Inactive Win32 Ramon detected, can't access certain websites or run programs

Status
Not open for further replies.
Avast has detected a lot of instances of Win32.Ramon; it seems to detect them when I try to run programs like iexplore.exe, and then gets worryingly slap-happy with deleting files. Fortunately I can run Firefox and have been able to run MBAM in safe mode, but I can't access the Gmer or DDS websites in normal or safe mode to follow the initial instructions.

I would much appreciate any help with this problem, as I'm already worried most of my programs won't work once it's been fixed due to Avast deleting stuff like there's no tomorrow =S

MBAM Log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.11.08

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: ANONYMOUS [administrator]

Protection: Disabled

7/11/2012 6:21:38 PM
mbam-log-2012-07-11 (18-21-38).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 735236
Time elapsed: 2 hour(s), 7 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 21
C:\Documents and Settings\Custom Settings\ToggleQL.exe (Trojan.WinLock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ANONYMOUS\Application Data\Ihna\ryode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ANONYMOUS\Desktop\RK_Quarantine\ryode.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ANONYMOUS\Local Settings\Temp\0.46930046814993165.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0021657.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0021667.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0021815.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0022004.dll (Trojan.Agent) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0022454.dll (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023073.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023162.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023214.exe (FakeMS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023244.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023339.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023413.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{15871599-FFBE-429E-B416-550FBA0D6C13}\RP6\A0023434.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
D:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\1d039235-5fabc789 (Trojan.Agent.TW) -> Quarantined and deleted successfully.
D:\Windows\ERDNT\cache86\svchost.exe (FakeMS) -> Quarantined and deleted successfully.
D:\Windows\SysWOW64\Smackw32.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.ANONYMOUS\0.7424709912964477.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

(end)
 
Welcome aboard


Stay in safe mode with networking.

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Hi Broni, thanks for your fast response =)

It seems that I can't access the ESET website either unfortunately. Looks like this bugger is doing its best to not be removed!
 
Basically, Avast's Win32.Ramon is another name for the more popular name, Ramnit, which is not curable, but I wanted to double check.

Do you have any example of a file and its location indicated by Avast?
 