-
March 21st, 2011, 05:04 PM
#1
Member
Got infected by win32.ramnit.N
Hi,
Last weekend, my AV program just started showing that it found virus win32.ramnit.N and deleted it. Then I did the complete scan of the system and for almost every file it is giving the same message.
Besides this MS word started opening several instances automatically with message that 'Normal.dot' is changed.
I'm using McAfee AV as provided by my ISP and my machine is win XP SP3.
Any idea how to clean my system?
Thanks
Darknite
The more one comes to know a man the more one admires a dog.
-
March 21st, 2011, 05:59 PM
#2
I would suggest starting off with the kaspersky rescue cd: http://support.kaspersky.com/viruses/rescuedisk -- This is a bootable Linux ISO. It will take you into a graphical environment, where you can run updates, and then launch a virus scan. This will be more effective than running one inside of Windows.
After the scan has finished, I would recommend downloading Malwarebytes AntiMalware - http://malwarebytes.org - Update and run, then reboot to safemode, and run it again. Optionally, you can run Ccleaner to clean up your temp folders, and other locations that malware likes to hide.
You should also probably run a few other removal tools, as different ones have better success rates depending on the malicious software you are trying to remove. Some other free ones include:
Spybot Search and Destroy
Combofix
Adaware
etc.
Just make sure that you download them from a good location, such as download.com... It might be advisable to download the installation files from a clean computer. If you move them over to the infected computer with a thumbdrive, I would suggest creating a folder on the drive called autorun.inf, and set it to be read only. That will sometimes stop the drive from becoming infected.
You might also want to disable system restore...
I am sure that you will get a dozen other replies to this thread suggesting different things. It is really up to personal preference in the end, but these are usually the steps I take on an infected system.
Good luck!
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
March 22nd, 2011, 04:23 AM
#3
Originally Posted by westin
I would suggest starting off with the kaspersky rescue cd: http://support.kaspersky.com/viruses/rescuedisk -- This is a bootable Linux ISO. It will take you into a graphical environment, where you can run updates, and then launch a virus scan. This will be more effective than running one inside of Windows.
Running a live disk just to launch antiviral software is a waste of time. If you actually need a live disk then you'll end up reinstalling anyway.
After the scan has finished, I would recommend downloading Malwarebytes AntiMalware - http://malwarebytes.org - Update and run, then reboot to safemode, and run it again. Optionally, you can run Ccleaner to clean up your temp folders, and other locations that malware likes to hide.
Multiple software just to do the same job twice? Even if one did a better job than another... it's just a prime example of failure and inefficiency.
Reinstall then setup a group policy.
-
March 22nd, 2011, 02:32 PM
#4
Reinstall then setup a group policy.
This is valid advice. A full reinstall is the only way to be sure that the infection is completely gone. I use GPOs to curb malware as well. Depending on the environment, I use whitelisting of executables, or software restriction policies [SRPs] to prevent software from running out of the temp folders. You can also lock the system down so that it only runs applications that are installed in the 'Program Files' directory. That, combined with a non-admin user, will help quite a bit when it comes to avoiding infection.
spec - What other policies do you suggest?
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
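As an added example (not from this thread or its posters) of the temp-folder software restriction policy westin describes: the script below writes SRP path rules straight into the local policy registry keys that the SRP snap-in uses, as I understand that layout. It assumes Windows XP SP3-era SRP, an elevated console, and keeps the default level at Unrestricted so only the listed folders are blocked and nothing legitimate is locked out.

```powershell
# Added example: block execution from temp folders with SRP path rules.
# Assumptions: XP-era SRP registry layout under Safer\CodeIdentifiers,
# run from an administrator console, default level left Unrestricted.

$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$unrestricted = 0x40000   # SRP security level "Unrestricted"
$disallowed   = 0         # SRP security level "Disallowed"

# Create the policy root if no SRP has ever been defined on this machine.
if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }

# Default stays Unrestricted; TransparentEnabled = 1 enforces rules on all
# executables except DLLs; PolicyScope = 0 applies to local admins as well.
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value $unrestricted -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0             -Type DWord

# XP locations that browser- or mail-dropped malware typically runs from.
$blockedPaths = @(
    '%USERPROFILE%\Local Settings\Temp',
    '%USERPROFILE%\Local Settings\Temporary Internet Files',
    '%WINDIR%\Temp'
)

foreach ($path in $blockedPaths) {
    # Each path rule lives under <level>\Paths\{GUID}; the GUID is arbitrary.
    $ruleKey = Join-Path $safer ("$disallowed\Paths\{" + [guid]::NewGuid().ToString() + "}")
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0     -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value 'Block execution from temp folder' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::Now.ToFileTime()) -PropertyType QWord -Force | Out-Null
}

# Quick check: list the Disallowed path rules now in place.
Get-ChildItem "$safer\$disallowed\Paths" |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

The rules take effect at the next logon or policy refresh; copy a harmless executable into one of the listed folders and confirm it is refused before relying on the policy.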
-
March 23rd, 2011, 11:16 AM
#5
This is a messy one, as there are a number of varietals and it is probably still evolving.
http://www.spywarepoint.com/win32-ra...-t62407p5.html
I would say that the simplest solution is to backup what you can (copy the entire HDD if you want) then wipe the drive and reinstall.
If you are going to try to clean it, you must get rid of restore points or at least allow them to be scanned & cleaned (their default is read only).
Because this malware seems to infect executables it is likely that you won't be able to clean everything, so you will lose files and fetch up with an unusable and/or dysfunctional system because of stuff that was deleted or quarantined.
Running a live disk just to launch antiviral software is a waste of time. If you actually need a live disk then you'll end up reinstalling anyway.
Not entirely, using a live disk or slaving the drive will let you get rid of stuff that defends itself. On the other hand some malware would need to be dealt with from within Windows, as it needs to run to be detected?
Multiple software just to do the same job twice? Even if one did a better job than another... its just a prime example of failure and inefficiency.
Anti-malware is always behind the pace, particularly signature or pattern based ones. It isn't failure or inefficiency, it's the way things work (or not). Given well obfuscated versions or new malware the best AV/AM will only score around 40% detection.
Optionally, you can run Ccleaner to clean up your temp folders, and other locations that malware likes to hide
I generally do that and defragment in SAFE MODE first. No point in scanning rubbish, and scans run faster if the pattern files and targets are defragmented.
As you are running XP you might take a look at Online Armor by Tall Emu, and use FF with the NoScript plugin.
SpyBot S&D and Ad-Aware have interactive modules that may provide some additional protection, albeit with possible performance issues on low end machines. They work just fine on a 1.6GHz single core with 1GB of 266MHz DDR.
All the good stuff about Policies and restricted user accounts as well.
You might also consider using a browser sandbox like Sandboxie or Fortres Grand.
If you reinstall stuff from backups, be sure to scan it first, and I would certainly use more than one application. I use Malwarebytes, Spybot, Ad-Aware and Avira AV. Remember, if you get any hits at all, your backup is probably compromised.
-
March 23rd, 2011, 07:03 PM
#6
Don't forget TDSSkiller:
http://support.kaspersky.com/faq/?qid=208283363
Just clean it up with the apps Westin and Nihil suggested. Be aware badly infected machines have often been hit by rootkits, which act to reinfect a machine. Then when you get it cleaned up, run...
sfc /scannow
...from a shell to replace any corrupted system files w/ an XP cd in the computer.
Reinstalling Windows is such a pain...
“Everybody is ignorant, only on different subjects.” — Will Rogers