Help! I'm infected with 'W32/Ramnit.a'

#1 skinnypig (Member)
Every few seconds I'm getting popups from McAfee telling me it has automatically fixed a file infected with 'W32/Ramnit.a'.
It's a different file every time and many of them are associated with legitimate programs.

Is this serious? What should I do?

Thanks in advance

#2 RKinner (Malware Expert, MVP)
Very serious. Most people have to reformat after a Ramnit infection. As you are seeing, it infects legitimate .exe files (and not only .exe). The core of it is 4 files:
* %PROGRAMFILES%\Microsoft\DesktopLayer.exe
* C:\Documents and Settings\ADMINI~1SrvSrv.exe
* %PROGRAMFILES%\Microsoft\DesktopLayerSrv.exe
* C:\Documents and Settings\ADMINI~1Srv.exe

The top one is started by changing the userinit entry in the registry so it starts when you logon.

Your best bet (if it still works - haven't tried it in a few months) is to have a friend download Avira's Rescue Disk and burn it to a CD. Then you boot the sick PC off it and let Avira scan it and remove the infected files. That way it won't get any worse.

http://dlpro.antivir...m-common-en.iso

Instructions here:
http://www.techmixer...rus-and-malware

It also appears to spread via USB drives, so any USB drive you use should be immunized first on a good computer with Flash_Disinfector:
Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

You might also want to install AutoRun Eater v2.5
http://oldmcdonald.w...orun-eater-v25/

It will stay resident and prevent USB drives from infecting your PC.


Ron

#3 skinnypig (Topic Starter, Member)
Thanks,
Unfortunately I can't get the Avira CD to work. When I boot from the CD it stops with 'loading modules' at 98% and then says something about '/dev/fd0'. I can't scan or update, but I can configure and shut down.

Is there anything I can do to fix this?

Rather stupidly I already used an SD card with this machine that has subsequently been used with another computer :D but I think this card may have been already treated with the Flash Disinfector, as I had quite a bad attack a few months back and subsequently used Flash Disinfector on all my USB sticks, SD cards and external hard drives.
Will this be ok or should I be worried about spreading the infection?

Thanks in advance

#4 RKinner (Malware Expert, MVP)
See if you can get F-Secure's Rescue CD to work. Make sure you make it on a clean PC.

http://www.f-secure....ools/rescue-cd/

You can look at the SD in Explorer if you have made hidden files visible:

If using Windows XP:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.


If using Windows Vista or Windows 7:

* Close all programs so that you are at your desktop.
* Open the Control Panel menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.


[Online tutorial covering both of the above: http://www.bleepingc...utorial62.html]

Then open My Computer and look at the drive the SD is in and if you see Autorun.inf and it is a Folder and not a file then you are OK.

I have one client who appears to have been able to remove it with Avast's boot scan but he had to set the size of the chest to a much bigger size than the default and it removed a ton of files.

Ron
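The two checks Ron describes, the Userinit registry entry from post #2 and the autorun.inf folder-versus-file test from post #4, as an added Python example that is not from the thread or from any of the tools it links. It assumes the stock Userinit value names only userinit.exe and stands in a constructed temporary directory for a real SD card root.

```python
import tempfile
from pathlib import Path

# Assumed stock Userinit value (not stated in the thread). Ramnit's
# DesktopLayer.exe is started by appending its own path to this value.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def suspicious_userinit_entries(userinit_value: str) -> list[str]:
    """Return the entries of a comma-separated Userinit value that are not
    the stock userinit.exe. Any extra entry is what you would hand to a
    malware expert; an empty list means the value looks untouched."""
    entries = [e.strip().strip('"') for e in userinit_value.split(",")]
    return [e for e in entries if e and e.lower() != EXPECTED_USERINIT]


def autorun_inf_status(drive_root: str) -> str:
    """Classify a drive root as post #4 does: a FOLDER named autorun.inf is
    the Flash_Disinfector immunisation (fine), a FILE named autorun.inf is
    what an autorun worm drops (suspect), and nothing at all means the
    drive was never immunised."""
    target = Path(drive_root) / "autorun.inf"
    if target.is_dir():
        return "immunised"
    if target.is_file():
        return "suspect"
    return "not immunised"


def make_constructed_drive(kind: str) -> str:
    """Build a throwaway directory standing in for a USB/SD root so the
    check can be exercised offline (constructed sample data, not a drive).
    kind is 'folder', 'file' or 'none'."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    target = Path(root) / "autorun.inf"
    if kind == "folder":
        target.mkdir()
    elif kind == "file":
        target.write_text("[autorun]\n")  # constructed placeholder content
    return root


if __name__ == "__main__":
    # Constructed Userinit value showing the DesktopLayer.exe path from post #2.
    sample = r"C:\WINDOWS\system32\userinit.exe,%PROGRAMFILES%\Microsoft\DesktopLayer.exe"
    print("extra Userinit entries:", suspicious_userinit_entries(sample))
    for k in ("folder", "file", "none"):
        print(k, "->", autorun_inf_status(make_constructed_drive(k)))
```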

#5 skinnypig (Topic Starter, Member)
I can't see that 'autorun' file :D
and after running Flash Disinfector several times I still can't see it! I've set up the view hidden files exactly as you described and checked that this was working by looking for autorun.inf on a previously treated USB stick (I found it straight away!)

I've run Malwarebytes on both the SD card and one of the other machines that it has since come into contact with and it came up with nothing! Does this mean I'm OK as far as spreading the infection to other machines is concerned?

I've burnt the F-Secure disk and booted up with it, but chickened out from running the scan, as it said it would automatically rename any infected files, and that if any important Windows system files were involved the machine would fail to start up again.

This would not be such a big deal, as I should just be able to re-install Windows if the worst came to the worst, except I can't do this as none of my machines were supplied with Windows discs!

I've found some instructions at http://www.howtohave...setupdisk.shtml about how to make a bootable Windows XP setup disk, which I would like to do prior to risking losing Windows altogether. Is this a sensible precaution or should I just bite the bullet and run the F-Secure scan?

Thanks

#6 RKinner (Malware Expert, MVP)
Any CD you make with the current infected system would surely be infected so no point. The longer you wait with a Ramnit infected system the more files you will lose. If this is an HP, Compaq or Dell it may have the system files stored in a hidden partition. Without knowing the make and model I can't say for sure.

Ron