Win32/RAMNIT.A Continued ...ANT are you there ?

Discussion in 'Anti-Virus' started by Trimble Bracegirdle, Aug 25, 2010.

  1. Back in the sprawling mess of a thread with this name starting around 27
    July, which I can not see the beginning of.
    You said Re this very nasty Win32/RAMNIT.A

    " If the registry key HKEY_LOCAL_MACHINE\Software\WASAntidot is present
    and has a value named "disable" it will skip the infection process and
    pop up a messagebox: "Antidot is activate". However, it will still try
    to call home and possibly download stuff."

    Can you comment on that further please?
    How is the 'disable' value entered?
    I have not seen that suggestion given anywhere else.

    I have this 'Nasty' under the name, in DR WEB CUREIT, of "Win32/RAMNET"

    Symptoms:
    A file called Desktoplayer.exe persistently reappears in C:/Program Files/Microsoft
    Fake FireFox or iExplore processes are shown in Task Manager.
    These are much smaller (2Kb to 8 Kb) than the real thing (80+Kb). They will be
    there whether a Browser is really running or not.
    The processes are directly connected to a High, near constant,
    (very High) level of Disc Activity. Stopping the fakes in TaskMan stops
    this Disc activity.

    Files with the names of actual files (always exe's ???) are created which
    are copies of that Desktoplayer.exe file which is 60,416 Bytes in size & has
    the actual file name with an addition of 'Srv' added into it.
    Thus; Real "ProgName.exe" ...
    fake 59Kb files in same Folder,
    "ProgNameSrv.exe" "ProgNameSrvSrv.exe" "ProgNameSrvSrvSrv.exe"
    Etc ...etc...etc
    @@@Mouse@@@
     
    Trimble Bracegirdle, Aug 25, 2010
    #1
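    A listing check for the "Srv"-suffixed clone pattern this post describes, added here as an example and not code from the thread: it flags any `.exe` whose name is a sibling `.exe` plus one or more `Srv` suffixes, and raises confidence when the clone is exactly the 60,416 bytes reported above. The `CONSTRUCTED_LISTING` paths and sizes are made up to mirror the description; `scan_directory` does the same over a real tree.

```python
import os
import re

# Size of the dropped Desktoplayer.exe reported in the post above; it came from
# one observation, so it only raises confidence rather than gating a match.
REPORTED_CLONE_SIZE = 60_416

# Matches "ProgNameSrv.exe", "ProgNameSrvSrv.exe", ... and captures the base
# stem ("ProgName") and the run of "Srv" suffixes appended to it.
SRV_SUFFIX = re.compile(r"^(?P<base>.+?)(?P<srv>(?:Srv)+)\.exe$", re.IGNORECASE)


def find_srv_clones(entries: list[tuple[str, int]]) -> list[dict]:
    """Flag .exe files that look like Srv-suffixed copies of a sibling .exe.
    entries are (path, size_in_bytes) pairs. A hit needs the original (suffix
    stripped) to exist in the same folder; REPORTED_CLONE_SIZE means "high".
    """
    sizes = {os.path.normcase(path): size for path, size in entries}
    hits = []
    for path, size in sizes.items():
        folder, name = os.path.split(path)
        m = SRV_SUFFIX.match(name)
        if not m:
            continue
        original = os.path.join(folder, m.group("base") + ".exe")
        if original not in sizes:
            continue  # nothing it could have been cloned from
        hits.append({
            "clone": path,
            "original": original,
            "srv_depth": len(m.group("srv")) // len("Srv"),
            "confidence": "high" if size == REPORTED_CLONE_SIZE else "medium",
        })
    return hits


def scan_directory(root: str) -> list[dict]:
    """Walk a real tree, collect every .exe with its size, and apply the check."""
    listing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            try:
                listing.append((full, os.path.getsize(full)))
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
    return find_srv_clones(listing)


# Constructed listing modelled on the post's description (not real files).
CONSTRUCTED_LISTING = [
    ("C:/Games/Quake/quake.exe", 512_000),
    ("C:/Games/Quake/quakeSrv.exe", 60_416),
    ("C:/Games/Quake/quakeSrvSrv.exe", 60_416),
    ("C:/Games/Quake/quakeSrvSrvSrv.exe", 59_000),
    ("C:/Tools/helperSrv.exe", 60_416),  # no helper.exe beside it: not flagged
]
```

    Running `find_srv_clones(CONSTRUCTED_LISTING)` reports the three quake clones (depths 1, 2 and 3) and leaves `helperSrv.exe` alone because there is no `helper.exe` next to it.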

  2. From: "Trimble Bracegirdle" <>

    | Back in the sprawling mess of a thread with this name starting around 27
    | July, which I can not see the beginning of.
    | You said Re this very nasty Win32/RAMNIT.A

    | " If the registry key HKEY_LOCAL_MACHINE\Software\WASAntidot is present
    | and has a value named "disable" it will skip the infection process and
    | pop up a messagebox: "Antidot is activate". However, it will still try
    | to call home and possibly download stuff."

    | Can you comment on that further please?
    | How is the 'disable' value entered?
    | I have not seen that suggestion given anywhere else.

    | I have this 'Nasty' under the name, in DR WEB CUREIT, of "Win32/RAMNET"

    | Symptoms:
    | A file called Desktoplayer.exe persistently reappears in C:/Program Files/Microsoft
    | Fake FireFox or iExplore processes are shown in Task Manager.
    | These are much smaller (2Kb to 8 Kb) than the real thing (80+Kb). They will be
    | there whether a Browser is really running or not.
    | The processes are directly connected to a High, near constant,
    | (very High) level of Disc Activity. Stopping the fakes in TaskMan stops
    | this Disc activity.

    | Files with the names of actual files (always exe's ???) are created which
    | are copies of that Desktoplayer.exe file which is 60,416 Bytes in size & has
    | the actual file name with an addition of 'Srv' added into it.
    | Thus; Real "ProgName.exe" ...
    | fake 59Kb files in same Folder,
    | "ProgNameSrv.exe" "ProgNameSrvSrv.exe" "ProgNameSrvSrvSrv.exe"
    | Etc ...etc...etc


    I told you how to clean your PC in the original thread. Have you begun to do what I
    suggested?
     
    David H. Lipman, Aug 26, 2010
    #2

  3. Probably some sort of vestigial software switch used by the developers.
     
    FromTheRafters, Aug 26, 2010
    #3
  4. Dave's Quote "Have you done what I told you to ?" (sooo nice, polite n
    caring)

    @@@@
    I have spent the greater part of some 10 days running various Anti-Virus
    programs.

    My busy home system consists of an 80GB Win XP install which has been my main
    OS for years, with very, very many programs installed & vast numbers of
    Games from 15+ years.
    also on 250GB & a 1TB drive (200 GB is used.)
    There is also an Install of Windows 7 64 bit which I am using now.

    There are 2 separate installs of VISTA 32 bit, not used anymore.
    And a backup 2nd install of XP.
    Over a couple of months I have been progressively
    transferring my main installation OS to that Win 7 & intending to move
    everything to that newly bought 1TB drive
    & then use the older 80GB & 250GB for backup.
    This "Nasty" has caught me at a very bad time.

    At the present time I am getting some success with DR WEB CUREIT which
    detects the many ....thousands... of infected files & 'Cures' them rather
    than automatically deleting or moving to a Quarantine.
    I spent 2 nightmare days with VIPRE Scanner program; it deleted to
    Quarantine some 3000 items. Every corner of the whole system was wrecked. I got it back by
    restoring those items from a Barely working Safe Mode Win 7.
    AND for all that it hadn't detected this 'NAstY' anyway !!
    Ad-Aware doesn't find it ither. (ether even)

    I cannot sensibly use any of those programs your excellent
    http://www.claymania.com/removal-trojan-adware.html Web page gives unless I
    can be certain that they list ALL items at the end of a scan so I can choose the
    action to take.
    There's no point in cleaning away every bad file if the Bloody thing don't
    work at all afterwards.

    Most Anti-Virus, Anti-Malware (or whatever it's called) doesn't detect this
    at all, or in the case of my usual favourite Malwarebytes' Anti-Malware detects one
    or 2 files & the Registry entries. COMBOFIX got some stuff out in XP.

    I'm querying the Poster 'ANT' in this group as his posts show a greater
    understanding of this 'ThINg' than I have seen anywhere else ..& I am really
    looking... lots of Googling ....forums ..I am in regular contact with a
    Malwarebytes' Anti-Malware Administrator who has been advising me.
    (he's about given up tho)
    @@@@mouse@@@
     
    Trimble Bracegirdle, Aug 26, 2010
    #4
  5. From: "Trimble Bracegirdle" <>

    | Dave's Quote "Have you done what I told you to ?" (sooo nice, polite n
    | caring)

    | @@@@
    | I have spent the greater part of some 10 days running various Anti-Virus
    | programs.

    | My busy home system consists of an 80GB Win XP install which has been my main
    | OS for years, with very, very many programs installed & vast numbers of
    | Games from 15+ years.
    | also on 250GB & a 1TB drive (200 GB is used.)
    | There is also an Install of Windows 7 64 bit which I am using now.

    | There are 2 separate installs of VISTA 32 bit, not used anymore.
    | And a backup 2nd install of XP.
    | Over a couple of months I have been progressively
    | transferring my main installation OS to that Win 7 & intending to move
    | everything to that newly bought 1TB drive
    | & then use the older 80GB & 250GB for backup.
    | This "Nasty" has caught me at a very bad time.

    | At the present time I am getting some success with DR WEB CUREIT which
    | detects the many ....thousands... of infected files & 'Cures' them rather
    | than automatically deleting or moving to a Quarantine.
    | I spent 2 nightmare days with VIPRE Scanner program; it deleted to
    | Quarantine some 3000 items. Every corner of the whole system was wrecked. I got it back by
    | restoring those items from a Barely working Safe Mode Win 7.
    | AND for all that it hadn't detected this 'NAstY' anyway !!
    | Ad-Aware doesn't find it ither. (ether even)

    | I cannot sensibly use any of those programs your excellent
    | http://www.claymania.com/removal-trojan-adware.html Web page gives unless I
    | can be certain that they list ALL items at the end of a scan so I can choose the
    | action to take.
    | There's no point in cleaning away every bad file if the Bloody thing don't
    | work at all afterwards.

    | Most Anti-Virus, Anti-Malware (or whatever it's called) doesn't detect this
    | at all, or in the case of my usual favourite Malwarebytes' Anti-Malware detects one
    | or 2 files & the Registry entries. COMBOFIX got some stuff out in XP.

    | I'm querying the Poster 'ANT' in this group as his posts show a greater
    | understanding of this 'ThINg' than I have seen anywhere else ..& I am really
    | looking... lots of Googling ...forums ..I am in regular contact with a
    | Malwarebytes' Anti-Malware Administrator who has been advising me.
    | (he's about given up tho)
    | @@@@mouse@@@


    This is a virus. As such you would do best to clean the system by NOT running anti-malware
    within the infected system.

    If you did not understand what I wrote...
    "Use a surrogate PC to scan the hard disk of the infected computer using a good anti virus
    application such that it will remove the virus from infected files."

    That means to remove the hard disk from the infected computer.

    Use a USB to SATA or USB to IDE conversion kit (depends on if the drive is SATA or IDE)
    such that you can now connect the infected drive to a different PC, a surrogate, such that
    it is now an external hard disk (such as drive "E:"). Then using the anti virus
    application of the surrogate computer, scan the external hard disk (such as drive "E:").

    MBAM does NOT target viruses and can NOT remove a virus from an infected file.

    Who at Malwarebytes is assisting you?
     
    David H. Lipman, Aug 26, 2010
    #5
  6. Unfortunately, the advice often given is flatten and rebuild which in
    your situation doesn't appear to be a desired option.

    You have to scan without any active malware components running, that is
    why Dave's suggestion was to scan the drive(s) in a surrogate PC.

    ....although I'm not sure why it wouldn't be possible to boot from clean
    media without a surrogate PC.
     
    FromTheRafters, Aug 26, 2010
    #6
  7. From: "FromTheRafters" <>



    < snip >

    | ...although I'm not sure why it wouldn't be possible to boot from clean
    | media without a surrogate PC.

    That's another alternative such as...
    http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.iso

    From the ISO one can create a boot disk and scan the infected computer. However, it would
    be *best* performed using a second computer.
     
    David H. Lipman, Aug 26, 2010
    #7
  8. Thanks all for comments / help.

    As I wrote the machine has a Win XP on one HD & Win 7 on another.
    We can forget about the VISTAs & the Win XP 2nd copy.

    I boot into one or another by selecting it in the BIOS. They
    do not share a Boot Manager. All the system parts show signs of infection
    with this 'NasTy'.
    I am scanning with DR WEB: Win 7 from the XP & XP from Win 7.
    I am carefully not running any App. from outside the immediate System Disc.
    It seems to me certain that this got into the XP around 3 weeks ago (not
    more) & has spread around all the O/S's from there including those that have not
    been run in that time.

    I have already entered Ant's ('Mighty God O wicked Bugs') suggestion
    into Win 7's Registry & rebooted.
    I guessed right & entered it as Ant has said here. Thanks.
    Though regedit also shows a 'Default' not set value, which can not be
    deleted, created in that new Key.

    This Win 7 is feeling progressively healthier today as DR Web goes over it
    repeatedly.
    So it's difficult to tell any difference. But for the first day in many
    reboots I can not find the main tell-tale signs:
    c:/Program files (x86) /Microsoft ..is empty
    There are no fake FireFox or iExplore processes in Task Manager after some
    hours of use.
    Or the excessive Disc activity that goes with them (when 'NAsTy' is hunting
    & infecting files any & everywhere).
    There are no weird short nonsense named Folders in
    C:\Users\mouse\AppData\Roaming
    e.g. "xyfr" with little similar sounding nonsense files inside, sometimes only,
    which get listed in Windows Firewall. They have odd, old Creation Dates.
    However DesktopLayer.exe is still coming up listed in the Registry in
    Userinit.
    Though not in Start Up programs (that I can see).

    This is Windows 7 64bit. Slightly different path names in Windows XP.

    Now that Win XP Pro is a tougher problem with those symptoms reappearing
    after many Cleaning sessions. It will be interesting to see if that Registry
    entry of Ant's ('The Mighty Understanding one') has any effect.
    But that will have to be tomorrow (yawn) as it's 4 something AM in the very
    wet UK.

    Thanks Ant, sorry for the silliness but your description is the only one
    showing a good understanding of this 'ThINg' (it does not deserve a proper name)
    any Net place.
    I have seen no sign of anyone beating this yet. Those who think they have
    find it reappears.
    @@@ Mouse (sleepy one)@@@
     
    Trimble Bracegirdle, Aug 26, 2010
    #8
  9. I have spent some 6 hours today in that very messy Win XP Pro &
    have seen no signs at all of this Horrid Thing. (Hooray & crossed fingers)
    After 10+ days of struggling.

    That XP Svc Pk 3 has had to have 3 Repair re-Installs,
    3 or 4 DR WEB full scans with cure files selected, many Malwarebytes
    Anti-Malware scans from both outside from another O/S & from within.
    I think (not certain) that the Registry entry given here by ANT has helped as
    well.
    I'm surprised XP is working at all ..but with a few file omissions mostly
    in utilities I have been able to reinstall it seems OK.
    I have run a number of games. OBLIVION is the only one found so far that is so
    messed up I will have to reinstall. Both the Bad Bug & the Cleaners really seemed
    to like chewing into that ?
    @@@Mouse@@@
     
    Trimble Bracegirdle, Aug 27, 2010
    #9
  10. BD

    You are clueless and why put your nose into something that you are completely lost
    with.

    --
    Peter

    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    http://www.microsoft.com/protect
     
    Peter Foldes, Aug 27, 2010
    #10
  11. Burn???

    ....only BoaterDave would resort to such drastic measures.
    As I recall, he has four or five OSes each on separate drives and uses
    the BIOS to determine which one to boot from/to. Do you understand this
    complication?
     
    FromTheRafters, Aug 27, 2010
    #11
  12. I've used fdisk for choosing which "partition" to make active/bootable.
    After installing Mandrake 7.0, I always used "grub" one of the Linux OS
    choosers for all of my multi-boot systems. Never had that many "disks",
    else I suppose I might have gone that route too (better isolation) and
    my Packard-Bell computer had a SAS that brought up the CMOS setup
    program.
    No doubt.
    Thanks (grumble grumble).
     
    FromTheRafters, Aug 28, 2010
    #12
  13. David

    I have six in front of me David. Each one is for a certain use. As a matter of fact
    4 of them are running at present and the other 2 will kick in sometime overnight and
    join them. At that time all six will work at the same time.
    Now, does that get your pants into a frizzy? Do not ask me why I have six because I
    will not tell you.
    OS's used which are all Servers with the exception of XP

    W2K3 and W2K8
    Windows XP and Win 2000
    Linux Red Hat and Mandrake
    All six are running from a Hub on a T Line

    You think the above is a sign of a Bad Guy or a Terrorist as you have branded me
    before and still are?

    --
    Peter

    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    http://www.microsoft.com/protect
     
    Peter Foldes, Aug 29, 2010
    #13
  14. No, just the one.
    Did you ever try to network one computer?
     
    FromTheRafters, Aug 29, 2010
    #14
  15. I did say back up this thread a bit..
    My busy home system consists of an 80GB Win XP install which has been my main
    OS for years, with very, very many programs installed & vast numbers of
    Games from 15+ years.
    also on 250GB & a 1TB drive (200 GB is used.)
    There is also an Install of Windows 7 64 bit which I am using now.

    There are 2 separate installs of VISTA 32 bit, not used anymore.
    And a backup 2nd install of XP.
    Over a couple of months I have been progressively
    transferring my main installation OS to that Win 7 & intending to move
    everything to that newly bought 1TB drive
    & then use the older 80GB & 250GB for backup.
    This "Nasty" has caught me at a very bad time.
    (\__/)
    (='.'=) This is Bunny. Copy and paste Bunny into your
    (")_(") signature to help him gain world domination.
     
    Trimble Bracegirdle, Aug 29, 2010
    #15
  16. 2 days of things working.
    'Bad Bug' reappeared once.
    DR WEB found a section of game folders with it I must have missed.
    That of course is the big worry. I might run OK for months then happen to
    run some infected Prog. & it will all start up again.
    Soooo ! my clean-it route leaves me constantly on edge watching Task Manager
    for symptoms.

    I'm finding a fair number of my many many Games are damaged..
    as likely by the various Cleaner Progs I've been using as by the 'Bad Bug'.
    Strangely the most recent Games seem to be the most affected ?
    With the Main exe's & starter Dll's damaged. (Quake 1st Lives!!)

    Finding a replacement DLL or running the Game's most recent Patch
    seems to be curing them fairly easily. Neverwinter Nights II is a chewed up
    mess what with its 2 add-on packs & vast numbers of patches that have to be
    downloaded. 'Big Bad Bug' seems to know which Progs to pick for maximum
    mess.

    If I was advising some other user I would also say 'Reformat & reinstall
    everything'
    (\__/)
    (='.'=)
    (")_(") mouse
     
    Trimble Bracegirdle, Aug 29, 2010
    #16
  17. You are a Troll. Needless CROSSPOSTING REMOVED

    --
    Peter

    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    http://www.microsoft.com/protect
     
    Peter Foldes, Aug 29, 2010
    #17
  18. 'Bad guys' have always used the most modern technology to their own ends.
    Technology has always had to catch up to stymie their plans.

    Why do you appear to think it has ever been otherwise, and why do you
    search out 'bad guys' in all the wrong places?
     
    Aardvark, Aug 29, 2010
    #18
  19. ~BD~ wrote, in
    Then quit being one yourself. Keep your stupid crossposting out of real,
    technical groups.

    (crosspost allowed for this reminder.)
     
    Beauregard T. Shagnasty, Aug 29, 2010
    #19
  20. Hey, Beau. Haven't seen you in 24 for a while.
     
    Aardvark, Aug 29, 2010
    #20