WIN32:Ramnit-H: need help removing all of it

Hi there everyone.

I’m trying to sort out a laptop (Dell Inspiron 6400 with XP Home) which has been heavily infected with a number of problems, the main one being Ramnit-H, which appears in about 700-800 instances when I first ran Avast. Even then, the laptop still ran, albeit slowly, but Malwarebytes anti-malware wouldn’t start, and the laptop invariably blue-screened if I tried to start in safe-mode.

The main problem was that Avast kept showing the error: “Could not move to chest: disk full” when I tried to quarantine a lot of the Ramnit results. The HDD space appears to be fine - under Windows, it shows as over 40Gigs free - so I assume Ramnit or one of the few other problems found is causing this problem for Avast.

Since then, I’ve run Dr Web Cure It, which managed to repair a lot of the infected files, the laptop’s running faster, and Malwarebytes will run (I ran it, and it nailed some more problems).

The problem is, Ramnit seems to have gotten into a lot of the system files, and if I just run Avast and delete them (still can’t move to chest, as mentioned above), I assume the laptop just isn’t going to boot again, or will run unstably. Is there any way to repair these system files, or is it the case that so many have been infected that an HDD wipe and re-installation is the only answer?

Any advice much appreciated.

Logs to follow later today.

Cheers, Jon.

Hello,
there is some limit of Virus chest size in settings, see “settings → virus chest”.

Milos

Ramnit is a file infector (computer cancer) and many experts recommend format and reinstall

Director of research Malwarebytes
http://miekiemoes.blogspot.no/2009/02/virut-and-other-file-infectors-throwing.html

Essexboy is notified…wait for his advice

Once you have followed Milos's suggestion to increase the chest size:

Download OTL to your Desktop
Secondary link

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs
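The /md5start … /md5stop block in the custom scan above asks OTL to hash those core Windows binaries so the helper can compare them against known-good values; a file infector such as Ramnit changes the hash of every file it patches, and a dropped copy of a system executable in an odd location shows up as a new file. The Python below is an added example, not OTL code or anything posted in this thread: it takes the same file patterns, snapshots a baseline, and reports modified, missing and new matches. The directory tree, file contents and the simulated infection are all constructed. MD5 is used only because that is what OTL reports; it is not collision-resistant, so a fresh baseline for real use should be taken with SHA-256.

```python
import fnmatch
import hashlib
import os
import tempfile

# File patterns copied from the /md5start ... /md5stop block of the OTL custom scan.
MD5_PATTERNS = ["services.*", "explorer.exe", "winlogon.exe",
                "userinit.exe", "svchost.exe", "winsock.*"]


def md5_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_matching_files(root, patterns=MD5_PATTERNS):
    """Walk `root` and return {relative_path: md5} for every file whose name
    matches one of the patterns (compared case-insensitively, as Windows would)."""
    lowered = [p.lower() for p in patterns]
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in lowered):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hashes[rel] = md5_of_file(full)
    return hashes


def compare_to_baseline(current, baseline):
    """Classify differences between a fresh snapshot and a known-good one.
    'modified' is the file-infector signal: same path, different hash."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: snapshot a fake system tree, then simulate an
    infector appending to winlogon.exe and dropping a stray svchost.exe copy."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    for name in ["services.exe", "explorer.exe", "winlogon.exe", "userinit.exe",
                 "svchost.exe", "winsock.dll", "notepad.exe"]:
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(b"MZ constructed clean body of " + name.encode())

    baseline = hash_matching_files(root)  # taken while the tree is clean

    # Simulated file-infector behaviour: append code to an existing system binary.
    with open(os.path.join(sys32, "winlogon.exe"), "ab") as fh:
        fh.write(b"\x90\x90 constructed appended payload")
    # Simulated dropper: a copy of svchost.exe under a user-profile data folder.
    stray_dir = os.path.join(root, "Documents and Settings", "user",
                             "Local Settings", "Application Data", "constructed_dir")
    os.makedirs(stray_dir)
    with open(os.path.join(stray_dir, "svchost.exe"), "wb") as fh:
        fh.write(b"MZ constructed dropped copy")

    return compare_to_baseline(hash_matching_files(root), baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it as-is to see the constructed scenario; for a real machine, call hash_matching_files on the system drive while it is known clean, store the result, and diff against it later. Note that notepad.exe never appears in the output because it matches none of the patterns, which is the point of the narrow list: it keeps the comparison focused on the binaries an infector must touch to survive a reboot.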

OK, the OTL scan finished successfully, and I’ve posted the OTL.Txt log here http://home.btconnect.com/audiostate/OTL.Txt and the Extras.Txt log here http://home.btconnect.com/audiostate/Extras.Txt.

Many thanks for your input Milos and Essexboy (and I’ve set the chest size in Avast to 0, which apparently means it’s unlimited).

Regards, Jon.

Unfortunately the formatting is corrupt… Could you attach the files here please

Sorry about that. Not sure how I attach here though. I assume by attach you don’t mean simply cut and paste into the message body (I tried that, and even a third of each log seems to exceed the 10,000 character limit). I saw Mediafire listed as a place to share logs. Should I sign up for a Mediafire account?

Regards, Jon.

Doh, should have read below the reply box as well as above. Please ignore the previous fine example of my stupidity! The logs will follow in a minute…

Apologies, Jon.

OK, here we go…

Ta ;D
On completion of these two runs let me know how the computer is behaving

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
FF - prefs.js..extensions.enabledAddons: {3bbd3c14-4c16-4989-8366-95bc9179779d}:10.10.27.6
FF - prefs.js..extensions.enabledAddons: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}:10.10.27.6
[2012/08/22 11:13:02 | 000,000,000 | ---D | M] (FLV Runner) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\dmymrk9x.default\extensions\{3bbd3c14-4c16-4989-8366-95bc9179779d}
[2012/08/01 13:34:09 | 000,000,000 | ---D | M] (Babylon) -- C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\dmymrk9x.default\extensions\ffxtlbr@babylon.com
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.29.1\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-3201766555-2859469657-3983071691-1006..\Run: [MlmOrmgt] C:\Documents and Settings\Richard\Local Settings\Application Data\eiuchjwg\mlmormgt.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Richard\Local Settings\Application Data\eiuchjwg\mlmormgt.exe) - File not found

:Files
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
C:\Documents and Settings\Richard\Local Settings\Application Data\eiuchjwg

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
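The O4 and O20 lines in the fix above are the entries the helper acted on: a Run value and the Winlogon UserInit value both pointing at an executable under Local Settings\Application Data that no longer exists, so every logon would try to launch it. The Python below is an added example, not OTL code or anything posted in this thread; it triages OTL-style O4/O20 lines with the three checks a reviewer applies by eye: the target is reported as missing, the target lives in a user-profile data folder rather than a program directory, and UserInit does not point at the stock userinit.exe. The sample lines are constructed (the SID and the clean avast entry are made up) and modelled on the format of the lines in the fix.

```python
import re

# Constructed OTL-style lines modelled on the O4/O20 entries quoted in the fix above.
SAMPLE_LINES = [
    r"O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)",
    r"O4 - HKU\S-1-5-21-1111111111-2222222222-3333333333-1006..\Run: [MlmOrmgt] "
    r"C:\Documents and Settings\Richard\Local Settings\Application Data\eiuchjwg\mlmormgt.exe File not found",
    r"O20 - HKLM Winlogon: UserInit - "
    r"(C:\Documents and Settings\Richard\Local Settings\Application Data\eiuchjwg\mlmormgt.exe) - File not found",
    r"O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - (Microsoft Corporation)",
]

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
O20_RE = re.compile(r"^O20 - HKLM Winlogon: UserInit - \((?P<path>[^)]*)\) - (?P<rest>.*)$")

# Folders a legitimate autostart binary is not normally launched from.
USER_PROFILE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# The only value UserInit should hold on a stock XP install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def split_path_and_status(rest):
    """Separate the path from OTL's trailing status: 'File not found' or '(Vendor)'."""
    rest = rest.strip()
    if rest.endswith("File not found"):
        return rest[: -len("File not found")].strip(), "File not found"
    if rest.endswith(")") and " (" in rest:
        path, vendor = rest.rsplit(" (", 1)
        return path.strip(), vendor[:-1]
    return rest, ""


def triage_line(line):
    """Return a finding dict for an O4/O20 line, or None if the line is another type."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        kind, name = "O4 Run", m.group("name")
        path, status = split_path_and_status(m.group("rest"))
    else:
        m = O20_RE.match(line)
        if not m:
            return None
        kind, name = "O20 UserInit", "UserInit"
        path, status = m.group("path"), m.group("rest").strip()
        if path.lower() != EXPECTED_USERINIT:
            reasons.append("UserInit does not point at the stock userinit.exe")
    if "File not found" in status:
        reasons.append("target file missing (orphaned autostart)")
    if any(marker in path.lower() for marker in USER_PROFILE_MARKERS):
        reasons.append("autostart target lives in a user-profile data folder")
    return {"kind": kind, "name": name, "path": path, "reasons": reasons}


def triage(lines):
    """Keep only the entries that tripped at least one check."""
    findings = []
    for line in lines:
        result = triage_line(line)
        if result and result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding["kind"], finding["name"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The checks are deliberately conservative: an orphaned Run entry on its own is usually just leftover from a removed program, but an orphaned UserInit value is different, because Winlogon runs whatever is there at every logon, which is why the fix above both removes the entry and deletes the folder it pointed at.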

Great, I’ll get started on these next steps immediately.

I’ve already got ComboFix on the laptop, having read some of your other posts :)

Cheers, Jon.

OK, here’s the log OTL produced after running the fix above.

Going to run ComboFix now.

Thanks again, Jon.

Right, here’s the log produced by ComboFix.

The machine certainly seems to be running more quickly now.

How do the logs look essexboy? I’ll keep my fingers crossed, and keep using the laptop to see if anything obvious crops up.

Regards, Jon.

Looking good so far, browsing with multiple windows open, playing tunes from YouTube. I remember Avast kept popping up warnings when I tried to play music in Windows Media Player, and that problem seems to have gone from what I can see so far.

Regards, Jon.

Looks like you have beaten it… However, there are some bad toolbars to kill next

CLEAR THE BAD TOOLBARS

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

https://dl.dropbox.com/u/73555776/AdwCleaner.GIF

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that

Well, that was nice and quick. I’ve attached the log.

I’m going to have to see if I can dig up some more info on, and learn about, OTL, ComboFix, etc, as they seem to be such effective tools (when used correctly).

Regards, Jon.

OK time for the big question … What problems remain ??

Ah, just had a couple of hiccups as Windows Automatic Updates were running:

  1. Avast didn’t seem to like the Skype toolbar (there was a Windows update relating to this - KB2727727), and either deleted it or moved it to chest, I don’t remember.

  2. An update for IE8 was flagged up by Avast as having been infected by Ramnit-H, and was moved to chest.

I was cleaning the capstans and pinch rollers of a tape deck as Windows was updating, so I wasn’t always looking at the screen, but in total, Windows said three updates were not installed: KB2656370, KB2727727, and KB2656353. There may have been non-Ramnit reasons for them not being installed, I suppose, and the problems I saw, Avast seemed to deal with appropriately.

Regards, Jon.

OK I would like a further bootscan with Avast to confirm that it did kill all the Ramnit

The updates relate to .NET Framework (always a pain) and Skype… Do you have that installed ?

Skype is installed. Windows downloaded another batch of updates, including Skype 5.1, and that seemed to install fine (as did the other updates). A second attempt at installing the .NET framework updates failed again.

I’ll open Skype 5.1, and see if that provokes any problems, then run a boot-time scan with Avast.

Thanks again essexboy.

Regards, Jon.