I am running on Windows XP 32 bit Service Pack 3 and I have been infected with the W32.Ramnit worm. I have followed the instructions that say to disable System Restore and run a scan in Safe Mode. I have done this and the virus still shows up in Norton. Norton has quarantined certain files which I don't know how to delete, and I am having problems with the removal of the virus itself: I cannot empty my Recycle Bin as it must have a copy in there, and I also cannot delete the desktoplayer.exe that the virus installs itself with. I would appreciate some help on this matter.
OK, I have Norton Internet Security 2010. Also, I have been able to delete desktoplayer.exe by starting in Safe Mode, ending the svchost it was using and deleting it in Safe Mode using the command prompt. I need to cure the .dll, .htm(l) and .exe files; Norton has removed some of them but has quarantined the others. I don't know whether deleting desktoplayer has purged the source of the virus or whether I need to keep looking. I am running scans now with Norton. I ran a scan earlier using HijackThis; I will attach the results.
Running a scan now with Malwarebytes Anti-Malware.
Wanting to do things on your own, and play around, means you are good enough to clean it yourself?? For a start your browser was open at the time, which is a .exe.
Although Norton removes or repairs the files and places copies of them in the Quarantine, it is still not deleting, as if you get Norton to restore it will alert you to the fact there is already a file of that name and ask do you want to replace it??
Malwarebytes, haven't got there yet, and you need to make sure the definition database is up to date (in Malwarebytes it's the Update tab).
Quads
I am not going to do anything else as I have no idea where the instructions are coming from; the HijackThis step was not completed.
Running at a pace before walking.
Quads
Sorry, I didn't realise I needed to have all .exe files closed. I've retried the scan with everything closed; here are the new results.
I see you have had to use the browser to post again, if you are posting from the infected PC. Not using the browser has nothing to do with HijackThis, but something else.
Good Luck
Quads
I am following your instructions. I had a friend come around to help me as I have been trying to get rid of this virus for a while and had no luck. We decided to get rid of the desktoplayer.exe as I was having trouble removing it.
Read carefully and slowly
Ramnit.
Infects all drives connected to the PC, using an autorun.inf file on flash drives also. The files infected are .htm(l), .dll, and .exe files. I have infected my PC on purpose with this and been able to break the infection, then remove the infections from the .exe's and .dll's.
After that I manually removed the "vscript" from the .htm(l) files as the last thing to do, by opening the .htm(l) files with Notepad, deleting the vscript section and saving the .htm(l) without the vscript. Norton will now remove the vscript without deleting the whole file.
I did this, simply put, and since some scanners may be updated to also break Ramnit, not just do the cleanup, step 3 may not be required if the service is not there.
Programs used:
HijackThis, run with the name "Hijackthis.com" so it doesn't get infected, instead of the usual Hijackthis.exe, which would get infected.
Combofix, to be used under supervision; may not be needed if step 3 is not required.
Malwarebytes, installed if needed, and updated via the Update tab to make sure the definitions are up to date. Used to scan and remove the renamed infector and check for others.
Dr Web CureIt, which runs without installing; used to cure the .exe and .dll files, detected as "W32.Rmnet".
1. Downloaded all the programs, installed if needed, and updated them. Now do not use browsers, and take flash drives and CDs/DVDs out.
Do not use browsers until after step 7.
2. Looked at the HijackThis output. Saw this entry: "Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe" (used HijackThis as the "Hijackthis.com" executable).
3. Ran Combofix with a script, as Combofix without the script doesn't remove it.
killall::
driver::
netlogonz12
Combofix restarted PC to remove it.
4. Turned off System Restore
5. Used HijackThis to stop the browser process that is actually "DesktopLayer.exe". In playing with this step I had either IEXPLORE.EXE or Chrome.exe; you may see firefox.exe. You will see by the MBAM entries below that I tested this step 3 times.
Then quickly, before it reloads, renamed the "DesktopLayer.exe", after I used HijackThis to remove the Winlogon entry (F2).
6. Ran a full scan with the updated Malwarebytes.
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Microsoft\Desktop.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\Desktop1.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\DesktopLay.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
G:\RECYCLER\S-3-1-03-2277013152-6508142413-324572255-2073\oAeaoUSB.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lpqs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
7. Ran a complete scan with Dr Web CureIt and then had it cure the "W32.Rmnet" entries. It won't cure the .htm(l) entries, but will delete the .htm(l) files as "Trojan.Icor", so don't select those, as some programs need the .html files to run correctly.
Quads
PS. That is why specialist malware removal boards and trained people are required for some of this.
The problem is not being able to fully understand a lot about removing a virus. I decided to remove the virus program to see if this fixed the problem; Norton has since stopped popping up saying there's an infection.
I've closed my browser down and am replying to you from my laptop, as I had to send you the HijackThis report. Also, Malwarebytes is up to date; I updated it before I started the scan. It's running now on my PC.
For all,
I have been looking into my theory (though only a theory at the moment) that I stated earlier:
"Problem looks like Norton is not detecting a variation of "Desktoplayer", which is the infector, so as soon as Norton cures (not deletes) the infected .exe, .dll or .htm(l) files, "Desktoplayer" just keeps re-infecting the files over and over, around in circles.
Desktoplayer is self-protecting, and the Winlogon registry entry for Desktoplayer can't be removed either."
It looks as though there is more than one "Desktoplayer.exe" around, as it could be that Ramnit goes up to variant E now. Even with my older copy of Desktoplayer.exe Symantec only sees it as a "Trojan.gen", so it may not be detecting all of them and/or correctly dealing with the file and the Winlogon registry entry, F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe, so that the infected files are getting cured, removed, repaired (not deleted), but with Desktoplayer still running the PC just gets re-infected as quick as you like.
The F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe, section is to stay.
Quads
I managed to beat the virus. All scans are clean.
That's Good
I have also overnight infected my PC for 1 hour with Ramnit, allowed to do what it wants for that hour.
And not having programs open, and Desktoplayer.exe stopped as a process (under a different name), the file renamed quickly and the Winlogon entry for the Desktoplayer.exe section removed is the key. Hopefully without restarting the PC, which could possibly kick it all off again.
If the stage to stop "desktoplayer.exe" is not detected and not done in any way, you end up in an endless loop.
Once Desktoplayer.exe is stopped and removed without reappearance, Norton does cure the infected .exe, .dll and .htm(l) files via scan or Auto-Protect.
I'm not the only one that, with my instructions, can break and clean Ramnit, Ramnit.inf and Ramnit.html. It helps that Norton can now remove the vscript from .htm(l) files instead of manually removing the vscript. Just have to work out the "desktoplayer.exe" section and Norton, hopefully without Norton having to restart the PC.
Kill process, delete file and repair the Winlogon registry entry without the restart. There are probably a few different "desktoplayer.exe" out there.
Looking through different forums I have noticed them saying to wipe or reformat the hard drive(s). Oh well.
Quads
Yeah, a lot of websites say to reformat the hard disk, but I don't understand why; it's just a case of using a bit of common sense. All I did was end the process in Task Manager when my computer was started in Safe Mode with Command Prompt, and then after ending the svchost.exe, which is what it was disguised as, it allowed me to delete the file on the command prompt. Then, with the cause of the virus gone, I just had to treat the symptoms, and that's all worked and my computer is working fine again now :)
Teknix wrote: Yeah, a lot of websites say to reformat the hard disk, but I don't understand why
That's because a lot of people,
a) Haven't worked out how to break and remove malware like Ramnit or Virut, like I have with my 7 steps plus the likes of not using the browsers as they are .exe's, or can't work out what is going on, so join a forum asking how to remove ****** like rootkits, rogues and Ramnit.
b) A lot of people online remove malware for people, but when you get to the tougher, nasty ones then you see their ability. It's not just install Malwarebytes, run, now it's removed. If it was only that simple most of the time.
c) A lot of people, and we have had it on this forum in the past, just wipe / reformat. SIGH
d) It's harder to do the work over a forum than on a PC in front of me.
Oh, and I didn't use Safe Mode or Command Prompt. Just killed the process using Hijackthis.com, renamed "desktoplayer.exe", then used HijackThis as in the instructions to fix the F2 - Winlogon entry.
The removal instructions I worked out were a while ago, when no one else had worked out any other way to remove it; Norton would delete the .htm(l) files instead of just removing the vscript (NOW FIXED), etc. So the other night when testing myself using my own instructions, though I know them off by heart, I tested Dr Web CureIt. It still only deletes the .htm(l) files, where Norton can cure / repair these files. I didn't let Dr Web CureIt delete the .htm(l) files.
Quads
Teknix,
Did you submit the instance of Desktoplayer.exe that gave you so much trouble to Symantec? If so please provide the tracking number here and I will make sure it is appropriately detected, if not already.
Thanks,
JohnM
Still a lot of reformatting going on for the removal of Ramnit on the Internet.
Hahaha,
I have even tried an infection of TDL3+, a rogue and Ramnit, and they can still be broken even though the rogue blocks .com files and Ramnit infects .exe's...
Quads
Looks as though another file name used by a Ramnit variant is "watermark.exe".
Just replace the name "desktoplayer.exe" with "watermark.exe" in the Ramnit removal instructions:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"
Quads
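The two Userinit values quoted in this thread (the F2 line in the earlier post and the watermark.exe registry value above) share one shape: the stock userinit.exe path followed by an extra, comma-separated executable, which is exactly the part the instructions say to remove while keeping the userinit.exe section. The Python below is an added example, not code from the thread or from HijackThis, Norton or any other tool named here. It parses a Userinit value (or a HijackThis F2 line), reports anything after the stock entry, and builds the value that should remain after cleanup. The expected userinit.exe path is an assumption for a default Windows XP install; the sample values are constructed from the paths quoted in the thread, and the optional live read uses the standard-library winreg module, which only exists on Windows.

```python
"""Check the Winlogon Userinit value for appended executables.

Added example (not from the thread). The Ramnit variants discussed here
persist by appending their own .exe after the legitimate userinit.exe path,
separated by commas (note the double comma in the quoted F2 line). The parser
below works on the raw value string or on a HijackThis "F2 - REG:system.ini:
UserInit=" line, reports anything after the stock entry, and builds the value
that should remain after cleanup. Sample values are constructed.
"""
import re

# Stock Userinit path on a default Windows XP install (assumption; adjust if
# %SystemRoot% is not C:\WINDOWS).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Registry key quoted in the thread (under HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

F2_LINE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def parse_userinit(value):
    """Split a Userinit value into its executable entries.

    Entries are comma separated; empty entries (from a doubled or trailing
    comma) and surrounding quotes/whitespace are dropped.
    """
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def extra_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every entry that is not the expected userinit.exe path."""
    return [e for e in parse_userinit(value) if e.lower() != expected.lower()]


def userinit_from_hijackthis_line(line):
    """Extract the Userinit value from a HijackThis F2 line, or None."""
    m = F2_LINE.match(line.strip())
    return m.group(1).strip() if m else None


def repaired_userinit(value, expected=EXPECTED_USERINIT):
    """The value that should remain: the stock path with its trailing comma.

    Only the expected entry is kept; if the value never contained it, the
    stock path is used so the logon process is not left without a Userinit.
    """
    kept = [e for e in parse_userinit(value) if e.lower() == expected.lower()]
    return (kept[0] if kept else expected) + ","


def read_live_userinit():
    """Read the Winlogon Userinit value on a Windows host (None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
        return value


if __name__ == "__main__":
    # Constructed samples built from the paths quoted in the thread.
    samples = [
        r"c:\windows\system32\userinit.exe,",
        r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe",
        r"C:\WINDOWS\system32\userinit.exe,,c:\program files\microsoft\watermark.exe",
    ]
    for v in samples:
        extras = extra_userinit_entries(v)
        status = "EXTRA: " + "; ".join(extras) if extras else "clean"
        print(f"{v}\n  -> {status}\n  -> repaired: {repaired_userinit(v)}")
```

Run on the infected machine, `read_live_userinit()` gives the value to feed to `extra_userinit_entries`; anything it reports is a file to stop and remove before the Winlogon entry is repaired, otherwise the re-infection loop described earlier in the thread continues. Comparing the full path rather than just the file name matters, because a copy named userinit.exe in another folder would otherwise pass.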
I managed somehow (shrug) to have it so Norton detects the Ramnit.inf and Ramnit.html and cleans via Auto-Protect and Full Scan.
But during the Full Scan, with first scanning the running processes and list of threats, Norton did not detect the running "desktoplayer.exe"; later, when Norton was scanning the Program Files\Microsoft folder where the file is located and running from, it still did not detect "desktoplayer.exe" and that it's a malicious file in use.
One way to notice is that Ramnit continually accesses the A drive (floppy drive) whether a disk is in the drive or not, so that you can hear the drive being accessed and see the drive light going, even with Norton having scanned up to the Windows folder.
I know some of the running Ramnit .exe file variants are getting harder to shift, by not allowing the process to be stopped, and, due to the file running, not allowing the file to be renamed or deleted.
I wonder what is happening where a file can be detected when dormant but not seen in a scan etc. when the file is running.
So I deleted "desktoplayer.exe" on restart with HijackThis, had HijackThis restart the PC, and Norton took care of the rest.
None of the other steps used, like Dr Web CureIt; Norton does better with all the infected files (.exe, .dll, .html) than CureIt now anyway.
Quads