
[Ramnit- Not curable] Licosearch hijack browser - im really struggling!

Discussion in 'Virus and Malware Removal' started by broony, Jun 4, 2011.

  1. broony Newcomer, in training Posts: 19

    For the first on the list of 3 I am getting this message:

    The file are userinit.exe uploaded by other users and scanned successfully at 2011/03/17 23:01:23, and 37 softwares update the database from last scan to now.

    choice: Scan result or rescan

    I am choosing rescan.

    the result: ERROR: Can't find upload file!
  2. broony Newcomer, in training Posts: 19

    for:

    c:\window\system32\svchost.exe

    Path does not exist please verify the correct path was given.

    Note: this message comes from my computer and not the website.
  3. broony Newcomer, in training Posts: 19

    I think I've managed to get the 3rd one to scan:

    VirSCAN.org Scanned Report :
    Scanned time : 2011/06/10 22:18:27 (BST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://file.virscan.org/report/00dff1361819c0c3a21d130fdc86a3b2.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.2 20110611040745 2011-06-11 5.55 -
    AhnLab V3 2011.06.11.00 2011.06.11 2011-06-11 2.13 -
    AntiVir 8.2.5.14 7.11.9.156 2011-06-10 0.27 -
    Antiy 2.0.18 20110205.7694535 2011-02-05 0.02 -
    Arcavir 2011 201105080215 2011-05-08 0.03 -
    Authentium 5.1.1 201106101924 2011-06-10 1.41 -
    AVAST! 4.7.4 110610-1 2011-06-10 0.01 -
    AVG 8.5.850 271.1.1/3692 2011-06-10 0.23 -
    BitDefender 7.90123.7406640 7.37559 2011-05-24 0.00 -
    ClamAV 0.96.5 13177 2011-06-10 0.01 -
    Comodo 4.0 9021 2011-06-10 1.25 -
    CP Secure 1.3.0.5 2011.06.10 2011-06-10 0.04 -
    Dr.Web 5.0.2.3300 2011.06.11 2011-06-11 12.52 -
    F-Prot 4.4.4.56 20110610 2011-06-10 1.41 -
    F-Secure 7.02.73807 2011.06.10.05 2011-06-10 12.68 -
    Fortinet 4.2.257 13.310 2011-06-10 0.22 -
    GData 22.584/22.154 20110610 2011-06-10 9.07 -
    ViRobot 20110610 2011.06.10 2011-06-10 0.38 -
    Ikarus T3.1.32.20.0 2011.06.10.78574 2011-06-10 4.78 -
    JiangMin 13.0.900 2011.06.10 2011-06-10 1.58 -
    Kaspersky 5.5.10 2011.06.10 2011-06-10 0.10 -
    KingSoft 2009.2.5.15 2011.6.10.18 2011-06-10 0.78 -
    McAfee 5400.1158 6368 2011-06-05 9.46 -
    Microsoft 1.6903 2011.06.10 2011-06-10 7.32 -
    NOD32 3.0.21 6197 2011-06-10 0.01 -
    Norman 6.07.10 6.07.00 2011-06-10 14.02 -
    Panda 9.05.01 2011.06.10 2011-06-10 2.35 -
    Trend Micro 9.200-1012 8.214.11 2011-06-10 0.03 -
    Quick Heal 11.00 2011.06.09 2011-06-09 1.18 -
    Rising 20.0 23.61.04.07 2011-06-10 2.16 -
    Sophos 3.20.2 4.66 2011-06-11 3.54 -
    Sunbelt 3.9.2494.2 9544 2011-06-10 0.71 -
    Symantec 1.3.0.24 20110610.002 2011-06-10 0.05 -
    nProtect 20110601.01 3460661 2011-06-01 7.60 -
    The Hacker 6.7.0.1 v00176 2011-04-18 0.58 -
    VBA32 3.12.16.1 20110609.2030 2011-06-09 4.37 -
    VirusBuster 5.3.0.4 14.0.75.2/5348666 2011-06-10 0.00 -
  4. Bobbye Helper on the Fringe Posts: 16,406   +16

    Can you clear this up for me please?
    1. There is one computer.
    2. You have a user account> you are the one who is experiencing the redirect.
    3. Your wife has a user account (lorrainehobson)
    4. You said:
    What puzzles me is that this is one computer> one account can connect to the internet but the other can't. Is that correct?
    5. Why were you trying to get into Safe Mode? These scans are run in Normal Mode if it's available. You did the virus scan in Normal Mode. There are times when GMER won't run. IF that happens, one of the things we suggest is to try and run it in Safe Mode. But otherwise, Normal Mode should be used.
    6. Then you told me:
    7. The logs were run on the Run by lorraine hobson at 21:13:31 on 2011-06-04 account
    ===========================================
    Regarding the download, install and running of the scan:
    The download can be done to a flash drive if needed.
    The installation has to be on the computer with the problem>>> and in your case, the account with the problem and the scans have to be run on the account with the problem.

    Do you understand what I mean here? If you are the one being redirected to 'licosearch', then doing the scans on your wife's account isn't going to show us what's on your account. Any of the entries with a name in them all have 'lorraine hobson.'

    The issue here is: "My browser redirects me to licosearch and wont allow lots of web pages to load."

    Since licosearch.com belongs to a malicious domain, I'm going to have you block the domain on both your and your wife's account. You will do #1, #2 and #3 in Internet Options, doing the same thing on both accounts, the same way on each:

    1. Restricting the Domain:
    Open Internet Options either through the Control Panel or Tools in Internet Explorer> Choose the Security tab: Restricted Sites> Sites> type the following in the dialog box for 'Add this website'> Click on Add after each:
    When you have finished Click on OK

    2. Resetting the Cookies:
    Then choose the Privacy Tab
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    ==========================================
    3. Deleting Files and Cookies
    Now choose the General tab> Temporary Internet Files section> Click on each 'Delete files'> 'Delete Cookies'> Move down to the History section> Click on Delete History.
    When finished> Click on OK

    When you have finished setting both accounts with the Restricted Sites, resetting the Cookies, deleting the temporary internet files, Cookies and History> Click on OK> Apply> OK

    Reboot the computer.
    ===================================
    Run the following: Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
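    Step #1 above (putting licosearch.com in Internet Explorer's Restricted Sites zone, once per account) can also be done from an elevated PowerShell prompt. This is an added example, not part of Bobbye's instructions; it assumes Vista/7-era PowerShell and writes the same ZoneMap registry entry that the Internet Options dialog writes, for every user profile whose registry hive is currently loaded.

    ```powershell
    # Added example (not from the thread): place a domain in IE's Restricted Sites zone
    # for every user profile whose hive is loaded under HKEY_USERS, instead of clicking
    # through Internet Options on each account. Run from an elevated prompt.
    param([string]$Domain = "licosearch.com")

    # ZoneMap zone ids: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
    $RestrictedZone = 4
    $SubPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

    # Expose HKEY_USERS as a drive so each loaded per-user hive can be addressed directly
    if (-not (Test-Path "HKU:\")) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Real user accounts have S-1-5-21-... SIDs; this skips service SIDs and *_Classes aliases
    $UserHives = Get-ChildItem "HKU:\" |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($Hive in $UserHives) {
        $Key = "HKU:\$($Hive.PSChildName)\$SubPath\$Domain"
        if (-not (Test-Path $Key)) {
            New-Item -Path $Key -Force | Out-Null
        }
        # A value named '*' applies the zone to every URL scheme (http, https, ...) for the domain
        New-ItemProperty -Path $Key -Name '*' -Value $RestrictedZone -PropertyType DWord -Force | Out-Null

        # Read it back so the result is checked rather than assumed
        $Applied = (Get-ItemProperty -Path $Key -Name '*').'*'
        if ($Applied -eq $RestrictedZone) {
            Write-Host "$Domain is now in Restricted Sites for $($Hive.PSChildName)"
        } else {
            Write-Warning "Could not confirm the zone entry for $($Hive.PSChildName)"
        }
    }
    ```

    A hive is only loaded while that user is logged in (or via fast user switching), so an account that is not signed in, such as the wife's account in this thread, is skipped and the script has to be run again from that account, which matches the per-account advice above.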
  5. broony Newcomer, in training Posts: 19

    Hi,

    Thanks for your help.

    I decided to do a system recovery having read a few other posts on this forum around the type of virus I think the PC contracted, Ramnit (post 17).

    I don't really keep anything of real importance on the PC and (as you can probably tell) I'm not the most knowledgeable in finding my way around technically.

    This, added to my regular working away from home, means I would have been weeks sorting it out.

    The PC is running great. I have downloaded AVIRA and am using that as my antivirus; I have updated JAVA and Adobe. I have updated from the Microsoft website too.

    I know this Ramnit thing might reappear, but for now all seems well. I did a full scan with AVIRA and it was clear.

    Is there anything else I can do, anything else I should do? All tips to stay clean would be gratefully appreciated.
  6. Bobbye Helper on the Fringe Posts: 16,406   +16

    You shouldn't do a system recovery> if you have Ramnit, you should do a reformat/reinstall. You are not trying to recover Windows from a serious error and you aren't trying to perform repairs to the files that Windows uses to start itself.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Most of us think strongly that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Ramnit tutorial courtesy Broni
    =========================================
    Good explanation here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html