Hello everyone,
I have just been infected with 'RKIT/Hider.LKI' which from the research I have done seems to be the same as the Ramnit trojan. If this is the case then I fear the worst for my system but hopefully someone out there that can assist in its removal.
Anyway, the first thing to say is that I am using my iPhone to type this post since I cannot currently access the Internet from my infected laptop using either I.E.7 or Firefox - which may be a blessing in disguise since hopefully the Trojan will not have 'dialled home' yet. On the downside it means that I can't post any log files or download any removal tools until my Internet connection is restored. (Although I suppose I could take photos of the laptop screen with my iPhone and post .jpg images of any output).
So...
My laptop is a Dell Inspiron 9300 running XP-Pro SP3
I use Avira and ZoneAlarm - both of which will no longer autorun on system reboot. In fact I can't get ZoneAlarm to run at all.
At the point of infection my computer beeped and immediately powered off (i.e. no normal shutdown). When I rebooted Avira started for a couple of seconds then closed down. I manually restarted Avira but its RealTime Protection feature is off and the message on the status page is 'Your computer is not secure, 2 services are not working correctly'. I can't restart RealTime Protection.
I tried rebooting a second time and Avira started a scanning process. But the main application window wasn't present. The appearance was pretty much just a small progress indicator with the Avira logo. Thinking about it I now wonder if this may have been the virus further infecting my system(?). However a popup did appear in the bottom right hand of the screen reporting that Avira had found a virus and asked what action to take. The message was
A virus or unwanted program 'RKIT/Hider.LKI' was found in file
'C:\Documents and Settings\...\jgtewcwb.sys'.
Access to this file was denied.
Please select further action.
I clicked Remove but the problem still persists.
Nothing exists in the quarantine list and the Report list says 'update failed' and 'no virus or unwanted program found' for the infection date.
I restarted Avira manually and performed a full system scan. Although it reports no viruses were found it detected 4 hidden objects. On previous scans (the last of which was 5-Sep-12) there were none.
The Avguard.log file for the infection date reports that RKIT/Hider.LKI root kit has been detected.
Now for some positives...
I have two mirrored backups of my hard drive (on separate external hard drives connected via USB). One of these drives was connected during the infection and probably remained connected for a few minutes until I remembered and disconnected it. One concern that I have is whether or not this drive may have been infected also.
Ideally I would like to remove the infection from my laptop rather than try to restore these files since:
a) the image is quite old (3 - 4 months).
b) I have never actually tested the restore process
c) I am concerned about the external drive being infected
At this point I have no clue what the real extent to the infection is. Although the Avira system scan reports that it cannot find any malware my system is clearly infected.
My major concerns are whether or not any personal details have been transmitted. I don't save passwords for sensitive sites on my system (bank, PayPal etc) and I haven't tried logging in to any sites since the infection although my eBay and Amazon profiles are always logged in and there is a link to these sites in my quick launch toolbar.
If the worst comes to the worst and I have to restore my system either from the mirror image or restore the O.S. completely, would it be safe to copy the MS Outlook .pst file to retain my emails and also save some excel workbooks that are on my hard drive?
Also, the laptop has a Recovery Partition that will restore the machine to factory settings. Would it be safe to restore the OS from this because I'm not sure if I still have the XP cd?
I am aware that this may be a very deep infection and may prove difficult to remove so I would like to thank in advance anyone who chooses to assist me in this matter.
Thank you (in advance)
Keith