
Ramnit, VBS ExeDropper and Win32.Starter-BH


  • This topic is locked

#1
Jan1959

    Member

  • 255 posts
Hi Guys,
Hope someone can help me with this? - I know that Ramnit is a nasty one...
I have got Ramnit, VBS ExeDropper, Win32.Starter BH and probably many more on my Windows XP desktop. Avast picked up this problem but is now saying that the virus vault is full at 1311 files and there are over 3000 files infected. MalwareBytes Anti-Malware has picked up 4 files but wants me to reboot the PC.
I can no longer connect to the internet on it and Avast virus vault screen is now faulting.
Do I have to try to take my computer back to factory settings or is there a chance of saving it?
There are many cherished photos on it so I would really appreciate any help

#2
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Hi

Ramnit is a very nasty infection, it can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. It may corrupt and damage some files beyond repair.

It also attempts to open a backdoor into your PC which could allow hackers to remotely control your computer and steal critical system information including passwords.
I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. Also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
More Information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

This infection can possibly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, otherwise I'll continue with instructions for cleaning.

Firstly how do you know it is Ramnit?

#3
Jan1959

    Member

  • Topic Starter
  • 255 posts
Hi,
I think that it is Ramnit because that was one of the names of the captured files in the Avast virus vault.

As soon as I realised what was happening, I had pulled the broadband cable out so my PC is not currently connected to the internet. I have also checked with my banks and there is no unusual activity so far but I will follow your recommendations if you feel it is necessary. I have also got Trusteer Rapport on all passworded sites - I don't know if that helps?

The PC is a Dell and it's about 6 years old now and I don't think that I have still got the windows disk that came with it.
What would you do? I'm really not sure....

#4
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
We can have a go at cleaning it if you like, but it's a little complicated.

Read through these instructions completely two or three times so you know exactly what you're doing

Please print out these instructions

» Step 1 «
On a clean machine, download Malwarebytes' Anti-Malware from Here or Here and save to a flash/USB disk

» Step 2 «
Please click here to download AVP Tool by Kaspersky and save to your USB disk

» Step 3 «
On a clean machine, download Avira Rescue CD from here. Follow the instructions here, to burn a bootable CD.

» Step 4 «
Insert Avira, and boot and run in the infected machine; again, follow the instructions from here. I suggest you print out the instructions from the Avira forum.

Once that's done, reboot your system normally, if you can (let me know if you can't before doing anything else)

» Step 5 «
Insert your flash disk into the infected machine and double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

» Step 6 «
  • Copy the AVP we downloaded in step 2 to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the Licence agreement and click on Next.
  • It will by default install it to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

      • Hidden Startup Objects
      • System Memory
      • Disk Boot Sectors
      • My Computer
      • Also any other drives (removable ones that you may have)

Leave the rest of the settings as they appear by default.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus\malware in the report. It will be at the very top under Detected; post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



#5
Jan1959

    Member

  • Topic Starter
  • 255 posts
I have tried rebooting to the Avira Rescue disk but it won't load. I have tried booting it from the BIOS but I just keep getting the message 'selected boot device not available'. The boot order in the BIOS settings won't change, i.e. won't move up to No. 1 place. I have an external CD drive as well but it won't work on that either. Should I try to use a memory stick or an external hard drive instead?

Edited by Jan1959, 20 June 2011 - 02:22 PM.


#6
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts

I have tried rebooting to the Avira Rescue disk but it won't load. I have tried booting it from the Bios but I just keep getting the message 'selected boot device not available'. I have an external CD drive as well but it won't work on that either. Should I try to use a memory stick or an external hard drive instead?

You can try from a USB - http://forum.avira.c...&threadID=94935

#7
Jan1959

    Member

  • Topic Starter
  • 255 posts
Still not working from USB, can't change the order of boot. I tried it twice in safe mode but I just get the blue screen with an error code of 0x000007B.
Any other suggestions?

#8
Jan1959

    Member

  • Topic Starter
  • 255 posts
Hi,
I have been reading up on Ramnit and I think that I will just say goodbye to my PC as I can't even change the BIOS settings. We've had a few viruses over the years and I can't help but wonder if something was lying dormant due to the speed at which Ramnit spread.
Thanks for all your help but I'm going to call it a day and get out my sledgehammer!
Cheers!

#9
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts

Hi,
I have been reading up on Ramnit and I think that I will just say goodbye to my PC as I can't even change the BIOS settings. We've had a few viruses over the years and I can't help but wonder if something was lying dormant due to the speed at which Ramnit spread.
Thanks for all your help but I'm going to call it a day and get out my sledgehammer!
Cheers!

I think that's a wise move, if we can't boot we can't do anything with it

#10
Jan1959

    Member

  • Topic Starter
  • 255 posts
Thanks for trying anyway, I really appreciate all the help you guys give so freely

#11
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts

Thanks for trying anyway, I really appreciate all the help you guys give so freely

You're welcome, I hate it when we fail to deliver

#12
azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.