[Not curable - Ramnit] multi-infection?

Inactive
By adam88
Dec 4, 2012
  1. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  2. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    C:\Documents and Settings\Michael\AppData\Local\Application Data\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Documents and Settings\Michael\AppData\Local\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Documents and Settings\Michael\do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
    C:\Documents and Settings\Michael\Local Settings\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Qoobox\Quarantine\C\Users\Michael\AppData\Roaming\Ivzaqa\yhihi.exe.vir a variant of Win32/Kryptik.APVV trojan
    C:\Users\Michael\AppData\Local\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Users\Michael\do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
    C:\Users\Michael\Local Settings\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\zaladunek\OmniFormat.11.2.rar probably a variant of Win32/Agent.LUOIRVW trojan
    C:\zaladunek\PDFs from do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
    C:\zaladunek\zips\478c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
    C:\zaladunek\zips\560c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
    C:\zaladunek\zips\836c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
    C:\zaladunek\zips\cscteddsaustraliaengineeringv10keygenlnd.zip Win32/Packed.Themida.C trojan
    Operating memory probably a variant of Win32/Ramnit.L virus
  3. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
  4. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    Thanks Broni.

    Could you please advise on the following:

    - I need to backup my data. Any chances of the infection being 'imported' via data blocks (content) to the backup drive/another computer?

    - How to effectively verify whether any portable drives/other PCs that possibly shared data from my infected computer are affected? I am using another PC now, how to (quickly) check whether this piece of equipment is affected (data sharing with infected PC)?

    - Is it possible to identify when and with which particular file(s) the computer was infected?

    Thanks for your help



    -
  5. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    You can backup your data but do NOT back them up to another computer.
    Use external hard drive or USB flash drive to do so.
    Do NOT use them on another computer anymore.

    Format hard drive.
    Reinstall Windows install all updates and security tools (AV, firewall).

    Install Panda USB Vaccine, or BitDefender’s USB Immunizer on your computer to protect it from any infected USB device.

    Now you'll be safe to plugin your backup device and scan it with your AV program.

    If you exchanged any files between this and any computers, all other computers have to be checked.
    Create new topic for each computer.
  6. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    I am using another computer now and it did not show any signs of infection. Which means really nothing, under the circumstances.
    What should be the first step to check the status of this particular PC?
    Thanks
  7. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    You'd have to start new topic and complete all preliminary steps.
  8. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    As described in your first, very general instruction?
    The best effective way to verify (the safety of the contents of) the portable disk where the data is stored?
  9. Broni

    Broni Malware Annihilator Posts: 46,179   +251

  10. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    Thanks.

    Panda (feature not included) and BD )portable HD not detected) cannot process my NFTS portable HD, any alternatives?

    Is it possible to pinpoint which particular file(s)/source was the source, establish the approx. date of infection?

    Thanks.
  11. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    No.

    As far as I know BD supports NTFS drives.
    Are you getting any error message?
     
  12. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    When I am prompted to insert USB device and subsequently connect the external (NFTS) hard drive, it is not recognized by BD.
    Does it take a longer time for BD to recognize (and immune) 1.5TB HD?
  13. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    I'm not sure.
    You may try BD forum.
  14. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    'immunize' :)
  15. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    I assume I can safely (no downloads done before) use my iPod for immediate communication purposes since my computers are now 'suspect' (one for sure), is it safe?
  16. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    iPod should be fine.
  17. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    Thanks
    Re the preliminary checks, since my AV suite seems to be ineffective (this major problem was not detected earlier), can I include Eset online scan in the preliminary check (in addition to MWAB and DDS)?

    Any recommendations re 'effective' (if it exists at all :)) AV program/suite, FW?
    I have Vista32 and W764 machines.
    Thanks
  18. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    I only need DDS and MBAM log to start with.

    There is no perfect security program.
    It's always about the ways you're using your computer.
  19. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    I have started a new topic
    'Is my PC in harm's way'

    Appreciate your word of advice
  20. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    Just one more question
    Are pdf files safe to be retrieved from the infected PC (unlikely to be infected by Ramnit)?
  21. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    There is no guarantee.
    Every single file has to be scanned.
  22. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    Will a single AV (eg Eset) scan suffice?
  23. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    I would start with scanning with your regular updated AV program not online one like Eset.
  24. adam88

    adam88 Newcomer, in training Topic Starter Posts: 68

    Hence the reason for asking for good alternatives since my regular and very up-to-date AV program detected nothing ...
  25. Broni

    Broni Malware Annihilator Posts: 46,179   +251

    This is different.
    You got infected by some active infection which happened due to some of your computing activity.
    Active infection will do whatever needed to hide itself.
    On USB drive you're dealing with inactive files which should be detected by any AV program.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.