Topic: WIN 32: Ramnit- B

philipb231190

  • Guest
WIN 32: Ramnit- B
« on: October 28, 2010, 01:00:34 AM »
Firstly I'd just like to apologise since I've searched this forum and seen solutions posted to fix this, but I really need a step-by-step guide because nothing I've done has worked. I got this virus yesterday and I tried to fix it using Avast but it didn't seem to work, so I decided to format my hard drive using F10 when the computer boots up. I formatted the hard drive and my computer seemed clean, but within a few minutes of reinstalling Avast and Google Chrome it said I was coming under attack. I tried again to fix it using Avast and MBAM but MBAM froze about 12 minutes into the scan. By froze I mean the timer kept rolling but the number of files checked stayed the same and didn't move. I again tried to format my computer but now when I use F10 from the boot menu it loads me to my format hard drive screen, then the computer just restarts itself. Can anyone tell me where I should start when it comes to getting rid of this virus? Thanks.

Jtaylor83

  • Guest
Re: WIN 32: Ramnit- B
« Reply #1 on: October 28, 2010, 07:25:12 AM »
Try disinfecting Ramnit with Dr. Web LiveCD.


Download and burn Dr. Web LiveCD to a blank CD from a non-infected computer using ISO Burner.


Follow these steps:

http://www.freedrweb.com/livecd/how_it_works/

philipb231190

  • Guest
Re: WIN 32: Ramnit- B
« Reply #2 on: October 28, 2010, 04:36:04 PM »
I don't have any CDs at the minute but would that definitely work? In the meantime I've been running various scans and I used ComboFix last night, which seemed to slightly help. Microsoft Security Essentials had stopped working but after ComboFix it seemed to work again. I ran an antivirus scan today and it found 11 infected files but a full scan only took 15-20 mins so I don't know if it is working correctly. I just did an MBAM scan and it didn't find anything?? Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4967

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

28/10/2010 15:13:29
mbam-log-2010-10-28 (15-13-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 204626
Time elapsed: 16 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Pondus
Re: WIN 32: Ramnit- B
« Reply #3 on: October 28, 2010, 04:43:52 PM »
OBS: you did not update MBAM before you scanned, latest database is 4974 and you scanned with 4967

You can try Dr.Web CureIt; that needs no CD. Download it, save it to the desktop and run it.

Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/?lng=en
« Last Edit: October 28, 2010, 04:46:00 PM by Pondus »
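
The check made in the reply above (the log's database version against the latest one) can be done mechanically. The following is an added example, not part of the thread and not Malwarebytes' own code: the function names are hypothetical, the sample input is an abridged copy of the log posted in Reply #2, and the latest version number 4974 is the one quoted in the reply.

```python
import re

# Abridged copy of the MBAM log posted in the thread (sample input for this example).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46
Database version: 4967
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Scan type: Full scan (C:\\|D:\\|)
Objects scanned: 204626
Time elapsed: 16 minute(s), 17 second(s)
Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 0
"""

def parse_mbam_log(text):
    """Extract the header fields and the per-category detection counts."""
    info = {"counts": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"Database version:\s*(\d+)", line):
            info["database_version"] = int(m.group(1))
        elif m := re.fullmatch(r"Objects scanned:\s*(\d+)", line):
            info["objects_scanned"] = int(m.group(1))
        elif m := re.fullmatch(r"Scan type:\s*(.+)", line):
            info["scan_type"] = m.group(1)
        elif line.startswith("Windows "):
            info["safe_mode"] = "(Safe Mode)" in line
        elif m := re.fullmatch(r"(.+) Infected:\s*(\d+)", line):
            # Summary lines only; the detail headers carry no number.
            info["counts"][m.group(1)] = int(m.group(2))
    return info

def triage(info, latest_db):
    """Return (total detections, notes to raise before trusting the result)."""
    notes = []
    db = info.get("database_version")
    stale = db is not None and db < latest_db
    if db is None:
        notes.append("no database version found in log")
    elif stale:
        notes.append(f"definitions out of date: {db} < {latest_db}; update and rescan")
    if info.get("safe_mode"):
        notes.append("scan ran in Safe Mode")
    total = sum(info["counts"].values())
    if total == 0 and stale:
        notes.append("zero detections with stale definitions is not conclusive")
    return total, notes
```

Calling `triage(parse_mbam_log(SAMPLE_LOG), 4974)` returns zero detections together with the out-of-date note, which is the same observation made in the reply.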

philipb231190

  • Guest
Re: WIN 32: Ramnit- B
« Reply #4 on: October 28, 2010, 04:48:47 PM »
Thanks for the link I am downloading Dr.Web now. Just updated MBAM what should I run first, Dr.Web or the updated MBAM?

Pondus
Re: WIN 32: Ramnit- B
« Reply #5 on: October 28, 2010, 04:51:19 PM »
Try MBAM quick first ......since it is quick  ;D


If no success with the above.....

Follow this guide from our expert malware remover Essexboy, and post the logs here
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt)

philipb231190

  • Guest
Re: WIN 32: Ramnit- B
« Reply #6 on: October 28, 2010, 06:12:34 PM »
MBAM found nothing so is there any point in posting the log? I also did the Dr.Web Cure it scan which also found nothing. The virus(s) are there though so I don't know what's going on! ???

Pondus
Re: WIN 32: Ramnit- B
« Reply #7 on: October 28, 2010, 06:15:45 PM »
Then follow the guide and post the OTL logs so Essexboy can have a look. He enters the forum here in 2-3 hours.

philipb231190

  • Guest
Re: WIN 32: Ramnit- B
« Reply #8 on: October 28, 2010, 07:19:34 PM »
I have attached the MBAM scan (which came up clean again), the OTL and Extras.txt.

Google Chrome is working again which it wasn't yesterday but last night I did the ComboFix thing and it seems to have helped. I still can't format my hard drive from pressing f10 when the computer boots up though so I'm not sure what's happening there.

essexboy

  • Malware removal instructor
Re: WIN 32: Ramnit- B
« Reply #9 on: October 28, 2010, 08:46:58 PM »
Let's have a look at the MBR first - I see you have run ComboFix, could you attach the log please

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:



  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.  Please post the contents of that file.

philipb231190

  • Guest
Re: WIN 32: Ramnit- B
« Reply #10 on: October 28, 2010, 10:19:07 PM »
Here are the logs, thanks.

essexboy
Re: WIN 32: Ramnit- B
« Reply #11 on: October 28, 2010, 11:07:35 PM »
MBR is good. Could you delete your current copy of ComboFix, then download and run a fresh one, as there is a hidden file I will need to look at

 Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

philipb231190

  • Guest
Re: WIN 32: Ramnit- B
« Reply #12 on: October 28, 2010, 11:57:49 PM »
Here's the ComboFix log.

essexboy
Re: WIN 32: Ramnit- B
« Reply #13 on: October 29, 2010, 08:48:32 PM »
Do you still have the F10 problem? The logs look good now - what other problems are you experiencing?

philipb231190

  • Guest
Re: WIN 32: Ramnit- B
« Reply #14 on: October 30, 2010, 02:35:06 AM »
Yea the f10 at boot up still won't let me format my computer. Also when I click on Windows Media Player it just says searching for file. The WMP icon has changed as well to a box with a blue header on it. I'm pretty sure the virus is gone since Avast isn't going crazy like it was but I don't think everything is fixed. I was also trying to uninstall Java update using Add/Remove programs which didn't work.