Ramnit Virus Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by woodchopper88, Feb 27, 2011.

  1. woodchopper88

    woodchopper88 Private E-2

    My mum's netbook has become infected with the ramnit A/H virus and I am trying to fix it for her.

    NOD32 initially found an NCG trojan while the netbook was in use on a public wifi network. Since then it has intermittently bombarded me with messages about cleaned files being found all over my system. On the one hand at least it's cleaning them, but it looks like it has spread and is preventing programs like Skype and Adobe Reader from running due to missing files which I assume became infected and were deleted by the anti-virus.

    I have read through the Read and Run thread and scanned the system with all the suggested software as well as all other steps. Pretty much next to nothing was found in the attached logs.

    The NOD32 quarantine still has many files there that I haven't yet removed. Should I do so? It seems like a lot of them are related to programs which may not run properly with files missing.

    Anyway, here are the logs. I hope it's not a problem posting in this thread again to add the fifth log.

    Thank you in advance for your assistance!
     

    Attached Files:

  2. woodchopper88

    woodchopper88 Private E-2

    MG Tools log attached
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, woodchopper88

    *However, if you want to try, then you need to start running this scan back to back. Do it three times, one after the other and post each log in your next reply.

    eSet Online Scan.
     
  4. woodchopper88

    woodchopper88 Private E-2

    Thanks for your quick reply.

    I searched the site for information on the ramnit virus and it does look worrying although as yet my system appears to be running fairly well considering. I would like to try and remove it if possible although if it looks like that becomes too difficult I'll give up and reformat.

    For the time being though I'd like to do whatever else I can. I did two scans using ESET's online scanner. The first time it only found the process.exe file associated with MGtools which I believe is a false report.

    The second time it found no threats and so I was unable to access any log to attach here. A third try therefore seemed pointless.

    What else can I do? The best record of the infected (but cleaned) files is on my NOD32 log. Is that any use?
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    That's good news, so far - I'm reviewing your log attachments.

    dr.m
     
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    More good news - I don't see any remaining malware.

    A couple of things, though...

    What can you tell me about these?
    c:\documents and settings\SAMSUNG\Start Menu\Programs\Startup\yghaubfg.exe
    C:\Program Files\qdpnkxvp


    *Other than the tools our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. [ C:\Documents and Settings\SAMSUNG\Desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    Please look in Add/Remove Programs (Programs and Features if using Vista or Windows 7) for the following and uninstall if found.
     
  7. woodchopper88

    woodchopper88 Private E-2

    I have cleaned up the desktop and left only shortcuts.

    The yghaubfg.exe file appears to be 'Outpost User Interface' by Agnitum Ltd, although I don't know why this is here and whether it is genuine. The other mysterious folder contains the same executable file. Should I remove them both?

    I also removed the Java update 21 from the programs list.

    Although the computer appears to be malware free from the scans, I am still receiving notifications from NOD32 about cleaned files. Just a few hours ago my mum plugged in a card reader to the netbook (bad idea I know!) and received the notifications which I have attached to a text file below. I hope this is of some use to you.
     

    Attached Files:

  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, woodchopper88

    *Does Outpost Firewall appear in your "Add/Remove Programs"? In CCleaner's "Tools"/Uninstall listing?

    Using Windows Explorer, navigate to and delete this folder:
    C:\Program Files\qdpnkxvp

    Next - Insert your flash drive/card reader before you begin. Hold down the Shift key when inserting the flash drive/card reader until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    * Double-click Flash_Disinfector.exe to run it.
    * Your desktop and icons may disappear. This is normal.
    * It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    * Follow any prompts that may appear.
    * The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    * Wait until it has finished scanning and then exit the program.
    * There will be no GUI interface or log file produced.
    * Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Then - We are going to be uninstalling your version of FireFox and re-installing. So do the below to save bookmarks:
    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
    C:\Program Files\Mozilla Firefox

    *Remember to substitute the actual user account name being used for "UserAccount".

    Then run CCleaner.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    Please inform me of any further detections by NOD32.
    dr.m
     
  9. woodchopper88

    woodchopper88 Private E-2

    Before I use the flash disinfector and reinstall Firefox I'd like to understand what's going on with this.

    The program doesn't appear anywhere. When I tried to delete that folder I was told it was in use elsewhere so couldn't be removed. I restarted the computer and then found that the folder was empty (or at least appeared to be) but when trying to delete it I got the message "cannot delete qdpnkxvp: the directory is not empty".

    How can I remove this?

    Also, after restarting I received a few more NOD32 notifications which I have attached.

    Thank you
     

    Attached Files:

  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    As your nod32.txt logs indicated that FireFox is infected with the Win32/Ramnit.A virus, I would recommend that you quickly follow my last instructions. I would then scan the flash drive/card reader with your AV.

    Then we'll deal with the "C:\Program Files\qdpnkxvp" folder.

    dr.m
     
    Last edited: Feb 28, 2011
  11. woodchopper88

    woodchopper88 Private E-2

    I uninstalled Firefox as per your instructions. I also removed Adobe Reader and Skype since they were frequently coming up with infections in NOD32.

    I scanned the card reader with NOD32 which said it was clean. I wasn't able to run FlashDisinfector as the error message "is not a valid Win32 application" came up.

    Here are the latest log files from NOD32. Please note that all these came up before uninstalling Firefox, Adobe and Skype. Nothing since.
     

    Attached Files:

  12. woodchopper88

    woodchopper88 Private E-2

    Lots of notifications from NOD32 coming up again. I've attached the latest ones in a new log.

    It looks like it has spread quite badly, yet the files still keep being cleaned.

    Please advise.

    Thanks very much
     

    Attached Files:

  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :(

    I had hopes that we had caught the infection in time, but this behavior pattern indicates a worsening condition. There is little that you can do at this point other than a reformat and clean re-install. IMPORTANT! You really must be extremely careful about what you back up before the reinstall. All executable files, all HTML files and more may be infected. Reusing just one of them after a reinstall can cause the infection to respawn all over again.
     
  14. woodchopper88

    woodchopper88 Private E-2

    Oh well, I feared I may have to do a clean reinstall eventually. Better to do that now than waste any more of your time.

    Can you provide any information for how to backup files considering I don't want the virus to infect my portable hard drive?

    There isn't too much in need of backing up anyway which should make things easier. I'm mainly concerned about not infecting any usb or external drives (and therefore other computers).

    Thanks for all your help
     
  15. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, woodchopper88

    The safest thing for you to do is back up your personal data ONLY. (In this case to CD or DVD to prevent chances of infecting other storage devices and in turn any PCs that they would be attached to.) Do not back up any executable files (like: .avi, .com, .bin, .dat, .exe, .pdf, .mov, .mpg....etc.). This includes programs that you have downloaded, since any of them could be infected. Anything you may have already backed up that is an executable type file (things you downloaded to install programs....etc) is most likely infected and will cause you to be reinfected if you reuse these files.

    Once you backup, you need to format partitions and reinstall Windows and all other software especially your protection software. Then install all updates for all software. DO NOT reinstall from any executable file backups you made while this PC was infected or you will just be reinstalling the infection. Be sure to scan those backups FIRST before copying back to the reformatted machine.

    You're welcome! Best of luck, I'm sorry that we couldn't get rid of this baddie.
    dr.m
     
    Last edited: Feb 28, 2011
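The backup advice in the post above, and the autorun.inf handling from the earlier Flash Disinfector instructions, as a small added helper script (example code, not from the forum or from any of the tools named in the thread). It assumes the extension list exactly as the post gives it (plus HTML, which the earlier post says Ramnit also infects) and that a protective autorun.inf is a folder while a real autorun.inf is a file.

```python
import os
from pathlib import Path

# Extensions the post says not to copy off a Ramnit-infected machine,
# plus HTML, which the earlier post says the virus also infects.
# Assumed list; matching by extension is a coarse filter, not a scan.
EXCLUDED_EXTENSIONS = {
    ".avi", ".com", ".bin", ".dat", ".exe", ".pdf", ".mov", ".mpg",
    ".html", ".htm",
}


def classify_backup(filenames):
    """Split candidate files into (safe_to_copy, leave_behind) lists."""
    safe, excluded = [], []
    for name in filenames:
        ext = Path(name).suffix.lower()
        (excluded if ext in EXCLUDED_EXTENSIONS else safe).append(name)
    return safe, excluded


def autorun_state(drive_root):
    """Report what sits at <drive_root>/autorun.inf.

    'file'   -> a real autorun.inf; treat the removable drive as suspect
    'folder' -> the protective placeholder folder Flash Disinfector writes
    None     -> nothing there
    """
    target = Path(drive_root) / "autorun.inf"
    if target.is_dir():
        return "folder"
    if target.is_file():
        return "file"
    return None


def plan_backup(source_dir):
    """Walk a personal-data folder and return (safe, excluded) full paths."""
    candidates = [
        os.path.join(dirpath, f)
        for dirpath, _, files in os.walk(source_dir)
        for f in files
    ]
    return classify_backup(candidates)


if __name__ == "__main__":
    import sys
    safe, excluded = plan_backup(sys.argv[1])
    print(f"safe to back up: {len(safe)}, excluded: {len(excluded)}")
    for path in excluded:
        print("  skip:", path)
```

Run it against the folder you intend to copy to CD/DVD; anything it lists under "skip" should be reinstalled from a trusted source after the reformat rather than restored.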
  16. woodchopper88

    woodchopper88 Private E-2

    I'll be sure to follow that advice.

    Biggest problem now is that the netbook has no optical drive. I've got a Windows XP disc and an external hard drive. No idea how I can reinstall windows on it.
     
  17. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I'm sure that you can receive help with this in our Software Forum.
     
