[Not Curable] Ramnit.gen!A Infection. How to clean a files drive?

By Bobo888
Mar 29, 2012
Topic Status:
Not open for further replies.
  1. I was hit by Ramnit last night while browsing Google Images; I just clicked an image and I got a warning from Comodo firewall saying it had blocked a serious threat or something. Before I could react the computer restarted.

    After the restart everything went pear-shaped: Skype broken, MSE reporting Ramnit and Alureon.A. Every time I cleaned them they came back.

    So far I have disconnected my 2nd hard drive which just has files on it, and reinstalled windows on my C drive.

    My plan is to get a USB auto run blocking program and connect my files drive via a USB hard drive dock.

    Then I want to scan the drive as much as possible and make sure it is clean.

    But this is where I get stuck. There is all sorts of information on Ramnit, but I have seen warnings on here not to follow advice given to other people. So please can somebody direct me?

    Thanks
  2. Bobo888

    Bobo888 Newcomer, in training Topic Starter

    Just completed a full Malware Bytes scan of the files drive and there was no sign of Ramnit. Am I safe?
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    If you do have Ramnit, regretfully I will be recommending a reformat/reinstall. Here's what you're dealing with:

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer.

    Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A.

    Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. Here's why:

    The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively curable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Please read:
    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
    With appreciation to Broni for helping with the above information.
    =================================
    I'd like for you to at least do an online virus scan to try and confirm:
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
  4. Bobo888

    Bobo888 Newcomer, in training Topic Starter

    Thanks for helping. This is all ESET found

    F:\C Backup\Downloads\cnet2_mx_2_5_18_1000_exe.exe a variant of Win32/InstallCore.D application
    F:\Documents\Downloads\Applications\Nero\Nero-8.1.1.0b_eng_trial.exe Win32/Toolbar.AskSBar application

    So far I have done 5 different scans.

    Malware Bytes and Microsoft Security Essentials found nothing.

    aswMBR found about 5 infected by Ramnit. (deleted those files)

    Bit defender found another 1 infected by Ramnit (deleted also)

    And finally ESET found those listed above, I assume win32/InstallCore.D is another name for Ramnit (I will delete that file too)

    All the files that have been found with Ramnit infections were exe/dll files which I backed up from my infected C drive to the files drive before I formatted and re-installed windows. (probably was a bad idea, but I assumed the rest of the files drive would be infected anyway)

    Would it be safe to say that if I delete all the files I copied from the infected C drive that I will most likely be clean?

    EDIT: Deleted all dll, exe and htm/html files that were in the files I backed up from the C drive. Can ramnit infect any other file types?
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Never assume!
    F:\C Backup\Downloads\cnet2_mx_2_5_18_1000_exe.exe a variant of Win32/InstallCore.D application.
    Win32/InstallCore.D is from an ActiveX object that you have to get when you download from CNet.
    No, it would not. Did you read the information I left? Compromised system, Backdoor etc.?

    Excerpts from: http://www.trusteer.com/blog/ramnit-evolution-–-worm-financial-malware

    =======================================
    Let's run the following- it may show you related files:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti-virus and anti-malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    Show me the logs.
  6. Bobo888

    Bobo888 Newcomer, in training Topic Starter

    Just as I thought it was nearly safe. I really can't afford to wipe my files drive :s

    aswMBR Log

    ____________

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-29 16:58:06
    -----------------------------
    16:58:06.692 OS Version: Windows 6.1.7600
    16:58:06.692 Number of processors: 4 586 0xF0B
    16:58:06.692 ComputerName: BEN-PC UserName: Ben
    16:58:07.520 Initialize success
    17:00:29.935 AVAST engine defs: 12032900
    17:01:04.279 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000056
    17:01:04.279 Disk 0 Vendor: ST950056 SD24 Size: 476940MB BusType: 3
    17:01:04.294 Disk 0 MBR read successfully
    17:01:04.294 Disk 0 MBR scan
    17:01:04.341 Disk 0 Windows 7 default MBR code
    17:01:04.341 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    17:01:04.373 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
    17:01:04.451 Disk 0 scanning sectors +976771072
    17:01:04.529 Disk 0 scanning C:\Windows\system32\drivers
    17:01:12.513 Service scanning
    17:01:18.560 Service MpKsl537172e8 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\MpKsl537172e8.sys **LOCKED** 32
    17:01:18.607 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
    17:01:29.544 Modules scanning
    17:01:33.654 Disk 0 trace - called modules:
    17:01:33.669 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
    17:01:33.669 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860a73b8]
    17:01:33.669 3 CLASSPNP.SYS[8be5a59e] -> nt!IofCallDriver -> [0x85c15b50]
    17:01:33.669 5 ACPI.sys[8b6083b2] -> nt!IofCallDriver -> \Device\00000056[0x85c15c78]
    17:01:39.669 AVAST engine scan F:\
    17:02:40.638 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\RASMaker.exe **INFECTED** Win32:Ramnit-AC [Drp]
    17:02:41.013 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\rl.dll **INFECTED** Win32:Ramnit-AC [Drp]
    17:02:41.326 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\SHORTCUT.EXE **INFECTED** Win32:Ramnit-AC [Drp]
    17:04:04.966 File: F:\C Backup\Downloads\GetFLV 9.0.8.2_Generic.Loader_Flash 11.1.102.55_Pack\GetFLV.v9.0.8.x.Generic.Loader-RES\GetFLV.v9.0.8.x.Generic.Loader-RES.exe **INFECTED** Win32:Ramnit-AC [Drp]
    17:04:25.732 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\DSETUP.dll **INFECTED** Win32:Ramnit-AC [Drp]
    17:04:26.326 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dsetup32.dll **INFECTED** Win32:Ramnit-AC [Drp]
    17:04:27.857 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dxsetup.exe **INFECTED** Win32:Ramnit-AC [Drp]
    18:02:52.786 Scan finished successfully
    18:04:31.310 Disk 0 MBR has been saved successfully to "C:\Users\Ben\Desktop\MBR.dat"
    18:04:31.373 The log file has been saved successfully to "C:\Users\Ben\Desktop\aswMBR.txt"

    __________

    bitDefender Log

    ____________

    BitDefender Log File

    Product : BitDefender Free Edition 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Contextual Scan
    Log date : 29/03/2012 20:50:26
    Log path : C:\Users\Ben\AppData\Roaming\BitDefender\Desktop\Profiles\Logs\contextual\1333050626_1_02.xml

    Scan Paths:
    path 0000: F:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : No

    Target Selection Options:
    Scan registry keys : No
    Scan cookies : No
    Scan boot sectors : No
    Scan memory processes : No
    Scan archives : Yes
    Scan runtime packers : Yes
    Scan emails : Yes
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None
    Default action for encrypted infected objects : None
    Default action for encrypted suspicious objects : None
    Default action for password-protected objects : Prompt for password

    Scan engines summary
    Number of virus signatures : 7000512
    Archive plugins : 49
    Email plugins : 7
    Scan plugins : 15
    System plugins : 5
    Unpack plugins : 10

    Overall scan summary
    Scanned items : 1320335
    Infected items : 1
    Suspicious items : 0
    Resolved items : 1
    Unresolved items : 725
    Password-protected items : 725
    Overcompressed items : 0
    Individual viruses found : 1
    Scanned directories : 13548
    Scanned boot sectors : 0
    Scanned archives : 7508
    Input-output errors : 0
    Scan time : 01:47:18
    Files per second : 205

    Scanned processes summary
    Scanned : 0
    Infected : 0

    Scanned registry keys summary
    Scanned : 0
    Infected : 0

    Scanned cookies summary
    Scanned : 0
    Infected : 0

    Resolved issues:
    Object Name | Threat Name | Final Status
    F:\C Backup\Downloads\Max Payne 1 & 2 (The Collector's Edition)\Max Payne\Crack & Patch\Crack\MaxPayne.exe Win32.Ramnit.X Deleted

    (I left out the list of password protected files)
    ______________
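    The scan logs above all report detections by full path, so the quickest way to see a pattern is to pull those lines out and group them. As an added example that is not from this thread or from any of the scanners' own tooling, here is a small Python script that extracts the **INFECTED** lines from an aswMBR log, counts hits by file extension and by threat name, and works out the deepest directory every hit has in common. The input is a constructed sample of six lines modelled on the log posted above (paths shortened); run against it, it shows the hits are all .exe/.dll files and all sit under F:\C Backup, the material copied across from the infected C drive. That is triage information for deciding what to delete, not evidence that the rest of the drive is clean: a scan log only lists what the signatures matched.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the line format aswMBR writes, modelled on the log posted
# above (paths shortened); only the "**INFECTED**" lines carry detections.
SAMPLE_LOG = r"""
17:01:04.294 Disk 0 MBR read successfully
17:02:40.638 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\RASMaker.exe **INFECTED** Win32:Ramnit-AC [Drp]
17:02:41.013 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\rl.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:04:25.732 File: F:\C Backup\Downloads\KOTOR2\DirectX\DSETUP.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:04:27.857 File: F:\C Backup\Downloads\KOTOR2\DirectX\dxsetup.exe **INFECTED** Win32:Ramnit-AC [Drp]
18:02:52.786 Scan finished successfully
"""

# One detection line: timestamp, "File:", a path that may contain spaces,
# the **INFECTED** marker, the threat name, and an optional bracketed flag.
INFECTED_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{3}) File: (?P<path>.+?) \*\*INFECTED\*\* "
    r"(?P<threat>\S+)(?: \[(?P<flag>[^\]]+)\])?\s*$"
)


def parse_infected(log_text):
    """Return one dict (time, path, threat, flag) per **INFECTED** line; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def common_root(paths):
    """Deepest directory shared by all paths, using Windows path rules (case-insensitive)."""
    if not paths:
        return None
    split = [PureWindowsPath(p).parts for p in paths]
    common = []
    for column in zip(*split):           # walk the path components level by level
        if len({part.lower() for part in column}) != 1:
            break                        # first level where the paths diverge
        common.append(column[0])
    return str(PureWindowsPath(*common)) if common else None


def summarize(log_text):
    """Triage view of a scan log: how many hits, which file types, which threats, where they live."""
    hits = parse_infected(log_text)
    return {
        "count": len(hits),
        "by_extension": Counter(PureWindowsPath(h["path"]).suffix.lower() for h in hits),
        "by_threat": Counter(h["threat"] for h in hits),
        "common_root": common_root([h["path"] for h in hits]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['count']} infected files, all under: {s['common_root']}")
    for ext, n in sorted(s["by_extension"].items()):
        print(f"  {ext or '(no extension)'}: {n}")
    for name, n in s["by_threat"].items():
        print(f"  {name}: {n}")
```

    To use it on a real aswMBR.txt, read the file and pass its contents to `summarize()`; the ESET and BitDefender logs use different line layouts and would need their own regular expression.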
  7. Bobo888

    Bobo888 Newcomer, in training Topic Starter

    ComboFix Log

    _______

    ComboFix 12-03-29.02 - Ben 30/03/2012 0:50.1.4 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3071.1789 [GMT 1:00]
    Running from: c:\users\Ben\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Ben\AppData\Local\Temp\{BA29590B-E2D4-44D3-9CBB-5ACA5E8385C1}\fpb.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-29 23:52 . 2012-03-29 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-03-29 20:49 . 2012-03-29 11:58 -------- d-----w- c:\windows\Panther
    2012-03-29 18:32 . 2012-03-29 18:32 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\offreg.dll
    2012-03-29 17:46 . 2012-03-29 17:46 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\MpKsld01785a8.sys
    2012-03-29 17:44 . 2012-03-29 17:45 81984 ----a-w- c:\windows\system32\bdod.bin
    2012-03-29 17:30 . 2012-03-29 23:55 -------- d-----w- c:\programdata\BitDefender
    2012-03-29 17:30 . 2012-03-29 17:30 -------- d-----w- c:\program files\BitDefender
    2012-03-29 17:30 . 2012-03-29 17:30 -------- d-----w- c:\program files\Common Files\BitDefender
    2012-03-29 15:52 . 2012-03-29 15:52 -------- d-----w- c:\program files\ESET
    2012-03-29 15:52 . 2012-03-29 15:52 -------- d--h--w- c:\windows\AxInstSV
    2012-03-29 13:02 . 2012-01-25 05:44 57856 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-03-29 13:02 . 2012-01-25 05:44 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-03-29 13:02 . 2012-01-25 05:40 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-03-29 13:02 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
    2012-03-29 13:02 . 2012-02-15 05:44 826368 ----a-w- c:\windows\system32\rdpcore.dll
    2012-03-29 13:02 . 2012-02-15 04:22 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-29 13:02 . 2012-02-15 04:22 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    2012-03-29 13:02 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
    2012-03-29 12:59 . 2012-02-09 12:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5EDF1BEF-1925-4F10-8B6D-2F066A50514D}\gapaengine.dll
    2012-03-29 12:59 . 2012-03-20 02:53 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\mpengine.dll
    2012-03-29 12:50 . 2012-03-29 17:31 -------- d-sh--w- c:\windows\Installer
    2012-03-29 12:50 . 2012-03-29 12:50 -------- d-----w- c:\program files\Microsoft Security Client
    2012-03-29 12:50 . 2010-04-09 07:24 1285000 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-03-29 12:50 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-03-29 12:47 . 2012-03-29 12:47 -------- d-----w- c:\programdata\Panda Security
    2012-03-29 12:47 . 2012-03-29 12:47 -------- d-----w- c:\program files\Panda USB Vaccine
    2012-03-29 12:46 . 2012-03-29 12:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-29 12:46 . 2012-03-29 12:46 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-03-29 12:46 . 2012-03-29 12:46 -------- d-----w- c:\windows\system32\Macromed
    2012-03-29 12:14 . 2012-03-20 02:53 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D146BC8F-3947-46CC-A0E4-74FE91113E66}\mpengine.dll
    2012-03-29 12:14 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-03-29 12:03 . 2012-03-29 12:03 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-29 12:03 . 2012-03-29 12:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-29 12:03 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-29 12:01 . 2012-03-29 17:51 -------- d-----w- c:\windows\system32\wbem\Performance
    2012-03-29 11:58 . 2012-03-29 11:58 -------- d-----w- c:\users\Ben
    2012-03-29 11:58 . 2012-03-29 11:58 -------- d-----w- C:\Recovery
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-29 17:44 . 2009-04-15 14:13 146312 ----a-w- c:\windows\system32\drivers\bdfm.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2012-03-29 782336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 253600]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    S1 MpKsld01785a8;MpKsld01785a8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\MpKsld01785a8.sys [2012-03-29 29904]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2012-03-29 146312]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-07-13 657408]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-29 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 12:46]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.0.1
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    c:\program files\BitDefender\BitDefender 2009\vsserv.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Panda USB Vaccine\USBVaccine.exe
    c:\windows\system32\conhost.exe
    c:\program files\BitDefender\BitDefender 2009\seccenter.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\DllHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-30 00:57:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-29 23:57
    .
    Pre-Run: 486,012,932,096 bytes free
    Post-Run: 485,932,720,128 bytes free
    .
    - - End Of File - - EC986C730E35148E3B838F833FCF19AF
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Maybe you'll think twice before you pirate any more files!
    I suspect these may have been pirated also:
    Your choice: "I really can't afford to wipe my files drive :s"

    You are running both MSE and BitDefender.
  9. Bobo888

    Bobo888 Newcomer, in training Topic Starter

    I actually own Max Payne 2 but the disc is damaged so I had to get hold of a disc image. I don't think those files have anything to do with the origin of the infection anyway.

    This is just a temp install of windows while I try and see if my files are clean, so that's why I've ended up with both bit defender and MSE. I normally only run MSE.

    Can you suggest anything that will come close to guaranteeing there is no infection left?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you completely overlook the information I left?

    There is NO guarantee that Ramnit- and most likely the additional malware on the system has been removed.

    It is not possible to work on 'parts' of a system for a problem that is on 'all' of the system.

    Yes, the infection does have to do with the programs you pirated!! Since ALL these game backups DO show Ramnit infection, why do you insist they aren't the origin of the infection? At this point, it hardly matters.

    Good explanation here: Virut and other File infectors - Throwing in the Towel?
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/support/ind...and-repair-xp-vista-7/page__p__5329#entry5329