Infection Help Request - Possible Ramnit.gen!a

Discussion in 'Malware Help (A Specialist Will Reply)' started by Moonraker, May 3, 2012.

  1. Moonraker

    Moonraker Private E-2

    Hi All,

    I believe I have a pretty serious infection and wonder if anyone can help.

    My PC frequently crashes, every time it boots up an Internet Explorer window mysteriously opens, and I'm barred from many websites (e.g. Microsoft, Kaspersky, MalwareBytes) with a "Page Cannot Be Found" error.

    Microsoft Security Essentials (MSE) originally identified something called Trojan:WinNt/Ramnit.gen!a and I now get a message on booting up that it has identified a threat and is cleaning it. According to the history log it is always this same threat, but also noted in the log is “Security Essentials encountered the following error: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.”

    MSE may have been jinxed to some extent because it now won’t update its virus and spyware definitions.

    Now I've read many of the forum pages and from what I've seen this Ramnit threat may well be terminal. This request is just to see if there's any chance of recovering the situation.

    Unfortunately I've had problems with running many of the requirements laid out in your pages and therefore may be beyond help, but here goes:

    1. Super Anti Spyware downloaded and ran fine. Log is attached.

    2. MalwareBytes Anti Malware. I already had this on my PC. It won’t run. Even using their “Chameleon” tool to try and subvert the processes stopping it, it won’t work. Therefore, I have no log from here.

    3. Combofix. Unfortunately I can’t download this – the site directed to (bleepingcomputer) is one of those where I get a “Page Cannot Be Found” error, so nothing from this.

    4. RootRepeal. I could download this, but unfortunately it wouldn't run. I got an error message about not having enough virtual memory. This was with everything turned off (i.e. MSE, Firewall). I don't know if this is a genuine error or the program is jinxed.

    5. Lastly, MGTools. I could get this to work thankfully and the zip log is attached.

    Apologies for not being able to supply all the data you usually like.

    Any suggestions gratefully received.

    Many Thanks
    Cheers
    Steve.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do an online scan three times!! Reboot between each scan and save the logs. Attach the three logs when you are done:
    eSet Online Scan.
     
  3. Moonraker

    Moonraker Private E-2

    Hi,

    Unfortunately eset.com is one of those sites which I'm prevented from going to. This pops up in the browser window:

    The page cannot be found
    The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

    Please try the following:

    If you typed the page address in the Address bar, make sure that it is spelled correctly.
    Open the www.eset.com home page, and then look for links to the information you want.
    Click the Back button to try another link.

    HTTP 404 - File not found
    Internet Information Services

    Technical Information (for support personnel)

    More information:
    Microsoft Support


    This is the same in firefox or internet explorer. I have chrome as well, but can't even get that to open now either.

    As mentioned in my first post, there seems to be a number of help sites i'm entirely blocked from going to and get the same message as above.

    I did try out the tips under the Google redirection thread before making the first post, but to no avail. Again, certain things like TDSSKiller on Kaspersky's pages I was simply blocked from getting to.

    Is there anything else i could try ?
    Cheers
    Steve.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    Extract avenger.exe from the Zip file and save it to your desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    1. Extract avenger.exe from the Zip file and save it to your desktop.
    2. Run avenger.exe by double-clicking on it.
    3. Click OK at the warning to continue to use The Avenger
    4. Do not change any of the check box options!
    5. Shut down your protection software now to avoid possible conflicts.
    6. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    7. Now click the http://img33.imageshack.us/img33/9159/executeavenger.jpg button
    8. Click Yes to the prompt to confirm you want to execute.
    9. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    10. Your PC should reboot, if not, reboot it yourself.
    11. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    12. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. Moonraker

    Moonraker Private E-2

    Hi Tim,

    thanks for this. I've followed your instructions and all worked ok.

    (1) Fixed rows in analyse.exe successfully.

    (2) Registry update worked successfully.

    (3) The avenger.exe updates worked and the log is attached.

    (4) GetLogs.bat file ran and MGLogs.zip file also attached. Incidentally, I never saw this bit: "Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes twice)." Also, I don't have the Microsoft .NET Framework installed and got an error message concerning processdll.exe. I was never able to download this because of the block on microsoft.com sites and in fact I still can't.

    When the PC was rebooted after running the Avenger process, it seemed to boot up okay and without the annoying IE browser which has popped up since this attack.

    However, on subsequent reboots it appears to be back to how it was previously, i.e. much slower to initialize the desktop and with the browser window automatically opening.

    And I'm still currently barred from accessing many websites with the "page cannot be found" message referred to previously.

    Is there anything else left to try ?
    Thanks for your help so far.
    Kind Rgds
    Steve.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTL to your desktop.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :otl
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\Documents and Settings\Mike\Local Settings\Application Data\jiqwvtdd\roijgtmt.exe
    O4 - HKCU\..\Run: [RoiJgtmt] C:\Documents and Settings\Mike\Local Settings\Application Data\jiqwvtdd\roijgtmt.exe
    
    :files
    C:\Documents and Settings\Mike\Local Settings\Application Data\ffjfbldg.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\hwoapeud.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\jiqwvtdd
    C:\Documents and Settings\Mike\Local Settings\Application Data\lmsosthh.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\oplavsbm.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\spibhvrp.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\tgpodsyp.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\udfebacg.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\uuwktvne.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\xydvidjm.log
    C:\Documents and Settings\Mike\Local Settings\Application Data\jiqwvtdd
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoiJgtmt"=-
    
    [HKEY_USERS\S-1-5-21-2025429265-527237240-725345543-1003\Software\Microsoft\Windows\CurrentVersion\run]
    "RoiJgtmt"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\SYSTEM32\Userinit.exe,"
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip
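    Added example (not part of the thread, and not how OTL or HijackThis work internally): a small Python script that reads a .reg export of the Winlogon and Run keys and flags the two persistence points the fix above removes. The first is anything appended after userinit.exe in the Userinit value (the F2 line in the OTL script), which winlogon launches at every logon and which is why the dropper came back after The Avenger run. The second is Run entries whose target lives in a user-writable profile directory. The registry export text below is constructed for the example and modelled on the paths in the OTL script; the key and value names are the real Windows ones, the list of "user-writable" directory markers is an assumption, and only REG_SZ values are parsed.

```python
"""Audit a Windows .reg export for Userinit and Run-key persistence.

Added example: flags the two persistence points the OTL fix above removes.
Only REG_SZ ("name"="data") values are parsed; dword:/hex: values are ignored.
"""
import re

WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Directories a non-admin user can write to. A Run entry pointing here is not
# proof of malware, but it is where droppers usually land (assumed list).
USER_WRITABLE_MARKERS = (
    '\\local settings\\application data\\',
    '\\appdata\\local\\',
    '\\appdata\\roaming\\',
    '\\temp\\',
)

# Constructed sample export, modelled on the Userinit/Run entries in the OTL
# script above. Not a real export from the poster's machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\SYSTEM32\\Userinit.exe,,C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\jiqwvtdd\\roijgtmt.exe"
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RoiJgtmt"="C:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\jiqwvtdd\\roijgtmt.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed clean export for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping (doubled backslash, backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def audit_userinit(keys):
    """Return Userinit entries other than the canonical system32\\userinit.exe.

    A clean value is the userinit.exe path followed by a comma (the trailing
    comma is normal). Every further comma-separated entry is started by
    winlogon at logon, before the desktop appears.
    """
    winlogon = next((v for k, v in keys.items() if k.lower() == WINLOGON_KEY.lower()), {})
    entries = [e.strip() for e in winlogon.get('Userinit', '').split(',') if e.strip()]
    return [e for e in entries if not e.lower().endswith('\\system32\\userinit.exe')]


def audit_run_keys(keys):
    """Return (key, name, data) for Run entries that point into user-writable dirs."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith('\\currentversion\\run'):
            continue
        for name, data in values.items():
            if any(marker in data.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append((key, name, data))
    return findings


def audit(reg_text):
    keys = parse_reg_export(reg_text)
    return {'userinit_extra': audit_userinit(keys), 'run_suspects': audit_run_keys(keys)}


if __name__ == '__main__':
    for label, text in (('suspect', SAMPLE_REG), ('clean', CLEAN_REG)):
        print(label, audit(text))
```

    On a live machine `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the same for the HKCU and HKLM Run keys) produces this format; reg.exe writes UTF-16 with a BOM, so open the file with encoding='utf-16' before passing it to audit(). Any Userinit entry after userinit.exe deserves a look whatever its name, because the random names that malware picks (jiqwvtdd, roijgtmt) are exactly what an allow-list of known names will not catch.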
     
  7. Moonraker

    Moonraker Private E-2

    Hi Tim,

    Thanks, have followed instructions and attach the OTL log and MGLogs as requested.

    Regards
    Steve.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    In spite of our best efforts, it all is coming back. That is the nature of a Ramnit infection. Your inability to do an online scan is making it impossible to remove the infection. Your best course of action is to reformat and re-install.

    The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut, etc. can infect all executable files (DLL, EXE, SCR and many more, and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

    In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also, when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt, so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.
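    Added example (not from the thread, and not how MSE, OTL or any other tool mentioned here detects Ramnit): a generic triage check for the class of PE file infectors the post describes. Infectors that append their body to a host executable typically add a trailing section and point AddressOfEntryPoint into it, so the script parses the PE headers and reports when the entry point lands in the last section, in a section that is both writable and executable, or outside every section. Packers and protectors trip the same checks, so a hit means "scan this file", not "infected". The two PE images are constructed in memory for the example (the section name .extra is made up), and the script also accepts real files on the command line.

```python
"""Heuristic triage for appended-section PE file infectors.

Added example: parses the PE section table and checks where the entry point
lands. This is a generic heuristic, not a Ramnit signature.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = '<8sIIIIIIHHI'  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_point):
    """Construct a minimal PE32 header + section table (test data, not loadable)."""
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)  # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack('<HBBIIIIII', 0x10B, 0, 0, 0, 0, 0, entry_point, 0x1000, 0x2000)
    opt += b'\0' * (0xE0 - len(opt))  # pad to SizeOfOptionalHeader
    table = b''.join(
        struct.pack(SECTION_HDR, name.ljust(8, b'\0'), size, va, size,
                    0x400 + i * 0x1000, 0, 0, 0, 0, chars)
        for i, (name, va, size, chars) in enumerate(sections))
    return dos + b'PE\0\0' + coff + opt + table


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ image')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('PE signature missing')
    coff = pe_off + 4
    n_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError('unknown optional header magic 0x%x' % magic)
    entry = struct.unpack_from('<I', data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        name, vsize, va, rawsz, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'va': va, 'size': max(vsize, rawsz), 'chars': chars})
    return entry, sections


def infector_indicators(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    entry, sections = parse_sections(data)
    owner = next((i for i, s in enumerate(sections)
                  if s['va'] <= entry < s['va'] + s['size']), None)
    if owner is None:
        return ['entry point 0x%x lies outside every section' % entry]
    s = sections[owner]
    findings = []
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append('entry point in last section %r (appended-code pattern)' % s['name'])
    if s['chars'] & IMAGE_SCN_MEM_WRITE and s['chars'] & IMAGE_SCN_MEM_EXECUTE:
        findings.append('entry section %r is writable and executable' % s['name'])
    if not s['chars'] & IMAGE_SCN_MEM_EXECUTE:
        findings.append('entry section %r is not marked executable' % s['name'])
    return findings


# Constructed samples: a normal layout, and the same layout with a trailing RWX
# section that now owns the entry point. Section names are made up.
TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_PE = build_pe([(b'.text', 0x1000, 0x800, TEXT),
                     (b'.data', 0x2000, 0x400, DATA)], 0x1010)
SUSPECT_PE = build_pe([(b'.text', 0x1000, 0x800, TEXT),
                       (b'.data', 0x2000, 0x400, DATA),
                       (b'.extra', 0x3000, 0x600, TEXT | IMAGE_SCN_MEM_WRITE)], 0x3010)

if __name__ == '__main__':
    import sys
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            print(path, infector_indicators(fh.read()) or 'no indicators')
    print('clean  ', infector_indicators(CLEAN_PE))
    print('suspect', infector_indicators(SUSPECT_PE))
```

    Because SizeOfOptionalHeader is read from the COFF header rather than assumed, the parser works on real executables (with their data directories) as well as on the stub images built here. Run it from a clean machine over copies of the suspect PC's executables; when the same indicators show up across dozens of system binaries at once, that is the "thousands of infected files" situation the post describes, and it supports the reformat-and-reinstall advice rather than file-by-file cleaning.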
     
  9. Moonraker

    Moonraker Private E-2

    Hi Tim,

    I thought this might be the case, having perused some of the other Ramnit threads. I will try to reformat and reinstall Windows as per your suggestion. Fortunately there's not really much of any value on this particular PC and I may replace it in the near future anyway.

    Many thanks for your time and efforts in trying to assist me.

    Kind Regards
    Steve.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. :)
     
