1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

[Ramnit- Not curable] Infected with ramnit virus. Curable or format?

By Trabador
Feb 15, 2012
  1. Hi guys, I'm here again to find if I can get some help for the very annoying ramnit virus. Last time I was here, snowchick7669 helped me greatly so I thought there won't be a better place to get help from.

    So my problem is with ramnit virus. No matter how many times you delete watermark.exe it comes back. dmlconf.dat seems to get deleted easily but seems like it recreates itself every minute again and again.

    I've run eset online scan, it cleared the infection from almost every file and yet it comes again when you restart.

    So I'm here to find out if my situation is curable or not? If not, what method should I take to format so that it doesn't comes back since it seems like every html file and many exe's are now infected.

    I'd really appreciate it if you guys can help me out with this. Thank you. :)
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. Here's why:

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer.

    Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A.

    Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively curable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Please read:
    Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

    I realize that this is not good news for you. But when you system has been reformatted and reinstalled, I suggest you avoid the file sharing and downloads from unsafe sites.
    Ramnit tutorial with help from Broni.

    You will find excellent reformat/reinstall instructions here:
  3. Trabador

    Trabador TS Rookie Topic Starter

    Thank you very much Bobbye. I was almost sure that it was incurable. No worries.

    I still have a few questions and I'd really appreciate if you could give me some suggestions for them. Oh and yeah I won't hold you or techspot responsible if something happens to my system by following them. :)

    1. Since files on other drives have got infected by Ramnit, will just a system format and reinstall be sufficient to remove the virus?

    2. I have always had autoplay disabled on my system for all the drives. I never double clicked on the drive icon either and always use explore to see the contents in it. I don't think the virus came through it. So can I use it to remove important data to other PC?

    3. Can you recommend to me which anti virus or anti spyware and which firewall can be installed after reinstall of the system?

    4. So i was willing to play a bit through it. Obviously I haven't reinstalled the system yet.

    I located the dmlconf.dat in system32 and edited the original values inside it to some random text '1ds' and set its attribute to 'Read Only'. Early it seemed to me that this file surely kept recreating itself every minute but after I edited it, at least that occurrence stopped. (Although I know this may have no effect or even might be some kind of foolishness I might have done.)

    Then I deleted the folder Microsoft and the files inside it i.e. Watermark.exe from program files. After that I created a same folder named Microsoft and a text file which and typed inside it 'Go...' and saved it. Then I renamed the file to 'Watermark.exe' and set its attribute to 'Read Only'.

    As I said, all this might just be my foolishness to worsen the case but can you tell me how this might affect me or not? It was just a bit of random thought so feel free to insult me (no pun intended) if I have done something I shouldn't have. :)

    Thank you for providing me with your valuable time and suggestions. Looking forward to your reply.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm running behind as usual.

    About infected files: you can reformat/reinstall the operating system. However, returning files to the system will have to be done carefully- files with these extensions should be avoided:
    ..exe, .scr, .rar, .zip, .htm, .html.

    File infectors mutate and corrupt. Their code is buggy and traditional cleaning methods do not stop or, in my opinion, remove the malware. That's why we stress to backup before you need it- so you'll have clean files to replace.

    Since Ramnit is frequently spread through movable drive, all should be disinfected although that will not guarantee the malware is gone.

    I can't do anything for the Ramnit on the system now, but I am leaving some security tips for you for after the R/R. Please keep in mind that you should change all passwords, monitor all internet financial transactions and be aware that any personal information on the system may have been compromised.

    You may find the following helpful: (Links are Bold Blue)
    Tips for added security and safer browsing:
    1. Browser Security
      [o][url="http://www.bleepingcomputer.com/tutorials/tutorial102.htm]Make Internet Explorer safer][/url]
      [o] Use a Site Advisor..
      Have layered Security:
    2. Antivirus Software(only one):
      [o] Comodo AV
      [o]Avast Free
      [o]Microsoft Security Essentials
    3. Firewall (only one)
      [o] Zone Alarm Free
      [o]Comodo Firewall Free
    4. Antispyware/Security: I recommend all of the following:
      [o]Spywareblaster:Protects against bad ActiveX.
      [o]IE/Spyad Restricts bad domains.
      [o]MVPS Hosts files Directs HOSTS file to which is your local computer.
      [o]Google Toolbar Popup Stopper
    5. Stay current on updates:
      [o] Windows Updates. You should get All updates marked Critical and the current SP updates.
      [o] Adobe Reade. Uninstall old.
      [o]Java Uninstall old.
    6. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    7. Do regular Maintenance
      [o]To include Disc Cleanup, Defrag, Error Check/
    8. Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribuneor
    9. System Restore GuideUnderstand Restore Points> why you need to clean and set restore points and what information is in them.
      [*] Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet/ Have a separate email account on free web-based mail.

    Please let me know if you find any bad links.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...