Contributor
Teknix
Posts: 12
Registered: 10-19-2010

W32.Ramnit

I am running Windows XP 32-bit Service Pack 3 and I have been infected with the W32.Ramnit worm. I have followed the instructions that say to disable System Restore and run a scan in Safe Mode. I have done this and the virus still shows up in Norton. Norton has quarantined certain files which I don't know how to delete, and I am having problems with the removal of the virus itself: I cannot empty my Recycle Bin as it must have a copy in there, and I also cannot delete the desktoplayer.exe that the virus installs itself with. I would appreciate some help on this matter.

Bot Obliterator
Quads
Posts: 13,979
Registered: 07-21-2008

Re: W32.Ramnit

Problem looks like Norton is not detecting a variation of "Desktoplayer", which is the infector, so as soon as Norton cures (not deletes) the infected .exe, .dll or .htm(l) files, "Desktoplayer" just keeps re-infecting the files over and over, around in circles.


Desktoplayer is self protecting, and the winlogon registry entry for desktoplayer can't be removed either.


I have to go out but will be back later. What version of Norton do you have installed??


Quads

Contributor
Teknix
Posts: 12
Registered: 10-19-2010

Re: W32.Ramnit

OK, I have Norton Internet Security 2010. Also, I have been able to delete desktoplayer.exe by starting in Safe Mode, ending the svchost it was using and deleting it in Safe Mode using the command prompt. I need to cure the .dll, .htm(l) and .exe files; Norton has removed some of them but has quarantined the others. I don't know whether deleting desktoplayer has purged the source of the virus or whether I need to keep looking; I am running scans now with Norton. I ran a scan earlier using HijackThis; I will attach the results.

Contributor
Teknix
Posts: 12
Registered: 10-19-2010

Re: W32.Ramnit

Running a scan now with Malwarebytes Anti-Malware.

Bot Obliterator
Quads
Posts: 13,979
Registered: 07-21-2008

Re: W32.Ramnit


Wanting to do things on your own and play around means you are good enough to clean it yourself?? For a start, your browser was open at the time, which is a .exe.


Although Norton removes or repairs the files and places copies of them in the Quarantine, it is still not deleting, as if you get Norton to restore it will alert you to the fact that there is already a file of that name, and do you want to replace it??


Malwarebytes, haven't got there yet, and you need to make sure the definition database is up to date (in Malwarebytes it's the Update tab).


Quads

Bot Obliterator
Quads
Posts: 13,979
Registered: 07-21-2008

Re: W32.Ramnit

I am not going to do anything else as I have no idea where the instructions are coming from; the HijackThis step was not completed.

Running at a pace before walking.


Quads

Contributor
Teknix
Posts: 12
Registered: 10-19-2010

Re: W32.Ramnit

Sorry, I didn't realise I needed to have all .exe files closed. I've retried the scan with everything closed; here are the new results.

Bot Obliterator
Quads
Posts: 13,979
Registered: 07-21-2008

Re: W32.Ramnit

See you have had to use the browser to post again, if you are posting from the infected PC. Not using the browser has nothing to do with HijackThis but something else.


Good Luck


Quads

Contributor
Teknix
Posts: 12
Registered: 10-19-2010

Re: W32.Ramnit

I am following your instructions. I had a friend come around to help me as I have been trying to get rid of this virus for a while and had no luck. We decided to get rid of the desktoplayer.exe as I was having trouble removing it.


10-16-2010 09:54 PM

Read carefully and slowly


Ramnit.


Infects all drives connected to the PC, using an autorun.inf file on flash drives also. The files infected are .htm(l), .dll, and .exe files. I have infected my PC on purpose with this and been able to break the infection, then remove the infections from the .exe's and .dll's.

After that I manually removed the "vscript" from the .htm(l) files as the last thing to do, by opening the .htm(l) files with Notepad, deleting the vscript section and saving the .htm(l) without the vscript. Norton will now remove the vscript without deleting the whole file.


I did this, simply put, and since some scanners may be updated to also break Ramnit, not just do the cleanup, step 3 may not be required if the service is not there.


Programs used:


HijackThis, run with the name "Hijackthis.com" so it doesn't get infected, instead of the usual Hijackthis.exe that would get infected.

Combofix: to be used under supervision; may not be needed if step 3 is not required.

Malwarebytes: installed if needed, and updated via the Update tab to make sure the definitions are up to date. Used to scan and remove the renamed infector and to check for others.

Dr Web CureIt, which runs without installing; used to cure the .exe and .dll files, detected as "W32.Rmnet".


1. Downloaded all the programs, installed if needed, and updated them. Now do not use browsers, and take flash drives and CDs/DVDs out.

Do not use browsers until after step 7.


2. Looked at the HijackThis output. Saw this entry: "Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe" (used HijackThis as the "Hijackthis.com" executable).


3. Ran Combofix with a script, as Combofix without the script doesn't remove it:

killall::

driver::
netlogonz12

Combofix restarted the PC to remove it.

4. Turned off System Restore.

5. Used HijackThis to stop the browser process that is actually "DesktopLayer.exe". In playing with this step I had either IEXPLORE.EXE or Chrome.exe; you may see firefox.exe. You will see by the MBAM entries below that I tested this step 3 times.
Then quickly, before it reloads, renamed the "DesktopLayer.exe", after I used HijackThis to remove the Winlogon entry (F2).

6. Ran a full scan with the updated Malwarebytes:

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft\Desktop.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\Desktop1.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\DesktopLay.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
G:\RECYCLER\S-3-1-03-2277013152-6508142413-324572255-2073\oAeaoUSB.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lpqs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

7. Ran a complete scan with Dr Web CureIt and then had it cure the "W32.Rmnet" entries. It won't cure the .htm(l) entries, but will delete the .htm(l) files as "Trojan.Icor", so don't select those, as some programs need the html files to run correctly.


Quads


PS. That is why specialist malware removal boards and trained people are required for some of this.
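Added example, not code from the thread or from any of the tools it names: a small Python triage script that applies the two HijackThis indicators from steps 2 and 5 of the post above to log lines, flagging an O23 service with an unknown owner running from system32 and any executable chained onto the Winlogon UserInit value besides userinit.exe. The sample log lines are constructed, and the HijackThis line layout is assumed from its usual output.

```python
import re

# Constructed sample HijackThis-style log (not the thread's real log). The O23
# service line copies the entry quoted in step 2; the F2 line models the
# Winlogon entry that step 5 removes with HijackThis's F2 item.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Microsoft\DesktopLayer.exe
O23 - Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\ccSvcHst.exe
"""

LEGIT_USERINIT = "userinit.exe"  # the only executable Winlogon UserInit should name


def parse_hjt(log):
    """Return (section, body) pairs, e.g. ('O23', 'Service: ...'), skipping non-entry lines."""
    entries = []
    for line in log.splitlines():
        m = re.match(r"^(F\d|O\d+|R\d) - (.*)$", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def suspicious_services(entries):
    """O23 services with no publisher that run from system32: the lpqs.exe pattern."""
    hits = []
    for section, body in entries:
        if section != "O23":
            continue
        m = re.match(r"Service: (.+?) \((\w+)\) - (.+?) - (.+)$", body)
        if not m:
            continue
        _name, short_name, owner, path = m.groups()
        if owner.lower() == "unknown owner" and "\\system32\\" in path.lower():
            hits.append((short_name, path))
    return hits


def extra_userinit(entries):
    """Executables chained onto the F2 UserInit value besides userinit.exe."""
    extra = []
    for section, body in entries:
        if section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            for exe in (p.strip() for p in value.split(",") if p.strip()):
                if not exe.lower().endswith("\\" + LEGIT_USERINIT):
                    extra.append(exe)
    return extra


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    print("suspicious services:", suspicious_services(parsed))
    print("extra UserInit entries:", extra_userinit(parsed))
```

Either hit is a lead to verify by hand, not proof on its own: a service with no publisher string can be legitimate, and the ordering in this thread (kill the infector before cleaning files) is what stops the entry from simply reappearing.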

Contributor
Teknix
Posts: 12
Registered: 10-19-2010

Re: W32.Ramnit

The problem is not being able to fully understand a lot about removing a virus. I decided to remove the virus program to see if this fixed the problem; Norton has since stopped popping up saying there's an infection.