Possible Rootkit(s)/Trojans etc


7 replies to this topic

#1 uniflare

uniflare

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 05 October 2010 - 06:06 PM

Firstly, I would like to mention how AWESOME these forums are; I have had viruses on other computers I've been asked to fix, and these forums have helped me endlessly. Now I must start my own thread in hopes of a solution.
I have tried all the different forums and variations of Google searches to try and completely remove this virus/trojan.

Computer:
Windows 7 x86
Firefox

The Story.

I believe the original infection came about through a JavaScript vulnerability on a Firefox webpage.

The original Symptoms:
Fake Anti-Virus Alerts
Inability to open various programs due to crashes (No EXE block though.)

I removed the anti-virus program by using a mirage of software:

1. rkill (Worked flawlessly as always :D)
2. ComboFix (I know.. :/) (Got some error during its process; comp restarted when I closed the window. Kept restarting and running on startup but errored every time, so I removed the startup entry it created)
3. In Safe Mode: MBAM (Quick scan found lots of viri and seemed to cure the anti-virus program and its program-crashing symptom)


Symptoms At this Point:
I thought I had completely removed the problem, but every time I clicked on a Google link it redirected to some junk websites.
Also, started experiencing strange lock-ups.

4. GooredFix (Did nothing, found nothing)
5. SuperAntiVirus (Free Edition, Seemed to clean things up. Stopped Google Redirects)


Symptoms At this Point:
Thought i had finally removed it all but i still got random "Pop Ups" (Actually firefox tabs) to Junk Sites.
I also noticed the computer seemed to gradually "lock up" after a random amount of time, 5 min~2 hours. For example, clicking "Show All Processes" in Task Manager repeatedly crashed the task window; whilst the Start menu would open, I could not click anything, etc.

6. Used TDSSkiller (I know.. again..)
7. Used LSP-Fix after viewing HJT logs, and removed an LSP 'loilsp.dll'


Current Symptoms:
(I have not noticed any abnormal slow-downs/lock ups or any random firefox tabs)
Only one symptom -> "User Account Control": Allow access to 'svchost.exe' in a Temp folder of 'C:\Windows\Temp'

Looking in there right now I see some 56 KB .exe files with a strange media player icon, google.exe and a randomly numbered .exe.
Also, I remember looking in other temp folders like 'C:\ProgramData\Microsoft\RAC\Temp' and seeing 'svchost.exe' etc. in there too.
They seem to rename/delete/reappear etc.

Let me know if you need logs or other info. :thumbsup:

Please Help xD
Thank you!


#2 uniflare

uniflare
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 07 October 2010 - 06:35 PM

* BUMP *

#3 uniflare

uniflare
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 09 October 2010 - 09:01 AM

I've never had to do more than one bump before lol,

To people just reading this; is there anything in this topic putting you off? :thumbsup:

Cheers,
-uni

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:43 PM

Posted 09 October 2010 - 09:06 AM

If none of the tools you have used thus far have helped, this issue will require further investigation.

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (rootkit) which has not been detected by your security vendors that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Infections will vary and some will cause more harm to your system than others, as backdoor Trojans have the ability to download more malicious files. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 uniflare

uniflare
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 09 October 2010 - 01:09 PM

Thanks :thumbsup:.

Currently I have found out that it is the Ramnit variation of viruses that has infected over 90% of every HTML file on my disk. They are locked out from every user.

I am currently in the process of trying to find a program that can "disinfect" rather than completely remove, as this will break most applications on this computer, including Firefox. (As I found out from deleting one HTML file.)

I will see how this bitdefender scan goes and then post the logs etc in the appropriate forum. (I got a blue screen whilst running GMER+BitDefender).

Thanks,
Uni

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:43 PM

Posted 09 October 2010 - 01:17 PM

i have found out that it is the Ramnit Variation of viruses.

That is not good.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Edited by quietman7, 09 October 2010 - 01:42 PM.

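Post #6 describes Ramnit as a file infector that writes itself into .htm/.html files (flagged as VBS/Ramnit.A), and post #7 reports tens of thousands of such hits. As an added example that is not a tool from this thread, here is a read-only Python triage scanner that inventories HTML files carrying an inline VBScript block; the heuristic, the file names and the sample pages are constructed assumptions, and it deliberately never modifies anything, in line with the reformat advice above.

```python
# Triage scanner for a Ramnit-style HTML infection: list .htm/.html files that
# carry an inline VBScript block (the pattern behind the VBS/Ramnit.A name).
# Added example, not a BleepingComputer tool; heuristic and samples constructed.
import os
import re
import tempfile

# Assumption: ordinary web content rarely embeds VBScript, so an inline
# <script language=vbscript> block is a cheap "look closer" signal.
VBSCRIPT_BLOCK = re.compile(
    rb"<script[^>]*language\s*=\s*['\"]?vbscript['\"]?[^>]*>", re.IGNORECASE)


def is_suspicious_html(data: bytes) -> bool:
    """True if the document contains an inline VBScript block."""
    return VBSCRIPT_BLOCK.search(data) is not None


def scan_tree(root: str) -> dict:
    """Walk root read-only and summarise its HTML files. Nothing is modified
    or deleted: in-place disinfection is exactly what the thread warns against."""
    total, unreadable, hits = 0, 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            total += 1
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:  # e.g. files locked from every user
                unreadable += 1
                continue
            if is_suspicious_html(data):
                hits.append(path)
    return {"html_files": total, "unreadable": unreadable,
            "suspicious": sorted(hits)}


def build_sample_tree() -> str:
    """Constructed sample tree: one clean page and one page with an inert
    appended VBScript block (a MsgBox and nothing else). Returns the root."""
    root = tempfile.mkdtemp(prefix="html_triage_")
    clean = b"<html><body><p>Clean page</p></body></html>\n"
    flagged = clean + (b"<SCRIPT Language=VBScript><!--\n"
                       b"MsgBox \"constructed sample\"\n--></SCRIPT>\n")
    os.mkdir(os.path.join(root, "help"))
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(clean)
    with open(os.path.join(root, "help", "about.htm"), "wb") as fh:
        fh.write(flagged)
    return root
```

Run `scan_tree(build_sample_tree())` to see the summary on the constructed tree, or point `scan_tree` at a real drive to get a count of how widespread the infection is before deciding on backup and reformat.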

#7 uniflare

uniflare
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 10 October 2010 - 01:01 PM

Ye uhh,

Bitdefender 60% scan reached over 25000 infections (mostly html files).

I formatted.
Now I have: Avira/SuperAntiSpyware Free/Malwarebytes Anti-Malware/Hitman Pro 3.5

Installed COMODO Anti Virus+Firewall Free, but I couldn't update it, even after changing its service owner to myself rather than SYSTEM (as per suggestion). Uninstalled.

Your post has probably saved me a few days; I might have gotten rid of it, but it would have taken me a lot longer than to backup/format/reinstall Windows.

Thanks,
Uni

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,470 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:43 PM

Posted 10 October 2010 - 03:56 PM

That is the decision I would have made if this were my computer.

:thumbsup: Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read How Malware Spreads - How did I get infected.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read: Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
How to Maximize the Malware Protection of Your Removable Drives

Change all passwords: Anytime you encounter a malware infection on your computer, especially if that computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords as a precaution in case an attacker was able to steal your information when the computer was infected. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Security Resources from Microsoft:
Other Security Resources:
Browser Security Resources:
Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:



