Author Topic: Ramnit G / H  (Read 3718 times)


studiot

  • Guest
Ramnit G / H
« on: October 29, 2011, 08:50:25 PM »
Avast rescue disk reports over 4000 infected files on my other (XP) pc which suddenly froze solid.

Is this recoverable or do I have to reformat?

If I ask the rescue disk to delete all infected files how safe am I recovering remaining data files (jpg etc) before reformat?
« Last Edit: October 29, 2011, 08:53:58 PM by studiot »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: Ramnit G / H
« Reply #1 on: October 29, 2011, 08:58:58 PM »
There is a virus and worms section here   ;)   http://forum.avast.com/index.php?board=4.0

follow the guide here and attach the logs   http://forum.avast.com/index.php?topic=53253.0



Quote
Summary
Win32/Ramnit is a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives, steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker.
Seems to be a file infector, and that is usually very bad news.
« Last Edit: October 29, 2011, 09:23:02 PM by Pondus »


studiot

  • Guest
Re: Ramnit G / H
« Reply #3 on: October 29, 2011, 09:39:03 PM »
Thank you for the posts, Pondus.

I can't get the log file from the infected disk to post so that is not really an option.

The links you posted seem to concur with the web reports I found that no effective cure has yet been found.

I just wondered if Avast has anything to offer since they found it and named the variant G and H not A and B.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: Ramnit G / H
« Reply #4 on: October 29, 2011, 09:42:17 PM »
Quote
I just wondered if Avast has anything to offer since they found it and named the variant G and H not A and B.
what do you mean?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Ramnit G / H
« Reply #5 on: October 29, 2011, 11:18:03 PM »
Sometimes Dr Web from a live CD has a reasonable result, so if you do not yet want to reformat it may be worth a shot.

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install ImgBurn
  • Double click Dr Web
  • ImgBurn will open
  • Burn the ISO to a CD
  • Reboot the infected computer with the CD in the drive
  • Ensure that the first boot device is CD - if you are not sure about that then see this page for instructions
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
  • Use arrow keys to select DrWeb-LiveCD (Default)
  • When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
  • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so.
  • Once completed, reboot to normal Windows
  • No log is produced, so once in normal Windows run a fresh OTL scan and let me know if the problems persist

ady4um

  • Guest
Re: Ramnit G / H
« Reply #6 on: October 30, 2011, 05:18:25 AM »
I don't want to contradict any of the previous comments / suggestions. But I want to suggest a different approach.

It could be more effective (having so many files infected, which could also prevent Windows from even booting again) to start the system with some Live system CD/UFD and try to back up any relevant user data, like emails, contacts, documents and so on. Alternatively, a full backup image could be useful too (and even recommended).

Only after having a backup, try to work on cleaning the system. Whatever happens with the attempt (to recover), you would still have the source to start over with a second attempt, or to try to use the backup data (not executables) on a new clean system.

Of course, if you use the backed-up data in any way, you need to scan the specific files you would want to use, so as to be sure you wouldn't be re-inserting the malware into a clean system.

As mentioned, this doesn't contradict any previous suggestion.
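One way to carry out the selective backup ady4um describes, as an added example that is not code from the thread: it copies user data off a mounted volume while skipping the executable, Office and HTML file types the Ramnit summary quoted earlier says it infects, and writes a SHA-256 manifest so each copy can be scanned and verified before it is reused on a clean system. The extension list, the temporary sample tree and its paths are assumptions constructed for the demo.

```python
"""Selective user-data backup from a mounted, possibly infected volume.
Added example, not code from the thread. Per the Win32/Ramnit summary
quoted above, the infector targets executables, Office files and HTML, so
those types are skipped; everything else is copied and hashed into a manifest."""
import hashlib, os, shutil, tempfile

# Assumption: conservative list of types Ramnit infects (DLL/SCR are PE like EXE).
INFECTABLE = {".exe", ".dll", ".scr", ".doc", ".xls", ".docx", ".xlsx", ".htm", ".html"}

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()                      # streamed so big photos/videos fit in RAM
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def backup_user_data(src_root, dst_root):
    """Copy non-infectable files src_root -> dst_root. Returns (copied, skipped):
    copied maps relative path -> SHA-256 of the copy; skipped lists files left behind."""
    copied, skipped = {}, []
    os.makedirs(dst_root, exist_ok=True)
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in INFECTABLE:
                skipped.append(rel)           # stays on the infected disk
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)            # keeps timestamps for later triage
            copied[rel] = sha256_of(dst)
    with open(os.path.join(dst_root, "MANIFEST.sha256"), "w") as m:
        m.writelines(f"{d}  {r}\n" for r, d in sorted(copied.items()))
    return copied, skipped

def demo():
    """Build a constructed sample tree (hypothetical paths) in a temp dir and back it up."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "C_drive"), os.path.join(base, "backup")
    sample = {"Photos/holiday.jpg": b"\xff\xd8 constructed", "notes.txt": b"hello",
              "Documents/report.docx": b"office", "Program Files/app.exe": b"MZ",
              "Downloads/page.html": b"<html>"}
    for rel, data in sample.items():
        path = os.path.join(src, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return backup_user_data(src, dst)
```

Calling demo() returns the (copied, skipped) pair for the constructed tree; point backup_user_data() at a real mounted volume and a destination on clean media to use it from a live CD/UFD.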