Malware attack - 100's of things infected


25 replies to this topic

#1 Elusival

  • Members
  • 81 posts

Posted 19 October 2010 - 04:34 PM

I think I picked up a malware problem from tehparadox. I downloaded a version of Avast there and to make it last till 2024 I had to move a file within the crack with the program. Anyway Avast did run fine but it kept detecting just countless viruses.

The name I got from the Avast notification was vbs:exedropper-gen[trj] and win32:ramnit-b, sort of thing, so I googled it and found a page about it. http://forum.avast.com/index.php?PHPSESSID=544a2370d1b7d77545d7e01346a5c665&topic=63275.60 But I'm not very good at computers so couldn't really do anything about it.

Anyway with avast I'd manually have to click and move the viruses myself (Avast version 4) to the virus vault which is annoying. So I deleted avast and downloaded AVG free version and whenever my computer is on I get AVG pop up with hundreds of infected places, new places being found.

Malwarebytes Anti-Malware seemed to be a popular program. So I have that and updated it before a scan. Oh and I also allowed hidden folders and files to be seen, then ran the scan. It found a few things. But obviously not the thing causing this virus since they're still popping up.

Really, I will appreciate someone's help so much.

Oh and my computer is XP. I think Home Edition but I'm not 100% sure which version.

I can't update my AVG scanner at the moment for some reason either. I saved my last Malwarebytes log and here it is; I guess someone might have asked for it.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4875

Windows 5.1.2600 Service Pack 3
Internet Explorer Unknown

19/10/2010 01:15:19
mbam-log-2010-10-19 (01-15-19).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 174826
Time elapsed: 23 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{bea701d3-5e84-82f7-788d-54b3b41725f0} (Trojan.ZbotR.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\[email protected] (Adware.ClickPotato) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,userinit.exe,,c:\windows\explorersrv.exe) Good: (userinit.exe) -> No action taken.

Folders Infected:
C:\Program Files\system32 (Backdoor.Bifrose) -> No action taken.

Files Infected:
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> No action taken.

Edited by hamluis, 19 October 2010 - 06:14 PM.
Moved from XP forum to Am I Infected ~ Hamluis.



#2 BrainyTehBrain

  • Members
  • 190 posts
  • Location:Mississauga, Ontario

Posted 19 October 2010 - 05:21 PM

Re-do a full scan and click remove selected once it's done

#3 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 19 October 2010 - 05:43 PM

There's a good chance that this is incurable, however after I post the standard warning please run the Kasp scan if you would.

http://www.bleepingcomputer.com/forums/topic353399.html/page__view__findpost__p__1974286

http://www.kaspersky.com/virusscanner

Please go to the Kaspersky website and perform an online antivirus scan.


Read through the requirements and privacy statement and click on Accept button.

It will start downloading and installing the Scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.

When the downloads have finished, click on Settings.

Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives

Click on My Computer under Scan.

Once the scan is complete, it will display the results. Click on View Scan Report.

You will see a list of infected items there. Click on Save Report As....

Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Please post this log in your next reply.
Chewy

No. Try not. Do... or do not. There is no try.

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 31,717 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 October 2010 - 08:56 PM

Your log shows this entry: c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe

That file and the detections by avast is an indication of a serious viral infection known as Ramnit. For specific details about that file please refer to these threat assessments:
Win32/Ramnit.A / Win32/Ramnit.B are file infectors with IRCBot functionality which infect .exe and .HTML/HTM files, and open a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
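The Userinit tampering quietman7 points to above can be checked mechanically rather than by eye. The following is an added Python example, not code from this thread, from Malwarebytes or from any other tool mentioned here: it parses a Winlogon\Userinit value and flags every entry that is not the stock userinit.exe launcher. The sample input is the Bad/Good pair copied from the MBAM log in the first post; the rule that the only legitimate launcher is userinit.exe under system32 is my assumption for a stock XP install, and the `read_live_userinit` helper is an optional Windows-only convenience that is not exercised offline.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Assumption: on a stock Windows XP install the only legitimate launcher in
# Winlogon\Userinit is userinit.exe living under %SystemRoot%\system32.
EXPECTED_BASENAME = "userinit.exe"
EXPECTED_DIR_SUFFIX = "\\system32"

# Constructed sample: the Hijack.UserInit line from the MBAM log in post #1.
SAMPLE_MBAM_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,"
    r"c:\program files\microsoft\desktoplayer.exe,userinit.exe,,c:\windows\explorersrv.exe) "
    r"Good: (userinit.exe) -> No action taken."
)

HIJACK_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_hijack_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract the (bad, good) Userinit values from an MBAM Hijack.UserInit line."""
    m = HIJACK_RE.search(line)
    return (m.group("bad"), m.group("good")) if m else None


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value; Windows ignores empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe launcher.

    Anything extra here runs at every interactive logon, which is why file
    infectors and backdoors append themselves to this value.
    """
    flagged = []
    for entry in parse_userinit(value):
        directory, basename = ntpath.split(entry)
        if basename.lower() != EXPECTED_BASENAME:
            flagged.append(entry)  # a different program altogether
        elif directory and not directory.lower().endswith(EXPECTED_DIR_SUFFIX):
            flagged.append(entry)  # userinit.exe loaded from the wrong folder
    return flagged


def read_live_userinit() -> Optional[str]:
    """On Windows, read the current Userinit value; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    )
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    bad, good = parse_mbam_hijack_line(SAMPLE_MBAM_LINE)
    print("extra launchers in logged value:", audit_userinit(bad))
    print("extra launchers in known-good value:", audit_userinit(good))
```

Run against the log line from this thread it reports desktoplayer.exe and explorersrv.exe as the two foreign launchers, which is exactly the pair quietman7 identifies as the Ramnit indicator; the duplicate bare `userinit.exe` and the empty entry are ignored because they change nothing about what Winlogon starts.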

#5 Elusival

  • Topic Starter
  • Members
  • 81 posts

Posted 19 October 2010 - 09:12 PM

There's a good chance that this is incurable, however after I post the standard warning please run the Kasp scan if you would.

http://www.bleepingcomputer.com/forums/topic353399.html/page__view__findpost__p__1974286

http://www.kaspersky.com/virusscanner

Please go to the Kaspersky website and perform an online antivirus scan.


Read through the requirements and privacy statement and click on Accept button.

It will start downloading and installing the Scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.

When the downloads have finished, click on Settings.

Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives

Click on My Computer under Scan.

Once the scan is complete, it will display the results. Click on View Scan Report.

You will see a list of infected items there. Click on Save Report As....

Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Please post this log in your next reply.


''The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not take a free trial of Kaspersky Internet Security 2011, which has everything you need to keep your computer safe.''

Only the individual file scanner is available

#6 Elusival

  • Topic Starter
  • Members
  • 81 posts

Posted 19 October 2010 - 09:21 PM

Quietman, I really really would rather not have to reinstall or reformat. I don't even have disks big enough to get half my files onto. Is there anything online I could upload them to if I have to? I have 1000's of music files.

I mean, in my naivety this virus isn't causing any real problems. The only problems I got were deleting infected files. I mean if I just don't use my bank details typed on here, it will be fine. They can't access the other computer, can they (on the same internet network)?

I've read someone with a similar problem to me and I think it was you, quietman, who advised him/her to run ComboFix. I couldn't really follow the steps or get them to work for me so started this thread for advice.

Oh and I ran ComboFix before I read the warning 'do not run ComboFix unless instructed to do so'. But here's the thread very similar to my case and I think it resolved. http://www.bleepingcomputer.com/forums/topic336927.html

So really, ideally I'd like advice to clear out the virus as much as possible so I don't have to reinstall.

Edited by Elusival, 19 October 2010 - 09:25 PM.


#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 31,717 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 October 2010 - 09:40 PM

There is an alternate link for the Kaspersky scan but as I have already advised, with this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

There are no security tools that I know of which will guarantee to completely repair the infected files. While ComboFix is one of the best tools we have, it cannot work miracles and cannot fix the issues you are dealing with as a result of Ramnit. If left on your machine, the infection will only become progressively worse and you may lose all your personal data before you can back it up.

If your data is that important, then backing it up should be your first priority no matter how many disks it will take but keep in mind, with file infectors, there is always a chance of backed up data reinfecting your system. You can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
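The extension rules in the post above can be applied to a directory listing before anything is burned to disc, and the same pass catches the "added extension" trick the post warns about. The following is an added Python example, not code from this thread or from any tool it mentions: `RISKY_EXTENSIONS` is the list quietman7 gives, `DOCUMENT_LIKE` is my own assumption about which suffixes a user would read as harmless, and the sample listing is constructed from paths that appear in this thread.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# The extensions quietman7 lists above as unsafe to carry off a file-infector host.
RISKY_EXTENSIONS = {"exe", "scr", "dll", "ini", "htm", "html", "php", "asp",
                    "xml", "zip", "rar", "cab"}

# Assumption: suffixes a user would read as harmless media or documents; a name
# such as holiday.jpg.exe pairs one of these with a risky final extension.
DOCUMENT_LIKE = {"jpg", "jpeg", "png", "gif", "bmp", "mp3", "wma", "avi", "mp4",
                 "doc", "docx", "pdf", "txt", "rtf"}

# Constructed sample listing, modelled on paths that appear in this thread.
SAMPLE_FILES = [
    r"C:\Documents and Settings\computer\My Documents\letter.doc",
    r"C:\Documents and Settings\computer\My Documents\My Music\Rock\One step Closer.mp3",
    r"C:\Program Files\Microsoft\desktoplayer.exe",
    r"C:\Documents and Settings\computer\My Documents\holiday.jpg.exe",
    r"C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_cz.htm",
    r"C:\Documents and Settings\computer\My Documents\archive.zip",
]


def split_extensions(filename: str) -> List[str]:
    """All dotted suffixes, lower-cased: 'holiday.jpg.exe' -> ['jpg', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_for_backup(path: str) -> Tuple[str, Optional[str]]:
    """Decide 'copy' or 'skip' for one path, with the reason for a skip.

    Only the last extension decides what Windows will execute, so a name that
    hides a risky suffix behind a document-like one is reported as disguised.
    """
    exts = split_extensions(ntpath.basename(path))
    if not exts:
        return "copy", None
    final = exts[-1]
    if final in RISKY_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_LIKE:
            return "skip", f"disguised: looks like .{exts[-2]} but ends in .{final}"
        return "skip", f"risky extension .{final}"
    return "copy", None


def plan_backup(paths: List[str]) -> Dict[str, list]:
    """Partition a listing into files to copy and (path, reason) pairs to skip."""
    plan: Dict[str, list] = {"copy": [], "skip": []}
    for path in paths:
        verdict, reason = classify_for_backup(path)
        if verdict == "copy":
            plan["copy"].append(path)
        else:
            plan["skip"].append((path, reason))
    return plan


if __name__ == "__main__":
    result = plan_backup(SAMPLE_FILES)
    for path in result["copy"]:
        print("COPY", path)
    for path, reason in result["skip"]:
        print("SKIP", path, "--", reason)
```

The filter works on the real on-disk name, so it is unaffected by Explorer hiding known extensions. It is only a first pass: the two .mp3 files that the ESET scan later in this thread flags as GetCodec downloaders would sail through an extension check, which is why the post's final instruction, scanning the backed-up data with anti-virus before copying it back, still applies.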

#8 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 19 October 2010 - 10:09 PM

I would save only the music to an external hard drive
Chewy

No. Try not. Do... or do not. There is no try.

#9 Elusival

  • Topic Starter
  • Members
  • 81 posts

Posted 19 October 2010 - 11:41 PM

I've been reading the thread on this site with someone who had the same trouble. I did an ESET scan, these are the results. It got all except the one at the bottom and I think explorer.exe is important. So would that mean I'm unable to get rid of the malware? Oh and I don't know ComboFix.

Results of ESET scan:

Please I really would rather do things without having to uninstall and reformat.

C:\Documents and Settings\All Users\Application Data\DivX\Setup\DefaultBanner\defaultbanner-en-us.html Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_LinkScanner.html Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Social-Networking.html Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_LinkScanner.html Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Social-Networking.html Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\htmlayout.dll Win32/Ramnit.C virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_cz.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_da.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_es.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_fr.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_ge.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_hu.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_id.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_in.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_it.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_jp.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_ko.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_ms.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_nl.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_pb.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_pl.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_pt.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_ru.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_sc.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_sk.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_sp.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_tr.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_us.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_zh.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\All Users\Application Data\MFAData\pack\license_zt.htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\0VG101W1\online-scanner[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\0VG101W1\Sync[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\0VG101W1\topic87058[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\3OW4902A\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\3OW4902A\index[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\3OW4902A\JS[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\3OW4902A\show[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\3OW4902A\xmlProxy[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\79CT44WP\videoad[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\EIDJOMZ9\2[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\EIDJOMZ9\iframe[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\EIDJOMZ9\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\EIDJOMZ9\index[2].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\GXDE17MN\url[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\J0OI9CEJ\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\J0OI9CEJ\imgres[2].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\J0OI9CEJ\X-Men_Animated_Series[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\JMTKS18S\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\JMTKS18S\index[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\KPO6MVY7\deliver2[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\KPO6MVY7\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\KPO6MVY7\InboxLight[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\KPO6MVY7\likebox[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\KPO6MVY7\show[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\KPO6MVY7\show[2].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\MLY6Q3SH\JS[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\MLY6Q3SH\px[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O07CFKDS\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O07CFKDS\index[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O07CFKDS\index[2].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O07CFKDS\likebox[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O28NG1IW\xd_receiver[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O28NG1IW\xd_receiver[2].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O2J6NJCI\forums[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O2J6NJCI\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O2J6NJCI\proxy[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\O2J6NJCI\redtube_com[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\P21H457N\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\P21H457N\imgres[2].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\P21H457N\index[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\P21H457N\index[2].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\S212K12I\ADTECH;adid=5651966;bnid=-1;target=_blank;sub1=5651973;misc=[timestamp][1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\S212K12I\like[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\S212K12I\topic137369[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\S212K12I\xd_receiver[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\S2L023SD\CASUQ983.HTM Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\S2L023SD\mcad[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\S2L023SD\Messenger[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SM2412ZE\likebox[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SM2412ZE\Re-+Mother[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SM2412ZE\topic336927-30[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SM2412ZE\videoad[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SW8PL91H\c=211_rand=538641713_pv=y_rt=ifr_ct=y[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SW8PL91H\HistoryFrame[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SW8PL91H\microsoft_management_console[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SW8PL91H\topic34773[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\SW8PL91H\tweet_button[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\T7MFM3KL\ad[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\T7MFM3KL\imgres[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\T7MFM3KL\index[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\T7MFM3KL\LocalStorage[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\T7MFM3KL\megavideo_com[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\T7MFM3KL\topic114351[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\XXMO5HJS\JS[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\My Documents\My Music\other music\Oedipus.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\computer\My Documents\My Music\Rock\One step Closer.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S58Q2S9T\77t[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\WINDOWS\ExplorerSrv.exe Win32/Ramnit.A virus unable to clean

Edited by Elusival, 19 October 2010 - 11:43 PM.


#10 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 20 October 2010 - 12:01 AM

Removing an infection like this is incredibly complicated and time consuming.

And then you would have to repair the OS as system files have probably been infected.

I remember one poster who I was helping who reloaded then was back in a few days with the same infection, he had reinstalled an infected application that he had saved on his external hard drive.

He formatted all drives and started from ground zero.
Chewy

No. Try not. Do... or do not. There is no try.

#11 Elusival
  • Topic Starter
  • Members
  • 81 posts

Posted 20 October 2010 - 12:37 AM

I guess I really will have to reformat etc., so I'll start preparing and won't turn off my computer for a few days till it's all sorted.

I have 3 disks that can hold 4.7GB each, presuming 2 of them, which have stuff on already, can be erased. Well, they're DVD-RW but you can't delete; it says I can add over the top of them, maybe, though.

Is there anything online I can store stuff onto? My music alone is over 10GB and I have tons of videos and WordPad documents I want to save as well.

Also I have various operating disks. But I don't know where half the licence codes are. Can I, like, find a Windows XP online to download and use that?

Edited by Elusival, 20 October 2010 - 12:55 AM.


#12 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 20 October 2010 - 01:05 AM

C:\Documents and Settings\computer\My Documents\My Music\other music\Oedipus.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\computer\My Documents\My Music\Rock\One step Closer.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined


When you try to play these, they give you a popup to download a codec for media player which is really a trojan downloader, and there you are reinfected again.

http://www.magicaljellybean.com/keyfinder/ will retrieve your XP key
Chewy

No. Try not. Do... or do not. There is no try.

#13 Elusival
  • Topic Starter
  • Members
  • 81 posts

Posted 20 October 2010 - 01:41 AM

C:\Documents and Settings\computer\My Documents\My Music\other music\Oedipus.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\computer\My Documents\My Music\Rock\One step Closer.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined


When you try to play these, they give you a popup to download a codec for media player which is really a trojan downloader, and there you are reinfected again.

http://www.magicaljellybean.com/keyfinder/ will retrieve your XP key


Thanks. I deleted those two files and found my key and wrote it down.

Could someone answer my other point about extra storage space? I'd like to upload all of my music and pictures online. I can then fit the rest onto my disks and begin the ...whatever it is (reformatting etc.). Can someone recommend a program or site I can upload to online?

Oh, and if there's a program to change 100s of bitmap pictures to JPEG without having to do it manually, that would save a lot of MBs too. Recommend please?

Edited by Elusival, 20 October 2010 - 01:51 AM.


#14 Elusival
  • Topic Starter
  • Members
  • 81 posts

Posted 20 October 2010 - 01:59 AM

Ugh, now when I try copying files onto my DVD-RW it says 'Windows does not support this CD-R format, please try another disk'. I've used this very same disk on this same computer before and it worked fine. What's wrong with it? This is very frustrating.

#15 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 31,717 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 October 2010 - 08:09 AM

Your ESET scan indicates there are files which it was unable to clean. That's usually the case.

As I said, this infection can get progressively worse the longer it remains on your system. File infectors can target critical system files required for booting up. If these files are removed during attempted disinfection or repair, you may no longer be able to boot your machine.

File infectors can target any file, including the drivers used for a CD/DVD drive. Malware can also modify registry settings and permissions and hamper attempts to make repairs. That is why I said in a previous reply "If your CD/DVD drive is unusable ..." you may have no choice but to use an external drive.

There are online venues for storing and backing up data, but I have never used any of them so I cannot make a recommendation. I hear a lot of adverts for Carbonite, but they charge about $55 a year. You can do a Google search for online data backup storage and read what is available and whether the service is free or charges a fee.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
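The ESET scan output quoted earlier in the thread, parsed the way a responder would triage it, as an added example that is not from this thread, from ESET, or from any of the posters; it assumes the one-detection-per-line form shown in the posts and uses a constructed sample of four such lines. Anything the scanner could not clean, or found under the Windows directory, is flagged as a rebuild indicator, which is the point quietman7 makes above.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the ESET scanner lines quoted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\T7MFM3KL\index[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S58Q2S9T\77t[1].htm Win32/Ramnit.A virus cleaned - quarantined
C:\Documents and Settings\computer\My Documents\My Music\Rock\One step Closer.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\WINDOWS\ExplorerSrv.exe Win32/Ramnit.A virus unable to clean
"""

# One detection per line: <path> <threat name> <virus|trojan> <result>. Paths contain
# spaces, so the path is matched lazily and the fixed result text at end of line anchors it.
RECORD = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:a variant of )?\S+ (?:virus|trojan)) "
    r"(?P<result>cleaned - quarantined|unable to clean)$"
)

@dataclass
class Detection:
    path: str
    threat: str
    result: str

    @property
    def cleaned(self) -> bool:
        return self.result.startswith("cleaned")

    @property
    def in_browser_cache(self) -> bool:  # cached pages show exposure, not where the infection lives
        return "temporary internet files" in self.path.lower()

    @property
    def in_system_dir(self) -> bool:
        return self.path.lower().startswith("c:\\windows\\")

def parse_log(text: str) -> list:
    return [Detection(**m.groupdict())
            for line in text.splitlines() if (m := RECORD.match(line.strip()))]

def triage(detections: list) -> dict:
    """Count hits per threat and list what argues for a rebuild: anything the
    scanner could not clean, or any detection under the Windows directory."""
    per_threat = {}
    for d in detections:
        per_threat[d.threat] = per_threat.get(d.threat, 0) + 1
    rebuild = [d.path for d in detections if not d.cleaned or d.in_system_dir]
    cache_hits = sum(d.in_browser_cache for d in detections)
    return {"per_threat": per_threat, "rebuild_indicators": rebuild, "cache_hits": cache_hits}
```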



