Facebook is a well-known target for pretty much everything these days, so it’s no surprise that a worm called Ramnit, which first appeared in the wild and on social websites back in 2010, has now stolen over 45,000 Facebook passwords. It’s not only Facebook that has been under attack; online banking customers have also been targeted. I’ve seen Ramnit in operation (even with antivirus running in the background) and it is a very destructive piece of malware which, if left on your system, will infect thousands of files and can make your system irreparable. It’s therefore impossible to suggest that one method will work for removal/cleaning of this malware. That said, if you read on I will make some simple suggestions. 🙂
Ramnit was devised* to steal your Facebook login credentials (using a keylogger) and then use the hijacked account to send malicious URLs to your friends and your friends’ friends. Facebook, with its 800m+ members, is an ideal online location for the fast spreading (going viral) of malicious activities. Password-stealing malware/worms/Trojans are nothing new, but given that people use the same password for multiple websites (and upload large amounts of personal and behavioural ‘habit’ data), it’s easy to see why Facebook is such a lucrative target for the malware writers.
The Ramnit malware is part of a ‘malware family’ (most malware is re-engineered on a regular basis, i.e. new malware modules/variants are added to evade detection by antivirus engines; this is also known as obfuscation). Ramnit variants are appearing all the time, which makes detection and cleaning rather more difficult. Ramnit also infects HTML files, steals stored FTP credentials and browser cookies, and opens back doors. Anyone for HTML5?
I suggest you run a full antivirus scan in Safe Mode with Networking, then install Malwarebytes and run a full scan, and remove the unwanted/malicious files that way first. In addition, I would also use HijackThis (Trend Micro), which will create an in-depth text report of any system settings that have been changed. You can then send this data to your antivirus vendor for analysis.
If that isn’t successful (or you notice your system is slow or is still behaving oddly), I’d suggest reinstalling Windows from scratch, as you cannot take the risk that an infected file still remains.
Bootnote: *Ramnit wasn’t specifically devised to attack Facebook users; however, the main attack vector is Facebook, for the reasons mentioned in this post.
Safe surfing, folks!