Ramnit-D infection: is this a new variant?


Froggy


Hi all,

New here, but have been a longtime lurker. I'm semi-computer literate, and have figured my way out of removing some minor malware infections in the past. I have a Ramnit-D infection on my home computer that's been spreading itself all over like a horny syphilitic.

Not sure how/where I picked it up, as I take great care to keep AV/malware software up to date, avoid certain sites, don't download excessively, etc., etc. I've read numerous threads about Ramnit, and it seems to be pretty scary, although it ranges from low threat to severe. THIS Microsoft bulletin scares me, however.

So, based on how many Ramnit threads here and elsewhere end, I was thinking of just nuking my drive and doing a clean install. At this point, will this save me a lot of frustration and energy (as well as ensuring my comp is safe)?

cheers,

Froggy


Win32/Ramnit is a file infector with IRCBot functionality which infects .exe and .html/.htm files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access the infected computer and instruct it to download and execute more malicious files.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. Why? The malware injects code into legitimate files, similar to the Virut virus, and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts, so the degree of infection can vary.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

If you'd like, I can confirm that you are indeed infected with Ramnit from these logs:

Please download DDS by sUBs from one of the following links and save it to your desktop:

  • DDS.scr
  • DDS.pif

  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open and then click UPLOAD.

Please download Rootkit Unhooker and save it on your desktop.

  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning. It is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Please include the following in your next post:

  • DDS and Attach.txt logs
  • Rootkit Unhooker log


Cheers for the help, RP. That's the answer I was somewhat expecting, but was afraid of.

DDS.txt

DDS (Ver_10-10-10.03) - NTFSx86

Run by Digby at 19:19:50.10 on 14/10/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1315 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Alwil Software\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Digby\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

dRunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32

StartupFolder: c:\docume~1\digby\startm~1\programs\access~1\startup\setup_~1.lnk - c:\documents and settings\digby\desktop\virus removal tool\setup_9.0.0.722_13.10.2010_16-37[1]\startup.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250563155109

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: mwxdua.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyxXQGw

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\digby\applic~1\mozilla\firefox\profiles\3mv5ael9.default\

FF - prefs.js: browser.search.selectedEngine - Ask

FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1266799219&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 43765712;43765712 Boot Guard Driver;c:\windows\system32\drivers\43765712.sys [2010-10-13 37392]

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-11 64288]

R1 43765711;43765711;c:\windows\system32\drivers\43765711.sys [2010-10-13 128016]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-11 165584]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 setup_9.0.0.722_13.10.2010_16-37[1]drv;setup_9.0.0.722_13.10.2010_16-37[1]drv;c:\windows\system32\drivers\4376571.sys [2010-10-13 315408]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-11 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-11 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-11 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-11 40384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-13 136176]

S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]

S3 utiymzq1;AVZ Kernel Driver;c:\windows\system32\drivers\utiymzq1.sys [2010-10-14 7168]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]

=============== Created Last 30 ================

2010-10-14 04:43:06 7168 ----a-w- c:\windows\system32\drivers\utiymzq1.sys

2010-10-14 02:15:28 -------- d-----w- C:\stdtsa

2010-10-14 01:13:50 37392 ----a-w- c:\windows\system32\drivers\43765712.sys

2010-10-14 01:13:50 128016 ----a-w- c:\windows\system32\drivers\43765711.sys

2010-10-14 01:13:49 315408 ----a-w- c:\windows\system32\drivers\4376571.sys

2010-10-14 00:44:11 -------- d-----w- c:\program files\Enigma Software Group

2010-10-14 00:43:45 -------- d-----w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP

2010-10-13 02:16:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-10-13 02:16:49 -------- d-----w- c:\docume~1\digby\applic~1\SUPERAntiSpyware.com

2010-10-13 02:15:28 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-10-13 01:17:00 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-10-12 13:38:15 -------- d-----w- c:\program files\windows

2010-10-12 04:01:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-12 04:01:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-12 04:01:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-12 03:57:53 38848 ----a-w- c:\windows\avastSS.scr

2010-10-12 03:30:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-10-12 02:41:57 28672 ----a-w- c:\windows\system32\setupold.exe

2010-10-12 02:28:34 -------- d-----w- c:\docume~1\digby\applic~1\AVG10

2010-10-12 02:04:47 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2010-10-12 01:57:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-10-12 01:52:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2010-10-12 01:50:48 -------- d--h--w- C:\$AVG

2010-10-12 01:47:31 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-10-12 01:45:22 -------- d-----w- c:\program files\Lavasoft

2010-10-12 01:41:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

2010-10-12 00:31:26 -------- d-----w- c:\program files\win

2010-10-12 00:31:22 -------- d-----w- c:\program files\tmp

2010-10-12 00:31:16 -------- d-----w- c:\program files\Microsoft

2010-10-09 02:32:45 -------- d-----w- c:\program files\NVIDIA Corporation

2010-10-02 21:27:59 -------- d-----w- c:\program files\DAEMON Tools Lite

2010-10-01 18:06:04 14808 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2010-10-01 18:06:02 718296 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

2010-09-28 04:31:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\t01x97GIiTqrf7M2Q

2010-09-28 04:27:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\19Rgeit2iTqrf7M2Ql65

2010-09-25 17:49:00 -------- d-----w- c:\docume~1\digby\applic~1\Miweaw

==================== Find3M ====================

2010-09-26 01:54:08 202032 ----a-w- c:\windows\system32\PnkBstrB.exe

2010-08-27 00:41:15 224960 ----a-w- c:\windows\system32\PnkBstrB.xtr

2010-08-27 00:34:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2007-07-21 08:11:20 20480 ----a-w- c:\program files\WowMon.dll

2007-07-17 19:14:33 57344 ----a-w- c:\program files\loaderplus.exe

2007-06-20 22:53:12 53248 ----a-w- c:\program files\Loader.exe

2005-12-05 16:07:30 61136 ----a-w- c:\program files\xinput9_1_0.dll

============= FINISH: 19:21:02.93 ===============

Have to put my kid to bed, so I'll try and get the Rootkit Unhooker log up later tonight once it is done.

cheers,

F.

Attach.txt


Hi,

Run this while you're at it:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.


My Java is out of date for the Kaspersky tool, and when I try to update it I get this message: "bin\axbridge.dll: old file not found. However, a file of the same name was found. No update done since file contents do not match."

Then I get an Error 1722 message from the Java installer as well.


Hey RP, here are the first two that were ugly, back on Tuesday. desktoplayer.exe is/was in there, but my files are f'ed up now. Avast keeps finding some and deleting them. I'm just backing up everything personal, and am going to reformat/reinstall.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4798

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/10/2010 4:48:49 PM

mbam-log-2010-10-12 (16-48-49).txt

Scan type: Full scan (C:\|F:\|G:\|)

Objects scanned: 303069

Time elapsed: 15 hour(s), 19 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 4

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Heuristics.Shuriken) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{24c3e02c-e734-82f5-26fc-5d4ee2092c0d} (Trojan.ZbotR.Gen) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{5D836F8B-2506-4CF4-B139-6C8894EFE848}\RP736\A0164735.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{5D836F8B-2506-4CF4-B139-6C8894EFE848}\RP745\A0172175.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\ExplorerSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qtplugin.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\_avast5_\unp17277494.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.

C:\Program Files\Mozilla Firefox\firefoxSrv.exe (Trojan.PWS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Digby\Application Data\Akuwb\ciivm.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

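The DDS "Pseudo HJT Report" and the Malwarebytes log posted above each contain persistence entries that an analyst would check before anything else: a non-zero SfcDisable under Winlogon, a DLL in AppInit_DLLs, an extra LSA authentication package, a hosts-file redirect, and a Winlogon\Userinit value with a second program appended. The script below is an added example for this thread, not part of DDS, Malwarebytes or the forum's procedure. It parses those line formats and flags the non-default values. The sample lines are copied from the reports above; the assumption that msv1_0 is the only authentication package expected on a stock Windows XP system is mine.

```python
"""Triage persistence indicators from a DDS "Pseudo HJT Report" and an
MBAM Winlogon\\Userinit entry.

Added example for this forum thread; not a feature of DDS or Malwarebytes.
Only the line formats visible in the reports above are recognised.
"""
import re

# Lines copied from the DDS report posted in this thread, embedded so the
# script runs offline. The BHO and uRun lines are benign and must not be
# flagged; the other four should be.
SAMPLE_DDS = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: mwxdua.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyxXQGw
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Assumption: msv1_0 is the only authentication package expected on a stock
# XP install. Anything else here is loaded into lsass.exe at boot.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def analyze_dds(text):
    """Return a list of (indicator, value, original_line) for suspicious lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("mWinlogon:"):
            # SfcDisable=0 is the default. -99 (0xffffff9d) is the value used
            # to switch Windows File Protection off, which lets a file
            # infector overwrite protected system binaries unchallenged.
            m = re.search(r"SfcDisable=(-?\d+)", line)
            if m and int(m.group(1)) != 0:
                findings.append(("SfcDisable", m.group(1), line))
        elif line.startswith("AppInit_DLLs:"):
            # Every process that loads user32.dll also loads these DLLs.
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("AppInit_DLLs", value, line))
        elif line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() not in EXPECTED_AUTH_PACKAGES]
            if extra:
                findings.append(("LSA authentication package", " ".join(extra), line))
        elif line.startswith("Hosts:"):
            # A security vendor's site pointed at 127.0.0.1 blocks updates
            # and support pages; DDS prints such entries on a Hosts: line.
            findings.append(("Hosts", line.split(":", 1)[1].strip(), line))
    return findings


def userinit_extras(value):
    """Return entries of a Winlogon\\Userinit value other than the stock userinit.exe.

    The value is a comma-separated list that Windows runs at every interactive
    logon; that is how desktoplayer.exe was launched in the MBAM log above.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


if __name__ == "__main__":
    for indicator, value, line in analyze_dds(SAMPLE_DDS):
        print(f"[{indicator}] {value}\n    {line}")
    # Userinit value as reported by Malwarebytes in the log above.
    bad = r"c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,"
    print("Userinit extras:", userinit_extras(bad))
```

The script deliberately reports rather than cleans: on a file infector the value of these findings is confirming that the box is compromised, which is the question Froggy asked, and none of them can be trusted to be the only persistence mechanism present.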

That is the best thing you can do; as you suspected, that is definitely Ramnit. DO NOT back up any applications or installers, and DO NOT back up any files with the following extensions:

  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar

Be sure to completely reformat the drive before you reinstall. If you need instructions on how to carry out a Reformat and Reinstall, please see this page.

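The reason for the exclusion list above is that a clean reinstall is undone the moment an infected .exe, or an .html file that re-drops one, is restored from the backup. The script below is an added example for this thread, not a tool from the forum. It applies the extension list exactly as given, and adds two assumptions of mine: .msi files are treated as installers and skipped, and the Windows and Program Files trees are skipped wholesale because they hold applications rather than personal data. Matching is case-insensitive, as the file system is.

```python
"""Select personal files for backup, skipping what a file infector rides on.

Added example for this forum thread; not a forum or vendor tool. The
extension list is the one given in the reply above; .msi and the skipped
top-level directories are my own assumptions.
"""
import os
import shutil

# Extensions named in the reply above. Compared case-insensitively, so a
# file like "Photo.JPG.EXE" is still excluded.
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Assumption: installers are excluded by extension as well.
EXCLUDED_EXTENSIONS |= {".msi"}
# Assumption: these top-level trees contain applications, not user data.
EXCLUDED_TOP_DIRS = {"windows", "program files"}


def is_backup_safe(relative_path):
    """True if the file at this path (relative to the drive root) may be copied."""
    parts = relative_path.replace("\\", "/").split("/")
    if parts[0].lower() in EXCLUDED_TOP_DIRS:
        return False
    _, ext = os.path.splitext(parts[-1])
    return ext.lower() not in EXCLUDED_EXTENSIONS


def partition_paths(relative_paths):
    """Split relative paths into (keep, skip) lists, preserving order."""
    keep, skip = [], []
    for p in relative_paths:
        (keep if is_backup_safe(p) else skip).append(p)
    return keep, skip


def copy_backup(source_root, dest_root):
    """Walk source_root, copy safe files under dest_root, return (copied, skipped)."""
    copied, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(source_root):
        rel_dir = os.path.relpath(dirpath, source_root)
        rel_dir = "" if rel_dir == "." else rel_dir
        if rel_dir == "":
            # Prune excluded trees so os.walk never descends into them.
            dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_TOP_DIRS]
        for name in filenames:
            rel = os.path.join(rel_dir, name) if rel_dir else name
            if not is_backup_safe(rel):
                skipped.append(rel)
                continue
            target = os.path.join(dest_root, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(dirpath, name), target)
            copied.append(rel)
    return copied, skipped


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "dst")
        # Constructed sample tree, not the poster's files.
        for rel in ["Documents/thesis.docx", "Pictures/holiday.jpg",
                    "Documents/resume.DOC.exe", "Downloads/setup.msi",
                    "Program Files/app/app.exe", "Documents/notes.html"]:
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
        copied, skipped = copy_backup(src, dst)
        print("copied :", sorted(copied))
        print("skipped:", sorted(skipped))
```

Excluding by extension is a deliberately blunt rule: scanning the backup with the same anti-virus that missed the infection in the first place is not a substitute, and the archive formats are excluded because they can carry an infected executable inside them untouched.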

Glad we could help. :D

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.