From: FromTheRafters on
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:i2nvud$mfo$4(a)news.eternal-september.org...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>
>>It's a shame he couldn't provide you with a sample. His description of
>>symptoms doesn't exactly match up with what this malware is/does. This
>>could be new malware worm dropping ramnit.a as it finds new systems.
>
> What kind of sample? A sample of the malware? I'm loath to provide
> that; I don't want to be responsible for infecting any computers. I've
> already given some filenames and directories.

Yes, it's clear you have some nasty malware running. It looks like lots
of it goes undetected except the noted ramnit.a.

> But regardless of what names I provide, there is still something being
> launched that I'm unaware of that is rebuilding the files I see.

If I understood the sources I've read, this malware modifies executable
files with the effect of making them "droppers". It could be that a new
worm has now adopted that function and you are seeing detections of the
modified files but not the program that's modifying them.

> As previously stated, I've removed the HD, scanned it for rootkits and
> malware and reinstalled it and the stuff comes back.
>
> Well, folks, thanks anyway. I'm just going to reinstall Windows,
> something I seldom have to do. It's got me beat and I can't spend any
> more time on this issue. I'm backed up in work again.

You were probably doomed from the get-go to have to flatten and rebuild.
Too many unknowns.


From: TBerk on


David,

READ & RUN ME FIRST. Malware Removal Guide
http://forums.majorgeeks.com/showthread.php?t=35407

Haven't yet found the beastie this procedure wouldn't clean w/o
reformatting a drive.

If I have time, I go through with it. If it's more expedient to wipe
the drive I just harvest data and reinstall the OS. But I prefer the
'thrill of the hunt', so to speak.


TBerk

From: Buffalo on


David Kaye wrote:
> Roy <aa4re(a)aa4re.ampr.org> wrote:
>
>> A friend of mine that does virus removal as part of his business
>> swears by MalwareBytes
>
> I do this professionally as well. I asked *specifically* for
> comments from people who have *experience* with this threat. I used
> MalwareBytes Antimalware several times including the complete disk
> scan for 2 1/2 hours. It did not detect anything.
>
> Again, I'm interested in hearing only from people who have
> *experience* with Win32.Ramnit.A
>
> Thank you.

Well, have you tried PC Butts' Remove-it software?

Whee Haw!!!
Buffalo


From: RJK on

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:i2o47d0214h(a)news2.newsguy.com...
From: "russg" <russgilb(a)sbcglobal.net>

| snip stuff about experienced posters only.

| I come here to learn, and there are some experts here. The OP
| considers himself an expert and only wants to talk to experts. I would
| say his final approach of wiping and re-installing the OS (which he
| didn't mention), but first trying to save .docs, mp3 and other
| important files, is the only solution. I learned that RAMNIT.A is a PE
| infector, infects other known files, like IE. Here's some info at
| sophos.com:

| http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.

From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
time removing it. The only tool that detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it."

He didn't submit a sample somewhere. MSE scanned the system, detected it
(Win32/RAMNIT.A), but MSE failed to fully remove it and clean the system of it.
Dave also indicated he tried Avast to no avail.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Having cast my eye through this post, I think I would have given PrevX a go :-)
...and having read http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
...I think (seeing as Sophos is armed against it), I'd try Sophos CLS from Bart PE cd :-)
regards, Richard


From: John Slade on
On 7/26/2010 9:51 PM, David Kaye wrote:
> Sorry about the crosspost to ba.internet, but I know there are malware experts
> out there.
>
> Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
> time removing it. The only tool that detects it consistently is MS Security
> Essentials, and MSSE keeps counting it and "disinfecting" it.
>
> I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
> figure out what's launching it.
>
> I have eliminated one rootkit and subsequent scans show no more rootkits.
> This thing has dropped startup payloads into the StartUp folder, into the Run
> keys, into Prefetch, and it masquerades as everything from random 4-letter
> clusters to names like "Microsoft Suite", etc.
>
> It also captures the date when Windows was first installed, so I can't
> reliably search for the thing via date, either.
>
> Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
> the infections are in everything from drivers to executables in all kinds of
> directories.
>
> At the moment I'm running the computer in safe mode with no Internet and MSSE
> is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
> go back into regular mode and get an Internet connection back up it'll start
> infecting again.
>
> Oh, and I've reset the Winsock stack twice just in case there's a little
> wedgie in there. Still comes back.
>
> Any help would be most appreciated. You can reach me directly by email. The
> address is valid.
>
> Thanks.
>

You may want to try turning off "system restore" in
"system properties". Then reboot. You may also want to make
"system volume information" accessible to your malware scanner.
Then do a scan of that folder. The default setting is "read
only" and "hidden", so if it can be scanned the malware won't be
removed. The malware can reboot that last restore point over and
over and reinfect your system over and over. A Linux-based
scanner can be a way around the permissions, but it's probably
better to do the scans within Windows.

John
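One defender-side check that matches the symptoms described in this thread (a PE infector rewriting executables, and a sample that resets file dates so searching by timestamp is unreliable) is a content-hash baseline of PE files that is re-run after each reboot: files whose hash changed, and executables that newly appeared, stand out regardless of what their timestamps say. This is an added Python example, not code from any poster or tool named in the thread; the directory tree, file names and bytes used in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx"}

def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS stub every PE image carries."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Map posix-style relative path -> [sha256, size] for each PE file under root.
    Content hashes, not timestamps, so a sample that rewrites file dates cannot hide."""
    db = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix.lower() in PE_EXTENSIONS or is_pe(p)):
            db[p.relative_to(root).as_posix()] = [sha256_of(p), p.stat().st_size]
    return db

def compare(old: dict, new: dict) -> dict:
    """What a PE infector leaves behind between two runs: modified, added, removed."""
    return {
        "modified": sorted(k for k in old if k in new and old[k][0] != new[k][0]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }

def demo() -> dict:
    """Constructed sample tree (not a real system): baseline, then simulate a reinfection cycle."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "bin" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
    (root / "readme.txt").write_bytes(b"not a PE, so it is ignored")
    before = baseline(root)
    (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"TRAILER")  # existing PE rewritten
    (root / "bin" / "xqzt.exe").write_bytes(b"MZ" + b"\x02" * 16)  # new randomly named PE appears
    return compare(before, baseline(root))
```

In practice, baseline the Windows and Program Files trees from a clean boot medium, save the dictionary, and diff after each normal-mode session; the "modified" list is the set of files the infector keeps touching, and the "added" list is where random-named droppers show up.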