Solve : Ramnit-B virus rampaging through my computer?

1.	Solve : Ramnit-B virus rampaging through my computer?
Answer» Hi there, I've seen many people that are having the same problem with this virus but there are no '1-click-fix' things anywhere, so I figured I would just ask away. I am running Windows XP, SP 3 (I think it's 3, it's the latest one whatever it is). I did have Microsoft Security Essentials installed, and this kept detecting and cleaning all the infected files, then seconds later finding them infected again. On the advice of a computer technician, I have also installed Avast! Antivirus, and Malwarebytes anti-malware. I have turned off MSE, and have been running scans on the other two constantly for the last 36 hours. I've run two boot scans by Avast!, two full scans (again Avast!) and two full scans with MWB. The first few scans detected things, and deleted them, but the last Avast! Full scan and boot scan both came up clean. BUT Avast! keeps detecting attempts to infect other files by this virus, even thought the scans are coming back clean. Something, which i assume is the same virus, although I can't be sure, keeps redirecting both IE and Chrome to strange websites. The same is happening on 3 out of the 4 computers on my network. The virus detected is always the same, although sometimes it is classified as a trojan or a worm. It is "win32:Ramnit-B". It generally infects .exe files, which means my antivirus is slowly DELETING all my programmes . I do not use any P2P software, although someone on my LAN does. When the Computer technician I talked about earlier was looking at this computer, he found over 400 separate viruses. I'm sure I've left out something necessary, so I apologise in advance. I'm desperately putting off reformatting my computer, because i just don't have time.Clik Here and FOLLOW the Guide for posting your LOGS...Sorry, here are the logs. SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 10/01/2010 at 05:20 PM Application Version : 4.44.1000 Core Rules Database Version : 5614 Trace Rules Database Version: 3426 Scan type : Complete Scan Total Scan Time : 01:22:41 Memory items scanned : 445 Memory threats detected : 0 Registry items scanned : 5783 Registry threats detected : 0 File items scanned : 48184 File threats detected : 27 Adware.Tracking Cookie C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][3].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt media.heavy.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\5ERH872R ] media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\5FMR537J ] objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\5FMR537J ] C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt .atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] .atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] .atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] .atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] .apmebf.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] .mediaplex.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] .mediaplex.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] .doubleclick.net [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ] Trojan.Agent/Gen-FakeProt C:\DOCUMENTS AND SETTINGS\ROB\APPLICATION DATA\ENLUAS\NUWIE.EXE C:\PROGRAM FILES\TEMP\U21.EXE Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 21:50:00, on 02/10/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast5\AvastSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Application Updater\ApplicationUpdater.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Trusteer\Rapport\bin\RapportService.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\DivX\DivX Update\DivXUpdate.exe C:\Program Files\Alwil Software\Avast5\avastUI.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\Trend Micro\HiJackThis\sniper.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tribalwars.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263736093050 O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe -- End of file - 6743 bytes Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4712 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 02/10/2010 15:30:41 mbam-log-2010-10-02 (15-30-41).txt Scan type: Quick scan Objects scanned: 143635 Time elapsed: 21 minute(s), 41 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 5 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0a11b96e-c7d4-82f7-1e77-c699f728b7da} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\java\jre6\bin\jqssrv.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)If it's Ramnit..... I'm afraid I have very bad news. Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file. -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.[/color] Understanding virus names Threat aliases for Win32/Ramnit.A With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary. Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection. In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: When should I re-format? How should I reinstall? Where to draw the line? When to recommend a format and reinstall? Quote Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include: • Reimaging the system • Restoring the entire system using a full system backup from before the backdoor infection • Reformatting and reinstalling the system Backdoors and What They Mean to You This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.Quote The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Important Note:: If your computer was used for online banking, has credit CARD information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which REQUIRE a username and password. You should consider them to be compromised[/b]. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. Blast, that's exactly what I was hoping not to hear. Thanks anyway. Is there any way to back up my documents whilst still ensuring that I do not bring the virus onto my newly reformatted computer when they are transferred over?Yes, you can, if you follow very strict rules... * If you'll be using USB flash drive to move files from bad computer to good computer, make sure to install this on good computer... Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down) *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear. The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present. Wait until it has finished scanning and then exit the program. Reboot your computer when done. Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files. Windows Vista and Windows 7 users Flash Disinfector is not compatible with the above Windows version. Please, use Panda USB Vaccine * If you'll be using external drive to back up your data, make sure to install Flash Disinfector on bad computer after formatting and installing Windows and BEFORE connecting your external drive, or using USB flash drive. Now, you're safe to connect your external drive, or USB stick. BEFORE moving anything back from an external drive, or USB stick, make sure to scan them with freshly updated AV program and, for a good measure with one of online scanners, like Eset, or Kaspersky. Sorry to be dense, but could you just run through that again? Im using windows XP and will be using an external hard drive to transfer data. The hard drive already has data on it that I want to be careful of. Unless it's necessary, i didn't plan to move the files from computer to computer, only from computer to EHD, then back to formatted computer.In that case, I wouldn't be using that external drive. You don't want to mix clean files with possibly infected files. Some choices... - empty external drive to another computer and use it - get another external drive - get couple of 8GB/16GB USB sticks, depending on how much data you need to moveSorry, you replied before edit. I'll empty the EHD and use it. So when should i use flashdisinfector on it? And also, how can i get flash disinfector onto the clean computer without inserting USB drive or EHD.You reinstall Windows first, so everything is working, including internet connection. Download and install Flash Disinfector. Connect external drive. Scan all files.Ok, got it. Thanks alot.You're very welcome

Answer»

Hi there, I've seen many people that are having the same problem with this virus but there are no '1-click-fix' things anywhere, so I figured I would just ask away. I am running Windows XP, SP 3 (I think it's 3, it's the latest one whatever it is). I did have Microsoft Security Essentials installed, and this kept detecting and cleaning all the infected files, then seconds later finding them infected again. On the advice of a computer technician, I have also installed Avast! Antivirus, and Malwarebytes anti-malware. I have turned off MSE, and have been running scans on the other two constantly for the last 36 hours. I've run two boot scans by Avast!, two full scans (again Avast!) and two full scans with MWB. The first few scans detected things, and deleted them, but the last Avast! Full scan and boot scan both came up clean. BUT Avast! keeps detecting attempts to infect other files by this virus, even thought the scans are coming back clean.

Something, which i assume is the same virus, although I can't be sure, keeps redirecting both IE and Chrome to strange websites. The same is happening on 3 out of the 4 computers on my network.

The virus detected is always the same, although sometimes it is classified as a trojan or a worm. It is "win32:Ramnit-B". It generally infects .exe files, which means my antivirus is slowly DELETING all my programmes .

I do not use any P2P software, although someone on my LAN does. When the Computer technician I talked about earlier was looking at this computer, he found over 400 separate viruses.

I'm sure I've left out something necessary, so I apologise in advance. I'm desperately putting off reformatting my computer, because i just don't have time.Clik Here and FOLLOW the Guide for posting your LOGS...Sorry, here are the logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/01/2010 at 05:20 PM

Application Version : 4.44.1000

Core Rules Database Version : 5614
Trace Rules Database Version: 3426

Scan type : Complete Scan
Total Scan Time : 01:22:41

Memory items scanned : 445
Memory threats detected : 0
Registry items scanned : 5783
Registry threats detected : 0
File items scanned : 48184
File threats detected : 27

Adware.Tracking Cookie
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][3].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][1].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
C:\Documents and Settings\Rob\Cookies\[emailprotected][2].txt
media.heavy.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\5ERH872R ]
media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\5FMR537J ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\5FMR537J ]
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[emailprotected][1].txt
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.apmebf.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.mediaplex.com [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]
.doubleclick.net [ C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies ]

Trojan.Agent/Gen-FakeProt
C:\DOCUMENTS AND SETTINGS\ROB\APPLICATION DATA\ENLUAS\NUWIE.EXE
C:\PROGRAM FILES\TEMP\U21.EXE

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:50:00, on 02/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tribalwars.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263736093050
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6743 bytes

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4712

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02/10/2010 15:30:41
mbam-log-2010-10-02 (15-30-41).txt

Scan type: Quick scan
Objects scanned: 143635
Time elapsed: 21 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0a11b96e-c7d4-82f7-1e77-c699f728b7da} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\java\jre6\bin\jqssrv.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)If it's Ramnit.....

I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.[/color]

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Quote

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.Quote

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Important Note:: If your computer was used for online banking, has credit CARD information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which REQUIRE a username and password. You should consider them to be compromised[/b]. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
Blast, that's exactly what I was hoping not to hear. Thanks anyway. Is there any way to back up my documents whilst still ensuring that I do not bring the virus onto my newly reformatted computer when they are transferred over?Yes, you can, if you follow very strict rules...

* If you'll be using USB flash drive to move files from bad computer to good computer, make sure to install this on good computer...

Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows version.
Please, use Panda USB Vaccine

* If you'll be using external drive to back up your data, make sure to install Flash Disinfector on bad computer after formatting and installing Windows and BEFORE connecting your external drive, or using USB flash drive.

Now, you're safe to connect your external drive, or USB stick.
BEFORE moving anything back from an external drive, or USB stick, make sure to scan them with freshly updated AV program and, for a good measure with one of online scanners, like Eset, or Kaspersky.
Sorry to be dense, but could you just run through that again? Im using windows XP and will be using an external hard drive to transfer data. The hard drive already has data on it that I want to be careful of. Unless it's necessary, i didn't plan to move the files from computer to computer, only from computer to EHD, then back to formatted computer.In that case, I wouldn't be using that external drive.
You don't want to mix clean files with possibly infected files.

Some choices...
- empty external drive to another computer and use it
- get another external drive
- get couple of 8GB/16GB USB sticks, depending on how much data you need to moveSorry, you replied before edit. I'll empty the EHD and use it. So when should i use flashdisinfector on it? And also, how can i get flash disinfector onto the clean computer without inserting USB drive or EHD.You reinstall Windows first, so everything is working, including internet connection.
Download and install Flash Disinfector.
Connect external drive.
Scan all files.Ok, got it. Thanks alot.You're very welcome

Solve : Ramnit-B virus rampaging through my computer?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment