Ramnit.A infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stuartr, Aug 28, 2010.

  1. stuartr

    stuartr Private E-2

    Hi

    I am having problems with Ramnit.A.

    ESET is reporting a number of infected HTML files, and sure enough, when I review them in TextPad they all have the VBScript appended to the end of them.

    All files appear to be dated the same date 20-07-2010 and are timed within a few minutes of each hour. A quick windows search based on file type and date seems to suggest a substantial number of infected files.

    I have run all the tests and they all ran without error, with the exception of RootRepeal, which failed with an error "FOPS - DeviceIoControlError! Error Code = 0xc0000024 Extended Info (0x00000dc)".

    SuperAntiSpyWare reported one trojan.

    Logs are attached.


    Many Thanks

    Stuart
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are not showing any of the standard signs of this infection.

    Please immediately do the below. You must do this immediately and you must complete all 3 scans one after the other with only the delay to post logs in between. DO NOT use your PC for anything else but these instructions.

    Run this Using ESET's Online Scanner and immediately attach the log.

    Then run the Eset scan a second time and attach the 2nd log.

    Then run the Eset scan a third time and attach the 3rd log.

    After attaching the 3rd log, if any Ramnet infections were found by Eset, try to repeat the above until it comes up clean. The only infections of Ramnet you can ignore, are ones that may be found in the System Volume Information folder which is System Restore and cannot be cleaned. We will remove them later by disabling System Restore.
     
  3. stuartr

    stuartr Private E-2

    First log from ESET scan attached.

    Two things of note:
    The desktop txt file is a copy of the Ramnit script that I used to clean approx 5000 infected HTML files manually.

    I used the find in file capability of textpad to search for the opening script tag, and then used the open all capability to open these files in batches of up to 1000 at a time, and then used the find/replace capability of TextPad combined with regular expressions to remove the script from all the open files, before resaving them.

    While it seemed to work, it looks like I missed 50 or so, which are included in the ESET log.

    ESET also detected the Process Viewer within MGTools as a virus.

    Attach feature not working at the moment; getting a timeout with the following error:

    Error 503!

    /newattachment.php

    Service Unavailable!


    So I pasted the results below.

    Will start 2nd scan now.

    Thanks

    Stuart


    C:\MGtools\Process.exe Win32/PrcView application cleaned by deleting - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Adobe\CS5\jre\Welcome.html Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Creative\ZenCast\Program Guide\ZenCastGuide.html Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Creative\ZenCast\Program Guide\ZenCastGuide2.html Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\about.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\authFailed.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\checkfor.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\checking.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\getall.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\help.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\history.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\InstallInstr.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\notconnected.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\security.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\settings.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\toaster.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\toaster_multiple.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\um.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\umbcpc.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\updatecomplete.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Macrovision\FLEXnet Connect\6\ui\updates.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Microsoft\VSTAHost\SSIS_ScriptComponent\9.0\ItemTemplatesCache\CSharp\Web\1033\HTMLPage.zip\HTMLPage.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\Microsoft\VSTAHost\SSIS_ScriptTask\9.0\ItemTemplatesCache\CSharp\Web\1033\HTMLPage.zip\HTMLPage.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_ara.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_chi-hk.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_chi-sc.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_chi-tc.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_cze.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_dan.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_dut.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_eng-us.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_eng.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_fin.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_fre.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_ger.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_heb.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_hin.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_hun.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_ind.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_ita.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_kor.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_may.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_nor.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_pol.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_por-br.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_por.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_rum.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_rus.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_slk.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_spa-co.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_spa.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_swe.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_tha.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_tur.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_ukr.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\AppData\Local\VirtualStore\ProgramData\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\Eula\Licence_vie.htm Win32/Ramnit.A virus deleted - quarantined
    C:\Users\stuart\Desktop\ramnitA.txt Win32/Ramnit.A virus deleted - quarantined
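    The manual clean-up described above (search for the opening script tag, then strip the appended block) as an added Python example; this is not code from the thread, from TextPad or from ESET. It assumes an infected file is a normal document followed by a `<script>` block appended after the final `</html>`, reports hits rather than overwriting anything, and uses constructed sample strings that stand in for the real appended script.

```python
import re
import tempfile
from pathlib import Path

# Ramnit.A appends its script after the document's real closing tag, so a
# <script> block trailing the final </html> is the indicator to look for.
APPENDED_SCRIPT = re.compile(
    r"(?P<body>.*</html>)\s*(?P<script><script\b[^>]*>.*</script>)\s*$",
    re.IGNORECASE | re.DOTALL,
)

def find_appended_script(html: str):
    """Return the trailing <script>...</script> block after </html>, or None."""
    m = APPENDED_SCRIPT.match(html)
    return m.group("script") if m else None

def strip_appended_script(html: str) -> str:
    """Return the document without the appended block (unchanged if clean)."""
    m = APPENDED_SCRIPT.match(html)
    return m.group("body") + "\n" if m else html

def scan_tree(root):
    """List .htm/.html files under root that carry an appended script block."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".htm", ".html") and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            if find_appended_script(text) is not None:
                hits.append(path)
    return sorted(hits)

# Constructed samples (hypothetical content, not the actual Ramnit script).
CLEAN = "<html><body><p>hello</p></body></html>\n"
INFECTED = CLEAN + (
    '<script language="VBScript">\n'
    "' constructed stand-in for an appended block\n"
    'MsgBox "x"\n'
    "</script>\n"
)

def demo():
    """Write the two samples to a temp dir and return the flagged file names."""
    root = tempfile.mkdtemp()
    (Path(root) / "clean.htm").write_text(CLEAN, encoding="utf-8")
    (Path(root) / "hit.html").write_text(INFECTED, encoding="utf-8")
    return [p.name for p in scan_tree(root)]
```

    Only files whose script block sits after the closing tag are flagged, so a page with a legitimate inline script inside `<body>` is left alone.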
     
  4. stuartr

    stuartr Private E-2

    Second ESET scan results attached.

    Only two threats reported, being the Process Viewer from MGTools and my text file containing the VBScript code.

    Third scan to commence.
     


  5. stuartr

    stuartr Private E-2

    Third ESET run completed - showing all clear, so no log created.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, this is just a false detection. It is just a process management tool that can list and kill processes, like a command line version of Task Manager. ;)

    Great. Then are you currently having any problems?
     
  7. stuartr

    stuartr Private E-2

    None apparent at the moment. I have also run various rootkit detectors, which all seem clear, so fingers crossed all seems well at the moment.

    I have managed to remove or clean around 20,000 infected HTML files over the last couple of days. That thing certainly spreads itself around!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it does. If you run into it again or know anyone else who gets it, try starting with the ESET Online Scanner. It has been doing quite well at finding and fixing this. Even though you had ESET NOD32 installed, the online scanner was able to do more. ;)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. stuartr

    stuartr Private E-2

    Thanks again, will finish the clean-up and then review the software firewall in line with your recommendations :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
