Yesterday at 13:00 GMT I was on a streaming site and it loaded a popup, triggering Microsoft Security Essentials to clean something.
Later that day, Windows Firewall alerted me that svchost was being blocked and asked me if I wanted to keep blocking it. (A few days ago I had been asked the same question out of context, and I said 'unblock' as I thought it was a genuine system file.)
I was now no longer able to load Google through my Firefox browser (which I had been using up to now). I could search through Yahoo, though.
I decided to use IExplorer to use Google for convenience, and it worked fine.
I looked in System Restore and found 4 points remaining, and that anything before 1st August was missing (may be related, maybe not).
That's when I noticed two svchost files in Processes. I tried to kill both, but they both reloaded.
I was unable to launch Malwarebytes successfully (it showed and then mysteriously disappeared every time in Processes, without loading the GUI).
*In between cleans, Malwarebytes finally loaded, but I needed to update it, so meanwhile I did other scans. But then on the next restart after another scan, it stopped loading.*
(After all scans and cleans were done, Malwarebytes runs as normal every time.)
There was also a strange file in my user AppData, "bndoajxk.exe", created on 4th August in its own folder. I scanned it and found no problems, but I deleted it anyway.
I ran a Security Essentials scan and it found Ramnit Gen!A & D in pairs (one in Win32, another in NT, I think). I had to restart to finish the clean.
Security Essentials kept finding more, so this had to be repeated 3 times.
Other scans I completed thereafter:
TDSSKiller cleaned about 4 items; I think it was this scan which found an iframe virus on my browser.
MBRCheck reported errors on an external drive, but no errors after I disconnected that drive.
Malwarebytes cleaned a few items.
Msert found nothing.
ComboFix did quite a few things, but I was unable to decode what it was doing.
RogueKiller found some problems; additional ones looked like context menu edits which I had done earlier this year. Unsure.
Hitman x64, ESET and Msert found nothing.
MGtools did things I couldn't decode. It then tried to launch HijackThis and tried to report errors about HijackThis, but the URL it launched in the browser didn't exist. It then ran HijackThis and saved it somewhere on my PC.
I deleted some empty folders that had been created in my username's Temp folder, dated 4th August 13:00.
I searched for Ramnit in regedit and found some items which seemed like virus scanner entries, so I left them alone.
After all of this was complete, I ran Security Essentials, Malwarebytes and TDSSKiller multiple times after multiple restarts, and they didn't find anything. Firefox is also running as normal again.
PLEASE NOTE: All scans took place when Windows was loaded normally.
Since then I have seen some strange problems. I found a recently created folder on my system drive called "Qoobox", in which a folder named "BackEnv" is inaccessible (judging by its contents, I think it's related to one of the virus scanners).
I also discovered that something was unhiding my hidden files and folders, despite my efforts to hide them. But now it seems to stay as I left it.
After reading many posts here and on other forums, I've found cause to believe I can never be fully clean of Ramnit. I'm unsure. I have posted the logs in this thread: http://forums.majorgeeks.com/showthread.php?p=1759043#post1759043
Please check logs and advise!
Security Essentials just found another severe exploit: Java/Blacole.FK.
SUPERAntiSpyware just keeps finding adware threats every scan (3-4 each time).
ESET has found 2 threats:
A variant of Win32/Kryptic.AJKL trojan: C:\Qoobox\Quarantine\C\Users\HTS\AppData\Local\shlcpgot\bndoajxk.exe.vir
C:\Users\HTS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\2b7bce33-7a709d7e: multiple threats
Edited by heevyhivy, 05 August 2012 - 08:27 AM.
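Editor's note on the "two svchost files that reload when killed" symptom: on its own that is not diagnostic, because a normal Windows 7 install runs a dozen or more svchost.exe instances and a killed service host is restarted by the Service Control Manager. What distinguishes a genuine service host from something masquerading as one is its image path (it lives only in System32, or SysWOW64 for the 32-bit copy) and its parent (it is always started by services.exe). The following triage script is an added example, not code from the original post or from any of the tools the poster ran; it assumes an elevated PowerShell prompt on Windows 7 or later and uses Get-WmiObject so that it also works on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added triage script, not part of the original post. Lists every running
# svchost.exe with its image path and parent process and flags instances that
# do not look like the Windows service host. Run from an elevated PowerShell
# prompt; works on Windows 7 / PowerShell 2.0 and later (Get-WmiObject rather
# than Get-CimInstance on purpose).

# Paths of the genuine service host. Everything else (AppData, Temp, a copy
# dropped next to some other program) is suspect.
$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Snapshot the process table once so parent lookups are consistent.
$all   = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$report = @()
foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited or hidden>' }
    $path       = $p.ExecutablePath
    $reasons    = @()

    if (-not $path) {
        # WMI returns no path for processes you are not allowed to open;
        # from an elevated prompt this should not happen for svchost.
        $reasons += 'image path unreadable (run elevated)'
    } elseif (-not ($legitPaths -contains $path)) {
        $reasons += "unexpected image path: $path"
    }

    # The real service host is always started by services.exe. An svchost.exe
    # whose parent is explorer.exe, another svchost.exe, or a process that has
    # already exited is the pattern to look at more closely.
    if ($parentName -ine 'services.exe') {
        $reasons += "unexpected parent: $parentName (PID $($p.ParentProcessId))"
    }

    $report += New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Parent      = $parentName
        Path        = $path
        CommandLine = $p.CommandLine
        Suspicious  = ($reasons.Count -gt 0)
        Reason      = ($reasons -join '; ')
    }
}

# Suspicious entries first. A clean Windows 7 box shows only rows from
# System32 (or SysWOW64), every one of them parented by services.exe.
$report | Sort-Object Suspicious -Descending |
    Format-Table PID, Parent, Suspicious, Reason, Path -AutoSize
```

Two caveats a practitioner would add. First, a kernel rootkit of the kind TDSSKiller looks for can hide processes from WMI, so an empty "Suspicious" column is evidence, not proof, of a clean machine; an offline scan (booting from rescue media rather than the normally loaded Windows the poster notes all scans ran under) sidesteps that. Second, two of the later detections are not new infections: C:\Qoobox is ComboFix's quarantine folder, so a ".vir" file found there is the already-quarantined copy of bndoajxk.exe, and a detection under the Java Deployment\cache path is the downloaded exploit payload, which clearing the Java cache and updating or removing Java deals with. Ramnit itself is a file infector that patches executables and HTML files and spreads via removable drives, which is why re-scans keep turning up fresh copies; any infected file left untouched, including on an external drive that was connected during the infection, can start the cycle again.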