

W32/Ramnit.A or rootkit activity

3 replies to this topic

#1 haveanicedayman


Posted 04 October 2010 - 03:35 PM



Hey, this is my first post on this forum. I found it when generally searching for the symptoms my computer is suffering from, and found a similar entry here.

Basically I'm running a Dell PC on Windows XP with Avira AntiVir Personal as my protection, and I scan with Malwarebytes Anti-Malware too. My computer was previously infected and I had an expert friend restore it, who turned me on to my current protection measures.

Recently I was online, in a Codemasters F1 2010 forum, not exactly a hotbed of malicious activity, and the antivirus started bleeping that viruses were attacking. I always click "deny access" on these. I was getting the signatures "TR/Crypt.XPACK.Genz" and "RKIT/TDss.acd". This was about 4 days ago. Since the computer has been wrecked before, I started noticing that occasionally a new random tab will just pop open, or very rarely I will be redirected to random websites. Previously this was the biggest problem suffered prior to restoring. However, today my brother ran an AntiVir scan and got 544 detections(!), when the other day I ran it and got 4, all of which were quarantined etc. Now the computer will not open apps like iTunes, saying
"This application has failed to start because QTCF.dll was not found. Re-installing the application may fix this problem."
and Mozilla Firefox, my default browser, won't open either, so I'm currently running Internet Explorer. Just minutes ago AntiVir detected "W32/Ramnit.A" signatures. I googled this signature and am hence extremely worried.

If anyone can give any advice or help it would be enormously appreciated.

#2 boopme


Posted 04 October 2010 - 10:39 PM

Hello. I'm afraid I have very bad news.

Your system is infected with Win32/Ramnit.A!dll, a file infector with IRCBot functionality which infects .exe, .dll and .HTML files and opens a back door that compromises your computer.

Ramnit.A!dll is a component injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Win32/Ramnit.A infected executable file. Ramnit.A also infects .exe and .HTML/.HTM files, downloads more malicious files to your system, and opens a back door that compromises your computer. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A.

In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Ramnit.A remains on a computer, the more files will become infected and corrupt, so the degree of infection can vary.

Ramnit.A is commonly spread via a flash drive (USB, pen, thumb, jump) infection, which is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system... There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say in "Help: I Got Hacked. Now What Do I Do?":

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


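The post above explains that a file infector modifies existing .exe, .dll and .html files in place, and that once such files are touched the usual answer is to rebuild rather than trust a disinfection. One defensive practice that makes the damage visible (and shows why a clean baseline matters before an incident) is a file-integrity manifest: hash the watched file types while the system is known-clean, store the manifest off the machine, and diff the tree against it later. The script below is an added example written for this thread; it is not code from the poster or from any vendor, and every path, file name and file content in it is constructed for the demo (the "infection" is just bytes appended to sample files).

```python
"""File-integrity baseline check (added example, not from the thread).

Builds a SHA-256 manifest of .exe/.dll/.htm/.html files under a root while
the tree is known-clean, then reports files that were modified in place,
newly added, or removed. All paths and contents below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types a file infector of the kind described in the thread targets.
WATCHED = {".exe", ".dll", ".htm", ".html"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every watched file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Diff the current tree against a stored baseline manifest."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: clean tree, baseline, then simulated infector
    activity (append to one .exe and one .html, drop a new .dll)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "player.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "app" / "codec.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "index.html").write_text("<html><body>hello</body></html>")
        (root / "notes.txt").write_text("not a watched type")

        # In practice the manifest is stored off the machine; kept local here
        # only so the demo is self-contained (.json is not a watched type).
        manifest = root / "baseline.json"
        manifest.write_text(json.dumps(build_baseline(root)))

        # Simulate in-place modification and a dropped file.
        with (root / "app" / "player.exe").open("ab") as f:
            f.write(b"<constructed appended bytes>")
        with (root / "index.html").open("a") as f:
            f.write("<!-- constructed appended block -->")
        (root / "app" / "helper.dll").write_bytes(b"MZ" + b"\x02" * 64)

        return compare(root, json.loads(manifest.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the three buckets for the constructed tree. The design point is that the manifest is only trustworthy if it was taken before the compromise and kept where the compromised host cannot rewrite it; a baseline built after the fact simply enshrines the infected hashes, which is the same reason the post recommends rebuilding rather than cleaning.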

#3 haveanicedayman


Posted 05 October 2010 - 06:43 AM

Thanks a lot for the rapid response!

Yeah, not good news. I've got no problem flattening and restarting from scratch; the only problem is, since I can't access my iTunes account I can't get a recent backup, and my music files are the only ones I really need. Is there any way to get it working again, or has this virus corrupted it too much? The speed with which it happened is incredible, so like you said, I have no idea how long it may have been here.

#4 boopme


Posted 05 October 2010 - 10:58 AM

See if going to Control Panel, Programs, QuickTime, Repair fixes the dll, as it is a QuickTime dll.