10-19-2010 03:59 PM - edited 10-19-2010 04:15 PM
I've closed my browser down and am replying to you from my laptop, as I had to send you the HijackThis report. Also, Malwarebytes is up to date; I updated it before I started the scan. It's running now on my PC.
10-19-2010 04:27 PM
I have been looking into my theory (though only a theory at the moment) that I stated earlier:
"Problem looks like Norton is not detecting a variation of "Desktoplayer", which is the infector, so as soon as Norton cures (not deletes) the infected .exe, .dll or .htm(l) files, "Desktoplayer" just keeps re-infecting the files over and over, around in circles.
Desktoplayer is self-protecting, and the Winlogon registry entry for Desktoplayer can't be removed either."
It looks as though there is more than one "Desktoplayer.exe" around, as it could be that Ramnit goes up to variant E now. Even with my older copy of Desktoplayer.exe, Symantec only sees it as a "Trojan.gen", so it may not be detecting all of them and/or correctly dealing with the file and the Winlogon registry entry: F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\prog
The "F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe," section is to stay.
10-20-2010 02:14 PM - edited 10-20-2010 02:30 PM
I have also, overnight, infected my PC for 1 hour with Ramnit, allowed to do what it wants for that hour.
And not having programs open, with Desktoplayer.exe stopped as a process (under a different name), the file renamed quickly and the Winlogon entry for the Desktoplayer.exe section removed, is the key. Hopefully without restarting the PC, which could possibly kick it all off again.
If the stage to stop "desktoplayer.exe" is not detected and not done in any way, you end up in an endless loop.
Once Desktoplayer.exe is stopped and removed without it reappearing, Norton does cure the infected .exe, .dll and .htm(l) files via scan or Auto-Protect.
I'm not the only one who, with my instructions, can break and clean Ramnit, Ramnit.inf and Ramnit.html. It helps that Norton can now remove the vscript from .htm(l) files instead of having to remove the vscript manually. Just have to work out the "desktoplayer.exe" section and Norton, hopefully without Norton having to restart the PC.
Kill the process, delete the file and repair the Winlogon registry entry without the restart. There are probably a few different "desktoplayer.exe" out there.
Looking through different forums, I have noticed them saying to wipe or reformat the hard drive(s). Oh well.
10-21-2010 09:44 AM
Yeah, a lot of websites say to reformat the hard disk, but I don't understand why; it's just a case of using a bit of common sense. All I did was end the process in Task Manager when my computer was started in Safe Mode with Command Prompt, and then, after ending the svchost.exe which is what it was disguised as, it allowed me to delete the file on the command prompt. Then, with the cause of the virus gone, I just had to treat the symptoms, and that's all worked and my computer is working fine again now :)
10-21-2010 11:46 AM
"Yeah, a lot of websites say to reformat the hard disk, but I don't understand why"
That's because a lot of people:
a) Haven't worked out how to break and remove malware like Ramnit or Virut, like I have with my 7 steps (plus the likes of not using the browsers, as they are .exe's), or can't work out what is going on, so join a forum asking how to remove ****** like rootkits, rogues and Ramnit.
b) A lot of people online remove malware for people, but when you get to the tougher, nasty ones, then you see their ability. It's not just "install Malwarebytes, run, now it's removed". If only it was that simple most of the time.
c) A lot of people, and we have had it on this forum in the past, just wipe / reformat. SIGH.
d) It's harder to do the work over a forum than on a PC in front of me.
Oh, and I didn't use Safe Mode or Command Prompt. I just killed the process using Hijackthis.com, renamed "desktoplayer.exe", then used HijackThis as in the instructions to fix the F2 - Winlogon entry.
The removal instructions I worked out were from a while ago, when no one else had worked out any other way to remove it; Norton would delete the .htm(l) files instead of just removing the vscript (NOW FIXED), etc. So the other night, when testing myself using my own instructions (though I know them off by heart), I tested Dr Web Cureit. It still only deletes the .htm(l) files, where Norton can cure / repair these files. I didn't let Dr Web Cureit delete the .htm(l) files.
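As an added illustration, not code from any poster in this thread, here is a small Python check that parses the HijackThis "F2 - REG:system.ini: UserInit=" line discussed above and lists every logon launch entry other than the stock userinit.exe, so a hijacked value (including the double-comma form quoted earlier) stands out. The expected userinit.exe path, the placeholder file path and the sample lines are constructed assumptions, not values from a real sample.

```python
"""Flag extra entries in a Winlogon UserInit value taken from a HijackThis F2 line."""
import re

# Assumed stock value for a default Windows install (the real registry value
# normally ends with a trailing comma); adjust if your system root differs.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Matches the HijackThis F2 report line and captures everything after "UserInit=".
F2_PREFIX = re.compile(r"^F2\s*-\s*REG:system\.ini:\s*UserInit=(.*)$", re.IGNORECASE)


def parse_userinit(value):
    """Split a UserInit value into launch entries, dropping empty slots.
    Empty slots come from the stock trailing comma or a double comma."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every entry other than the expected userinit.exe.
    Each extra entry is something Winlogon will also launch at logon."""
    return [e for e in parse_userinit(value) if e.lower() != expected.lower()]


def check_f2_line(line):
    """Return the extra entries for a HijackThis F2 UserInit line
    ([] means clean); return None for any other kind of line."""
    match = F2_PREFIX.match(line.strip())
    if not match:
        return None
    return extra_userinit_entries(match.group(1))


# Constructed sample lines; the path after the double comma is a placeholder.
CONSTRUCTED_LINES = [
    r"F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,",
    r"F2 - REG:system.ini: UserInit=C:\Windows\System32\userinit.exe,,c:\PLACEHOLDER\watermark.exe",
    r"O4 - HKLM\..\Run: [Example] c:\PLACEHOLDER\example.exe",
]

if __name__ == "__main__":
    for sample in CONSTRUCTED_LINES:
        result = check_f2_line(sample)
        status = "not an F2 line" if result is None else ("clean" if not result else "EXTRA: " + "; ".join(result))
        print(f"{status}\n    {sample}")
```

Feed it the F2 lines from a HijackThis log; a non-empty result is the entry to remove with the "fix" step, while the stock userinit.exe entry must stay.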
10-23-2010 04:57 PM
Did you submit the instance of Desktoplayer.exe that gave you so much trouble to Symantec? If so please provide the tracking number here and I will make sure it is appropriately detected, if not already.
11-01-2010 03:30 PM
Still a lot of reformatting going on for the removal of Ramnit on the Internet.
I have even tried an infection of TDL3+, a rogue and Ramnit, and they can still be broken even though the rogue blocks .com files and Ramnit infects .exe's...
11-04-2010 04:13 PM
Looks as though another file name used by a Ramnit variant is "watermark.exe".
Just replace the name "desktoplayer.exe" with "watermark.exe" in the Ramnit removal instructions.
12-05-2010 02:17 PM
I managed somehow (shrug) to have it so Norton detects Ramnit.inf and Ramnit.html and cleans them via Auto-Protect and Full Scan.
But during the Full Scan, which first scans the running processes and list of threats, Norton did not detect the running "desktoplayer.exe". Later, when Norton was scanning the Program Files/Microsoft folder where the file is located and running from, it still did not detect "desktoplayer.exe" and that it is a malicious file in use.
One way to notice is that Ramnit continually accesses the A drive (floppy drive) whether a disk is in the drive or not, so you can hear the drive being accessed and see the drive light going, even with Norton having scanned up to the Windows folder.
I know some of the running Ramnit .exe file variants are getting harder to shift, by not allowing the process to be stopped and, due to the file running, not allowing the file to be renamed or deleted.
I wonder what is happening where a file can be detected when dormant but not seen in a scan, etc., when the file is running.
So I deleted "desktoplayer.exe" on restart with HijackThis, had HijackThis restart the PC, and Norton took care of the rest.
None of the other steps were used, like Dr Web Cureit; Norton does better with all the infected files (.exe, .dll, .html) than Cureit now anyway.