Win32/RAMNIT.A Anyone? - Page 12

Re: Win32/RAMNIT.A Anyone?

| What I do with this class of virus:
| 1. Turn off System Restore and delete all restore points.
| 2. Note the names and locations of infected files.
| 3. Boot from something like Ultimate Boot CD
|    <http://www.ultimatebootcd.com/>, and delete the infections.
| Turn System Restore back on when disinfected.

John, the first time I have seen you post here :-)

Actually, not a good idea, as if you are dealing with a file-infecting virus then
you will have *numerous* legitimate files being deleted and thus a corrupted OS
that is no longer bootable.

Either you use an anti-virus and "clean" the infected files or wipe and
reinstall/re-image.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?

I was specifically referring to virus files that are _not_ part of
necessary executables.  When necessary parts of the OS are infected,
then I restore them from backup, which I think is preferable to trying
to disinfect them, all too often an imperfect process.

--
John

"Assumption is the mother of all screw-ups."
[Wethern's Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?

| I was specifically referring to virus files that are _not_ part of
| necessary executables.  When necessary parts of the OS are infected,
| then I restore them from backup, which I think is preferable to trying
| to disinfect them, all too often an imperfect process.

You weren't specific John so it needed qualification.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?

I thought "this class of virus" would be specific enough,
but you're right that I should have been clearer,
and I thank you for the clarification.

--
John

"Assumption is the mother of all screw-ups."
[Wethern's Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?

| I thought "this class of virus" would be specific enough,
| but you're right that I should have been clearer,
| and I thank you for the clarification.

Thank you for all the networking information you have provided over the years.

BTW: Your Thawte email cert. expired in January.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?

Yep. Thawte shut down that service.

--
John            FAQ for Wireless Internet: <http://wireless.navas.us>
                FAQ for Wi-Fi:  <http://wireless.navas.us/wiki/Wi-Fi>
           Wi-Fi How To:  <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems:  <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

Re: Win32/RAMNIT.A Anyone?

Just curious, what did you mean by 'this class of virus' and the
infection of possibly needed executables?

...and yes, if you have a good backup you're golden - much more
preferable to replace than to disinfect.


Re: Win32/RAMNIT.A Anyone?

On Mon, 9 Aug 2010 20:39:32 -0400, in

I meant the class of virus that implants its own executable files,
and protects them from most methods of removal.  Sorry for not being
more clear.

--
John

"We have met the enemy and he is us" -Pogo

Re: Win32/RAMNIT.A Anyone?

That's okay. You are correct that self-contained replicator files can be
deleted outright - there is nothing there that needs to be salvaged, but
Ramnit.a actually modifies (infects/trojanizes) preexisting program
files (although not with a replicant).
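
The distinction drawn in the post above (a dropped, self-contained replicator file can be deleted outright, while a pre-existing program file that the infector modified must be restored from a clean copy rather than deleted) expressed as a defender-side triage over a baseline hash manifest. This is an added example, not code from the thread or from any product mentioned in it; the paths, file contents and the build_manifest/triage functions are constructed for illustration.

```python
import hashlib
from typing import Dict, List

# Constructed sample data, not from the thread. BASELINE_CONTENT stands in for a
# clean backup taken before infection; CURRENT_CONTENT is the same paths afterwards:
# app.exe has infector code appended, helper.dll and readme.txt are untouched, and
# one extra executable was dropped alongside them.
BASELINE_CONTENT: Dict[str, bytes] = {
    r"C:\Program Files\App\app.exe": b"MZ clean app binary (constructed)",
    r"C:\Program Files\App\helper.dll": b"MZ clean helper dll (constructed)",
    r"C:\Program Files\App\readme.txt": b"plain text, not executable",
}
CURRENT_CONTENT: Dict[str, bytes] = {
    r"C:\Program Files\App\app.exe": b"MZ clean app binary (constructed)<appended code>",
    r"C:\Program Files\App\helper.dll": b"MZ clean helper dll (constructed)",
    r"C:\Program Files\App\readme.txt": b"plain text, not executable",
    r"C:\Program Files\App\dropped.exe": b"MZ self-contained replicator (constructed)",
}

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> SHA-256 of contents, the shape a backup manifest would have."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}

def triage(baseline: Dict[str, str], current: Dict[str, str],
           flagged: List[str]) -> Dict[str, str]:
    """Decide what to do with each path an AV scan flagged:
    'delete'  - absent from the clean baseline: the virus created it, nothing to salvage
    'restore' - pre-existing file whose hash changed: copy it back from backup, do not delete
    'clean'   - hash matches the baseline: false positive, leave it alone
    'missing' - flagged but no longer on disk (already removed or quarantined)"""
    result = {}
    for path in flagged:
        if path not in current:
            result[path] = "missing"
        elif path not in baseline:
            result[path] = "delete"
        elif current[path] != baseline[path]:
            result[path] = "restore"
        else:
            result[path] = "clean"
    return result

def triage_sample() -> Dict[str, str]:
    """Run the triage over the constructed data, treating every current file
    plus one already-removed path as flagged by the scanner."""
    flagged = sorted(CURRENT_CONTENT) + [r"C:\Program Files\App\gone.exe"]
    return triage(build_manifest(BASELINE_CONTENT), build_manifest(CURRENT_CONTENT), flagged)
```

The same triage works against a real backup manifest as long as it was captured before the infection; a manifest taken afterwards would simply bless the modified files as "clean".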

Re: Win32/RAMNIT.A Anyone?

On Tue, 10 Aug 2010 07:45:46 -0400, in

That depends on the actual problem, what the anti-virus system is or is
not able to remove and disinfect on its own.  According to this report:
<http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
Win32/RAMNIT.A modifies few essential executables.  My own experience
with Microsoft Security Essentials (cf OP) is that only non-essential
files are missed in this case.  Do you have experience to the contrary?

--
John

"Assumption is the mother of all screw-ups."
[Wethern's Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?

| On Tue, 10 Aug 2010 07:45:46 -0400, in

| That depends on the actual problem, what the anti-virus system is or is
| not able to remove and disinfect on its own.  According to this report:
| <http://www.threatexpert.com/report.aspx?md5=074a688443faea25c2589975069de044>
| Win32/RAMNIT.A modifies few essential executables.  My own experience
| with Microsoft Security Essentials (cf OP) is that only non-essential
| files are missed in this case.  Do you have experience to the contrary?

That ThreatExpert report is insufficient.

Go back and read Ant's analysis based upon the Ramnit samples I provided him with.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?

In which of the 184 messages in this thread would those specifics be?

--
John

"Assumption is the mother of all screw-ups."
[Wethern's Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?

| In which of the 184 messages in this thread would those specifics be?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?

Thank you.  That would seem to confirm what I wrote:

   It does NOT infect:-
   1) Files in the windows directory and its subdirectories.

--
John

"Assumption is the mother of all screw-ups."
[Wethern's Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?

No, but I think I understand what you are saying now.


Re: Win32/RAMNIT.A Anyone?

On Tue, 10 Aug 2010 20:44:55 -0400, in

I understood what I was saying in the first post, thank you very much.

--
John

"Never argue with an idiot. He'll drag you down to his level
and then beat you with experience." -Dr. Alan Zimmerman

Re: Win32/RAMNIT.A Anyone?

Oh, that's rich. The old "I knew what I meant".

Unfortunately, some users might consider some non-essential files as
needed files and they don't always have backups of them. Your stated
method does nothing to retain or recover them.


Re: Win32/RAMNIT.A Anyone?

On Wed, 11 Aug 2010 07:13:33 -0400, in

Are you rude by nature, or do you have to work at it?

--
John

"Never argue with an idiot. He'll drag you down to his level
and then beat you with experience." -Dr. Alan Zimmerman

Re: Win32/RAMNIT.A Anyone?

I took the statement "I understood what I was saying in the first post,
thank you very much." as rude and responded in kind.

Good bye.


Re: Win32/RAMNIT.A Anyone?

On Wed, 11 Aug 2010 12:04:27 -0400, in

When you treat someone with discourtesy,
it's a bit disingenuous to complain about some mild pushback.

Good bye to you too.

--
John

"Never argue with an idiot. He'll drag you down to his level
and then beat you with experience." -Dr. Alan Zimmerman