Dell laptop infected with WIN32 RAMNIT B WORM!!! Will this method work?

superman909
Posts: 129 Forumite
in Techie Stuff
Hi there..... Basically yesterday I clicked a link out of naivety which infected my Dell M101z laptop with a nasty worm virus called WIN32 RAMNIT B I think. Anyway, it is beginning to spread on my system, not sure how bad the damage is, but since I have no Windows 7 disc from Dell so I can reformat, is the Dell Factory Image option just as good, or could the virus have already infected that file, as I know it is a pretty nasty one, infecting all kinds of files. Is this factory image restore likely to work even if it is extremely serious? Also, is the ADrive site reliable to upload any documents I want to back up - I have over 25GB worth of stuff I need to back up before I restore. The laptop is over one year old, out of warranty.
Comments
-
Doing a Factory Restore will give you a clean system. But of course you will lose all your data.
You probably don't want to hear this, but the time to back up is before you get infected or suffer hard drive failure.
If you can get the files off first then you'll need to ensure that they are clean before you reinstall them, or you'll be back to square one.
I'd try and clean up with MalwareBytes first before restoring.
No free lunch, and no free laptop
-
Hi Macman.... Thanks very much for the reply. I'm aware of Malwarebytes but apparently it isn't too good with this particular worm virus. I am happy about losing all other files apart from photos and about 30 or so Word documents/pdfs which I definitely need - could these be infected?? As you said it would have been wise to back up before infection - I did maybe a month ago but obviously since then I have some new documents which I can't afford to lose. Generally, would you expect the jpeg photos, some family videos and Word documents to be safe? I will be backing them up online with ADrive, have you heard of them? Thanks again.
-
It's impossible to say what might or might not be infected - you have to assume that anything could be.
What AV program are you using?
Backups need to be done at least weekly, or there is no point.
No free lunch, and no free laptop
-
Have a read of Post 4 on this thread at Bleeping Computer
-
superman909 wrote: »I'm aware of Malwarebytes but apparently it isn't too good with this particular worm virus.
Malwarebytes doesn't have the ability (like an antivirus does) to disinfect legitimate files infected with viral code - it can only delete the file.
superman909 wrote: »I am happy about losing all other files apart from photos and about 30 or so Word documents/pdfs which I definitely need - could these be infected??
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fRamnit
Win32/Ramnit infects Windows executable files with a file extension of ".EXE", ".DLL" and ".SCR". The infected executables may be detected as Virus:VBS/Ramnit.A or by another similar detection name.
Win32/Ramnit infects HTML document files with ".HTML" or ".HTM" extension. The infected HTML files may be detected as Virus:VBS/Ramnit.A or by another similar detection name. The infected HTML files have an appended VBScript. When the infected HTML file is loaded by web browser, the VBScript may drop a copy of Win32/Ramnit as "%temp%\svchost.exe", then execute it.
Win32/Ramnit also infects Microsoft Office OLE document files with ".DOC", ".DOCX" or ".XLS" file extensions. The infected document may be detected as Virus:O97M/Ramnit. The infected document contains a macro which will attempt to run when the document is opened. The macro may drop a copy of Win32/Ramnit as "%temp%\wdexplore.exe", then execute it.
-
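A triage pass over a backup folder, built on the file types and traits in the Microsoft write-up quoted above, as an added example that is not part of the original thread. The verdict names, the `triage` and `demo` functions and the OLE/zip macro checks are assumptions of this sketch; a "scan" verdict only means no marker was seen, so the file still goes through antivirus before it is restored.

```python
import re, tempfile, zipfile
from pathlib import Path

EXECUTABLE = {".exe", ".dll", ".scr"}            # executable types listed in the write-up
HTML = {".html", ".htm"}
OFFICE = {".doc", ".docx", ".xls"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy binary Office container header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # heuristic: OLE directory name for macros

def triage(path):
    """Classify one backed-up file as 'exclude', 'suspect' or 'scan'."""
    path = Path(path)
    ext, data = path.suffix.lower(), path.read_bytes()
    if ext in EXECUTABLE:
        return "exclude"          # reinstall programs from a clean source instead
    if ext in HTML:
        closers = list(re.finditer(rb"</html\s*>", data, re.I))
        tail = data[closers[-1].end():] if closers else b""
        # Script after the final </html> matches the "appended VBScript" trait.
        return "suspect" if re.search(rb"<script[^>]*vbscript", tail, re.I) else "scan"
    if ext in OFFICE:
        if data.startswith(OLE_MAGIC):            # binary .doc/.xls
            return "suspect" if VBA_STREAM in data else "scan"
        if zipfile.is_zipfile(path):              # real .docx is a zip archive
            with zipfile.ZipFile(path) as z:
                names = z.namelist()
            macro = any(n.lower().endswith("vbaproject.bin") for n in names)
            return "suspect" if macro else "scan"
    return "scan"                 # photos, videos, PDFs: still run through AV

def demo():
    """Build constructed sample files (no real malware) and triage them."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        samples = {
            "clean.html": b"<html><body>hi</body></html>\n",
            "appended.htm": b"<html><body>hi</body></html>\n"
                            b"<SCRIPT Language=VBScript>' constructed placeholder\n</SCRIPT>",
            "setup.exe": b"MZ constructed stub",
            "letter.doc": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM,
            "plain.doc": OLE_MAGIC + b"\x00" * 64,
            "holiday.jpg": b"\xff\xd8\xff constructed",
        }
        for name, body in samples.items():
            (d / name).write_bytes(body)
        with zipfile.ZipFile(d / "report.docx", "w") as z:
            z.writestr("word/document.xml", "<w:document/>")
            z.writestr("word/vbaProject.bin", "constructed")
        return {p.name: triage(p) for p in sorted(d.iterdir())}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```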
I'm using Avast Antivirus which detected quite a lot when the PC first acquired the worm. It moved the files to a chest, obviously it is incredibly hard to permanently get rid of it, maybe even impossible, so the reformat seems like the only option. In future I will definitely back up regularly but as I definitely can't afford to lose these files, mainly jpegs, some videos though, what's the best way to scan for infection when I recover these files after reformat?
-
Have you done a full manual scan using Avast? If it has already found and quarantined them, then what are you concerned about?
No free lunch, and no free laptop
-
Another important point to remember is that Ramnit steals data & allows backdoor remote access to the PC which allows data to be uploaded & downloaded.
You have to be confident yourself that the PC is clean - especially if you bank online or use CC cards etc.
Files can also become corrupted during disinfection, which would mean possibly re-installing programs and the OS anyway. I've seen one recent thread on here where Malwarebytes removed hundreds of files including ones for MS Office.
-
https://forums.moneysavingexpert.com/discussion/3609217
The laptop may have the means to create Windows 7 discs, possibly to an external DVD drive.
Clean the infection with a boot CD and Avast boot scan, try and recover data, then reinstall Windows!!
-
Hi closed, and everyone else who replied, please could you explain this in a bit more detail, what do you mean exactly by clean the infection with a boot CD and avast boot scan? How do I go about this? Bear in mind I don't have a CD drive in my Dell M101z laptop.
Does the following sound quite logical:
Since I have spotted this infection quite early on, and at the moment it isn't causing many noticeable issues, should I upload all my photos, Word documents, videos and pdf files to ADrive (a free online data storage system, which has some decent reviews, especially since you get 50GB of free storage - it's funded by ads I believe, so it's free)?
I am taking the chance that since the PC acquired the virus yesterday, and no major issues are evident as of yet, then uploading these now, should be okay, especially since the most commonly targeted files seem to be program files, any executables, etc?
Anyway, if I do that, then what do you mean about the boot CD clean? Could I just run the Avast bootscan, then reformat Windows 7 (wipe clean) using Dell's factory image restore - both reformat and reinstall Windows 7?
Please correct me if you read anything you spot that might be a big issue. Bear in mind I don't have an external/internal DVD drive. I could theoretically buy one if it means a more effective way of treating the problem. I couldn't care less about losing any other files, so long as I can keep all my photos, videos and Word documents. I don't have anything else important that I would miss to be honest.
Many thanks in advance (I am a noob with this PC's).
This discussion has been closed.