Re: W32.Ramnit
12-05-2010 02:17 PM
I managed somehow (shrug) to have it so Norton detects the Ramnit.inf and Ramnit.html and cleans via Auto-Protect and Full Scan.
But during the Full Scan, when first scanning the running processes and list of threats, Norton did not detect the running "desktoplayer.exe". Later, when Norton was scanning the Program Files/Microsoft folder where the file is located and running from, it still did not detect "desktoplayer.exe" and that it's a malicious file in use.
One way to notice is that Ramnit continually accesses the A drive (Floppy drive) whether a disc is in the drive or not, so that you can hear the drive being accessed, and see the drive light going. Even with Norton having scanned up to the Windows folder
I know some of the running Ramnit .exe file variants are getting harder to shift, by not allowing the process to be stopped and, because the file is running, not allowing the file to be renamed or deleted.
I wonder what is happening where a file can be detected when dormant but not seen in a scan etc when the file is running.
So I deleted "desktoplayer.exe" on restart with HijackThis, had HijackThis restart the PC, and Norton took care of the rest.
None of the other steps were used, like Dr Web CureIt; Norton does better with all the infected files (.exe, .dll, .html) than CureIt now anyway.
Quads
