Author Topic: Win32:Ramnit-B infection (Read 11778 times)

paulos333 · « **on:** September 30, 2010, 08:19:05 PM »

I have been infected by Win32:Ramnit-B and avast is going crazy! Any ideas how to get rid of this without deleting half my harddrive? Please help!

Pondus · « **Reply #1 on:** September 30, 2010, 08:21:22 PM »

http://forum.avast.com/index.php?topic=64427.0

paulos333 · « **Reply #2 on:** September 30, 2010, 08:28:10 PM »

Thanks for that. It says my chest is full but i have set it to its biggest size. Should i just run malwarebytes first and leave avast going off all the time?

paulos333 · « **Reply #3 on:** September 30, 2010, 08:32:11 PM »

it actually says there is not enough space on the disk - which i don't understand

Pondus · « **Reply #4 on:** September 30, 2010, 08:40:49 PM »

Try MBAM and see what happens, remember to update before you scan

essexboy · « **Reply #5 on:** September 30, 2010, 08:42:47 PM »

This is not a pretty virus/malware

Download Dr.Web CureIt to the desktop.

Doubleclick the drweb-cureit.exe file, then on Start and allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, chose the Complete Scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look and see if you can click the following icon next to the files found:

If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer to allow files that were in use to be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

paulos333 · « **Reply #6 on:** October 02, 2010, 01:10:30 AM »

I have run MBAM and that seems to have helped - I haven't got any pop up avast warnings since. However I haven't run a full scan on avast again yet.

I have scanned with Dr. Web CureIt - it found a lot! I'll try and post the report but its huge...

paulos333 · « **Reply #7 on:** October 02, 2010, 01:37:39 AM »

=============================================================================
Dr.Web Scanner for Windows v6.00.05 (6.00.05.08310)
(c) Doctor Web, Ltd., 1992-2010
Log generated on: 2010-10-01, 00:36:40 [COMPUTER][Owner]
Command line: "C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\14692_xp.exe" /lng /ini:setup_xp.ini /fast
Operating system: Windows XP Home Edition x86 (Build 2600), Service Pack 3
=============================================================================
DwShield started
Engine version: 5.00 (5.00.2.03300)
Engine API version: 2.02
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\f3ff24dc - 1974 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\fa933f13 - 2564 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\b107db8a - 11383 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\d413d6e6 - 8957 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\9f6b9028 - 11015 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\75e6f6da - 11168 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\4b234184 - 7798 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\e7052795 - 7873 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\2f58102b - 6904 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\2b98a5ae - 6503 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\abba50d4 - 9823 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\64792b90 - 7572 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\6a83301b - 6996 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\5f976efb - 16360 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a111d8af - 29168 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\403e8967 - 34202 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\f34f573d - 28292 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\e2136270 - 27164 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\fd278e4d - 25131 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\ee4caa81 - 31464 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\d88da3b3 - 18281 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\3b701c6e - 18009 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\01dcdd46 - 24685 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\9f309e25 - 13651 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\0f7c58c1 - 16025 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\26e5a23f - 15644 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\53f46fb4 - 23265 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\34d7f6c9 - 23135 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a0a897ab - 20510 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\773ae913 - 25475 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\0c2f5f8b - 16298 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\0b9337bd - 19357 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\e0b242f5 - 18381 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\4bfcff5e - 19562 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\797d65b3 - 27102 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\42f2c0f8 - 21223 virus records

paulos333 · « **Reply #8 on:** October 02, 2010, 01:38:04 AM »

[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a85cf26c - 24847 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\c05442f5 - 23251 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\51f5fe94 - 14982 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\40a87ea7 - 16817 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\afb40290 - 18725 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\250b2ede - 18429 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a43f24bb - 6225 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\af517799 - 142240 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\b1e5723c - 66726 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\b16c01c3 - 24512 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\e81688f2 - 82762 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\2fb73709 - 508543 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\cf212de8 - 1255 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\749001d8 - 1959 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\01726553 - 2033 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\fc8158f3 - 1812 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\54586ebe - 1738 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\ecd6e20f - 1885 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a7095594 - 2091 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\433ed7cf - 1569 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\705a73ab - 1834 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\00fa66cd - 1287 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a9bf4c60 - 1614 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a0da08a9 - 2297 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\9840f5a4 - 2110 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\2b306285 - 2007 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\6dedad81 - 2370 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\75dc98ab - 2241 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\7374a3bc - 2596 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\6584a4d5 - 2024 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\044881d8 - 1609 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\0233b52d - 1471 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\86d45c9b - 1445 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\c8077169 - 1895 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\303bc842 - 2312 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\b26d8819 - 3006 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\d740fcc6 - 2146 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\d1294ba9 - 1714 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\fbaf448a - 2095 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\156e77ee - 2715 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\c9cd4fc6 - 2545 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\438ecd2c - 2801 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\1cc2c97f - 6197 virus records
[Virus database] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\a1b48df2 - 28348 virus records
Total virus records: 1655994
[Self-checking] C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\14692_xp.exe
Key file: C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\setup.key
License key number: 0012913379
Registered to: An unauthorized User
License key activates on: 2010-09-17
License key expires on: 2011-03-20

paulos333 · « **Reply #9 on:** October 02, 2010, 01:38:30 AM »

Process in memory: System:4 - OK
Process in memory: \SystemRoot\System32\smss.exe:572 - OK
Process in memory: \??\C:\WINDOWS\system32\csrss.exe:620 - OK
Process in memory: \??\C:\WINDOWS\system32\winlogon.exe:660 - OK
Process in memory: C:\WINDOWS\system32\services.exe:704 - OK
Process in memory: C:\WINDOWS\system32\lsass.exe:716 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:880 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:948 - OK
Process in memory: C:\WINDOWS\System32\svchost.exe:1044 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:1136 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:1240 - OK
Process in memory: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe:1280 - OK
Process in memory: C:\Program Files\Alwil Software\Avast4\ashServ.exe:1328 - OK
Process in memory: C:\WINDOWS\Explorer.EXE:1644 - OK
Process in memory: C:\WINDOWS\VistaDrive\VistaDrive.exe:1728 - OK
Process in memory: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe:1744 - OK
Process in memory: C:\Program Files\Java\jre6\bin\jusched.exe:1756 - OK
Process in memory: C:\WINDOWS\system32\RUNDLL32.EXE:1784 - OK
Process in memory: C:\WINDOWS\BCMSMMSG.exe:1804 - OK
Process in memory: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe:1824 - OK
Process in memory: C:\Program Files\iTunes\iTunesHelper.exe:1848 - OK
Process in memory: C:\WINDOWS\system32\ctfmon.exe:1896 - OK
Process in memory: C:\WINDOWS\system32\spoolsv.exe:784 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:1876 - OK
Process in memory: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe:352 - OK
Process in memory: C:\Program Files\Bonjour\mDNSResponder.exe:560 - OK
Process in memory: C:\Program Files\Java\jre6\bin\jqs.exe:1004 - OK
Process in memory: C:\WINDOWS\system32\nvsvc32.exe:1036 - OK
Process in memory: C:\WINDOWS\system32\HPZipm12.exe:1112 - OK
Process in memory: C:\WINDOWS\system32\svchost.exe:1448 - OK
Process in memory: C:\Program Files\iPod\bin\iPodService.exe:2536 - OK
Process in memory: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe:2704 - OK
Process in memory: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe:2764 - OK
Process in memory: C:\WINDOWS\System32\alg.exe:3192 - OK
Process in memory: C:\WINDOWS\system32\wuauclt.exe:4084 - OK
Process in memory: C:\Program Files\Internet Explorer\IEXPLORE.EXE:1060 - OK
Process in memory: C:\Program Files\Windows Live\Messenger\msnmsgr.exe:3516 - OK
Process in memory: C:\Program Files\Windows Live\Contacts\wlcomm.exe:3692 - OK
Process in memory: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XJ030ID6\drweb-cureit[1].exe:132 - OK
Process in memory: C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\2066b2.exe:4004 - OK
Process in memory: C:\Documents and Settings\Owner\Local Settings\Temp\2FC52A2A-7A6A48A4-77D1F932-9BC9EFE2\14692_xp.exe:1924 - OK
[Memory scanning] No viruses found
Master Boot Record HDD1 - OK
Active OS/2 or WinNT Boot Sector HDD1 - OK

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 336767
Infected: 145
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 1
Renamed: 0
Moved: 138
Ignored: 0
Scan speed: 24 Kb/s
Scan time: 15:19:55
-----------------------------------------------------------------------------

C:\Program Files\Mozilla Firefox\res\hiddenWindow.html - deleted
C:\Program Files\OpenOffice.org 3\Basis\share\config\wizard\web\layouts\frame_bottom\mainframe.html - deleted
C:\Program Files\OpenOffice.org 3\Basis\share\config\wizard\web\layouts\frame_left\mainframe.html - deleted
C:\Program Files\OpenOffice.org 3\Basis\share\config\wizard\web\layouts\frame_right\mainframe.html - deleted
C:\Program Files\OpenOffice.org 3\Basis\share\config\wizard\web\layouts\frame_top\mainframe.html - deleted

=============================================================================
Total session statistics
=============================================================================
Scanned: 350372
Infected: 146
Modifications: 0
Suspicious: 0
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 0
Cured: 0
Deleted: 6
Renamed: 0
Moved: 139
Ignored: 0
Scan speed: 25 Kb/s
Scan time: 15:51:56
=============================================================================

I missed out all the OK files as it was too big to paste here!

Gargamel360 · « **Reply #10 on:** October 02, 2010, 02:06:14 AM »

If there is a next time, attachments work better for this

essexboy · « **Reply #11 on:** October 02, 2010, 01:26:07 PM »

Well the good news is that you did not have a severe case of this, I did expect to see at least 100 infected files, so Avast stopped it from spreading which is good. MBAM probably killed the trigger files

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

paulos333 · « **Reply #12 on:** October 02, 2010, 05:34:27 PM »

Here's the log...

essexboy · « **Reply #13 on:** October 02, 2010, 06:54:34 PM »

What are your currrent problems ?

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

File::
c:\windows\Fdiwitifefe.dat
c:\windows\Jcoqu.bin

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new OTL log.

paulos333 · « **Reply #14 on:** October 04, 2010, 07:41:30 PM »

I don't think there are any problems at the moment! Thanks for your help!

Author Topic: Win32:Ramnit-B infection (Read 11778 times)

paulos333

Win32:Ramnit-B infection

Pondus

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection

Pondus

Re: Win32:Ramnit-B infection

essexboy

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection

Gargamel360

Re: Win32:Ramnit-B infection

essexboy

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection

essexboy

Re: Win32:Ramnit-B infection

paulos333

Re: Win32:Ramnit-B infection