Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan.dnschanger-codec


  • Please log in to reply

#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,796 posts
  • MVP
I asked about your case in our internal forum and our guru thinks you have a Ramnit infection. He thinks it is incurable.

"Your user has Ramnit onboard - game over. With that infection, there's no telling how deeply it was imbedded, what legit files it may have infected, and what effect/interference it would have during any malware removal process."

I found this on the virus:

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

Understanding virus names
Threat aliases for Win32/Ramnit.A



With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?


Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

From http://www.d-a-l.com...ecting-ads.html

You will see ads claiming to fix Ramnit. They are scams. Don't fall for them.

Check the USB drive you have been using for the presence of a hidden system file called autorun.inf. If you find it delete it then create a folder called autorun.inf in its place. Windows recently turned off the feature that allows autorun.inf to be used to spread viruses so hopefully it hasn't spread to your netbook. Do not open any .exe or .html files from the sick PC.

If you go to the Dell support site you can usually get a set of CDs or DVDs to rebuild your sick PC for the cost of shipping. The info you gave me is for a netbook. Is that the one that works or the sick one? Does the sick PC have a CD/DVD reader/burner or only work with USB drives?

When you reformat make sure you delete the partition information first so that it has to recreate the mbr. That's the only way to insure its not hiding in the mbr. You can do that with some of the mbr tools on the Hiren's boot cd.

That said you might have some luck with the AVG Rescue Disk: http://www.geekstogo...ystem-tutorial/

Ron
  • 0

Advertisements


#32
mullac

mullac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
hi Ron managed to burn a disc loaded it up started to go ok,,,, it states that unable to locate license agreement file ,,,. DLGLICE.TXT1!!! PLEASE MAKE SURE THAT THELICCENSE AGREEMENT FILE IS LOCATED IN THE SAME PATH AS DLGDIAG.EXE.... Mike
  • 0

#33
mullac

mullac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
hi Ron :) :unsure:
firstly thankyou for all of your efforts,absoloutly fantastic support throughout.
the very sick pc has a dvd/burner/reader etc.. + usb's.
netbook appears to be ok,have spotted that when memory stick plugged in a window would pop up with auto run below something else fortunetly didn't click on that :yes: :) :beer:with the scanning software that we've been using is it wise to use on the netbook,it has microsoft security essentials, and has picked up the RAMNIT and removed them everytime the memory stick was plugged in! i did think it odd.

as for the sick pc could i have some help in starting all over again, factory settings and all,i'll get hold of dell and explain situation!!!!
might invest in apple!!you know what they say "apple a day keeps the BUGS AWAY!"

Mike
  • 0

#34
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,796 posts
  • MVP
Will be glad to help. Glad to see that MSSE was on top of Ramnit and kept it from getting on your mini. To fix your USB drive:

Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Also want to install AutoRun Eater v2.5
http://download.cnet...4-10752777.html
It will stay resident and prevent USB drives from infecting your PC.


Send me a PM and we will take this off-line. Rebuilding a PC doesn't really belong in the malware forum.

Ron
  • 1






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP