ramnit infection?

manuka · Nov 7, 2011

Saturday pm Micro Security Essentials started to flag up what was described as various Trojans and Exploits
eg Win32/Ramnit.A B C D AE etc
WinNT Ramnit.gen!A
Win32/CplLnk.A
Repeatedly pressed clean button and they all came up in MSE log as "Removed"
However, some ramnit.D and ramnit.gen!B showed in log as "allowed"
Spent most of Sat and Sun doing all sorts of scans etc to see if anything was identified on the m/c
Nothing came up and no subsequent alarms have been flagged up.
However, I'm not confident that this problem has been eradicated.
Can someone have a look at the attached logs and feedback please?
What should I do next?
Any comment on the "removed" vs "allowed"?
Thanks

TimW · Nov 7, 2011

While I look at your logs, please go here and run the online scan:
eSet Online Scan.

TimW · Nov 7, 2011

Once you finish the eSet scan and attach the log, do this:
* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
C:\Users\Kat\AppData\Local\kxatyujg.log

Folder::
C:\Users\Kat\AppData\Local\{027BAF1E-A72D-40BE-ABD6-C96703DE3677}
C:\Users\Kat\AppData\Local\{3D126BD5-4A39-4311-97AA-466B7D909077}
C:\Users\Kat\AppData\Local\{3F11C692-987F-497E-ADF2-61AB9151D009}
C:\Users\Kat\AppData\Local\{51C3C919-4619-48C9-8D91-7AF9CB0CBE10}
C:\Users\Kat\AppData\Local\{5F9B05AB-8FE0-46CE-9B11-98F5D437C345}
C:\Users\Kat\AppData\Local\{6CAF26B0-47B5-4BB8-A72D-6C1BEEC486D9}
C:\Users\Kat\AppData\Local\{714C04D9-7402-4DC7-B2E3-BD99E253C6B2}
C:\Users\Kat\AppData\Local\{7508575D-D9A1-4106-A8D6-671B4439D76C}
C:\Users\Kat\AppData\Local\{7AB287DE-A1DB-46CD-8D31-88E929D9DAEF}
C:\Users\Kat\AppData\Local\{A055A806-F2A5-4419-BF60-B6FBDE69D62C}
C:\Users\Kat\AppData\Local\{A2B842D1-253D-4CA8-B12F-2ECED14E8F27}
C:\Users\Kat\AppData\Local\{B5DE1B29-BDAB-4523-B3AE-380861D043AF}
C:\Users\Kat\AppData\Local\{CE4B6717-3BE3-4970-8833-9FFB7F5E8415}
C:\Users\Kat\AppData\Local\{D90AB340-4C23-406E-A9F0-5CBF5C5E32A1}
C:\Users\Kat\AppData\Local\{EB53E83D-8253-4D43-9EFC-4D6670D08BA1}
C:\Users\Kat\AppData\Local\{ECA9280C-C89D-4DC0-B693-4B73562CD066}
C:\Users\Kat\AppData\Local\{FB3F5535-1727-4C72-A2AB-15B70A2568C0}

FireFox::
FF - ProfilePath - c:\users\Kat\AppData\Roaming\Mozilla\Firefox\Profiles\vfh5fkd1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2117678&q=
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Note: If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:

C:\MGlogs.zip

Make sure you tell me how things are working now!

manuka · Nov 7, 2011

Thanks very much
I ran ESET and exported file to txt file and saved to desktop.
However, I can't now find it!
It found 3 items one of which was MGlogs
Other two were variant of Java trojan plus another that I can't remember name.

TimW · Nov 7, 2011

Doesn't sound as though it found any remnants of Ramnit. Go ahead and do my fix and you should be good to go.

manuka · Nov 7, 2011

Attached are combofix and MG logs

TimW · Nov 7, 2011

What malware issues are you still having, if any?

manuka · Nov 7, 2011

There doesn't appear to be any issues since Saturday. During a period from 13:00 to 23:00 I appeared to be getting attacked by a variety of Ramnit variants. Log in MSE showed most had been deleted as I pressed "clean computer" but some were marked as "allowed" in the log. I didn't know what this meant and presumed that Ramnit had got into the system. Reading online seemed to suggest it was not possible for a novice like me to get rid of it (presuming it had got in in the first place). Initially, I did a system restore (novice) and then did multiple scans with MWBytes and MSE. No flags since then. However, I began to read about Ramnit and got worried that my computer was compromised. For a novice, terms like backdoor are pretty scary and I was presuming that I could not be sure my m/c was safe for stuff like online banking etc. Although I've probably been worrying unnecessarily I was taking this seriously as I hope you appreciate. In anticipation that I'd have to reformat drive I moved some files to USB stick/remote hard drive. I've repeatedly scanned these with MSE/MWBytes and nothing has come up. Thanks for your help with this. I greatly appreciate it! I take it I restore all the bits I undid (user a/c settings) etc now? Again, many many thanks.

TimW · Nov 7, 2011

You are most welcome. You got to the infection in the nick of time. Your system is clean.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /uninstall

Notes: The space between the combofix" and the /uninstall, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 7 of the READ ME
for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

MajorGeeks on FaceBook

manuka · Nov 7, 2011

All done. I'm extremely grateful for your help.
Best wishes.

TimW · Nov 8, 2011

Thank you. Safe surfing.

Log in or Sign up

ramnit infection?

manuka Private E-2

Attached Files:

mbam-log-2011-11-07 (17-14-51).txt

MGlogs.zip

ComboFix.txt

SUPERAntiSpyware Scan Log - 11-07-2011 - 16-58-58.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Log in or Sign up

ramnit infection?

manuka Private E-2

Attached Files:

mbam-log-2011-11-07 (17-14-51).txt

MGlogs.zip

ComboFix.txt

SUPERAntiSpyware Scan Log - 11-07-2011 - 16-58-58.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

manuka Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Useful Searches