
[Not curable - Ramnit] help

Discussion in 'Malware and Virus Removal Archive' started by keith 1000, 2010/10/22.

  1. 2010/10/22
    keith 1000

    keith 1000 Inactive Thread Starter

    Joined:
    2006/10/23
    Messages:
    72
    Likes Received:
    0
    Hello guys.
    I really think I may have a virus of some sort. It all started with my Kaspersky antivirus going nuts finding a "ramnit.f" virus. I scanned and scanned (fixing, quarantining, removing), everything I could to keep on top of it. Then it started affecting programs; a few say files are missing, like "msvcp80.dll, mfc80u.dll" for starters, and there could be more. Others wouldn't start at all. It even affected my Kaspersky; I have since uninstalled Kasp and it would not load again (gets all the way to finalize install, then reverts). Other programs stopped working, like my printer, Adobe Reader, QuickTax, Acer stuff, so I have removed them all, put Adobe back in, but it still doesn't work. So at that point I had no security, so I loaded Microsoft Security Essentials. It went nuts with this same virus name (ramnit); I bet there are 100 logs in the history. I have also scanned with "housecall" and it found half a dozen also. Well, since the last scan of HouseCall no more viruses are being detected as of now (that's good, yes?), but I still don't believe it's gone, just taking a break lol.
    At this point I just want my CPU working properly again and also need those missing files back :(
    Thx in advance
    Keith

    Here are your scans


    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Keith&Carrie at 0:29:24.53 on 23/10/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.3327.2246 [GMT -4:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\RtHDVCpl.exe
    C:\Acer\Empowering Technology\SysMonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Keith&Carrie\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSEARCH PAGE = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mDefault_Page_URL = hxxp://en.ca.acer.yahoo.com
    mStart Page = hxxp://en.ca.acer.yahoo.com
    uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [cdloader] "c:\users\keith&carrie\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [{957C0047-4F03-82F6-87E5-E99B69D898D7}] c:\users\keith&carrie\appdata\roaming\dioma\uram.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Skytel] Skytel.exe
    mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
    mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
    mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
    mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} -

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
    R3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-16 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-20 1343400]
    S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-12-27 80744]

    =============== Created Last 30 ================

    2010-10-23 02:59:10 6146896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{38ffe149-d294-49d7-864f-1756d4be3e2c}\mpengine.dll
    2010-10-21 17:50:33 -------- d-----w- c:\users\keith&carrie\win
    2010-10-21 13:14:54 6146896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2010-10-21 02:36:47 388096 ----a-r- c:\users\keith&~1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-10-21 02:36:46 -------- d-----w- c:\program files\Trend Micro
    2010-10-20 03:25:45 -------- d-----w- c:\windows\system32\appmgmt
    2010-10-20 02:09:55 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-10-20 00:27:55 -------- d-----w- c:\program files\windows
    2010-10-19 20:28:15 -------- d-----w- c:\users\keith&carrie\windows
    2010-10-19 07:16:18 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{3258b62b-0a10-4bc2-a968-4966e7b7b203}\mpengine.dll
    2010-10-17 04:12:48 -------- d-----w- c:\program files\win
    2010-10-14 03:18:04 4247040 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
    2010-10-14 03:18:04 1413632 ----a-w- c:\windows\system32\ole32.dll
    2010-10-14 03:18:00 859648 ----a-w- c:\program files\internet explorer\iedvtool.dll
    2010-10-14 03:18:00 673040 ----a-w- c:\program files\internet explorer\iexplore.exe
    2010-10-14 03:18:00 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-29 07:01:49 190976 ----a-w- c:\windows\system32\drivers\ks.sys
    2010-09-28 23:44:12 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-09-28 23:44:07 13312 ----a-w- c:\program files\internet explorer\iecompat.dll

    ==================== Find3M ====================

    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
    2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
    2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-27 05:46:48 168448 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-21 05:36:33 738816 ----a-w- c:\windows\system32\wmpmde.dll
    2010-08-21 05:36:24 224256 ----a-w- c:\windows\system32\schannel.dll
    2010-08-21 05:33:24 530432 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-21 05:32:37 316928 ----a-w- c:\windows\system32\spoolsv.exe
    2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

    ============= FINISH: 0:29:43.75 ===============




    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume2
    Install Date: 27/12/2009 7:32:21 PM
    System Uptime: 21/10/2010 10:53:05 PM (26 hours ago)

    Motherboard: Acer | | F690GVM
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ | Socket AM2 | 2185/199mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 144 GiB total, 107.782 GiB free.
    D: is FIXED (NTFS) - 69 GiB total, 52.725 GiB free.
    E: is FIXED (NTFS) - 75 GiB total, 4.628 GiB free.
    F: is CDROM (UDF)
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\3&18D45AA6&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\3&18D45AA6&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP128: 19/10/2010 3:14:38 AM - Windows Update
    RP129: 19/10/2010 9:39:16 PM - Installed Kaspersky Internet Security 2010.
    RP130: 19/10/2010 9:46:23 PM - Installed Kaspersky Internet Security 2010.
    RP131: 19/10/2010 10:11:44 PM - Windows Update
    RP132: 19/10/2010 11:23:08 PM - Removed Acer eDataSecurity Management
    RP133: 19/10/2010 11:25:02 PM - Removed Adobe Reader 9.1.
    RP134: 20/10/2010 7:32:33 AM - Installed Adobe Reader 9.4.0.
    RP135: 20/10/2010 7:54:03 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP136: 20/10/2010 10:01:38 PM - Removed Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    RP137: 20/10/2010 10:02:57 PM - Removed Microsoft Visual C++ 2005 Redistributable
    RP138: 20/10/2010 10:07:24 PM - Removed QuickTax 2009.
    RP139: 20/10/2010 10:36:26 PM - Installed HiJackThis
    RP140: 21/10/2010 9:14:14 AM - Windows Update
    RP141: 22/10/2010 10:58:56 PM - Windows Update

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Acer Assist
    Acer Empowering Technology
    Acer ePerformance Management
    Acer Registration
    Acer ScreenSaver
    Acer Tour
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.0
    BufferChm
    EasyBCD 1.7.2
    HiJackThis
    HP Update
    IncrediMail
    IncrediMail 2.0
    Junk Mail filter update
    LightScribe 1.4.142.1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Works
    Microsoft XML Parser
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    neroxml
    NTI CD & DVD-Maker
    NVIDIA Drivers
    PVSonyDll
    Realtek High Definition Audio Driver
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VCRedistSetup
    VistaBootPRO 3.3
    Windows 7 Upgrade Advisor
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    WinRAR archiver
    Xilisoft AVI to DVD Converter
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    22/10/2010 10:21:15 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer JULZROCKS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B2506C98-0ADE-44D5-A5AD-18B8CA41. The master browser is stopping or an election is being forced.
    21/10/2010 9:52:41 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0
    21/10/2010 12:37:09 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0
    21/10/2010 12:14:02 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0
    21/10/2010 11:50:38 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0
    21/10/2010 11:27:45 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0
    21/10/2010 11:04:42 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0
    21/10/2010 10:53:43 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LightScribeService Direct Disc Labeling Service service to connect.
    21/10/2010 10:52:34 PM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
    21/10/2010 10:40:31 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0
    21/10/2010 1:24:16 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:VBS/Ramnit.B&threatid=2147636913 User: NT AUTHORITY\SYSTEM Name: Virus:VBS/Ramnit.B ID: 2147636913 Severity: Severe Category: Virus Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.186.0, AS: 1.93.186.0 Engine Version: 1.1.6301.0

    ==== End Of File ===========================

    [HJT log removed - Broni]
     
    Last edited by a moderator: 2010/10/23
  2. 2010/10/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
     
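Triaging the DDS "Pseudo HJT Report" posted above for the kind of logon persistence Broni's diagnosis rests on, as an added example that is not part of either post or of the DDS tool: the script parses the report lines and flags any Userinit entry other than the genuine userinit.exe (Ramnit-family infections are documented to append their DesktopLayer.exe dropper there), GUID-named autoruns launched from the roaming profile, and browser extensions whose DLL is gone. The three rules are generic triage heuristics chosen for this example, not rules from the thread; the sample lines are copied from the report above.

```python
"""Triage a DDS 'Pseudo HJT Report' for logon-persistence artefacts.

Added example for this thread (not the DDS tool's own code). The rules are
generic triage heuristics; they are worth running on a Ramnit case because
the family is documented to add a second Userinit entry (DesktopLayer.exe)
so the dropper is started by winlogon at every logon.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = investigate now, "low" = cleanup / context
    rule: str
    detail: str


# The genuine Windows logon helper. Windows runs every comma-separated
# entry of the Userinit value at logon, so any other entry is a hijack.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ORPHAN_RE = re.compile(r"^(?:BHO|TB|uURLSearchHooks): .*- No File$")

# Constructed sample: these lines are copied from the DDS report posted above.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [{957C0047-4F03-82F6-87E5-E99B69D898D7}] c:\users\keith&carrie\appdata\roaming\dioma\uram.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
"""


def check_userinit(value):
    """Return every Userinit entry that is not the genuine userinit.exe."""
    entries = (e.strip().strip('"').lower() for e in value.split(","))
    return [e for e in entries if e and e != EXPECTED_USERINIT]


def triage(report):
    """Scan a pseudo-HJT report and return a list of Finding objects."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.lower().startswith("mwinlogon: userinit="):
            value = line.split("=", 1)[1]
            for extra in check_userinit(value):
                findings.append(Finding("high", "userinit-hijack", extra))
            continue
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.group("name"), run.group("cmd").strip().lower()
            # A GUID-named autorun that launches from the roaming profile is a
            # common malware persistence pattern; legitimate software rarely
            # registers itself this way.
            if GUID_RE.match(name) and "\\appdata\\roaming\\" in cmd:
                findings.append(Finding("high", "guid-autorun-in-profile", cmd))
            elif not cmd:
                findings.append(Finding("low", "empty-run-value", name))
            continue
        if ORPHAN_RE.match(line):
            # Extension registered but its DLL is gone: leftover from a removal,
            # harmless by itself but worth cleaning up.
            findings.append(Finding("low", "orphaned-browser-extension", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:4}] {f.rule}: {f.detail}")
```

Run against the sample, the only high-severity hits are the extra Userinit entry (desktoplayer.exe) and the GUID-named autorun under the user's roaming profile; the "No File" entries come out as low-severity cleanup items.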
