[Not Curable] Ramnit.gen!A Infection. How to clean a files drive?

Status
Not open for further replies.

Bobo888

I was hit by Ramnit last night while browsing google images, just clicked an image and I got a warning from Comodo firewall saying it had blocked a serious threat or something. Before I could react the computer restarted.

After restart everything went pear-shaped, Skype broken, MSE reporting Ramnit and Alureon.A. Every time I cleaned them they came back.

So far I have disconnected my 2nd hard drive which just has files on it, and reinstalled windows on my C drive.

My plan is to get a USB auto run blocking program and connect my files drive via a USB hard drive dock.

Then I want to scan the drive as much as possible and make sure it is clean.

But this is where I get stuck. There is all sorts of information on Ramnit but I have seen warnings on here not to follow advice given to other people. So please can somebody direct me?

Thanks
 
Just completed a full Malware Bytes scan of the files drive and there was no sign of Ramnit. Am I safe?
 
There is all sorts of information on Ramnit but I have seen warnings on here not to follow advice given to other people. So please can somebody direct me?

If you do have Ramnit, regretfully I will be recommending a reformat/reinstall. Here's what you're dealing with:

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer.

Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A.

Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. Here's why:

The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively curable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
With appreciation to Broni for helping with the above information.
=================================
I'd like for you to at least do an online virus scan to try and confirm:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
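The helper's point above is that Ramnit is a file infector: it writes itself into host files of particular types (.exe, .dll and .htm/.html are the ones named here), so the question for a files drive is which files are of a hostable type and whether any of them have changed. The script below is an added example written for this thread, not code from the thread or from any of the scanners mentioned in it. It walks a directory tree, classifies each file by extension, records a SHA-256 per file, and reports which files differ from a manifest taken earlier from known-clean copies. The Office extensions in the table and the sample tree it builds are constructed assumptions.

```python
"""Inventory a backup drive for the file types the thread says Ramnit infects.

Added example, not from the thread: walks a directory tree (for instance the
'C Backup' subtree copied from the infected C: drive), classifies each file by
extension, and records a SHA-256 so the files can later be compared against a
manifest taken from known-clean copies. The Office extensions and the sample
tree below are constructed for this example.
"""
import hashlib
import os
import tempfile
from collections import Counter

# Host file types named in the thread: executables/DLLs and HTML, plus (per the
# Trusteer excerpt quoted later) Office documents. The Office extensions are an
# assumption for this example.
AT_RISK = {
    ".exe": "executable", ".dll": "executable",
    ".htm": "html", ".html": "html",
    ".doc": "office", ".docx": "office", ".xls": "office", ".xlsx": "office",
}


def sha256_of(path, chunk=1 << 16):
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root):
    """One record per file: path relative to root (forward slashes), class, size, hash."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            records.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "class": AT_RISK.get(ext, "data"),
                "size": os.path.getsize(full),
                "sha256": sha256_of(full),
            })
    return records


def summarize(records):
    """Counts per class; 'data' files are not host types the thread lists."""
    return Counter(r["class"] for r in records)


def at_risk_paths(records):
    """Files of a type a file infector can host, in a stable order."""
    return sorted(r["path"] for r in records if r["class"] != "data")


def changed_or_unknown(records, manifest):
    """Paths whose hash differs from the known-good manifest or are absent from it.

    A file infector modifies its host, so a changed hash on an otherwise
    untouched file is the signal to look for; a verdict still needs a scanner.
    """
    return sorted(r["path"] for r in records
                  if manifest.get(r["path"]) != r["sha256"])


def build_sample_tree(root):
    """Constructed sample layout mirroring the thread's files drive."""
    sample = {
        "C Backup/Desktop/patch/RASMaker.exe": b"MZ-sample-exe",
        "C Backup/Desktop/patch/rl.dll": b"MZ-sample-dll",
        "C Backup/Documents/notes.html": b"<html></html>",
        "C Backup/Documents/report.docx": b"PK-sample-docx",
        "Photos/holiday.jpg": b"\xff\xd8-sample-jpg",
        "Music/track.mp3": b"ID3-sample-mp3",
    }
    for rel, data in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return len(sample)


def demo():
    """Build the sample tree, take a manifest, alter one host file, re-check."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        manifest = {r["path"]: r["sha256"] for r in inventory(root)}
        # Simulate a host executable whose bytes changed after the manifest
        # was taken (constructed: appending bytes, not a real infection).
        target = os.path.join(root, "C Backup", "Desktop", "patch", "RASMaker.exe")
        with open(target, "ab") as f:
            f.write(b"-changed")
        records = inventory(root)
        return summarize(records), at_risk_paths(records), changed_or_unknown(records, manifest)


if __name__ == "__main__":
    counts, risky, changed = demo()
    print("files per class:", dict(counts))
    print("at-risk host types:", risky)
    print("hash mismatches vs manifest:", changed)
```

Run it against a real drive by calling inventory() on the mount point and saving the path-to-hash map as the manifest; the manifest is only meaningful if it was taken from copies you know were clean (original installation media, a pre-infection backup), which is exactly what the helper's reimage/restore/reformat list is about. A hash mismatch tells you a file changed, not what changed it, so a hit is a reason to scan or discard that file, never a reason to trust the rest.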
 
Thanks for helping. This is all ESET found

F:\C Backup\Downloads\cnet2_mx_2_5_18_1000_exe.exe a variant of Win32/InstallCore.D application
F:\Documents\Downloads\Applications\Nero\Nero-8.1.1.0b_eng_trial.exe Win32/Toolbar.AskSBar application

So far I have done 5 different scans.

Malware Bytes and Microsoft Security Essentials found nothing.

aswMBR found about 5 infected by Ramnit. (deleted those files)

Bit defender found another 1 infected by Ramnit (deleted also)

And finally ESET found those listed above, I assume win32/InstallCore.D is another name for Ramnit (I will delete that file too)

All the files that have been found with Ramnit infections were exe/dll files which I backed up from my infected C drive to the files drive before I formatted and re-installed windows. (probably was a bad idea, but I assumed the rest of the files drive would be infected anyway)

Would it be safe to say that if I delete all the files I copied from the infected C drive that I will most likely be clean?

EDIT: Deleted all dll, exe and htm/html files that were in the files I backed up from the C drive. Can ramnit infect any other file types?
 
I assume win32/InstallCore.D is another name for Ramnit

Never assume!
F:\C Backup\Downloads\cnet2_mx_2_5_18_1000_exe.exe a variant of Win32/InstallCore.D application.
Win32/InstallCore.D is from an Active X object that you have to get when you download from CNet.
Would it be safe to say that if I delete all the files I copied from the infected C drive that I will most likely be clean?

No, it would not. Did you read the information I left? Compromised system, Backdoor etc.?

Can ramnit infect any other file types?
Excerpts from: http://www.trusteer.com/blog/ramnit-evolution-–-worm-financial-malware

Ramnit morphed into a financial malware, or at least was used as a platform to commit financial fraud.
Ramnit can infect Windows executable files, HTML files, office files and possibly other file types as well

• continuously communicate with the Command and Control (C&C) server, reporting on its status and receiving configuration updates; inbound and outbound communication is over SSL (https).

The malware includes a Man-in-the-Browser (MitB) web injection module, which enables Ramnit to modify web pages (client-side), modify transaction content, insert additional transactions, etc. - all in a completely covert fashion invisible to both the user and host application.

Following is a partial list of Ramnit components:
  • Proprietary "windows installer" (Download and Execute)
  • Hooker & MITB web injects (Zeus bundle)
  • FTP Grabber
  • FTP server
  • Cookie Grabber
  • Anti Debugging/Anti AV
=======================================
Let's run the following- it may show you related files:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe
    & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================
aswMBR found about 5 infected by Ramnit. (deleted those files)
Bit defender found another 1 infected by Ramnit (deleted also)

Show me the logs.
 
Just as I thought it was nearly safe. I really can't afford to wipe my files drive :s

aswMBR Log

____________

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-29 16:58:06
-----------------------------
16:58:06.692 OS Version: Windows 6.1.7600
16:58:06.692 Number of processors: 4 586 0xF0B
16:58:06.692 ComputerName: BEN-PC UserName: Ben
16:58:07.520 Initialize success
17:00:29.935 AVAST engine defs: 12032900
17:01:04.279 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000056
17:01:04.279 Disk 0 Vendor: ST950056 SD24 Size: 476940MB BusType: 3
17:01:04.294 Disk 0 MBR read successfully
17:01:04.294 Disk 0 MBR scan
17:01:04.341 Disk 0 Windows 7 default MBR code
17:01:04.341 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
17:01:04.373 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
17:01:04.451 Disk 0 scanning sectors +976771072
17:01:04.529 Disk 0 scanning C:\Windows\system32\drivers
17:01:12.513 Service scanning
17:01:18.560 Service MpKsl537172e8 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\MpKsl537172e8.sys **LOCKED** 32
17:01:18.607 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
17:01:29.544 Modules scanning
17:01:33.654 Disk 0 trace - called modules:
17:01:33.669 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor.sys
17:01:33.669 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860a73b8]
17:01:33.669 3 CLASSPNP.SYS[8be5a59e] -> nt!IofCallDriver -> [0x85c15b50]
17:01:33.669 5 ACPI.sys[8b6083b2] -> nt!IofCallDriver -> \Device\00000056[0x85c15c78]
17:01:39.669 AVAST engine scan F:\
17:02:40.638 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\RASMaker.exe **INFECTED** Win32:Ramnit-AC [Drp]
17:02:41.013 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\rl.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:02:41.326 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\SHORTCUT.EXE **INFECTED** Win32:Ramnit-AC [Drp]
17:04:04.966 File: F:\C Backup\Downloads\GetFLV 9.0.8.2_Generic.Loader_Flash 11.1.102.55_Pack\GetFLV.v9.0.8.x.Generic.Loader-RES\GetFLV.v9.0.8.x.Generic.Loader-RES.exe **INFECTED** Win32:Ramnit-AC [Drp]
17:04:25.732 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\DSETUP.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:04:26.326 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dsetup32.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:04:27.857 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dxsetup.exe **INFECTED** Win32:Ramnit-AC [Drp]
18:02:52.786 Scan finished successfully
18:04:31.310 Disk 0 MBR has been saved successfully to "C:\Users\Ben\Desktop\MBR.dat"
18:04:31.373 The log file has been saved successfully to "C:\Users\Ben\Desktop\aswMBR.txt"

__________

bitDefender Log

____________

BitDefender Log File

Product : BitDefender Free Edition 2009
Version : BitDefender UIScanner v.12
Scanning task : Contextual Scan
Log date : 29/03/2012 20:50:26
Log path : C:\Users\Ben\AppData\Roaming\BitDefender\Desktop\Profiles\Logs\contextual\1333050626_1_02.xml

Scan Paths:path 0000: F:\

Scan Options:Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : No

Target Selection Options:Scan registry keys : No
Scan cookies : No
Scan boot sectors : No
Scan memory processes : No
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing:Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : Prompt for password

Scan engines summaryNumber of virus signatures : 7000512
Archive plugins : 49
Email plugins : 7
Scan plugins : 15
System plugins : 5
Unpack plugins : 10

Overall scan summaryScanned items : 1320335
Infected items : 1
Suspicious items : 0
Resolved items : 1
Unresolved items : 725
Password-protected items : 725
Overcompressed items : 0
Individual viruses found : 1
Scanned directories : 13548
Scanned boot sectors : 0
Scanned archives : 7508
Input-output errors : 0
Scan time : 01:47:18
Files per second : 205

Scanned processes summaryScanned : 0
Infected : 0

Scanned registry keys summaryScanned : 0
Infected : 0

Scanned cookies summaryScanned : 0
Infected : 0

Resolved issues:Object Name Threat Name Final Status
F:\C Backup\Downloads\Max Payne 1 & 2 (The Collector's Edition)\Max Payne\Crack & Patch\Crack\MaxPayne.exe Win32.Ramnit.X Deleted

(I left out the list of password protected files)
______________
 
ComboFix Log

_______

ComboFix 12-03-29.02 - Ben 30/03/2012 0:50.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.3071.1789 [GMT 1:00]
Running from: c:\users\Ben\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Ben\AppData\Local\Temp\{BA29590B-E2D4-44D3-9CBB-5ACA5E8385C1}\fpb.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
.
.
2012-03-29 23:52 . 2012-03-29 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-29 20:49 . 2012-03-29 11:58 -------- d-----w- c:\windows\Panther
2012-03-29 18:32 . 2012-03-29 18:32 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\offreg.dll
2012-03-29 17:46 . 2012-03-29 17:46 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\MpKsld01785a8.sys
2012-03-29 17:44 . 2012-03-29 17:45 81984 ----a-w- c:\windows\system32\bdod.bin
2012-03-29 17:30 . 2012-03-29 23:55 -------- d-----w- c:\programdata\BitDefender
2012-03-29 17:30 . 2012-03-29 17:30 -------- d-----w- c:\program files\BitDefender
2012-03-29 17:30 . 2012-03-29 17:30 -------- d-----w- c:\program files\Common Files\BitDefender
2012-03-29 15:52 . 2012-03-29 15:52 -------- d-----w- c:\program files\ESET
2012-03-29 15:52 . 2012-03-29 15:52 -------- d--h--w- c:\windows\AxInstSV
2012-03-29 13:02 . 2012-01-25 05:44 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-29 13:02 . 2012-01-25 05:44 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-29 13:02 . 2012-01-25 05:40 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-29 13:02 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-03-29 13:02 . 2012-02-15 05:44 826368 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-29 13:02 . 2012-02-15 04:22 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-29 13:02 . 2012-02-15 04:22 24064 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-29 13:02 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2012-03-29 12:59 . 2012-02-09 12:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5EDF1BEF-1925-4F10-8B6D-2F066A50514D}\gapaengine.dll
2012-03-29 12:59 . 2012-03-20 02:53 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\mpengine.dll
2012-03-29 12:50 . 2012-03-29 17:31 -------- d-sh--w- c:\windows\Installer
2012-03-29 12:50 . 2012-03-29 12:50 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-29 12:50 . 2010-04-09 07:24 1285000 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 12:50 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2012-03-29 12:47 . 2012-03-29 12:47 -------- d-----w- c:\programdata\Panda Security
2012-03-29 12:47 . 2012-03-29 12:47 -------- d-----w- c:\program files\Panda USB Vaccine
2012-03-29 12:46 . 2012-03-29 12:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-29 12:46 . 2012-03-29 12:46 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-29 12:46 . 2012-03-29 12:46 -------- d-----w- c:\windows\system32\Macromed
2012-03-29 12:14 . 2012-03-20 02:53 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D146BC8F-3947-46CC-A0E4-74FE91113E66}\mpengine.dll
2012-03-29 12:14 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-03-29 12:03 . 2012-03-29 12:03 -------- d-----w- c:\programdata\Malwarebytes
2012-03-29 12:03 . 2012-03-29 12:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-29 12:03 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-29 12:01 . 2012-03-29 17:51 -------- d-----w- c:\windows\system32\wbem\Performance
2012-03-29 11:58 . 2012-03-29 11:58 -------- d-----w- c:\users\Ben
2012-03-29 11:58 . 2012-03-29 11:58 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-29 17:44 . 2009-04-15 14:13 146312 ----a-w- c:\windows\system32\drivers\bdfm.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2012-03-29 782336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 253600]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
S1 MpKsld01785a8;MpKsld01785a8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A3F203AC-453C-451C-BFD4-D5046C7B01E9}\MpKsld01785a8.sys [2012-03-29 29904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2012-03-29 146312]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-07-13 657408]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 12:46]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\windows\system32\taskhost.exe
c:\program files\Panda USB Vaccine\USBVaccine.exe
c:\windows\system32\conhost.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2012-03-30 00:57:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-29 23:57
.
Pre-Run: 486,012,932,096 bytes free
Post-Run: 485,932,720,128 bytes free
.
- - End Of File - - EC986C730E35148E3B838F833FCF19AF
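The aswMBR log above is the one place in the thread where the scanner names every hit and its full path, which makes it easy to check the poster's own observation (all hits are under "C Backup") rather than eyeballing it. The script below is an added example, not code from the thread or from AVAST: it embeds the seven INFECTED lines (plus two context lines) copied from the posted log, extracts timestamp, path, detection name and flag from each, and summarises the hits by top-level folder and by host file type. The line format is inferred from the posted log only, not from any published aswMBR specification.

```python
"""Pull the infected-file entries out of an aswMBR log and group them.

Added example, not from the thread or from AVAST: the log lines below are
copied from the aswMBR output posted in the thread (two context lines plus
the seven INFECTED entries); the parsing and grouping code is written for
this example and the line format is inferred from that posted log.
"""
import re
from collections import Counter

LOG_LINES = [
    "17:01:39.669 AVAST engine scan F:\\",
    r"17:02:40.638 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\RASMaker.exe **INFECTED** Win32:Ramnit-AC [Drp]",
    r"17:02:41.013 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\rl.dll **INFECTED** Win32:Ramnit-AC [Drp]",
    r"17:02:41.326 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\SHORTCUT.EXE **INFECTED** Win32:Ramnit-AC [Drp]",
    r"17:04:04.966 File: F:\C Backup\Downloads\GetFLV 9.0.8.2_Generic.Loader_Flash 11.1.102.55_Pack\GetFLV.v9.0.8.x.Generic.Loader-RES\GetFLV.v9.0.8.x.Generic.Loader-RES.exe **INFECTED** Win32:Ramnit-AC [Drp]",
    r"17:04:25.732 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\DSETUP.dll **INFECTED** Win32:Ramnit-AC [Drp]",
    r"17:04:26.326 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dsetup32.dll **INFECTED** Win32:Ramnit-AC [Drp]",
    r"17:04:27.857 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dxsetup.exe **INFECTED** Win32:Ramnit-AC [Drp]",
    "18:02:52.786 Scan finished successfully",
]

# One hit line: timestamp, "File:", the path, **INFECTED**, the detection
# name, and an optional bracketed flag such as [Drp].
HIT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) "
    r"\*\*INFECTED\*\* (?P<detection>\S+)(?: \[(?P<flag>[^\]]+)\])?$"
)


def parse_aswmbr(lines):
    """Return one dict per **INFECTED** line; every other line is ignored."""
    hits = []
    for line in lines:
        m = HIT_RE.match(line.rstrip())
        if m:
            hits.append(m.groupdict())
    return hits


def top_folder(win_path):
    r"""First directory under the drive root, e.g. 'C Backup' for F:\C Backup\x."""
    parts = win_path.split("\\")
    return parts[1] if len(parts) > 1 else ""


def group_by_top_folder(hits):
    """How many hits sit under each top-level folder of the scanned drive."""
    return Counter(top_folder(h["path"]) for h in hits)


def extension_counts(hits):
    """Which host file types were hit (lower-cased extension)."""
    return Counter("." + h["path"].rsplit(".", 1)[-1].lower() for h in hits)


def detection_names(hits):
    """Distinct detection names and how often each appears."""
    return Counter(h["detection"] for h in hits)


def report(lines):
    """Summary a helper would ask for: hit count, names, folders, file types."""
    hits = parse_aswmbr(lines)
    return {
        "hits": len(hits),
        "detections": dict(detection_names(hits)),
        "by_folder": dict(group_by_top_folder(hits)),
        "by_extension": dict(extension_counts(hits)),
    }


if __name__ == "__main__":
    for key, value in report(LOG_LINES).items():
        print(f"{key}: {value}")
```

On the posted log this gives seven hits, all Win32:Ramnit-AC, all under "C Backup", four .exe and three .dll, which matches what the poster reported by hand. Point parse_aswmbr() at the lines of a saved aswMBR.txt to get the same summary for a fresh scan; the folder grouping only tells you where the scanner found hits, and a scanner that found nothing in a folder is not evidence the folder is clean, which is the helper's point about backdoored systems.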
 
Maybe you'll think twice before you pirate any more files!
C Backup\Downloads\Max Payne 1 & 2 (The Collector's Edition)\Max Payne\Crack & Patch\Crack\MaxPayne.exe Win32.Ramnit.X Deleted

I suspect these may have been pirated also:
17:02:40.638 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\RASMaker.exe **INFECTED** Win32:Ramnit-AC [Drp]
17:02:41.013 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\rl.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:02:41.326 File: F:\C Backup\Desktop\MaxPayneSoundPatchv1.12\SHORTCUT.EXE **INFECTED** Win32:Ramnit-AC [Drp]
17:04:04.966 File: F:\C Backup\Downloads\GetFLV 9.0.8.2_Generic.Loader_Flash 11.1.102.55_Pack\GetFLV.v9.0.8.x.Generic.Loader-RES\GetFLV.v9.0.8.x.Generic.Loader-RES.exe **INFECTED** Win32:Ramnit-AC [Drp]
17:04:25.732 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\DSETUP.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:04:26.326 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dsetup32.dll **INFECTED** Win32:Ramnit-AC [Drp]
17:04:27.857 File: F:\C Backup\Downloads\Star Wars - Knights of the Old Republic Saga - Gbus Edition\KOTOR2\DirectX\dxsetup.exe **INFECTED** Win32:Ramnit-AC [Drp]

Your choice: "I really can't afford to wipe my files drive :s"

You are running both MSE and BitDefender.
 
I actually own Max Payne 2 but the disc is damaged so I had to get hold of a disc image. I don't think those files have anything to do with the origin of the infection anyway.

This is just a temp install of windows while I try and see if my files are clean, so that's why I've ended up with both bit defender and MSE. I normally only run MSE.

Can you suggest anything that will come close to guaranteeing there is no infection left?
 
Did you completely overlook the information I left?

There is NO guarantee that Ramnit- and most likely the additional malware on the system has been removed.

It is not possible to work on 'parts' of a system for a problem that is on 'all' of the system.

Yes, the infection does have to do with the programs you pirated!! Since ALL these game backups DO show Ramnit infection, why do you insist they aren't the origin of the infection? At this point, it hardly matters.

Good explanation here: Virut and other File infectors - Throwing in the Towel?
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/support/ind...and-repair-xp-vista-7/page__p__5329#entry5329
 