Win32 / Ramnit.b?


  • This topic is locked This topic is locked

#1 Allaw (Member, 19 posts)
I became infected about 36 hours ago.

Since then, IE appears to work normally, but new tabs do not always open. AVG will not update, and Windows update doesn't work. Google Chrome hangs on loading, and Firefox will not run.

In addition, my PC is continuously accessing the (empty) floppy drive.

I have managed to run MBAM, which comes up clean, and have also tried MSE, which hung after a while, and re-installed AVG which gave multiple infection warnings, but has been silent since my last reboot.

I have downloaded and run OTL, but it seems to stick when scanning the Local Machine section of the registry.

What can I do next?

#2 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Hello Allaw, and welcome to GeeksToGo! My name is Mitch8 and I will be helping you with your problem. Here are a few things I would like to point out:
  • Please post your logs, don't attach them unless stated.
  • Please read my posts carefully and if you have any questions ask.
  • Stay with this topic until I tell you that your system is clean. Malware can still be on your system even if you don't notice it.

What anti-virus are you using now? You should only have one installed at a time because they can conflict with each other.

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop
Please download OTL to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.


Then select Start OTL. OTL will now run

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, post these logs in your Virus Removal topic.


#3 Allaw (Topic Starter, Member, 19 posts)
Hi Mitch, thanks for your response.

I have downloaded OTH and OTL to my desktop.

'Kill all processes' removes all icons, the Taskbar and the System Tray from the desktop, but leaves the wallpaper in place.

Running OTL goes fine, until it hangs at 'HKEY_LOCAL_MACHINE Run keys'.

#4 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Yes, when you kill all processes it is supposed to do that. You have to restart your computer by clicking on reboot to put things back to normal.

Try this.

1. Go HERE and download FileLister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.
  • Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
  • When the program is finished it will produce a log for you, Files.txt
  • Which will be located in the default location from which FileLister was run (the FileLister folder)


#5 Allaw (Topic Starter, Member, 19 posts)
Thanks Mitch

Unfortunately, the bamajim link gives me an internal server error..... :D

#6 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Oops, the website appears to be down.

  • Run OTL
  • Click the None button at the top
  • Under the Custom Scan box paste this in:


    hklm\software\microsoft\windows\currentversion\run

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window. Post OTL.Txt here.

Next,

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then attach the zip file to your next post
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip


#7 Allaw (Topic Starter, Member, 19 posts)
OTL.txt follows:

OTL logfile created on: 24/01/2011 22:47:17 - Run 1
OTL by OldTimer - Version 3.2.20.5 Folder = C:\Documents and Settings\Allen Lawford\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 372.60 Gb Total Space | 109.17 Gb Free Space | 29.30% Space Free | Partition Type: NTFS

Computer Name: MAIN | User Name: Allen Lawford | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< hklm\software\microsoft\windows\currentversiion\run >

< End of report >

#8 Allaw (Topic Starter, Member, 19 posts)
AVP zip is attached: avptool_sysinfo.zip (171.97KB)

#9 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Hi,

While I look at your log, can you run the OTL scan again? Follow the same instructions, but this time copy and paste the line into the custom scans box. It appears you spelled it wrong.

  • Run OTL
  • Click the None button at the top
  • Under the Custom Scan box paste this in:


    hklm\software\microsoft\windows\currentversion\run

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a notepad window. Post OTL.Txt here.


#10 Allaw (Topic Starter, Member, 19 posts)
OTL File below - apologies for delay - IE8 will not run, and I eventually had to dload Firefox/Opera to get back to you :D



OTL logfile created on: 25/01/2011 21:43:27 - Run 3
OTL by OldTimer - Version 3.2.20.5 Folder = C:\Documents and Settings\Allen Lawford\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 372.60 Gb Total Space | 97.86 Gb Free Space | 26.26% Space Free | Partition Type: NTFS
Drive D: | 4.35 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive I: | 982.72 Mb Total Space | 970.25 Mb Free Space | 98.73% Space Free | Partition Type: FAT

Computer Name: MAIN | User Name: Allen Lawford | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< hklm\software\microsoft\windows\currentversion\run >
"P17Helper" = Rundll32 SPIRun.dll,RunDLLEntry -- [2006/07/03 12:43:16 | 000,010,752 | ---- | M] (Creative Technology Ltd.)
"Logitech Utility" = Logi_MwX.Exe -- [2000/01/01 00:00:00 | 000,019,968 | ---- | M] (Logitech Inc.)
"NvMediaCenter" = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit -- [2010/11/05 01:34:34 | 000,110,696 | ---- | M] (NVIDIA Corporation)
"nwiz" = C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet -- [2010/10/21 17:51:04 | 001,753,192 | ---- | M] ()
"NvCplDaemon" = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup -- [2010/11/05 01:34:34 | 013,861,480 | ---- | M] (NVIDIA Corporation)
"AVG_TRAY" = C:\Program Files\AVG\AVG10\avgtray.exe -- [2010/10/22 04:57:54 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

< End of report >
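Added example (not code from the thread, from OTL or from its author): a small Python parser for the Run-key lines in the custom-scan output above, plus a triage rule that lists the entries a helper would read first: no company name in the trailing parentheses, or rundll32 loading a DLL by bare name rather than a full path. The sample lines are copied from the log above; the triage rule is an assumption of this example and marks entries for human review, not as infected.

```python
import re
from dataclasses import dataclass

# Sample in the OTL custom-scan format, taken from the log posted above.
SAMPLE_LOG = """\
< hklm\\software\\microsoft\\windows\\currentversion\\run >
"P17Helper" = Rundll32 SPIRun.dll,RunDLLEntry -- [2006/07/03 12:43:16 | 000,010,752 | ---- | M] (Creative Technology Ltd.)
"nwiz" = C:\\Program Files\\NVIDIA Corporation\\nView\\nwiz.exe /installquiet -- [2010/10/21 17:51:04 | 001,753,192 | ---- | M] ()
"AVG_TRAY" = C:\\Program Files\\AVG\\AVG10\\avgtray.exe -- [2010/10/22 04:57:54 | 002,745,696 | ---- | M] (AVG Technologies CZ, s.r.o.)

< End of report >
"""

# "name" = command -- [modified | size | attrs | M] (company)
LINE_RE = re.compile(
    r'^"(?P<name>[^"]+)" = (?P<cmd>.*?) -- '
    r'\[(?P<mtime>[^|]+) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+) \| (?P<stamp>[A-Z])\] '
    r'\((?P<company>.*)\)$'
)


@dataclass
class RunEntry:
    name: str
    command: str
    modified: str
    size: int
    company: str


def parse_otl_run_keys(text):
    """Return one RunEntry per Run-key line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(RunEntry(
            name=m['name'], command=m['cmd'], modified=m['mtime'].strip(),
            size=int(m['size'].replace(',', '')), company=m['company'].strip()))
    return entries


def flag_for_review(entries):
    """Assumed triage rule: entries with no company name, or rundll32 given a
    DLL by bare name (no drive-letter path), go to the top of the review list."""
    flagged = []
    for e in entries:
        cmd = e.command.lower()
        if not e.company or (cmd.startswith('rundll32') and ':\\' not in cmd):
            flagged.append(e.name)
    return flagged


if __name__ == '__main__':
    for name in flag_for_review(parse_otl_run_keys(SAMPLE_LOG)):
        print('review:', name)
```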
#11 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Hi,

Do you want PacificPoker installed on your computer?

  • Re-run AVPTool
  • Select the Manual Disinfection tab
  • Where it states Step 3 paste in the following disinfection script and press execute

    begin
     DelBHO('{1E796980-9CC5-11D1-A83F-00C04FC99D61}');
    end.
    

Next we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.


Next,

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


#12 Allaw (Topic Starter, Member, 19 posts)
Kaspersky is still running (the default is 'prompt for action' :D ), currently at 92% on the Restore section - will report when complete.

#13 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
OK

#14 Allaw (Topic Starter, Member, 19 posts)
Kaspersky report is now saved as a text file, but takes up 1.6mb (!)

This is too big to post, and exceeds my upload limit, apparently - how do I get it to you?

#15 Allaw (Topic Starter, Member, 19 posts)
I've attached a zip copy - hope this is ok
