Win32 Ramon detected, can't access certain websites or run programs

Inactive
By Mafamoo
Jul 11, 2012
Topic Status:
Not open for further replies.
  1. Avast has detected a lot of instances of Win32.Ramon, it seems to detect them when I try to run programs like iexplore.exe, and then gets worryingly slap happy with deleting files. Fortunately I can run Firefox and have been able to run MBAM in safe mode, but I can't access the Gmer or DDS websites in normal or safe mode to follow the initial instructions.

    I would much appreciate any help with this problem, as I'm already worried most of my programs won't work once it's been fixed due to AVAST deleting stuff like there's no tomorrow =S

    MBAM Log:

    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.07.11.08

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Administrator :: ANONYMOUS [administrator]

    Protection: Disabled

    7/11/2012 6:21:38 PM
    mbam-log-2012-07-11 (18-21-38).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 735236
    Time elapsed: 2 hour(s), 7 minute(s), 9 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 21
    C:\Documents and Settings\Custom Settings\ToggleQL.exe (Trojan.WinLock) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.ANONYMOUS\Application Data\Ihna\ryode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.ANONYMOUS\Desktop\RK_Quarantine\ryode.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.ANONYMOUS\Local Settings\Temp\0.46930046814993165.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0021657.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0021667.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0021815.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0022004.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0022454.dll (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023073.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023162.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023214.exe (FakeMS) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023244.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023339.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023413.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023434.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    D:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1d039235-5fabc789 (Trojan.Agent.TW) -> Quarantined and deleted successfully.
    D:\Windows\ERDNT\cache86\svchost.exe (FakeMS) -> Quarantined and deleted successfully.
    D:\Windows\SysWOW64\Smackw32.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.ANONYMOUS\0.7424709912964477.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

    (end)
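    The MBAM log above has a regular line format (item, detection name in parentheses, arrow, action), so it can be parsed and triaged rather than read by eye. The following Python script is an added example, not code from the thread or from Malwarebytes; it works on a constructed, shortened excerpt in the same layout as the log above. Two checks it performs are assumptions of this example rather than anything MBAM does: it separates hits inside `System Volume Information\_restore` (old System Restore points, which can re-seed an infection if restored) from hits on the live system, and it flags registry entries whose name tokens are near-misses of trusted names such as MICROSOFT, the pattern visible in the `LEGACY_MICORSOFT_WINDOWS_SERVICE` key.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample: a shortened excerpt laid out like the MBAM log in the post above.
SAMPLE_LOG = r"""Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\Owner.ANONYMOUS\Application Data\Ihna\ryode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023434.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0021657.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
D:\Windows\SysWOW64\Smackw32.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

(end)
"""

# "Files Detected: 21", "Registry Keys Detected: 1", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<item> (<detection>) -> <action>."  The item (path or key) never contains parentheses.
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detected item: section, item, detection, action."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            records.append({"section": section, **m.groupdict()})
    return records


def summarize_by_detection(records):
    """Count hits per detection name, e.g. {'Trojan.FakeMS': 7, ...}."""
    return dict(Counter(r["detection"] for r in records))


def restore_point_hits(records):
    """Items living in System Restore snapshots rather than on the live system (assumed check)."""
    return [r["item"] for r in records
            if "\\system volume information\\_restore" in r["item"].lower()]


def pending_reboot(records):
    """Items MBAM could not remove yet; the log marks them 'Delete on reboot'."""
    return [r["item"] for r in records if r["action"].lower().startswith("delete on reboot")]


def lookalike_tokens(name, trusted=("MICROSOFT", "WINDOWS"), threshold=0.8):
    """Flag name tokens that nearly (but not exactly) match a trusted brand token.

    Assumed heuristic: similarity >= threshold but not identical, e.g. MICORSOFT vs MICROSOFT.
    """
    flagged = []
    for token in re.split(r"[_\\\s]+", name.upper()):
        for good in trusted:
            if token != good and SequenceMatcher(None, token, good).ratio() >= threshold:
                flagged.append((token, good))
    return flagged


def triage(text):
    """Bundle the checks into one report dict."""
    records = parse_mbam_log(text)
    suspicious_names = [(r["item"], lookalike_tokens(r["item"].rsplit("\\", 1)[-1]))
                        for r in records if r["section"].startswith("Registry")]
    return {
        "total": len(records),
        "by_detection": summarize_by_detection(records),
        "restore_points": restore_point_hits(records),
        "pending_reboot": pending_reboot(records),
        "lookalike_names": [(item, hits) for item, hits in suspicious_names if hits],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log in the post, the same functions would show that 12 of the 21 file hits sit inside `D:\System Volume Information\_restore{...}\RP6`, i.e. inside an old restore point rather than the running system, and that the one registry hit is still pending a reboot.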
  2. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    Welcome aboard

    Stay in safe mode with networking.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  3. Mafamoo

    Mafamoo Newcomer, in training Topic Starter

    Hi Broni, thanks for your fast response =)

    It seems that I can't access the ESET website either unfortunately. Looks like this bugger is doing its best to not be removed!
  4. Broni

    Broni Malware Annihilator Posts: 46,171   +251

    Basically, Avast's Win32.Ramon is another name for the more popular name, Ramnit, which is not curable, but I wanted to double-check.

    Do you have any example of a file and its location indicated by Avast?