Win32/RAMNIT.A Anyone? - Page 10


Re: Win32/RAMNIT.A Anyone?

| For God's sake!!!
| This thread is supposed to be Re: Win32/RAMNIT.A
| which I have a nasty dose of & want info / advice.
| I'm having a Hell of a trouble finding that in
| all this O/T chat.

| If you want to have this very interesting & informative discussion Re:
| Computer Servicing start up an OT thread on that.
| @@@@ Mouse (irritable one) @@@

Advice:

Use a surrogate PC to scan the hard disk of the infected computer using a good
anti-virus application such that it will remove the virus from infected files.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Win32/RAMNIT.A Anyone?


That happens a lot, it is often best to just create a new post describing
your problem in detail and your computing environment where relevant.

That is not to say that it isn't advisable for a poster to read the group
before posting, just that a discussion for one person's ramnit.a problem
might not be exactly what is needed for another person's ramnit.a problem.
This file infecting worm can be a bugger.


Going against the grain by being reasonable and expecting it of others won't
get you far here.


Re: Win32/RAMNIT.A Anyone?



On Wed, 25 Aug 2010 22:03:42 -0400, in
@nomail.afraid.org> wrote:


Best bet is to search for answers with Google Groups before posting,
and after posting to separate (the little) wheat from (lots of) chaff.


Sad but true.

--
John

"Usenet is like a herd of performing elephants with diarrhea - massive,
difficult to redirect, awe inspiring, entertaining, and a source of mind
boggling amounts of excrement when you least expect it." --Gene Spafford

Re: Win32/RAMNIT.A Anyone?




| On Wed, 25 Aug 2010 22:03:42 -0400, in
| @nomail.afraid.org> wrote:


| Best bet is to search for answers with Google Groups before posting,
| and after posting to separate (the little) wheat from (lots of) chaff.

Actually - No.

Many searches are poisoned so one can end up downloading more malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?



I've yet to see any case of that.  Proof?

--
John

"Assumption is the mother of all screw ups."
[Wetherns Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?




< snip >


| I've yet to see any case of that.  Proof?

http://www.bluecoat.com/blog/google-image-searches-lead-malware

http://www.infosecurity-magazine.com/blog/2010/6/30/red-button-seo-poisoning-and-malware-campaign/180.aspx

http://www.downloadsquad.com/2010/04/20/gray-powells-unfortunate-legacy-seo-poisoning-and-malware/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?


There's nothing wrong with Google.
These are just the usual malware sites.
You might as well just give up on the Internet.

--
John

"Assumption is the mother of all screw ups."
[Wetherns Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?



John Navas wrote:

If the objective is to compromise my machine,
the internet might as well give up on me.

Re: Win32/RAMNIT.A Anyone?


| There's nothing wrong with Google.
| These are just the usual malware sites.
| You might as well just give up on the Internet.

The point is that through SEO poisoning the infected user won't be able to
"...separate (the little) wheat from (lots of) chaff".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: Win32/RAMNIT.A Anyone?



No such problems here.

"The lad doth protest too much, methinks!"  [with apologies to WS]

--
John

"Assumption is the mother of all screw ups."
[Wetherns Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?



On Thu, 26 Aug 2010 13:49:05 -0700, in


p.s.  "SEO poisoning" doesn't even apply to the kind of Google Groups
search (not Web search) I suggested.

--
John

"Assumption is the mother of all screw ups."
[Wetherns Law of Suspended Judgement]

Re: Win32/RAMNIT.A Anyone?



On 8/26/2010 1:34 PM, David H. Lipman wrote:


The uninfected Win32/RAMNIT.A user will be equally able or unable to do
that.

Re: Win32/RAMNIT.A Anyone?




I haven't checked headers, but that could be exactly how he got here.
Many finding this thread in their web searches and/or usenet archive
searches might be expecting 'web forum' type etiquette instead of
Usenet etiquette.

[...]


Re: Win32/RAMNIT.A Anyone?



Indeed.  Of course, this is what I've always done before posting about such
things.  Unfortunately, I'm often/usually on the frontlines of malware
infestations, so there's often not much to go on when I first see something
I'm not familiar with.

Re: Win32/RAMNIT.A Anyone?

Thanks for protocol advice :)
This group is nowhere near as Bitchy Bad & deranged as alt.windows7.general.
Looks as though I need to make myself liked here as this Rmnet thing looks
like it will take a lot of work.
@@@mouse @@@

Re: Win32/RAMNIT.A Anyone?

On 8/25/2010 2:06 PM, Trimble Bracegirdle wrote:

The short answer is one that you probably don't want to hear, but by now
you've likely already come to the same conclusion. There is no way to
remove it. You will have to reformat and reinstall.

After the re-install, be very careful about plugging in USB keys that
may still be infected.

Re: Win32/RAMNIT.A Anyone?

wrote:


I hardly *never* get viral/trojan crap on my system, but Ramnit.E
somehow snuck into my main home workstation, an XP Pro box... along
with a 0day trojan downloader, and a few friends, a couple nights ago.
A pass of Microsoft Security Essentials and a pass of MalwareBytes,
then another pass of MSE to clean out more detritus, then full scans by
both tools came up clean; after that I ran a couple of standalone (bootCD
based) malware scanners and all came up clean.

AFAIK, the virus came in from a hijacked website that popped up on an
obscure technical Google query. Seconds or a minute later, MSE went off and
started complaining about viral activity. One piece of it added a
javascript exploit to a bunch(!) of .html files in places like
c:\cygwin\usr\share\...

Re: Win32/RAMNIT.A Anyone?

[...]


Funny, I was led to believe it used the recycle bin.


How is it that a folder remains inaccessible to a scanner?


It is better to clean the malware off the computer, then purge the
system restore thingy. The malware can't act against you actively, when
it is not running. Use drive imaging software, system restore be-damned.

Re: Win32/RAMNIT.A Anyone?

On 7/29/2010 3:56 PM, FromTheRafters wrote:

It's entirely possible as they probably have 30 different
variants of the same worm.


It won't allow the removal of the malware because the
folder is read only. It will detect but not clean.


Sometimes the way to remove the malware is to remove the
system restore folders but only after a backup is made of the
entire HD.


I agree. But some malware needs to be running so it can
be detected and fully removed.

John

Re: Win32/RAMNIT.A Anyone?


Yes, it's clear you have some nasty malware running. It looks like lots
of it goes undetected except the noted ramnit.a.


If I understood the sources I've read, this malware modifies executable
files with the effect of making them "droppers". It could be a new worm
has now adopted that function and you are seeing detections of the
modified files but not the program that's modifying them.


You were probably doomed from the get-go to have to flatten and rebuild.
Too many unknowns.
