ramnit removal without reinstalling?

I found that thousands of my system files across four hard drives (4.5 TB worth) are all infected with win32/ramnit.a, according to Malwarebytes and Avira.  I tried to quarantine just my C: drive, but the virus came back, and it also resulted in ruining most of my installed programs.  Reinstalling Windows would be simple enough, but is there any way to remove the virus without having to reinstall all my games?  As I have 3 TB of those, which would be a huge, huge headache to reinstall.  Since I don't use the machine for internet, I'm considering just leaving the system in its infected state - I wasn't aware I even had a virus until an application refused to run with an odd error message, which I googled, and found that ramnit was the cause.


  • Root Admin

We can try to clean up the system and see.   Just as a side note - you really should be backing up your data to an external drive and once backups are done the drive should be disconnected so that in the case of an infection that backup does not get infected either.   Then never connect the drive back if you suspect the computer is infected until the computer is declared clean again.
 
This will take a LONG time to run especially if you have that much data.  You may need to prepare for it to run over 24 hours with that much data.  Once this scan starts you cannot use the computer for anything else.  You will want Dr Web to CURE everything it finds in your case and just deal with any false positives it may find.
 

Here is a good write-up of the trouble with this infection and why it's difficult to remove or fix for good.
MS Security Essentials detected Virus:Win32/Ramnit.AF
 
 
 
 


  • Please download Dr.Web CureIt! antivirus and save it to your computer. The file size is in excess of 100MB
  • NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
  • Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
  • Shutdown your antivirus to avoid any conflicts while scanning.
  • Once the scans have completed please re-enable your antivirus.
  • If using Malwarebytes Anti-Malware PRO you can right click over the tray icon and disable the Protection Modules
  • If needed you can also temporarily disable it from starting with Windows
  • Temporarily turn off any other security add-ons or applications you may also have.
  • Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
  • If it does not have a Digital Signature then do not run it.
  • Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
  • You should have your User Account Control (UAC) enabled for improved security, which should then produce a dialog box asking for approval to run the installer.
  • Click on the Yes button to start the installer.
  • Click OK to scan your computer in the Enhanced Protection Mode.
  • Click on the check box to agree to participate in their software improvement program.
  • Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
  • Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
  • Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
  • Then click on the Start scanning button.
  • If a threat is found you can click on the Action column in the program.
  • Your options will be Cure or Ignore.
  • If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
  • Then click on the Neutralize button.
  • Once completed click on the green Open Report link. It will open the report in NOTEPAD
  • Save the report to your desktop. The report will be called Cureit.log
  • Close Dr.Web Cureit!
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, attach the log Cureit.log you saved previously in your next reply.
  • Re-Enable your antivirus and other security programs when all done.
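The "verify it has a Digital Signature" step above can be done from PowerShell instead of the Properties dialog. This is an added example, not part of the original post or a Dr.Web tool; it assumes the installer was saved as drweb-cureit.exe in the Downloads folder and that the vendor name to look for in the signer certificate is "Doctor Web" (adjust both if they differ).

```powershell
# Added example (not from the original post): check the Authenticode
# signature of the downloaded Dr.Web CureIt! installer before running it.
# The path and the expected signer name are assumptions; adjust as needed.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner = 'Doctor Web'   # assumed vendor name
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid'        = signed and the certificate chain is trusted.
    # 'NotSigned'    = no signature at all (the post says: do not run it).
    # 'HashMismatch' = signed, but the file was changed after signing;
    #   a file infector such as Ramnit patching the .exe produces this.
    $subject = ''
    $thumb   = ''
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $thumb   = $sig.SignerCertificate.Thumbprint
    }
    $signatureOk = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Signer      = $subject
        Thumbprint  = $thumb
        SignatureOk = $signatureOk
    }
}

$result = Test-InstallerSignature -Path (Join-Path $env:USERPROFILE 'Downloads\drweb-cureit.exe')
$result | Format-List

if (-not $result.SignatureOk) {
    Write-Warning 'Signature missing, broken, or from an unexpected signer: do not run this file.'
}
```

Because Ramnit modifies executables on disk, a HashMismatch on a file that was valid when downloaded is itself a sign the machine is still infecting files.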

I'm just neutralizing everything now (it took about 14 hours); however, with many of the files, I don't get an option to cure, only move.  I think because they're application DLLs - I don't think I'll have the same problem with game DLLs - is this normal, to not be able to cure a lot of files?


  • Root Admin

Yes, that is normal.  And again you will need to be very careful as it only takes 1 file to be missed for it to take off and do the same thing all over again.

 

When done we'll need to run some other tools as well so don't go plugging USB sticks in or sharing anything with any other computer.  At best you're certainly going to lose a lot of programs and data that cannot be fixed period.



It's spread to my laptop as well, however every file has been cured, moved or deleted - what should I do on that one?  My desktop is still going through fixing 60,000 infections.


Also, I found out why I was getting move errors: I ran out of space on C:, so it seems I'm going to have to start the scan all over again.  However, there's another problem - when the laptop finished scanning and cleaning, I didn't get the option to open up the log. Is it stored somewhere automatically, or something like that?


  • Root Admin

Okay here is what I would probably try if I were in your shoes. There is no good way to get all of it back - you're going to lose some stuff period.

I'd take and format the drive on the laptop and reinstall Windows (all clean media, no contact with any of the infected data). Then I'd install Oracle VM VirtualBox and then install Windows 7 as a new virtual system on it. Then install Kaspersky antivirus on that virtual Windows 7 install. Then update ALL the security updates for Windows on it.

Then run a Disk check on the virtual drive and defrag it both inside the VM and outside the VM. Then install Malwarebytes, either the Trial or a paid PRO version, and get all the updates and working with Kaspersky. Then take a SnapShot of that VM, so that in case something goes wrong you can go right back to that SnapShot and put the computer 100% back the way it was.

Make sure the laptop OS is also fully updated and running Kaspersky and Malwarebytes as you don't want that external drive to hook up and then attack the laptop while you're trying to hook up to the virtual computer.

Then, and only then, hook up this other big drive and set it so that the virtual Windows 7 system can see this drive, and let Kaspersky do a FULL System Scan on the drive including zip and other archives. Set it to cure anything it finds.

Then, assuming all went well and it completed and was able to scan the external drive and fix stuff, I'd disconnect the external drive, uninstall Kaspersky, and install another antivirus program such as Norton antivirus or BitDefender antivirus and get it updated and working with Malwarebytes as well. Then again connect the drive and do another FULL system scan on that drive and have it too cure anything it finds.

Any USB sticks you have or have used lately you should clean with that Virtual system as well or format them. Again, this is a nasty deal and only takes 1 file to be missed and it can infect the entire system all over again.

Then once you're reasonably certain that the drive is now clean you need to go through and find program files that no longer work and replace them with new good versions or delete them. I've been through a Virut infection myself before on a network, and out of about 1TB of data I lost about 40GB of files that simply could not be cleaned properly.

When all is said and done, then you need to make sure you have methods to prevent this from happening again, as well as good, solid, trusted backups of all your important data. Myself, I don't worry about any games or programs as I have the CD/DVD installers for all of those if I need to reinstall them. What you need to ensure is backed up is Music, Videos, Pictures, Documents, etc... that cannot be replaced if lost or damaged. With a good backup of your data, this type of an infection would only be an annoyance rather than the heartache it currently is. One could format the drive and then restore the data and be back up and going probably the same day.


Just a question: if I were to reformat my C: drive, no other drives plugged in, antivirus and malware protection running, then plug the other infected drives in... will the antivirus stop ramnit from spreading to C:?  Because I thought I could just do that, and delete anything on the other drives that comes up with a detection, keeping in mind that Avira seems to block access to executing any file infected with ramnit.  (I have clean backups of everything; I'm just trying to think of a way to keep my game installations unless they become infected.)  If this method would stop a fresh Windows install from becoming infected again, I'd prefer to do it like that, and keep my essential data on a non-infected machine.


  • Root Admin

In general yes it "should" but as you can see you're already in this situation because something let it in.

With a virtual setup it's very easy to go back to a previous snapshot no matter what happens to the box, which is why I recommended it.

You're certainly welcome to try any method you want, as none of them can guarantee success. In my opinion Kaspersky is ahead of the game compared to other antivirus programs when it comes to actually cleaning an infected file. It may have slow updates, and some may or may not like its interface as much as some other programs, and some may be better at 0-day attacks, but for actual clean up I don't think the others do as well.



I thought I had a fairly clean system for a couple of days there; Avira detected no viruses. However, some sprang up (not on C:, thankfully!) - if I'm happy with deleting infected files instead of cleaning, do you still recommend Kaspersky as a free antivirus?

