Topic: Viruses
Grifter
« on: August 06, 2010, 02:41:02 PM »

Since Sunday/Monday I seem to have got a couple of viruses that are seemingly impossible to remove. They are:

Win32/Ramnit.A virus
Win32/Olmarik.ACH trojan

Eset seems to just about keep it down but can't get rid of it. Earlier in the week it was impossible to log in to anything needing a password, like PayPal or Google Analytics etc. After running Malwarebytes I seem to be able to get on the net, but am getting constant warnings from Eset saying "detected and cleaned", especially for the top one. Then my Hotmail got hacked today too.

Does anyone have any ideas about getting rid of these? Especially the top one.
seamus
« Reply #1 on: August 06, 2010, 03:32:00 PM »

scotserve would be the man to ask about this; he's rather good with fixing this kind of thing.

*awaits scottie's advice*

scotserve
« Reply #2 on: August 07, 2010, 10:36:01 PM »

The top one is pretty serious, as it creates a back door onto your system:
http://www.threatexpert.com/report.aspx?md5=a2cc13e4a91b2555d76365975182c819

Is your Eset up to date?

As a security precaution you should not log into anything while this is still on your machine, and once it is removed you should change all passwords, including FTP.

Can you do a rollback?

Scotserve - Premium Domain and Hosting services since 1994
Grifter
« Reply #3 on: August 08, 2010, 10:41:16 PM »

I thought I'd managed to get rid of it, but no. Looks like it was from Windows Movie Maker. I couldn't delete it, but in safe mode I managed to delete the files but not the folder. It seems to attach itself to all the Windows programs like mediaplayer.exe and wordpad.exe. More worryingly, one of the DLLs for Rapport, which is the banking one. When it was in full flow Eset was protecting me, but it prevented me doing anything. Every time I tried to access something with a password Eset blocked it because remote access was trying to intervene. Seems really clever, because nothing will shift it.

Looking at the Eset logs, it's back again today. Not as prevalent as before, but still there.

As for System Restore, I find it useless. I've tried it on this computer and a couple of laptops maybe 30 times and not once has it succeeded. It does its thing for an hour or two and then finally says unsuccessful. The only option is to do a factory reset again, which I abhor because I lose everything again. I lost all my music last time (last summer) and when I went to download the music again the UK tightened up the regulations and made it tougher on file sharing sites. However, it is these file sharing sites that bring the trouble, so I can't complain.

System reset methinks...
pure-wicked
« Reply #4 on: August 09, 2010, 06:54:39 PM »

Grifter

Am I right in thinking that Rapport is for Natwest?

Have you mentioned this to Natwest? They should be quick to find a way to protect against this, and maybe it's an option to not have to reset?

Just a thought but maybe worth having a word with your manager etc and seeing what they say.

Hope this helps.

Regards Dave
Sassy
« Reply #5 on: August 09, 2010, 10:28:27 PM »

Hi Love, sorry you're still having a bit of a mare with your viruses.

I saw your post on the forum, so just out of curiosity and for my own info, should this happen to me, I did a google on them.

Here are a few links with a bit of info. Not sure if they're of any help, but they're very in-depth and techy, so I thought it was worth letting you have a gander just in case.

http://forums.techguy.org/virus-other-malware-removal/938626-win32-ramnit-worm-hijack-log.html

http://forums.techarena.in/antivirus-software/1354606.htm

http://forums.majorgeeks.com/showthread.php?t=220591

http://forums.majorgeeks.com/forumdisplay.php?f=35

Majorgeeks appear to have a malware removal specialist, so maybe worth a post on there hun.

speak soon

Annie

Posted to your e-mail too just in case!
50% Of Success Is Just Showing Up! I've spent a lifetime in showing myself up, so does that make me successful???
Grifter
« Reply #6 on: August 10, 2010, 12:46:34 AM »

Thanks Annie, I'll have a look at the geeks site more closely tomorrow as I'm too drunk at the mo and it seems gobbledygook. This virus is a killer. I've got it right toned down from where I started, but here's today's log:

09/08/2010 22:11:20   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 22:11:19   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 22:11:18   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 22:08:41   Real-time file system protection   file   C:\Program Files\Outlook Express\msoe.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 20:15:28   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 20:15:27   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 20:15:26   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 20:12:49   Real-time file system protection   file   C:\Program Files\Outlook Express\msoe.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 18:19:54   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 18:19:53   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 18:19:51   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 16:13:40   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 16:13:39   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 16:13:38   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 15:31:11   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 15:31:11   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 15:31:10   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 15:29:46   Real-time file system protection   file   C:\Program Files\Outlook Express\msoe.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 14:48:01   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 14:48:00   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 14:47:59   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 14:46:17   Real-time file system protection   file   C:\Program Files\Outlook Express\msoe.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 14:02:04   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 14:02:03   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 14:02:02   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 13:18:28   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 13:18:28   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 13:18:27   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 12:36:08   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 12:36:07   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 12:36:07   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 11:53:50   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 11:53:49   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 11:53:48   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 11:11:21   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 11:11:21   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 11:11:20   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 10:28:53   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 10:28:52   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 10:28:51   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
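One way to read a log like the one above, as an added example that is not code from the thread or from ESET: it parses the export layout shown in the post, counts which files keep being cleaned and which process is writing to them, and reports when the cleaner is only treating symptoms. The column layout (fields separated by runs of three spaces, a trailing note naming the writing process) and the sample lines are assumptions modelled on the post.

```python
"""Triage of an ESET real-time protection log export (added example, not the
poster's or ESET's code). Assumes the column layout seen in the thread: fields
separated by runs of three or more spaces, with a trailing note that names the
process which wrote the detected file."""
import ntpath
import re
from collections import Counter

# Constructed sample in the same layout as the log posted above (fewer lines,
# same target files, same two writer processes).
SAMPLE_LOG = r"""
09/08/2010 22:11:20   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 22:11:19   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 22:08:41   Real-time file system protection   file   C:\Program Files\Outlook Express\msoe.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
09/08/2010 16:13:40   Real-time file system protection   file   C:\Program Files\Windows NT\Accessories\wordpad.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 16:13:39   Real-time file system protection   file   C:\Program Files\Windows Media Player\wmplayer.exe   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
09/08/2010 16:13:38   Real-time file system protection   file   C:\Program Files\Windows Media Player\mpvis.dll   Win32/Ramnit.A virus   cleaned - quarantined   DDJQMY2J\N   Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.
"""

FIELD_SEP = re.compile(r" {3,}")
WRITER_RE = re.compile(r"modified by the application: (.+?)\.?$")
BROWSERS = {"firefox.exe", "iexplore.exe"}  # should never patch other programs
INFECTABLE = (".exe", ".dll")


def parse_line(line):
    """Return one detection as a dict, or None if the line is not a record."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) < 8:
        return None
    when, _module, _kind, target, threat, action, _user, note = parts[:8]
    m = WRITER_RE.search(note)
    return {"time": when, "target": target, "threat": threat,
            "action": action, "writer": m.group(1) if m else None}


def triage(log_text):
    """Group detections by infected file and by the process that wrote it."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_target = Counter(e["target"] for e in events)
    by_writer = Counter(e["writer"] for e in events if e["writer"])
    return {
        "events": len(events),
        "by_target": by_target,
        "by_writer": by_writer,
        # The same file cleaned more than once means the cleaner is treating
        # symptoms: something still running keeps re-infecting it.
        "reinfected": sorted(t for t, n in by_target.items() if n > 1),
        # A browser writing to .exe/.dll files is the file-infector pattern:
        # the browser process itself is carrying the payload.
        "suspicious_writers": sorted({
            e["writer"] for e in events
            if e["writer"] and ntpath.basename(e["writer"]).lower() in BROWSERS
            and e["target"].lower().endswith(INFECTABLE)}),
    }


def verdict(summary):
    """Plain-language reading of the triage result for the machine's owner."""
    if summary["reinfected"] and summary["suspicious_writers"]:
        return ("Cleaning is not removing the infection: %d file(s) were re-cleaned "
                "and the writes come from %s. The writer process is compromised; "
                "rebuild, or restore a backup taken before the first detection."
                % (len(summary["reinfected"]), ", ".join(summary["suspicious_writers"])))
    return "No repeat infections seen in this log."


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for target, count in result["by_target"].most_common():
        print("%2d  %s" % (count, target))
    print(verdict(result))
```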
Grifter
« Reply #7 on: August 10, 2010, 01:02:39 AM »

Quote from pure-wicked:

Grifter

Am I right in thinking that Rapport is for Natwest?

Have you mentioned this to Natwest? They should be quick to find a way to protect against this, and maybe it's an option to not have to reset?

Just a thought but maybe worth having a word with your manager etc and seeing what they say.

Hope this helps.

Regards Dave

Rapport do lots of banks. Actually, they don't do mine. However, they do my other half's. Like much software they seem to plant continuous active files for their good. However, when a smart virus like this intervenes then "my enjoyment of perusal of the web" I doubt is their care. Could the virus be good enough to intervene and do some damage on the banking side? I really don't know and don't want to test it.

I think Eset is one of the best bits of gear you can buy. But it can't get rid of it. It will tell you it's there and protect you, which is invaluable. But this seems such a cunning worm I am proud, for a non-techie, to have reduced its activity to my post below. You should see it in full swing. You get massive amounts of warnings from Eset about unauthorised access from IPs like 89,, (Russia?). I now have to turn my modem off manually until I decide I can sort this or go back to factory reset. Reset takes at least a day or two just to update the Windows files to today's. It's a right pain but I think the only one.
Grifter
« Reply #8 on: August 10, 2010, 01:17:31 AM »

In fact my other half's bank recommends and sells McAfee. Now I know from what I've found that only Eset and Microsoft Security Essentials can stop this thing. Neither can get rid of it, but they can protect you, which is what you pay for. I've done some research and haven't found anything else that can stop it. I'm quite glad I have Eset, which stopped me for days doing anything on the internet, because every time I did it got an incoming call from Russia.

I'd rather have nothing and be safe than crack on and get robbed. I'm no techie, so when I look at geek sites that tell me to run software but I must disable my antivirus and other protection, then I worry.

These guys are far smarter than me, and knowing where to place trust online seems a dodgy game.
scotserve
« Reply #9 on: August 10, 2010, 05:24:33 PM »

Quote from Grifter:

These guys are far smarter than me and knowing where to place trust online seems a dodgy game

Yep trustee meto fixee u computor - I make good websight that will remove all bad files  ( but place my own on there )

Grifter - really you should look at reformatting - get yourself a cheap USB external drive and run backup software to keep a retained backup that you can restore in the event of something like this in the future

BTW I have been preaching the virtues of Eset for about 8 years now - simply the best.
seamus
« Reply #10 on: August 10, 2010, 05:36:49 PM »

Eset is rather good. I've been using it for a while now, no probs so far (touch wood). Thumbs up.
Sassy
« Reply #11 on: August 10, 2010, 05:46:39 PM »

I have to agree. We used Eset NOD32 on all the PCs in my estate agency and never had any problems at all.

I've just started to use it again and hope that it's still as good.

Grifter and I have both been accessing my cPanel recently through FTP. Could this virus have also got into my PC through the FTP connection, as it's really being weird at the moment?

It's probably just kicking back in an OAP kind of way, screaming to be put to rest, but Outlook won't send and receive, plus it's like flogging a dead horse getting it to decide whether to open Explorer, or even a document.

Gary, did you get any joy from the majorgeeks forum malware "specialist"??? Hope you're having some success love.
Grifter
« Reply #12 on: August 10, 2010, 05:51:14 PM »

Yeah, I love Eset, it is brilliant for protection. I think it's a complete reformat/factory reset for me. Then it will take me all day to update Windows and stuff, lol. Ah well, I'm not getting any work done at the mo so I'm going to have to bite the bullet. Whenever I run Firefox I get a second hidden one that opens up. I can close it with Task Manager, but I don't know whether some of the other processes have been compromised, especially the svchost ones.

I will reset tomorrow Sassy. I haven't accessed any of your stuff since I've had this. I don't think it's had much success anyway because of the protection. I'm not going to bother with the geek site thing because it only works if you turn off all protection.
Sassy
« Reply #13 on: August 10, 2010, 06:27:07 PM »

Would turning off protection for the short duration you're running the comodofix thing (name's wrong but I can't remember it right now, but similar).

What a nightmare for you love.

I send my full commiserations, as I lost everything last year and it was dreadful. I'd actually lost it once before and religiously backed up, then got busy running the agency and converting the boozer into a gastro job at the same time, so forgot to do it for a few months and POOF!!!! there it was, all gone with one vile virus! Lost the lot again! The data from 2 businesses down the pan in one click!

Am definitely going to look at taking an Acronis account for full image backup of the OS and programs as well as the documents. It's on offer at £23.99 for the home version at the moment, so worth a thought for the future......... Not that you need reminding, just letting you know it's on offer for when you get up and running again.

However, I'm open to suggestion if anyone knows of a cheaper option for full system back up.
Grifter
« Reply #14 on: August 10, 2010, 06:50:20 PM »

I don't see much point Annie. The third link you gave to major geeks forum shows how tough this thing is. They are giving specific advice to someone affected. However, I can see that I have different files affected.

Even after all the advice and some 4 different programs run there was still no fix. They ended up not even being able to boot up in safe mode.