
Reformatting advice.


Matarael

Member
Joined
Dec 19, 2004
Okay. I picked up the Win32/Ramnit trojan from some other forum when looking for info on a visual novel, because they were at the top of the Google results list. I'd gotten ransomware from there before, so when I realised it was that place, I tried to close my browser, a bit late for that. But I got rid of the ransomware easily last time.

Anyway, this trojan seems to have run riot on my laptop over the last 18 hours and pretty much injected every single DLL and EXE that has been used since the infection.

Running MSE seems to have brought up thousands of infected registry keys and a few hundred DLLs/EXEs, mainly relating to 10 or so programs I've actively used since yesterday and a few others.

So I think it's time for a good old-fashioned reformat, because if this many things are infected, God only knows what has been missed. Thankfully, it only seems to be program files.

Quick question. I have backup drives, but they're full. If I were to use Partition Magic, would I be able to move things I want to back up onto the new partition, reformat Windows on my main partition, transfer them back and then use Partition Magic to merge the two back into one?

I'm currently using W7-64 OEM on a Dell XPS M1330
 
First go into safe mode with networking.

Download and install Malwarebytes. Run a full scan. Remove all infections.

Download and install ComboFix and run it.

Open an elevated cmd and type sfc /scannow

Reboot into Windows normally.

After that run one more Malwarebytes scan in normal Windows and you should be good.

WARNING: If you are missing icons and shortcuts DO NOT clear your temp files

Question: You don't have Windows Antivirus 20XX do you?
 
I've run Malwarebytes quite a few times and unfortunately the stuff it removes always comes back for more.

I've tried looking for the files manually by going through Process Explorer and found the files which are hiding as svchost.exes, but they still came back after being deleted.

I'll try ComboFix now. I've seen it suggested a few times when looking on Google.

Not running anything other than Spybot, Malwarebytes and MSE, which has been fine for the last 4 years or so.
 
Are you in safe mode? You need to be in safe mode for the bad stuff to get pulled out.

ComboFix is a great tool, I'd place a bet that it will clean it out.
 
Yeah. Running it in safe mode made no difference. I deleted the files and they'd just come back again when I started Windows proper.

I'm running ComboFix now. Hopefully it won't be too bad...

That said, I'm not entirely sure which programs MSE has quarantined or removed files from. So I'll probably have to do a lot of reinstallation anyway.

Thanks so far though. I'll post again in an hour or so with the results...
 
To be frank, MSE sucks. Avast is much, much better. Give it a shot, I use it on all my computers.

Could you get me the exact name of the infection?
 
As far as I know, it's Win32/Ramnit. I believe it's Ramnit.D as it seems to have similar behaviour with file locations and disguising the process as svchost.exe. But MSE didn't provide details other than it being Ramnit.

I wouldn't mind so much if it didn't try to inject every single EXE and DLL it can.
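A defender-side triage check for the "process disguised as svchost.exe" symptom described in this thread, written as an added example; it is not code from the thread or from any of the tools named in it. It assumes PowerShell 3.0 or later and a standard Windows layout, and flags any process called svchost.exe whose image is not %SystemRoot%\System32\svchost.exe or whose parent is not services.exe, the two properties a genuine service host always has. The sample snapshot (PIDs and paths) is constructed so the function can be tried without a live system.

```powershell
# Added example (not from the thread or from any tool named in it).
# Flags processes named svchost.exe that do not look like the genuine Windows
# service host: wrong image path, or a parent process other than services.exe.
# Requires PowerShell 3.0+ for the [pscustomobject] syntax.
function Find-SuspiciousSvchost {
    param(
        # Objects with ProcessId, ParentProcessId, Name and ExecutablePath,
        # e.g. the output of Get-WmiObject Win32_Process.
        [Parameter(Mandatory = $true)][object[]]$Processes
    )
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    # Index by PID so each svchost can be matched to its parent's name.
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        if ($p.Name -ne 'svchost.exe') { continue }   # -ne is case-insensitive in PowerShell

        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reasons = @()

        # The real service host is always launched from System32. A null path
        # usually means the query was not run elevated, so report it as unverified.
        if (-not $p.ExecutablePath) {
            $reasons += 'image path could not be read (run elevated)'
        } elseif ($p.ExecutablePath -ne $expectedPath) {
            $reasons += "image path '$($p.ExecutablePath)' is not '$expectedPath'"
        }

        # Legitimate svchost instances are started by the Service Control Manager.
        if ($parentName -ne 'services.exe') {
            $reasons += "parent is $parentName (PID $($p.ParentProcessId)), not services.exe"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId      = $p.ProcessId
                ExecutablePath = $p.ExecutablePath
                Parent         = $parentName
                Reason         = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample snapshot (hypothetical PIDs and paths) so the check can be
# tried without touching a live system. Only PID 2300 should be reported.
$sample = @(
    [pscustomobject]@{ ProcessId = 4;    ParentProcessId = 0;    Name = 'System';       ExecutablePath = $null }
    [pscustomobject]@{ ProcessId = 500;  ParentProcessId = 4;    Name = 'services.exe'; ExecutablePath = "$env:SystemRoot\System32\services.exe" }
    [pscustomobject]@{ ProcessId = 812;  ParentProcessId = 500;  Name = 'svchost.exe';  ExecutablePath = "$env:SystemRoot\System32\svchost.exe" }
    [pscustomobject]@{ ProcessId = 1700; ParentProcessId = 1600; Name = 'explorer.exe'; ExecutablePath = "$env:SystemRoot\explorer.exe" }
    [pscustomobject]@{ ProcessId = 2300; ParentProcessId = 1700; Name = 'svchost.exe';  ExecutablePath = "$env:LOCALAPPDATA\svchost.exe" }
)
Find-SuspiciousSvchost -Processes $sample | Format-List

# Against the live system (run from an elevated PowerShell prompt):
# Find-SuspiciousSvchost -Processes (Get-WmiObject Win32_Process) | Format-List
```

Two caveats when using it on a real box. Run it elevated, otherwise ExecutablePath is empty for processes owned by other accounts and they are reported as unverified rather than clean. And a hit only tells you which process to look at; on a machine where a file infector has already touched most of the executables, as the poster describes, the check is useful for confirming the symptom, not as a substitute for the reinstall the thread ends up recommending.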
 
After ComboFix, make sure to run sfc /scannow; it will rebuild Windows files. That tool saves lives lol.

Edit: try these as well:

http://about-threats.trendmicro.com/Malware.aspx?language=us&name=PE_RAMNIT.H

http://www.bitdefender.com/VIRUS-1000644-en--Win32-Ramnit-G.html < Bitdefender works well too

http://www.pcsafedoctor.com/Unknown/remove-Win32.Ramnit.H.html < Don't download the tool but you can try the manual removal

Anything's worth a shot at this point

Try ComboFix and sfc first though

Have you ever backed up your reg before?
 
Okay, I gave ComboFix and sfc a shot; I can't really make heads or heels out of the logs though.

sfc said that some files couldn't be repaired, but it's been like that when I've run it in the past.

Running Malwarebytes again, to see if it picks up anything. Afterwards, I'll check up.

Will be another 2 hours or so before MBytes finishes. Will see if the jecfslby.exe running the fake svchost that keeps cropping up after that...

I hope it doesn't... I'll give the other tools a shot too.

Thanks again.

Edit: The only times I remember backing up my reg is when making major changes or being asked to do so. I don't think it's been backed up for a good 6 months at least though.
 
You can try to back up your reg now, and re-import that old one. Some programs may stop working but it may shut the virus down ;)

And you're welcome, let me know how it turns out!
 
It's still there.

Couldn't find any registry backups.

I think I'm going to have to do a reformat.

If the trojan is dormant in safe mode, I could transfer files to another partition/drive in that (after scanning) and then reformat my main drive without any worries, right?
 
Depends man, I'd load up an XP machine on a crap HDD and run many scans on them with no network. Don't just smack them on any production box and scan ;)
 
Unfortunately, I don't have that liberty any more. The only machine in my possession nowadays is this laptop.

I really should change my sig... it's over 6 years old now, haha.
 
Download VirtualBox, install XP. If you need an ISO I can give you access to my FTP server for it.

Get XP installed on a VM. Once that is done, get all your malware tools on it. Make sure to disconnect the virtual NIC after downloading the software.

Then plug in your SATA drive and mount the drive to the VM and start scanning. This isn't as safe but it's as close as you can get.
 
Well, I'll see if I can free up some room on my old portables. I have a few that I've used for backing up family stuff in the past, so if it's crowded with that stuff, I'll see if I can shuffle them around a bit.
 
Do not use Partition Magic on modern computers. Partition Magic is for old computer systems. Partition Magic will most likely mess up your partition table and your data.

You could partition your hard drive using modern partition software, but with data already on it this is a risky and lengthy procedure. It can be done, but partitioning is really best done on empty hard drives.

Which is what you should do now. Partition a new hard drive. Install only the OS and small applications on your C partition. Install large applications/games on another partition.

This way you can image your OS partition quickly and frequently. You can store the image files on another hard drive for quicker imaging/reimaging. It's really the only way to use computers nowadays. It's quicker to image/reimage than to fix even the smallest of problems.

I don't keep any documents on my OS partition so I nuke it and reimage it at least once a month. Use Avira AntiVir freeware to protect yourself in the future because its definitions are better than Avast's or Microsoft's. http://www.overclockers.com/forums/showpost.php?p=7115465&postcount=9
 
There's nothing wrong with Partition Magic, but there are better solutions out there like EaseUS Partition Master: http://www.filehippo.com/download_easeus_partition_master_home/

I used to use Partition Magic up until a few months ago and then a co-worker showed me Partition Master. But in either case both will work perfectly fine on all NTFS drives with no issues.

EDIT: Nor would I call this risky. If you're copying from one drive or partition to another there is no risk. Even if it fails your original location is fine. I use P Master almost every day when working with vCenter and its VMs. And at least see it being used once a week on physical drives.
 
I found out the hard way that Partition Magic is not compatible with modern chipsets and hard drives over 1 TB.

Partition Magic is used to repartition hard drives, not for copying contents of one physical hard drive to another physical hard drive, correct? Messing with partition tables of drives filled with non-backed up data is very risky.
 
I found my old Partition Magic 8.05 notes:

Partition table errors may result even if this program gets around Error 4444 on NTFS and Windows Vista partitions which can be done by scanning the Vista partition using chkdsk FROM Windows XP. [NTFS has a hidden file called $UPCASE which maps lowercase and uppercase Unicode characters. When you run Windows XP's version of chkdsk, it corrects the $UPCASE table on the Vista partition (makes it the same as XP's). The change doesn't affect Vista's operation but it allows DriveImage and PartitionMagic to work. However, unexpected partition table errors still appear later.]

Use of this program is recommended with Windows XP (and earlier versions of Windows) ONLY and hard drives smaller than 1 TB.
 