W32.ramnit!html issues

drfrancis · Oct 28, 2010

Thanks in advance for helping with this. I've tried to follow the process as directed to rid my xp based desktop of this . Issues originally were similar to others , antivirus software continuously trying to fix found virus files, and then slowness to the point of a crawl.

Things seem to be much better in terms of slowness but I have "status" dialogue boxes and windows install boxes that won't go away or keep coming back that I suspect may have something to do with all this. I also had a problem after I ran SAS in that, when it rebooted , it took me to an old windows start up ( rather than the regular one) my son has used at one point, and then would loop rather than load. There was , however, a choice to load a "tuneup backup" and that got me going and was where I ran all subsequent tools and tests. I also had a couple of antivirus tools loaded and I tried to uninstall but I could not get avg to uninstall so I left them, although I did disable everything I could whendirected and did manage to get all scans and logs .

I'll attach logs here, and one with next post. Appreciate efforts in having a look and telling me what I might need to do next to get things back to normal if poossible.

Thanks again

drfrancis · Oct 28, 2010

additional attachment from mgtools..trust I've provided all the right ones, if not let me know.

Thanks again

drfrancis

Kestrel13! · Oct 28, 2010

Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.

drfrancis · Oct 28, 2010

Thanks for the reply...just looked at task manager, cpu usage is at 100 % , largely from the process avtray.exe , you probably know all this from the logs but thought I'd add that, suspect its attached itself to the avg program in some way..

Thanks again

Kestrel13! · Oct 28, 2010

What products do you have installed from norton/symantec as I am seeing this in your uninstall list:

LiveUpdate 2.6 (Symantec Corporation)

Uninstall this rubbish:

Messenger Plus! 3

Messenger Plus! Live

Important Notice: A new version of SUPERAntiSpyware is available.

Please uninstall your current version (this is necessary).

Then download this SUPERAntiSpyware

Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.

After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.

Now run a new full scan of your system. And attach this log later.

Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

File::
C:\Documents and Settings\Jesse\desktop\ComboFixSrv.exe
c:\windows\system32\runonceSrv.exe
c:\windows\system32\verclsidSrv.exe

Folder::
c:\program files\tmp
c:\documents and settings\Wendy\Application Data\Muhus
c:\documents and settings\Wendy\Application Data\Ogros
c:\documents and settings\Magie\Application Data\Idduy
c:\documents and settings\Magie\Application Data\Opgi
c:\documents and settings\Magie\Application Data\Cycau
c:\documents and settings\Magie\Application Data\Ufynmi
c:\program files\win
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Please immediately do the below. You must do this immediately and you must complete all 3 scans one after the other with only the delay to post logs in between. DO NOT use your PC for anything else but these instructions.

Run this Using ESET's Online Scanner and immediately attach the log.

Then run the Eset scan a second time

Then run the Eset scan a third time and attach the 2nd and 3rd logs.

After attaching the 3rd log, if any Ramnet infections were found by Eset, try to repeat the above until it comes up clean. The only infections of Ramnet you can ignore, are ones that may be found in the System Volume Information folder which is System Restore and cannot be cleaned. We will remove them later by disabling System Restore.

drfrancis · Oct 30, 2010

I have symantec client firewall and symantec antivirus

I removed the messenger live stuff

Attaching here eset log 1 as well as sas and combofix, esets 2 and 3 later...eset took a long time to run , left it running through the night, not sure if 2 and 3 will take as long

thanks again for the help

drfrancis · Oct 30, 2010

I did ESET 2 and 3, both were clean so there was no log.

Let me know what I need to do next. I still have the issues with the window installer/ status dialogue boxes ,and one that says " the feature you are trying to install is on a cd rom that is not available" ... the case at the moment , it's looking for something , " insert the HPProduct Assistant" disk....

I'm going send this, then reboot and see if anything changes...will post again if it has changed in any way.

Thanks

TimW · Oct 30, 2010

Please go here and download and run the AVG Removal Tool.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

drfrancis · Oct 30, 2010

Ran avgremoval successfully ( I think) , and mgtools.bat...log attached below

Thx again

TimW · Oct 30, 2010

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Program Files\Messenger_Plus_Live\tbMes1.dll
O3 - Toolbar: Messenger Plus Live Toolbar - {9b339f6e-ddcd-401b-8764-230adbd01761} - C:\Program Files\Messenger_Plus_Live\tbMes1.dll
Click to expand...

After clicking Fix, exit HJT.

Now use windows explorer to find and delete:
C:\Documents and Settings\LocalService\Local Settings\Application Data\Messenger_Plus_Live
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Messenger_Plus_Live

Now tell me what issues you still have, if any.

drfrancis · Oct 30, 2010

Well, I've done all that and at the moment , no noticable issues, things seem to running at resaonable speed etc. SAS must be in startup because it loads when I reboot and sits on the toolbar. I'm a bit reluctant to reboot now because I still have to use the "tuneup backup" to get windows going , and I don't know about now , but last time I did it took an abnormally loooonnnng time for the icons and everything to load.

Opps - spoke too soon- a dialogue box entitled Symantec client security just popped up, 2 in fact, one that says Please wait while window configure symantec client security and another that is saying same as before .." the feature you are trying to is on a CD rom not available ,,Insert and click ok"

I had re-enabled my security tools a few minutes prior to that happening.

Any suggestions?

Thanks again

drfrancis · Oct 31, 2010

I tried to leave things running until I heard back but unfortunately things froze so I rebooted, again having to use the "tuneup backup" to get in, and to my dismay symatec's autoprotect is now once again coming back up with continuous ramnit files being fixed, as well as software install dialogs box still being there....not sure where I go next but suspect I will need to start all over again? Just not sure if I need to start right at the beginning or somewhere else...

Please advise when you get a chance

Thanks

TimW · Oct 31, 2010

Go back and start running the eSet online scan. Do it back to back at least three times and save the logs. Attach them to your next reply.

drfrancis · Nov 13, 2010

ok , so things are considerable better, not entirely sure why...i have run a number of scans with eset, sas, malwarebytes an antimalware over the last few days and at the moment all appears to be clean. The problem I'm still having is that windows installer continues to pop up although I've discovered that if I kill the application in task manager is seems to stay gone until I reboot. The other issue is that some programs ( adobe, Wordperfect, open office to name a few) won't start,indicates that I'm missing dlls ( agm.dll for adobe, sal3.dll for open office) . I also can't seem to uninstall the old adobe
(error 1402: could not open key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\optional components\MSFS) or or install a new one. When I try to load wordperfect it acts like it's trying to install - if I could find my istall discs that might be ok ...

Any suggestions gratefully accepted, not feeling that confident that I'm out of the woods yet.

Thanks

TimW · Nov 13, 2010

Please attach the requested logs. Ramnit can corrupt many programs and the only course of action you have is to reinstall them.

I need to see the eSet logs as well as the other logs that we request:
SAS
MBAM
ComboFix
C:\MGLogs.zip --> from running the C:\MGTools.exe

drfrancis · Nov 13, 2010

Ok , so unless I'm doing something wrong, when eset doesn't find anything, which is now th case, it doesn't let you create a log...if that's wrong let me know and I'll run it agian. Rest of the logs are attached here. ALso , I'm still running the tunuo backup to start windoiws everytime I reboot, hopefully when we get to the end you can tell me how the fix that up.... one more log to follow

thanks again

drfrancis · Nov 13, 2010

last log...rrlog

thx

TimW · Nov 14, 2010

It is a very bad idea to allow all users to have Admin. privileges!! You need to run both SAS and MBAM on each user account.

Please use windows explorer to find and delete:
c:\documents and settings\Jesse\Application Data\Uhmun
c:\documents and settings\Jesse\Application Data\Kyby
c:\documents and settings\Jesse\Application Data\Upakf
c:\documents and settings\Jesse\Application Data\Eroh
c:\documents and settings\Jesse\Application Data\Dacia
c:\documents and settings\Jesse\Application Data\Ograo

I would also like to see these logs:
C:\ESET1NOV1.txt
C:\eset2NOV1.txt
C:\ESET3nov2.txt
C:\eset4nov3.txt

ALso , I'm still running the tunuo backup to start windoiws everytime I reboot,
Click to expand...

Please explain this.

Tell me what other issues you are having. You may need to reinstall some programs that the infection corrupted.

drfrancis · Nov 14, 2010

I've removed all the files/directories as indicated and removed admin rights from all other users . Currently running scans from other user accounts . Here are the requested logs from last weeks eset scans. Other problems are listed in my post above.

The issue I mentioned was that when I reboot, it gives me a regular startup option and a "tuneup backup" option,( "tuneup" is a set of utilities to clean up a computer)....when I choose regular windows will not load and it goes in a loop, if I choose the tuneup backup , it loads fine. so everytime I reboot i chose it now...at some point it probably makes sense to make that the regular startup although I'm not sure I know how to do that.

Will send additional logs when all other SAS and MBAM scans are complete.

Thx

TimW · Nov 15, 2010

Go ahead and get me a new MGLogs.zip by running the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

I do not know why you are not booting into normal mode without having to go thru the tuneup option. You may need to post in the software forum for that issue.

drfrancis · Nov 16, 2010

Logs from other users as requested, mgtools log to follow

thx

drfrancis · Nov 16, 2010

Mgtools log file attached

think that should be the last of the logs for this go round

thanks again for all the help.

TimW · Nov 16, 2010

What malware issues are you still having, if any? I am not seeing any thing in your logs.

drfrancis · Nov 16, 2010

Well, at the moment other than the issues with booting from a tuneup backup that I mentioned , and the fact that I can't seem to run or uninstall things like my old adobe , or get a new version installed, or run a couple of other programs, which, as you've said more to do with the damage done by the the virus than still having it, I think I may be ok.

Also, when I try to start my symantic antivirus, instead of loading, it brings up a windows installer dialogue box, not sure what's with that but it could be the same as some of the other things above. I think I'll try to get rid on it ( although again I don't saeem to be able to uninstall). I'd like to switch to one of the major geeks recommneded antivirus programs if I could get something loaded.

Any other suggestions or anything else I need to do let me know....and once again thanks for all the help - I'm in a much better place that I was a couple of weeks ago.

Thanks

DRF

TimW · Nov 17, 2010

You can try using Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.

The other problems should be addressed in the software forum.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /uninstall

Notes: The space between the combofix" and the /uninstall, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 7 of the READ ME
for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Support MajorGeeks with Geek Wear!

W32.ramnit!html issues

drfrancis Private E-2

Attached Files:

drfrancis Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

drfrancis Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

drfrancis Private E-2

Attached Files:

drfrancis Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

drfrancis Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

drfrancis Private E-2

drfrancis Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

drfrancis Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

drfrancis Private E-2

Attached Files:

drfrancis Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

drfrancis Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

drfrancis Private E-2

Attached Files:

drfrancis Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

drfrancis Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member