W32.ramnit!inf help, how do you remove it?

Hello

 

I have Norton Internet Security and I followed the instructions on the website, I started my pc in safe mode and I find this W32.ramnit!inf virus, it tries to repair it, then remove it.  But that does not work, then if says to visit the website.  Why does Norton not remove it?

 

Also, how do I remove this virus? 

Hello

 

I have Norton Internet Security and I followed the instructions on the website, I started my pc in safe mode and I find this W32.ramnit!inf virus, it tries to repair it, then remove it.  But that does not work, then if says to visit the website.  Why does Norton not remove it?

 

Also, how do I remove this virus? 

When I use Norton, it detects the virus, and then I will click "repair" and then it comes back saying it is best for it to be "removed", and after Norton has tried to remove it, it says to visit the website.

 

So after 10 scans, I get the same result, I cannot remove the virus.

See above post I have added to it. I am thinking, 

 

I have been able to remove Ramnit from my PC more than once (infected on purpose) 

 

Quads

Thats great you have removed it.  I am no computer expert sadly, how do I go about removing this virus?

Read carefully and slowly

 

Ramnit.

 

Infects all drives connected to the the PC using an autorun.inf file on Flash drives also.  The files infected are .htm(l), dll, and .exe files I have infected my  PC on purpose with this ann been able to break the infection then remove the infections from the .exe's and .dll's.

After that I manually removed the "vscript" from the .htm(l) files as the last thing to do, by opening htm(l) files with Notepad and deleting the vscript section and saving the .htm(l) without the vscript. Norton will now remove the vscript without deleting the whole file

 

I did this, simply put and since some scanners may be updated to also break Ramnit, not just do the cleanup, step 3 may not be required if the service is not there

 

Programs used:

 

Hijackthis run with the name of "Hijackthis.com" so it doesn't get infected, instead of the usual Hijackthis.exe that would get infected.

Combofix,  To be used under supervision, may not be needed if no step 3 is required.

Malwarebytes  Installed if needed to, and updated by the update tab to make sure the definitions are up to date. Used to scan and remove the renamed infector and checked for others

Dr Web Cureit  which runs without installing, used to cure the .exe and .dll files, detected as "W32.Rmnet"

 

 

1. Downloaded all the programs, Installed if needed, and updated them Now do not use browsers and take Flash Drives and CD/ DVD's out.

Do Not use browsers until after step 7.


2. Looked at Hijackthis output. Saw this entry "Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe" (used Hijackthis as "Hijackthis.com" executable)


3. Ran Combofix with Script as Combofix without script doesn't remove it.

killall::

driver::
netlogonz12

Combofix restarted PC to remove it.

4. Turned off System Restore

5. Used Hijackthis to stop the Browser process that is actually for "DesktopLayer.exe" In playing with this step I had either IEXPLORE.EXE or Chrome.exe, you may see firefox.exe,  You will see by the MBAM entries below I tested this step 3 times.
Then quickly, before it reloads, renamed the "DesktopLayer.exe", after I used Hijackthis to remove the Winlogon entry (F2)

6. Ran a Full Scan with the Updated Malwarebytes 

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft\Desktop.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\Desktop1.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\DesktopLay.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
G:\RECYCLER\S-3-1-03-2277013152-6508142413-324572255-2073\oAeaoUSB.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lpqs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

7. Ran a Complete scan with Dr Web Cure-it and then had it cure the "W32.Rmnet" entries. It won't cure the .htm(l) entries. but will delete the .htm(l) files as "Trojan.Icor" so don't select those as some programs need the html files to run correctly

 

Quads

 

PS. that is why specialist Malware removal boards and trained people are required for some of this

Thanks for the information.  I have downloaded all the stuff and renamed them.  I could not find some of the files when using hijack, I do not know what files are useful and which ones are not.  I will carry on following the instructions though.  I have printed them out.

Hijackthis shows no Service named above then Combofix is not needed.

 

No F2 Winlogon entry showing in Hijackthis??

 

This thread also looks successful using Dr Web Cureit to cure the .exe and .dll files  http://forums.spybot.info/showthread.php?p=380282

 

 

Quads

I will copy and paste what it says on the hijack report.

Quads, this is for you:

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:51:16, on 17/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: OneCare.lnk = C:\Program Files\OneCare\bin\matcli.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229526285281
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 15374 bytes

I did everything as you said, but I am still with the virus.  I do not know what else to do, what about if I downloaded something called StopZilla, it says it will remove it. 

 

I honestly followed all your instructions, so I am stumped.

What You may be seeing is the fact Norton has the detection of Ramnit.inf stuck in the Unresolved Threats list as Norton did not fix the problem so is continually telling the user of the Unresolved threat even though other tools should have removed it., this is the same problem that occurs when using free removal tools to cure TDL3 (Tidserv) with say TDSSkiller Norton still reminds the user afterwards.

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Followed-manual-removal-instructions-for-Tidserv-backdoor-I-Inf/m-p/308626/highlight/true#M130840

 

But I notice you have what looks like an older version of Norton in your Hijackthis log entries of older versions listed compared to how the new 2009 - 2011 looks in Hijackthis you may have to use the Qbackup workaround or Uninstall and clean reinstall.

 

Depending on how old your version of Norton is (2005 -2008??) the engine within these older products just may not be able to handle the likes of W32.Ramnit or W32.Virut.CF and that is why for one, newer versions get released so they handle these new malware,  As I said I tested the second time Ramnit with NIS2011, and it's now correctly able to handle it after fixing problems 

 

Do you have the Malwarebytes log, and the Dr Web Cureit log from that full scan it should have detected 'Win32.Rmnet"

 

I have attached to this post only a small part of the Dr Web cureit log from the Complete Scan I did during figuring how to break and remove Ramnit,  when Norton caused problems, It's only a small part of the log as I have over 2000 files infected and yes I too ages for Dr Web Cureit to go though.

 

 

Quads 

I can imagine problems with Older Norton versions and definitions for newer Malware like TDL3, Ramnit, Zeloaces.inf.  Where the definitions are there but the older engines in older Symantec products can't handle what is being asked to be done, So Norton could act confusing.

 

Once for instance once Norton is able to handle the likes of TDL3 on its own, lets make this easy and say this happens in 2012 products, and definitions tell 2012 to Cure or swap the infected driver with a clean version,  No problems but people could be coming online with installed 2009 - 2011 products in a pickle because the older versions can't deal with it.

 

Quads 

My NIS, is 2006 and its up to date.  Is it better just to change NIS to 2011?  So it will handle this ramnit virus?  I will put the logs up as well for anti-Malware etc.

 


saban wrote:

My NIS, is 2006 and its up to date.  Is it better just to change NIS to 2011?  So it will handle this ramnit virus?  I will put the logs up as well for anti-Malware etc.


 

NIS 2006, hmmm,  It's not to do with the definitions themselves being up to date etc. but to do with the technology used in 2006 vs the advances in the likes of 2010, 2011. If there were no advances in the engine, SONAR etc. there would be no point in releasing versions. Just instead give definition updates and that's it.

There was a big change with Norton after 2008 with many things including the likes of it's resource use (footprint).

 

"So it will handle this ramnit virus?"   The problem I suspect is now not to do with Ramnit still being on the HD after using MBAM and Dr Web Cureit which detects ramnit .exe and .dll's as W32.Rmnet to remove it.  It's the fact that even though Ramnit is gone(unless you have plugged in another infected drive) NIS2006 has the threat stuck in the Unresolved list and also being an older product may not have been correctly able to handle the threat.

 

Symantec Employees may be able to explain (or someone) the ability of older products with the newest threats and not being able to handle them. We have had this appear before.

I don't even know if the Qbackup workaround works with NIS 2006.

 

I can't see the MBAM or Cureit logs,   Hijackthis shows the Winlogon entry for Ramnit has been removed (gone).

 

Quads

 

 

MBAM log:

 

Malwarebytes' Anti-Malware 1.46

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18372

17/10/2010 14:31:15
mbam-log-2010-10-17 (14-31-15).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 272811
Time elapsed: 1 hour(s), 11 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Saban\Local Settings\Temp\NI.UGA6P_0001_N122M2210 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Saban\Local Settings\Temp\NI.UGA6P_0001_N122M2210\settings.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Saban.PC249391538321\Local Settings\Temp\0.16060921354977953.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

 

If it helps, I do not know what has happened, but I do not have the pop ups that keep saying ramnit!inf anymore.  Just want to be sure it is gone really, thanks for the advice, let me know what you think.

The Malwarebytes Log shows No Entries to do with Ramnit now but a Rogue instead which you also had, but you had Malwarebytes remove them also.

 

Good to see Norton no longer alerting you of Ramnit after using the Ramnit removal instructions,  When I had Ramnit infected on my PC awhile ago, I had over 2000 files that were slowly detected in different locations so can take so time to slowly go though that lot.

 

I am concerned of the fact your Norton is way back at NIS 2006,  when I see some of the Malware out there, that is why Symantec and other AV companies work hard on the product technology and not just the definitions and release new product versions.

 

Quads

Hello saban

 

Once  your computer is completely clean and if you have a current subscription for NIS 2006, you can update for free to NIS 2011 if your computer meets the minimum requirements.

 

 

http://us.norton.com/internet-security/

 

If you want to upgrade, we can tell you how. Please start a new thread if you would like to upgrade to NIS 2011. Thanks.