

Ramnit A & D detected! But am I really clean?


7 replies to this topic

#1 phickspc (Members, 25 posts)

Posted 05 August 2012 - 08:01 AM

Hi,
yesterday at 13:00 GMT I was on a streaming site and it loaded a pop-up, triggering Microsoft Security Essentials to clean something.

Later on that day, Windows Firewall alerted me that svchost was being blocked, and asked me if I wanted to keep blocking. (A few days ago, I had been asked the same question out of context and I said 'unblock' as I thought it was a genuine system file).

I was now no longer able to load Google through my Firefox browser (which I was using up to now). I could search through Yahoo though.
I decided to use Internet Explorer to use Google for convenience, and it worked fine.

I looked in System Restore and found 4 points remaining, and that anything before 1 August was missing (may be related, maybe not).

That's when I noticed two svchost files in Processes. I tried to kill both, but they both reloaded.

I was unable to launch Malwarebytes successfully (it showed and then mysteriously disappeared every time in Processes, without loading the GUI).
*In between cleans, Malwarebytes finally loaded, but I needed to update, so meanwhile I did other scans. But then on the next restart after another scan, it stopped loading.*
(After all scans and cleans were done, Malwarebytes runs as normal every time.)

There was also a strange file in my user AppData: "bndoajxk.exe", created on 4 August in its own folder. I scanned it and no problems, but I deleted it anyway.

I ran a Security Essentials scan and it found Ramnit Gen!A & D in couples (one in Win32, another in NT, I think). I had to restart to finish the clean.
Security kept finding more, so this had to be repeated 3 times.

Other scans I completed thereafter:
  • TDSSKiller cleaned about 4 items; I think it was this scan which found the iframe virus in my browser.
  • MBRCheck reported errors on the external drive, but no errors after I disconnected that drive.
  • Malwarebytes cleaned a few items.
  • MSERT found nothing.
  • ComboFix did quite a few things, but I was unable to decode what it was doing.
  • RogueKiller found some problems; additional ones looked like context menu edits which I had done earlier this year. Unsure.
  • HitmanPro x64, ESET, MSERT found nothing.

MGTools did things I couldn't decode. It then tried to launch HijackThis, and tried to report errors about HijackThis, but the URL it launched in the browser didn't exist. It then ran HijackThis and saved it somewhere on my PC.

I deleted some empty folders that had been created in my username's Temp folder, dated 4 August 13:00.

I searched for ramnit in regedit and found some items which seemed like virus scanner entries so I left them alone.

After all of this was complete, I ran Security Essentials, Malwarebytes and TDSSKiller multiple times after multiple restarts, and they didn't find anything. Firefox is also running as normal again.


PLEASE NOTE: All scans took place when windows was loaded normally.

Since then I have seen some strange problems. I found a recently created folder on my system drive called "Qoobox", in which a folder named "BackEnv" is inaccessible (judging by its contents, I think it's related to one of the virus scanners).
I also discovered that something was unhiding my hidden files and folders, despite my efforts to hide them. But now it seems to stay as I left it.

After reading many posts on here and other forums, I've found cause to believe I can never be fully clean from Ramnit. I'm unsure. I have posted the logs on this thread: http://forums.majorgeeks.com/showthread.php?p=1759043#post1759043

Please check logs and advise!

- Thanks.

14:00 update:
Security Essentials just found another severe exploit: Java/Blacole.FK
SUPERAntiSpyware just keeps finding adware threats every scan (3-4 each time).
ESET has found 2 threats:
A variant of Win32/Kryptic.AJKL trojan: C:\Qoobox\Quarantine\C\Users\HTS\AppData\Local\shlcpgot\bndoajxk.exe.vir
C:\Users\HTS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\2b7bce33-7a709d7e multiple threats

Edited by heevyhivy, 05 August 2012 - 08:27 AM.



#2 boopme (Global Moderator, 73,331 posts, NJ USA)

Posted 05 August 2012 - 12:41 PM

Hello heevyhivy
I also agree that the only sure way to remove it effectively is to reformat and reinstall the OS.



Your system is infected with a nasty variant of Virut, a dangerous polymorphic file infector with IRCBot functionality which infects .exe, .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of damage can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut, it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functioning viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (USB, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since Virut is not effectively disinfectable, your best option is to perform a full reformat, as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed, as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.


This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
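The post above notes that some Virut variants rewrite the HOSTS file to block security web sites, which is one of the few parts of that description a user can verify directly. The script below is an added example for this thread, not code from the post or from any vendor: it parses HOSTS-file text and reports every mapping that overrides a watch-listed security domain, plus any other entry a stock Windows HOSTS file would not contain. The watch-list, the HOSTS path and the sample file contents are constructed here for the demonstration.

```python
"""Check a Windows HOSTS file for entries that hijack security-vendor sites.

Added example for this thread, not code from the post or from any vendor. The
post above says some Virut variants edit the HOSTS file to block security web
sites; this script parses HOSTS text and reports any mapping that overrides a
watch-listed security domain, plus any other non-default entry. The watch-list
and the sample HOSTS contents below are constructed for the demonstration.
"""
import ipaddress
import os

# Standard HOSTS location on Windows (the path itself is the only assumption here).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains an infector typically blocks: constructed list, extend for your vendors.
WATCH_DOMAINS = {
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "bleepingcomputer.com", "eset.com", "kaspersky.com", "symantec.com",
    "mcafee.com", "avg.com", "sophos.com", "trendmicro.com",
}

# The only mappings a stock Windows HOSTS file is expected to contain.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: a stock-style header, then entries an infector might have added.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this demo)
# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.malwarebytes.org malwarebytes.org
127.0.0.1 update.microsoft.com windowsupdate.microsoft.com   # blocks patches
10.0.0.1 www.bleepingcomputer.com
192.168.1.5 printer.lan
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text.

    '#' starts a comment; one line may map a single IP to several names.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            # Not a valid address: surface it instead of silently skipping it.
            yield parts[0], " ".join(parts[1:]) or "<no name>", line_no
            continue
        for name in parts[1:]:
            yield ip, name.lower(), line_no


def is_watched(name):
    """True if `name` is a watch-listed domain or a host under one."""
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)


def suspicious_entries(text):
    """Return every mapping that is not a stock localhost entry, tagged with a reason."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in BENIGN:
            continue
        reason = "watch-listed host overridden" if is_watched(name) else "non-default entry"
        findings.append({"line": line_no, "ip": ip, "host": name, "reason": reason})
    return findings


def check_hosts_file(path=HOSTS_PATH):
    """Run the check on a real HOSTS file; fall back to the sample when it is absent."""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return suspicious_entries(fh.read())
    return suspicious_entries(SAMPLE_HOSTS)


if __name__ == "__main__":
    for hit in check_hosts_file():
        print(f"line {hit['line']}: {hit['ip']} -> {hit['host']} ({hit['reason']})")
```

Run it from a clean boot medium or on the rebuilt machine rather than inside the infected Windows, since an active infector can rewrite the file after you look, and a rootkit can lie about its contents. A clean result here only rules out this one symptom; it says nothing about the infected executables the post is actually worried about.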

#3 phickspc (Topic Starter, Members, 25 posts)

Posted 05 August 2012 - 01:32 PM

I have important data on my system drive and don't have a backup.

I have 3 logical drives, one of which is external. They were connected during the infection. (I wasn't aware of the infection, of course!)
They are now disconnected. I don't have backups; they contain .exe installation files. After reformatting and reconnecting those drives, will they ruin my new clean PC?
Will I never be free of this stupid nightmare that already affected me 4 months ago this year?
It's just not fair. :'(

#4 boopme (Global Moderator, 73,331 posts, NJ USA)

Posted 05 August 2012 - 02:06 PM

Scan those other drives with 2 tools and see what they show.


Caution: If you are considering backing up data and reformatting, keep in mind that with a Virut infection there is always a chance of backed-up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it, but there is no guarantee, so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files and photos to a CD or DVD, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension, as shown in Figure 1, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative: external drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems subforum.

Edited by boopme, 05 August 2012 - 02:08 PM.

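The post above (and the shorter restatement later in the thread) boils down to a procedure: before carrying anything off a drive that was attached during the infection, separate the file types a file infector writes itself into (.exe, .scr, .ini, the script extensions and archives) from the documents, music and pictures that can travel, watch for a second extension hiding an executable, and check archives for executables inside them. The script below is an added example for this thread, not code from the post or from any tool it names; it applies exactly that rule to a directory tree. The extension list is the post's own; the sample drive layout is constructed here, and the "decoy" extension list used for the double-extension check is an assumption of the example.

```python
"""Triage a data drive before its contents go onto a rebuilt machine.

Added example for this thread, not code from the post or from any tool it
mentions. It applies the rule in the post above: executables, screensavers,
autorun/script files and archives are what a file infector such as Virut writes
itself into, so those are held back for scanning rather than copied; other files
are listed as candidates to carry over (after an anti-virus scan). It also flags
double extensions such as "holiday.jpg.exe", which the post warns about, and
looks inside .zip files for executables, which the post says some infectors can
reach. The extension list is the post's own; the sample directory tree is
constructed here for the demonstration.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the post says not to back up (compared case-insensitively).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml",
    ".zip", ".rar", ".cab",
}
# Harmless-looking extensions that get a real executable extension appended (assumed list).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt", ".mp3"}


def classify(path):
    """Return 'safe', 'risky' or 'double-ext' for one file name or path."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    if not suffixes or suffixes[-1] not in RISKY_EXTENSIONS:
        return "safe"
    # "holiday.jpg.exe": a decoy extension hiding an executable one.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
        return "double-ext"
    return "risky"


def risky_members_in_zip(path):
    """Names of archive members with a risky extension, read without extracting."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist() if Path(n).suffix.lower() in RISKY_EXTENSIONS]
    except zipfile.BadZipFile:
        # A .zip that will not parse is itself suspect; report it as such.
        return ["<unreadable archive>"]


def triage(root):
    """Walk `root` and bucket every file; paths are reported relative to `root`."""
    root = Path(root)
    report = {"safe": [], "risky": [], "double-ext": [], "archive-with-exe": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() == ".zip":
                members = risky_members_in_zip(path)
                if members:
                    report["archive-with-exe"].append(f"{rel} -> {', '.join(members)}")
                    continue
            report[classify(path)].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree(root):
    """Create a constructed drive layout (not data from the thread) under `root`."""
    files = {
        "Music/track01.mp3": b"ID3",
        "Pictures/holiday.jpg": b"\xff\xd8\xff",
        "Pictures/holiday.jpg.exe": b"MZ",      # decoy extension over an executable
        "Installers/setup.exe": b"MZ",
        "Projects/readme.txt": b"notes",
        "Projects/index.html": b"<html></html>",
        "autorun.ini": b"[autorun]",
    }
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    with zipfile.ZipFile(Path(root) / "Installers" / "tools.zip", "w") as zf:
        zf.writestr("tool/tool.exe", "MZ")         # executable inside an archive
        zf.writestr("tool/license.txt", "ok")
    with zipfile.ZipFile(Path(root) / "Projects" / "sources.zip", "w") as zf:
        zf.writestr("src/main.c", "int main(void) { return 0; }")


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}:")
        for entry in paths:
            print("    " + entry)
```

Point it at the root of a data drive (`triage("E:/")`) from a clean boot medium, not from the infected Windows, and only the "safe" bucket is a candidate for copying, still after an anti-virus scan. The classification is by name only: it cannot tell a renamed executable or a document with malicious content from a clean one, which is why the post insists on scanning whatever you keep and re-treating it as untrusted if the rebuilt machine shows symptoms again.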

#5 phickspc (Topic Starter, Members, 25 posts)

Posted 05 August 2012 - 02:20 PM

No, I'm confused.
I understand what you are saying about backing up files on a system drive.
I'm asking you about my external drive and 2 internal ones.

1. Why do I need to reformat them? I thought the infection affects data, not the partition itself.

2. Why are external drives more susceptible? They're not USB thumb drives; they're connected with their own power supply. What makes them more vulnerable than internal ones?

Is it okay to scan my other drives from within my affected OS?

Edited by heevyhivy, 05 August 2012 - 02:23 PM.


#6 boopme (Global Moderator, 73,331 posts, NJ USA)

Posted 05 August 2012 - 02:29 PM

Sorry to be unclear..

Scan the backup drives and see if they are clean...

I just posted info on reformatting the original infected drive.

#7 phickspc (Topic Starter, Members, 25 posts)

Posted 05 August 2012 - 02:35 PM

> Sorry to be unclear..
>
> Scan the backup drives and see if they are clean...
>
> I just posted info on reformatting the original infected drive.


Those are not backup drives; they contain original content: most of my music, images, songs, project files, data and .exe installations and zips.

Are you saying that my external and two internal data drives that were connected to my pc during the infection should be fine after 2 successful virus scans as in no reformat for the non-os drives?

Edited by heevyhivy, 05 August 2012 - 02:38 PM.


#8 boopme (Global Moderator, 73,331 posts, NJ USA)

Posted 05 August 2012 - 06:34 PM

They should be, as they are not backups (the files were put there directly) and most of the content is not interesting to malware... music and pictures.
Again, these are the riskiest:
.exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.



