for us to use. Thus disable System Restore right now and keep it disable until we are finished with cleanup.
• Also immediately uninstall AVG and delete all folders from it that you can see. It is only going to add to the list of things being picked up in scans as being infected and make logs longer and make it harder to cleanup.
• Also uninstall any Adobe programs you have installed since it typically had lots of HTMLs which are all propagating the infection. Do not reinstall this either at this point in time.

 

Sorry about that. Tim had asked me to look in here. I did not know he was still posting.

Yes do what I requested in my last message. Disable System Restore, uninstall AVG and all Adobe. Then reboot. After reboot, run C:\MGtools\GetLogs.bat and attach a new log so I can continue with things from that point. Again take note of my warning about minimizing the use of this PC to avoid spreading the infection further.

 

Stop the Eset scan!

Okay I see you already posted again. Try to wait in between messages a little since we have other things we are looking at too. Since you already uninstalled the programs, just try doing the below to try and stop desktoplayer.exe.



Please do the below in the exact order/way written.

• Flush the Internet Explorer Cache. To flush your Internet Explorer Cache:
  • click Tools
  • Internet Options
  • Now on the General tab and click Delete Files and select Delete all Offline content too
  • Click OK.
  • When it finishes Click OK.
• Now right click Start and select Explore to open a Windows Explorer window.
• Navigate to the c:\program files\microsoft folder and just click once on the folder to have it selected. Don't do anything else yet.
• Now simultaneously press CTRL-SHIFT-ESC to bring up Task Manger
• In Task Manager locate the desktoplayer.exe process and right click on it and kill the process. If you do not see the desktoplayer.exe process, just continue on with the below anyway.
• Then quickly go back to your Windows Explorer window and right click on the selected Microsoft folder and choose Rename. Change the name to BAD
• Now just wait for my next post to come as I look through your last log. Do not run anything else.

 

Yes because that is what desktoplayer.exe must be appearing as. Kill all 3 iexplore.exe processes and then quickly rename the Microsoft folder to BAD. It should work after the processes are killed. I will post what to do next in a couple minutes.

 

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\windows\system32\rundll32srv.exe,,c:\program files\microsoft\desktoplayersrv.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)

After clicking Fix, exit HJT.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

I'm not too sure what the outcome will be since you seem to have acquired a particularly nasty dose of this infection. I clean one of this in person recently and had no problems getting rid of desktoplayer.exe by this method. It did not come back; however the infection had not spread all the way through to all HTML files and other executables like yours had. The level to which this infections spreads, can sometimes lead to a reinstall being necessary to get a PC running properly again. Too many things could be broken. And even one remaining infected file, could allow it to spread again.

 

Not clean yet!! I want to check to see if your userinit.exe file is infected.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1

Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  Code:

  :filefind
  userinit.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
• Please attach the SystemLook.txt log found on your Desktop to next reply.

 

Okay that looks okay.

Please kill any iexplore.exe processes again and then rename the C:\Program Files\Microsoft folder to BAD again.

Then also see if you can delete the C:\Program Files\system32 folder. It looks like ComboFix is not deleting this. It may be skipping this when we request it because it is thinking that it is a valid folder. However only the C:\Windows\system32 folder is valid. The one in C:\Program Files is an infection.

Let me know what happens when you do the above.

 

Also see if you can run the below and attach the log from GMER.

Example using GMER to fix things - Informational Only

 

The reboot will require renaming / deleting the folders again.

Okay now delete both the BAD2 and the BAD folders.


Then see if you can do the below. If you need more info on how to do this, just ask.

• Create two copies of the C:\MGtools.exe file in the C:\Program Files folder. You will do this one at a time.
• After getting the first copy there, right click on it and rename it to Microsoft ( ignore the error message about renaming the file making it become unusable ).
• The right click on the renamed file and select Properties. Then put checks in the boxes to make it Read-only and Hidden.
• Then get the second copy into the C:\Program Files folder and rename it to ( you guessed it ) system32.
• Change this copy to be Read-only and Hidden too.

Let me know if you are able to do all of the above.

 

Okay. You will also have to attach a new log from C:\MGtools\GetLogs.bat since the reboot may have cause changes.

I'm only going to try one more fix and then I will suggest that the safest and most reliable thing would really be to reinstall. While we have had some luck in removing this infection, the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut,.... etc are can infect all executable files (DLL, EXE, SCR....and many more and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors, could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also when disinfection is attempted, the files often become corrupted and the system may become unstable or irrepairable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.

 

May not be possible, but what you could try doing is exporting the bookmarks to a different file name extension ( like bookmarks.bak ). And then copy that file to a clean PC. On the clean PC, rename the file to bookmarks.html

Do not open the file on this clean PC. First run a full ESET scan on the assumed clean PC and see if this copy from the infected PC is detected and if so is it cleaned. Run a 2nd scan if it is detected and cleaned to see if really cleaned.

However, just be aware that putting in any usb drive into this PC, could cause a spread of the infection to other PCs. If you have an empty USB drive and only copy just the one file (bookmarks.bak) to it. It would be safer since there are no executables to infect. Even emailing it to yourself could be dangerous. Copying just the one file to a CD is another choice.


Do you know where/how you picked this infection up?

 

Highly recommended along with running a couple other online scanners just to be safe. You can see a few other tools here: Alternative Scans

Also run a full scan with your fully updated antivirus program on it. It the data is really important ( and also the security of your other PCs ), it is in your best interest to really check this usb drive in detail.

 

If you still want to try cleaning it ( not recommended) then it would be best not to power down.

 

Sigh, yes, we will keep the thread open. I am sorry that we were unable to get you clean without a reformat. I know you were originally expecting to do that, but it appears as though, even with Chaslangs assistance, you were too far gone to accomplish that. My apologies.

 

This is our list of programs that we recommend having:

How to Protect yourself from malware!

And yes, that thread too may fall to the virus.

 

I am not familiar with that program, but I see it is something that would reside along side of your other AV and AS software.

To quote from Chaslang a couple of years ago:

 

Yes, that is a common occurrence when two programs seem to conflict. I suggest you post in the software forum for further advice.

 

Personally, I would just use all of Comodo Security Suite and not mix it with AVG at all. I would stay away from AVG since it has been becoming more and more problematic since version 8 was released long ago. The How to protect thread even stated there are issues with AVG.