Inactive [Not curable - Ramnit] multi-infection?

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
C:\Documents and Settings\Michael\AppData\Local\Application Data\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
C:\Documents and Settings\Michael\AppData\Local\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
C:\Documents and Settings\Michael\do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
C:\Documents and Settings\Michael\Local Settings\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
C:\Qoobox\Quarantine\C\Users\Michael\AppData\Roaming\Ivzaqa\yhihi.exe.vir a variant of Win32/Kryptik.APVV trojan
C:\Users\Michael\AppData\Local\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
C:\Users\Michael\do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
C:\Users\Michael\Local Settings\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
C:\zaladunek\OmniFormat.11.2.rar probably a variant of Win32/Agent.LUOIRVW trojan
C:\zaladunek\PDFs from do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
C:\zaladunek\zips\478c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
C:\zaladunek\zips\560c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
C:\zaladunek\zips\836c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
C:\zaladunek\zips\cscteddsaustraliaengineeringv10keygenlnd.zip Win32/Packed.Themida.C trojan
Operating memory probably a variant of Win32/Ramnit.L virus
 
I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
 
Thanks Broni.

Could you please advise on the following:

- I need to backup my data. Any chances of the infection being 'imported' via data blocks (content) to the backup drive/another computer?

- How to effectively verify whether any portable drives/other PCs that possibly shared data from my infected computer are affected? I am using another PC now, how to (quickly) check whether this piece of equipment is affected (data sharing with infected PC)?

- Is it possible to identify when and with which particular file(s) the computer was infected?

Thanks for your help



-
 
You can backup your data but do NOT back them up to another computer.
Use external hard drive or USB flash drive to do so.
Do NOT use them on another computer anymore.

Format hard drive.
Reinstall Windows install all updates and security tools (AV, firewall).

Install Panda USB Vaccine, or BitDefender’s USB Immunizer on your computer to protect it from any infected USB device.

Now you'll be safe to plugin your backup device and scan it with your AV program.

If you exchanged any files between this and any computers, all other computers have to be checked.
Create new topic for each computer.
 
I am using another computer now and it did not show any signs of infection. Which means really nothing, under the circumstances.
What should be the first step to check the status of this particular PC?
Thanks
 
As described in your first, very general instruction?
The best effective way to verify (the safety of the contents of) the portable disk where the data is stored?
 
Thanks.

Panda (feature not included) and BD )portable HD not detected) cannot process my NFTS portable HD, any alternatives?

Is it possible to pinpoint which particular file(s)/source was the source, establish the approx. date of infection?

Thanks.
 
Is it possible to pinpoint which particular file(s)/source was the source, establish the approx. date of infection?
No.

As far as I know BD supports NTFS drives.
Are you getting any error message?
 
When I am prompted to insert USB device and subsequently connect the external (NFTS) hard drive, it is not recognized by BD.
Does it take a longer time for BD to recognize (and immune) 1.5TB HD?
 
I assume I can safely (no downloads done before) use my iPod for immediate communication purposes since my computers are now 'suspect' (one for sure), is it safe?
 
Thanks
Re the preliminary checks, since my AV suite seems to be ineffective (this major problem was not detected earlier), can I include Eset online scan in the preliminary check (in addition to MWAB and DDS)?

Any recommendations re 'effective' (if it exists at all :)) AV program/suite, FW?
I have Vista32 and W764 machines.
Thanks
 
I only need DDS and MBAM log to start with.

There is no perfect security program.
It's always about the ways you're using your computer.
 
Just one more question
Are pdf files safe to be retrieved from the infected PC (unlikely to be infected by Ramnit)?
 
I would start with scanning with your regular updated AV program not online one like Eset.
 
Hence the reason for asking for good alternatives since my regular and very up-to-date AV program detected nothing ...
 
This is different.
You got infected by some active infection which happened due to some of your computing activity.
Active infection will do whatever needed to hide itself.
On USB drive you're dealing with inactive files which should be detected by any AV program.
 
Back