TechSpot

Does RAMNIT infect Dell recovery partition? How to safely back up data files?

Inactive
By KeithD
Nov 18, 2012
  1. My Dell home desktop computer got infected with a virus when (or perhaps before) I finally gave in and clicked "Yes" to a "Windows Command Center" dialogue box. Having done this, it turned UAC to the lowest setting and would no longer run firewall, antivirus (McAfee), Malwarebytes Antimalware, or anything else.

    I lost an entire day trying to find out what was wrong and/or fix it. Eventually managed to get antivirus software to run by booting in Safe Mode. Tried RKILL but it didn't find anything to kill. Malwarebytes found and removed a couple of minor issues, but the system behavior was still poor (e.g. no McAfee in Normal mode). Finally found eset online scanner (suggested by Broni), managed to run it without getting all the accompanying garbage software and toolbars by using Custom installation and unchecking all the extras, and it seemed to work -- finding and removing 3 instances of RAMNIT.AS.GEN as well as 2 instances of Softonic Downloader (may be actually the same company that makes eset which is just plain weird?)

    HOWEVER, further reading about RAMNIT made me realise I probably still have trouble, just cannot find it. Sure enough, McAfee runtime antivirus screening will no longer stay on. Could just be a damaged McAfee (have not found my access details to reinstall it so have not done that), BUT given that it's RAMNIT I am inclined to just give it a clean sweep. I have read about programs like Combofix but I really am not enough of an expert to mess with something like that.

    My Question #1 is: can I save time by using the Dell recovery partition (which may well include purchase software e.g. MS office, as well as McAfee and Dell specific tools), or am I pretty likely hosed with the only sensible option being to try find the recovery DVDs I made right after purchase?

    My Question #2 is: is there a way I can safely save my data without reinfecting myself when I restore it, and if yes, what is the best medium? I have bought a 64 GB USB drive but heard that those drives are easily infected. However, if there is a safe way to use USB it would be a lot easier than purchasing and burning about 15 DVD-ROMs to save my music.

    Thanks and best regards
    Keith

    P.S. I will be only occasionally on-line for the next couple of days, but I am grateful for any assistance provided even if I will not be able to provide thanks as quickly as I would like.
  2. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Welcome aboard

    First...general info about Ramnit. Unfortunately it's not curable.

    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

    ==============================

    Now to answer your questions....

    You can't use recovery partition because the only fool proof way to get rid of Ramnit is to format hard drive.
    Recovery disks won't format the drive either.
    You have to format hard drive using 3rd party utility and then you can use recovery disks to reinstall Windows.

    As for saving data files you can do this but you have to be careful.
    Use USB flash drive which won't be used on any other computer since.
    Reinstall Windows.
    When done with reinstalling, installing AV program etc...
    Install Panda USB Vaccine, or BitDefender’s USB Immunizer on the computer to protect it from any infected USB device.
    Now you're safe to insert USB flash drive and scan it with your AV program.
    When done with scanning and transferring healthy data files, format the USB flash drive and you can use it again.
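
The scan-before-restore step in the post above can be preceded by a read-only inventory of the backup drive. The following is an added example, not part of the original post or any tool named in the thread: it lists what an `autorun.inf` would launch and separates the file types the post names as Ramnit targets (.exe, .dll, .htm/.html) from plain data files. The drive layout and file names in `demo()` are constructed.

```python
import os
import tempfile

# File types the thread lists as Ramnit targets: re-source or scan before use.
INFECTABLE = {".exe", ".dll", ".htm", ".html"}
# autorun.inf keys that name a program for Windows to launch.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the launch commands named in the [autorun] section."""
    commands, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if in_section and sep and (
            key in LAUNCH_KEYS
            or (key.startswith("shell\\") and key.endswith("\\command"))
        ):
            commands.append(value.strip())
    return commands


def triage(root):
    """Sort every file under root into autorun / infectable / data buckets.

    Files are only listed and autorun.inf is only read as text; nothing runs.
    """
    report = {"autorun": [], "infectable": [], "data": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == "autorun.inf":
                with open(path, "r", errors="replace") as fh:
                    report["autorun"].extend(parse_autorun(fh.read()))
            elif os.path.splitext(name)[1].lower() in INFECTABLE:
                report["infectable"].append(rel)
            else:
                report["data"].append(rel)
    return {bucket: sorted(items) for bucket, items in report.items()}


def demo():
    """Build a constructed drive layout in a temp directory and triage it."""
    layout = {
        "autorun.inf": "[autorun]\nopen=xkqzv.exe\nicon=drive.ico\n"
                       "shell\\open\\command=xkqzv.exe\n",
        "xkqzv.exe": "",                      # constructed random-looking name
        "downloads/printer_setup.exe": "",
        "site/index.html": "",
        "music/song.mp3": "",
        "docs/letter.doc": "",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return triage(root)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

Anything in the `autorun` or `infectable` buckets is a candidate for replacement from a clean source; only the `data` bucket is copied back after the antivirus scan.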
  3. KeithD

    KeithD TS Rookie Topic Starter

    Thank you, Broni!

    Annoying about the recovery partition, but I wasn't clever enough to figure out upon purchase that it would have been worthwhile finding a third party utility to make an image of that. I have no idea how much of my OEM software will be included on the recovery DVDs, vs. whether I will have to beg Dell for a copy on separate media and/or repurchase it.

    I would have a few more questions for you:
    1) Am I supposed to vaccinate the brand new USB drive on a different computer using Panda USB Vaccine BEFORE I plug it into the infected computer to save the data?
    2) Even having done that -- when I plug my brand new USB drive into the infected computer, I assume the plugging in will execute software and at least try to infect the USB drive, especially given that my AV software did not stop the infection in the first place, correct? Is there any way to later ensure that the reformatted computer will not then become infected?
    3) Dell comes with McAfee preloaded and included so that is what I was using -- for the new / reformatted computer, would you recommend me to ditch McAfee and get free Avast or something else instead?
    4) Can you recommend a specific 3rd party utility with which to reformat the hard drive? And, if I boot the infected computer from the recovery media, then how should I get that 3rd party utility into use? Can I download it to a 2nd computer, put it onto a USB drive, and then plug the USB drive into the infected computer which has been booted up using recover media?
    5) When I am reloading software onto the newly formatted hard drive -- in order to avoid reinfection -- would it work if I turn off the wireless network adaptor using Windows Control Panel, and get the AV software using a USB stick (different from the data recover USB obviously) and a 2nd computer? Or do I need to get Dell to help me physically remove the WiFi adaptor card from the desktop before doing all of this?
    6) Is there any utility I can download onto a 2nd computer that is able to safely scan my existing stock of USB drives and get rid of Ramnit if it's on those USB drives? Or do I need to just ditch or format all of them? If the latter -- how do I insert and format an infected USB drive without first loading its infection?

    Thanks very much for your help! I will be travelling for the next couple of days so probably unresponsive to messages here until Wednesday, BUT the infected computer is a desktop (no battery), powered off, unplugged from the wall (power) socket, so hopefully RAMNIT authors have not yet figured out how to further their mischief under such conditions :)
  4. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    1. When you're done with reinstallation install Panda on the very same computer. Once installed it won't allow anything to execute from any external source, like USB flash drive. When you plug any USB into it Panda will ask you if you want to vaccinate that USB flash drive.
    2. Look at my answer #1.
    3. Yes.
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    Note for Windows 8 users: Microsoft Security Essentials comes preinstalled and renamed as Windows Defender.
    You can keep it or you have to disable it before installing another AV program. How to...

    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    4. http://www.dban.org/ It'll create bootable CD which will allow you to format hard drive.
    5. Make sure Windows firewall is on and you'll be fine being connected to the net.
    6. You can use any AV program to do it. Install Panda vaccination utility first though.

    Good luck :)
  5. KeithD

    KeithD TS Rookie Topic Starter

    Hi Broni

    Thanks for your reply. I am awaiting my Windows 7 disc from Dell (I called tech support and apparently their own Recovery Disc won't cut the mustard) so it'll be next week before I can fix this, but meanwhile I have 3 more questions:

    (1) since the USB key (still new & in the pack) was purchased in order to copy data off of the infected computer before wiping it, I have to plug it in to the infected computer BEFORE the reinstallation. If I Panda-Vaccinate it on another (hopefully uninfected) computer first, can I then reliably plug it into the infected computer to get the data without also automatically putting the virus into the USB key's autorun? I do realise I need to be very careful about the DATA but that is a separate issue; probably I will scan the USB with multiple tools including ESET, AVAST and MALBYTES and even then I may try to be selective about which data files I actually put back onto my computer.

    (2) It has been suggested to disconnect the infected computer from Internet during reinstallation, but unfortunately the PC has a WiFi card inside with no on-off switch. I can unplug my wireless ROUTER to try to keep the post-reinstallation computer off of the internet until AVAST and Windows firewall are on, but am not sure if that is good enough given that there are other WiFi networks around. Question is: is there an easy way to keep my post-reinstallation computer from automatically trying to connect to neighbors' WiFi networks and then getting infected? Or do I need to open up the case and unplug the WiFi card, at the risk of giving it a static shock and frying the electronics?

    (3) Finally -- do you have any further insights about how the virus could survive a full reinstallation off of the Windows disc (without DBAN)? Reason I ask is, Dell claims to be 100% confident that the reinstall from Windows operating system disc would suffice. I have decided not to take them at their word -- if I have to reinstall anyway I see no downside to using DBAN first -- but if there is anything you can tell me that might help convince Dell that they're being incautious, it might help other Dell users avoid future problems, and/or it might help me to get further support from Dell in case something goes wrong with the reinstall after I refused to fully follow their advice.
  6. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    1. It really doesn't matter since you'll have to scan then format that USB drive anyway.

    2. You'll be fine since a router provides you with hardware firewall.

    3. Dell is surely wrong.
    Infections like Ramnit affect boot sector (MBR).
    If you look at hard drive structure the MBR code section is in the first 446 bytes of sector 0, the next 64 bytes belong to partition table.
    Reinstalling Windows will overwrite partition where Windows is originally installed but it'll NOT overwrite MBR.
    That's why you have to format a whole hard drive.
    There are still some rare (at this moment) cases when the infection may affect computer's BIOS in which case even formatting won't help but it's not your case.
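
The sector 0 layout given in the post above (446 bytes of boot code, then a 64-byte partition table) can be checked directly on a saved copy of the sector. The following is an added example, not part of the original post: it splits a 512-byte sector into those regions and hashes the boot code so it can be compared with a known-good copy. The sample sectors, partition values and helper names are constructed for the demonstration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446      # boot code area, bytes 0..445
ENTRY_LEN = 16           # four partition entries fill bytes 446..509
SIGNATURE = b"\x55\xaa"  # boot signature, bytes 510..511
# One entry: status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Split sector 0 into a boot-code hash, partition entries and signature."""
    if len(sector) < 512:
        raise ValueError("need the full 512-byte sector 0")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        status, ptype, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba,
                               "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "valid_signature": sector[510:512] == SIGNATURE,
        "partitions": partitions,
    }


def boot_code_changed(baseline, current):
    """True when the 446-byte code area differs between two sector copies."""
    return (parse_mbr(baseline)["boot_code_sha256"]
            != parse_mbr(current)["boot_code_sha256"])


def build_sector(boot_code, entries):
    """Assemble a constructed sector 0 for the demo (not read from a disk)."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(4 * ENTRY_LEN, b"\x00") + SIGNATURE)


# Constructed samples: filler bytes stand in for real boot code.
BASELINE = build_sector(b"\x90" * 446, [(0x80, 0x07, 2048, 1000000)])
# Same code area, new partition table: what repartitioning alone changes.
REPARTITIONED = build_sector(b"\x90" * 446, [(0x00, 0x07, 2048, 80000),
                                             (0x80, 0x07, 83968, 900000)])
# Different code area, same table: the case a partition listing cannot show.
MODIFIED_CODE = build_sector(b"\xcc" * 446, [(0x80, 0x07, 2048, 1000000)])

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print("repartitioned differs:", boot_code_changed(BASELINE, REPARTITIONED))
    print("modified code differs:", boot_code_changed(BASELINE, MODIFIED_CODE))
```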
  7. KeithD

    KeithD TS Rookie Topic Starter

    Hi Broni

    your response #3 is very clear and I will pass it on to Dell, hoping that they may listen!

    re your #1, what I think you're saying is that the way to protect the reinstalled computer from the old (possibly infected) data is to vaccinate the reinstalled computer before plugging in any USB, and then to be extremely cautious in accessing that data.

    However, I am not sure I understood your response to #2, so to ensure I got that bit right and also to make sure I have correctly absorbed the total process to follow, here is what I've got:
    1) (optional) vaccinate the new "data" USB drive on an uninfected computer
    2) save data from the infected computer onto the "data" USB drive
    3) buy or format a second "AV" USB drive, vaccinate it, and download AVAST free and maybe MBAM onto it, all using an uninfected computer
    4) format the infected computer using the 3rd party tool you recommended (DBAN I think)
    5) Physically turn off my home wireless router
    6) Reinstall Windows onto the nuked HDD, and reboot / start the system in normal mode.
    7) Turn off the wireless adaptor (soft switch) on the reinstalled computer as soon as I get the opportunity
    8) install USB Vaccine, free AVAST, and MBAM onto the reinstalled windows system, and set all the security settings on high (including Windows Firewall, Vaccinate Computer, making sure the Antivirus is on). Turn on the wireless adaptor and home router if required to update AVAST, but only after having at least enabled Windows firewall. Don't open any internet browser until this is all done..
    9) Turn on the wireless adaptor (soft switch) and home wireless router (physical switch)
    10) Run another scan with eset online just to be (hopefully) sure.
    11) Put the "data" USB key into the reinstalled system, and scan it with AVAST and MBAM. Quarantine any bad files
    12) Restore desired data files onto the reinstalled windows system
    13) either reformat the "data" USB drive for re-use, or (in case I want to keep it as a backup) label it carefully so it will not be used for anything else
    14) Call Dell for help to download and reinstall other software (e.g. Microsoft Office, from www.microsoft.com, using the same activation key as with the original system and hoping Microsoft will recognise that I am still on the same physical computer if I follow Dell's instructions)

    If I get any virus warning or suspicious behavior (except maybe tracking cookies) after any step then I will plan to stop and describe the issue online in this forum.

    Do the above steps make sense, or should I add (or remove) any?

    And, the one bit I still don't get is this: while I don't worry about having a virus on my router, I do worry that as soon as I turn on the reinstalled system (step 6 above), since I will have no antivirus or firewall at that point, isn't there a risk that Windows will on its own go and connect to the internet using the wireless adapter, and then pick up a virus or malware (on the reinstalled computer) before I have had a chance to install antivirus software and turn on the firewall? While I can turn off my own wireless router to stop it from connecting there, I can see at least 5 other wireless networks on the computer I am using right now, and I am not sure how to prevent the newly installed Windows from trying to connect there automatically, short of physically disconnecting the wifi card inside of the computer case ... unless you tell me that Windows just won't do that (=connect on it own) and will be smart enough to refuse any incoming connection requests from those other networks and devices.

    Finally -- you are probably going to shake your head at this -- but there are a couple of .EXE files that I really would like to recover from the infected computer. The most important one of them is a printer driver: My Officejet Pro (copier + scanner + fax + printer) just won't work with the newest version of the driver, but I still happen to have a copy of the setup file for the previous version in my downloads folder -- on the infected computer. I.e. if I dump the driver EXE, then I probably have to buy a new physical printer as well. The other one is an application that has its own data format and that is no longer available, I.e. if I give up that application then I effectively give up access to all of the data. Question is: considering that ESET found only 3 copies of RAMNIT, and that I think I caught the infection pretty early, AND I am pretty sure I will not have run either of those applications in the past 6 months, is there a good hope that if I scan with multiple tools I can keep those EXE files? Or is it probably a lost cause for the printer and the application data..

    Thanks !
  8. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    As for the first part of your reply you understood everything correctly except for one thing.
    You don't have to turn your router off.
    Every router has built-in hardware firewall which will protect you from anyone on the outside placing something on your computer.
    On top of it as soon as you reinstall Windows, Windows firewall will kick in.
    That's all you need for your protection until you install AV program.

    Then, go ahead and save those two .exe files but make sure you scan them well before any use.
  9. KeithD

    KeithD TS Rookie Topic Starter

    Please keep this thread open for a few more days if you don't mind: I've been working late and won't be able to flatten and rebuild until this weekend. Thanks!
  10. Broni

    Broni Malware Annihilator Posts: 46,797   +254

  11. KeithD

    KeithD TS Rookie Topic Starter

    Hi Broni

    I could not get DBAN to run.

    It would not work in autonuke mode. I tried "interactive", where I select to wipe the specific HDD and choose the default options, which are
    DoD short
    Verify last pass
    1 round

    It still does not work.

    It says in each case,"DBAN finished with non fatal errors, check the log for more information" computer is unbootable now. It runs for 2 seconds and gives messages like this:

    Hardware clock operation start Sat Dec 01 20:01:07
    hardware clock operation finish Sat Dec 01 20:01:09)))
    is

    ERROR /dev/sde (process crash)
    ERROR /dev/sdd (process crash)
    ERROR /dev/sdc (process crash)
    ERROR /dev/sdb (process crash)
    ERROR /dev/sda (process crash)

    Sometimes the order of letters is different (sdb sde sdd sdc sda for instance) but otherwise it is always the same.

    It says to Press any key to continue, Then I press a key and got an ad for "BLANCCO OFFERS MORE FOR BUSINESS" / certified data erasure, and could do nothing other than hard power off.

    I reburned a second CD, and that did not help.

    Any suggestions?
     
  12. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    This is malware removal forum so I suggest you start new topic in Windows forum.
  13. KeithD

    KeithD TS Rookie Topic Starter

    I figured out how to launch DBAN. Even though it's a Windows topic, I thought some other people here might find this info helpful, given that DBAN may be a somewhat common last resort tool here for incurable infections, and it took me about 1/2 hour to figure it out.

    To get it to run I actually had to muck about with the hardware, albeit in a very simple way. Based on postings in DBAN help forum, I learned DBAN does not tolerate the presence of a media card reader on a Dell - it's as if it sees another SCSI drive that it cannot deal with.

    Having figured this out, I managed to find the owner's manual online (not delivered as hardcopy), open the computer case, identify which cable on the motherboard connects to the media card reader, and disconnect. Having done that, I reclosed the case, restarted PC, and now DBAN is running (probably it will take all night).

    I mention all this because there is risk of damaging hardware by electrostatic shock, so others may find it helpful to know in advance what they may need to do in order to use DBAN.

    Also, to Broni, since you've been so very helpful thus far I wanted to pass on this small tidbit in case it helps you to help others. And, if you know another 'wipe' tool that is able to run despite presence of media card readers, and that is perhaps also a wee bit faster, then that could be beneficial for some readers (too late for me as I decided to be stubborn and open the case, hoping not to touch anything I shouldn't inside ... So far so good though, as DBAN loaded up and is now 2.65 percent wiped and counting!).
  14. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Thank you for posting back :)
  15. KeithD

    KeithD TS Rookie Topic Starter

    Hi Broni

    I have 2 questions, one about the recovered data and one about making sure the wiped HDD is really wiped.

    1) re data: I scanned the data USB stick on a machine with ESET NOD32 and MBAM. MBAM came up clean, while ESET complained about some password protected files (mainly .Zip, .Pdf, .Doc, .Xls, and similar including, yes, macro-enabled office files) and said that a couple MIME files had not been scanned but were normal. ESET had no other complaints. My assumption is that this means the files on the USB should be safe, except that if I want to access protected ZIP files, I should unzip and then scan before using. For .doc, .xls and similar, I assume I should look for ways to open with macros disabled, save without password, and scan. Am I missing anything?

    2) There is one slightly odd observation upon starting to rebuild, which is that my 1TB HDD is now showing as having a size of only 931GB, ie it seems to be missing what I believe to be about the size of the recovery partition. That partition is not accessible by hitting F8 while booting, so I assume the virus, which had shown up in only 3 files before I wiped, probably did not find some clever way to lurk on the missing 69GB, and this probably just means Dell has done something, perhaps in BIOS, that limits our use of the recovery partition space for anything else. But I thought it worth double checking before I rebuild and use the machine...

    Thanks!
  16. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    1. You're good.

    2. Personally I've never heard of any type of infection affecting recovery partition. The main reason - that partition is locked.
  17. KeithD

    KeithD TS Rookie Topic Starter

    I think I'm all set. Windows is running again, Office is back, and Avast and Windows firewall are running. Thanks again for your help!

    Re: the 931GB, it's a math issue: Dell sells an HDD with what they call 1TB but they actually provide a HDD with 1 trillion bytes. As a GB is actually about 1.073 million bytes, that works out to 931 GB.

    Top things I wish I'd known before starting:
    1) McAfee seems like a poor product. Even now I suspect those 3 RAMNIT files might never have actually been executed, and that something else was making McAfee fail to run, but given RAMNIT's potential payload I wasn't going to take any chances with that one so don't regret wiping even though it cost me many hours.
    2) with Avast it's important to uncheck the tickbox for Google Chrome if you don't want its slow install to happen automatically. It seems designed to make you not notice the box - maybe they get paid per installation?
    3) eset seems pretty clever. It's the only tool that even spotted Ramnit on my system. I'm considering whether to buy their paid version.
    4) DBAN not only requires messing with hardware in some cases, but it's also friggin' slow. Took 18 hours to run. It does the job but requires patience.
    5) Dell does not include a Windows disk but they'll send a new one upon request. It's probably worth requesting one upon receipt of any new PC instead of wasting hours making their useless recovery disks.
    6) Dell can also be quite helpful in reinstallation, thanks to remote connect. This isn't really a virus issue except that anyone who gets a bad virus may need to reinstall. Once I had Windows up, they directed me to reinstall WiFi driver from disk, and then reinstalled everything else for me remotely, in the right order, including a BIOS update, with the latest versions.
    7) last but not least, it really is worth having up to date data backups!
  18. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Good job :)

    Good luck!

