explorer.exe restarting

Hello,

I hope someone can help me! One of our computers started playing up yesterday and the the explorer.exe process kept restarting every 5 seconds.
I have Avira installed on the computer and it is picking up lots of threats on every scan.

It is also placing 4 files on any usb key placed in the computer!

I have carried out the steps on the "read me first" thread and attached all the log files.

Thanks in advance

Chris

 

Final attachment

 

Hi and welcome to Major Geeks, monkeystandards!

ComboFix was supposed to be run from the desktop.

MGtools.exe was supposed to be run from the root of C:

http://img716.imageshack.us/img716/4756/msmsg.gif Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

• See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
• Double-click MessengerDisable.exe
• Place a check-mark in Uninstall Windows Messenger
• Click Apply
• Click Exit

http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
If it is not on your desktop, the below will not work.
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

[COLOR="DarkRed"]KillAll::[/COLOR]
[COLOR="DarkRed"]ClearJavaCache::[/COLOR]
[COLOR="DarkRed"]DirLook::[/COLOR]
C:\Documents and Settings\User\Application Data\Futearl
C:\Documents and Settings\User\Application Data\Quakk
C:\TempEI4
[COLOR="DarkRed"]File::[/COLOR]
C:\nbljxtgf.exe
C:\Documents and Settings\User\Local Settings\Application Data\kfrycntr.log
C:\Documents and Settings\User\Local Settings\Application Data\mikexy.dll
C:\Documents and Settings\User\Local Settings\Application Data\mtxwnpjq.log
C:\Documents and Settings\User\Local Settings\Application Data\ukojyx.com
C:\Documents and Settings\User\Local Settings\Application Data\xumu.scr
C:\Documents and Settings\User\Local Settings\Application Data\zybowacamy._sy
C:\Documents and Settings\LocalService\Local Settings\Application Data\bumfsiwr.log
C:\Documents and Settings\LocalService\Local Settings\Application Data\dngcfhbu.log
C:\Documents and Settings\LocalService\Local Settings\Application Data\hcyrkqxs.log
C:\Documents and Settings\LocalService\Local Settings\Application Data\kfrycntr.log
C:\Documents and Settings\LocalService\Local Settings\Application Data\mtxwnpjq.log
C:\Documents and Settings\LocalService\Local Settings\Application Data\ocobyslb.log
C:\Documents and Settings\LocalService\Local Settings\Application Data\pssoupsb.log
C:\Documents and Settings\LocalService\Local Settings\Application Data\qslhswvr.log
C:\Documents and Settings\User\1pt1
[COLOR="DarkRed"]Folder::[/COLOR]
c:\documents and settings\User\Local Settings\Application Data\futwnqwo
C:\Documents and Settings\LocalService\Local Settings\Application Data\futwnqwo
c:\documents and settings\User\Local Settings\Application Data\SyncobjVdm
[COLOR="DarkRed"]Registry::[/COLOR]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NblJxtgf"=-

Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
This will launch ComboFix.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Allow ComboFix to update itself if prompted.
When ComboFix finishes, a log will be produced at C:\ComboFix.txt
Attach this log to your next message. (How to attach)

http://img684.imageshack.us/img684/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run


http://img707.imageshack.us/img707/6703/generalxpicon.gif Please download MBRCheck by clicking here and save it to your desktop.

• Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
• A window will open on your desktop.
• If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter.
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
• Attach that file to your next message. (How to attach)

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the system is running!

 

Hi, Thisisu, thank you for getting back to me.

Sorry for the delay in getting back to you, i have been out of work for a while.

All the logs are attached.

The computer has been running ok recently, explorer.exe has not restarted for a while. The computer has not received any emails through outlook, not sure if this is due to the virus.

The computer is still placing 4 files on any usb key placed in it.

Avira keeps picking up Ramnit.E file.

 

Can you attach the log from Avira that reports Ramnit? This is a particularly serious threat if present.

 

Avira report attached from this mornings scan!

 

It does look like you have a Ramnit infection.

In most cases the only safe and reliable way to properly remove Ramnit is to reinstall due to the damage it causes and also due to the security issues it opens. So let me first post a canned speech/warning about Ramnit.