Everything is being detected and quarantined as Virus.Ramnit

  • Root Admin

Please see the following.

If you are definitely infected with W32/Ramnit.A then it is bad news. Read the following script, especially the four links at the end.
Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/.HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality, infects .exe, .dll and .HTML/.HTM files, and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.
Why? The malware injects code into legitimate files, similar to the Virut virus, and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts, so the degree of infection can vary.
Ramnit is commonly spread via a flash drive (USB, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a vast variety of malware and are a major source of system infection.
In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat, as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan, and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.
Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
When should I re-format? How should I reinstall?
Where to draw the line? When to recommend a format and reinstall?
Backdoors and what they mean to you
The only way forward with this infection is to re-format your hard drive and re-install your system.

Thanks for the reply. So I reformatted and transferred some stuff onto my external HDD. I did a final scan on my external HDD and removed anything that was infected, which was around 4, and I kept scanning three times after that to make sure nothing was infected. I reformatted, and the first thing I did was install Malwarebytes. I'm not sure of the exact point in time, but after I reformatted Windows Defender detected 3 items and quarantined them instantly. I checked them instantly and they were Virus.Ramnit. After that I scanned multiple times using Malwarebytes and Windows Defender, and all those times after that were clean.

Is this safe enough, or should I do another reformat? Also, should I completely wipe my external HDD? I include my external HDD in my scans as well, and Malwarebytes hasn't detected anything since.

Ramnit is a virus. Reformatting is NOT the only solution. It is only part of it. This is why it is important to differentiate between a true virus and the common faux perception that everything malicious is a "virus".
All media that is Read/Write must be scanned from a clean system. The clean system should have AutoRun/AutoPlay disabled. If the media was written to while the computer was infected, or if it was written to at a time in proximate knowledge of it being infected, it must be considered as possibly carrying Ramnit-infected files.
Think of it like the condition of the Ebola infection in Dallas, Texas. They had to test all individuals who came in contact with the infected person, isolate them if needed, and they even quarantined the ambulance for decontamination.
All flash drives, memory cards, external hard disks, etc., must be checked from a clean system running a good anti-virus [1] with AutoRun/AutoPlay disabled. Any CD-ROM or DVD data discs that may have been created when the PC was infected should be scanned and, if Ramnit is found, destroy the discs. You can NOT reinstall the OS until the environment is checked, and double checked, and verified clean, or you will re-infect.
** Unfortunately this is as far as the advice that will be given in this sub-forum. All Malware Removal advice and queries must be made in the Malware Removal Help sub-forum as per Forum policy.
[1] Malwarebytes' Anti-Malware (MBAM) is not an anti-virus application; known good ones for this situation are products from Symantec/Norton, McAfee, Eset, Kaspersky, Avira, Alwil and Grisoft (not a complete list), which are real anti-virus applications. A true anti-virus application is defined, in terms of this situation, as being capable of removing the malicious code that Ramnit infected files with and then bringing them back, as close as possible, to the file's state prior to being infected.

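The procedure described in the post above (a clean system, AutoRun/AutoPlay disabled, every piece of removable and external media scanned before anything is reinstalled) as an added example. This is not code from the forum or from Malwarebytes; it assumes a freshly installed Windows 10/11 machine with Microsoft Defender and its PowerShell module, run from an elevated session. Defender stands in here for whichever real anti-virus product you use; the autorun.inf check assumes Ramnit's known habit of dropping an autorun.inf on removable drives, and the drive-letter filtering is an illustrative choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum post): prepare a clean Windows machine and
# check every non-system volume for Ramnit-infected files before reinstalling
# anywhere else. Assumes Windows 10/11 with Microsoft Defender.

# 1. Disable AutoRun/AutoPlay for every drive type. 0xFF = all drive types;
#    this is the same value the "Turn off AutoPlay" group policy writes.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun'    -Type DWord -Value 0xFF
Set-ItemProperty -Path $policy -Name 'NoAutorun'             -Type DWord -Value 1
# Also block AutoPlay for non-volume devices (cameras, phones, MTP).
Set-ItemProperty -Path $policy -Name 'NoAutoplayfornonVolume' -Type DWord -Value 1

# 2. Pull current signatures before touching any suspect media.
Update-MpSignature

# 3. Every volume except the system drive: 2 = removable (flash drives, memory
#    cards), 3 = fixed (USB/external hard disks and extra partitions), 5 = CD/DVD.
$systemDrive = $env:SystemDrive.TrimEnd('\')
$targets = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 2, 3, 5 -and $_.DeviceID -ne $systemDrive }

foreach ($d in $targets) {
    $root = "$($d.DeviceID)\"
    Write-Host "=== Checking $root ($($d.VolumeName)) ==="

    # Ramnit's USB component plants an autorun.inf at the drive root; finding
    # one on a data drive is a strong sign it was used on an infected PC.
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path $autorun) {
        Write-Warning "autorun.inf found on $root - treat this drive as suspect"
        Get-Content $autorun -ErrorAction SilentlyContinue | ForEach-Object { "    $_" }
    }

    # Inventory the file types Ramnit infects so you know how much is at stake
    # on this drive (and how many files disinfection would have to repair).
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue `
        -Include *.exe, *.dll, *.htm, *.html |
        Group-Object Extension |
        Sort-Object Name |
        ForEach-Object { "{0,6} {1}" -f $_.Count, $_.Name }

    # Full custom scan of the whole volume.
    Start-MpScan -ScanType CustomScan -ScanPath $root
}

# 4. Review everything Defender detected and quarantined across the scans.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-List
Get-MpThreat | Select-Object ThreatName, SeverityID
```

Log off and back on (or reboot) after the registry changes and before plugging in any media, so the AutoRun policy is actually in force when Explorer sees the drive. Any drive where autorun.inf or a Ramnit detection turns up should be treated as suspect and re-scanned until clean, or, for optical discs, destroyed, as the post says.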