From: David Kaye on 27 Jul 2010 00:51

Sorry about the crosspost to ba.internet, but I know there are malware experts out there.

Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a time removing it. The only tool that detects it consistently is MS Security Essentials, and MSSE keeps counting it and "disinfecting" it.

I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't figure out what's launching it.

I have eliminated one rootkit and subsequent scans show no more rootkits.

This thing has dropped startup payloads into the StartUp folder, into the Run keys, into Prefetch, and it masquerades as everything from random 4-letter clusters to names like "Microsoft Suite", etc.

It also captures the date when Windows was first installed, so I can't reliably search for the thing via date, either.

Whenever MSSE detects a new round of infections (15, 78, all kinds of counts) the infections are in everything from drivers to executables in all kinds of directories.

At the moment I'm running the computer in safe mode with no Internet and MSSE is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I go back into regular mode and get an Internet connection back up it'll start infecting again.

Oh, and I've reset the Winsock stack twice just in case there's a little wedgie in there. Still comes back.

Any help would be most appreciated. You can reach me directly by email. The address is valid.

Thanks.
From: Roy on 27 Jul 2010 00:58

A friend of mine that does virus removal as part of his business swears by MalwareBytes http://www.malwarebytes.org/mbam.php
From: David Kaye on 27 Jul 2010 01:27

Roy <aa4re(a)aa4re.ampr.org> wrote:
>A friend of mine that does virus removal as part of his business swears
>by MalwareBytes

I do this professionally as well. I asked *specifically* for comments from people who have *experience* with this threat. I used MalwareBytes Antimalware several times including the complete disk scan for 2 1/2 hours. It did not detect anything.

Again, I'm interested in hearing only from people who have *experience* with Win32.Ramnit.A

Thank you.
From: David H. Lipman on 27 Jul 2010 06:07

From: "David Kaye" <sfdavidkaye2(a)yahoo.com>

| Sorry about the crosspost to ba.internet, but I know there are malware experts
| out there.
| Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
| time removing it. The only tool that detects it consistently is MS Security
| Essentials, and MSSE keeps counting it and "disinfecting" it.
| I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
| figure out what's launching it.
| I have eliminated one rootkit and subsequent scans show no more rootkits.
| This thing has dropped startup payloads into the StartUp folder, into the Run
| keys, into Prefetch, and it masquerades as everything from random 4-letter
| clusters to names like "Microsoft Suite", etc.
| It also captures the date when Windows was first installed, so I can't
| reliably search for the thing via date, either.
| Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
| the infections are in everything from drivers to executables in all kinds of
| directories.
| At the moment I'm running the computer in safe mode with no Internet and MSSE
| is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
| go back into regular mode and get an Internet connection back up it'll start
| infecting again.
| Oh, and I've reset the Winsock stack twice just in case there's a little
| wedgie in there. Still comes back.
| Any help would be most appreciated. You can reach me directly by email. The
| address is valid.
| Thanks.

What is the fully qualified name and path to the file deemed infected with RAMNIT.A and did you capture a copy of this malware ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
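As an added example that is not part of the thread, the following PowerShell script walks the autostart locations the original post names (the Run/RunOnce keys and the Startup folders) and reports, for each entry, the resolved image path, SHA-256 and Authenticode status, which is the kind of fully qualified path and sample the reply above asks for. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt, and it flags 3- to 5-letter basenames only as a triage heuristic, not a verdict.

```powershell
# Added example, not from the thread. Enumerates the Run/RunOnce keys and
# Startup folders named in the original post and reports what each entry
# points at. Assumes PowerShell 4+ (Get-FileHash) and an elevated prompt.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))

# Pull the image path out of a Run-value command line: "C:\a b\x.exe" /s -> C:\a b\x.exe.
# An unquoted path that itself contains spaces is a known limitation of this split.
function Resolve-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Describe-Entry([string]$source, [string]$name, [string]$path) {
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $hash = $null; $sig = 'missing'
    if ($exists) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    # Short random-looking basenames (the "4-letter clusters" in the post) are a
    # heuristic worth a second look, not a verdict.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($path)
    [pscustomobject]@{
        Source = $source; Name = $name; Path = $path; Exists = $exists
        SHA256 = $hash; Signature = $sig; ShortName = ($base -match '^[A-Za-z]{3,5}$')
    }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($n in $k.GetValueNames()) {
        $results += Describe-Entry $key $n (Resolve-ImagePath $k.GetValue($n))
    }
}
foreach ($dir in $startupDirs) {
    foreach ($f in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        $target = $f.FullName   # a .lnk in the Startup folder is followed to its target
        if ($f.Extension -eq '.lnk') {
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
        }
        $results += Describe-Entry $dir $f.Name $target
    }
}
# Group by signature status so unsigned and missing images sit together for triage.
$results | Sort-Object Signature, ShortName | Format-Table -AutoSize
```

Running this from Safe Mode, or against a suspect drive mounted on a clean machine with the hive paths adjusted, avoids the live malware interfering with the enumeration.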
From: Virus Guy on 27 Jul 2010 08:06
David Kaye wrote:
> Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
> devil of a time removing it.

If at all physically possible, the standard procedure for ensuring that any hard drive is free of malware (trojans, viruses, rootkits, spyware, etc) is to remove the drive and connect it as a slave to a known/good computer that has competent anti-malware software on it. The suspect drive can then be scanned in a way that ensures that any malware on it is not operational and therefore not actively thwarting the scanning and file-quarantine processes in any way.