"RAMNIT desktoplayer" Worm Removal Guide

Discussion in 'Anti-Virus' started by Trimble Bracegirdle, Feb 8, 2011.

  1. http://therachmat.blogspot.com/2011/01/ramnit-worm-removal-guide.html

    @@Will the experts here please comment on the approach given on this Web


    I had this very badly back in late summer ... My main method was with DR WEB
    CUREIT (a free download); told it to 'Cure' the ramnit-infected files but I
    left the HTML files it detected with 'Igor' alone.

    Since then the system has seemed free until late Jan. (last week), when a
    new one got in ... Slightly different from the 1st & spread very fast
    throughout my complex Win XP & Win Vista & Win 7 (64-bit) system.
    Infection getting into any corner.
    I stopped it (I hope) with repeated DR WEB.

    "Win32/RAMNIT" Symptoms:

    A file called Desktoplayer.exe persistently reappears in C:/Program
    Fake FireFox and/or iExplore processes are shown in Task Manager.
    These are much smaller (2 Kb to 8 Kb) than the real thing (80+ Kb). They will be
    there whether a browser is really running or not.
    The processes are directly connected to a high, near-constant (very high)
    level of disc activity. Stopping the fakes in TaskMan stops this Disc

    Files with the names of actual files (always exe's ???) are created which
    are copies of that Desktoplayer.exe file, which is 60,416 bytes in size & has
    the actual file name with an addition of 'Srv'
    added into it.
    Thus; Real "ProgName.exe" ...
    fake 59Kb files in same Folder,
    Etc ...etc...etc
    Trimble Bracegirdle, Feb 8, 2011
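
The file symptoms listed in the post above can be turned into a read-only triage scan. This is an added example, not code from the thread or from any tool it mentions; the function names are hypothetical, and it assumes the 'Srv' marker sits at the end of the name just before `.exe`, which the post does not spell out.

```python
import os
import tempfile

DROPPER_NAME = "desktoplayer.exe"  # file name reported in the post
DROPPER_SIZE = 60_416              # byte size reported in the post
MARKER = "srv"                     # assumption: 'Srv' is appended to the end of the stem


def find_ramnit_artifacts(root):
    """Walk root and return sorted (path, reason) pairs matching the post's symptoms."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            path = os.path.join(folder, name)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() == DROPPER_NAME:
                hits.append((path, "dropper name"))
            elif ext == ".exe" and stem.endswith(MARKER) and len(stem) > len(MARKER):
                host = stem[:-len(MARKER)] + ext   # e.g. prognamesrv.exe -> progname.exe
                try:
                    size = os.path.getsize(path)
                except OSError:
                    continue                       # locked or vanished file: skip it
                # Require both the host file beside it and the exact size, so
                # legitimate names such as MailSrv.exe are not flagged.
                if host in present and size == DROPPER_SIZE:
                    hits.append((path, "Srv copy beside " + host))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: zero-filled dummy files, no real binaries."""
    app = os.path.join(root, "App")
    os.makedirs(app)
    samples = {
        "ProgName.exe": 90_000, "ProgNameSrv.exe": DROPPER_SIZE,  # host + copy
        "Desktoplayer.exe": DROPPER_SIZE,
        "MailSrv.exe": 120_000,                     # ends in Srv, no host file
        "Tool.exe": 5_000, "ToolSrv.exe": 5_000,    # host exists, size differs
    }
    for name, size in samples.items():
        with open(os.path.join(app, name), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_tree(demo)
        for path, reason in find_ramnit_artifacts(demo):
            print(reason, "->", path)
```

A hit is a lead for further scanning, not a verdict; the post itself notes the second infection was "slightly different" from the first, so the size may not hold for every variant.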

  2. Trimble Bracegirdle

    VanguardLH Guest

    Trimble Bracegirdle wrote:

    <snip - same message MULTI-posted in alt.comp.anti-virus>

    See the same but disconnected thread you MULTI-posted half an hour later
    in the other single newsgroup.
    VanguardLH, Feb 9, 2011

  3. http://technet.microsoft.com/en-us/library/cc512587.aspx

    Removal tools (or instructions for manual removal) are no solution to an
    infection, particularly not with malware that may download more malware
    or may give an attacker remote access. One can never be sure what else
    was modified on the system and thus can never be certain that the
    malware was removed entirely.

    F'up adjusted.

    Ansgar -59cobalt- Wiechers, Feb 9, 2011
  4. Do you have a specific question? Maybe you could start your own thread
    by making a new post where you ask your question?
    FromTheRafters, Feb 11, 2011