Persistent virus, Ramnit A and C, I need help!!!


MBR log

Post by natty on 23rd October 2010, 8:15 pm

Ok done! So here's the MBR log...

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22998
# Likes # Likes : 0


TDSSKiller

Post by natty on 23rd October 2010, 8:20 pm

...and the TDSSKiller log:

2010/10/23 15:55:50.0515 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/23 15:55:50.0515 ================================================================================
2010/10/23 15:55:50.0515 SystemInfo:
2010/10/23 15:55:50.0515
2010/10/23 15:55:50.0515 OS Version: 5.1.2600 ServicePack: 2.0
2010/10/23 15:55:50.0515 Product type: Workstation
2010/10/23 15:55:50.0515 ComputerName: DELL_E521
2010/10/23 15:55:50.0515 UserName: Natty
2010/10/23 15:55:50.0515 Windows directory: C:\WINDOWS
2010/10/23 15:55:50.0515 System windows directory: C:\WINDOWS
2010/10/23 15:55:50.0515 Processor architecture: Intel x86
2010/10/23 15:55:50.0515 Number of processors: 2
2010/10/23 15:55:50.0515 Page size: 0x1000
2010/10/23 15:55:50.0515 Boot type: Normal boot
2010/10/23 15:55:50.0515 ================================================================================
2010/10/23 15:55:50.0859 Initialize success
2010/10/23 15:55:55.0421 ================================================================================
2010/10/23 15:55:55.0421 Scan started
2010/10/23 15:55:55.0421 Mode: Manual;
2010/10/23 15:55:55.0421 ================================================================================
2010/10/23 15:56:03.0687 ================================================================================
2010/10/23 15:56:03.0687 Scan finished
2010/10/23 15:56:03.0687 ================================================================================


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 24th October 2010, 6:22 pm

Fix using MBRCheck.exe

Run MBRCheck.exe again by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 5 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number and then press Enter.
  • When prompted for confirmation: "Do you want to fix the MBR code?". Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where the program name and path are written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: The Master Boot Record contains the Partition Table for the hard disk and a little executable code for the boot start. While fixing the [You must be registered and logged in to see this link.] is generally safe, there is a small risk of damaging the MBR, which may cause the computer to not boot up or it may corrupt a partition.

The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system


If it is the worst case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the [You must be registered and logged in to see this link.] before proceeding with the above fix. Then, if any problems occur, the links below explain how to use and repair the MBR:

If you do not have a Windows CD available, please let me know. You will need access to a computer that can burn CDs.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14310
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302971
# Likes # Likes : 10


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 25th October 2010, 5:17 pm

I do not have a Windows CD available, but I have a 2 yr-old Ghost and also have access to a computer that can burn CDs.

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22998
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 25th October 2010, 8:34 pm

Not a problem. We have proven recovery methods, and since you have XP, we can say there is a good possibility for recovery.



Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 25th October 2010, 11:19 pm

Ok, I just tried twice to run the program again but it never asks me to press Y for other options, it just says Done! after a few seconds and 'press ENTER to exit'...?

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22998
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 28th October 2010, 4:03 am

Delete the old copy and download a new one, and try once more, please.



Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 28th October 2010, 5:26 pm

Arrrrgggghhh!!! I've deleted it from my desktop, as well as the logs, and all related files I could find (using Total Kommander)... Twice. Reinstalled it, twice, using different links for download, and still I have the same problem. How can I truly delete the old copy from my computer??

natty
Novice
Novice

Posts Posts : 36
Joined Joined : 2010-10-16
OS OS : Windows XP SP2
Points Points : 22998
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 30th October 2010, 10:35 am

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.



Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 30th October 2010, 5:35 pm

Windows 5.1.2600 Disk: WDC_WD2500JS-75NCB3 rev.10.02E04 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

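The MBR layout that the MBRCheck note earlier in the thread describes (boot code, partition table, boot signature) and the two-path read comparison reported by mbr.log's "user & kernel MBR OK" line, as an added Python example that is not part of the thread or of either tool. The sample sectors are constructed inline; the fault names map to the boot errors the note lists, and the read comparison is the idea behind that log line, not the tool's actual code.

```python
"""Parse and sanity-check a 512-byte Master Boot Record and compare two reads of it.

Added example; not from the forum thread or from MBRCheck / mbr.exe.
Every sector below is constructed here, not taken from the poster's disk.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
ENTRY_SIZE = 16              # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510       # bytes 510..511 must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    status: int          # 0x80 = active/bootable, 0x00 = inactive
    part_type: int       # e.g. 0x07 NTFS, 0x0B FAT32, 0x00 unused
    lba_start: int       # first sector (LBA)
    sector_count: int    # length in sectors

    @property
    def used(self) -> bool:
        return self.part_type != 0 and self.sector_count > 0


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four entries; the CHS fields are skipped (LBA is authoritative)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append(PartitionEntry(status, ptype, lba, count))
    return entries


def mbr_problems(sector: bytes) -> List[str]:
    """Return the structural faults behind 'Invalid Partition Table' / 'Missing Operating System'."""
    if len(sector) != MBR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {MBR_SIZE}"]
    problems = []
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    entries = parse_partition_table(sector)
    for i, e in enumerate(entries):
        if e.status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{e.status:02x}")
    used = [e for e in entries if e.used]
    active = [e for e in used if e.status == 0x80]
    if len(active) > 1:
        problems.append("more than one active partition")
    if not active:
        problems.append("no active partition")
    # Overlapping partitions are another form of invalid partition table.
    spans = sorted((e.lba_start, e.lba_start + e.sector_count) for e in used)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            problems.append(f"partitions overlap at LBA {start2}")
    if not any(sector[:PART_TABLE_OFFSET]):
        problems.append("boot code is all zeros")
    return problems


def compare_reads(user_read: bytes, kernel_read: bytes) -> Optional[str]:
    """Two reads of the same sector through different paths must be byte-identical.

    Returns None when they agree (the 'user & kernel MBR OK' case), otherwise the
    region where the copies first diverge. A disagreement means something between
    the two read paths is presenting a different sector to each of them.
    """
    for i, (a, b) in enumerate(zip(user_read, kernel_read)):
        if a != b:
            if i < PART_TABLE_OFFSET:
                return f"boot code differs at offset {i}"
            if i < SIGNATURE_OFFSET:
                return f"partition table differs at offset {i}"
            return "boot signature differs"
    return None if len(user_read) == len(kernel_read) else "length differs"


def build_mbr(entries: List[Tuple[int, int, int, int]],
              boot_code: bytes = b"\xfa\x33\xc0") -> bytes:
    """Assemble a constructed MBR from (status, type, lba_start, count) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code          # placeholder boot code, constructed
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, lba, count)
    sector[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples (sizes and types chosen here, not data from the thread).
HEALTHY_MBR = build_mbr([(0x80, 0x07, 63, 488_392_002)])     # one active NTFS partition
NO_ACTIVE_MBR = build_mbr([(0x00, 0x07, 63, 488_392_002)])   # nothing marked bootable
OVERLAP_MBR = build_mbr([(0x80, 0x07, 63, 1_000), (0x00, 0x0B, 500, 1_000)])
# A kernel-path read whose first bytes differ from the user-path read.
TAMPERED_KERNEL_READ = b"\xeb\x3c" + HEALTHY_MBR[2:]

if __name__ == "__main__":
    print("healthy:", mbr_problems(HEALTHY_MBR) or "OK")
    print("no active:", mbr_problems(NO_ACTIVE_MBR))
    print("overlap:", mbr_problems(OVERLAP_MBR))
    print("reads:", compare_reads(HEALTHY_MBR, HEALTHY_MBR) or "user & kernel MBR OK")
    print("reads:", compare_reads(HEALTHY_MBR, TAMPERED_KERNEL_READ))
```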

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 1st November 2010, 1:33 am

One final (hopefully) ESET scan...



ESET scan

Post by natty on 2nd November 2010, 4:14 am

«found:19, cleaned:18»


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Crush on 3rd November 2010, 1:23 am

Hi Natty

I'll take over here since Jay is away.

Attention: Your computer is severely infected with Win32\Ramnit, what is now called a cocktail infection. This is an infection that is comprised of many different types of viruses and other malware, to damage your computer, and use it as a zombie for its backdoor network. In other words, your computer is under control of a hacker, and regaining control is now next to impossible.

The first component is a [You must be registered and logged in to see this link.], which is a type of trojan that communicates with a hacker: to transfer personal information about you, use your computer to help perform a denial-of-service attack, redirect your internet searches in order to make money off of your browsing habits, and can be a keylogger to steal personal identifiable information to help rob your identity.

The second component is a [You must be registered and logged in to see this link.], which is a type of malware to take control over your computer at administrator access, having full permission to modify all of your device drivers, and allowing itself to hide all the malware on the system. In other words, it is a hacker's way of taking control of your computer, and hiding in the dark at the same time. This is a prime initiative of hackers to help keep access to your computer, robbing all of your personal information, and using your computer to send spam across the internet.

The third component is a [You must be registered and logged in to see this link.], which is a type of virus to purposely damage as many files as possible, in order to keep control of your system, so you have as little access as possible.

Not only has your system been compromised severely, it is also highly damaged, and if you do not commit to my suggested removal method below, then your computer may not function anymore.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:




Removal method:

It is recommended to do a reformat and reinstall of your operating system. The experts in the [You must be registered and logged in to see this link.] security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

I recommend the following articles to read:


Guides for format and reinstall:

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

Crush
Master
Master

Posts Posts : 3889
Joined Joined : 2010-01-27
Gender Gender : Male
Points Points : 42138
# Likes # Likes : 0


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 3rd November 2010, 2:37 pm

Thank you, but as I said before, I have decided against a reformat, for many reasons. Please help me to clean my computer of this virus as much as possible, I would really appreciate it! I would also appreciate if you looked at all the information I have sent from the beginning because this process has been underway for 2 weeks now and we might be getting somewhere... hopefully. So let me know what I can do now. Thank you!


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 8th November 2010, 4:10 pm

Please let me know asap if you cannot help, so that I can look for help elsewhere... Now, should I remove all the programs I've downloaded onto my desktop while following your instructions, and can you please give me some tips on antivirus/antimalware to prevent this type of problem from happening again, once I've managed to fix it? Thank you!


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 9th November 2010, 10:45 am

Hello. I am back from vacation and will continue from here.

Clean infected files with Dr. Web CureIt

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Do NOT perform a scan yet.

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator

Posts : 14310
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302971
# Likes : 10


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 9th November 2010, 10:27 pm

Many objects were uncurable, so I "selected all" and when all the logos had a green dot on them, I selected "move" but still it seems they have not been moved. I tried this twice. When I attempted to exit, a message showed up saying "The list of detected threats contains objects to which no actions were applied. It is strongly recommended to neutralize them before closing the application." So I will stop here and wait for your answer to proceed.


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 10th November 2010, 6:38 am

Avira Antivirus Rescue System

Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore or defeating the Ramnit infection.
  • Download The Avira AntiVir Rescue System from [You must be registered and logged in to see this link.].
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System.


Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.


Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed.


Then please start the scan.

The Avira AntiVir Rescue System will now

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.


Dr. Jay (DJ)




DrWeb

Post by natty on 10th November 2010, 2:41 pm

Ok I will try this, but I just wanted to let you know that although the files could not be moved, they could be deleted. Since they didn't seem like files I needed anyway (all related to Adobe Reader or Java), I deleted them, and managed to exit the application. Here is my log.


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 13th November 2010, 2:05 am

Please, how can I use the CD to boot my computer? My computer never automatically opens anything I plug into (or insert in) it, I have to manually open "my computer" to see and execute what I want. When I insert the CD, I can open it to see all the files (package) I just burned, but I have no idea which action to take to execute the boot. I have tried to look for ways to configure my Windows so that it opens it automatically, but I don't know how. Can you help me? Is there a file I can click on to make it boot?


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 13th November 2010, 10:46 am

Make sure the CD is in first...then reboot the computer.

On boot up, quickly press F12, then choose your CD/DVD device from the menu and hit enter.

You should see something like "Press any key to boot from cd..."

Let me know if you see that.


Dr. Jay (DJ)




Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 14th November 2010, 4:23 am

It has finished scanning, so what do I do now, to leave the program? Just turn off my computer? Does it leave a log somewhere? Thank you.


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 15th November 2010, 6:05 am

Did it state it removed anything?

Reboot back to normal mode, and give me another ESET scan please.


Dr. Jay (DJ)




Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 16th November 2010, 1:39 am

Don't know if it removed anything, but it says :
Records: 26
Suspect files: 0
Warnings: 25

Here are the results of my ESET scan.
1822 found
1819 cleaned


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 17th November 2010, 6:05 am

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    *desktoplayer*
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Dr. Jay (DJ)




SystemLook

Post by natty on 20th November 2010, 10:07 pm

SystemLook 04.09.10 by jpshortstuff
Log created at 16:52 on 20/11/2010 by Natty
Administrator - Elevation successful


========== filefind ==========

Searching for "*desktoplayer*"
C:\Qoobox\Quarantine\C\Program Files\Microsoft\_DesktopLayer_.exe.zip --a---- 49424 bytes [00:43 19/10/2010] [13:00 09/11/2010] 4047C00887AB8F3278B57990CB54C219

Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a---- 180224 bytes [14:00 18/10/2010] [01:07 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a---- 180224 bytes [01:07 04/08/2004] [01:07 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\dllcache\scecli.dll --a--c- 180224 bytes [01:07 04/08/2004] [01:07 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\ERDNT\cache\netlogon.dll --a---- 407040 bytes [14:00 18/10/2010] [01:07 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll --a---- 407040 bytes [01:07 04/08/2004] [01:07 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c- 407040 bytes [01:07 04/08/2004] [01:07 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\WINDOWS\ERDNT\cache\eventlog.dll --a---- 55808 bytes [14:00 18/10/2010] [01:07 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a---- 55808 bytes [01:07 04/08/2004] [01:07 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c- 55808 bytes [01:07 04/08/2004] [01:07 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

Searching for "winlogon.exe"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 502272 bytes [14:00 18/10/2010] [01:07 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [01:07 04/08/2004] [01:07 04/08/2004] 93469F95485FA06E5D8BEB8D18AE309C
C:\WINDOWS\system32\dllcache\winlogon.exe --a---- 502272 bytes [01:07 04/08/2004] [01:07 04/08/2004] 93469F95485FA06E5D8BEB8D18AE309C

Searching for "comres.dll"
C:\WINDOWS\system32\comres.dll --a---- 792064 bytes [01:07 04/08/2004] [01:07 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\WINDOWS\system32\dllcache\comres.dll --a--c- 792064 bytes [01:07 04/08/2004] [01:07 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310

Searching for "crypt32.dll"
C:\WINDOWS\system32\crypt32.dll --a---- 597504 bytes [01:07 04/08/2004] [01:07 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\system32\dllcache\crypt32.dll --a--c- 597504 bytes [01:07 04/08/2004] [01:07 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18

Searching for "gpedit.dll"
C:\WINDOWS\system32\gpedit.dll --a--c- 566784 bytes [01:07 04/08/2004] [01:07 04/08/2004] C4EE648B2474D84CF081C3FE0DC578DA
C:\WINDOWS\system32\dllcache\gpedit.dll --a--c- 566784 bytes [01:07 04/08/2004] [01:07 04/08/2004] C4EE648B2474D84CF081C3FE0DC578DA

Searching for "rundll32.exe"
C:\WINDOWS\system32\rundll32.exe --a---- 33280 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\system32\dllcache\rundll32.exe --a--c- 33280 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF

Searching for "sfc.dll"
C:\WINDOWS\ERDNT\cache\sfc.dll --a---- 5120 bytes [14:00 18/10/2010] [01:07 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\system32\sfc.dll --a---- 5120 bytes [01:07 04/08/2004] [01:07 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\system32\dllcache\sfc.dll --a--c- 5120 bytes [01:07 04/08/2004] [01:07 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E

Searching for "svchost.exe"
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [14:00 18/10/2010] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [01:07 04/08/2004] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [01:07 04/08/2004] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

Searching for "cngaudit.dll"
No files found.

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a---- 4224 bytes [14:00 18/10/2010] [01:07 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\dllcache\beep.sys --a--c- 4224 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\drivers\beep.sys --a---- 4224 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9

Searching for "wscntfy.exe"
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a---- 13824 bytes [14:00 18/10/2010] [01:07 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\system32\wscntfy.exe --a--c- 13824 bytes [01:07 04/08/2004] [01:07 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c- 13824 bytes [01:07 04/08/2004] [01:07 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 95360 bytes [14:00 18/10/2010] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a---- 95360 bytes [01:07 04/08/2004] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-= EOF =-


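A small triage script for the SystemLook output above, added here as an example (it is not part of the thread and not SystemLook's own code): it parses the filefind hits, buckets each copy of a file by where it lives, and flags where the live system32 copy's MD5 disagrees with the dllcache or ERDNT backup copy, which is exactly what makes the winlogon.exe block above stand out. The sample log is an excerpt copied from the post above; the location buckets and finding kinds are this script's own assumptions.

```python
import re

# Constructed sample: an excerpt of the SystemLook "filefind" log posted above,
# reduced to four of its search blocks. The winlogon.exe block is the one that
# stands out: the ERDNT backup copy and the live system32 copy are the same size
# but carry different MD5 hashes.
SYSTEMLOOK_LOG = """\
========== filefind ==========

Searching for "*desktoplayer*"
C:\\Qoobox\\Quarantine\\C\\Program Files\\Microsoft\\_DesktopLayer_.exe.zip --a---- 49424 bytes [00:43 19/10/2010] [13:00 09/11/2010] 4047C00887AB8F3278B57990CB54C219

Searching for "winlogon.exe"
C:\\WINDOWS\\ERDNT\\cache\\winlogon.exe --a---- 502272 bytes [14:00 18/10/2010] [01:07 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\\WINDOWS\\system32\\winlogon.exe --a---- 502272 bytes [01:07 04/08/2004] [01:07 04/08/2004] 93469F95485FA06E5D8BEB8D18AE309C
C:\\WINDOWS\\system32\\dllcache\\winlogon.exe --a---- 502272 bytes [01:07 04/08/2004] [01:07 04/08/2004] 93469F95485FA06E5D8BEB8D18AE309C

Searching for "svchost.exe"
C:\\WINDOWS\\ERDNT\\cache\\svchost.exe --a---- 14336 bytes [14:00 18/10/2010] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\\WINDOWS\\system32\\svchost.exe --a---- 14336 bytes [01:07 04/08/2004] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\\WINDOWS\\system32\\dllcache\\svchost.exe --a--c- 14336 bytes [01:07 04/08/2004] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

Searching for "cngaudit.dll"
No files found.

-= EOF =-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<pattern>[^"]+)"$')
# One hit line: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def classify(path):
    """Bucket a hit by where it lives (assumed buckets, not a SystemLook concept)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"   # already moved aside by ComboFix
    if "\\system32\\dllcache\\" in p or "\\erdnt\\cache\\" in p:
        return "reference"    # WFP cache / ERUNT backup: copies to compare against
    if "\\windows\\system32\\" in p:
        return "live"         # the copy Windows actually loads
    return "other"            # a system binary outside its normal home


def parse_filefind(log):
    """Map each 'Searching for' pattern to the list of hits SystemLook reported for it."""
    results = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("pattern")
            results[current] = []
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hit["location"] = classify(hit["path"])
            results[current].append(hit)
    return results


def triage(results):
    """Return the hits worth a closer look, as a list of finding dicts."""
    findings = []
    for pattern, hits in results.items():
        for h in hits:
            if h["location"] == "quarantine":
                findings.append({"pattern": pattern, "kind": "quarantined-artifact", "path": h["path"]})
            elif h["location"] == "other":
                findings.append({"pattern": pattern, "kind": "unexpected-location", "path": h["path"]})
        live = [h for h in hits if h["location"] == "live"]
        refs = [h for h in hits if h["location"] == "reference"]
        for live_hit in live:
            for ref_hit in refs:
                if live_hit["md5"] != ref_hit["md5"]:
                    findings.append({
                        "pattern": pattern,
                        "kind": "hash-mismatch",
                        "path": live_hit["path"],
                        "reference": ref_hit["path"],
                        # an infector that appends to its host changes the size; equal
                        # size with a changed hash means the contents were altered in place
                        "same_size": live_hit["size"] == ref_hit["size"],
                    })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_filefind(SYSTEMLOOK_LOG)):
        print(finding)
```

A hash mismatch only says the copies disagree, not which one is clean; the follow-up the thread itself uses is to submit the file to a multi-engine scanner, as Dr Jay does with sfcfiles.dll later on.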
Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 21st November 2010, 6:16 pm

Many of your system drivers and important system files are infected.

Delete your copy of ComboFix and download a new one.

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.] (Click the green button on the page to download it).

Rename ComboFix.exe to desktoplayer.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\desktoplayer.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)




ComboFix

Post by natty on 22nd November 2010, 4:29 pm

Done.


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 22nd November 2010, 8:48 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::

    folder::
    c:\documents and settings\Natty\Application Data\Ygin
    c:\documents and settings\Natty\Application Data\Ixexri
    c:\documents and settings\Natty\Application Data\Mofyu
    c:\documents and settings\Natty\Application Data\Yhciuv

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-

    FileLook::
    c:\windows\system32\drivers\svchost.exe

    Snapshot::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)




Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 27th November 2010, 6:38 pm

Here is my log.


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 28th November 2010, 6:41 pm

Please go to: [You must be registered and logged in to see this link.]




  • Click the Browse button and search for the following file: c:\windows\system32\sfcfiles.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.


Dr. Jay (DJ)




Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 9th December 2010, 2:23 am

File name: sfcfiles.dll
Submission date: 2010-12-09 01:38:08 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.12.09.00 2010.12.08 -
AntiVir 7.10.14.228 2010.12.08 -
Antiy-AVL 2.0.3.7 2010.12.08 -
Avast 4.8.1351.0 2010.12.08 -
Avast5 5.0.677.0 2010.12.08 -
AVG 9.0.0.851 2010.12.08 -
BitDefender 7.2 2010.12.09 -
CAT-QuickHeal 11.00 2010.12.08 -
ClamAV 0.96.4.0 2010.12.09 -
Command 5.2.11.5 2010.12.08 -
Comodo 6996 2010.12.09 -
DrWeb 5.0.2.03300 2010.12.09 -
Emsisoft 5.1.0.1 2010.12.08 -
eSafe 7.0.17.0 2010.12.07 -
eTrust-Vet 36.1.8027 2010.12.08 -
F-Prot 4.6.2.117 2010.12.08 -
F-Secure 9.0.16160.0 2010.12.09 -
Fortinet 4.2.254.0 2010.12.08 -
GData 21 2010.12.09 -
Ikarus T3.1.1.90.0 2010.12.08 -
Jiangmin 13.0.900 2010.12.08 -
K7AntiVirus 9.71.3191 2010.12.08 -
Kaspersky 7.0.0.125 2010.12.09 -
McAfee 5.400.0.1158 2010.12.09 -
McAfee-GW-Edition 2010.1C 2010.12.09 -
Microsoft 1.6402 2010.12.08 -
NOD32 5686 2010.12.08 -
Norman 6.06.12 2010.12.08 -
nProtect 2010-12-08.02 2010.12.08 -
Panda 10.0.2.7 2010.12.08 -
PCTools 7.0.3.5 2010.12.09 -
Prevx 3.0 2010.12.09 -
Rising 22.77.01.08 2010.12.08 -
Sophos 4.60.0 2010.12.09 -
SUPERAntiSpyware 4.40.0.1006 2010.12.09 -
Symantec 20101.2.0.161 2010.12.08 -
TheHacker 6.7.0.1.097 2010.12.08 -
TrendMicro 9.120.0.1004 2010.12.08 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.09 -
VBA32 3.12.14.2 2010.12.08 -
VIPRE 7568 2010.12.09 -
ViRobot 2010.12.8.4191 2010.12.08 -
VirusBuster 13.6.82.0 2010.12.08 -

Additional information

MD5 : 9f960fac5166f8626b9cde4dd9a0eb84
SHA1 : c8b4fcb567d1decc3f0c44c0dddc8479fd01cd2d
SHA256: 444adb57966fad0f0299d3e08d2d3c8525477c3bc39f7d3609f3d1d50e909212
ssdeep: 3072:1b9Ro/7HtFUipn9tVtjRVSLKKWPY+/eRlYw4a75pGgdR5TmVG3cxmFD9yRMNujWw:18/7NFU8tCm075wg9gG3emF4RMNu
File size : 1580544 bytes
First seen: 2009-07-27 14:33:37
Last seen : 2010-12-09 01:38:08
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows 2000 System File Checker
original name: sfcfiles.dll
internal name: sfcfiles.dll
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x120D
timedatestamp....: 0x41107C20 (Wed Aug 04 06:03:12 2004)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xCBF, 0xE00, 5.88, 26f3f85ddf7d183e3679894901dc54b3
.data, 0x2000, 0x1765B8, 0x176600, 3.27, 6bd241897cebe97665834f6b79fce245
.rsrc, 0x179000, 0x418, 0x600, 2.54, 3602e2d32d16564d93b70db769379042
.reloc, 0x17A000, 0x9E56, 0xA000, 5.76, d5f4de8f8bae56e26c617081b34c746a

[[ 1 import(s) ]]
ntdll.dll: LdrDisableThreadCalloutsForDll, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, RtlGetVersion, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory

[[ 1 export(s) ]]
SfcGetFiles

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 3584
CompanyName: Microsoft Corporation
EntryPoint: 0x120d
FileDescription: Windows 2000 System File Checker
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 1544 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
FileVersionNumber: 5.1.2600.2180
ImageVersion: 5.1
InitializedDataSize: 1575936
InternalName: sfcfiles.dll
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: sfcfiles.dll
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.2180
ProductVersionNumber: 5.1.2600.2180
Subsystem: Windows command line
SubsystemVersion: 4.1
TimeStamp: 2004:08:04 08:03:12+02:00
UninitializedDataSize: 0



Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 10th December 2010, 3:16 am

Now, please re-run ComboFix and post a log.


Dr. Jay (DJ)




ComboFix log

Post by natty on 21st December 2010, 5:12 pm

ComboFix 10-12-20.05 - Natty 2010-12-21 11:41:01.5.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1033.18.1022.695 [GMT -5:00]
Lancé depuis: c:\documents and settings\Natty\Desktop\desktoplayer.exe
* Un nouveau point de restauration a été créé
.

((((((((((((((((((((((((((((( Fichiers créés du 2010-11-21 au 2010-12-21 ))))))))))))))))))))))))))))))))))))
.

Pas de nouveau fichier créé dans ce laps de temps

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2008-01-16 . 9F960FAC5166F8626B9CDE4DD9A0EB84 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="d:\logiciel\Divers\RocketDock\RocketDock.exe" [2010-10-17 418181]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-10-14 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-04 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-3-7 221247]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\LogiCiel\\Internet\\eMule\\emule.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\LogiCiel\\Internet\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R1 vcdrom;Virtual CD-ROM Device Driver;d:\logiciel\Systeme\VirtualDVD\VCdRom.sys [2009-11-08 8576]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\logiciel\Systeme\Everest\kerneld.wnt [2008-03-06 22640]
.
Contenu du dossier 'Tâches planifiées'

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-10-29 c:\windows\Tasks\DriverCure.job
- d:\logiciel\DriverCure\DriverCure.exe [2009-08-07 19:36]
.
.
------- Examen supplémentaire -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: CabBuilder - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Natty\Application Data\Mozilla\Firefox\Profiles\5iz7nibw.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\logiciel\Internet\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - d:\logiciel\Internet\Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-12-21 11:43
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\d:\logiciel\Systeme\Everest\kerneld.wnt"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\msi.dll
.
Heure de fin: 2010-12-21 11:44:36
ComboFix-quarantined-files.txt 2010-12-21 16:44
ComboFix2.txt 2010-11-27 18:23
ComboFix3.txt 2010-11-22 16:21
ComboFix4.txt 2010-10-19 00:45
ComboFix5.txt 2010-12-21 16:39

Avant-CF: 864 837 632 bytes free
Après-CF: 854 503 424 bytes free

- - End Of File - - 347D82CAEAB336392EE960D68D0BB3D4


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 22nd December 2010, 11:10 am

I see no other malware.

Hiya! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.


Dr. Jay (DJ)



Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 23rd December 2010, 1:00 am

I have completed all 4 tasks.
Here is my log:

Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 2
[You must be registered and logged in to see this link.]
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 3
Out of date Java installed!
Adobe Flash Player 10.0.22.87
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.2.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.13) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

My computer seems to be running ok, but some error messages always pop up when I start it. Do I delete SecurityCheck now?
I was thinking of installing Avira antivirus, do you have any better suggestions?
Thanks a million for your help, it was most useful!
Natty


Re: Persistent virus, Ramnit A and C, I need help!!!

Post by Dr Jay on 23rd December 2010, 6:30 am

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via [You must be registered and logged in to see this link.].

More info about SP3: [You must be registered and logged in to see this link.]

Update Firefox

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.


Update Adobe Reader

Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Update Java

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.


Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

  • [You must be registered and logged in to see this link.]: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  • [You must be registered and logged in to see this link.]: this is one of the most powerful and easiest-to-use security programs. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software.


Firewall

  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version.
  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • [You must be registered and logged in to see this link.]: free and excellent firewall.


Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)


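The hosts-file mechanism Dr Jay describes above (a blocking HOSTS file pins known bad names to 127.0.0.1, so the name resolves to the local loopback address before any DNS lookup happens and the connection never leaves the machine) can be made concrete in code. The script below is an added example, not from the thread and not part of hpHosts or any other list; it parses a small constructed hosts file in the same format Windows uses, answers "would this name be blocked?" the way the resolver would (first matching entry wins, comments ignored, several names per line allowed), and lists the blocked names. The names under example.test are placeholders.

```python
"""Parse a HOSTS file and show how loopback entries block name resolution.

Added example (not from the forum thread). SAMPLE_HOSTS is constructed to
look like a blocking hosts file such as the hpHosts/MVPS lists; the
example.test names are placeholders, not real ad or malware domains.
"""
from typing import Dict, List, Optional

# Addresses a blocking hosts file uses to sink a name: the IPv4 and IPv6
# loopback addresses, plus 0.0.0.0, which newer lists prefer because it
# fails fast instead of waiting on a local web server that does not exist.
SINK_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

SAMPLE_HOSTS = """\
# Constructed sample in the style of a blocking hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.test          # ad network (constructed)
127.0.0.1       tracker.example.test bad.example.test
0.0.0.0         malware.example.test
192.0.2.10      intranet.example.test     # an ordinary mapping, not a block
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} for every entry in a hosts file.

    Comments (# ...) and blank lines are ignored; one line may list several
    names after the address. Like the Windows resolver, the first entry for a
    name wins, so later duplicates do not override it.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                        # address with no names
            continue
        address, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def resolve_locally(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Address the hosts file gives for hostname, or None if it would fall
    through to a DNS query (hosts entries are consulted before DNS)."""
    return mapping.get(hostname.lower().rstrip("."))


def is_blocked(hostname: str, mapping: Dict[str, str]) -> bool:
    """True if the hosts file sinks the name to a loopback/null address.

    'localhost' is excluded: it legitimately maps to 127.0.0.1 and ::1.
    """
    name = hostname.lower().rstrip(".")
    if name == "localhost":
        return False
    address = resolve_locally(name, mapping)
    return address is not None and address in SINK_ADDRESSES


def blocked_names(mapping: Dict[str, str]) -> List[str]:
    """Sorted list of every name the hosts file blocks."""
    return sorted(name for name in mapping if is_blocked(name, mapping))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.test", "intranet.example.test", "unknown.example.test"):
        print(f"{name}: local answer={resolve_locally(name, hosts)} blocked={is_blocked(name, hosts)}")
    print("blocked:", blocked_names(hosts))
```

To check a real machine rather than the constructed sample, read `%SystemRoot%\System32\drivers\etc\hosts` into `parse_hosts`; a very large blocked list (tens of thousands of names) is normal after installing hpHosts, whereas unexpected entries that point legitimate sites (antivirus update servers, Windows Update) at loopback are a classic sign of malware editing the same file to block remediation.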

Re: Persistent virus, Ramnit A and C, I need help!!!

Post by natty on 8th February 2011, 5:02 am

Done, done, and done! But a few questions arise:
I cannot download Adobe Reader for some reason. Every time, it says that it permanently deletes from my computer the application I download.
Also, I was wondering if it's ok to have 2 firewalls running (3 including windows), or should I only have one?
And how do I use hpHosts file? Do I have to download something?
Lastly, my Avira antivirus is still telling me I have a Ramnit virus... so I'm not quite sure we've eradicated it completely! SOS..
