WIN32:Ramnit-H: need help removing all of it

[Triophile]

Well, that was nice and quick. I've attached the log.

I'm going to have to see if I can dig up some more info on, and learn about, OTL, ComboFix, etc, as they seem to be such effective tools (when used correctly).

Regards, Jon.

[essexboy]

OK time for the big question .... What problems remain ??

[Triophile]

Ah, just had a couple of hiccups as Windows Automatic Updates were running:

1) Avast didn't seem to like the Skype toolbar (there was a Windows update relating to this - KB2727727), and either deleted it or moved it to chest, I don't remember.

2) An update for IE8 was flagged up by Avast as having been infected by Ramnit-H, and was moved to chest.

I was cleaning the capstans and pinch rollers of a tape deck as Windows was updating, so I wasn't always looking at the screen, but in total, Windows said three updates were not installed: KB2656370, KB2727727, and KB2656353. There may have been non-Ramnit reasons for them not being installed, I suppose, and the problems I saw, Avast seemed to deal with appropriately.

Regards, Jon.

[essexboy]

OK I would like a further bootscan with Avast to confirm that it did kill all the ramnit

The updates relate to net framework (always a pain) and Skype.. Do you have that installed ?

[Triophile]

Skype is installed. Windows downloaded another batch of updates, including Skype 5.1, and that seemed to install fine (as did the other updates). A second attempt at installing the .NET framework updates failed again.

I'll open Skype 5.1, and see if that provokes any problems, then run a boot-time scan with Avast.

Thanks again essexboy.

Regards, Jon.

[essexboy]

OK this is just me being paranoid...   Once you have completed we will try and fix the net framework problem (if it still exists)

[Triophile]

Just writing from my own PC as the boot-time scan proceeds on the laptop. Almost immediately, Avast found a file (an inbox dbx file) infected by WIN32:PUP-gen. Move to chest failed (again, disk full, despite me setting the chest size to unlimited), so I deleted it. I realise I may just have wiped out the entire inbox, but I don't think there was anything indispensable in there (if there was, can they be recovered)?

That was at 0%. Now, at about 40%, it's found Ramnit in one of the Dell support files. I'm stopping the scan to have a check to make sure that the change to Avast's chest size went through when I made them.

Regards, Jon.

[essexboy]

That is the problem with this, every single piece must go otherwise it could rear its head again

[Triophile]

Well, Maximum size of chest is 0 (MB), which Avast says means there's no limit, but I'm still getting the disk full error on scans :-(

Damn.

Do I need to make any changes to max size of files to be sent (currently 16384KB)? 16MB sounds a bit small.

I told my friend he could have his laptop back tomorrow. Might have to change that plan :-)

Regards, Jon.

[Triophile]

Sorry, posted just before your reply arrived.

Should I just go ahead and run a boot-time scan with Avast again, and simply delete and be damned when it comes to any further infected files?

Regards, Jon.

[essexboy]

No empty the chest and then continue to add them especially as system files may be involved, so select cure as the first option, quarantine as the second

[Triophile]

Sorry about the delayed reply - been busy with non-computer stuff.

I'm afraid I went ahead and hit delete all, but there seems to have been no fall-out so far. After that scan finished (Avast found another 500-odd infected files), I rebooted, and the laptop seemed fine. Next, I did a safe-mode scan with MBAM, and that came back clear too.

I gave the laptop back to my friend, and, touch wood, it's been fine so far - no warnings of further infected files, and no blue-screens or anything. Sorry, I should have thought to copy the last Avast log over to this (my) machine, but I forgot.

There's still the problem of the .NET framework updates failing, but my friend was nagging me for his machine back :-) If there are any further problems, I'll empty the chest first before scanning, and if Ramnit makes a comeback, I'll post again.

Many thanks for your help essexboy - it's much appreciated by both me and my friend.

Cheers, Jon.

[essexboy]

Reference the net framework problem .. See here http://blogs.msdn.com/b/astebner/archive/2008/08/28/8904493.aspx