"RAMNIT desktoplayer" Worm Removal Guide

Discussion in 'Anti-Virus' started by Trimble Bracegirdle, Feb 8, 2011.

  1. http://therachmat.blogspot.com/2011/01/ramnit-worm-removal-guide.html

    @@Will the experts here please comment on the approach given on this Web


    I had this very badly back in late summer ... My main method was with DR WEB
    CUREIT (a free download): told it to 'Cure' the ramnit infected files but I
    left the HTML files it detected with 'Igor' alone.

    Since then the system has seemed free until late Jan. (last week), when a
    new one got in ... Slightly different from the 1st & spread very fast
    throughout my complex Win XP & Win Vista & Win 7 (64bit) system.
    Infection getting into any corner.
    I stopped it (I hope) with repeated DR WEB.

    "Win32/RAMNET" Symptoms:

    A file called Desktoplayer.exe persistently reappears in C:/Program
    Fake FireFox and/or iExplore Processes are shown in Task Manager.
    These are much smaller (2Kb to 8 Kb) than the real thing (80+Kb). They will be
    there whether a Browser is really running or not.
    The processes are directly connected to a High, near constant (very High)
    level of Disc Activity. Stopping the fakes in TaskMan stops this Disc

    Files with the names of actual files (always exe's ???) are created which
    are copies of that Desktoplayer.exe file which is 60,416 Bytes in size & has
    the actual file name with an addition of 'Srv'
    added into it.
    Thus: Real "ProgName.exe" ...
    fake 59Kb files in same Folder,
    Etc ... etc ... etc
    Trimble Bracegirdle, Feb 8, 2011
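
A read-only check for the 'Srv' copies described in the post above, as an added example that is not part of the thread: it lists every .exe whose name is a sibling .exe's name with 'Srv' added, and records whether its size is the 60,416 bytes the poster reports. The function names and the sample tree are constructed for illustration; where in the name 'Srv' lands is not assumed, so any position is tried.

```python
import os
import tempfile
from pathlib import Path

REPORTED_SIZE = 60_416  # bytes; the size the poster reports for the copies
MARKER = "Srv"          # the addition to the real file name, per the post


def stems_without_marker(stem):
    """All names obtained by deleting one occurrence of MARKER from stem."""
    out, i = set(), stem.find(MARKER)
    while i != -1:
        out.add((stem[:i] + stem[i + len(MARKER):]).lower())
        i = stem.find(MARKER, i + 1)
    return out


def find_srv_copies(root):
    """Read-only scan. Returns sorted (suspect_path, original, size_matches)
    tuples for each .exe named like a sibling .exe with MARKER added."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        exes = {Path(f).stem.lower(): f for f in files
                if f.lower().endswith(".exe")}
        for name in exes.values():
            originals = stems_without_marker(Path(name).stem) & exes.keys()
            for key in sorted(originals):
                path = os.path.join(folder, name)
                size_ok = os.path.getsize(path) == REPORTED_SIZE
                hits.append((path, exes[key], size_ok))
    return sorted(hits)


def make_constructed_sample(root):
    """Constructed test tree: names and sizes are made up for the demo."""
    sample = {"ProgName.exe": 90_000, "ProgNameSrv.exe": REPORTED_SIZE,
              "Tool.exe": 120_000, "ToolSrv.exe": 5_000,  # name match only
              "SrvHost.exe": REPORTED_SIZE}               # no Host.exe sibling
    for name, size in sample.items():
        Path(root, name).write_bytes(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(tmp)
        for suspect, original, size_ok in find_srv_copies(tmp):
            print(f"{suspect}: named after {original}, size match: {size_ok}")
```

A name match with a size mismatch (the constructed ToolSrv.exe case) is only a lead: legitimate programs can have 'Srv' in their names, and the post itself mentions a later variant that was slightly different.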

  2. Trimble Bracegirdle

    VanguardLH Guest

    Trimble Bracegirdle wrote:

    <snip - same message MULTI-posted in alt.comp.anti-virus>

    See the same but disconnected thread you MULTI-posted half an hour later
    in the other newsgroup.
    VanguardLH, Feb 9, 2011