Trojan - WinNT/Ramnit.gen!A

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by t3rm3y, Mar 6, 2012.

  1. t3rm3y

    t3rm3y Private E-2

On Monday I had MSE give me a warning that this trojan had been found and cleaned. I ran a full scan (I don't recall if other files were found), but I restarted and got the same MSE warning, plus a "Windows File Protection" warning telling me that files required for Windows to run properly have been replaced and I need to insert the XP Service Pack 3 CD - but I updated via the internet / a download, not a CD??

I did the scans as per the forum requests and attached the files.
Can someone please help me? Every time I completed one and restarted I just got the same warnings...

Many thanks
     

    Attached Files:

  2. t3rm3y

    t3rm3y Private E-2

Last files.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
• Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

    Also...
    Run this and attach the results.

    Using ESET's Online Scanner
     
  4. t3rm3y

    t3rm3y Private E-2

Thank you for the reply, I will try tonight after work.
I have noticed that it takes about 1 minute for the PC to be affected - after I boot up and everything is loading I can access websites like Microsoft or Norton, but as soon as MSE reports the threat and I Google search the trojan name, I get an error when trying to open the relevant Microsoft sites and others that are focused on virus info or repairing, as well as some of the links on this forum.
Do I need to run the ESET scanner after the threat has been reported? Or start it as soon as the PC is started, or will it make no difference? (And would this be the same for the other scanners?)
     
  5. t3rm3y

    t3rm3y Private E-2

I have attached the files.
I could not complete an ESET scan as it says "Can not get update Is proxy configured" - I have done as the guide suggests for fixing redirections..

Little worried now, as I do not know what is happening.. I can hear the PC working constantly, like the noise when I download a file..
Is there a way I can complete the scan? Or anything else I need to do?
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall outdated Java.
    • Java(TM) 6 Update 20
    • Java(TM) SE Development Kit 6 Update 20


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    AtJob::
    
    File::
    C:\Documents and Settings\LocalService\Local Settings\Application Data\tplfcigd\cvdrmimt.exe
    C:\Documents and Settings\User\Local Settings\Application Data\tplfcigd\cvdrmimt.exe
    C:\Documents and Settings\User\Start Menu\Programs\Startup\cvdrmimt.exe
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\cvdrmimt.exe
    c:\windows\system32\00G4C23
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dwgmnhus.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\enkajecp.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\fnaphocf.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\ppenhwdg.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\rixktvhj.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\vwnayfhh.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\xhsajtno.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\yaglchbm.log  
    C:\Documents and Settings\User\00G4C23
    C:\Documents and Settings\User\Local Settings\Application Data\bopfcesf.log
    C:\Documents and Settings\User\Local Settings\Application Data\dwgmnhus.log
    C:\Documents and Settings\User\Local Settings\Application Data\igbhsalk.log   
    C:\Documents and Settings\User\Local Settings\Application Data\yaglchbm.log
    
    Folder::
    C:\Documents and Settings\LocalService\Local Settings\Application Data\tplfcigd
    C:\Documents and Settings\User\Local Settings\Application Data\tplfcigd
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe," 
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "CvdRmimt"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "AlcWzrd"=-
    [HKEY_USERS\S-1-5-21-707906100-2429813980-2985056293-1003\Software\Microsoft\Windows\CurrentVersion\run]
    "CvdRmimt"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{032B75A3-A64F-457B-A326-86E1C144C224}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


Reboot your machine and install the most current and up to date version of Java available at the below link:

    Java Runtime 6


    Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.
    Run the new MGTools and attach the new MGlogs.zip.

    Let me know how things are running now.
     
  7. t3rm3y

    t3rm3y Private E-2

I have attached the ComboFix log with today's date (8312). I have downloaded MGtools but it doesn't seem to run a scan; it opens and then closes, and no new log is created...? I will restart the PC and try again..
     

    Attached Files:

  8. t3rm3y

    t3rm3y Private E-2

MGlog after a reboot...
Seems smaller than the previous log? Hope it helps. Still getting the "Windows File Protection" message about missing Service Pack 3 files though.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes you do have a Ramnit infection, and even if we get the ESET scanner to work and clean up for you, it may still be too deeply set in to repair. Do you have your Windows XP boot CD handy?

    Also, after following the below fix, please re-try the online ESET scanner and let me know the upshot of that.


    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    Micorsoft Windows Service
    
    File::
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At3.job
    c:\documents and settings\User\Start Menu\Programs\Startup\cvdrmimt.exe
    
    Folder::
    c:\documents and settings\User\Local Settings\Application Data\tplfcigd
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe," 
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

• cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
• nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
• GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
• ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
• analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  10. t3rm3y

    t3rm3y Private E-2

The ComboFix and HijackThis logs below.

MGtools didn't seem to work:
nwktst - got as far as getting ipconfig info, then "the process cannot access the file because it is being used by another user" x2

GetRunKey - access denied x2
process cannot... x2

ShowNew - access denied x lots
finding copies of various files went OK.
the process cannot...

ESET failed to update as well so wouldn't run, and I still got a webpage error when trying the site directly.

Do I need to reinstall Windows / wipe the hard drive?
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

This infection has really become quite nasty and dangerous. We could attempt to remove it and have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut, etc. can infect all executable files (DLL, EXE, SCR... and many more, and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also, when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts, so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (USB, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are a major source of system infection.
     
  12. t3rm3y

    t3rm3y Private E-2

Many thanks for your help.

I will do a clean install over the weekend..
Would you still recommend MSE as good virus protection?
What is the best free protection in your opinion? I have always heard AVG and MSE are as good as Norton etc.

I have 2 x portable hard drives - one has backed up pictures of my son (hasn't been backed up in some time though) and one has a few video files. Is there a way to check these drives are safe without infecting them by using the current PC, or infecting the cleaned PC after a clean reinstall?

Also - can this virus affect picture files? Or am I safe to back them up somehow prior to the reinstall?

Oh, and is there a way to know how I became infected? I don't want this one again.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

You're most welcome.
I personally use the free edition of Avast!

I would be very wary of the video files. The online ESET scan would have given us a far better idea of what files are infected and possibly been able to remove a lot. Pictures, documents and text files are fine, but I would not trust anything else.

My last post explained a little about how you could have ended up infected.
     
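For the backup-drive question above, this is an added example (not a tool from the thread or from MajorGeeks) of the triage the advice implies: classify each file on the drive by its content signature rather than its extension, so executables and HTML get held back while pictures, documents and plain text are cleared for restore. The sample files it writes are constructed; the file names and helper names are assumptions.

```python
"""Triage a backup drive's files by content signature after a PE-infector incident,
following the thread's advice (pictures, documents, text restorable; executables and
HTML not trusted). Added example, not a tool from the thread; samples are constructed."""
import os
import tempfile

SAFE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"%PDF": "pdf"}
PE_EXT = {".exe", ".dll", ".scr", ".cpl", ".ocx"}
HTML_EXT = {".htm", ".html"}


def classify(path):
    # Returns (verdict, reason); verdict is 'restore', 'review' or 'quarantine'.
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ext = os.path.splitext(path)[1].lower()
    if head.startswith(b"MZ"):  # PE header wins over whatever the name claims
        return "quarantine", "PE executable (MZ header)"
    if ext in PE_EXT:  # executable extension without a PE header: still not restored
        return "quarantine", "executable extension"
    if ext in HTML_EXT or head.lstrip().lower().startswith((b"<html", b"<!doctype")):
        if b"<script" in head.lower():  # the thread notes HTML can be infected too
            return "review", "HTML with embedded script"
        return "review", "HTML"
    for magic, kind in SAFE_MAGIC.items():
        if head.startswith(magic):
            return "restore", kind
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "restore", "plain text"
    return "review", "unrecognised content"


def build_sample_tree():
    """Write constructed sample files (not from the thread) into a temp dir."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "son_2011.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "notes.txt": b"plain text\n",
        "index.html": b"<html><body>hi<script>x()</script></body></html>",
        "clip.exe": b"MZ" + b"\x90" * 64,
        "photo.jpg": b"MZ" + b"\x90" * 64,  # executable renamed to look like a picture
        "movie.avi": b"RIFF\x00\x00\x00\x00AVI LIST",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def triage(root):
    """Walk root and map each relative path to its verdict."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = classify(full)[0]
    return result


if __name__ == "__main__":
    for rel, verdict in sorted(triage(build_sample_tree()).items()):
        print(f"{verdict:10s} {rel}")
```

Run it against the mounted drive's root instead of the sample tree to get the list of files to hold back before restoring onto the clean install.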
  14. t3rm3y

    t3rm3y Private E-2

Hi Kestrel,

I was all set to do my format and reinstall, but my partner works in a computer place and suggested letting her tech guys have a look. She took it in and the boss had a go at cleaning it. I told her what was suggested here, but it sounds like her boss is pretty clued up and does a lot of program writing etc.

He seems to think he has removed the virus - I am worried about the PC being compromised but he seems to think all is OK.. I don't want to just use it and find out a month later someone has all my details - are there any scans that can be run to confirm all is clear and as it should be?

Many thanks
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The ESET scan would be ideal. Or maybe there is another tool that your tech guy could recommend.
     
  16. t3rm3y

    t3rm3y Private E-2

Log attached of an ESET scan. Seems he has fixed it, as I can use ESET and update virus databases.

My girlfriend doesn't know what he did or what program(s) were used.

Is it cleaned? Safe to log into emails / bank etc??

Many thanks
     

Attached Files:

• log.txt (3.4 KB)
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

• cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
• nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
• GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
• ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
• analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  18. t3rm3y

    t3rm3y Private E-2

Hi, I have the HijackThis log, but the MGtools log didn't appear; it just said sed.exe was not a valid file and didn't do a lot..
     

    Attached Files:

  19. t3rm3y

    t3rm3y Private E-2

I deleted the MGtools folder and double-clicked the MGtools.exe file to recreate the folder, then ran the commands as you requested. Here are the proper logs..
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, not looking too bad. (But again, do heed my warning. I don't think I would trust a machine once Ramnit had run through it.)

    Before we continue, you need to use MSCONFIG to put the machine into normal start up mode.

    Delete these files.
    C:\Documents and Settings\LocalService\Local Settings\Application Data\dwgmnhus.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\xhsajtno.log
    C:\Documents and Settings\LocalService\Local Settings\Application Data\yaglchbm.log
    C:\Documents and Settings\User\Local Settings\Application Data\bopfcesf.log

    Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

    Run the new C:\MGTools.exe and attach the new C:\MGlogs.zip.
     
  21. t3rm3y

    t3rm3y Private E-2

    updated logs...
    many thanks
     

    Attached Files:

    Last edited: Mar 14, 2012
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It is still embedded into your system. Show your tech guy:
    I wish you the best of luck with this one. We could keep cleaning and cleaning forever... :(
     
  23. t3rm3y

    t3rm3y Private E-2

OK, I have decided to bite the bullet and reinstall the OS. Is there a link or some help on doing a format / reinstall? I assume it's not as simple as putting the disc in the drive? I must have to wipe the computer completely so no traces of anything are left??
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can post about this in the software forum. ;)
     
