
Afraid of Ramnit Infection

21 replies to this topic

#1 MSUProduct (Members, 9 posts)

Posted 19 October 2016 - 06:47 PM

Hi all, I recently bought a new ASUS laptop back in July and it has been working great with no sign of being bogged down by anything. After my McAfee free trial expired I turned to Malwarebytes, Windows Defender, and Windows Malicious Software removal tool. 

 

Shockingly, Windows Defender & the software removal tool found cases of vbs/ramnit.gen c on about 50 files. I quickly had this removed on both products but ever since have been incredibly concerned. After studying up on Ramnit it sounded like a truly terrifying virus/malware. I've heard it can reinfect itself on a computer and I really want to know if these were false positives or if I am actually infected.

 

I have since run full scans 3 times on Windows Defender, Windows Malicious Software Removal Tool - all 3 times finding nothing. I used Symantec's Ramnit Removal tool but it told me I do not have Ramnit on my computer - I do not know if this is because the previous programs successfully deleted it or if I never had it at all and something was false positive. I have also scanned using Norton Power Eraser, MalwareBytes (Scan for Rootkits included), ESET Online scanner, and all of these came up 100 percent clean with no signs of Ramnit.

 

If anyone could give me some advice on the current 2016 climate of Ramnit and how dangerous it is, I would appreciate it. I can provide any logs needed - I feel like I do not have any forms of Ramnit on my laptop but I am scared that it is simply going undetected or will re-infect later. Is there any surefire way to make certain that I am safe? Please help.

 

I am also not sure how the Ramnit.C variant differs from Ramnit.A or Ramnit.B - every single infected file flagged on my PC by WD was for the C variant. Like I said, a copious amount of other full virus scans on these other platforms showed no signs of infection. But WD was the first one I did post McAfee (which never found anything either). So I'm really not sure if Windows Defender was simply erroneously flagging a virus or if it was a legitimate virus that was properly disposed of, resulting in all scans now being clean. It's a bit of a frustrating dilemma because I will never know for certain (if I was always clean and got false positives, or if I was infected and got it resolved).

 

All I can really do now is search for it and get your guidance on how to make sure I am 100 percent clean. Again the programs I used were as follows:

MalwareBytes Premium Trial Version - Full scan (rootkits included) 3 times - 100 percent clean. 

Windows Defender Original Scan found 50 cases of Ramnit.C - Three full scans after yielded clean results. Date this happened 10/15/2016

Windows Malicious Software Removal Tool found Ramnit as well. - Three full scans after yielded clean results. 

Norton Power Eraser- 3 scans - all clean

Symantec Ramnit Removal Tool - 3 scans - all said no Ramnit found on PC

ESET Online Scanner - 3 scans - all clean. 

 

 

Should I scan using anything else? Any tips would be greatly appreciated. Not sure how to achieve peace of mind on this but it hasn't yet been attained. 

 

Edit: I would also like to note that my computer has shown no symptoms or signs of being impacted by anything. It runs perfectly and has had no other problems besides a few BSODs which were attributed to an ASUS bloatware product that, once removed, rectified that problem. None of my sensitive information has been compromised, at least not obviously compromised or to my knowledge. But ever since this potential Ramnit infection I've been incredibly scared to use my laptop. I have installed virtually nothing on the computer - just Google Chrome and a few games. I am very in tune with safe downloading practices and always get products from the official website(s) they are on. I truly have no idea where I could have been infected, if it was/is legitimate.

 

Edit 2: I'm on Windows 10, by the way.


Edited by MSUProduct, 19 October 2016 - 08:11 PM.


#2 boooliyooo (Members, 50 posts)

Posted 19 October 2016 - 10:23 PM

Hello...

 

A write-up by windows defender on Ramnit: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus:VBS/Ramnit.gen!C

 

This is an old virus (year 2011) based on the same naming convention, thus I don't think you should be worrying much...

 

P.S. Personally, if Windows Defender is able to detect it, any other AV out there should be able to detect it...



#3 MSUProduct (Topic Starter, Members, 9 posts)

Posted 19 October 2016 - 10:30 PM

Hello...

 

A write-up by windows defender on Ramnit: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus:VBS/Ramnit.gen!C

 

This is an old virus (year 2011) based on the same naming convention, thus I don't think you should be worrying much...

 

P.S. Personally, if Windows Defender is able to detect it, any other AV out there should be able to detect it...

 

Hey, thanks for your reply. So among my research I had indeed come across the fact that Ramnit is pretty old. Most of the help topics I found on this forum or online were all pretty old and all seemed to recommend completely wiping the computer as a means to get rid of it. I'm not sure how much things have changed in the 4-5 years since those posts, whether or not AV software has become better at removing it / stopping it from replicating. I think it's a good sign that since then none of my AV programs have picked up any sign of it or any other malware.

 

It just sounded like such a terrifying virus to have even if it is older. So you do not think I will have to take drastic action here and wipe the PC? 

 

I have Windows Defender always running and I run full scans every weekend to ensure no reinfection. My biggest concern stems from two factors:

 

A: Its ability to potentially reinfect + replicate 

 

and 

 

B: If my AV scanners are not picking up hidden instances of Ramnit. 

 

Perhaps some expert on this forum can answer either A or B or both for me. 

 

Really appreciate your reply though, I did come across that same page during my research and have used all 3 of those scan tools. 

 

It's weird because I'm not usually a paranoid person about my personal security on my computers. I've never been seriously harmed by any virus in my 15 years of owning a PC/laptop. However, after reading the horror stories of Ramnit, for some reason I can just not shake the fear that it's lingering on my laptop ready to cause problems. The password grabbing aspect of it was especially scary because I have a lot of sensitive information that's gone through that laptop such as banking data and financial data for work. Ultimately I figured "meh, might just be your run of the mill adware/malware and something annoying but harmless", but Ramnit sounds like it can do real damage. I even read that Ramnit has been able to get through 2-factor authentication, which just scared me even further.


Edited by MSUProduct, 19 October 2016 - 10:39 PM.


#4 boooliyooo (Members, 50 posts)

Posted 19 October 2016 - 11:05 PM

Hello...

 

IMO,

 

A: If your AV and malware detector are enabled with continuous monitoring, it will constantly quarantine anything that the virus does (assuming the virus signature is old and included in the database)

 

B: A virus will never be able to be contained completely as hackers are also constantly improving in weaponising their exploits.

 

Therefore, you could take preventive action by

 

1. backing up the essentials in case anything is to happen.

2. wipe the OS just to give you back the assurance (I will think this is worth the time to get back your sanity)



#5 MSUProduct (Topic Starter, Members, 9 posts)

Posted 19 October 2016 - 11:16 PM

Hello...

 

IMO,

 

A: If your AV and malware detector are enabled with continuous monitoring, it will constantly quarantine anything that the virus does (assuming the virus signature is old and included in the database)

 

B: A virus will never be able to be contained completely as hackers are also constantly improving in weaponising their exploits.

 

Therefore, you could take preventive action by

 

1. backing up the essentials in case anything is to happen.

2. wipe the OS just to give you back the assurance (I will think this is worth the time to get back your sanity)

 

Thanks again, your wisdom is greatly appreciated. I guess I'll wait for a second opinion just to see if anyone else has any other scanning programs they think I should utilize. 

 

My sanity is starting to return, I think I should trust in six 2016 level AV software versus a pretty old virus. I know that Europol also led a charge in which the Ramnit servers were taken over and seized, so I know the distributors themselves of the virus took a legal hit, which bodes well for me. I know the Symantec Ramnit Removal tool was created in 2015 so it's very recent in fighting Ramnit. 

 

Thanks so much for your time and effort, you have made signing up to this forum worth it! 

 

Will now just wait on any further instruction if anyone is willing to give some then we can go ahead and get this closed. 

 

Thanks again, Boo! 


Edited by MSUProduct, 19 October 2016 - 11:16 PM.


#6 boooliyooo (Members, 50 posts)

Posted 19 October 2016 - 11:20 PM

Hello,

 

You're welcome! Glad that I am able to help.

 

Current threat landscape focuses more on:

Ransomware

DDoS



#7 MSUProduct (Topic Starter, Members, 9 posts)

Posted 21 October 2016 - 01:51 PM

Still looking for a second opinion on this if possible :)



#8 quietman7 (Bleepin' Janitor, Global Moderator, 51,593 posts)

Posted 22 October 2016 - 08:45 AM

Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file. Ramnit injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable.

If you are not experiencing the above symptoms, then I doubt you have the Ramnit file infector itself. Microsoft does not provide enough information explaining the VBS/Ramnit.gen!C detection so it's difficult to tell exactly what was detected.

A recommended way to determine if a file infector is present is to upload a sample of system files (i.e. winlogon.exe, userinit.exe, lsass.exe, svchost.exe) to an online service that analyzes suspicious files like Jotti's virusscan or VirusTotal.
--In the "File to Scan" (Upload or Submit) box, click the "browse" button, navigate to the C:\WINDOWS\System32\ folder and submit several of the above files for analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.

You can also get a second opinion by performing a scan with Eset Online Anti-virus Scanner or the Kaspersky Virus Removal Tool.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
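A scripted version of the system-file check suggested in the post above, added here as an example and not part of quietman7's reply. It reads the Authenticode signature and SHA-256 hash of the four files named, so the hash can be looked up on VirusTotal without uploading the file, and a signature that is no longer "Valid" on a Microsoft-signed binary is itself a strong sign that a file infector has modified it. Assumes a stock Windows 10 install with PowerShell 5, where catalog-signed system files report a valid signature.

```powershell
# Added example: integrity check of the system files a file infector would
# typically modify. Not from the thread; assumes Windows 10 / PowerShell 5.
$files = 'winlogon.exe', 'userinit.exe', 'lsass.exe', 'svchost.exe'
$sys32 = Join-Path $env:SystemRoot 'System32'

$report = foreach ($name in $files) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$name not found in $sys32"
        continue
    }

    # Status is Valid for an intact Microsoft binary; HashMismatch means the
    # file content no longer matches its signature (what infection produces).
    # On older OS versions catalog-signed files may show NotSigned instead.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # SHA-256 is what VirusTotal indexes; search the hash instead of uploading.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File       = $name
        SigStatus  = $sig.Status
        Signer     = $signer
        SHA256     = $hash
        SizeBytes  = (Get-Item -Path $path).Length
        # Flag anything not validly signed by Microsoft for closer inspection.
        Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }
}

$report | Format-Table -AutoSize
if ($report | Where-Object Suspicious) {
    Write-Warning 'One or more system files failed the signature check; submit them for analysis.'
}
```

The built-in `sfc /verifyonly` performs a related check of protected system files against the component store and is a reasonable follow-up if any row is flagged.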

#9 MSUProduct (Topic Starter, Members, 9 posts)

Posted 22 October 2016 - 04:27 PM

Thanks quietman! So here's just another interesting little tidbit. On September 16th, after acquiring the Windows Malicious Software Removal tool, according to my log history it ran a scan and it was clean, no infections found. This is interesting because from September 16th to October 15th, when the October version of WMSRT found Ramnit, I had not used my computer AT ALL. I had only downloaded Windows updates and did minimal browsing. I was on the road for much of that month. So very peculiar indeed. Perhaps a new definition for WD and WMSRT flagged something by mistake? Regardless, I had the files removed just to be certain.

 

I will now proceed to do all of the steps recommended and will post my results. Thanks so much Quietman7! An ESET Online scanner came up 100 percent clean on 2 separate scans.

 

I'm going to go ahead and scan those files and come back with the results. 



#10 quietman7 (Bleepin' Janitor, Global Moderator, 51,593 posts)

Posted 22 October 2016 - 04:56 PM

Yes the detection could have been a false positive but 50 files is a lot. However, apparently whatever the scanning engine found and removed were not critical files or you would be experiencing other problems. I'm wondering if they were just temporary Internet related files in the cache which would be no big deal.

That would explain why none of your other scans are finding anything and you have not noticed any other problems with the computer.

Good luck.

#11 MSUProduct (Topic Starter, Members, 9 posts)

Posted 22 October 2016 - 07:30 PM

Yes the detection could have been a false positive but 50 files is a lot. However, apparently whatever the scanning engine found and removed were not critical files or you would be experiencing other problems. I'm wondering if they were just temporary Internet related files in the cache which would be no big deal.

That would explain why none of your other scans are finding anything and you have not noticed any other problems with the computer.

Good luck.

 

Haven't had a chance to run those file scans yet but I did want to point out that a lot of those 50 files were housed in Google Chrome's folder - would this indicate temporary internet files, do you think? I really appreciate your time & input; you are putting a lot of my doubts to rest. I will run those file scans right now. A third ESET online scan just came up 100 percent clean again.

 

Computer performance is not negatively impacted at all as far as I can tell. It is running like an absolute dream and I really have not seen any sign of an infection. That's why this all is so baffling to me. None of my other computers on any AV have ever picked up any sign of malware, so this is all quite new to me. I suppose I have been lucky to this point to never see a potential infection. Ramnit sounded/sounds terrifying, so that is why I am making absolutely certain. Your expertise is really appreciated. I will edit that post when I VirusTotal these files.

 

ESET = clean

VirusTotal = Pending


Edited by MSUProduct, 22 October 2016 - 07:34 PM.


#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,593 posts)

Posted 22 October 2016 - 08:36 PM

I don't use Google Chrome but from what I read it stores all data including temporary Internet files in your user profile...%LocalAppData%\Google\Chrome\User Data\Default

Don't edit. When you do that, helpers may not always notice.

#13 MSUProduct (Topic Starter, Members, 9 posts)

Posted 22 October 2016 - 11:17 PM

"A recommended way to determine if a file infector is present is to upload a sample of system files (i.e. winlogon.exe, userinit.exe, lsass.exe, svchost.exe) to an online service that analyzes suspicious files like Jotti's virusscan or VirusTotal."

 

Scanned all four files on both platforms - 100 percent clean on all of them besides Winlogon.exe; ClamAV simply classed it as a PUA but I think that's just a false positive. The rest were 100 percent clean, being freshly scanned on both Jotti's and VirusTotal.

 

ESET Online Scanner results, done just once more for good measure: 100 percent clean. I made sure for it to scan for potentially unwanted programs as well and it came up with nothing. I went ahead and ran Kaspersky as well just to cover all bases and take all of your advice - that too was clean.

 

So ultimately, I have no clue what WD originally found or why. But everything since has come up clean and I have seen zero performance issues whatsoever. 

 

If you have any last suggestions or steps you wish for me to take let me know.

 

Again, thank you for your help. This forum is truly an excellent hub for help and information and I am happy to be a part of it. 


Edited by MSUProduct, 23 October 2016 - 12:33 AM.


#14 quietman7 (Bleepin' Janitor, Global Moderator, 51,593 posts)

Posted 23 October 2016 - 05:17 AM

Nothing further to suggest other than to just monitor your system for a few days.

#15 MSUProduct (Topic Starter, Members, 9 posts)

Posted 23 October 2016 - 12:53 PM

Nothing further to suggest other than to just monitor your system for a few days.

 

Thanks quietman!! I believe the issue has been solved. A week since I last found it and no signs so far of reinfection, and never any signs - prior or after - of anything being amiss on the machine. It being a new, expensive laptop, however, I felt it prudent to take it up with this forum. Glad I did, you guys are great.

 

This thread can be closed, I think this has been rectified.  :bananas:  :clapping: