W32/Ramnit.a

Discussion in 'Malware Help (A Specialist Will Reply)' started by Oneear, Nov 6, 2010.

  1. Oneear

    Oneear Private E-2

    Hi all.

    Firstly, i apologise for my lack of technical knowhow, and my ignorance.

I have a DELL Inspiron laptop, pre-installed with Mcafee, about 6 weeks old. Got a blue screen shutdown yesterday, error along the lines of 'IRQL not less or equal'. Rebooted and found a Windows error window saying something approximating 'missing file ...appdata\local\wmaterx.dll'

    Today i've gotten the blue screen a couple of times, error again along the lines as above, plus 'page not found in none paged area'.

    After rebooting, i ran a FULL SCAN using Mcafee, which came back 1 file found infected, 1 file repaired. I then checked the logs and saw that the Real Time scan was finding a file every second or so, infected with W32/Ramnit.a, and repairing them. I then rebooted into safe mode and ran the programs suggested in the READ THIS FIRST pinned topic. I'm hopefully attaching the relevant logs correctly!

    Thanks for any help you can provide.

    Ben
     

    Attached Files:

  2. Oneear

    Oneear Private E-2

    Forgot to mention, it's Windows 7, 64bit, hence didn't run the other programs.

    Ben
     
  3. Oneear

    Oneear Private E-2

    Having read a few threads on here, i've run ESET and am attaching the log to this post.

    NB. I'm running all of these scans etc whilst in Safe Mode, hope this is correct procedure.

    Thanks again.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You are way out of date with your version of SUPERAntiSpyware.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.

    Now boot your PC in NORMAL BOOT MODE, and complete the below.

    Run a new full scan with ESET Online Scanner.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the new SUPERAntiSpyware log
    • the new ESET log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. Oneear

    Oneear Private E-2

    Hi, updated Superantispyware and ran it (log attached). Then ran Eset again which came up no threats found (but didn't give option for saving/viewing log). Finally ran MGTools...bat file (log attached).

    All done in Normal Mode.

    Again, thank you!

    Ben
     

    Attached Files:

  6. Oneear

    Oneear Private E-2

    Further news, two blue screen shut downs this morning.
     
  7. Oneear

    Oneear Private E-2

    And again this evening. Last few times upon starting up in Normal Mode, when trying to launch the browser to start the Eset.com scan, it blue screens without the browser opening. Attached are the logs from the last SuperAntispyware scan that i was able to run in Normal Mode without a bluescreen stopping it.

    Hope it helps.

    Ben
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is in the below folder?
    C:\Users\Ben\AppData\Local\{F4111F7C-3664-4955-81DF-07EF3BA4661F}

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - .DEFAULT User Startup: cenace.exe (User 'Default user')
    O4 - .DEFAULT User Startup: says.exe (User 'Default user')
    O4 - Startup: iweg.exe

    After clicking Fix, exit HJT.

    Now download OTL by Old Timer and save it to your Desktop.
    • Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
      Code:
      :processes
      :otl
      :files
      C:\Users\Ben\AppData\Local\Xrewuzeqijiwawan.bin
      C:\Users\Ben\Local Settings\TEMP\3361.tmp
      C:\Users\Ben\Local Settings\TEMP\A5D0.tmp
      C:\Users\Ben\Local Settings\TEMP\bnywg5hk.0.cs
      C:\Users\Ben\Local Settings\TEMP\bnywg5hk.cmdline
      C:\Users\Ben\Local Settings\TEMP\bnywg5hk.dll
      C:\Users\Ben\Local Settings\TEMP\bnywg5hk.err
      C:\Users\Ben\Local Settings\TEMP\bnywg5hk.out
      C:\Users\Ben\Local Settings\TEMP\bnywg5hk.tmp
      C:\Users\Ben\Local Settings\TEMP\C7EF.tmp
      C:\Users\Ben\Local Settings\TEMP\Cab5BB6.tmp
      C:\Users\Ben\Local Settings\TEMP\CSC186.tmp
      C:\Users\Ben\Local Settings\TEMP\NODE7B.tmp
      C:\Users\Ben\Local Settings\TEMP\pxifraov.0.cs
      C:\Users\Ben\Local Settings\TEMP\pxifraov.cmdline
      C:\Users\Ben\Local Settings\TEMP\pxifraov.dll
      C:\Users\Ben\Local Settings\TEMP\pxifraov.err
      C:\Users\Ben\Local Settings\TEMP\pxifraov.out
      C:\Users\Ben\Local Settings\TEMP\pxifraov.tmp
      C:\Users\Ben\Local Settings\TEMP\RES187.tmp
      C:\Users\Ben\Local Settings\TEMP\si966B.tmp
      C:\Users\Ben\Local Settings\TEMP\SUPERSetup
      C:\Users\Ben\Local Settings\TEMP\TFR6099.tmp
      C:\Users\Ben\Local Settings\TEMP\TFR67BB.tmp
      C:\Users\Ben\Local Settings\TEMP\TFRB57C.tmp
      C:\Users\Ben\Local Settings\TEMP\TFRFAF5.tmp
      C:\Users\Ben\Local Settings\TEMP\_rfgjc09.0.cs
      C:\Users\Ben\Local Settings\TEMP\_rfgjc09.cmdline
      C:\Users\Ben\Local Settings\TEMP\_rfgjc09.dll
      C:\Users\Ben\Local Settings\TEMP\_rfgjc09.err
      C:\Users\Ben\Local Settings\TEMP\_rfgjc09.out
      C:\Users\Ben\Local Settings\TEMP\_rfgjc09.tmp
      C:\Users\Ben\Local Settings\TEMP\{8C49856A-4BF1-4146-A63D-1E9D2B38D09B}
      C:\Users\Ben\Local Settings\TEMP\{FD813F7C-4695-4A5C-B296-02FD730CEC84}
      C:\Users\Ben\Local Settings\TEMP\~DF0F381F6861A43C20.TMP
      C:\Users\Ben\Local Settings\TEMP\~DF1358B7AD9D564269.TMP
      C:\Users\Ben\Local Settings\TEMP\~DF5178D411CBB2A41C.TMP
      C:\Users\Ben\Local Settings\TEMP\~DFC1C67A5ED3D710F8.TMP
      C:\Users\Ben\Local Settings\TEMP\~DFE1F7BF9738C4A944.TMP
      :commands
      [PURITY]
      [EMPTYTEMP]
      [RESETHOSTS]
      [CREATERESTOREPOINT]
      [CLEARALLRESTOREPOINTS]
      [REBOOT]
      
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
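The three O4 lines above are HijackThis reporting what sits in the per-profile Startup folders, including the hidden Default profile. The script below is an added example, not part of this thread and not code from HijackThis or OTL: it walks every profile's Startup folder plus the all-users one and flags anything that is not a shortcut, so a helper can review the entries before deciding what to remove. It assumes the Vista/Windows 7 profile layout under C:\Users, an elevated PowerShell prompt, and is written to PowerShell 2.0 syntax (what Windows 7 shipped with); the function and variable names are mine.

```powershell
# Added example (not from the thread, HijackThis or OTL): enumerate the contents of every
# profile's Startup folder, the source of HJT's "O4 - Startup" / ".DEFAULT User Startup" lines,
# and flag entries that are not shortcuts. Review only; nothing here deletes anything.
# Assumptions: Windows Vista/7-style profiles under C:\Users (hidden "Default" included),
# run from an elevated PowerShell prompt, PowerShell 2.0 syntax.

$ProfilesRoot  = 'C:\Users'
$StartupRel    = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$CommonStartup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

# A healthy Startup folder holds .lnk shortcuts (plus desktop.ini), not .exe/.dll/.scr binaries.
$ExpectedExt = @('.lnk', '.ini', '.url')

function Get-StartupFolderItems {
    param([string]$Root = $ProfilesRoot)

    # Build the list of Startup folders to inspect: one per profile, plus the all-users folder.
    # -Force is needed so the hidden Default profile (HJT's "Default user") is included.
    $folders = @()
    Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { $folders += @{ Profile = $_.Name; Path = (Join-Path $_.FullName $StartupRel) } }
    $folders += @{ Profile = '(All Users)'; Path = $CommonStartup }

    foreach ($f in $folders) {
        if (-not (Test-Path -LiteralPath $f.Path)) { continue }
        Get-ChildItem -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $ext = $_.Extension.ToLower()
                New-Object PSObject -Property @{
                    Profile = $f.Profile
                    Item    = $_.Name
                    Suspect = -not ($ExpectedExt -contains $ext)   # true for .exe, .dll, .scr, ...
                    SizeKB  = [math]::Round($_.Length / 1KB, 1)
                    Created = $_.CreationTime
                    Path    = $_.FullName
                }
            }
    }
}

$items = @(Get-StartupFolderItems)
$items | Sort-Object Profile, Item | Format-Table Profile, Item, Suspect, SizeKB, Created -AutoSize
$flagged = @($items | Where-Object { $_.Suspect })
"Flagged $($flagged.Count) non-shortcut item(s) across $($items.Count) startup entries"
$flagged | ForEach-Object { $_.Path }
```

The output lists every profile's Startup entries with a Suspect column, then prints the full paths of the flagged ones. Entries such as cenace.exe, says.exe or iweg.exe (bare executables rather than shortcuts, the pattern in the HJT lines above) would show as Suspect; the creation time helps tie an entry to when the problems began. Use it to confirm what a HijackThis or OTL fix should target, not as a replacement for those tools.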
     
  9. Oneear

    Oneear Private E-2

    As instructed, log from OTL attached.

    Also, in the specified folder are three items:

    1. a folder named 'chrome'
    2. 'chrome.manifest'
    3. 'install.rdf'
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's just do 2 more follow up scans to be safe. Seems you caught the Ramnit infection early enough before it spread too much or caused too much damage. Many times Ramnit infections will require a reinstall to properly fix.

    Please run a full scan with ESET Online again and attach the new log.

    Also, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. Oneear

    Oneear Private E-2

    Hi,

    Booted up Normal Mode to run the Eset scan, and got a blue screen when trying to launch the browser. So, back into Safe Mode with Networking to post this. Will run Eset and attach logs/reply.

    Thanks for your help!

    Ben
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which browser? And what is the exact word for word message on the BSOD?
     
  13. Oneear

    Oneear Private E-2

    IE9 Beta.

    Message is (approximately)

    IRQL Not_Less_Or_Equal

    or

    Page fault in none paged area


    Ben
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Unless you are a developer or beta tester for Microsoft, you should not run Beta programs. They are not stable. The error message you are getting may not have anything to do with malware. Or it could be that, due to the Ramnit infection, many important files were deleted because they were infected; Ramnit frequently requires a reinstall.

    I suggest that you uninstall it. You could also try to use Firefox for the scan.
     
  15. Oneear

    Oneear Private E-2

    ESET Scan log attached. Ran in Safe Mode with Networking.
    Then ran C:\MGtools\GetLogs.bat file, log attached.

    Thanks again.

    Ben
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    GetLogs.bat must be run from normal boot mode to allow us to properly diagnose your PC. Otherwise we will only see what happens in safe mode and not in normal mode.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note that based on your ESET log, other user accounts on this PC were/still are infected. Notice things being removed from different accounts ( the restricted user accounts ) than what you posted your logs from!
     
  18. Oneear

    Oneear Private E-2

    Hi,

    I've tried to log on in Normal mode several times now, and am getting BSOD within a few seconds, and can only get as far as Explorer and begin to launch MGTools BAT file, then crashes. So am unable to run the BAT file during normal mode, unless there is another way?

    Not sure what you are suggesting ref your second post regarding other User accounts, yes there is another user account on the laptop, but i haven't used it at all for at least 24hrs. Should i be doing something by logging on using that account?

    Thanks.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you say Explorer, I assume you mean Windows Explorer?? Try not opening Windows Explorer or your browser. Just try pasting C:\MGtools\GetLogs.bat into the Run box or into a command prompt window. Does that work?

    When you get the error message, you need to give me the exact ( not approximate ) and complete word for word error message on the BSOD. Do not paraphrase.

    There are two other user accounts.
    Code:
    d-----w          0 2010-11-06 09:37:04  C:\Users\Kezia
    d-----w          0 2010-10-29 22:09:06  C:\Users\Mcx1-BEN-PC
    You should run scans with ESET, SUPERAntiSpyware and Malwarebytes on them too.
     
  20. Oneear

    Oneear Private E-2

    Yes, i was referring to Windows Explorer previously, sorry for the confusion .

    Tried to follow instructions, logged onto User Ben in Normal Mode, BSOD before i could run MGTools bat file, likewise with User Kezia. Not sure how to log onto the other one.

    Will try and take a picture of the BSOD so i can copy the text to here verbatim, although i noticed that along with the two previously mentioned, there's now a third variant which shows nothing towards the top where, for example, it would have "IRQL Not_Less_Or_Equal", but does show a numerical code towards the bottom of the text body.

    I do appreciate the help - especially as after 4 weeks of owning it, i still hadn't gotten round to making a 'back up' recovery disc for it due to being lazy and not getting any discs yet. It's all bad news! You must despair at idiots like me! :)

    Will report back with BSOD details soon as poss.

    Thanks,

    Ben
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is very possible that the Ramnit infection you had has caused too many problems for your Windows operating system to recover from. Typically people have to reinstall to resolve problems due to Ramnit. And this may be what you will have to do too; however, try running the below, which has to be run in normal boot mode.

    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.


    If you cannot run the above, see if you can run System Restore to go back to a restore point from before your problems began.
     