Ramnit.A?

Hi,

These were my original two posts that I made on another forum :


[quote name='Yetiboy' date='Oct 13 2010, 09:05 AM' post='1972627']
AVG has been finding so much stuff in the past few days. At first it was Cryptic and Generic trojans. I nuked it all, ran MBAM in safe mode and was happy. Then a few days later much of the same stuff pops up again, including SHeur3 stuff. I nuked it all again last night, ran Kaspersky and was satisfied that I had got rid of it all.

Now today everything seems ok, I decide to run Kaspersky again. As it's running AVG pops up again.

There are 4 threats mentioned, though it seems like the same two files listed twice :

c:\Users\Jon\AppData\Local\Temp\csenxmwroa.exe
c:\Documents and Settings\Jon\AppData\Local\Temp\csenxmwroa.exe
c:\Users\Jon\AppData\Local\Temp\swemxorcna.exe
c\Documents and Settings\Users\Jon\AppData\Local\Temp\swemxorcna.exe

These look familiar and I'm sure I've attempted to nuke them at least once or twice with AVG in the past few days, but they were definitely not listed as 'Generic19.AZMG' at that time. Google yields nothing on either filename. Are these false positives?

What do I do? Thanks, and apologies for the lack of details in some areas. Oh and I have Windows 7 Home Premium.

edit - sorry I misspoke in the thread title. As I alluded to earlier, AVG was reporting it as 'Trojan Horse Generic19.AZMG'.
[/quote]


[quote name='Yetiboy' date='Oct 13 2010, 09:14 AM' post='1972646']
More information :

I just opened the Virus Vault in AVG. There were a LOT of mentions from the past few days of htm files coming us as 'VBS/Generic'. Most were in the IE Temporary Internet files. I don't use Internet Explorer. I assume all of these are nothing to worry about? Anyway it seems the filenames I listed in the above post were very very similar to the ones being reported as other stuff in the past few days :


[/quote]




The first guy had me run a couple of tests. I did but before he replied again a second guy identified Win32/Zbot in the screenshot as Ramnit.A and stated :

"Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed."

The thread is here fwiw (I am assuming it is ok to link to other forums).




From reading around on this forum it seems the advice is usually less severe, and it seems that if Ramnit is stopped early you can be ok with no need to format.

My problems with formatting are :

- I don't have a Windows disc (stupid Samsung laptop, I think I was supposed to create one but I didn't, all I have is this backup stuff on the D drive which I wouldn't want to use).

- Lots of photos etc that I'd like to keep

Having said that, security is important to me and I frequently access various online accounts containing money. If there's a chance I'm still infected I'll have to bite the bullet. I'd really like to see what everyone has to say.

My scans are all running clear at the moment, and seem to have been doing since I cleared the temp files using TFC.

I have done the required tests and included the logs in this post, however RootRepeal would not work for me. I also just ran the online ESET scan, and nothing came up. After I hit reply on this I'm going to restart and run it twice back to back, but I fear nothing more will come up.

Sorry for being so wordy and thanks for all your help.

 

Well I'd like to stay with you then.

I have just run ESET three times. There is nothing coming up whatsoever, and as such, I don't believe there are any logs?

It seems every program I run reports clean stuff right now. I guess my question is simply 'is there a chance I am still infected?'

Thanks for the reply.

 

Ok. Thanks for the diagnosis Tim, i'll get on that right now. Much appreciated.