Windows Recovery Virus Help

I'm will attempt to work up a fix for you, but it may not work. I need to warn you ahead of time that it appears that you have a Ramnit infection and could require a total clean reinstall to recover from this. In addition, just due to the security risks of it being a backdoor infection, you may still need to install just to be secure. Below is the normal boilerplate that we post for Ramnit infections.

 

Okay I will post a starting fix just incase you wish to attempt cleaning which will likely not be successful, since you may have thousands of infected files.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\Program Files\yqloqqtu\hwdbbqdl.exe
O4 - Startup: hwdbbqdlmgr.exe
O4 - Startup: hwdbbqdlmgrmgr.exe
O4 - Startup: hwdbbqdlmgrmgrmgr.exe
O4 - Startup: hwdbbqdlmgrmgrmgrmgr.exe
O4 - Startup: hwdbbqdlmgrmgrmgrmgrmgr.exe
O4 - Startup: hwdbbqdlmgrmgrmgrmgrmgrmgr.exe
O4 - Startup: hwdbbqdlmgrmgrmgrmgrmgrmgrmgr.exe
O4 - Startup: hwdbbqdlmgrmgrmgrmgrmgrmgrmgrmgr.exe
O20 - Winlogon Notify: !SASWinLogon - Invalid registry found

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\temp
C:\Documents and Settings\Harshil\Local Settings\temp

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome but it is looking like this may be what you will have to do because of what the Ramnit infection has done to your PC. However let's try the below before deciding.

Run the ESET Online Scan in the below link and attach the log:

Using ESET's Online Scanner


Then run the scan one more time and attach the second log. This will hopefully give us a better idea of the degree of infection.

 

That's is what I as suspecting. You did not attach a log, but I will repeat what I have already stated a couple times. You will have to reinstall.

 

Yes you need to back up your personal data, and NO EXECUTABLES as they are all likley infected. Also you have a C and a D drive and the both are infected and need to be formatted.

Note if you back even one executable file that is infected, and rerun it in any form, you will start the infection all over again.

Yes. And before reconnecting to the internet, make sure that you have all of your protection in place. Refer to the below on how to properly protect your PC:

How to Protect yourself from malware!

 

You're welcome. Surf safely!