Ramnit!html headaches

Discussion in 'Malware Help (A Specialist Will Reply)' started by cbv, Oct 17, 2010.

  1. cbv

    cbv Private E-2

    Hi,

    It appears that we were lucky to contain this virus to one machine. But, I have not had any luck in removing it. This is a Windows XP Pro machine with Symantec AntiVirus (Symantec Client Security 10).

    The infection occurred on Oct. 13, 2010. The user came across a suspicious-looking website and the auto-protect messages started.

    So far I have performed the following, in this order:

    1) Symantec instruction
    - http://www.symantec.com/security_response/writeup.jsp?docid=2010-012006-3513-99&tabid=3
    - What a joke, this did nothing for me, had to cancel the scan after around 16 hours or so
    - found 2000+ infections and cleaned

    2) Followed TimW's advice from this thread http://forums.majorgeeks.com/showthread.php?t=219821
    - Tim's post is half way down the page and starts with "Let's start with this:"
    - I did not run the BitDefender Online Scan or the Eset Online Scan as my IExplorer and FFox were not launching. I think they are now so I plan to run the Eset scan as my next step.

    3) Removed a registry entry with desktoplayer.exe in it (the only one in the registry). Ooops, that damaged my login. Once logged in, I would be logged out immediately. Ran Windows repair to fix this.

    4) Stepped through Quads' steps here: http://community.norton.com/t5/Nort...-help-virus-is-ruining-my-business/m-p/279931
    - I found that my experience did not align with his
    - This is a Norton forum, I am using Symantec

    5) Ran Malwarebytes’ Anti-Malware, took 6 hours
    - Upon completion –> MS Visual C++ runtime error
    - C:\Program..\Symantec\Liveup..\LUCOMS~1.exe -> Terminated in an unusual way
    - 2 Infected objects found
    - Trojan.Agent C:\Windows\system32\wsaupdater.exe
    - Disabled.SecurityCenter HLM\Software\MS\SecCenter\FirewallDisableNotify
    - Removed both

    6) Followed the instructions in the READ & RUN ME FIRST. Malware Removal Guide and attached the logs.
    - Deviation/issues while following these steps:
    - RootRepeal will not run
    - appears in the task manager as task name "Busy" - Not Responding
    - I can see Ramnit replicate with RootRepeal.exe in front of my eyes, it creates RootRepealSrv.exe

    Throughout all of these steps, and when AV is enabled, the Auto-Protect pops up continually. It is always finding and cleaning W32.Ramnit!html.

    I have noticed my System Restore enabled after I have turned it off.

    I will try to upload the log files in my next post (from the infected machine), I am not going to copy them to this clean machine to upload! Please note that RootRepeal did not run for me so there is no log from that app.

    If anyone is willing and able to help me remove this pest from this system I would be very grateful.

    Regards,

    Chris
     
  2. cbv

    cbv Private E-2

    I am unable to upload the log files from the infected system as my internet browsers are not working.

    When the infection happened, both IE and FFox would not launch. At some point (I think it was while going through the MajorGeeks Malware Removal Guide) IE started to work.

    After stepping through the above mentioned removal guide, I thought I would try the Eset online scan. I got to the point of downloading virus signatures then:
    - Errored out “Could not download” 0% progress
    - Check Proxy msg, we don’t use Proxy
    - After this happened, neither browser worked. IE will launch, then a second instance opens, I can't navigate to any webpage, IE crashes.

    Is there any way I can copy these log files (and any other data on this machine) without spreading Ramnit?

    Thanks,

    Chris
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The safest thing to do is to copy the logs to a CD. The longer Ramnit is on your system, the harder it will be to remove it all. So get us the following logs if you can:
    SAS
    MBAM
    ComboFix
    C:\MGLogs.zip
    The sooner we can get IE working again, the sooner you can start running the eSet scans.
     
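Added example (Python; not part of the thread and not either poster's advice) for the step TimW describes: before burning logs such as the SAS, MBAM and ComboFix reports and C:\MGLogs.zip to a CD, run a small triage pass on the infected machine that holds back anything carrying a PE header or embedded HTML/script markup and records a SHA-256 per file so the copy can be verified on the clean machine. The file names, contents and the extension allowlist are constructed assumptions, not real scanner output.

```python
"""Pre-transfer triage of log files collected from an infected host.

Added example, not from the forum thread. Checks that each file is plain
text or a zip archive, carries no PE header and no HTML/script markup of the
kind an HTML file infector appends, and records a SHA-256 for verification.
"""
import hashlib
import re

# Constructed sample contents keyed by filename (not real tool output).
SAMPLE_FILES = {
    "SAS_log.txt": b"SUPERAntiSpyware Scan Log\nScan type: Complete Scan\n",
    "mbam-log.txt": b"Malwarebytes' Anti-Malware\nInfected objects: 2\n",
    # A text log that has had an HTML/VBScript block appended to it.
    "ComboFix.txt": b"ComboFix log\n"
                    b"<html><script language=\"VBScript\">x</script></html>\n",
    # A file with a PE header; it should never travel with the logs.
    "stray.exe": b"MZ\x90\x00" + b"\x00" * 32,
    # A zip archive (magic PK\x03\x04); its members are not inspected here.
    "MGLogs.zip": b"PK\x03\x04" + b"\x00" * 16,
}

# Assumed allowlist of what a log bundle should contain; anything else is held.
EXPECTED_EXTENSIONS = {".txt", ".log", ".zip"}

# Markup that has no business inside a scanner's text report.
HTML_MARKERS = re.compile(rb"<\s*(html|script|iframe|object)\b", re.IGNORECASE)


def classify(data: bytes) -> str:
    """Classify file bytes as 'executable', 'archive', 'html-content' or 'text'."""
    if data[:2] == b"MZ":
        return "executable"
    if data[:4] == b"PK\x03\x04":
        return "archive"
    if HTML_MARKERS.search(data):
        return "html-content"
    return "text"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 so the clean machine can verify the copied file."""
    return hashlib.sha256(data).hexdigest()


def triage(files: dict) -> dict:
    """Return {name: {kind, sha256, ok_to_copy, reason}} for every file."""
    report = {}
    for name, data in files.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        kind = classify(data)
        reasons = []
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"unexpected extension {ext or '(none)'}")
        if kind == "executable":
            reasons.append("PE header found")
        if kind == "html-content":
            reasons.append("HTML/script markup inside a text log")
        if ext == ".zip" and kind != "archive":
            reasons.append("extension says zip but no zip signature")
        report[name] = {
            "kind": kind,
            "sha256": sha256_hex(data),
            "ok_to_copy": not reasons,
            "reason": "; ".join(reasons) or "clean text/archive",
        }
    return report


def files_ok_to_copy(files: dict) -> list:
    """Sorted names of the files that passed triage."""
    return sorted(n for n, r in triage(files).items() if r["ok_to_copy"])


if __name__ == "__main__":
    for name, row in triage(SAMPLE_FILES).items():
        flag = "OK  " if row["ok_to_copy"] else "HOLD"
        print(f"{flag} {name:14} {row['kind']:13} "
              f"{row['sha256'][:16]}...  {row['reason']}")
```

The hashes printed on the infected side are written down (or photographed) and compared against `sha256sum` output on the clean machine after the CD is read, so a file that was altered between the two steps is noticed before it is opened. Zip members are not inspected, so MGLogs.zip should be unpacked and the same checks applied on the clean side before any of its contents are viewed in a browser.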
