[Quads]

That doesn't match my instructions of the,

a) When MBAM is updated
b) The renaming of DesktopLayer, DesktopLayer kept as the same name reloads reasonably quickly
c) stop the fake browser service first otherwise you can't rename the file, self protection, looks like it's one of the "firefox.exe"'s

But that is the way it goes. So now it's not my method of cleaning when the steps have been changed on when things are updated run at different times the I did, different files run then in my instructions.

Quads

[Sneakyone]

Shoot, I forgot I was going to add that in, I will add that when they reply back.

But, they had to be modified because I don't have control of their computer so I can't get it exactly as you put them. :)

Overall, I was using the basis of your instructions.

[Quads]

Well at least I can see how Malware creators can beat helpers on Malware Removal Forums and I just laugh, I have removed Malware from people PC's over forums with strict steps with just changing file names and locations within the steps but the steps remain in the correct order and the correct programs or scripts by using templates. Even highly infected PC's with Combinations.

So when I say to download, install (if required) programs and update as step1, why is that not as your step 1, updating Malwarebytes is further down at like around step 5.

Quads

[wealllbe20]

easiest way for removal if you don't know exactly what you are doing.

http://devbuilds.kaspersky-labs.com/dev ... cueDisk10/

download the iso, burn it to cd/dvd, boot from the cd and do an update and scan.

should remove most malicious files.

[Jaxryley]

Another sample:
exe.exe - 21/42 (50.0%) - MD5 : 4480225757dd699766f374d8e80f2629
http://www.virustotal.com/file-scan/rep ... 1282951130

exe.rar

(45.99 KiB) Downloaded 105 times

[SecConnex]

Thanks. Looking over the sample.

Kaspersky I.S. caught the download, and called it Backdoor.Win32.IRCNite.ani.

I'm curious why they label it IRCNite, instead of the entire collective technology it is: Backdoor.Win32.Ramnit.A,B,C,D.

Has anyone here caught the D variant? I only know of ABC which I have tested so far...yet to find D, even though I heard it is out.

[Buster_BSA]

Kaspersky doesn´t detect anything as "Backdoor.Win32.Ramnit"

[SecConnex]

I know. Which is why I said it should be detected as Backdoor.Win32.Ramnit.

They should use that instead of the other name.

[Buster_BSA]

I know. Which is why I said it should be detected as Backdoor.Win32.Ramnit.

They should use that instead of the other name.

How to know what´s the name of the D variant for Kaspersky?

[SecConnex]

Not sure. I suppose I will just follow the name they give, IRCNite.