Ramnit virus (...sob)

For anything relating to music-making on Windows computers, with lots of FAQs. Moderated by Martin Walker.

Ramnit virus (...sob)

Postby shufflebeat » Sat Apr 23, 2011 1:37 pm

I woke up to a bright red MSE panel warning of 56 threats of ramnit.b and BillP's Scotty Dog asking if I wanted to allow a new startup programme (lugrevak.exe).

Everything I've read so far concludes I'm looking at a reformat and reinstallation of OS (XP).

Except Symantec who seem to think it's not a biggie (I don't use Symantec, unfortunately).

Anyone have experience of Ramnit?

I'll be experimenting with ESET and ComboFix but other testimonies don't look hopeful.

I've got all audio files backed up but not some other files. I'm wary of copying those to back up because of the way Ramnit corrupts legit files. I don't want to make paperweights out of my external drives.
shufflebeat
Jedi Poster
Posts: 4848
Joined: Sun Dec 09, 2007 1:00 am
Location: Manchester, UK
"Dancing Queen - feel the heat from the tangerine, ooh yeah!"

Do yourself a favour, wear earplugs at gigs.

Re: Ramnit virus (...sob)

Postby inderface » Sat Apr 23, 2011 1:57 pm

I found this post
http://www.overclock.net/networking-security/804294-need-help-virus-hell-ramnit.html
This is suggested
http://www.avira.com/en/support-download-avira-antivir-rescue-system
Though DO NOT use your infected machine to download it (use a friend's or neighbour's).
Use Nero or similar to burn the ISO image to a CD.
(Search "burn ISO" on Google if you don't know how to do this.)
When you have the disk, set your computer to boot from this cd.
Follow instructions for a complete scan.

If I were you, never ever have your music computer connected to the internet (unless for updates).
I have my net drive with antivirus and firewall on a separate drive, backed up.
Any major infections, I just wipe the drive and restore the backup.
My music machine is on another drive that I set in the BIOS to boot from when needed, but never connected to the net (only for updates).

"The thread seems to say don't connect the infected machine to the net!"
Sounds like a worm (not good).
Get a good antivirus and firewall and keep it up to date (I update it every day).
Avast antivirus has a free edition, likewise PC Tools firewall...
Hope you get it sorted.....
inderface
Regular
Posts: 133
Joined: Wed Feb 28, 2007 1:00 am

Re: Ramnit virus (...sob)

Postby Exalted Wombat » Sat Apr 23, 2011 2:30 pm

shufflebeat wrote:I woke up to a bright red MSE panel warning of 56 threats of ramnit.b and BillP's Scotty Dog asking if I wanted to allow a new startup programme (lugrevak.exe).

Everything I've read so far concludes I'm looking at a reformat and reinstallation of OS (XP).

Except Symantec who seem to think it's not a biggie (I don't use Symantec, unfortunately).

Anyone have experience of Ramnit?

I'll be experimenting with ESET and ComboFix but other testimonies don't look hopeful.

I've got all audio files backed up but not some other files. I'm wary of copying those to back up because of the way Ramnit corrupts legit files. I don't want to make paperweights out of my external drives.

For a start, DON'T PANIC. You may be infected with ramnit.b, you may be infected with a bogus anti-malware program that is TELLING you you're infected.

Either way, first turn off System Restore for all your partitions in case nasties are lurking in a Restore Point. Then restart in Safe Mode With Networking and run ESET Online Scan. Might as well let Eset do its stuff then reboot (Safe Mode With Networking again) and run Malwarebytes. If all is still not well, run them again.

THEN panic! But I don't think you'll have to.

Don't forget to turn System Restore back on.
Exalted Wombat
Jedi Poster
Posts: 5730
Joined: Sat Feb 06, 2010 1:00 am
Location: London UK
You don't have to write songs. The world doesn't want you to write songs. It would probably prefer it if you didn't. So write songs if you want to. Otherwise, don't bore us with beefing about it. Go fishing instead.

Re: Ramnit virus (...sob)

Postby DragonLogos » Sat Apr 23, 2011 5:25 pm

While ramnit.b is an infection, the exe file sounds like pure BS. Also the way it popped up is very suspect. Sounds very much like scareware; there is a lot of it going around these days. They tell you that your PC is affected (which it is not really) and then try and sell you a cure for 20 - 40 dollars.

It started off in 2008

http://news.bbc.co.uk/2/hi/technology/7779223.stm

and they have been going at it in different forms:

Privacy Center is a rogue security program - a fake application, which is supposed to take care of your privacy, but takes care of your money instead. This parasite typically enters the system by using the infamous trojan Zlob, which can be found in porn/warez websites disguised as a video codec. Privacy Center uses disinformation to trick the user into purchasing its "licensed version", which is no more functional than the trial.

http://www.2-viruses.com/remove-privacy-center

Don't activate the EXE file... Try Malwarebytes - download from www.filehippo.com
DragonLogos
Regular
Posts: 278
Joined: Mon Oct 14, 2002 12:00 am
Location: East London

Re: Ramnit virus (...sob)

Postby DragonLogos » Sat Apr 23, 2011 5:31 pm

BTW I don't think your PC has ramnit.b - they are just using the name to scare you... still you never know

It must be a sheer lack of good entertainment that drives people into thinking up scams like this and 419's
DragonLogos
Regular
Posts: 278
Joined: Mon Oct 14, 2002 12:00 am
Location: East London

Re: Ramnit virus (...sob)

Postby shufflebeat » Sat Apr 23, 2011 10:46 pm

DragonLogos wrote:It must be a sheer lack of good entertainment that drives people into thinking up scams like this and 419's

(Chuckle) There's got to be some kind of govt grant for musicians and studio owners in this.

Cheers for the helpful posts. Struggling on, I'll report back when I come up for air. May the balls drop off the arse who thought this one up.
shufflebeat
Jedi Poster
Posts: 4848
Joined: Sun Dec 09, 2007 1:00 am
Location: Manchester, UK
"Dancing Queen - feel the heat from the tangerine, ooh yeah!"

Do yourself a favour, wear earplugs at gigs.

Re: Ramnit virus (...sob)

Postby shufflebeat » Sun Apr 24, 2011 9:49 am

In safe mode:

Eset online scan found 155 copies of Ramnit and cleaned them out
Malwarebytes found 1 'backdoor bot' and removed it.
Spybot is running at the mo.

Spybot - all clear. MSE running (wouldn't connect to update but had done earlier this morning so no bother).

shufflebeat
Jedi Poster
Posts: 4848
Joined: Sun Dec 09, 2007 1:00 am
Location: Manchester, UK
"Dancing Queen - feel the heat from the tangerine, ooh yeah!"

Do yourself a favour, wear earplugs at gigs.

Re: Ramnit virus (...sob)

Postby Exalted Wombat » Sun Apr 24, 2011 10:08 am

shufflebeat wrote:In safe mode:

Eset online scan found 155 copies of Ramnit and cleaned them out
Malwarebytes found 1 'backdoor bot' and removed it.
Spybot is running at the mo.

Excellent! Don't forget to reboot after each program has done its scan. The actual cleanup is often done as part of the startup routine. Though, as you were in Safe Mode, Eset seems not to have had running processes to deal with, so they may well have been directly removed.

You might also want to run at least the initial setup of ComboFix. It's a convenient way of getting the Recovery Console installed as a startup option. Could make your life a lot easier if you ever get a disk problem.

Any ideas how you caught Ramnit? Like other embarrassing infections, these things don't just jump up your trouser leg :-)
Exalted Wombat
Jedi Poster
Posts: 5730
Joined: Sat Feb 06, 2010 1:00 am
Location: London UK
You don't have to write songs. The world doesn't want you to write songs. It would probably prefer it if you didn't. So write songs if you want to. Otherwise, don't bore us with beefing about it. Go fishing instead.

Re: Ramnit virus (...sob)

Postby shufflebeat » Sun Apr 24, 2011 10:37 am

Cheers, Wombat. I'm pretty sure I know exactly where it came from. One of our wayward offspring sent me some tracks he'd put together for my perusal. I was expecting an audio CD but the disc included some bits and pieces of software he'd 'happened across'. As usual I respectfully declined the fruits of his generosity (his idea of internet security is CCleaner) but the disc was already running by that time.

We live and learn.
shufflebeat
Jedi Poster
Posts: 4848
Joined: Sun Dec 09, 2007 1:00 am
Location: Manchester, UK
"Dancing Queen - feel the heat from the tangerine, ooh yeah!"

Do yourself a favour, wear earplugs at gigs.
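Two worries in this thread are ones a small script can actually help with: the first post's reluctance to copy files onto an external drive without knowing whether executable content on the machine has been tampered with, and the post above, where a disc launched itself the moment it was inserted. The Python below is an added example, not code from the thread or from any of the tools named in it. It applies three generic file-infector heuristics to a set of in-memory sample files: an autorun.inf carrying a launch directive, a PE header hiding behind a non-executable extension, and a multi-section PE whose entry point sits in its last section (the usual footprint of an infector that appends its own code). The sample files, the minimal PE builder and file names such as `patched_tool.exe` are constructed for the example; this is not a Ramnit signature, and a clean result is not proof that a file is clean.

```python
"""Offline triage of files from a removable disc or a backup set.

Added example (not from the forum thread or any tool it names). It applies
generic file-infector heuristics, not a Ramnit signature:
  1. autorun.inf carrying a launch directive (open=, shellexecute=, ...)
  2. a PE header behind a non-executable extension
  3. a multi-section PE whose entry point lies in its last section, the
     classic footprint of an infector that appended its own code.
Sample files are constructed below so the script runs offline.
"""
import struct
from typing import Dict, List, Optional, Tuple

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl", ".sys"}
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}


def parse_autorun(text: str) -> List[str]:
    """Return the launch directives found in an autorun.inf body."""
    found = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key.strip().lower() in LAUNCH_KEYS:
            found.append(f"autorun launches: {value.strip()}")
    return found


def pe_entry_in_last_section(data: bytes) -> Optional[bool]:
    """None if not a PE file; else True when AddressOfEntryPoint lies in the
    last section of a multi-section image (single-section files return False)."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                                 # IMAGE_FILE_HEADER
        num_sections, = struct.unpack_from("<H", data, coff + 2)
        opt_size, = struct.unpack_from("<H", data, coff + 16)
        opt = coff + 20                                     # IMAGE_OPTIONAL_HEADER
        entry, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
        if num_sections < 2:
            return False
        last = opt + opt_size + (num_sections - 1) * 40     # last IMAGE_SECTION_HEADER
        vsize, va = struct.unpack_from("<II", data, last + 8)
    except struct.error:
        return None
    return va <= entry < va + vsize


def triage(files: Dict[str, bytes]) -> List[str]:
    """Run all heuristics over {filename: content} and return findings."""
    findings: List[str] = []
    for name, data in files.items():
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if lower.endswith("autorun.inf"):
            body = data.decode("latin-1", "replace")
            findings += [f"{name}: {f}" for f in parse_autorun(body)]
        in_last = pe_entry_in_last_section(data)
        if in_last is None:
            continue                                        # not a PE file
        if ext not in EXECUTABLE_EXTS:
            findings.append(f"{name}: PE executable behind non-executable extension")
        if in_last:
            findings.append(f"{name}: entry point inside last section (possible appended infector code)")
    return findings


def build_pe(entry_rva: int, sections: List[Tuple[bytes, int, int]]) -> bytes:
    """Construct a minimal PE32 image (headers only) for the samples below.
    sections: (name, VirtualAddress, VirtualSize)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    hdrs = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


# Constructed samples: what a disc from a well-meaning relative might hold.
SAMPLE_FILES: Dict[str, bytes] = {
    "autorun.inf": b"[autorun]\r\nopen=setup\\bonus.exe\r\nicon=disc.ico\r\n",
    "track01.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",
    "clean_tool.exe": build_pe(0x1000, [(b".text", 0x1000, 0x500), (b".data", 0x2000, 0x100)]),
    "patched_tool.exe": build_pe(0x3010, [(b".text", 0x1000, 0x500), (b".data", 0x2000, 0x100),
                                          (b".xyz", 0x3000, 0x200)]),
    "mixdown.mp3": build_pe(0x1000, [(b".text", 0x1000, 0x500)]),
}

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES):
        print(line)
```

To use it on a real disc or backup set, replace `SAMPLE_FILES` with a walk over the mounted volume and read each file's bytes; run it from a machine you trust, never from the suspect one, and treat every finding as a reason to scan that file with a proper engine rather than as a verdict in itself. The entry-point heuristic is deliberately conservative (single-section images are never flagged) because some legitimate packers also put the entry point in the last section.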

Re: Ramnit virus (...sob)

Postby shufflebeat » Tue Apr 26, 2011 12:07 am

Small update and clarification.

I've run another Eset scan in safe mode and MWB and MSE in both safe and normal. All (cross fingers and toes) went well.

I consider myself to be relatively cautious in this area and have had Microsoft Security Essentials running with auto update (daily) since it was released. I run updated MalwareBytes and Spybot S&D at least once a week. The MS firewall is always on and none of the kids are allowed anywhere near the PC (laptop).

Precautions I haven't taken include setting up and using a second user without administrator privilege and shredding on receipt any disc or file sent to me by the aforementioned loved one.

One thing that still bothers me is that, looking through my MSE history I see that among the list of about 250 detected-removed/disinfected copies of Ramnit B (and others which I find are versions of the same) there were some that were *allowed* by MSE. I don't understand that and will be contacting the MSE team accordingly.

I will be investigating ESET's NOD32 and donating to the others again but (on advice from MajorGeeks and others) will have to consider the machine as unsafe for external drives until I manage to wipe, format and reinstall.

Thanks to all for the support and wisdom, particularly EW's "DON'T PANIC".

P.S. Also reinstalled Trusteer Rapport as recommended by my ever caring Bank. The new version has a great facility for recognising potential weaknesses in IE/Firefox/Java,etc and spelling them out in words of one syllable or less.
shufflebeat
Jedi Poster
Posts: 4848
Joined: Sun Dec 09, 2007 1:00 am
Location: Manchester, UK
"Dancing Queen - feel the heat from the tangerine, ooh yeah!"

Do yourself a favour, wear earplugs at gigs.