[Elise]

Sorry, but that is otl.txt, not extra.txt

[Advertisements]

umm... what exactly do i need to do?

[LSEactuary]

umm... what exactly do i need to do?

[Elise]

Please rerun OTL, click the NONE button, then change the value under Extra Registry to "use safelist" and click Run Scan. Post me extra.txt

This.

[LSEactuary]

I did what you said and the attached file is the only things that came up. it came up really quickly and my MSE anti-virus software I think is going haywire. It keeps saying to clean the computer and then i click yes and then within 5 mins it comes up again...

Attached Files

•  OTL.Txt   2.63KB   495 downloads

[LSEactuary]

all my USB drives seem to have this virus:

http://www.sophos.co...32patchedi.html

What do i do? I think the computer is still infected..

[Elise]

That is really bad news.

Win32/Ramnit.A / Win32/Ramnit.B is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

• Understanding virus names
• VirusTotal Threat aliases for W32/Ramnit <- Win32.Ramnit!IK, W32.Ramnit!inf, Win32.Rmnet
• VirScan Threat aliases for W32/Ramnit <- Win32/Zbot, PWS.Panda.387, PE_RAMNIT, Trojan/Generic.arhm
• McAfee Threat aliases for W32/Ramnit - link 1 <- Trojan.Generic.KD, Win32/Zbot, W32/Cosmu
• McAfee Threat aliases for W32/Ramnit - link 2 <- SHeur3.AQRA, W32/Patched-I, Win32.Nimnul, W32/Pedalac

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• When should I re-format? How should I reinstall?
• Where to draw the line? When to recommend a format and reinstall?

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

[LSEactuary]

oh man.... okay ill do the above this evening.

will it delete the virus off my USB's though - all my work and stuff is saved on there.

[Elise]

Best would be to use something like Flash Disinfector and save your work to a CD.

Flash disinfector will prevent the virus from infectin usb-drives and thus prevent the risk of spreading the infection. But be very careful. One leftover file is enough to reinfect everything!

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
• Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

[LSEactuary]

okay some questions before I start:

1. Can I use the flash disinfector on this 'infected' computer? and will it wipe out everything from the flash drive?

2. If I do the above to my 'infected' computer will it wipe out everything and delete all documents and stuff? And how long will it take?

3. If I insert an 'infected' USB onto another computer will the new computer be infected?

[Elise]

1. Flash Disinfector doesn't remove any data. It creates a hidden autorun.inf folder, which acts as a dummy. That way malware cannot install autorun components and thus not spread the infection that easy.

2. Meaning a reformat? Yes, it will remove everything? Typically it takes a few hours to reformat and reinstall most things.

3. Yes, unless that computer has an antivirus that catches and stops the infection.

[LSEactuary]

okay so how do I reformat my computer? the instructions above don't make sense to me....

remember I don't have any windows disc - everything came pre-installed!!!!

[Elise]

In that case, please download and install kaspersky virus removal tool and post me the results.

[LSEactuary]

okay done!

Attached Files

•  report.txt   1.08KB   520 downloads

[Elise]

Did you clean all your flashdrives? Looks like it hasn't spread to this computer. How are things running?

[LSEactuary]

this computer is working okay....
but when i click internet explorer - tools - internet options - delete - the cookies box is always unticked. even if i tick it once i open a new internet explorer its back to normal.
im cleaning all the flash drives atm.