Infected with Ramnit.A.42 & can not log on


21 replies to this topic

#1 RNice

Posted 11 September 2012 - 11:14 AM

Hi there.. :hello:

Just fyi, English is not my primary language, so please be patient with any grammatical errors.

My Computer OS is Windows XP Professional, SP3. Pre-installed when I bought it (2007) and I don't have the CD/DVD installer.

Now on to my problems..

1. My Spyware Terminator informed me that I have a Trojan Ramnit.A.42 in svchost.exe.

2. Then I found a file name WATERMARK.EXE in my Program Files\Microsoft folder, when I tried googling it they told me it was a virus.

3. I followed these steps to remove it (but I think I did something wrong along the way :unsure: ) :

Open “Task Manager” using “Ctrl+Alt+Del”, click the “Processes” tab.
Find “svchost.exe” with user YourComputerName (not LOCAL SERVICE, SYSTEM, or NETWORK SERVICE).
Delete or “End Process” all of them. Leave the Task Manager window open.
Enter command prompt, Start -> Run, type “cmd”, enter.
Type "C:\"
Type “cd program files/microsoft”, press enter.
Type “del watermark.exe /a /s”, press enter.
Type “md watermark.exe”, press enter.
Type “cd watermark.exe”, press enter.
Type “md con\\”, press enter.
Restart computer.
Open Registry, Start -> Run, type “regedit”, press enter.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and find “Userinit”, double click and look at the value.
Change “c:\windows\system32\userinit.exe, c:\program files\microsoft\WaterMark.exe” to “c:\windows\system32\userinit.exe”.
Refresh Registry and make sure the value of Userinit does not change back.
If nothing changes, then you can be assured that the virus is removed.


4. I did all those steps above on a Safe Mode logon with the Administrator password. And after I did all that, when I tried to log on again with the Administrator password in Safe Mode I can't! It started loading and then it seemed to automatically log off and go back to the logon screen.

5. So I can not do any of the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help", because I can't even logon.

Just fyi I don't have access to other computers and to send this I'm using my father's Laptop. I hope this laptop does not have any virus too.

Please, please, please help me..

Best Regards,

RNice


An expert should be with you soon.

Stay tuned.

nasdaq

Edited by nasdaq, 13 September 2012 - 08:14 AM.
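The persistence mechanism in the steps above (WaterMark.exe appended to the Winlogon Userinit value) can be checked without hand-editing the registry. This is an added example, not code from the thread or from any tool it mentions; it assumes that a clean XP install lists only userinit.exe in that value, and the sample values below are constructed from the value quoted in the post.

```python
r"""Inspect the Winlogon Userinit value for extra logon programs.

Ramnit persisted by appending WaterMark.exe to the Userinit value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The functions
below parse that value offline; the live read is Windows-only.
"""
import sys
from typing import List, Optional

# Assumption: a clean XP install runs only userinit.exe from this value.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into program paths.

    The clean value normally ends with a trailing comma, so empty
    fields are dropped rather than reported as programs.
    """
    return [p.strip() for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every program other than userinit.exe (case-insensitive)."""
    return [p for p in parse_userinit(value) if p.lower() != EXPECTED_USERINIT]


def userinit_launches_userinit(value: str) -> bool:
    """True when userinit.exe is still listed.

    If it is missing (e.g. the whole value was wiped during cleanup),
    Winlogon logs the user straight back off after logon, the symptom
    described in the thread. Only the extra entries should be removed.
    """
    return any(p.lower() == EXPECTED_USERINIT for p in parse_userinit(value))


def read_live_userinit() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return str(value)


if __name__ == "__main__":
    # Constructed samples: the infected value quoted in the thread, a clean
    # one, and an emptied one that would cause the logon/logoff loop.
    samples = {
        "infected": r"c:\windows\system32\userinit.exe, c:\program files\microsoft\WaterMark.exe",
        "clean": r"C:\WINDOWS\system32\userinit.exe,",
        "emptied": "",
    }
    for name, value in samples.items():
        print(name, "extra:", unexpected_userinit_entries(value),
              "still launches userinit.exe:", userinit_launches_userinit(value))
```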




#2 Casey_boy

Posted 15 September 2012 - 07:18 AM

Hi RNice,

Unfortunately, I have some bad news for you. Ramnit is a type of virus known as a file-infector which can infect any Windows executable files, Microsoft Office files and HTML files. As such, the only sensible route to take is to reformat your PC and reinstall Windows.

This would also solve your unbootable PC problems.

If you need any help on how to reformat your PC, or how to grab data from your machine, then please do not hesitate to ask.

Casey

Edited by Casey_boy, 15 September 2012 - 07:19 AM.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 RNice

Posted 15 September 2012 - 08:53 AM

Hi Casey,

Thanks for the reply. Do I really have to reformat my PC or can I just reinstall my Windows? Because I have a lot of data in my PC. And almost all my important data are in office (doc and xls) and html format.

FYI, I have 2 internal HDs in my PC; the master one I divided into 2 partitions (C and D) and the slave one also has 2 partitions (H and I). All my data are in drives D, H and I. Drive C only consists of system files. Do I have to reformat all of them? If I do have to reformat all of them, then please can you guide me how to grab my data before I reformat them?

Thanks,

RNice

#4 Casey_boy

Posted 15 September 2012 - 09:21 AM

Thanks for the reply. Do I really have to reformat my PC or can I just reinstall my Windows? Because I have a lot of data in my PC. And almost all my important data are in office (doc and xls) and html format.


Reinstalling Windows should suffice. Unfortunately, though, your data cannot be guaranteed to be safe and could reinfect Windows again when accessed. The best thing to do is to back up all your data to an external drive and then scan that drive with anti-virus software before putting it back onto your fresh Windows installation.

FYI, I have 2 internal HDs in my PC; the master one I divided into 2 partitions (C and D) and the slave one also has 2 partitions (H and I). All my data are in drives D, H and I. Drive C only consists of system files. Do I have to reformat all of them? If I do have to reformat all of them, then please can you guide me how to grab my data before I reformat them?


Essentially, if the drives were visible to the infected Windows OS then any of them could, theoretically, be infected. As I said above, I would back up your data, format your drives, scan your data, then move it back. However, if this was too inconvenient you could take the riskier option of wiping and reinstalling Windows and, as soon as Windows is installed, install an anti-virus program and then run a full system scan on the other partitions. I must stress, you should not access any data before checking it with an AV program. This is not as safe as the previous method.

Casey



#5 RNice

Posted 15 September 2012 - 10:22 AM

Reinstalling Windows should suffice. Unfortunately, though, your data cannot be guaranteed to be safe and could reinfect Windows again when accessed. The best thing to do is to back up all your data to an external drive and then scan that drive with anti-virus software before putting it back onto your fresh Windows installation.


How do I backup my data to an external drive if I can not even log on to my Windows?

Essentially, if the drives were visible to the infected Windows OS then any of them could, theoretically, be infected. As I said above, I would back up your data, format your drives, scan your data, then move it back. However, if this was too inconvenient you could take the riskier option of wiping and reinstalling Windows and, as soon as Windows is installed, install an anti-virus program and then run a full system scan on the other partitions. I must stress, you should not access any data before checking it with an AV program. This is not as safe as the previous method.


I think I have to choose the riskier option, because I do not have the budget to buy an external drive. Do you have any suggestion about the AV program? Is Avira good enough?

After I reinstall the Windows, is it safe to scan my PC online? Which site do you suggest that I use to scan online, is it Symantec or ESET?

RNice

#6 Casey_boy

Posted 15 September 2012 - 11:07 AM

Hi RNice,

How do I backup my data to an external drive if I can not even log on to my Windows?


We could have used a bootable Linux environment - however I think you've decided to just go for the reformat.

I think I have to choose the riskier option, because I do not have the budget to buy an external drive. Do you have any suggestion about the AV program? Is Avira good enough?

After I reinstall the Windows, is it safe to scan my PC online? Which site do you suggest that I use to scan online, is it Symantec or ESET?


Avira is a fine AV program - I personally use Microsoft's Security Essentials. As for an online scanner, I recommend ESET.

I hope that helps,

Casey



#7 RNice

Posted 15 September 2012 - 11:41 AM

Ok, so now I will try reinstalling Windows, scanning my PC online, installing Avira, scanning again with Avira, and then hoping (praying) that all my data are clean.

Thank you for all the help Casey. :thumbsup:

#8 Casey_boy

Posted 15 September 2012 - 12:12 PM

No problem. Let me know how it goes :)

Casey



#9 RNice

Posted 20 September 2012 - 04:17 AM

Hi, sorry to bother you again. I've been struggling the past 3 days to make sure that my system is virus free.

This morning I reformatted my drive C and reinstalled Windows. I'm not too concerned if the exe files cannot be salvaged, but I need to know if it is safe for me to access my html data and office documents (mdb, doc, xls and pps).

Could you please help guide me to make sure the Ramnit virus (and other virus) is really gone from my system?

Here's the DDS.TXT

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by RNice at 15:37:15 on 2012-09-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2696 [GMT 7:00]
.
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
.
============== Pseudo HJT Report ===============
.
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
SecurityProviders: msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2012-7-12 13616]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2012-7-12 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2012-7-12 13616]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2012-9-20 18544]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-9-20 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-9-20 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-9-20 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-9-20 83392]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2012-9-20 65136]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-9-20 1691480]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-09-07 13:26:23 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-09-07 13:26:23 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-12 12:45:47 3186 ----a-w- c:\windows\system32\presetup.cmd
2012-07-12 12:45:47 28672 ----a-w- c:\windows\system32\setupold.exe
2012-07-12 12:44:02 5632 ----a-w- c:\windows\system32\drivers\mv64xxmm.sys
2012-07-12 12:44:02 13616 ----a-w- c:\windows\system32\drivers\mvxxmm.sys
2012-07-12 12:44:02 13616 ----a-w- c:\windows\system32\drivers\mv61xxmm.sys
2012-07-12 12:36:55 990208 ----a-w- c:\windows\system32\syssetup.dll
2012-07-12 12:35:56 45568 ----a-w- c:\windows\system32\mshta.exe
2012-07-12 12:34:59 354816 ----a-w- c:\windows\system32\winhttp.dll
2012-07-12 12:33:58 304152 ----a-w- c:\windows\system32\msexcl40.dll
.
============= FINISH: 15:38:06.92 ===============

Please help!

Attached File  attach.txt   2.1KB   0 downloads

#10 Casey_boy

Posted 20 September 2012 - 05:26 AM

It's very hard to check for Ramnit in a DDS log, your best bet is to run a virus scan with an on-board scanner (e.g. your Avira) and also an online scanner:

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

If they both come back clean, then you should be ok :)

Casey

Edited by Casey_boy, 20 September 2012 - 05:27 AM.



#11 RNice

Posted 20 September 2012 - 06:45 AM

Ok, I'm running ESET now.

The last time I ran ESET it took about 6-7 hours and Avira took about 8 hours. So please don't close this topic yet. I will give you the update ASAP.

Thanks for the fast reply Casey. :thumbup2:

RNice.

#12 RNice

Posted 21 September 2012 - 11:12 PM

Hi Casey,

ESET just finished scanning. There are only 3 threats (THANK GOD!) and I attach the ESET_result.txt. From the ESET result the threats should be deleted, right?

I haven't had time to run Avira yet. Is it necessary to run it too?

So what should I do next? Is it safe for me to access my data (html, pdf, mdb, doc, xls, pps etc) now?

RNice

#13 RNice

Posted 21 September 2012 - 11:13 PM

Oops! Here is the ESET result :

Attached File  ESET_Result.txt   513bytes   4 downloads

#14 Casey_boy

Posted 22 September 2012 - 06:13 AM

They look like they could have been false positives - so I wouldn't worry too much about them. I would recommend that you run your Avira scan though :)



#15 RNice

Posted 22 September 2012 - 08:09 AM

Ok, I'm running a full scan using Avira now. This should take a while. I'll update again ASAP.

Thanks.

RNice.
