Inactive RKIT/Hider.LKI infection (Ramnit???)

Status
Not open for further replies.

Keith67

Hello everyone,

I have just been infected with 'RKIT/Hider.LKI' which, from the research I have done, seems to be the same as the Ramnit trojan. If this is the case then I fear the worst for my system, but hopefully there is someone out there who can assist in its removal.

Anyway, the first thing to say is that I am using my iPhone to type this post since I cannot currently access the Internet from my infected laptop using either I.E.7 or Firefox - which may be a blessing in disguise since hopefully the Trojan will not have 'dialled home' yet. On the downside it means that I can't post any log files or download any removal tools until my Internet connection is restored. (Although I suppose I could take photos of the laptop screen with my iPhone and post .jpg images of any output.)

So...
My laptop is a Dell Inspiron 9300 running XP-Pro SP3
I use Avira and ZoneAlarm - both of which will no longer autorun on system reboot. In fact I can't get ZoneAlarm to run at all.
At the point of infection my computer beeped and immediately powered off (i.e. no normal shutdown). When I rebooted, Avira started for a couple of seconds then closed down. I manually restarted Avira but its RealTime Protection feature is off and the message on the status page is 'Your computer is not secure, 2 services are not working correctly'. I can't restart RealTime Protection.

I tried rebooting a second time and Avira started a scanning process, but the main application window wasn't present. The appearance was pretty much just a small progress indicator with the Avira logo. Thinking about it, I now wonder if this may have been the virus further infecting my system(?). However, a popup did appear in the bottom right-hand corner of the screen reporting that Avira had found a virus and asking what action to take. The message was

A virus or unwanted program 'RKIT/Hider.LKI' was found in file
'C:\Documents and Settings\...\jgtewcwb.sys'.
Access to this file was denied.
Please select further action.

I clicked Remove but the problem still persists.

Nothing exists in the quarantine list and the Report list says 'update failed' and 'no virus or unwanted program found' for the infection date.

I restarted Avira manually and performed a full system scan. Although it reports no viruses were found it detected 4 hidden objects. On previous scans (the last of which was 5-Sep-12) there were none.

The Avguard.log file for the infection date reports that RKIT/Hider.LKI root kit has been detected.

Now for some positives...

I have two mirrored backups of my hard drive (on separate external hard drives connected via USB). One of these drives was connected during the infection and probably remained connected for a few minutes until I remembered and disconnected it. One concern that I have is whether or not this drive may have been infected also.

Ideally I would like to remove the infection from my laptop rather than try to restore these files since:
a) the image is quite old (3 - 4 months).
b) I have never actually tested the restore process
c) I am concerned about the external drive being infected

At this point I have no clue what the real extent of the infection is. Although the Avira system scan reports that it cannot find any malware, my system is clearly infected.

My major concern is whether or not any personal details have been transmitted. I don't save passwords for sensitive sites on my system (bank, PayPal etc.) and I haven't tried logging in to any sites since the infection, although my eBay and Amazon profiles are always logged in and there is a link to these sites in my quick launch toolbar.

If the worst comes to the worst and I have to restore my system either from the mirror image or restore the O.S. completely, would it be safe to copy the MS Outlook .pst file to retain my emails and also save some excel workbooks that are on my hard drive?

Also, the laptop has a Recovery Partition that will restore the machine to factory settings. Would it be safe to restore the OS from this because I'm not sure if I still have the XP cd?

I am aware that this may be a very deep infection and may prove difficult to remove so I would like to thank in advance anyone who chooses to assist me in this matter.

Thank you (in advance)

Keith
 
Welcome aboard


Do you have same issues in safe mode with networking?
 
Hello Broni,

First of all let me thank you for picking this up.

Yes - the behaviour is pretty much the same except that in Safe mode with Networking the Intel PROSet/Wireless software reports that 'No supported wireless adapters available to the system'. In Normal mode the wireless adapter is recognised.

However I am able to get an Internet connection using an Ethernet cable connection. This may also work when I reboot in Normal mode but I haven't tried yet.
 
Hi Broni,

Ok...
I tried internet access from Normal mode but this was not possible.
So I have rebooted in Safe mode with Networking and have managed to get the avguard.log for the date of the infection.
My system is running much slower than usual even in Safe mode, but I'm not sure if that is because of Firefox add-ins. At least I should be able to download any diagnostic tools that are required.

9/17/2012,18:41:53 [INFO] Current Engine Version: 8.2.10.162
9/17/2012,18:41:53 [INFO] Current Pattern File: 7.11.43.78
9/18/2012,18:23:49 [DETECTION] Contains recognition pattern of the RKIT/Hider.LKI root kit!
C:\Documents and Settings\Keith\Local Settings\Temp\jgtewcwb.sys
[INFO] User: KCSLAPTOP\KEITH
[INFO] File not transferred to Scanner.
9/18/2012,18:25:36 [INFO] ---------------------------------------------------------
9/18/2012,18:25:36 [INFO] Avira Free Antivirus has been started successfully!
9/18/2012,18:26:15 [INFO] Realtime Protection version: 12.03.00.15, Engine version 8.2.10.162, VDF version: 7.11.43.78
9/18/2012,18:26:16 [INFO] Online services are available.
9/18/2012,18:26:16 [INFO] Realtime Protection was enabled.
9/18/2012,18:26:16 [INFO] On-Access configuration used:
- Files to scan: scan files from local drives
- Files to scan: Use file extension list: . .386 .?HT* .ACM .ADE .ADP .ANI .APK .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DEX .DLL .DLO .DO* .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT* .PPAM .PPS* .PPT* .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SLD? .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XAR .XL* .XML .XXX .ZIP
- Device mode: Scan file on open, scan file on close
- Actions: ask the user
- Scan archive: Disabled
- Heuristic: Enabled
- Win32 file heuristic: Medium detection level
- Logfile report level Default
9/18/2012,18:31:02 [INFO] ---------------------------------------------------------
9/18/2012,18:31:02 [INFO] Avira Free Antivirus has been started successfully!
9/18/2012,18:40:34 [INFO] ---------------------------------------------------------
9/18/2012,18:40:34 [INFO] Avira Free Antivirus has been started successfully!
9/18/2012,18:41:11 [INFO] Realtime Protection version: 12.03.00.15, Engine version 8.2.10.162, VDF version: 7.11.43.78
9/18/2012,18:41:14 [INFO] Online services are available.
9/18/2012,18:41:14 [INFO] Realtime Protection was enabled.
9/18/2012,18:41:14 [INFO] On-Access configuration used:
- Files to scan: scan files from local drives
- Files to scan: Use file extension list: . .386 .?HT* .ACM .ADE .ADP .ANI .APK .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DEX .DLL .DLO .DO* .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT* .PPAM .PPS* .PPT* .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SLD? .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XAR .XL* .XML .XXX .ZIP
- Device mode: Scan file on open, scan file on close
- Actions: ask the user
- Scan archive: Disabled
- Heuristic: Enabled
- Win32 file heuristic: Medium detection level
- Logfile report level Default
9/18/2012,18:42:11 [DETECTION] Contains recognition pattern of the RKIT/Hider.LKI root kit!
C:\Documents and Settings\Keith\Local Settings\Temp\jgtewcwb.sys
[INFO] User: KCSLAPTOP\KEITH
[INFO] File not transferred to Scanner.
9/18/2012,18:51:55 [INFO] ---------------------------------------------------------
9/18/2012,18:51:55 [INFO] Avira Free Antivirus has been started successfully!
9/18/2012,18:51:56 [INFO] ---------------------------------------------------------
9/18/2012,18:51:56 [INFO] Avira Free Antivirus has been started successfully!
9/18/2012,19:04:48 [INFO] ---------------------------------------------------------
9/18/2012,19:04:48 [INFO] Avira Free Antivirus has been started successfully!
9/18/2012,19:05:09 [INFO] Realtime Protection version: 12.03.00.15, Engine version 8.2.10.162, VDF version: 7.11.43.78
9/18/2012,19:05:09 [INFO] Online services are available.
9/18/2012,19:05:09 [INFO] Realtime Protection was enabled.
9/18/2012,19:05:09 [INFO] On-Access configuration used:
- Files to scan: scan files from local drives
- Files to scan: Use file extension list: . .386 .?HT* .ACM .ADE .ADP .ANI .APK .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CPX .CRT .CSH .DEX .DLL .DLO .DO* .DRV .EMF .EML .EXE* .FAS .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .LSP .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDF .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT* .PPAM .PPS* .PPT* .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SIS .SLD? .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMF .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XAR .XL* .XML .XXX .ZIP
- Device mode: Scan file on open, scan file on close
- Actions: ask the user
- Scan archive: Disabled
- Heuristic: Enabled
- Win32 file heuristic: Medium detection level
- Logfile report level Default
9/18/2012,19:07:32 [DETECTION] Contains recognition pattern of the RKIT/Hider.LKI root kit!
C:\Documents and Settings\Keith\Local Settings\Temp\jgtewcwb.sys
[INFO] User: KCSLAPTOP\KEITH
[INFO] File not transferred to Scanner.
9/18/2012,19:12:47 [INFO] ---------------------------------------------------------
9/18/2012,19:12:47 [INFO] Avira Free Antivirus has been started successfully!
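The log above follows Avira's avguard.log layout: a stamped line (`date,time [LEVEL] message`), and for a [DETECTION] entry the file path and `[INFO]` continuation lines underneath it. As an added example, not posted in the thread and not Avira's own tooling, the Python below parses that layout and flags any path detected more than once, which is what a removal that did not take looks like; the embedded excerpt is constructed from the lines above.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the avguard.log layout shown in the thread: a stamped
# "[DETECTION]" line, then the file path and "[INFO]" continuation lines.
SAMPLE_LOG = """\
9/18/2012,18:23:49 [DETECTION] Contains recognition pattern of the RKIT/Hider.LKI root kit!
C:\\Documents and Settings\\Keith\\Local Settings\\Temp\\jgtewcwb.sys
[INFO] User: KCSLAPTOP\\KEITH
[INFO] File not transferred to Scanner.
9/18/2012,18:25:36 [INFO] Avira Free Antivirus has been started successfully!
9/18/2012,18:42:11 [DETECTION] Contains recognition pattern of the RKIT/Hider.LKI root kit!
C:\\Documents and Settings\\Keith\\Local Settings\\Temp\\jgtewcwb.sys
[INFO] User: KCSLAPTOP\\KEITH
[INFO] File not transferred to Scanner.
"""

STAMPED = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}),(\d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")
SIGNATURE = re.compile(r"pattern of the (\S+) ")
Record = Dict[str, Optional[str]]


def parse_detections(log_text: str) -> List[Record]:
    """One record per [DETECTION] block; continuation lines are attached only
    while a detection is open, so "- Files to scan:" config lines are ignored."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in log_text.splitlines():
        m = STAMPED.match(line)
        if m:
            date, time, level, msg = m.groups()
            current = None                      # any stamped line closes the block
            if level == "DETECTION":
                sig = SIGNATURE.search(msg)
                current = {"timestamp": f"{date} {time}", "path": None,
                           "signature": sig.group(1) if sig else None, "user": None}
                records.append(current)
        elif current is not None:
            if line.startswith("[INFO] User: "):
                current["user"] = line[len("[INFO] User: "):]
            elif not line.startswith("[INFO]") and current["path"] is None:
                current["path"] = line.strip()  # first unstamped, non-INFO line is the path
    return records


def repeat_offenders(records: List[Record]) -> Dict[str, int]:
    """Paths flagged more than once: the file keeps coming back instead of being removed."""
    counts: Dict[str, int] = {}
    for r in records:
        if r["path"]:
            counts[r["path"]] = counts.get(r["path"], 0) + 1
    return {p: n for p, n in counts.items() if n > 1}
```

Run against the full log posted above, the same temp-folder driver shows up three times across reboots, which is the signal to stop relying on the on-access "Remove" action and move to an offline scanner.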
 
While in safe mode with networking....

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
Hmmm. It looks like I am being blocked from the eset site...
I'm getting
Firefox can't establish a connection to the server at www.eset.com

Similar in I.E.

I can't access Avira or Microsoft sites either.

Is there a proxy site that I can use?
 
Please click HERE to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button
    • In Scan scope leave pre-checked items as they are and also checkmark My Computer
    • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button, then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.
 
Hi Broni,

Unfortunately I can't access the Kaspersky site either.
I could try and access Kaspersky or Eset via a proxy server,
or download the Eset exe file from the above link
or possibly get a friend to download the Kaspersky Virus Removal Tool and burn it to a CD and then run on my laptop.
The problem I envisage is if the removal tool tries to access the Kaspersky site it will be blocked.

I'm leaning towards trying to download the Eset software from

http://download.eset.com/special/eos/esetsmartinstaller_enu.exe

but I'm not doing anything yet until you give the instruction.
 
...btw, when I say use a proxy I do mean a trustworthy private 'pay' service - if there are any that you may know of.
 
OK. All I'm trying to do is to establish if indeed you're infected with Ramnit which is not curable so I don't want to waste time going through a whole cleaning procedure.

Go ahead and try that Eset thingy.
 
Hello Broni,
My apologies for not getting back for a few days. I have been trying to find an antivirus site that I can actually access.
I cannot download the eset software or access any anti-virus sites (that I know of).
I found some info about Ramnit at:

www.f-secure.com/v-descs/virus_w32_ramnit_n.shtml

but again I cannot access this site from my laptop or run the associated software.

I am resigned to the fact that I must perform a system restore so my questions are really:

  1. Is it possible to take a copy of my outlook .pst file so that I have the latest copy of my emails?
  2. Can I copy excel spreadsheets safely?
  3. Will pictures / videos and .mp3 files be contaminated?
As I said on my first post I have two images (albeit a few months old) of my local hard drive on separate external hard drives.
One of these hard drives was connected at the time of the infection and therefore I must assume it is contaminated, so the restore must be done from the other hard drive. However, I haven't ever attempted this process so I was thinking I could do a restore from the hidden recovery partition first. Would this be safe or is this also likely to be infected?

In terms of backing up my data before a restore I am not sure where to put this since if I use an external drive it will become infected. Will turning autorun to 'Off' prevent reinfection of a clean system from an infected external drive?

thanks,

Keith
 
Please click HERE to download Kaspersky Virus Removal Tool.

  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop (be patient; it may take a while).
  • Accept license agreement and click "Start" button.
  • Click on Settings button
    • In Scan scope leave pre-checked items as they are and also checkmark My Computer
    • In Actions checkmark Select action: (disinfect; delete if disinfection fails) instead of preselected Prompt on detection
  • Click on Automatic Scan tab and then click on Start scanning button.
  • Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  • When the scan is done NO log will be produced.
  • Click on Report button, then on Automatic Scan report tab.
  • Right click anywhere within right pane, click Select All then right click again and click Copy.
  • This will copy the items that it found to the clipboard; you can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.
 