Multi virus infection : w32/ramnit.c, drop.agent, tr.crypt.xpac.gen ....

Ramnit infections have really become quit nasty and dangerous. We could attempt to remove it, and we have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut,.... etc can infect all executable files (DLL, EXE, SCR....and many more and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also when disinfection is attempted, the files often become corrupted and the system may become unstable or irrepairable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.

So all the above being said, and please do take serious note of the warnings, do you really wish to attempt cleaning even though the stability and security of your be cannot be guaranteed? And also note that we could spend a lot of time trying to fix it and still fail due to the number of files that have been infected. What would you like to do?

 

If we don't try to clean it, then you have to save your important data and files to a cd or external drive. Then you have to use your Windows CD to do a reformat and clean install ( Yes, you will lose every thing on your system ). It will take time to replace everything, and you will need to have your protection software updated and current to scan the CD or the external drive before you transfer the data back to the clean system.

Running the eSet scan three times will take less time and we can then see how infected you are and advise you better at that point.

eSet Online Scan.

 

Yes, that is part of the problem as both drives may be infected. I will wait to see your eSet logs when you are ready. Either Kestrel or myself will be working with you.

 

The only way to fix this is to run eSet scans until they come back clean. I understand this is a long procedure, but the alternative would be to save your data and personal files and then do a reformat and clean install. You could save them to your H:\ drive but it looks like most of what is being found is on your C:\ drive. What do you have on that drive?

 

If you can't boot, then the infection has corrupted your system files. There is little you can do other than try to slave the drives to another computer that is very well protected and try to save your important data and files. Then format the drives and do a clean install.

 

You need to keep running the scans, back to back, until we only find items in your system restore folders.

 

No! They are infected which is why they are being found. Ramnit can infect all executables and html files.

I refer you to message # 3 from Kestrel13!. It is time to reinstall. There is no know safe and reliable cure for Ramnit especially when it has reach the level of infection you have.

I don't think this will work. It can be tried but I think the infection will just continue.

 

You need to now re-run all the other scans:
SAS
MBAM
ComboFix
C:\C:\MGtools\GetLogs.bat -- and attach the C:\MGLogs.zip.

 

Also you should reboot your PC and see if things are still clean after the reboot. If you did not scan C and H, they are likely still carrying the infection. If any single infected file remains, running this one file could start the whole infection again.

Also note that all the infected files you deleted during the scans, may have left many applications broken or unstable. Only time will tell.

 

Had you done the eSet scans on all drives? You are still very infected. So let's do this:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

I didn't see ComboFix on your desktop. Please download it to your desktop and don't run it yet.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::
 
File::
d:\program files\microsoft\watermark.exe
D:\Documents and Settings\FAB\\Menu Démarrer\Programmes\Démarrage\ikowin32.exe
D:\Documents and Settings\FAB\\Menu Démarrer\Programmes\Démarrage\sishzm32.exe
D:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
D:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
D:\WINDOWS\system32\sys32_nov.exe
D:\WINDOWS\system32\{cad79195-a11c-d808-f596-467197d23ab2}.dll
Folder::
D:\Documents and Settings\FAB\\Menu Démarrer\Programmes\Démarrage
D:\Program Files\AntivirusPro_2010
D:\Program Files\PC_Antispyware2010
AtJob::
 

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Why have you not installed either SP2 or SP3?