dwsolo
Newbie

Posts: 31
« on: March 12, 2011, 11:00:49 AM »
My friend has been informed by Microsoft Security Essentials that she has the ramnit.v virus on her laptop (running XP Home 32-bit). However MSE is not offering to disinfect..... I gather from various sources, including your forums, that the best bet with such a virus is to reformat and use the backup image (which I made a week ago, luckily, using Easeus Todo), rather than attempting to disinfect.
(Even though I do have Vipre Rescue, Malwarebytes and rkill ready on a memory stick and Kaspersky 10 Rescue on a CD just in case....)
Given that formatting is the best way forward, my question is: should I simply set Easeus to recreate the image onto her laptop, or should I reformat it first in order to ensure nothing is left of the virus? If I should reformat first, what would be the best way to do it (given that we don't have her XP installation disk) and to ensure that the boot sector isn't damaged in the process? I do possess a couple of universal boot disks (Bart PE and UBD), but I have never used them for reformatting as yet... and am a little unsure how to do it. Thanks for any advice. She will be bringing the laptop tomorrow afternoon, so it would be great if I could have some ideas by then :-) Thanks, David
dwsolo
Newbie

Posts: 31
« Reply #1 on: March 12, 2011, 12:00:46 PM »
PS should I consider the need to wipe the disk as opposed to reformatting it? I have DBAN if it should be needed.....
Britec
« Reply #2 on: March 12, 2011, 12:04:43 PM »
When you install from an image it will format the drive, so I am sure there will be nothing left on the drive. Have you tried doing some cleaning before you wipe the machine? Just to see if you can clean it? I myself never like to format without trying to clean a machine first. I would try to clean it from a preinstalled environment; Dr. Web will probably find a lot of infections. As long as they are not Windows system files you can probably just delete them.

Try these in this order:

http://www.freedrweb.com/livecd/?lng=en

Use the UBCD4WIN environment and use Dr. Web's CureIt! plugin; also run Malwarebytes from the preinstalled environment. Also check these possible areas and clean temp files.

Files:
%Windows%\System32\rundll32Srv.exe
%Windows%\System32\dmlconf.dat
%ProgramFiles%\Microsoft\DesktopLayer.exe
%UserProfile%\Local-Settings\Application Data\\.exe

Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "Proxy Override" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\AVSolution

Remember file names may vary. Look at the dates and days when files were added and modified. Give it a bash, what have you got to lose; you can delete them if you have the time and patience.
dwsolo
Newbie

Posts: 31
« Reply #3 on: March 12, 2011, 12:18:17 PM »
Thanks Brian. I'll try those and report back. Kind regards, David
x213erx
« Reply #4 on: March 12, 2011, 05:09:08 PM »
I would just get a Windows XP Home Edition CD and do a fresh clean install of XP.
Britec
« Reply #5 on: March 13, 2011, 05:16:58 AM »
Yeah, but even if you have to wipe the machine in the end, it's learning how the virus works and it's also good practice. Far too many tech guys want to format nowadays; I am glad to say I am not one of them.
dwsolo
Newbie

Posts: 31
« Reply #6 on: March 13, 2011, 09:04:01 AM »
Well, while I was waiting for the laptop to arrive I tried Dr Web on my (temporarily) offline computer. It took 16 hours or more to scan that computer (half a terabyte of storage) and in the end all it said was that it had found one infection - no notification of the file it was in, what it was, or whether it had been quarantined. No option to delete or quarantine was offered or anything like that. I'm not impressed with the free Dr Web CD - or else I've not understood how it is supposed to work.... (At some point I suppose I had better find out what that infected file on my (temporarily) offline computer is, but I don't want to spend another 16 hours scanning with no result at the end of it.)
So when the laptop finally came I simply reinstated the Easeus backup image and all is well with it. Lucky I had the image :-) I updated MSE and Malwarebytes and scanned to be sure all was well... and then made a fresh image just in case.
That being said, however, if I should ever need to use that Dr Web CD, how is it supposed to work? It asked for a login, but, of course, I didn't have one: a) I was offline so a login seemed pointless and b) it was a free ISO and didn't appear to require registering, so it never occurred to me to create a login... Puzzled but not in urgent need.... Kind regards, David
dwsolo
Newbie

Posts: 31
« Reply #8 on: March 13, 2011, 11:41:44 AM »
Hi, I used the version suggested by Brian: http://www.freedrweb.com/livecd/?lng=en But, as I say, the login question was just one problem. The main problem is simply that Dr Web didn't provide the required information - what the infected file was and whether or not it had been quarantined, or how to delete it. Thanks for the other links.
dwsolo
Newbie

Posts: 31
« Reply #9 on: March 14, 2011, 04:14:14 AM »
Out of interest: Avira (as per the above link - thanks :-)) found no virus today. No idea what Dr Web found yesterday. Maybe it quarantined or deleted the virus that it apparently found but didn't tell me that it had done so?
Britec
« Reply #10 on: March 14, 2011, 09:38:52 AM »
So ramnit.v virus is gone?
dwsolo
Newbie

Posts: 31
« Reply #11 on: March 14, 2011, 10:13:32 AM »
Hi Brian, the ramnit.v was on my friend's XP laptop - which I re-imaged to the beginning of the month (1st March 2011) using Easeus and returned to my friend as mentioned above. I assume that ramnit.v has therefore disappeared, but I confess I didn't do a slow thorough check, just a quick scan, since I assumed that reimaging would mean that all data saved in the days since the beginning of the month (including ramnit.v) would simply cease to exist, but my friend will let me know if the problem recurs (her partner wanted the laptop back more quickly than I could achieve with a thorough check - hmmm!).
No idea what the infection on my Vista "temporarily offline" computer was, probably not ramnit.v since it's not been online since last month, but Avira found nothing, so I assume that Dr Web either found a false positive or that it deleted or quarantined the virus without telling me it had done so.... or possibly that it found a virus which Avira didn't find... Anyway my Vista "temporarily offline" computer seems to be behaving OK at the moment..... Cheers, David
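Two points in the thread lend themselves to a concrete check: Britec's Reply #2 lists file paths to look for and says to look at when files were added and modified, and David's Reply #11 admits that after restoring the image he only ran a quick scan. The script below is an added example written for this page, not code posted by anyone in the thread and not part of any of the tools mentioned. It hashes a known-good tree (for instance the freshly restored image) into a baseline, re-scans it later to report new, modified, missing and recently-modified files, and checks for the file paths Britec listed. Assumptions of mine: %Windows% is resolved through the SystemRoot environment variable, the registry check reads only the HKLM Run key and works only where Python's winreg module exists, and, as Britec notes, the dropped file names may vary, so the path list is a starting point rather than a complete indicator set.

```python
"""Baseline hash comparison plus the file/registry checks from Reply #2.

Added example for this thread; the paths and variable names are assumptions.
"""
import hashlib
import os
from datetime import datetime

# File paths listed in Reply #2. The page writes them as %Windows% and
# %ProgramFiles%; %Windows% is assumed here to mean the SystemRoot variable.
SUSPECT_FILES = [
    ("SystemRoot", os.path.join("System32", "rundll32Srv.exe")),
    ("SystemRoot", os.path.join("System32", "dmlconf.dat")),
    ("ProgramFiles", os.path.join("Microsoft", "DesktopLayer.exe")),
]

# Autostart key named in Reply #2; the value name there is left blank.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_to_baseline(root, baseline, modified_since=None):
    """Report new, modified and missing files against a saved baseline.

    modified_since (datetime): additionally list files whose mtime is newer
    than the date the image was taken, i.e. Reply #2's "look at when files
    were added and modified" made explicit. A file infector that rewrites
    executables shows up as 'modified' even when its name is unchanged.
    """
    current = build_baseline(root)
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    recent = []
    if modified_since is not None:
        cutoff = modified_since.timestamp()
        recent = sorted(
            p for p in current if os.path.getmtime(os.path.join(root, p)) > cutoff
        )
    return {"new": new, "modified": modified, "missing": missing, "recent": recent}


def find_suspect_files(env=None):
    """Return those Reply #2 paths that exist once the variables are resolved."""
    env = os.environ if env is None else env
    found = []
    for var, rel in SUSPECT_FILES:
        base = env.get(var)
        if base and os.path.exists(os.path.join(base, rel)):
            found.append(os.path.join(base, rel))
    return found


def list_run_values():
    """List (name, command) pairs under HKLM\\...\\Run; [] where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return []
    values = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values.append((name, data))
                index += 1
    except OSError:
        pass  # key missing or access denied
    return values


if __name__ == "__main__":
    import json
    import sys

    # Usage: baseline.py <root> <image-date YYYY-MM-DD> [baseline.json]
    root, since = sys.argv[1], datetime.strptime(sys.argv[2], "%Y-%m-%d")
    if len(sys.argv) > 3 and os.path.exists(sys.argv[3]):
        with open(sys.argv[3]) as fh:
            saved = json.load(fh)
        print(json.dumps(compare_to_baseline(root, saved, since), indent=2))
    else:
        with open(sys.argv[3] if len(sys.argv) > 3 else "baseline.json", "w") as fh:
            json.dump(build_baseline(root), fh, indent=2)
    print("suspect files:", find_suspect_files())
    print("Run values:", list_run_values())
```

Run it once against the restored image to write the baseline, keep that file off the machine, and run it again with the same baseline before deciding a "quick scan" is enough: a changed hash on an executable that nothing should have touched is the kind of evidence an on-demand scanner cannot give you after the fact.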
RobTech Solutions
Newbie

Posts: 16
« Reply #12 on: March 20, 2011, 11:51:47 AM »
Hi,
I have used Kaspersky in the past and it has let many viruses in. I now use Norton 360 v4 and v5. These are brilliant, and with SpyHunter installed alongside I do not get problems. You can get a 90-day trial of Norton; I would highly recommend this software to seek out your virus and delete it.
If not, try Avast.
I'm sure one of these would fix the issue.
If not then your only option is to reformat and reload Windows.
Good luck
dwsolo
Newbie

Posts: 31
« Reply #13 on: March 22, 2011, 10:05:13 PM »
Hi RobTech, the following is not really relevant to the thread (which concerns ramnit.v and whether or not to format) but, just for information, it turns out the "virus" on my temporarily offline computer was the OpenCandy adware bundled in musicnotes.exe, not very problematic. I don't use musicnotes anyway so I deleted all instances of it just to be sure (I had two on my online computer and backup as well). Some sites call this a false positive found by Eset and by MSE among others, but it is adware so I suppose it's best to delete it. So far the reimaging on my friend's ramnit.v'ed laptop has proved successful; if there is a re-infection later on it will have come from her partner's rather extensive email activities I think (and then I'll simply reimage again and follow that with a thorough multi-antispyware scan - one at a time - just to be sure!) :-)
Thanks to all :-) David
Britec
« Reply #14 on: March 23, 2011, 04:06:11 AM »
You are right David, Norton 360, Kaspersky or Avast will not remove ramnit.v virus infection and that goes for any other AV.