Ramnit rootkit infection - pls help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lclm28, Jun 18, 2011.

  1. lclm28

    lclm28 Private E-2

    Hi there,

    I currently use Windows XP 32bit with McAfee AV software which has recently detected a Ramnit rootkit infection and a trojan virus. I'm having lots of problems with my system including several blue screen crashes and freezing. Every time I run a scan the rootkit has infected more files. McAfee says it's quarantined the infection after every scan but it never seems to go away!

    I have followed your step by step instructions on how to remove it and it's thrown up a few more problems. Now I'm not sure what to do, or if the infection has been cleared up or not. Your link to ComboFix didn't appear to work for me so I have been unable to use it. I have attached the scan logs for the other 3 programs and I hope it gives enough information that you will be able to help me!

    Thank you in advance for your help and I hope to hear from you soon!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Based on the logs you have attached thus far, it does look like it is a Ramnit infection, so let me post the below warning message that we post for these infections.

     
  3. lclm28

    lclm28 Private E-2

    Ideally, if possible I would like to try and get rid of the infection. I understand that I might not be able to, or it could make my system unstable. It's just that I don't have any of the master CDs to reinstall Windows etc. if I did a system reinstall. Before you ask, I did buy my laptop from a reputable dealer, I just was never given them!

    Do you think that there is any chance of the programmes I installed last night (RootRepeal/SUPERAntiSpyware etc.) being able to get rid of the virus, or what can I do next?! Thanks once again for your help!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try to run MGtools from the READ & RUN ME? We could really use the logs from it.
    Not a chance, and most of the time others fail too, which is one of the main reasons for needing a reinstall in most cases. Plus it can infect so many files required by Windows and other programs, which may need to be deleted to repair. This can result in a broken or unstable Windows OS and can affect your other programs the same way.


    If you still want to try to fix it, just remember that your PC could potentially become unbootable at any time, so back up important data immediately. DO NOT BACK UP any executable files like programs or any HTML files as they are quite possibly already infected.

    Then uninstall any antivirus program that you have installed so that we can do the below. After the uninstall, download, install and run a full scan with Microsoft Security Essentials from the below link. See the big orange "Download it free* today > " clickable part of the web page.

    Microsoft Security Essentials

    After running it, if it finds anything at all, reboot your PC and then run it again. Repeat this process at least 3 times if it is finding malware. After the 4th time, come back and report what happened.

    Also please try to run MGtools from the READ & RUN ME and attach the MGlogs.zip file we ask for.
     
  5. lclm28

    lclm28 Private E-2

    Sorry forgot about that one!

    I'll try what you suggested and get back to you. I'm thinking a re-install might be the way to go though :(
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay report back on the results and then move right on to the below afterwards. Some of these may or may not be fixed already but it is best to just be redundant.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\lrrvmxlp\txjiwbrg.exe,
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
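As an added example (not part of this thread, MGtools or HijackThis), a small Python triage of HJT log lines like the ones quoted in the post above: it pulls out anything appended to the Winlogon Userinit value beyond the standard userinit.exe, and flags BHO and service entries whose file is missing. The sample lines are the ones from the post; the expected Userinit path assumes Windows installed on C:.

```python
import re

# Constructed sample: the four HijackThis lines quoted in the post above.
SAMPLE_HJT_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\lrrvmxlp\txjiwbrg.exe,",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
]

# The only program a clean XP Userinit value should launch (assumes Windows on C:).
# A trailing comma after it is normal; anything else listed runs at every logon.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_extras(line):
    """Return executables appended to the Userinit value beyond the expected one."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def triage(lines):
    """Return (kind, detail) pairs for HJT lines that deserve a closer look:
    extra Userinit entries, BHOs with no backing file, and services whose
    binary is missing (leftovers a cleanup should remove)."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if line.startswith("F2 "):
            for extra in userinit_extras(line):
                findings.append(("userinit_extra", extra))
        elif line.startswith("O2 ") and line.endswith("(no file)"):
            findings.append(("orphan_bho", line))
        elif line.startswith("O23 ") and line.endswith("(file missing)"):
            findings.append(("orphan_service", line))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HJT_LINES):
        print(f"{kind}: {detail}")
```

A clean F2 line (`UserInit=C:\WINDOWS\system32\userinit.exe,`) produces no finding, while the quoted line surfaces the second executable that was appended to it.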
     
  7. lclm28

    lclm28 Private E-2

    Hi again, ran 4 scans and only the first 2 had infected files on them. Restarted after each scan and the last 2 scans were clean. Moving on to the next step now :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay well that may be a good sign. ;)
     
