Ramnit

Post by Maxim on Fri 02 Sep 2011, 5:46 pm

Hello!

My Avast AV found 2500 infections on my PC, but Malwarebytes found none... I already used ComboFix and nothing happened...

The viruses/trojans found by Avast are: vbs:ExeDropper-gen; win32:Ramnit-G

After reading some posts from here, I used TFC.exe (Temp File Cleaner) by OldTimer, and did a search with the ESET online scanner.

The ESET online scanner found more than 19000 infected files with the viruses Win32/Ramnit.A and Win32/Ramnit.H.

Could anyone help me with this?

Thanks

Maxim

Unborn

Posts : 4
Joined : 2011-03-27
Operating System : win7

Re: Ramnit

Post by Gabethebabe on Fri 02 Sep 2011, 6:22 pm

Hi there Maxim and welcome to GeekPolice!

I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Ramnit

Post by Maxim on Fri 02 Sep 2011, 9:34 pm

Thank you very much for your support.

Here is the ComboFix log:


ComboFix 11-09-01.03 - Max 02-09-2011 10:56:51.6.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.351.2070.18.2047.1222 [GMT 1:00]
Executando de: c:\users\Max\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2011-08-02 to 2011-09-02 ))))))))))))))))))))))))))))
.
.
2011-09-02 10:05 . 2011-09-02 10:05 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-09-02 10:05 . 2011-09-02 10:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-02 10:05 . 2011-09-02 10:05 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2011-09-01 18:47 . 2011-09-01 18:47 -------- d-----w- c:\program files\ESET
2011-09-01 15:18 . 2011-09-01 15:18 -------- d-----w- c:\users\Max\AppData\Roaming\GetRightToGo
2011-09-01 14:49 . 2011-09-01 15:09 -------- d-----w- C:\sh4ldr
2011-08-31 14:53 . 2011-08-31 14:53 -------- d-----w- c:\users\Max\AppData\Local\bitComposer
2011-08-31 14:52 . 2011-08-31 14:52 -------- d-----w- c:\programdata\mpDRM
2011-08-31 14:52 . 2011-08-31 14:52 -------- d-----w- c:\program files\Common Files\mpDRM
2011-08-31 14:52 . 2011-08-31 14:52 -------- d-----w- c:\users\Max\AppData\Roaming\ProtectDISC
2011-08-31 14:29 . 2011-08-31 14:29 -------- d-----w- c:\users\Max\AppData\Local\Redlynx
2011-08-31 09:39 . 2011-09-01 23:47 -------- d-----w- c:\program files\xikiicro
2011-08-14 21:00 . 2011-08-14 21:00 -------- d-----w- c:\users\Max\AppData\Local\Arktos
2011-08-14 21:00 . 2011-08-14 21:00 -------- d-----w- c:\users\Max\AppData\Local\CrashRpt
2011-08-09 20:55 . 2011-08-09 20:55 -------- d-----w- c:\users\Max\partilha
2011-08-06 01:14 . 2011-08-06 01:14 -------- d-----w- c:\programdata\PixelActive
2011-08-06 01:13 . 2011-08-06 01:13 -------- d-----w- c:\users\Max\AppData\Local\IsolatedStorage
2011-08-06 01:13 . 2011-08-06 01:13 -------- d-----w- c:\users\Max\AppData\Local\PixelActive_Inc
2011-08-06 01:10 . 2011-08-06 01:10 -------- d-----w- c:\program files\CityScape 1.8 Autodesk Promo
2011-08-03 21:39 . 2011-09-01 00:28 -------- d-----w- c:\programdata\boost_interprocess
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 18:52 . 2011-03-26 18:11 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-03-26 18:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43 . 2011-05-31 22:32 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2011-05-31 22:32 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2011-05-31 22:32 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:36 . 2011-05-31 22:32 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2011-05-31 22:32 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2011-05-31 22:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2011-05-31 22:32 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2011-05-31 22:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-25 17:35 . 2010-02-07 23:10 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"DAEMON Tools Lite"="c:\program files\_DVD\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-09-30 95576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-10 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-16 153608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"Malwarebytes' Anti-Malware"="c:\program files\_Utils\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:77a2076d0
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Max^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Iniciação Rápida do Microsoft Office OneNote 2007.lnk]
path=c:\users\Max\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Iniciação Rápida do Microsoft Office OneNote 2007.lnk
backup=c:\windows\pss\Iniciação Rápida do Microsoft Office OneNote 2007.lnk.Startup
backupExtension=.Startup
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Serviço Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
R2 mi-raysat_3dsmax2012_32;mental ray 3.9 Satellite for Autodesk 3ds Max Design 2012 32-bit - English 32-bit;c:\program files\Autodesk\3ds Max Design 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe [2011-02-23 86016]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 gupdatem;Serviço Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-22 2808664]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-02 691696]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-04-17 218688]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-26 176128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-07-04 54104]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-09-30 238952]
S2 MBAMService;MBAMService;c:\program files\_Utils\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-26 6380032]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-26 221696]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x86.sys [2009-10-13 49152]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-07-15 101904]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-09-06 36608]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 07:34]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 07:34]
.
.
------- Scan Suplementar -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Max\AppData\Roaming\Mozilla\Firefox\Profiles\guj38cs8.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: United States English Spellchecker: [You must be registered and logged in to see this link.] - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - Ext: avast! WebRep: [You must be registered and logged in to see this link.] - c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- Associação de arquivos/ficheiros -------
.
.scr=AutoCADScriptFile
.txt=
.
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
.
- - - - - - - > 'Explorer.exe'(4968)
c:\windows\system32\ieframe.dll
.
Tempo para conclusão: 2011-09-02 11:06:53
ComboFix-quarantined-files.txt 2011-09-02 10:06
ComboFix2.txt 2011-09-01 13:43
ComboFix3.txt 2011-09-01 13:31
ComboFix4.txt 2011-05-31 21:21
ComboFix5.txt 2011-09-01 16:42
.
Pré-execução: 46.314.291.200 bytes livres
Pós execução: 46.266.675.200 bytes livres
.
- - End Of File - - AEAC4C3BF6582D5ED6FF6D2C4032CEBF

Sorry for the Portuguese language.


Maxim

Re: Ramnit

Post by Gabethebabe on Fri 02 Sep 2011, 10:41 pm

Ugh, I did not see that you used ComboFix previously. I missed that in your original post. Can you find the old ComboFix logs for me to have a look at?
They will be in the root directory of your hard disk (C:\).

Note that running ComboFix without supervision of a trained malware helper is not a good idea. It is a loaded gun that can shoot big holes; you don't want that in rookie hands.

Also note that Ramnit is an infection that sometimes warrants a complete reformat and reinstall, because it damages the system too much. We will see if that is the case.

Gabethebabe

Re: Ramnit

Post by Maxim on Sat 03 Sep 2011, 12:11 pm

Oops...
I erased the log file before making the last run of ComboFix.

The previous file was too extensive and I thought that it was a lot of lines to put here... my mistake!

Do we have another solution?

Most of the "exe" files are infected... Assuming that we could eliminate the virus, is it possible to recover the "exe" files?

Thanks again for your time!


Maxim

Re: Ramnit

Post by Gabethebabe on Sun 04 Sep 2011, 2:02 am

You said that you have found 2500 infections with Avast and 19000 with ESET.

If that is true, there really is no other option but to format and reinstall your system.

Do you have any kind of log from either of these scanners? I would like to verify a couple of the files that are reported as infected, to double-check that they really are infected.

Gabethebabe

Re: Ramnit

Post by Maxim on Sun 04 Sep 2011, 11:23 am

Hello!

I've seen that I have a battle for this Sunday... clean and reinstall all programs and the O.S.

I'll search the ESET log and I'll send you if I find it!

Thank you for your help!!

Maxim
