
Thread: Got infected by win32.ramnit.N

#1

    Hi,

Last weekend, my AV program suddenly started reporting that it had found the virus win32.ramnit.N and deleted it. Then I did a complete scan of the system, and for almost every file it gives the same message.
Besides this, MS Word started opening several instances automatically with a message that 'Normal.dot' has been changed.
I'm using McAfee AV as provided by my ISP, and my machine is Windows XP SP3.
Any idea how to clean my system?

    Thanks
    Darknite
    The more one comes to know a man the more one admires a dog.

#2 westin (Gonzo District BOFH)
I would suggest starting off with the Kaspersky Rescue CD: http://support.kaspersky.com/viruses/rescuedisk -- This is a bootable Linux ISO. It will take you into a graphical environment, where you can run updates and then launch a virus scan. This will be more effective than running one inside of Windows.

After the scan has finished, I would recommend downloading Malwarebytes Anti-Malware - http://malwarebytes.org - Update and run it, then reboot into Safe Mode and run it again. Optionally, you can run CCleaner to clean up your temp folders and other locations that malware likes to hide in.

    You should also probably run a few other removal tools, as different ones have better success rates depending on the malicious software you are trying to remove. Some other free ones include:

Spybot Search & Destroy
ComboFix
Ad-Aware
etc.

Just make sure that you download them from a good location, such as download.com. It might be advisable to download the installation files on a clean computer. If you move them over to the infected computer with a thumb drive, I would suggest creating a folder on the drive called autorun.inf and setting it to read-only. That will sometimes stop the drive from becoming infected.

    You might also want to disable system restore...

    I am sure that you will get a dozen other replies to this thread suggesting different things. It is really up to personal preference in the end, but these are usually the steps I take on an infected system.

    Good luck!
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

-HST

#3 (Banned)

westin wrote:
    I would suggest starting off with the kaspersky rescue cd: http://support.kaspersky.com/viruses/rescuedisk -- This is a bootable Linux ISO. It will take you into a graphical environment, where you can run updates, and then launch a virus scan. This will be more effective than running one inside of Windows.
Running a live disk just to launch antiviral software is a waste of time. If you actually need a live disk, then you'll end up reinstalling anyway.

westin wrote:
    After the scan has finished, I would recommend downloading Malwarebytes AntiMalware - http://malwarebytes.org - Update and run, then reboot to safemode, and run it again. Optionally, you can run Ccleaner to clean up your temp folders, and other locations that malware likes to hide.
Multiple pieces of software just to do the same job twice? Even if one did a better job than another, it's just a prime example of failure and inefficiency.

Reinstall, then set up a group policy.

#4 westin (Gonzo District BOFH)

Quote:
    Reinstall then setup a group policy.
This is valid advice. A full reinstall is the only way to be sure that the infection is completely gone. I use GPOs to curb malware as well. Depending on the environment, I use whitelisting of executables, or software restriction policies [SRPs] to prevent software from running out of the temp folders. You can also lock the system down so that it only runs applications that are installed in the 'Program Files' directory. That, combined with a non-admin user, will help quite a bit when it comes to avoiding infection.

    spec - What other policies do you suggest?
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

-HST
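The lockdown westin describes (default-deny SRP, only %SystemRoot% and Program Files allowed to run, temp folders explicitly blocked), written out as an added example that is not part of the thread. It is a batch script for XP SP3 that writes the same registry values the Local Security Policy snap-in (secpol.msc, Software Restriction Policies) writes, so it can be scripted onto a freshly reinstalled machine before anyone logs on. The key names and level numbers are the ones SRP uses; the GUIDs are arbitrary rule identifiers I made up (any unique GUID per rule works), and the list of temp locations is my choice, not a recommendation from the post.

```batch
@echo off
REM Added example: software restriction policy via the SRP registry store.
REM Run from an administrator command prompt, then "gpupdate /force" or log off/on.
REM Rule GUIDs below are arbitrary; SRP only needs them to be unique per rule.

set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

REM Default security level 0 = Disallowed: nothing runs unless an
REM Unrestricted rule below matches it. (262144 would be Unrestricted.)
reg add "%SAFER%" /v DefaultLevel /t REG_DWORD /d 0 /f

REM Enforce for all software files (2), not just executables excluding DLLs (1).
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 2 /f

REM Apply to all users (0). Set 1 to exempt local administrators.
reg add "%SAFER%" /v PolicyScope /t REG_DWORD /d 0 /f

REM Designated file types. Same as the XP default list but with LNK removed:
REM with a Disallowed default, leaving LNK in the list blocks every desktop
REM shortcut, which is the usual reason people give up on SRP.
reg add "%SAFER%" /v ExecutableTypes /t REG_MULTI_SZ /d "ADE\0ADP\0BAS\0BAT\0CHM\0CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0MDB\0MDE\0MSC\0MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC" /f

REM Unrestricted (262144) path rules for the Windows and Program Files trees.
REM Registry-path rules (%HKEY_...%) follow a non-default install drive.
REM In a batch file %% is a literal %, so reg.exe receives %HKEY_LOCAL_MACHINE\...%.
set WINRULE=%SAFER%\262144\Paths\{7a1d3c2e-0000-4c5b-8e11-000000000001}
set PFRULE=%SAFER%\262144\Paths\{7a1d3c2e-0000-4c5b-8e11-000000000002}
reg add "%WINRULE%" /v ItemData /t REG_EXPAND_SZ /d "%%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%%" /f
reg add "%WINRULE%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%PFRULE%" /v ItemData /t REG_EXPAND_SZ /d "%%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%%" /f
reg add "%PFRULE%" /v SaferFlags /t REG_DWORD /d 0 /f

REM Explicit Disallowed (0) rules for user-writable drop locations. The more
REM specific path wins in SRP, so these stay blocked even where they sit under
REM the Unrestricted Windows tree (e.g. %WINDIR%\Temp).
set TMPRULE=%SAFER%\0\Paths\{7a1d3c2e-0000-4c5b-8e11-000000000003}
set WTMPRULE=%SAFER%\0\Paths\{7a1d3c2e-0000-4c5b-8e11-000000000004}
set TASKRULE=%SAFER%\0\Paths\{7a1d3c2e-0000-4c5b-8e11-000000000005}
reg add "%TMPRULE%" /v ItemData /t REG_EXPAND_SZ /d "%%USERPROFILE%%\Local Settings\Temp" /f
reg add "%TMPRULE%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%WTMPRULE%" /v ItemData /t REG_EXPAND_SZ /d "%%WINDIR%%\Temp" /f
reg add "%WTMPRULE%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%TASKRULE%" /v ItemData /t REG_EXPAND_SZ /d "%%WINDIR%%\Tasks" /f
reg add "%TASKRULE%" /v SaferFlags /t REG_DWORD /d 0 /f

REM Verify what was written, then apply.
reg query "%SAFER%" /v DefaultLevel
reg query "%SAFER%\262144\Paths" /s
gpupdate /force
```

Test it from a limited user account before relying on it: copy calc.exe to the desktop and to %TEMP% and confirm both are refused with the "restricted by policy" message, while the copy in %SystemRoot%\system32 still runs. SRP path rules are only as strong as the ACLs on the allowed trees, so the non-admin account westin mentions is what stops a user (or malware running as that user) from simply dropping a file into Program Files.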

#5 nihil (Senior Member)
This is a messy one, as there are a number of variants and it is probably still evolving.

    http://www.spywarepoint.com/win32-ra...-t62407p5.html

    I would say that the simplest solution is to backup what you can (copy the entire HDD if you want) then wipe the drive and reinstall.

If you are going to try to clean it, you must get rid of the restore points, or at least allow them to be scanned and cleaned (their default is read-only).

Because this malware seems to infect executables, it is likely that you won't be able to clean everything, so you will lose files and end up with an unusable and/or dysfunctional system because of stuff that was deleted or quarantined.

Quote:
    Running a live disk just to launch antiviral software is a waste of time. If you actually need a live disk then you'll end up reinstalling anyway.
Not entirely: using a live disk or slaving the drive will let you get rid of stuff that defends itself. On the other hand, some malware would need to be dealt with from within Windows, as it needs to run to be detected.

Quote:
    Multiple software just to do the same job twice? Even if one did a better job than another... its just a prime example of failure and inefficiency.
Anti-malware is always behind the pace, particularly signature- or pattern-based products. It isn't failure or inefficiency, it's the way things work (or don't). Given well-obfuscated versions or new malware, the best AV/AM will only score around 40% detection.

Quote:
    Optionally, you can run Ccleaner to clean up your temp folders, and other locations that malware likes to hide
I generally do that and defragment in SAFE MODE first. No point in scanning rubbish, and scans run faster if the pattern files and targets are defragmented.

As you are running XP, you might take a look at Online Armor by Tall Emu, and use Firefox with the NoScript plugin.

Spybot S&D and Ad-Aware have interactive modules that may provide some additional protection, albeit with possible performance issues on low-end machines. They work just fine on a 1.6GHz single core with 1GB of 266MHz DDR.

All the good stuff about policies and restricted user accounts as well.

You might also consider using a browser sandbox like Sandboxie or Fortres Grand.

If you reinstall stuff from backups, be sure to scan it first, and I would certainly use more than one application. I use Malwarebytes, Spybot, Ad-Aware and Avira AV. Remember, if you get any hits at all, your backup is probably compromised.

#6 brokencrow (Dissident 4dm1n)
Don't forget TDSSKiller:

http://support.kaspersky.com/faq/?qid=208283363

Just clean it up with the apps Westin and Nihil suggested. Be aware that badly infected machines have often been hit by rootkits, which act to reinfect a machine. Then, when you get it cleaned up, run...

sfc /scannow

...from a command prompt, with an XP CD in the computer, to replace any corrupted system files.

Reinstalling Windows is such a pain...
    “Everybody is ignorant, only on different subjects.” — Will Rogers
