Whatsapp email attachment virus and Ramnit.H


  • This topic is locked
11 replies to this topic

#1 YesImOtto

  • Members
  • 284 posts

Posted 14 December 2013 - 02:46 AM

Hi BleepingComputer

This morning my mom received an email from what seemed to be from Whatsapp. It was something along the lines of "Someone you know sent you a picture... click here to open!" She is not tech savvy, so she opened it, seconds before I told her not to...

Anyway, I told her that stuff is dangerous and could be some malware/virus etc. And I was right. My computer has been acting very strangely ever since, trying to open command prompt... minimizing every single thing I have....

I will tell you what I have done so far, bleeping. The knowledge I used in doing this was gained from BleepingComputer a few years ago when I first asked for help here; I also gained a lot of valuable experience in dealing with viruses etc. So here goes:

I have restarted my computer and went into safe mode. From there, I went to (user) -> AppData -> Roaming and deleted the crazy weird folders with random names like dejiju.exe, qesyzy.exe, etc. Now they are not present anymore, even though my computer is still acting strange.

Right now, as I type this post, I am running an Avast full scan, MBAM, SuperSAS, and the ESET online scanner. Now I feel quite relaxed and calm, even though I can see some infections from those antivirus programs. That is, until I saw a win32/ramnit.H virus from ESET, did some Google research and stumbled upon this.....

http://www.bleepingcomputer.com/forums/t/449347/please-help-ramnit-virus/

boopme, one of the people from BC that has helped me tremendously, said that the ramnit virus is a trojan horse that allows the hacker to sneak into my system through flaws and gain remote access to my computer, and he said that this is almost incurable, so the best option is to just format the computer. Format is the last thing I want to do... And to be honest, after reading what boopme posted in that link above, I do feel like I am being watched by this hacker; maybe he can gain access to my computer or something. Of course, this could simply be my imagination... but there is always a chance that the hacker is monitoring me right this second.

I am in shock at the moment. Hopefully someone from BC can come to my aid again. Ask me anything about this; I will do my best to provide information to you all. I am ready to use RKill... OTL... ComboFix... whatever tools BC normally use to help kill this malware, I am ready to use. Thank you again

Thank you again for reading, BC.


Edited by dynwar7, 14 December 2013 - 03:01 AM.



#2 Condobloke

    Outback Aussie @ 54.2101 N, 0.2906 W

  • Members
  • 5,787 posts
  • Gender: Male

Posted 14 December 2013 - 03:16 AM

What action did Eset take... can you post the log here please?

Also.... click on the "FOLLOW THIS TOPIC" button located on the right hand side towards the top of the page.... that will ensure that replies go to your inbox immediately.


Edited by Condobloke, 14 December 2013 - 03:23 AM.

Condobloke ...Outback Australian

fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3 EXCLUSIVELY.

Microsoft gives you Windows, Linux gives you the whole house...

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy

#3 YesImOtto

  • Topic Starter
  • Members
  • 284 posts

Posted 14 December 2013 - 03:30 AM

Done, this topic is followed.

Not yet, Eset is still doing the scan. Once it is finished, and the other AVs finish, I will post the logs here if required.

Thanks



#4 Condobloke

    Outback Aussie @ 54.2101 N, 0.2906 W

  • Members
  • 5,787 posts
  • Gender: Male

Posted 14 December 2013 - 03:36 AM

Ok.... thank you.

I will be here.



#5 hamluis

    Moderator

  • Moderator
  • 55,411 posts
  • Gender: Male
  • Location: Killeen, TX

Posted 14 December 2013 - 07:15 AM

    Hi BleepingComputer

    boopme, one of the people from BC that has helped me tremendously, said that ramnit virus is a trojan horse that allows the hacker to sneak into my system through flaws and gain remote access to my computer, and he said that this is almost incurable, so the best option is to just format the computer. Format is the last thing I want to do..

Boopme is the Moderator of this forum... I believe that his suggestions/advice are the best that you can have... and should be followed.

Louis

Edit: Unlike some of the other BC forums, where members and Advisors may have more knowledge/experience/expertise with a given situation... the Staff personnel in the BC Am I Infected and Malware Removal Logs forums should be considered as providing the best possible advice/suggestions re any malware situation which appears as a topic seeking assistance.


Edited by hamluis, 14 December 2013 - 07:45 AM.
Edited.


#6 YesImOtto

  • Topic Starter
  • Members
  • 284 posts

Posted 14 December 2013 - 09:03 AM

I understand; however, is it possible to run some checks with BC's tools such as ComboFix, OTL, and so on? I have read a number of cases of people being infected with ramnit who were able to remove it. After all, it is better to try than not to try at all.



#7 hamluis

    Moderator

  • Moderator
  • 55,411 posts
  • Gender: Male
  • Location: Killeen, TX

Posted 14 December 2013 - 10:12 AM

We understand your unwillingness to accept the prescribed suggestions... but life is full of unpleasant outcomes and the mature person realizes that and doesn't hope that, all of a sudden, life will move in reverse, IMO.

I've looked at the most recent cases involving Ramnit and I suggest that you take a look at http://www.bleepingcomputer.com/forums/t/516071/not-able-to-remove-qsubqpccexe-from-startup/?p=3222520, which affirms previous guidance provided here at BC.

There are two malware forums here at BC... you now have read the same pertinent information re Ramnit... from each of them. If you would like to initiate a topic in the Malware Removal Logs forum... and see the above comments for a third time... that is your privilege and I cannot prevent such. But, ultimately, the advice here will essentially present the same scenario to you.

As for your comment that you have "read a number of cases of people being infected with ramnit, and were able to remove it."... if you could post links to such, I am sure that the BC community which deals with malware... would greatly appreciate reviewing those links.

To initiate a topic in the Malware Removal Logs forum, follow Steps 6-8 of the Preparation Guide and post your topic in the MRL forum, which contains the Prep Guide.

Louis


Edited by hamluis, 14 December 2013 - 10:20 AM.


#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,934 posts
  • Gender: Male
  • Location: NJ USA

Posted 14 December 2013 - 09:26 PM

Thank you Louis, as per your PM dynwar.

Proceed at your own risk:

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are some tools and various rescue disks available from several anti-virus vendors. Keep in mind there is no guarantee the repair will be successful and you may need to try more than one. Even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. This means that infected executables and system files can become unusable after attempting to repair them, and there's still no guarantee the virus is really gone. Since many of these are legitimate critical files required by the operating system, deletion is not a viable option. This destructive behavior may be by design, as explained in File Infectors: To Junk Or Not To Junk.

In my experience, users may find their system performing better for a short time after attempted disinfection, only to have it become progressively worse again as the malware continues to reinfect thousands of files. Some folks will try every tool or rescue disk they can find in futile attempts to repair critical system files. If something goes awry during the malware removal process, the computer may become unstable or unbootable and you could lose access to all your data. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove the infected files.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

If your computer is bootable, disinfection can be attempted through a combination of the following tools:

These are links to anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. - Tutorial for Avira Rescue CD.
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Support Forum.

Edited by boopme, 15 December 2013 - 05:52 PM.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
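The point boopme makes above, that a file infector keeps reinfecting executables and that a scan reporting "clean" says nothing about what was changed, is easiest to see with a known-good baseline. The script below is an added example, not code from this thread or from any BleepingComputer tool: it snapshots the SHA-256 of every executable under a directory while the system is believed clean, then reports executables that were modified, added or removed since. The directory layout, file contents and the dropped file name are constructed stand-ins built in a temporary directory, so it runs offline.

```python
"""Baseline-and-diff integrity check for executables (added example)."""
import hashlib
import tempfile
from pathlib import Path

# File types a PE file infector typically targets (assumption for this example).
EXEC_SUFFIXES = {".exe", ".dll", ".scr"}


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header that Windows PE files carry."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def build_baseline(root: Path) -> dict[str, str]:
    """Map each executable under root (relative POSIX path) to its SHA-256.

    A file counts as an executable if its suffix is in EXEC_SUFFIXES or if it
    carries an MZ header regardless of extension.
    """
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix.lower() in EXEC_SUFFIXES or is_pe(p)):
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report executables that were modified, added or removed since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean snapshot, then a simulated infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "App").mkdir(parents=True)
        (root / "AppData" / "Roaming").mkdir(parents=True)
        # Constructed stand-ins for real executables: MZ header plus filler bytes.
        (root / "Program Files" / "App" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "Program Files" / "App" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "AppData" / "Roaming" / "notes.txt").write_bytes(b"plain text, not code")

        baseline = build_baseline(root)  # taken while the system is believed clean

        # Simulate the two effects described in the thread: an existing executable
        # gets extra bytes appended, and a random-named executable appears under Roaming.
        with (root / "Program Files" / "App" / "app.exe").open("ab") as f:
            f.write(b"\xcc" * 16)
        (root / "AppData" / "Roaming" / "dejiju.exe").write_bytes(b"MZ" + b"\xcc" * 32)

        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The diff only tells you what changed relative to the snapshot. If the baseline was taken after the infection, or if the machine already hosted a backdoor when it was taken, the check is silent, which is the same reason the moderators say a machine that was compromised cannot simply be trusted again once a scanner reports nothing.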

#9 YesImOtto

  • Topic Starter
  • Members
  • 284 posts

Posted 14 December 2013 - 11:43 PM

Boopme, for all those links, do I need to use an empty CD? I currently do not have any empty CDs.



#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,934 posts
  • Gender: Male
  • Location: NJ USA

Posted 15 December 2013 - 05:51 PM

Then I guess you have to look at the file sizes and see if your CD has room.

#11 YesImOtto

  • Topic Starter
  • Members
  • 284 posts

Posted 16 December 2013 - 05:17 AM

boopme, I have managed to clean many of the infected files, etc. and did the scans again in safe mode, deleted infected files again, and lastly now for the third round, I am doing scans again. So far there are no infected files, which is very good when compared to the first round scan, which had 80+ infected files.

Does this mean I am safe? Very soon after the computer got infected, I disconnected my internet completely from my computer; I thought it would make a difference and would prevent the hacker from accessing my computer remotely. Maybe this is why the virus did not have the time to fully replicate itself and infect the majority of my system?

Well, I do not know much, but so far the scans are showing good results.



#12 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,934 posts
  • Gender: Male
  • Location: NJ USA

Posted 16 December 2013 - 10:48 AM

    Does this mean I am safe?

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat, as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

This is all I can say.
 

