2nd computer with multiple infections


19 replies to this topic

#1 RevGAM

Posted 12 November 2011 - 10:08 PM

This is a SEPARATE topic for a DIFFERENT computer from my thread http://www.bleepingcomputer.com/forums/topic425721.html/page__gopid__2470896#entry2470896 - I don't know if treatment of this computer is completed yet.

This computer is my bro-in-law's that I was fixing so that he can use it for his business...Then the viruses piggybacked on a flashdisk and hell moved in. :(

I have a Windows XP SP2 PC (ASUS MB, 512 MB DDR RAM, C: 10GB, D: 60GB, Pentium 4) on which I cannot get my USB flashdrive router to work. Since I don't know if my other computer is clean nor how to transfer programs like DDS and GMER to it safely, I haven't got anything definitive I can post.

I've already cleaned up and defragged the system. Antivirus programs like MBAM and AVG 8.5 Pro have caught several infections, but the system remains infected. Several programs became infected to the point that the AVs removed key programs, which has made it impossible for me to use the Add/Remove Programs CP to remove them, so I've had to remove them manually by removing the reference to them with CCleaner and then deleting the folders I could find.

One infection, especially when I try to access anything through the toolbar or system tray, attempts to run the installer to add MS Office's Project. When I use task manager and select "go to process", it doesn't take me back to the installer or Project, it takes me to the program I ran from the toolbar, including task manager! At one point, a program claimed that explorer is infected, but that's not been repeated. I have attempted to disable programs from startup using CCleaner, but those programs get re-enabled on reboot.

Lest I forget, my XP disk is trashed. :(

What should I do?
Glenn

Namaste, Peace & Love,
Glenn


If I have frustrated you, then I must be a student. If I've imparted information or a skill to you, then I must be a teacher. If I've helped you, then I must be a volunteer. If I've touched your life, then I must be happy!
If you had to choose between saving just your family, or saving 10,000 GOOD people (but not your family), what would you choose?




#2 Broni

Posted 12 November 2011 - 11:28 PM


zbot.g, prast!rts, trojan horses, ramnit, and more


I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.








My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 RevGAM

Posted 13 November 2011 - 12:12 AM

I was afraid you'd say that. Afraid because both that computer and my laptop have ramnit. :(

If I burn a backup ISO of WXP onto a disc, is it likely that it will become infected?

Glenn



#4 Broni

Posted 13 November 2011 - 12:55 AM

I'm not sure what backup ISO you are referring to...
A backup of an existing setup?
If so that won't be a good idea.

You can back up your data, but it can be scanned well BEFORE putting it back on a fresh Windows installation.


 


#5 RevGAM

Posted 13 November 2011 - 01:55 AM

I made an ISO image file (basically, a file that is a copy of the disc) which can be run through a virtual CD program (like Daemon Tools or Magic CD) or it can be burned to a disc to be used. The extension is .iso (and there are other formats) and, unless it is run in a virtual CD program, infectable files in it are probably inaccessible.

Does anyone know if it's safe to burn that to disc?

Glenn



#6 Broni

Posted 13 November 2011 - 11:38 AM

As I said:

You can back up your data, but it can be scanned well BEFORE putting it back on a fresh Windows installation.



 


#7 RevGAM

Posted 13 November 2011 - 08:25 PM

Since you know a lot about this virus, I have two more questions, if you don't mind.

Am I correct that if I store infected files on an external HDD, then reformat and reinstall Windows, the infection won't be able to jump unless I access the HDD before turning off autoplay and running an antivirus to catch the infected files?

Is it possible to catch ramnit in memory and stop it?

Glenn



#8 Broni

Posted 13 November 2011 - 08:36 PM

the infection won't be able to jump unless I access the HDD before turning off autoplay and running an antivirus to catch the infected files?

That's correct.

Your best option is to install this on your computer before connecting that external drive....

Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows versions.
Please use Panda USB Vaccine or BitDefender's USB Immunizer.

Is it possible to catch ramnit in memory and stop it?

Most AV programs will recognize files infected with Ramnit, so as long as you scan them and they appear to be clean you'll be fine.


 

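The autorun.inf folder trick that Flash Disinfector relies on, as an added example (my own code, not the tool's; the function names and the constructed sample drive are mine): it audits a drive root for an autorun.inf that would launch something and for executables stashed under a recycle-bin folder, and only then creates the protective autorun.inf folder.

```python
# Added example, not Flash Disinfector's own code; function names and sample layout are my own.
import tempfile
from pathlib import Path
# [autorun] keys that launch a program on insertion, and recycle-bin folder names used as hiding places.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
BIN_NAMES = ("RECYCLER", "$RECYCLE.BIN", "Recycled")

def parse_autorun(text):
    """Return (key, value) pairs from [autorun] that would launch something."""
    launch, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()   # section names are case-insensitive
        elif section == "autorun" and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in LAUNCH_KEYS:
                launch.append((key.strip().lower(), value.strip()))
    return launch

def audit_root(root):
    """Classify a drive root as 'immunized', 'suspect' or 'clean' and list findings."""
    root, inf, findings = Path(root), Path(root) / "autorun.inf", []
    if inf.is_dir():
        status = "immunized"               # a folder cannot be read as an autorun file
    elif inf.is_file():
        status = "suspect"
        for key, value in parse_autorun(inf.read_text(errors="replace")):
            findings.append(f"autorun.inf {key} -> {value}")
    else:
        status = "clean"
    for name in BIN_NAMES:                 # no .exe belongs in a recycle bin on a flash drive
        for exe in (root / name).rglob("*.exe") if (root / name).is_dir() else ():
            findings.append(f"executable in {name}: {exe.relative_to(root)}")
    return status, findings

def immunize_root(root):
    """Create the protective autorun.inf folder; returns True if newly created."""
    inf = Path(root) / "autorun.inf"
    if inf.is_file():
        raise RuntimeError("autorun.inf is a file: scan and remove it before immunizing")
    created = not inf.is_dir()
    inf.mkdir(exist_ok=True)               # malware can no longer drop a FILE of that name
    return created

def demo():
    """Constructed sample drive: infected-looking root, cleaned by hand, then immunized."""
    with tempfile.TemporaryDirectory() as tmp:
        root, bin_dir = Path(tmp), Path(tmp) / "RECYCLER" / "S-1-5-21-0"
        bin_dir.mkdir(parents=True)
        (bin_dir / "x.exe").write_bytes(b"MZ")  # placeholder bytes, not a real program
        (root / "autorun.inf").write_text("[AutoRun]\nOPEN=RECYCLER\\S-1-5-21-0\\x.exe\nicon=a.ico\n")
        before = audit_root(root)
        for dropped in (root / "autorun.inf", bin_dir / "x.exe"):
            dropped.unlink()                   # stands in for the AV removing the dropper's files
        return before, immunize_root(root), audit_root(root)
```

The folder only stops a dropper from writing a file of the same name; code already running with rights to delete it, or an infected file copied over by hand, is not covered, so the scan before reuse still applies.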

#9 RevGAM

Posted 13 November 2011 - 08:42 PM

Thanks! I have Panda's program and was wondering how it differs from FD?

A local program I used to use (SMADAV) also put a special autorun folder on my flashdisk, but that didn't stop Ramnit. In fact, when I got the flashdisk back (infected), there was no autorun.inf, no strange .dll files (like some viruses and worms use) and nothing obvious in the root directory (hidden or otherwise) using dir /ashr and its variants, and the virus appeared to have hidden itself in the recycler. Any thoughts on how to deal with that, or does FD also handle that?

I've already used Panda's program to protect my flashdisk, but it isn't designed for NTFS and cannot protect my external USB HDD. Any suggestions?

Glenn



#10 Broni

Posted 13 November 2011 - 08:44 PM

I'm not familiar with SMADAV (?).
FD will simply prevent any file from an external USB device from self-executing on your computer.


 


#11 RevGAM

Posted 13 November 2011 - 08:54 PM

SMADAV is a locally made (Indonesian) program that I stopped using because it's resource intensive and usually only catches local malware. One of its functions is to "immunize" the autorun issue on flashdisks.

How does FD achieve that goal? Does it only create the autorun folder, or does it also address the problem of malware that cleverly hides itself in the recycler or other areas?

Glenn



#12 Broni

Posted 13 November 2011 - 08:57 PM

More info here: http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/


 


#13 RevGAM

Posted 13 November 2011 - 09:02 PM

Thanks so much for all your help!

Glenn



#14 Broni

Posted 13 November 2011 - 09:05 PM

You're very welcome


 


#15 RevGAM

Posted 13 November 2011 - 10:20 PM

Any comments on Lok-IT? http://www.lok-it.net





