Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System infected by W32/Infector.Gen2...


  • Please log in to reply
5 replies to this topic

#1 Walrus75

Walrus75

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 26 October 2010 - 12:43 PM

Over the past 10 days or so I've been battling with something that was causing IE8 to throw up odd windows (even though I've disabled pop-ups) and also causing IE8 to hang when you click on the desktop icon to open it - if I open Task Manager and stop the iexplore.exe processes (2 of them) and then subsequently open IE8 it does work. I was using MalwareBytes Anti Malware and HiJack this and thought I was getting on top of it.

But then yesterday I got a big hit - Avira starting picking up on a couple of nasties that go by the names of W32/Infector.Gen2 and HTML/Rce.Gen which resulted in hundreds of HTM and dll files being thrown into the Avira quarantine bin. I tried running MalwareBytes at the time and although it picked up on a couple of other Trojans both Avira and MBAM seemed to be overwhelmed. So I switched off my computer and started browsing the web with my missuses laptop... which brought me to here :thumbsup:

So I'm looking for some advice and guidence please. I was going to run Combofix but thought I'd best take advice first.

My system is:
Win XP Home edition, fully upto date as of yesterday.
Anti virus: - Avira Personal free edition; again upto date with the latest definitions.
Malwarebytes Anti-Malware - again upto date.
And I also have Super Anti Spyware on the system too.

Just one word... Help! Please! (Oh OK, 2 words then!)

Cheers.

EDIT: I'm not sure but I think I may have posted this in the wrong area of the forum, my aplogies if I have (I'm running late for work so I will sort it tomorrow if it needs to be moved/posted elsewhere :flowers: )

Edited by Walrus75, 26 October 2010 - 12:49 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:43 AM

Posted 26 October 2010 - 01:40 PM

I'm afraid I have very bad news.

W32/Infector.Gen2 is the name used by Avira for variants of Win32/Ramnit.A / Win32/Ramnit.B, file infectors with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Walrus75

Walrus75
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 27 October 2010 - 08:44 AM

Thanks very much for the fast response, I was worried that someone was going to say exactly what you suggest but I suppose it makes perfect sense to go down that route.

I have a couple of questions about the rest of my system though if you dont mind me asking?
I have 2 HDDs in my system; the main one is partitioned into C: and D: drives - the OS is obviously on C: drive. I run apps from the D: drive and also have games downloads/patches, downlowded software, etc, etc stored on it - should I reformat the D: drive too? Obviously any apps will not run following a re-install of the system so they will themselves need reinstalling but I really dont want to loose all the game and software patches if possible.

The second HDD (E: drive) is used to keep family documents (various Word docs, pdf's, etc), photos and other trivial stuff on but no executable files - do you think this drive is 'safe' or should that be reformatted too?
Again I fear I know some of the answers already but am just seeking confirmation.
Thanks again.

Edited by Walrus75, 27 October 2010 - 08:46 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:43 AM

Posted 27 October 2010 - 09:17 AM

From what you describe, I would reformat both the C: and D: drives. Apps and games use .exe files so they are not safe from this type of infection.

Your E: drive with family documents should be safe but its best to scan that drive separately to make sure nothing is in there that my be infected. It's always possible to accidentially place an .exe/.html file in such a location without realizing you did so. Some types of malware will even install a piece of itself on all hard drives so its always best to double-check. If you encounter infected files, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If you're not sure how to reformat or need help with reformatting, please review:These links include specific step-by-step instructions with screenshots:Vista users can refer to these instructions:Windows 7 users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway or Dell machine, you may not have an original CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Also be sure to read Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recover disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.

If you have made a disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) before your system was infected, then using it is another option. Disk Imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistent to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Walrus75

Walrus75
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 27 October 2010 - 09:41 AM

Thank you very much Quietman, very much as I suspected, ah well it's been a couple of years since my last system re-install so I need the practise :flowers:
In fact I think I might as well splash out a bit of dosh and go with Win7.

Again thanks for the help and advice, much appreciated. :thumbsup:

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:43 AM

Posted 27 October 2010 - 10:10 AM

You're welcome.

:thumbsup: Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. For more specific information on how these types of rogue programs install themselves and spread infections, read How Malware Spreads - How did I get infected.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
How to Maximize the Malware Protection of Your Removable Drives

Change all passwords: Anytime you encounter a malware infection on your computer, especially if that computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords as a precaution in case an attacker was able to steal your information when the computer was infected. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Security Resources from Microsoft:Other Security Resources:Browser Security Resources:Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users