W32/Ramnit.D

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cheesiemonster, Aug 1, 2012.

  1. cheesiemonster

    cheesiemonster Private E-2

    Hi there,

    I'm a new member of the forum - I would say I'm computer literate but by no means an expert so really would appreciate any help.

    I'm in a similar situation to a previous member - http://forums.majorgeeks.com/showthread.php?t=252347

    After visiting a website (and not a dodgy one!) about 18 hours ago, I started getting persistent UAC prompts for the Command Processor. However, after pressing "No" a number of times I accidentally pressed "Yes" - this proceeded to turn off UAC and restart my computer automatically. After this, I found that I was unable to turn UAC back on, unless I went into safe mode. When I rebooted normally, the UAC prompts were back.

    I tracked the UAC prompts to a process (pmnnfrwl.exe) and stopped it, which also stopped the UAC prompts. I then found a random exe file (called 0.6802653494669689.exe) in my userprofile\Appdata folder, and also pmnnfrwl.exe (the one pushing the UAC prompts) in temp. I deleted them both (as well as all the temp files) but upon reboot, pmnnfrwl.exe was back and the same problem continued. I also found "xhpsapuf.exe" in C:\User\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, but I couldn't delete this as it was "open in Host Process for Windows Services".

    Running Microsoft Safety Scanner found Win32/Ramnit.D, but the Scanner could not remove it. I then successfully deleted pmnnfrwl.exe and xhpsapuf.exe in safe mode, but they were back again with the UAC prompts when I rebooted.

    This is when I then turned to majorgeeks for help...

    I ran the 4 scans prescribed and have attached the logs - I want to add that, following the instructions for running each of the scanners, I didn't delete any of the detected items, except in MalwareBytes, where I selected "remove selected".

    Not knowing much about these things, I run my PC using one administrator account only (be assured this will change once this is sorted out) but hopefully it hasn't managed to infect many locations. I do have antivirus (Avira) and both this and the PC are up-to-date. I've also turned UAC back on for the moment.

    Any help at all would be greatly appreciated! Sorry for the long post.
    Thanks in advance
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's see how deeply it is set in before I start reviewing all those logs.


    Run this and attach the results.

    Using ESET's Online Scanner
     
  3. cheesiemonster

    cheesiemonster Private E-2

    Thank you so much for your help - muchly appreciated. I've run the scan and attached the log file below. Seems like it's Ramnit.AE again in the files I tried to delete (but respawn).

    Also I had to run ESETScan on Internet Explorer as in Firefox the "page could not be found". This also happened with the link for Malwarebytes. Firefox and Thunderbird are playing up and keep crashing upon startup or don't startup at all - could this be due to the malware also?

    Again, thank you so much - I'm very grateful.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And you are very welcome. :)

    Delete these files:

    • C:\Users\Ron\AppData\Local\abjyolwy.log
    • C:\Users\Ron\AppData\Local\bbyomvap.log
    • C:\Users\Ron\AppData\Local\bsquirin.log
    • C:\Users\Ron\AppData\Local\etwgxhgt.log
    • C:\Users\Ron\AppData\Local\lddmpebp.log
    • C:\Users\Ron\AppData\Local\nvtjydfs.log
    • C:\Users\Ron\AppData\Local\rkmyemcq.log
    • C:\Users\Ron\AppData\Local\unfkhovv.log
    • C:\Users\Ron\AppData\Local\ykclvopx.log
    • C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhpsapuf.exe
    • C:\ProgramData\mlkjqdtd.log

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Re run HitmanPro and RogueKiller - no fixes, just scans, and attach logs from each.



    I want you to run TDSSKiller so refer to the below for how to do so. (DO NOT just quit after running TDSSKiller and MBRCheck, there is MUCH more to do, scroll further down and follow the Read and Run Me First Malware removal procedures link.)

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

    Now re run the ESET online scanner and let me know what it finds.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  5. cheesiemonster

    cheesiemonster Private E-2

    Hi again,

    I did as you instructed, although to delete C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhpsapuf.exe I had to first do the prescan from RogueKiller to kill the svchost process.

    The FixME.reg was merged successfully, and ESET picked up 2 threats this time (as opposed to 6 last time).

    With MGlogs I started it and walked away; when I was back it had closed by itself - hopefully it finished and I'm attaching the updated files.

    Thanks very much!
     

    Attached Files:

  6. cheesiemonster

    cheesiemonster Private E-2

    Double post to upload a couple of extra files.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O4 - HKCU\..\Run: [XhpSapuf] C:\Users\Ron\AppData\Local\pbxgppoo\xhpsapuf.exe
    • O4 - Startup: xhpsapuf.exe

    After clicking Fix exit HJT.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the [IMG] area. Do not include the word Code.

    Code:
    :Files
    C:\Users\Ron\AppData\Local\Temp\pmnnfrwl.exe
    C:\Users\Ron\AppData\Local\abjyolwy.log
    C:\Users\Ron\AppData\Local\bbyomvap.log
    C:\Users\Ron\AppData\Local\bsquirin.log
    C:\Users\Ron\AppData\Local\etwgxhgt.log
    C:\Users\Ron\AppData\Local\lddmpebp.log
    C:\Users\Ron\AppData\Local\nvtjydfs.log
    C:\Users\Ron\AppData\Local\rkmyemcq.log
    C:\Users\Ron\AppData\Local\unfkhovv.log
    C:\Users\Ron\AppData\Local\ykclvopx.log
    C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhpsapuf.exe
    C:\ProgramData\mlkjqdtd.log
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "XhpSapuf"=-
    [HKEY_USERS\S-1-5-21-3965089189-2858296701-1019616836-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "XhpSapuf"=-
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Run the ONLINE ESET scanner again and let me know of the results.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  8. cheesiemonster

    cheesiemonster Private E-2

    Hello again,

    I've done everything you said, except:

    Running MGtool\analyse.exe, HijackThis did not pick up the 2 files you mentioned.

    The OTM instructions were completed successfully and I rebooted the machine, although the majority of the files to be moved were not found (I've attached the log).

    The Online ESET Scanner picked up no threats this time.

    I've attached the new MGLogs.zip file (Incidentally, last time I ran Getlogs.bat I forgot to turn off UAC beforehand - could this have affected it? This time I did turn UAC off though).

    When I restart the computer now the UAC driven by pmnnfrwl.exe does not come up anymore, and pmnnfrwl.exe and xhpsapuf.exe in temp are staying deleted. svchost processes (2 of them originally) are also not showing up in taskmgr.

    Does this mean I'm almost clean and home free???

    Thank you so much for all your help, could not have even started to do any of this without you.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No you are not out of the woods yet I'm afraid. :( A while back I think I asked you to use MSCONFIG to set up for normal start up mode. Did you actually do that?
     
  10. cheesiemonster

    cheesiemonster Private E-2

    Ah no I didn't - I misunderstood and thought that meant coming out of safe mode. I will put the machine into normal startup and repeat all the steps.

    Thanks again!
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, no need to redo ALL the steps, for now just do this once in normal mode:

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  12. cheesiemonster

    cheesiemonster Private E-2

    Hello again,

    I've restarted in normal mode and done HijackThis (again the things you asked me to delete weren't there in the results of the scan) and OTM before I read your latest post.

    So here is the latest OTM log and also the MGLogs.zip in normal mode.

    Thanks, as ever.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The below probably won't show but just in case:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    • O4 - HKCU\..\Run: [XhpSapuf] C:\Users\Ron\AppData\Local\pbxgppoo\xhpsapuf.exe
    • O4 - Startup: xhpsapuf.exe

    After clicking Fix exit HJT.


    Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot.



    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *xhpsapuf*
      :Regfind
      *xhpsapuf*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt


    • Re-scan with RogueKiller - no fix, just a scan, and attach the log.
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  14. cheesiemonster

    cheesiemonster Private E-2

    Hi there,

    Analyse.exe again did not find those 2 files.

    I don't think avenger.exe completed properly. The first time, upon reboot, Avira stopped a file called "cleanup.bat" which I assumed was needed for avenger to complete. So I uninstalled Avira and did the avenger.exe steps again, but again no popup or log file was created upon reboot.

    No files found again with systemlook.

    I've attached systemlook log, roguekiller log and mslogs.zip, and also a list of the quarantined files from my last ESETscan (the last time you told me to do it) - in case they turn out to be revealing. With Getlogs.bat each time only 2 logs within Mslogs.zip get updated - GetUnKey.txt and runkeys.txt - hope this is correct?

    Thanks as ever.
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  16. cheesiemonster

    cheesiemonster Private E-2

    Here they are.

    Many thanks.
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We need to run an OTL Fix

    • Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    :otl
    IE:64bit: - HKLM\..\SearchScopes\{4632AF93-7A90-4683-8213-90579B3EA358}: "URL" = http://uk.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913936
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    [2012/08/01 10:11:33 | 000,000,000 | ---D | C] -- C:\Users\Ron\AppData\Local\pbxgppoo
    [2012/08/06 15:14:52 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\hpga.sys
    [2012/08/06 14:53:29 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\ffmwccgt.sys
      
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

    Run C:\MGTools\analyse.exe do a system scan only and save a log file. Attach it for me to see.

    Now run OTL like you did the very first time, just a scan and attach the log.
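    The fixes in posts 4, 7, 13 and 17 keep coming back to two questions: what is set to start automatically (the HKCU Run value [XhpSapuf] and the copy of xhpsapuf.exe in the Startup folder) and which policy values the infection changed (the Explorer NoActiveDesktop entries removed in the OTL fix, plus the UAC setting the original poster saw forced off). The PowerShell script below is an added example, not part of this thread and not from any of the tools used in it; it reads those locations and reports entries matching the pattern seen here without deleting anything. The function names (Get-RunKeyEntries, Get-SuspicionReason, Get-PolicyState) and the "8 random lowercase letters under AppData\Local, Temp or ProgramData" heuristic are my own assumptions drawn from the file names posted in this thread, not a general rule.

```powershell
# Added example, not from the thread or any tool it names. Read-only audit of
# the autostart locations and policy values the fixes above touched. Run from
# an elevated PowerShell on the machine being checked; it reports, nothing more.

# Heuristic assumed from this thread: the dropped files all had 8-letter random
# names (pmnnfrwl.exe, xhpsapuf.exe, abjyolwy.log, ...) and lived under
# AppData\Local, Temp or ProgramData. Treat either trait as worth a look.
$randomName   = '^[a-z]{8}\.(exe|log)$'
$suspectRoots = @($env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-SuspicionReason {
    param([string]$Command)
    # Reduce a Run value such as "C:\dir\app.exe" /q to just the executable path
    $exe = $Command.Trim()
    if ($exe -match '^"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }
    $reasons = @()
    foreach ($root in $suspectRoots) {
        if ($exe -like "$root\*") { $reasons += "runs from $root"; break }
    }
    $leaf = [System.IO.Path]::GetFileName($exe)
    if ($leaf -match $randomName) { $reasons += 'random 8-letter name' }
    return ($reasons -join '; ')
}

function Get-RunKeyEntries {
    # The O4 / :reg lines in the fixes above target the HKCU Run key; HKLM and
    # the WOW6432Node view are included because the same value can sit there.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell adds to every registry item
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            [PSCustomObject]@{
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
                Reason   = Get-SuspicionReason ([string]$p.Value)
            }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user Startup (where xhpsapuf.exe sat) and the all-users Startup folder
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path -or -not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path -File | ForEach-Object {
            [PSCustomObject]@{
                Location = $path
                Name     = $_.Name
                Command  = $_.FullName
                Reason   = Get-SuspicionReason $_.FullName
            }
        }
    }
}

function Get-PolicyState {
    # The OTL fix removed NoActiveDesktop / NoActiveDesktopChanges (= 1);
    # EnableLUA is the UAC switch: 1 means on, 0 is what the poster was left with.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $e = Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $system   -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        NoActiveDesktop        = $e.NoActiveDesktop
        NoActiveDesktopChanges = $e.NoActiveDesktopChanges
        EnableLUA              = $s.EnableLUA
    }
}

$entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries)
$entries | Format-Table Location, Name, Command, Reason -AutoSize
Get-PolicyState | Format-List
```

A blank Reason column means the entry matched neither trait, not that it is clean; the point of the script is to give you the same list HijackThis's O4 lines and the OTM :reg section were working from, so you can compare before and after a fix and confirm that a removed value has not been recreated on reboot, as it was in the early posts of this thread.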
     
  18. cheesiemonster

    cheesiemonster Private E-2

    I've done as you asked and here are the logs. OTL run like the first time only produced an OTL.txt file this time; there was no extras.txt.

    Thanks
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The logs finally look good. Run ESET online scan once more. Attach results. :)
     
  20. cheesiemonster

    cheesiemonster Private E-2

    I've just run ESETs again and no detections so no log.

    Am I now clean???

    Thank you so much for your help - I couldn't even begin to sort this out on my own. Muchly appreciated.

    One more thing if I am clean now - I had a USB hard drive connected to my computer when I got infected and then unplugged it, not wanting it to get infected and passing the virus onto other computers. Could you advise me on doing a scan of the hard drive and let me know what program to use to scan etc?

    Thanks again.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you asking what can scan the flashdrive or what can scan the HD?
     
  22. cheesiemonster

    cheesiemonster Private E-2

    Sorry my post was super confusing - I meant what I can use to scan the USB hard drive. Thanks!
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Have it plugged in when you do an ESET scan, if there's anything on it, it should pick it up. Also have it plugged in when you scan with Malware Bytes.
     
  24. cheesiemonster

    cheesiemonster Private E-2

    Sorry for the late reply, I've been away for the last week and a half.

    Just finished both scans with the hard drive plugged in, nothing was detected, so good news.

    Thanks so much for all your help through this - I'm very grateful indeed.
     
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad to hear it, and you are most welcome. :)
     
