Persistent virus, Ramnit A and C, I need help!!!

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Sat Oct 16, 2010 8:35 pm

Hi,

I have a Ramnit Virus. Within a few second from a system load my security NOD32 finds infected files. I can not run Mozilla, IE etc

I have Windows XP SP2

Please help!

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Sat Oct 16, 2010 8:37 pm

If your computer is infected with this threat, please read the following:

Attention: Your computer is severely infected with Win32\Ramnit what is now called, a cocktail infection. This is an infection that is comprised of many different types of viruses and other malware, to damage your computer, and use it as a zombie for its backdoor network. In other words, your computer is under control of a hacker, and regaining control is now next to impossible.

The first component is a [You must be registered and logged in to see this link.], which is a type of trojan that communicates with a hacker: to transfer personal information about you, use your computer to help perform a denial-of-service attack, redirect your internet searches in order to make money off of your browsing habits, and can be a keylogger to steal personal identifiable information to help rob your identity.

The second component is a [You must be registered and logged in to see this link.], which is a type of malware to take control over your computer at administrator access, having full permission to modify all of your device drivers, and allowing itself to hide all the malware on the system. In other words, it is a hackers way of taking control of your computer, and hiding in the dark at the same time. This is a prime initiative of hackers to help keep access to your computer, robbing all of your personal information, and using your computer to send spam across the internet.

The third component is a [You must be registered and logged in to see this link.], which is a type of virus to purposely damage as many files as possible, in order to keep control of your system, so you have as little access as possible.

Not only has your system been compromised severely, it is also highly damaged, and if you do not commit to my suggested removal method below, then your computer may not function anymore.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:


Removal method:

It is recommended to do a reformat and reinstall of your operating system. The experts in the [You must be registered and logged in to see this link.] security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

I recommend the following articles to read:
Guides for format and reinstall:

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Sat Oct 16, 2010 9:17 pm

I have decided against a reformat, for many reasons. Please help me to clean my computer of this virus as much as possible, I would really appreciate it! Thank you.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Sat Oct 16, 2010 9:20 pm

Ok. This may not be easy, so please follow instructions carefully.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)





Save these instructions so you can have access to them while in Safe Mode.

Please click [You must be registered and logged in to see this link.] to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on next.
  • It will, by default, install it to your desktop folder. Click Next.
  • It will then open a box There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)
Leave the rest of the settings as they appear as default.
  • Then click on Scan at the to right hand Corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.





ESET Online Scan

Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Sat Oct 16, 2010 9:56 pm

I don't see an option for the express scan, it just asks if i want to scan now... do I say yes?

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Sat Oct 16, 2010 10:18 pm

Sure.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Dr.web log

Post by natty on Sun Oct 17, 2010 3:27 pm

I cannot post the contents for the message is too big, so I have joined the file in question, in notepad form.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Kaspersky log

Post by natty on Sun Oct 17, 2010 8:55 pm

Here is my kaspersky log...
I am trying to run the ESET online scanner but the link will not open in my Internet Explorer, and I cannot open Firefox or Safari anymore either! I have a laptop which runs fine...is there a way for me to download this software so I can then transfer it to my desktop computer?

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Mon Oct 18, 2010 9:03 am

As you can probably see, most of your personal files are corrupted. Don't be alarmed, as this is expected.

Also, in the Kaspersky log there, the Kaspersky AVP Tool that was used had gotten infected within minutes of starting its scan. We need to work a bit more efficient.

The tools can be transferred, but keep in mind, if you use a flash drive, the flash drive will be instantly infected once connected to the system.

Let's see...

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

ComboFix log

Post by natty on Mon Oct 18, 2010 2:10 pm

Ok I used my flash drive to dowload the tool onto my PC and used it following the instructions, so here is my log. What can I do now? Your help is so precious thank you.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Mon Oct 18, 2010 10:26 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,"

    File::
    c:\program files\microsoft\desktoplayer.exe

    SysRst::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.





Please do a scan with [You must be registered and logged in to see this link.]

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: If the scan freezes for more than 30 minutes, stop the scan, and report back to me.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Mon Oct 18, 2010 10:41 pm

My Internet browser works now, should I also run the ESET online scan?

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

ComboFix re-scan

Post by natty on Tue Oct 19, 2010 12:48 am

Here is my ComboFix log #2.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Tue Oct 19, 2010 1:05 am

I tried 3 times to run the Kaspersky online scanner, and each time it tells me:

Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.

What does this mean?

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Tue Oct 19, 2010 5:13 am

Yeah. See if the ESET scan will work.

ComboFix is running in a reduced functionality, and will not give me enough info. This is because of the infection.



Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

ESET online scan

Post by natty on Tue Oct 19, 2010 2:53 pm

Ok, it has cleaned 44 out of 48 infected files (so 4 are still left uncleaned). Here is my log.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Tue Oct 19, 2010 5:37 pm

1. Please download [You must be registered and logged in to see this link.] by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Program Files\QuickTime\QTSystem\QTCF.dll
C:\Program Files\iTunes\iTunesHelperSrv.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your next reply along with a re-run of ESET online scanner..


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Wed Oct 20, 2010 1:42 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Program Files\QuickTime\QTSystem\QTCF.dll" deleted successfully.
File "C:\Program Files\iTunes\iTunesHelperSrv.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

This is my log for the Avenger task, and attached is my updated log for the ESET scan. 34 files were found and one could not be cleaned (bottom). Is this normal? Am I doing something wrong here? I have uninstalled my antivirus (because it keeps interfering and obviously wasn't very effective in the first place)and I usually disactivate my Firewall when running a scan...should I always keep it on? Should I permanently install an antivirus/antimalware right away or just follow your step-by-step instructions first? Thank you!

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Wed Oct 20, 2010 8:25 am

I will give you some tips on the antivirus later, if you like.

There could still be tons more infected files. So, we must keep on going till there are no more detections.

Please download [You must be registered and logged in to see this link.] and save to your desktop.
[You must be registered and logged in to see this link.]
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results. Please post the results, when complete.
Note: For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

1st Norman log

Post by natty on Thu Oct 21, 2010 4:04 am

Norman Malware Cleaner
Version 1.8.2
Copyright © 1990 - 2010, Norman ASA. Built 2010/10/19 21:36:56

Norman Scanner Engine Version: 6.06.07
Nvcbin.def Version: 6.06.00, Date: 2010/10/19 21:36:56, Variants: 7835834

Scan started: 2010/10/20 09:09:58

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: DELL_E521\Natty

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe" -> "C:\WINDOWS\System32\userinit.exe,"
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000

Scanning kernel...

Kernel scan complete


Scanning bootsectors...

Number of sectors found: 3
Number of sectors scanned: 3
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 453ms


Scanning running processes and process memory...

Number of processes/threads found: 2912
Number of processes/threads scanned: 2912
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 2m 22s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\Documents and Settings\Natty\Application Data\U3\1535830CB8C14D53\PelicanBusyPage.htm (Infected with HTML/Ramnit.A)
Deleted file

C:\Documents and Settings\Natty\Application Data\Ubovo\insea.exe (Infected with W32/Ramnit.A)
Repaired file

C:\Documents and Settings\Natty\Local Settings\Temporary Internet Files\Content.IE5\VSJSHEOC\freq[1].htm (Infected with HTML/Ramnit.A)
Deleted file

C:\Program Files\Safari\PubSub.resources\Entry.html (Infected with HTML/Ramnit.A)
Deleted file

C:\Qoobox\Quarantine\C\Documents and Settings\Natty\Application Data\BA19028B9503566C3DFAE04EDF32AAFD\enemies-names.txt.vir (Infected with TXT/JunkFile.BL)
Deleted file

Scanning: D:\*.*

D:\Documents\Nathalie\DS\Movies\Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.7z/Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

D:\Documents\Nathalie\DS\Movies\Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.7z/Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

D:\Documents\Nathalie\My Music\Ma musique\La Vie En Rose (soundtrack)\22 - Jil Aigrot - Les Mtmes De La Cloche.mp3 (Error opening file: Not found)

D:\LogiCiel\Audio\Winamp\Plugins\Milkdrop2\docs\milkdrop_preset_authoring.html (Infected with HTML/Ramnit.A)
Deleted file

D:\LogiCiel2\Gravure\Silent MicroBurner\MicroBurner.exe (Infected with Packed_Upack.I)
Deleted file

D:\LogiCiel2\MultiMedia\Video\GomPlayer\GNF.ax (Infected with W32/Suspicious!api.A)
Deleted file

D:\LogiCiel2\Office\EssentialPIM\EssentialPIM.exe (Infected with W32/Packed_Upack.H)
Deleted file

D:\LogiCiel3\Gravure\Silent MicroBurner\MicroBurner.exe (Infected with Packed_Upack.I)
Deleted file

D:\LogiCiel3\MultiMedia\Audio\Winamp\Plugins\Milkdrop2\docs\milkdrop_preset_authoring.html (Infected with HTML/Ramnit.A)
Deleted file

D:\LogiCiel3\MultiMedia\Video\GomPlayer\GNF.ax (Infected with W32/Suspicious!api.A)
Deleted file

D:\LogiCiel3\Office\EssentialPIM\EssentialPIM.exe (Infected with W32/Packed_Upack.H)
Deleted file

Scanning: L:\*.*

L:\$RECYCLE.BIN\S-1-5-21-2814603516-3568070594-1710464331-1001\$RP82T15\Setup.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\bookmarks.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Download\en_talk-msn.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\DS\Movies\Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.7z/Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

L:\Desktop Documents (backup)\Nathalie\DS\Movies\Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.7z/Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\bookmarkbackups\bookmarks-2007-10-29.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\bookmarkbackups\bookmarks-2007-10-30.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\bookmarkbackups\bookmarks-2007-11-05.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\bookmarkbackups\bookmarks-2007-11-09.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\bookmarkbackups\bookmarks-2007-11-12.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\bookmarks.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\My Music\Ma musique\Gregory Isaacs\gregory isaacs COLLECTION COMPLETE!\2004 - gregory isaacs - give it all up\ABREME- OPEN ME.html (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Music\Ma musique\La Vie En Rose (soundtrack)\22 - Jil Aigrot - Les Mtmes De La Cloche.mp3 (Error opening file: Not found)

L:\Desktop Documents (backup)\Nathalie\My Stationery\ArtDeco.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\BlueTiles.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Bubbles.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Cheddar.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\ColorStripe.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Dinosaur.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Garden.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\HandPrints.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\LED.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Money.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Mosiac1.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Mosiac2.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Music.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Snowboard.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\Southwest.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Stationery\YellowTiles.htm (Infected with HTML/Ramnit.A)
Deleted file

L:\Desktop Documents (backup)\Nathalie\My Videos\Mes vidéos\I POD VIDEOz AND GAMEz\IPOD 20 games\iPodWizard\iPodWizard.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\Program Install\Ahead Nero v7.0.5.4 Premium Edition\Keygen.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\AtiCimUn.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\BIN\aticds10.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\BIN\AtiCIM.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\BIN\atiicdxx.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\CatalystRegistration\CatalystRegistration.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\CCC\CCC.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\CheckVer.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\Driver\Driver.DLL (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\Driver\XP_INF\B_53901\atiiiexx.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\SBDrv\SBDrv.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\steam\setup.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\steam\steam.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\SteamShortcut\setup.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\SteamShortcut\SteamShortcut.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\vc8\vc8.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\WDM_ALL\WDM_ALL.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\cnmis.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\Cnmvsa.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\devid.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\helpkicker.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\HDAQFE\win2k_xp\us\kb835221.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\WDM\stacapi.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\WDM\staco.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\WDM\suhlp.exe (Infected with W32/Ramnit.A)
Repaired file

Scanning: K:\*.*

Scanning: M:\*.*

M:\System\Apps\f121f3ff-0c8d-4ce1-a24b-c9f8c82dc5a2\Exec\doc\editorhelp.htm (Infected with HTML/Ramnit.A)
Deleted file

M:\System\Apps\f121f3ff-0c8d-4ce1-a24b-c9f8c82dc5a2\Exec\doc\gamehelp.htm (Infected with HTML/Ramnit.A)
Deleted file

Scanning: postscan


Running post-scan cleanup routine:
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe" -> "C:\WINDOWS\System32\userinit.exe,"

Number of files found: 321087
Number of archives unpacked: 2933
Number of files scanned: 321061
Number of files not scanned: 26
Number of files skipped due to exclude list: 0
Number of infected files found: 69
Number of infected files repaired/deleted: 69
Number of infections removed: 69
Total scanning time: 2h 20m 37s

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Thu Oct 21, 2010 4:06 am

It did not prompt me to restart, but I did anyway and ran a scan just in case...here is my 2nd log:

Norman Malware Cleaner
Version 1.8.2
Copyright © 1990 - 2010, Norman ASA. Built 2010/10/19 21:36:56

Norman Scanner Engine Version: 6.06.07
Nvcbin.def Version: 6.06.00, Date: 2010/10/19 21:36:56, Variants: 7835834

Scan started: 2010/10/20 20:29:18

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: DELL_E521\Natty

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe" -> "C:\WINDOWS\System32\userinit.exe,"

Scanning kernel...

Kernel scan complete


Scanning bootsectors...

Number of sectors found: 3
Number of sectors scanned: 3
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 172ms


Scanning running processes and process memory...

Number of processes/threads found: 2955
Number of processes/threads scanned: 2955
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 2m 25s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\Documents and Settings\Natty\Application Data\Dehyox\vyne.exe (Infected with W32/Ramnit.A)
Repaired file

C:\Documents and Settings\Natty\Application Data\Ubovo\insea.exe (Infected with W32/Ramnit.A)
Repaired file

Scanning: D:\*.*

D:\Documents\Nathalie\DS\Movies\Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.7z/Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

D:\Documents\Nathalie\DS\Movies\Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.7z/Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

D:\Documents\Nathalie\My Music\Ma musique\La Vie En Rose (soundtrack)\22 - Jil Aigrot - Les Mtmes De La Cloche.mp3 (Error opening file: Not found)

Scanning: L:\*.*

L:\$RECYCLE.BIN\S-1-5-21-2814603516-3568070594-1710464331-1001\$RP82T15\Setup.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Download\en_talk-msn.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\DS\Movies\Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.7z/Star.Wars.Episode.I.The.Phantom.Menace.1999.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

L:\Desktop Documents (backup)\Nathalie\DS\Movies\Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.7z/Star.Wars.Episode.II.Attack.Of.The.Clones.2002.1080p.HDTV.x264-hV.mkv.dpg (Error whilst scanning file: I/O Error (0x00220000))

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\Mozilla\Mozilla\Firefox\Profiles\oum7p34x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\My Music\Ma musique\La Vie En Rose (soundtrack)\22 - Jil Aigrot - Les Mtmes De La Cloche.mp3 (Error opening file: Not found)

L:\Desktop Documents (backup)\Nathalie\My Videos\Mes vidéos\I POD VIDEOz AND GAMEz\IPOD 20 games\iPodWizard\iPodWizard.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Nathalie\Program Install\Ahead Nero v7.0.5.4 Premium Edition\Keygen.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\AtiCimUn.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\BIN\aticds10.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\BIN\AtiCIM.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\BIN\atiicdxx.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\CatalystRegistration\CatalystRegistration.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\CCC\CCC.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\CheckVer.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\Driver\Driver.DLL (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\Driver\XP_INF\B_53901\atiiiexx.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\SBDrv\SBDrv.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\steam\setup.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\steam\steam.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\SteamShortcut\setup.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\SteamShortcut\SteamShortcut.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\vc8\vc8.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\ATI\WDM_ALL\WDM_ALL.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\cnmis.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\Cnmvsa.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\devid.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Canon i560 Installer\Inst2\helpkicker.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\HDAQFE\win2k_xp\us\kb835221.exe (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\WDM\stacapi.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\WDM\staco.dll (Infected with W32/Ramnit.A)
Repaired file

L:\Desktop Documents (backup)\Pilotes\Son\WDM\suhlp.exe (Infected with W32/Ramnit.A)
Repaired file

Scanning: K:\*.*

Scanning: M:\*.*

Scanning: postscan


Running post-scan cleanup routine:
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe" -> "C:\WINDOWS\System32\userinit.exe,"

Number of files found: 324904
Number of archives unpacked: 2901
Number of files scanned: 324878
Number of files not scanned: 26
Number of files skipped due to exclude list: 0
Number of infected files found: 32
Number of infected files repaired/deleted: 32
Number of infections removed: 32
Total scanning time: 2h 44m 56s

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Thu Oct 21, 2010 4:11 am

..the L: is my external hard drive, which I thought might not be infected because I hadn't plugged it in my computer for a long time, but I scanned it just in case.. Whoa!

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Fri Oct 22, 2010 3:19 am

Now, ESET online scan once more, please.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

ESET log 22 oct.

Post by natty on Fri Oct 22, 2010 3:53 pm

So I ran the scan again, and 62 out of 63 files were «cleaned»...

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Fri Oct 22, 2010 9:00 pm

I want to try something real quick...

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.



==============

Please download TDSSKiller from [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the C:\ directory.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

MBR log

Post by natty on Sat Oct 23, 2010 8:15 pm

Ok done! So here's the MBR log...

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

TDSSKiller

Post by natty on Sat Oct 23, 2010 8:20 pm

...and the TDSSKiller log:

2010/10/23 15:55:50.0515 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/23 15:55:50.0515 ================================================================================
2010/10/23 15:55:50.0515 SystemInfo:
2010/10/23 15:55:50.0515
2010/10/23 15:55:50.0515 OS Version: 5.1.2600 ServicePack: 2.0
2010/10/23 15:55:50.0515 Product type: Workstation
2010/10/23 15:55:50.0515 ComputerName: DELL_E521
2010/10/23 15:55:50.0515 UserName: Natty
2010/10/23 15:55:50.0515 Windows directory: C:\WINDOWS
2010/10/23 15:55:50.0515 System windows directory: C:\WINDOWS
2010/10/23 15:55:50.0515 Processor architecture: Intel x86
2010/10/23 15:55:50.0515 Number of processors: 2
2010/10/23 15:55:50.0515 Page size: 0x1000
2010/10/23 15:55:50.0515 Boot type: Normal boot
2010/10/23 15:55:50.0515 ================================================================================
2010/10/23 15:55:50.0859 Initialize success
2010/10/23 15:55:55.0421 ================================================================================
2010/10/23 15:55:55.0421 Scan started
2010/10/23 15:55:55.0421 Mode: Manual;
2010/10/23 15:55:55.0421 ================================================================================
2010/10/23 15:55:56.0578 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/23 15:55:56.0625 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/23 15:55:56.0671 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2010/10/23 15:55:56.0703 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/10/23 15:55:56.0796 AmdK8 (fefe7f885ea456194656c6a00ea16c93) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/10/23 15:55:56.0890 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/23 15:55:56.0906 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/23 15:55:56.0953 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/23 15:55:56.0984 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/23 15:55:57.0015 bcm4sbxp (78e7b52da292fa90bad2f887bbf22159) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2010/10/23 15:55:57.0046 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/23 15:55:57.0140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/23 15:55:57.0203 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/23 15:55:57.0234 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/23 15:55:57.0265 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/23 15:55:57.0296 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/23 15:55:57.0343 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/23 15:55:57.0437 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/23 15:55:57.0468 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/23 15:55:57.0515 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/23 15:55:57.0546 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/23 15:55:57.0593 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/23 15:55:57.0625 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/23 15:55:57.0781 EverestDriver (54a76d2c2d892dcbd8e9e94293ba8f2c) D:\LogiCiel\Systeme\Everest\kerneld.wnt
2010/10/23 15:55:57.0828 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/23 15:55:57.0843 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2010/10/23 15:55:57.0859 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/23 15:55:57.0875 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/23 15:55:57.0906 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/10/23 15:55:57.0984 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2010/10/23 15:55:58.0015 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/23 15:55:58.0031 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/23 15:55:58.0062 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/10/23 15:55:58.0093 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/23 15:55:58.0109 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/23 15:55:58.0140 HidBatt (13c0d55da4b7148ef980e130b85d9f2c) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2010/10/23 15:55:58.0171 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/23 15:55:58.0218 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/23 15:55:58.0281 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys
2010/10/23 15:55:58.0312 ICAM3NT5 (67ad57ae9aa6a2f02561325ea1b3e4b2) C:\WINDOWS\system32\Drivers\ICAM3D2.SYS
2010/10/23 15:55:58.0359 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/23 15:55:58.0421 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/10/23 15:55:58.0453 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/23 15:55:58.0500 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/23 15:55:58.0546 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/23 15:55:58.0593 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/23 15:55:58.0656 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/23 15:55:58.0734 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/23 15:55:58.0765 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/23 15:55:58.0765 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/23 15:55:58.0812 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/23 15:55:58.0859 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/23 15:55:58.0921 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/23 15:55:58.0968 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/23 15:55:59.0000 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/23 15:55:59.0031 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/23 15:55:59.0078 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/23 15:55:59.0203 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/23 15:55:59.0218 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/23 15:55:59.0250 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/23 15:55:59.0281 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/23 15:55:59.0296 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/23 15:55:59.0312 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/23 15:55:59.0328 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/23 15:55:59.0359 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/23 15:55:59.0437 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/23 15:55:59.0468 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/23 15:55:59.0484 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/23 15:55:59.0531 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/23 15:55:59.0546 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/23 15:55:59.0562 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/23 15:55:59.0593 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/23 15:55:59.0640 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/23 15:55:59.0687 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/23 15:55:59.0734 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/23 15:55:59.0812 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/23 15:56:00.0468 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/23 15:56:00.0734 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/23 15:56:00.0765 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/23 15:56:00.0796 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/23 15:56:00.0812 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/23 15:56:00.0828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/23 15:56:00.0859 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/23 15:56:00.0921 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/23 15:56:00.0953 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/23 15:56:01.0062 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/23 15:56:01.0093 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/23 15:56:01.0109 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/23 15:56:01.0187 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/23 15:56:01.0218 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/23 15:56:01.0234 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/23 15:56:01.0250 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/23 15:56:01.0250 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/23 15:56:01.0296 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/23 15:56:01.0343 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/23 15:56:01.0453 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/23 15:56:01.0546 Secdrv (4e7c4709aab1f24e8fe1763ddbffb93d) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/23 15:56:01.0562 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/23 15:56:01.0609 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/23 15:56:01.0656 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/23 15:56:01.0750 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/23 15:56:01.0812 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/23 15:56:01.0984 SQTECH905C (80bba4f191ad76ef2d31dab9162d3fae) C:\WINDOWS\system32\Drivers\Capt905c.sys
2010/10/23 15:56:02.0031 Sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/23 15:56:02.0062 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/23 15:56:02.0125 STHDA (8990440e4b2a7ca5a56a1833b03741fd) C:\WINDOWS\system32\drivers\sthda.sys
2010/10/23 15:56:02.0156 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/23 15:56:02.0156 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/23 15:56:02.0203 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/23 15:56:02.0296 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/23 15:56:02.0328 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/23 15:56:02.0390 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/23 15:56:02.0437 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/23 15:56:02.0500 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/23 15:56:02.0625 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/23 15:56:02.0703 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/23 15:56:02.0796 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/23 15:56:02.0890 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/23 15:56:02.0953 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/23 15:56:02.0968 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/10/23 15:56:03.0000 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/23 15:56:03.0031 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/23 15:56:03.0218 vcdrom (bfa4ae30b3ac10e9223830bf103f5a3f) D:\LogiCiel\Systeme\VirtualDVD\VCdRom.sys
2010/10/23 15:56:03.0281 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/10/23 15:56:03.0312 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/23 15:56:03.0343 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/23 15:56:03.0390 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/23 15:56:03.0453 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
2010/10/23 15:56:03.0500 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/10/23 15:56:03.0531 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/23 15:56:03.0687 ================================================================================
2010/10/23 15:56:03.0687 Scan finished
2010/10/23 15:56:03.0687 ================================================================================

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Sun Oct 24, 2010 6:22 pm

Fix using MBRCheck.exe

Run MBRCheck.exe again by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 5 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number and then press Enter.
  • When prompted for confirmation: "Do you want to fix the MBR code?". Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where program name and path is written).
  • From the menu chose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: The Master Boot Record contains the Partition Table for the hard disk and a a little executable code for the boot start. While fixing the [You must be registered and logged in to see this link.] is generally safe, there is a small risk of damaging the MBR, which may cause the computer to not boot up or it may corrupt a partition.

The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system


If it is the worst case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the [You must be registered and logged in to see this link.] before proceeding with the above fix. Then, if any problems occur, the links below explain how to use and repair the MBR:

If you do not have a Windows CD available, please let me know. You will need access to a computer that can burn CDs.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Mon Oct 25, 2010 5:17 pm

I do not have a Windows CD available, but I have a 2 yr-old Ghost and also have access to a computer that can burn CDs.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Mon Oct 25, 2010 8:34 pm

Not a problem. We have proven recovery methods, and since you have XP, we can say there is a good possibility for recovery.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Mon Oct 25, 2010 11:19 pm

Ok, I just tried twice to run the program again but it never asks me to press Y for other options, it just says Done! after a few seconds and 'press ENTER to exit'...?

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Thu Oct 28, 2010 4:03 am

Delete the old copy and download a new one, and try once more, please.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Thu Oct 28, 2010 5:26 pm

Arrrrgggghhh!!! I've deleted it from my desktop, as well as the logs, and all related files I could find (using Total Kommander)... Twice. Reinstalled it, twice, using different links for download, and still I have the same problem. How can I truly delete the old copy from my computer??

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Sat Oct 30, 2010 10:35 am

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Sat Oct 30, 2010 5:35 pm

Windows 5.1.2600 Disk: WDC_WD2500JS-75NCB3 rev.10.02E04 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Mon Nov 01, 2010 1:33 am

One final (hopefully) ESET scan...


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

ESET scan

Post by natty on Tue Nov 02, 2010 4:14 am

«found:19, cleaned:18»

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Crush on Wed Nov 03, 2010 1:23 am

Hi Natty

I'll take over here since Jay is away.

Attention: Your computer is severely infected with Win32\Ramnit what is now called, a cocktail infection. This is an infection that is comprised of many different types of viruses and other malware, to damage your computer, and use it as a zombie for its backdoor network. In other words, your computer is under control of a hacker, and regaining control is now next to impossible.

The first component is a [You must be registered and logged in to see this link.], which is a type of trojan that communicates with a hacker: to transfer personal information about you, use your computer to help perform a denial-of-service attack, redirect your internet searches in order to make money off of your browsing habits, and can be a keylogger to steal personal identifiable information to help rob your identity.

The second component is a [You must be registered and logged in to see this link.], which is a type of malware to take control over your computer at administrator access, having full permission to modify all of your device drivers, and allowing itself to hide all the malware on the system. In other words, it is a hackers way of taking control of your computer, and hiding in the dark at the same time. This is a prime initiative of hackers to help keep access to your computer, robbing all of your personal information, and using your computer to send spam across the internet.

The third component is a [You must be registered and logged in to see this link.], which is a type of virus to purposely damage as many files as possible, in order to keep control of your system, so you have as little access as possible.

Not only has your system been compromised severely, it is also highly damaged, and if you do not commit to my suggested removal method below, then your computer may not function anymore.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:




Removal method:

It is recommended to do a reformat and reinstall of your operating system. The experts in the [You must be registered and logged in to see this link.] security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

I recommend the following articles to read:


Guides for format and reinstall:

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42088
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Wed Nov 03, 2010 2:37 pm

Thank you, but as I said before, I have decided against a reformat, for many reasons. Please help me to clean my computer of this virus as much as possible, I would really appreciate it! I would also appreciate if you looked at all the information I have sent from the beginning because this process has been underway for 2 weeks now and we might be getting somewhere... hopefully. So let me know what I can do now. Thank you!

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Mon Nov 08, 2010 4:10 pm

Please let me know asap if you cannot help, so that I can look for help elsewhere... Now, should I remove all the programs I've downloaded onto my desktop while following your instructions, and can you please give me some tips on antivirus/antimalware to prevent this type of problem from happening again, once I've managed to fix it? Thank you!

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Tue Nov 09, 2010 10:45 am

Hello. I am back from vacation and will continue from here.

Clean infected files with Dr. Web CureIt

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right, and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Tue Nov 09, 2010 10:27 pm

Many objects were uncurable, so I "selected all" and when all the logos had a green dot on them, I selected "move" but still it seems they have not been moved. I tried this twice. When I attempted to exit, a message showed up saying "The list of detected threats contains objects to which no actions were applied. It is strongly recommended to neutralize them b4 closing the application." So I will stop here and wait for your answer to proceed.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Wed Nov 10, 2010 6:38 am

Avira Antivirus Rescue System

Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore or defeating the Ramnit infection.
  • Download The Avira AntiVir Rescue System from [You must be registered and logged in to see this link.].
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System.


Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.


Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed?.


Then please start the scan.

The Avira AntiVir Rescue System wil now

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

DrWeb

Post by natty on Wed Nov 10, 2010 2:41 pm

Ok I will try this, but I just wanted to let you know that although the files could not be moved, they could be deleted. Since they didn't seem like files I needed anyway (all related to Adobe Reader or Java), I deleted them, and managed to exit the application. Here is my log.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Sat Nov 13, 2010 2:05 am

Please, how can I use the CD to boot my computer? My computer never automatically opens anything I plug into (or insert in) it, I have to manually open "my computer" to see and execute what I want. When I insert the CD, I can open it to see all the files (package) I just burned, but I have no idea which action to take to execute the boot. I have tried to look for ways to configure my Windows so that it opens it automatically, but I don't know how. Can you help me? Is there a file I can click on to make it boot?

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Sat Nov 13, 2010 10:46 am

Make sure the CD is in first...then reboot the computer.

On boot up, quickly press F12, then choose your CD/DVD device from the menu and hit enter.

You should see something like "Press any key to boot from cd..."

Let me know if you see that.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Sun Nov 14, 2010 4:23 am

It has finished scanning, so what do I do now, to leave the program? Just turn off my computer? Does it leave a log somewhere? Thank you.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Mon Nov 15, 2010 6:05 am

Did it state it removed anything?

Reboot back to normal mode, and give me another ESET scan please.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on Tue Nov 16, 2010 1:39 am

Don't know if it removed anything, but it says :
Records: 26
Suspect files: 0
Warnings: 25

Here are the results of my ESET scan.
1822 found
1819 cleaned

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22948
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on Wed Nov 17, 2010 6:05 am

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    *desktoplayer*
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 13714
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Protection Protection : Bitdefender Total Security
Points Points : 302072
# Likes # Likes : 10

View user profile

Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum