Win32/Ramnit.A, H Help!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vailmij, Mar 31, 2011.

  1. vailmij

    vailmij Private E-2

    Hello all,

    Win32/Ramnit.A and Win32/Ramnit.H are absolutely destroying my computer.

    Starting a few days ago, I began noticing a slowness in my computer, followed by some random error messages from Microsoft Office Word, even though I wasn't even using it. It would keep saying that 'winlogon.doc was unable to be opened and resulted in a serious problems.'

    Within hours, Adobe Acrobat Reader kept trying to reinstall even though I wasn't using it, and I noticed a lot of extra processes running in Task Manager. Most important, I believe, was that there were at least 4 or 5 firefox.exe running, regardless of whether I was actually using Firefox, and a process called winlogon.exe. Also, Ad-Aware kept crashing.

    I understand winlogon.exe is a normally safe process, but I kept receiving error messages about it.

    After doing some research online to try to fix the problem, I decided to install numerous different anti-virus scanners, including: Spybot S&D, Ad-Aware, MalwareBytes, Uniblue, HijackThis, SUPERAntiSpyware, etc. - all of which were unable to detect anything that fixed the problem.

    So, after no luck with that, I decided to delete and re-install Windows yesterday, which seemed to solve the problem for a couple of hours, but it became quite clear the virus was back. Without going to ANY unusual websites on Firefox, I noticed there were 3 firefox.exe running again and Ad-Aware started crashing again.

    Today, the computer struggles to even turn on, let alone try to fix the problem. I found this thread on your website and I am following the steps now (I'm re-installing Windows again first, which will hopefully give me enough time to put the .exe files of the necessary programs on the computer via CD, before the shit hits the fan again.)

    http://forums.majorgeeks.com/showthread.php?t=223776

    I will post my logs when I get them - hopefully soon.

    In the meantime, if you have any advice whatsoever I would REALLY REALLY appreciate it. This virus has consumed a ridiculous amount of my time and I'm starting to worry the virus might win!! Thank you!!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ramnit infections have really become quite nasty and dangerous. We could attempt to remove it, and we have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

    The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut, etc. can infect all executable files (DLL, EXE, SCR, and many more, and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

    In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also, when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt, so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are a major source of system infection.

    So all the above being said, and please do take serious note of the warnings, do you really wish to attempt cleaning even though the stability and security of your PC cannot be guaranteed? And also note that we could spend a lot of time trying to fix it and still fail due to the number of files that have been infected. What would you like to do?
     
  3. vailmij

    vailmij Private E-2

    Thank you for your reply. I've been following the steps from your previous thread, and so far so good.

    After reinstalling Windows this time, all of my scans with MalwareBytes, MGtools, SuperAntiSpyware, ComboFix, and RootRepeal came out clean.

    I have to say though, the only thing that was notably different after reinstalling this time was that I immediately had a disc with ESET NOD32 on it, ready to install. After installing, I then connected to the internet, when ESET began recognizing the Win32/Ramnit.A and H viruses but was able to stop them.

    The first time I reinstalled I did not have any anti-virus program installed immediately, and as soon as I connected to the internet I had the virus program. I hope this will be of some use to whoever else gets the virus in the future: have ESET Anti-Virus ready to install immediately after reinstalling Windows, then follow the steps in the removal of malware provided by this site.

    If I have any more issues I will be sure to respond. Thank you for your help!!
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you did a clean install of Windows, then you must have some files that you had backed up that put it back on your system. ESET is about the only good scanner for these issues. Let me know if you need any other help. ;)
     
