I thought I'd post here as this seems to be where the most information is.
I've got this same problem since Friday and can't get rid of it. As I am computer savvy I clocked on to the suspicious Firefox processes straight away so the amount of extraneous infected files I've had is very low, but every time I turn on the computer the problem starts again.
A link I've found to this
Malware Analysis » Blog Archiv » Ramnit.A Virus
http://www.malware-analysis.net/?p=321
A report by Microsoft & McAfee:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRamnit.B
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=346870
What I don't understand is how this kicked in whilst Avast 5.1.889 was running. My one started as detecting Win32:Ramnit-G on various DLL files in my system restore folder (checking has determined these were all restores for the prog files\firefox folder). Windows Firewall complained about suspicious activity by Firefox (which led me to seeing the 3 spawned firefox processes in my task list). Looking up on the internet also led me to disabling system restore whilst dealing with the threat.
Every time I turn on the computer Avast alerts me to VBS:ExeDropper-gen [Trj] or Win32:Ramnit-G infecting .htm or .exe files respectively until I manage to kill those firefox processes.
My version of this is kicking off via a HKLM\..\Winlogon:
Userinit = "C:\WINDOWS\system32\userinit.exe,C:\Program Files\wskbplkv\fyynaotm.exe"
yet the folder is always empty when I look. I also noticed the thing seems to make a number of .log files in my local settings\app data folder:
gacibnyi.log, ljwdggsd.log, spdjudky.log, ultghcoc.log, ywmvmloa.log
I've run MBAM but all it came up with was 2 files infected with Spyware.OnlineGames:
prog files\ owcsetup.dll & owsetup1.dll
and McAfee Stinger found some files with the FakeAlert!fakealert-REP trojan:
win\sys32\sethc.exe, sys32\..\flash\uninstall_activeX.exe, win\download prog files\FP_AX_CAB_INSTALLER.exe
I've noticed that this thing doesn't kick off if I boot in safe mode. Checking HKLM\..\Winlogon shows the Userinit key hasn't been altered yet.
It DOES if I boot safe mode with networking, but only seemingly after I've logged onto a profile (the telltale sign of FDD activity only begins then).
I've also noticed that Windows Live Mail, which has suddenly begun to shut down immediately after opening since all this, is fine under safe mode/safe mode networking
Despite all my efforts this problem persists. Now it seems that it's managed to get its claws into Avast as it is now failing to initialise properly :'(
If someone can tell me WHERE the launch point for this blasted thing is I would happily remove it, as I am confident that the rest of my computer is fine, but until I do I'm having to go through this blasted rigmarole every time I turn on.
Help?
?!!!
!@#$%^&*
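A check for the launch point described in the post above, added here as an example and not code from the thread: it parses a Winlogon Userinit value and returns every entry other than the stock userinit.exe, since anything else listed there runs at every logon. The function names and the clean sample value are constructed; the infected sample is the value quoted in the post.

```python
import re
from typing import List

# Stock Userinit entry relative to the Windows directory (constructed default for this example).
DEFAULT_USERINIT_EXE = r"system32\userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split a Winlogon Userinit REG_SZ value into its comma-separated launch entries.

    Entries may be wrapped in double quotes (paths containing spaces), and the
    stock value ends with a trailing comma, so empty entries are dropped.
    """
    entries, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes          # commas inside quotes are part of the path
        elif ch == "," and not in_quotes:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def suspicious_userinit_entries(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe.

    The comparison is case-insensitive and expands %SystemRoot% so a legitimate
    but differently written default is not flagged. Whatever remains is an extra
    program Winlogon launches on logon, which is how the post's infection persisted.
    """
    expected = (system_root.rstrip("\\") + "\\" + DEFAULT_USERINIT_EXE).lower()
    flagged = []
    for entry in parse_userinit(value):
        normalized = re.sub(r"%systemroot%", lambda _m: system_root, entry, flags=re.I).lower()
        if normalized != expected:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    # Constructed clean default value and the infected value quoted in the post.
    clean = r"C:\WINDOWS\system32\userinit.exe,"
    infected = r"C:\WINDOWS\system32\userinit.exe,C:\Program Files\wskbplkv\fyynaotm.exe"
    print(suspicious_userinit_entries(clean))     # []
    print(suspicious_userinit_entries(infected))  # ['C:\\Program Files\\wskbplkv\\fyynaotm.exe']
```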