Infected with Recycler USB virus?
4 replies to this topic

#1 Mrconeman

Posted 18 April 2011 - 05:53 PM

Hi, guys. I'm infected again, and you guys have helped me out before.
Man this thing is persistent.

Symptoms:
Every time I log into Windows my Symantec Auto-Protect results start going crazy with virus results (w32.ramnitb.inf continually comes up, even when I close the dialog box it continually happens, among others). I googled the name and came to the conclusion that it's the Recycler virus, so I popped in my only USB stick that I have, and yes, it has a folder named RECYCLER that, no matter what I do, will not stay deleted. So I'm guessing this is the root of the problem. I've also had to use proxy sites to get on to several websites while infected. This virus would not let me see bleepingcomputer.com, microsoft.com and several other sites that could help. I'm using hidemyass.com to be here now. edit: I forgot to mention that I also get other dialog boxes with errors such as "Windows Explorer has encountered an error" or something to that effect. If I click the OK button, Windows Explorer completely freezes, forcing a power-off restart. It also will not let me run certain programs, MSN Messenger specifically.

What I have done so far:
I followed another person's instructions on here quite loosely (this thread http://www.bleepingcomputer.com/forums/topic226173.html). So I've done the usual: updated and run rkill, MBAM, SUPERAntiSpyware. They all found and "killed" their results. This was all done in Safe Mode; however, when I log back into regular boot mode, the problem persists. So I've logged back into Safe Mode to retrieve and post my logs. Here are my logs for MBAM, SUPERAntiSpyware and rkill. Please note I have done this same cycle several times, so whether the problem was worse to begin with and these have helped slightly I do not know. What I mean is, the first runs of MBAM and SAS I think found more things, but these are the logs from running MBAM, rkill and SAS today.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 18/04/2011 at 20:12:36.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\runonce.exe
C:\WINDOWS\system32\grpconv.exe


Rkill completed on 18/04/2011 at 20:12:48.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/18/2011 at 06:59 PM

Application Version : 4.50.1002

Core Rules Database Version : 6337
Trace Rules Database Version: 4149

Scan type : Complete Scan
Total Scan Time : 03:33:12

Memory items scanned : 281
Memory threats detected : 0
Registry items scanned : 8869
Registry threats detected : 0
File items scanned : 115097
File threats detected : 10

Adware.Tracking Cookie
ia.media-imdb.com [ C:\Documents and Settings\Ciaran\Application Data\Macromedia\Flash Player\#SharedObjects\7X8NZTQW ]
media.mtvnservices.com [ C:\Documents and Settings\Ciaran\Application Data\Macromedia\Flash Player\#SharedObjects\7X8NZTQW ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Ciaran\Application Data\Macromedia\Flash Player\#SharedObjects\7X8NZTQW ]

Trojan.Agent/Gen-FakeAlert[Local]
C:\DOCUMENTS AND SETTINGS\CIARAN\DESKTOP\PSP STUFF\POPSTATION\DATA\POPSTATION.EXE

Trojan.Agent/Gen-IEFake
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX43\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX43\PROCS\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX44\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX44\PROCS\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX45\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX45\PROCS\IEXPLORE.EXE


Please help guys, I'm going insane!

EDIT: I forgot to ask this question as well. Is there any way to clean my USB stick of this virus without running the risk of being infected again? I'd like to be able to use the stick again, but I tried everything including formatting it, and it would not get rid of the virus. I also don't think it would be worth putting it back into my PC to delete it if I ran the risk of having this virus infect me again. Any safe way of doing it, or should I just burn the thing? Cheers.

Edited by Mrconeman, 18 April 2011 - 05:59 PM.
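As an added example (not code from this thread), a small Python parser for the SUPERAntiSpyware log format posted above: it reads the summary counters, groups each detection under its threat-category heading, and pulls out detected executables sitting under a temp directory, which is what a helper reading this log would look at first. The sample log is a constructed, abridged copy of the one in the post.

```python
import re

# Constructed, abridged sample in the SUPERAntiSpyware log format posted in the
# thread (paths copied from the post; the count is adjusted to the abridged list).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Scan type : Complete Scan
File threats detected : 4

Adware.Tracking Cookie
ia.media-imdb.com [ C:\Documents and Settings\Ciaran\Application Data\Macromedia\Flash Player\#SharedObjects\7X8NZTQW ]

Trojan.Agent/Gen-FakeAlert[Local]
C:\DOCUMENTS AND SETTINGS\CIARAN\DESKTOP\PSP STUFF\POPSTATION\DATA\POPSTATION.EXE

Trojan.Agent/Gen-IEFake
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX43\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\CIARAN\LOCAL SETTINGS\TEMP\RARSFX43\PROCS\IEXPLORE.EXE
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)$")     # "File threats detected : 10"
PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # a plain file path
COOKIE_RE = re.compile(r"^(\S+) \[ ([A-Za-z]:\\.*) \]$")   # "<host> [ <cookie store path> ]"

def parse_sas_log(text):
    """Return (counts, detections): summary counters and {category: [path, ...]}."""
    counts, detections, category, in_list = {}, {}, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m and not in_list:
            counts[m.group(1).strip()] = int(m.group(2))
            in_list = m.group(1).strip() == "File threats detected"  # the list follows this line
            continue
        if not in_list:
            continue  # still inside the header block
        m = COOKIE_RE.match(line)
        if m:
            detections.setdefault(category, []).append(m.group(2))
        elif PATH_RE.match(line):
            detections.setdefault(category, []).append(line)
        else:
            category = line  # anything else is a threat-category heading
            detections.setdefault(category, [])
    return counts, detections

def executables_in_temp(detections):
    """Detected .EXE files under a temp directory, e.g. unpacked by a self-extracting archive."""
    return [(cat, p) for cat, paths in detections.items() for p in paths
            if "\\TEMP\\" in p.upper() and p.upper().endswith(".EXE")]
```

Comparing the number of listed items against the reported "File threats detected" counter is a quick check that a pasted log was not truncated.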

#2 Mrconeman

Posted 19 April 2011 - 01:00 PM

Please help guys :(

Other symptoms now include Google redirecting me to random other search sites.

#3 boopme

Posted 19 April 2011 - 09:44 PM

OK, do you have the MBAM log?
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

I am concerned we have real trouble.
EDIT
w32.ramnitb.inf

I'm afraid I have very bad news.

Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (USB, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Edited by boopme, 19 April 2011 - 10:01 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Rais

Posted 19 October 2011 - 04:04 PM

I have used Dr. Web CureIt in Windows Safe Mode & it worked wonders for me. No problem since.

#5 boopme

Posted 19 October 2011 - 07:29 PM

Except if you had Ramnit.