Novice after reformat back up advice following virus

5 replies to this topic

#1 Kie_boy


Posted 24 September 2011 - 10:49 AM

Hi. I hope I am posting this in the correct section. I am not after advice regarding the virus but advice regarding backing up and reformatting. I should add that I am a novice so any help may need to be quite 'dumbed down' for me.

My computer has been infected with the Ramnit virus and after spending many hours searching the internet it appears that the only way to fully be certain of having the PC safe again is to format and reinstall the hard drive. I've had the computer for 2 years and I use it for both pleasure and running my business so I don't mind reformatting it as I have gathered a lot of rubbish over the years.

So my questions are these.

Back Up

My plan to back up the files I needed was to purchase a hard drive. However it appears after reading about the virus that it tends to spread via removable media. I've read that I should be careful about what files I copy (no .exe, .rar etc.), which is fine as I mainly want to back up office documents, pictures and music that I have. I am concerned however about what I have read regarding the virus possibly adding itself to legitimate files and renaming the extension. Does this mean that a novice such as myself could easily back up a word document or mp3 file and unknowingly be transferring the virus?
If this is the case then I would rather not take the risk and lose the data.

Reformatting

I have never reformatted and reinstalled previously however I have been in the presence of watching others do this. I have not got my original CD for XP so I have one of those on the way. I understand it will ask for a product code or similar. How can I find out this? Is it actually printed onto my computer somewhere?
Finally is this an easy enough task for a person such as myself to undertake? I gather there will be things I must do once XP is reinstalled such as install drivers and updates?

Any help will be greatly appreciated.
Thanks
Kieran

#2 .X.


Posted 01 October 2011 - 08:03 AM

the only way to fully be certain of having the PC safe again is to format and reinstall the hard drive

Reinstall the Operating System.



I am concerned however about what I have read regarding the virus possibly adding itself to legitimate files and renaming the extension. Does this mean that a novice such as myself could easily back up a word document or mp3 file and unknowingly be transferring the virus?

You should set up your folder options so that file extensions are always shown. Having said that, even with the correct extension files can harbor infections. Microsoft releases updates to render these infections useless so make sure to update your computer either before or as soon as you get Windows installed and have an active network connection. You may need to install your network card drivers before you reach this point.
You should also scan all your files with a good antivirus and perhaps Malwarebytes.


I have not got my original CD for XP so I have one of those on the way. I understand it will ask for a product code or similar. How can I find out this? Is it actually printed onto my computer somewhere?

When your CD arrives it should have the key with it unless you are ordering a restore disk from your system manufacturer. In this case you would use the key that is on the Certificate of Authenticity sticker of your computer.


Finally is this an easy enough task for a person such as myself to undertake? I gather there will be things I must do once XP is reinstalled such as install drivers and updates?

It's pretty simple. The steps depend on what kind of disk you are getting. The drivers can be downloaded from your computer or hardware manufacturer's website. Windows can be updated by visiting Windows Update and if Office is installed you would visit Microsoft Update. If your disk does not include SP3, you will be prompted to install that first (depending of course on whether your disk has at least SP1).

Edited by .X., 01 October 2011 - 08:05 AM.


#3 Kie_boy


Posted 01 October 2011 - 08:19 AM

Thank you

The main files that I am hoping to retrieve are jpegs and office documents. Is there much likelihood that these could be infected with anything malicious?

Regards

#4 hamluis


Posted 01 October 2011 - 08:56 AM

<<Does this mean that a novice such as myself could easily back up a word document or mp3 file and unknowingly be transferring the virus?>>

Seems that this would be a better question for BC malware personnel...than the XP forum. We can entertain questions about backing up clean systems...but infected systems are not something that we deal with.

The only info I have on Ramnit is a statement concerning such made by one of our best malware personnel, in the form of a canned reply to those with confirmed infections. All credit to Quietman 7 for providing the following.


"I'm afraid I have very bad news.

Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.


This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications)."

Louis
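The checks .X. recommends in reply #2 (show extensions, look at every file before restoring it) and the file types the quoted Ramnit notes above say it infects, worked into a small triage script; this is an added example, not code from the thread or from BleepingComputer. It compares each backed-up file's leading bytes with what its extension claims, flags a second hidden extension, and flags the .exe/.dll/.html types the thread names; the sample folder it builds contains constructed harmless bytes, not malware, and the script is a pre-check, not a replacement for scanning the files with an antivirus.

```python
# Added example (not from the thread): check files copied off an infected drive by
# comparing each file's leading bytes with what its extension claims to be.
import tempfile
from pathlib import Path

SIGNATURES = {  # leading bytes for the document types the poster wants to keep
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",), "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
RISKY = {"exe", "dll", "htm", "html"}  # types the thread says Ramnit infects

def classify(name, head):
    """Verdict for one file from its name and its first few bytes."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY:
        return "risky-type"       # .exe/.dll/.html: leave it on the old drive
    if head.startswith(b"MZ"):
        return "exe-in-disguise"  # Windows executable behind a renamed extension
    if len(parts) > 2 and parts[-2] in SIGNATURES and ext not in SIGNATURES:
        return "double-ext"       # e.g. photo.jpg.scr, hidden when extensions are off
    if ext in SIGNATURES:
        return "ok" if head.startswith(SIGNATURES[ext]) else "mismatch"
    return "unknown"              # no signature on file: scan it before restoring

def triage(folder):
    """Walk a folder and map each relative path to its verdict."""
    results = {}
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(8)
            results[str(path.relative_to(folder))] = classify(path.name, head)
    return results

def build_sample_backup():
    """Write a constructed sample folder (harmless stand-in bytes) and return its path."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,  # genuine JPEG header
        "invoice.docx": b"PK\x03\x04" + b"\0" * 16,       # genuine zip/OOXML header
        "report.doc": b"MZ\x90\x00" + b"\0" * 16,         # executable renamed to .doc
        "photo.jpg.scr": b"\xff\xd8\xff" + b"\0" * 16,    # second extension tacked on
        "index.html": b"<html>",                          # risky type per the thread
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    return str(root)
```

Running `triage("D:\\backup")` (or whatever the copy destination is) lists anything that should be scanned or left behind before the documents go back onto the rebuilt PC.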

#5 .X.


Posted 01 October 2011 - 08:58 AM

Jpegs not so much. Use something like IrfanView to view images and you'll be safer than with native Windows apps. Office documents yes, but like I said, just patch Office (better yet, use Google Docs) and you'll be OK (barring any zero-day exploits MS is not aware of).

When you say retrieve, what do you mean? You are not planning to back them up to a 2nd physical drive?

#6 Kie_boy


Posted 04 October 2011 - 07:25 AM

Sorry for my naive comments when it comes to terminology. By back up I just mean that I would like to keep some of the documents. So I guess just transfer them onto a flash drive or similar so that I can put them back on to the PC when I have reinstalled the OS.
Thanks for the help.