I think I'm infected with "Virus.Ramnit.I"


12 replies to this topic

#1 KasperHV


Posted 28 March 2012 - 10:07 AM

Hey you guys...


I think I'm infected with "Virus.Ramnit.I". And I think I have been for some time.
I do a lot of searching on the internet and I'd just come across a program that I needed to watch movies online. The program was a codec, so I thought "oh, let's go for it", well knowing that some of the things you download and install could have viruses in them. Nothing happened and I watched the movie.
The next day however, when I tried to remove it, something strange happened. My programs in Start/All Programs, as in the folders, suddenly got removed. Just by trying to uninstall the codec called "Codec-C".
I then tried to get "another antivirus program" (I've got Norton 360 Premier Edition). So I downloaded the program called Spyhunter 4, and during the search it found out that I had many viruses called "Virus.Ramnit.I" under this exe: "AEADISRV.EXE". So I tried to delete them myself, not knowing what would happen, as my own antivirus program didn't notice anything.

So that's the history; here is where it gets interesting. Yesterday I formatted my PC to get rid of the viruses, or so I thought. I just found out that the same program, "Spyhunter 4", found 42 viruses on my PC... The same name as the files I manually deleted myself. This time though, they have been "located" inside my Windows/System32 folder. And that's something I don't want to mess about with.


Any ideas or thoughts how to get rid of this?


Kind regards
Kasper


Edited by KasperHV, 28 March 2012 - 10:13 AM.



#2 TheForgottenGod


Posted 28 March 2012 - 10:20 AM

Looks like you downloaded the same software everyone else was complaining about yesterday. Never download Codec-C, but same outcome of all desktop and start menu items missing. Hopefully a moderator will know more about removing Codec-C; also, I never used Spy Hunter or heard of it. Download Malwarebytes and SuperAntiSpyware. Those two are highly recommended. Also try to see if you can uninstall Codec-C with Revo Uninstaller. If that doesn't work, wait for the moderator to further help you.

Edited by boopme, 28 March 2012 - 11:50 AM.


#3 boopme


Posted 28 March 2012 - 11:52 AM

I'm afraid I have very bad news.

Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.


Ramnit is commonly spread via a flash drive (USB, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection. However, a variant called the Ramnit worm targets Facebook users... It can bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions and compromise online banking.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.


This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



#4 KasperHV


Posted 28 March 2012 - 03:18 PM

Really?

Well, it seems that my motherboard's sound driver called "Soundblaster" is infected from ASUS.COM or ASUS.DK with that virus... So either I don't install my sound card, which "sucks", or I do and get the virus.

#5 KasperHV


Posted 28 March 2012 - 03:21 PM

Looks like you downloaded the same software everyone else was complaining about yesterday. Never download Codec-C, but same outcome of all desktop and start menu items missing. Hopefully a moderator will know more about removing Codec-C; also, I never used Spy Hunter or heard of it. Download Malwarebytes and SuperAntiSpyware. Those two are highly recommended. Also try to see if you can uninstall Codec-C with Revo Uninstaller. If that doesn't work, wait for the moderator to further help you.



I already formatted my PC, which means that I don't have Codec-C any longer; now I'm just stuck with the virus... Which you can see on the screenshot is located in the System32 folder.
So yeah, I'm in trouble if I've got to format my PC once more. I can do it all the time, but as long as I install the "SoundBlaster soundcard" I'll be sure to get the virus again. And the motherboard CD doesn't work as it's not compatible with Windows 7.

#6 TheForgottenGod


Posted 28 March 2012 - 03:21 PM

Hi, for a helpful program to protect you next time you search online or watch movies, use Sandboxie.

Intro to software

Tired of dealing with rogue software, spyware and malware?


Spent too many hours removing unsolicited software?


Worried about clicking unfamiliar Web links?


Introducing Sandboxie

Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.


The red arrows indicate changes flowing from a running program into your computer. The box labeled Hard disk (no sandbox) shows changes by a program running normally. The box labeled Hard disk (with sandbox) shows changes by a program running under Sandboxie. The animation illustrates that Sandboxie is able to intercept the changes and isolate them within a sandbox, depicted as a yellow rectangle. It also illustrates that grouping the changes together makes it easy to delete all of them at once.

Benefits of the Isolated Sandbox

  • Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
  • Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows.
  • Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system.
  • Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.

Download Sandboxie now and give it a try!



#7 boopme


Posted 28 March 2012 - 07:45 PM

The malware will infect ALL .exe files as it progresses. That is why the advice is to reformat and reinstall everything fresh after the format.

#8 KasperHV


Posted 29 March 2012 - 04:34 AM

The malware will infect ALL .exe files as it progresses. That is why the advice is to reformat and reinstall everything fresh after the format.



Question. :)


What if I format my PC and reinstall it again... Won't I have the same problem when the SoundBlaster / SoundMAX drivers are infected from Asus.com/dk?
And is there some sort of registry that I can use to see if that .exe "aeadisrv.exe" is a virus, trojan, spyware, adware?
Also, I scanned my PC with Norton Power Eraser last night, and it found a system file called Command"" which it repaired.
And SuperAntiSpyware also found something last night (and a big load of cookies), but not the malware/trojan I was hoping for.

Also, I have this problem with something called "SweetIM". It seems like I uninstalled it not using Revo Uninstaller (bad mistake), but it keeps hanging in my Google Chrome, Firefox and IE.


Kind regards
Kasper

Edited by KasperHV, 29 March 2012 - 05:07 AM.


#9 KasperHV


Posted 29 March 2012 - 06:02 AM

Ehm, I was thinking. When I do reformat and reinstall, should I install the antispyware program called "Spyhunter 4" to check for malware/spyware to see if the Ramnit.I virus has returned or not? I won't install the soundcard and will just let Windows 7 search for it and install it on its own.
What do you think about this matter?

#10 KasperHV


Posted 29 March 2012 - 07:57 AM

An update to this problem.

I talked with Symantec about their product Norton 360. And they said that when a program like "Spyhunter 4" wants money to fix the problems, then the program is an anti-rogue virus program. Meaning it says you have viruses when you might not have any at all.
I did wonder about this situation because Norton 360 didn't notice anything.
However, Symantec said that Norton 360 is their best antivirus program and it's well known with all these viruses, so it's unlikely that I have a virus.

However I am going to reformat and reinstall my pc just to be safe and secure.


Thanks for helping.

#11 boopme


Posted 29 March 2012 - 09:27 AM

After you wipe the drive and reinstall the OS, all is clean. The infection was attacking the .exe files on the PC. They will be removed and the new .exe files will be reinstalled.
If you backed up files, scan them first prior to reinstalling.

If you need security tools, please download an antivirus and anti-malware from our link here. I suggest Avira, Malwarebytes and SuperAntiSpyware.

http://www.bleepingcomputer.com/forums/topic366982.html

Edited by boopme, 08 April 2012 - 11:04 AM.


#12 KasperHV


Posted 08 April 2012 - 05:27 AM

After you wipe the drive and reinstall the OS, all is clean. The infection was attacking the .exe files on the PC. They will be removed and the new .exe files will be reinstalled.
If you backed up files, scan them first prior to reinstalling.

If you need security tools, please download an antivirus and anti-malware from our link here. I suggest Avira, Malwarebytes and SuperAntiSpyware.

http://www.bleepingcomputer.com/forums/topic366982.html



After I backed up my files, I scanned them, of course, with Norton 360 Premier Edition (which is the best anti-virus program that Symantec has in store).
And they told me that the "SpyHunter 4" program that I installed, thinking it was just another anti-virus program like Norton 360, and which gave me the virus that was explained above, well yeah, it wasn't. As it turned out, after I had a chat with Norton 360 support, they told me that "SpyHunter 4" is an anti-rogue virus program... So the virus that I thought was real wasn't.

So it's all fixed and there's nothing to worry about. But anyhow, thank you guys for all your help.
I installed "Sandboxie" and it's a great program once I got to know it.

Regards

KasperHV

#13 boopme


Posted 08 April 2012 - 10:25 PM

Thanks for the update~~