Comments on Rachmat: RAMNIT Worm Removal Guide
Feed updated: 2023-10-30T18:31:49.590+07:00
Blog author: rachmat (http://www.blogger.com/profile/13980250206528424231)
8 comments

Anonymous, 2013-08-01T05:41:22.669+07:00

thx **************+10

Worm Removel (http://antivirus.igennie.net/worm-removal.html), 2012-09-01T17:30:18.089+07:00

thanks for this information. I think u do hard work in collecting this data. But really this is beneficial for every one..

rachmat (http://therachmat.blogspot.com), 2011-02-09T11:08:48.476+07:00

@anonymous, If U use Vista or Win 7, right click the batch script (RamNit_removal.bat) to run as administrator

rachmat (http://therachmat.blogspot.com), 2011-02-09T11:01:28.000+07:00

@Anonymous, U're welcome, thanks also 4 your comments. RAMNIT or RAMNET has various versions (.A, .B, .G etc.), each different version has its own characters, yes always infects .exe and htm files. ProgNameSrv.exe is a marker that ProgName.exe is already infected by this worm.
RAMNIT in my case always created ProgNameManager.exe as a marker.

Anonymous, 2011-02-09T03:16:38.369+07:00

"Win32/RAMNET" Symptoms I have:

A file called Desktoplayer.exe persistently reappears in C:/Program Files/Microsoft.
Fake FireFox and/or iExplore processes are shown in Task Manager.
These are much smaller, 2 Kb to 8 Kb, than the real thing, 80+ Kb. They will be there whether a browser is really running or not.
The processes are directly connected to a high, near constant (very high) level of disc activity. Stopping the fakes in TaskMan stops this disc activity.

Files with the names of actual files (always exe's ???) are created which are copies of that Desktoplayer.exe file, which is 60,416 bytes in size & has the actual file name with an addition of 'Srv' added into it.
Thus: real "ProgName.exe" ...
fake 59 Kb files in same folder,
"ProgNameSrv.exe" "ProgNameSrvSrv.exe" "ProgNameSrvSrvSrv.exe"
Etc ... etc ... etc
@@@@@@

Anonymous, 2011-02-09T03:12:01.300+07:00

Thanks a lot for all that hard work.
I had this very badly back in late summer ... My main method was with DR WEB CUREIT (a free download), told it to 'Cure' the ramnit infected files but I left the HTML files it detected with 'Igor' alone.

Since then the system has seemed free until late Jan. (last week), when a new one got in .. Slightly different from the 1st & spread very fast throughout my complex Win XP & Win Vista & Win 7 (64bit).
Infection into any corner.
I stopped it (I hope) with repeated DR WEB.
I'm now trying your routines as given here.
I will run them on each of my Windows installs.

I have no sign of that "WaterMark.exe"
@@@Thanks@@@

rachmat (https://www.blogger.com/profile/13980250206528424231), 2011-01-26T17:43:49.020+07:00

don't forget to turn on your firewall while surfing on the internet

rachmat (https://www.blogger.com/profile/13980250206528424231), 2011-01-26T17:24:15.465+07:00

special thanks to Jing Ge, who released tools to repair infected htm files