TechSpot

Cleanup after Ramnit?

By shamharga
May 31, 2011
  1. Hi,

    I got a fairly severe case of the Ramnit virus on my desktop. The desktop has two disks (C and D). It was a nightmare, but I backed up my data from C to D and re-installed XP onto C. All appears OK now. However, MSE is detecting infected .html and .exe files on the D drive. It says that it has resolved these (removed/disinfected). Can I be sure that MSE has effectively cleaned this up? Is deleting the infected files a suitable solution? Incidentally, the C disk with the XP OS is coming up clean after repeated MSE scans.

    Thanks in advance for your advice.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Ramnit is not curable, so you'd better delete those infected files on drive D.

    I also suggest you scan both drives with the online ESET scanner, which is good at detecting Ramnit infections.
    ESET Online Scanner: http://www.eset.com/onlinescan/
     
  3. shamharga

    shamharga TS Rookie Topic Starter

    Many thanks for your reply Broni... your advice is really appreciated!
    MSE found infections in .html and .exe files and also in files under System Volume Information on D:\.
    For all found, MSE reported that they were disinfected or removed.
    Nonetheless, I deleted the .html and .exe files that I didn't need to retain. (I have thus far retained some, however.)
    I also deleted all but the last system restore point from D (I can't figure out how to delete the last one).
    A full MBAM scan found nothing on either C or D.
    As recommended by yourself, I ran ESET. This too came back clean on both C and D.
    Can I trust MSE when it says that it resolved the found infections, or should I delete anyway?
    Is it just .html and .exe files that are likely to be infected? Are other files such as JPEGs OK?
    Out of interest: how will Ramnit 'activate' from D:\? Will it only activate if an infected file is opened, or can it activate without interaction from the user?

    Thanks again Broni!
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You should disable system restore for drive D altogether.

    Either by you or by some program, so you have to be 100% sure there is nothing malicious on drive D.

    I'd delete any finding.

    Any executable file may be affected:

    ADE - Microsoft Access Project Extension
    ADP - Microsoft Access Project
    BAS - Visual Basic Class Module
    BAT - Batch File
    CHM - Compiled HTML Help File
    CMD - Windows NT Command Script
    COM - MS-DOS Application
    CPL - Control Panel Extension
    CRT - Security Certificate
    DLL - Dynamic Link Library
    DO* - Word Documents and Templates
    EXE - Application
    HLP - Windows Help File
    HTA - HTML Applications
    INF - Setup Information File
    INS - Internet Communication Settings
    ISP - Internet Communication Settings
    JS - JScript File
    JSE - JScript Encoded Script File
    LNK - Shortcut
    MDB - Microsoft Access Application
    MDE - Microsoft Access MDE Database
    MSC - Microsoft Common Console Document
    MSI - Windows Installer Package
    MSP - Windows Installer Patch
    MST - Visual Test Source File
    OCX - ActiveX Objects
    PCD - Photo CD Image
    PIF - Shortcut to MS-DOS Program
    POT - PowerPoint Templates
    PPT - PowerPoint Files
    REG - Registration Entries
    SCR - Screen Saver
    SCT - Windows Script Component
    SHB - Document Shortcut File
    SHS - Shell Scrap Object
    SYS - System Config/Driver
    URL - Internet Shortcut (Uniform Resource Locator)
    VB - VBScript File
    VBE - VBScript Encoded Script File
    VBS - VBScript Script File
    WSC - Windows Script Component
    WSF - Windows Script File
    WSH - Windows Scripting Host Settings File
    XL* - Excel Files and Templates
     
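    A small inventory script, added here and not part of the thread or of any product mentioned in it, that walks a backup drive and lists the files whose extension falls into Broni's "may be affected" list above (plus .htm/.html, which MSE flagged in this thread), so that retained files in those categories can be rescanned or deleted deliberately rather than discovered by accident. The directory tree it scans is a constructed temporary sample standing in for D:\; the file names in it are assumptions.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Extension patterns from the list above (DO* and XL* are wildcards).
AT_RISK_PATTERNS = [
    "ade", "adp", "bas", "bat", "chm", "cmd", "com", "cpl", "crt", "dll",
    "do*", "exe", "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk",
    "mdb", "mde", "msc", "msi", "msp", "mst", "ocx", "pcd", "pif", "pot",
    "ppt", "reg", "scr", "sct", "shb", "shs", "sys", "url", "vb", "vbe",
    "vbs", "wsc", "wsf", "wsh", "xl*",
    # Ramnit also infects HTML files (the MSE detections in this thread).
    "htm", "html",
]


def is_at_risk(filename: str) -> bool:
    """True if the file's extension matches one of the at-risk patterns."""
    ext = Path(filename).suffix.lstrip(".").lower()
    if not ext:
        return False
    return any(fnmatch.fnmatchcase(ext, pat) for pat in AT_RISK_PATTERNS)


def inventory(root: str) -> list[str]:
    """Walk a drive and return sorted paths of files in at-risk categories.

    Nothing is modified; the caller decides what to rescan or delete.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_at_risk(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def demo() -> list[str]:
    """Build a constructed sample tree (stand-in for D:\\) and inventory it."""
    root = tempfile.mkdtemp(prefix="drive_d_")
    samples = ["setup.exe", "index.html", "report.docx", "budget.XLS",
               "photo.jpg", "notes.txt",
               "System Volume Information/rp1/A0001.exe"]  # constructed names
    for rel in samples:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample, not real content")
    return [os.path.relpath(f, root) for f in inventory(root)]


if __name__ == "__main__":
    for path in demo():
        print(path)
```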
  5. shamharga

    shamharga TS Rookie Topic Starter

    Thanks Broni.
    Have now turned off sys restore for D
    I will also delete all the findings as you recommend.
    However, I do have lots of the executable files such as .doc, so I suppose I will just have to take my chances.
    Thanks again!
    Cheers
    Sham
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    As long as MSE and ESET say those are healthy files, you should be OK.
     
Topic Status:
Not open for further replies.
