Another WIn32/Ramnit infection

nunoH · Apr 12, 2011

Hello everybody, I just read a couple of threads on here and you seem like a helpful bunch. Whenever I get infections I usually cope by just reading someone elses thread, but this one seems like it needs more attention.

I just got some kind of browser hijacker earlier today, managed to clean it up with mbam and eset online. In the end I did scans with spybot and mbam and the results shwoed no infections. Just to make sure I did a scan with Avira free edition and all of a sudden it started beeping like crazy with a Ramnit.C infection plus some weird html viruses? Most of these were infected Adobe CS5 files and a whole new directory on my cameras memory card which was plugged in (i deleted the folder straight away and ejected the card).

I am currently in safe mode and started doing another eset online scan, 15mins so far and already one threat, this time not Ramnit.C, but Ramnit.A?!

Any hints on how should I proceed? Should I keep doing eset until its clean? And whats with all the infected files in my Adobe CS5, can Eset fix them?

Thank you in advance!

Edit: 20mins on the first Eset online scan and it found a second threat - 'a variant of Win32/Kryptik.MOD trojan'.

nunoH · Apr 12, 2011

Ok, its currently scanning the Adobe program files folder with 3500 infected files so far. I really hope I can fix that...

chaslang · Apr 13, 2011

Welcome to Major Geeks!

Yes you need to run ESET's Online scans a minimum of 3 times however please take note of the below warning about Ramnit infections.

Ramnit infections have really become quit nasty and dangerous. We could attempt to remove it, and we have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut,.... etc can infect all executable files (DLL, EXE, SCR....and many more and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also when disinfection is attempted, the files often become corrupted and the system may become unstable or irrepairable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.

So all the above being said, and please do take serious note of the warnings, do you really wish to attempt cleaning even though the stability and security of your be cannot be guaranteed? And also note that we could spend a lot of time trying to fix it and still fail due to the number of files that have been infected. What would you like to do?
Click to expand...

nunoH · Apr 13, 2011

Thanks for the quick reply. I am aware of that, but have to give it a go anyway... So far things dont look good. I uninstalled programs with major folders infected (Like all adobe products, ATI drivers and tools). However, the infection has spread faster than expected. Im on my 6th ESET run, and threats found seem to be randomly changing. On 2nd and 4th run things seemed to have gone quiet, however on all other runs at least 2k threats have been found. I am gonna do a couple more runs for the sake of it and then if theres no change to the situation Im gonna head to the pc store to get an external hard drive to try and save some pictures/music/movies (careful not to copy the infection).

EDIT: Log from ESET online added.

chaslang · Apr 14, 2011

nunoH said: ↑

So far things dont look good.
Click to expand...

Correct assesment. A reinstall is highly recommended. Your system has been extremely compromised.

nunoH said: ↑

However, the infection has spread faster than expected. Im on my 6th ESET run, and threats found seem to be randomly changing.
Click to expand...

Yes this is what Ramnit and other PE file infectors do and that is the reason why reinstalls are needed. And in addition, this infection opens up backdoors on your PC which means your security may have been totally compromised.

nunoH said: ↑

I am gonna do a couple more runs for the sake of it and then if theres no change to the situation Im gonna head to the pc store to get an external hard drive to try and save some pictures/music/movies (careful not to copy the infection).
Click to expand...

You must be extremely careful on what is backed up and reused because just 1 bad file could start the whole process over again. Whatever you backup, make sure that you scan that copied files with ESET Online by scanning the external drive. If you put any executable or html type files on the external drive and if you access that drive from this infected PC, you will infect the files.

Log in or Sign up

Another WIn32/Ramnit infection

nunoH Private E-2

nunoH Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

nunoH Private E-2

Attached Files:

log.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Log in or Sign up

Another WIn32/Ramnit infection

nunoH Private E-2

nunoH Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

nunoH Private E-2

Attached Files:

log.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches