So, last night I got hit with a real nasty win32:ramnit-b infection that caused Avast! to start spamming alerts like crazy, countering rapid and relentless attempts by this thing to spread. Within about ten minutes, the infection had caused Avast! to obliterate all the .exe’s and .dll’s in a folder that I kept full of graphics drivers. The infection had also been trying to access a 1TB external HD that I use to store all my games (I have Steam installed to this drive).
While the Win32:ramnit-b component itself, along with VBS:ExeDropper-gen, were busy molesting the internal HD, another component, identified as “LNK:Runner”, was doing something on the external HD; this time, creating/infecting files with the extension “.lnk”.
These files were located in randomly-named folders inside a hidden “recycle” folder on the external HD.
(EDIT: To clarify, the Win32:ramnit-b and VBS:ExeDropper-gen components were also infecting htm and html files.)
Like with the other two components, Avast! seemed to be managing to spot and delete every one of these attempts, but the thing generating these attempts was still running wild.
So I ran every scan I could: Avast itself (including boot time scan, which identified a threat but could do nothing about it), Malwarebytes, Dr. Web CureIt, Ad-Aware and SAS.
The Dr. Web CureIt program was successful at killing the process generating the spread of the infection (though, of course, it regenerated when the machine was restarted), so I used this opportunity to back up files (excluding executables and dlls) on the external HD.
Then, having read up on the subject and discovered the possibility that my system may never fully recover from such an infection, I reformatted it and reinstalled windows.
Windows, now, seems fine. I’ve installed ZoneAlarm, Avast! and Ad-Aware (edit: and Malwarebytes), and it looks like an utterly clean installation complete with new car smell.
But, as I said, I backed up data onto the external HD (pictures, word documents etc). I had little choice; there was no other device/burnable disc at hand. Which leaves me with something of a dilemma.
Avast! destroyed a lot of attempts by this “LNK:Runner” component, and there was no sign that the infection was touching any .exe on the external HD.
Interestingly, the Win32:Ramnit-b and VBS:ExeDropper-gen components seemed to be infecting the system in alphabetical order. I say this because the folder I discussed earlier, containing graphics drivers, contained specifically AMD/ATI drivers and was listed as such (C:\AMD and C:\ATI), and no other folder had been touched by the time I halted the spread.
The dilemma:
The external HD, as I said, has Steam installed to it. That means nearly 300 GB of games, replete with .exe’s and .dll’s.
After backing up data to this HD, in the quiet period after Dr. Web CureIt halted the initial growth of this infection, I ran a full scan (using Avast!) of the external HD. Nothing was detected, so I unplugged it, and went ahead with reformatting the machine.
How do I approach the external HD? I could reformat it, but that would require that I plug it in, and it would also mean losing a lot of data.
If I were to extract data from it before reformatting, is there any way that image files (.bmp, .jpg), video files (.wmv, .mpg, etc.) and text documents (.doc, .docx, .txt) could be infected?
Is there any way to access the contents of this HD in a secure “sandbox” environment? Would accessing it in safe mode make any difference?
I’d appreciate any advice anyone could give.
EDIT: Oh, and for the record, the first thing I did today was change all my passwords.
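Added example, not part of the original post or the poster's own tooling: a read-only Python inventory script for triaging a drive like the external HD described above, before deciding what to copy off it. It walks a directory tree, opening files only to read bytes (nothing is executed), and reports the file types the post says the infection touched: .exe/.dll (hashed so they can later be compared against known-good copies), .htm/.html (flagged when they contain VBScript, a heuristic assumed here because of the VBS:ExeDropper-gen detections on those files), and .lnk files inside any folder whose name contains "recycle" (assumption: that is how the hidden recycle folder from the post would be recognised by name). The sample tree it builds, the file names in it, and the function names are all constructed for the example; the script does not judge whether pictures or documents are infected, it only produces the inventory a practitioner would want before handling the drive.

```python
"""Read-only triage inventory for an external drive (constructed example).

Only reads file bytes; never opens a file with its associated application.
"""
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE = {".exe", ".dll"}   # types Avast was deleting on the internal drive
HTML = {".htm", ".html"}        # types hit by VBS:ExeDropper-gen per the post
SHORTCUT = {".lnk"}             # type LNK:Runner was creating on the external drive


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large game binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def html_has_vbscript(path: Path, limit: int = 4 << 20) -> bool:
    """Heuristic (assumption): an HTML page carrying VBScript deserves a closer look."""
    return b"vbscript" in path.read_bytes()[:limit].lower()


def in_recycle_folder(path: Path) -> bool:
    """Assumption: the hidden folder is identified by 'recycle' in a parent name."""
    return any("recycle" in part.lower() for part in path.parent.parts)


def inventory(root) -> dict:
    """Walk root read-only and bucket files; lists are sorted for stable output."""
    root = Path(root)
    report = {"executables": [], "html": [], "html_with_vbscript": [],
              "shortcuts_in_recycle": [], "other": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            ext = p.suffix.lower()
            if ext in EXECUTABLE:
                report["executables"].append((rel, sha256_of(p)))
            elif ext in HTML:
                report["html"].append(rel)
                if html_has_vbscript(p):
                    report["html_with_vbscript"].append(rel)
            elif ext in SHORTCUT and in_recycle_folder(p):
                report["shortcuts_in_recycle"].append(rel)
            else:
                report["other"] += 1
    for key in ("executables", "html", "html_with_vbscript", "shortcuts_in_recycle"):
        report[key].sort()
    return report


def build_sample_tree(base: Path) -> None:
    """Constructed sample layout mirroring the post's description (fake contents)."""
    files = {
        "Steam/game/game.exe": b"MZ constructed fake executable",
        "Steam/game/helper.dll": b"MZ constructed fake library",
        "Steam/game/readme.htm": b"<html><body>clean page</body></html>",
        "Steam/game/manual.html": b'<html><script language="VBScript">x</script></html>',
        "Steam/game/launch.lnk": b"L\x00\x00\x00 ordinary shortcut",
        "recycle/a1b2c3/launch.lnk": b"L\x00\x00\x00 shortcut in hidden folder",
        "backup/photo.jpg": b"\xff\xd8\xff constructed jpeg",
        "backup/notes.docx": b"PK constructed docx",
    }
    for rel, data in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temp dir and inventory it."""
    base = Path(tempfile.mkdtemp())
    build_sample_tree(base)
    return inventory(base)


if __name__ == "__main__":
    # Real use: python triage.py E:\   (drive letter of the external HD is assumed)
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = inventory(target) if target else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

With no argument the script inventories its own constructed sample tree; with a path it inventories that tree instead. Every entry in the report comes from the file's extension, its bytes, or its parent folder names, so the output can be kept as a record of what the drive held before anything on it is copied or removed.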