MajorGeeks Support Forums: Malware Removal
Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.

#1  02-27-11, 20:41  woodchopper88 (Private E-2)
Ramnit Virus Removal

My mum's netbook has become infected with the ramnit A/H virus and I am trying to fix it for her.

NOD32 initially found an NCG trojan while the netbook was in use on a public wifi network. Since then it has intermittently bombarded me with messages about cleaned files being found all over my system. On the one hand at least it's cleaning them, but it looks like it has spread and is now stopping programs like Skype and Adobe Reader from running due to missing files, which I assume became infected and were deleted by the anti-virus.

I have read through the Read and Run thread and scanned the system with all the suggested software as well as all other steps. Pretty much next to nothing was found in the attached logs.

The NOD32 quarantine still has many files there that I haven't yet removed. Should I do so? It seems like a lot of them are related to programs which may not run properly with files missing.

Anyway, here are the logs. I hope it's not a problem posting in this thread again to add the fifth log.

Thank you in advance for your assistance!
Attached files: combofixlog.txt (9.1 KB), mbam-log.txt (900 Bytes), rr.txt (690 Bytes), SUPERAntiSpywareLog.txt (465 Bytes)
#2  02-27-11, 20:42  woodchopper88 (Private E-2)

MG Tools log attached
Attached files: MGlogs.zip (97.3 KB)
#3  02-27-11, 20:49  dr.moriarty (Malware Super Sleuth)

Welcome to MajorGeeks, woodchopper88

Quote:
Ramnit infections have really become quite nasty and dangerous. We could attempt to remove it, and we have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut, etc. can infect all executable files (DLL, EXE, SCR and many more) and also HTML files. These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also, when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt, so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.

So all the above being said, and please do take serious note of the warnings, do you really wish to attempt cleaning even though the stability and security of your PC cannot be guaranteed? And also note that we could spend a lot of time trying to fix it and still fail due to the number of files that have been infected. What would you like to do?
*However, if you want to try, then you need to start running this scan back to back. Do it three times, one after the other and post each log in your next reply.

ESET Online Scanner.
__________________
"Education never ends, Watson.... It is a series of lessons, with the greatest for the last."
Free malware removal from MajorGeeks
Support MajorGeeks!
#4  02-27-11, 22:22  woodchopper88 (Private E-2)

Thanks for your quick reply.

I searched the site for information on the ramnit virus and it does look worrying although as yet my system appears to be running fairly well considering. I would like to try and remove it if possible although if it looks like that becomes too difficult I'll give up and reformat.

For the time being though I'd like to do whatever else I can. I did two scans using ESET's online scanner. The first time it only found the process.exe file associated with MGtools which I believe is a false report.

The second time it found no threats and so I was unable to access any log to attach here. A third try therefore seemed pointless.

What else can I do? The best record of the infected (but cleaned) files is on my NOD32 log. Is that any use?
#5  02-27-11, 22:46  dr.moriarty (Malware Super Sleuth)

That's good news, so far - I'm reviewing your log attachments.

dr.m
#6  02-27-11, 23:34  dr.moriarty (Malware Super Sleuth)

More good news - I don't see any remaining malware.

A couple of things, though...

What can you tell me about these?
c:\documents and settings\SAMSUNG\Start Menu\Programs\Startup\yghaubfg.exe
C:\Program Files\qdpnkxvp


*Other than the tools our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. [ C:\Documents and Settings\SAMSUNG\Desktop ] Do not store downloads, exe files, iso files, etc. on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least, it can have an effect on your PC's performance.

Please look in Add/Remove Programs (Programs and Features if using Vista or Windows 7) for the following and uninstall if found.
Quote:
Java(TM) 6 Update 21
#7  02-28-11, 10:18  woodchopper88 (Private E-2)

I have cleaned up the desktop and left only shortcuts.

The yghaubfg.exe file appears to be 'Outpost User Interface' by Agnitum Ltd, although I don't know why this is here and whether it is genuine. The other mysterious folder contains the same executable file. Should I remove them both?

I also removed the Java update 21 from the programs list.

Although the computer appears to be malware free from the scans I am still receiving notifications from NOD32 about cleaned files. Just a few hours ago my mum plugged in a card reader to the netbook (bad idea I know! ) and received the notifications which I have attached to a text file below. I hope this is of some use to you.
Attached files: nod32.txt (1.6 KB)
#8  02-28-11, 11:31  dr.moriarty (Malware Super Sleuth)

Hello, woodchopper88

*Does Outpost Firewall appear in your "Add/Remove Programs"? In CCleaner's "Tools"/Uninstall listing?

Using Windows Explorer, navigate to and delete this folder:
C:\Program Files\qdpnkxvp

Next - Insert your flash drive/card reader before you begin. Hold down the Shift key when inserting the flash drive/card reader until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

Please have all your removable storage devices ready for disinfection.

Download Flash Disinfector by sUBs and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it.
* Your desktop and icons may disappear. This is normal.
* It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
* Follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* There will be no GUI interface or log file produced.
* Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Then - We are going to be uninstalling your version of Firefox and re-installing. So do the below to save bookmarks:
  • Run Firefox and click Bookmarks.
  • Then select Organize Bookmarks.
  • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

Now download and save the installer for the current version of Firefox but DO NOT install it yet. Get it here: Mozilla Firefox

You will need to exit Firefox now and use Internet Explorer to continue with the below until we reinstall Firefox.

Start by uninstalling Firefox and then reboot. Do not skip the reboot.
After reboot, delete the below folders:

C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
C:\Program Files\Mozilla Firefox

*Remember to substitute the actual user account name being used for "UserAccount".

Then run CCleaner.

Now reinstall Firefox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).

Please inform me of any further detections by NOD32.
dr.m
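The Shift-key and Flash Disinfector steps above both work around the same mechanism: an autorun.inf at the root of a removable drive tells Windows XP what to run when the drive is plugged in, and the immunisation trick is to occupy that name with a folder so the worm cannot drop its own file there. The script below is an added example written for this thread, not Flash Disinfector's code: it parses an autorun.inf, lists every launch target (open=, shellexecute=, and shell\<verb>\command= entries), checks whether each target is a real PE file on the drive, and then immunises the drive. The "drive" is a temporary directory, and the RECYCLER folder, the file name wkqzdpfa.exe and the autorun.inf contents in demo() are constructed for the example.

```python
"""Inspect a removable drive's autorun.inf and immunise it the way the post above
describes. Added example for this thread, not Flash Disinfector's own code. The
"drive" is a temporary directory and every file on it is constructed here."""
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return {key: value} from the [autorun] section. Section and key names are
    lower-cased: autorun.inf is case-insensitive and worms mix case to dodge greps."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command: str) -> str:
    """Executable part of a command line: the quoted path if quoted, else the first word."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def launch_targets(entries: dict) -> list:
    """Everything autorun.inf could execute: open=, shellexecute=, and any
    shell\\<verb>\\command= entry (the verbs shown in the drive's context menu)."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, first_token(value)))
    return targets


def inspect_drive(root: str) -> dict:
    """State of a drive root: 'absent', 'immunised' (autorun.inf is a folder) or
    'present', in which case each launch target is resolved against the drive and
    checked for existence and an MZ (PE executable) header."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"state": "absent", "targets": []}
    if os.path.isdir(path):
        return {"state": "immunised", "targets": []}
    with open(path, "r", errors="replace") as f:
        entries = parse_autorun(f.read())
    targets = []
    for key, exe in launch_targets(entries):
        full = os.path.join(root, exe.replace("\\", os.sep))
        exists = os.path.isfile(full)
        is_pe = False
        if exists:
            with open(full, "rb") as f:
                is_pe = f.read(2) == b"MZ"
        targets.append({"key": key, "target": exe, "exists": exists, "is_pe": is_pe})
    return {"state": "present", "targets": targets}


def immunise(root: str) -> str:
    """Delete a malicious autorun.inf file and put a non-empty folder of the same name
    in its place, so the worm cannot recreate the file. Simplified: the real tool also
    hides and protects the folder; this only creates it. Returns the new state."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        os.remove(path)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "immunised.txt"), "w") as f:
        f.write("placeholder so the folder is never empty\n")
    return inspect_drive(root)["state"]


def demo() -> tuple:
    """Constructed sample drive: autorun.inf pointing at a randomly named executable in
    a RECYCLER folder (hypothetical name; a layout many USB worms of this era used).
    Returns (inspection before immunising, state after)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "wkqzdpfa.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # header stub only, not a real program
    with open(os.path.join(root, "autorun.inf"), "w", newline="") as f:
        f.write("[AutoRun]\r\n"
                "OPEN=RECYCLER\\wkqzdpfa.exe\r\n"
                "shell\\open\\Command=\"RECYCLER\\wkqzdpfa.exe\" /s\r\n"
                "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
    before = inspect_drive(root)
    after = immunise(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for t in before["targets"]:
        print(f"{t['key']} -> {t['target']} exists={t['exists']} pe={t['is_pe']}")
    print("state after immunising:", after)
```

Run it against a real drive by passing the drive root to inspect_drive() before plugging the stick into any other machine; a "present" state whose targets exist and carry an MZ header is the USB-spread pattern the post is describing. Two caveats: the folder trick only blocks autorun, not a user double-clicking the dropped executable, and Windows has not honoured autorun.inf on USB drives since an update in 2011, so it matters for the XP netbook in this thread and for other un-updated machines the drive will meet.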
#9  02-28-11, 12:13  woodchopper88 (Private E-2)

Quote (originally posted by dr.moriarty):
Hello, woodchopper88

*Does Outpost Firewall appear in your "Add/Remove Programs"? In CCleaner's "Tools"/Uninstall listing?

Using Windows Explorer, navigate to and delete this folder:
C:\Program Files\qdpnkxvp

Before I use the flash disinfector and reinstall Firefox I'd like to understand what's going on with this.

The program doesn't appear anywhere. When I tried to delete that folder I was told it was in use elsewhere so couldn't be removed. I restarted the computer and then found that the folder was empty (or at least appeared to be) but when trying to delete it I got the message "cannot delete qdpnkxvp: the directory is not empty".

How can I remove this?

Also, after restarting I received a few more NOD32 notifications which I have attached.

Thank you
Attached files: nod32(2).txt (1.3 KB)
#10  02-28-11, 12:26  dr.moriarty (Malware Super Sleuth)

As your nod32.txt logs indicated that Firefox is infected with the Win32/Ramnit.A virus, I would recommend that you quickly follow my last instructions. I would then scan the flash drive/card reader with your AV.

Then we'll deal with the "C:\Program Files\qdpnkxvp" folder.

dr.m

Last edited by dr.moriarty; 02-28-11 at 12:28.. Reason: Additional comment
#11  02-28-11, 13:14  woodchopper88 (Private E-2)

I uninstalled Firefox as per your instructions. I also removed Adobe Reader and Skype since they were frequently coming up with infections in NOD32.

I scanned the card reader with NOD32 which said it was clean. I wasn't able to run FlashDisinfector as the error message "is not a valid Win32 application" came up.

Here are the latest log files from NOD32. Please note that all these came up before uninstalling Firefox, Adobe and Skype. Nothing since.
Attached files: nod32(3).txt (34.9 KB)
#12  02-28-11, 15:27  woodchopper88 (Private E-2)

Lots of notifications from NOD32 coming up again. I've attached the latest ones in a new log.

It looks like it has spread quite badly, yet the files still keep being cleaned.

Please advise.

Thanks very much
Attached files: nod32(4).txt (24.4 KB)
#13  02-28-11, 17:57  dr.moriarty (Malware Super Sleuth)

I had hopes that we had caught the infection in time, but this behaviour pattern indicates a worsening condition. There is little that you can do at this point other than a reformat and clean re-install. IMPORTANT! You really must be extremely careful about what you back up before the reinstall. All executable files, all HTML files and more may be infected. Reusing just one of them after a reinstall can cause the infection to respawn all over again.
#14  02-28-11, 18:26  woodchopper88 (Private E-2)

Oh well, I feared I may have to do a clean reinstall eventually. Better to do that now than waste any more of your time.

Can you provide any information for how to backup files considering I don't want the virus to infect my portable hard drive?

There isn't too much in need of backing up anyway which should make things easier. I'm mainly concerned about not infecting any usb or external drives (and therefore other computers).

Thanks for all your help
#15  02-28-11, 18:49  dr.moriarty (Malware Super Sleuth)

Hello, woodchopper88

The safest thing for you to do is back up your personal data ONLY. (In this case to CD or DVD, to prevent chances of infecting other storage devices and in turn any PCs that they would be attached to.) Do not back up any executable files (like: .avi, .com, .bin, .dat, .exe, .pdf, .mov, .mpg, etc.). This includes programs that you have downloaded, since any of them could be infected. Anything you may have already backed up that is an executable-type file (things you downloaded to install programs, etc.) is most likely infected and will cause you to be reinfected if you reuse these files.

Once you have backed up, you need to format the partitions and reinstall Windows and all other software, especially your protection software. Then install all updates for all software. DO NOT reinstall from any executable file backups you made while this PC was infected or you will just be reinstalling the infection. Be sure to scan those backups FIRST before copying back to the reformatted machine.

You're Welcome! Best of luck, I'm sorry that we couldn't get rid of this baddie.
dr.m

Last edited by dr.moriarty; 02-28-11 at 18:51.. Reason: Added note
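The backup rule in this post ("personal data only, no executables") and the point in dr.moriarty's first reply that PE file infectors touch every executable type and HTML as well both come down to the same check: decide what is safe to copy by what a file is, not what it is called. The script below is an added example written for this thread, not a tool from either post. It sniffs each file for a DOS/PE header (so a renamed executable does not slip through on its .jpg extension), treats HTML as infectable, falls back to the post's extension list, and, for executables, applies a generic file-infector heuristic (entry point redirected into a last, writable and executable section). The heuristic, the header-only PE images built by build_pe(), the SKIP_EXT additions beyond the post's list and the sample file names are all assumptions of the example, not facts about Ramnit.

```python
"""Triage a folder before backing it up from a machine hit by a PE file infector.
Added example for this thread (not from either post). Files are judged by content:
anything with a DOS/PE header is an executable whatever its extension, HTML is
treated as infectable, and the sample tree and PE images are constructed here."""
import os
import struct
import tempfile

# Extensions the post says not to back up (kept as listed), plus a few more PE types.
SKIP_EXT = {".exe", ".dll", ".scr", ".com", ".bin", ".dat", ".pdf", ".avi", ".mov",
            ".mpg", ".htm", ".html", ".sys", ".ocx", ".cpl", ".msi"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def is_pe(data: bytes) -> bool:
    """True when data has an 'MZ' DOS stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def entry_in_last_wx_section(data: bytes) -> bool:
    """Generic file-infector heuristic (not a Ramnit signature): the entry point lies
    in the LAST section and that section is writable and executable. Compilers put
    the entry in .text; appending infectors add a section and redirect the entry to it."""
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # NumberOfSections
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
        entry = struct.unpack_from("<I", data, e_lfanew + 40)[0]     # AddressOfEntryPoint
        table = e_lfanew + 24 + opt_size
        sections = [struct.unpack_from(SECTION_FMT, data, table + 40 * i) for i in range(nsect)]
    except struct.error:
        return False
    if not sections:
        return False
    name, vsize, rva, rawsize, *rest, flags = sections[-1]
    in_last = rva <= entry < rva + max(vsize, rawsize)
    writable_exec = flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE
    return bool(in_last and writable_exec)

def classify(path: str) -> str:
    """Verdict for one file; only 'data' is safe to copy to the backup medium."""
    with open(path, "rb") as f:
        head = f.read(65536)  # headers and section table sit at the front of a PE
    if is_pe(head):
        return "executable, entry in last W+X section" if entry_in_last_wx_section(head) else "executable"
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    if os.path.splitext(path)[1].lower() in SKIP_EXT:
        return "skip by extension"
    return "data"

def triage(root: str) -> dict:
    """Walk root and return {relative path: verdict}."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdicts[os.path.relpath(full, root)] = classify(full)
    return verdicts

def build_pe(entry_rva: int, sections: list) -> bytes:
    """Header-only PE32 image for the demo (constructed, not a real program).
    sections: [(name, rva, size, characteristics)] in address order."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # IMAGE_OPTIONAL_HEADER32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(struct.pack(SECTION_FMT, name, size, rva, size, 0, 0, 0, 0, 0, ch)
                     for name, rva, size, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

def demo() -> dict:
    """Constructed sample tree: documents, a clean exe, a renamed exe with an
    infector-style entry point, an HTML page and a PDF. Returns the triage verdicts."""
    text = (b".text", 0x1000, 0x200, 0x60000020)  # code, execute, read
    data = (b".data", 0x2000, 0x100, 0xC0000040)  # initialised data, read, write
    clean = build_pe(0x1000, [text, data])
    infected = build_pe(0x3000, [text, data, (b".tmp", 0x3000, 0x300, 0xE0000020)])
    samples = {
        "letter.doc": b"Dear Mum, the netbook is nearly sorted.",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 32,
        "setup.exe": clean,
        "holiday.jpg": infected,  # an executable hiding behind a data extension
        "recipes.html": b"<html><body>bread</body></html>",
        "notes.pdf": b"%PDF-1.4 constructed",
    }
    root = tempfile.mkdtemp()
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return triage(root)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:40} {path}")
```

Point triage() at the folders you intend to keep and copy only the "data" verdicts to the CD/DVD; everything else is reinstalled from a trusted source after the rebuild. The entry-point check is a heuristic in both directions: a packed or self-modifying binary can trip it, and an executable that passes can still be infected, which is why the post says to leave executables out entirely rather than try to sort good ones from bad.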
#16  02-28-11, 19:14  woodchopper88 (Private E-2)

I'll be sure to follow that advice.

Biggest problem now is that the netbook has no optical drive. I've got a Windows XP disc and an external hard drive. No idea how I can reinstall windows on it.
#17  02-28-11, 19:24  dr.moriarty (Malware Super Sleuth)

I'm sure that you can receive help with this in our Software Forum.

All times are GMT -5.