Read carefully and slowly
Ramnit.
Infects all drives connected to the PC, using an autorun.inf file on flash drives also. The files infected are .htm(l), .dll, and .exe files. I have infected my PC on purpose with this and been able to break the infection, then remove the infections from the .exe's and .dll's.
After that I manually removed the "vscript" from the .htm(l) files as the last thing to do, by opening the .htm(l) files with Notepad, deleting the vscript section, and saving the .htm(l) without the vscript. Norton will now remove the vscript without deleting the whole file.
I did this, simply put, and since some scanners may be updated to also break Ramnit, not just do the cleanup, step 3 may not be required if the service is not there.
Programs used:
Hijackthis, run with the name "Hijackthis.com" so it doesn't get infected, instead of the usual Hijackthis.exe that would get infected.
Combofix, to be used under supervision; may not be needed if step 3 is not required.
Malwarebytes, installed if needed and updated via the Update tab to make sure the definitions are up to date. Used to scan for and remove the renamed infector, and checked for others.
Dr Web Cureit, which runs without installing; used to cure the .exe and .dll files, detected as "W32.Rmnet".
1. Downloaded all the programs, installed if needed, and updated them. Now do not use browsers, and take flash drives and CDs/DVDs out.
Do not use browsers until after step 7.
2. Looked at the Hijackthis output. Saw this entry: "Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe" (used Hijackthis as the "Hijackthis.com" executable).
3. Ran Combofix with a script, as Combofix without a script doesn't remove it.
killall::
driver::
netlogonz12
Combofix restarted PC to remove it.
4. Turned off System Restore
5. Used Hijackthis to stop the browser process that is actually "DesktopLayer.exe". In playing with this step I had either IEXPLORE.EXE or Chrome.exe; you may see firefox.exe. You will see by the MBAM entries below that I tested this step 3 times.
Then quickly, before it reloads, renamed the "DesktopLayer.exe", after I used Hijackthis to remove the Winlogon entry (F2).
6. Ran a Full Scan with the Updated Malwarebytes
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Microsoft\Desktop.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\Desktop1.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\DesktopLay.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
G:\RECYCLER\S-3-1-03-2277013152-6508142413-324572255-2073\oAeaoUSB.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lpqs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
7. Ran a Complete scan with Dr Web Cure-it and then had it cure the "W32.Rmnet" entries. It won't cure the .htm(l) entries, but will delete the .htm(l) files as "Trojan.Icor", so don't select those, as some programs need the HTML files to run correctly.
Quads
PS. That is why specialist malware removal boards and trained people are required for some of this.
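The manual .htm(l) cleanup from step 4, as an added example that is not part of Quads' post: a Python script that finds VBScript script blocks of the kind described, keeps a backup of the original beside each file, and rewrites the file without the block. The regex, the file names and the sample page are my own assumptions; the placeholder block stands in for the injected section and is not any real dropper code.

```python
import re
import tempfile
from pathlib import Path

# Matches a <script ... language=vbscript ...> ... </script> block, case-
# insensitively and across lines, with the attribute quoted or unquoted.
VBSCRIPT_BLOCK = re.compile(
    r"<script\b[^>]*\blanguage\s*=\s*['\"]?vbscript['\"]?[^>]*>.*?</script\s*>",
    re.IGNORECASE | re.DOTALL,
)

def strip_vbscript(html: str):
    """Return (cleaned_html, blocks_removed)."""
    return VBSCRIPT_BLOCK.subn("", html)

def clean_tree(root: Path, backup_suffix: str = ".infected.bak") -> dict:
    """Rewrite every .htm/.html under root that contains a VBScript block,
    keeping the original beside it for review. Returns {name: blocks_removed}."""
    changed = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        original = path.read_text(encoding="utf-8", errors="replace")
        cleaned, count = strip_vbscript(original)
        if count == 0:
            continue
        path.with_name(path.name + backup_suffix).write_text(original, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
        changed[path.name] = count
    return changed

# Constructed sample: a harmless page with an appended VBScript block standing in
# for the injected section (placeholder body, not any real dropper code).
SAMPLE_INFECTED = (
    "<html><body><p>Hello</p></body></html>\n"
    "<SCRIPT Language=VBScript><!--\n"
    "' PLACEHOLDER: injected section would be here\n"
    "//--></SCRIPT>\n"
)
SAMPLE_CLEAN = "<html><script type='text/javascript'>var x = 1;</script></html>\n"

def demo() -> dict:
    """Write both samples into a temp dir, clean it, and return what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(SAMPLE_INFECTED, encoding="utf-8")
        (root / "readme.htm").write_text(SAMPLE_CLEAN, encoding="utf-8")
        result = clean_tree(root)
        assert "<p>Hello</p>" in (root / "index.html").read_text(encoding="utf-8")
        return result
```

Legitimate intranet pages can carry VBScript too, so review the .infected.bak copies before deleting them.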