Forum Discussion

petercgoh's avatar
petercgoh
Level 2
14 years ago

help needed - How to remove w32.ramnit!html

I've followed the instructions on how to remove this virus from the symantec website, but it still keeps popping up in my auto protect.The website says disable auto update, get the latest virus definitions, and run a scan...but after restart, within a few minutes the auto protect comes on giving a list of files which are infected by this. Please HELP!!!

I am using NAV corporate edition v10

General Veritas
Inside Veritas
Security Risks
Windows

6 Replies

Sort By
  • Thomas_K's avatar
    Thomas_K
    Level 6
    14 years ago

    First download the latest rapid release definitions. http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    Then boot into safe mode and running a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.


    If that fails to remove the threat try using the Norton Power Eraser tool.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

    Please keep us posted on your progress.

    Thomas

  • petercgoh's avatar
    petercgoh
    Level 2
    14 years ago
    Thomas,

    My company has updated the NAV corp edition to Symantec Endpoint Protection V11.. but the virus stiill showed up...

    I did your steps assuming that it will also work the same way, but as soon as i logged on, the virus showed up again. Should i now proceed with the Norton Power Eraser tool? Or are there other ways?

    I've attached the typical message i get...
  • Thomas_K's avatar
    Thomas_K
    Level 6
    14 years ago
    Be sure to disable System Restore -

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-012006-3513-99&tabid=3

    Since you are running SEP 11, I would download and run the Power Eraser from the SEP Support Tool.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008071709480648

    Check out the video here - https://www-secure.symantec.com/connect/videos/power-eraser-overview

    The Load Point Analysis is another great too for finding threats and is included in the SEP Support download.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009092215125548


  • petercgoh's avatar
    petercgoh
    Level 2
    14 years ago
    All the Power eraser did was to remove several drivers that controled my power management on my thinkpad and my touchpad.. i had to reinstall the drivers... again..

    The virus is still there, as the popups still apear...
  • Thomas_K's avatar
    Thomas_K
    Level 6
    14 years ago

    The Symantec Endpoint Recovery Tool (SERT) is another tool that is offered to SEP users.

    SERT is not located on the SEP 11 DVD. Using your product serial number, you can download the tool from FileConnect (https://fileconnect.symantec.com). Please download this Symantec Endpoint Recovery Tool .iso file onto a computer that has a CD burner and is not infected.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041515464348

    Video - https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert



    Thomas
  • Blake_Canaday's avatar
    Blake_Canaday
    14 years ago

    I have a client that has this worm on it as well.  Seems there is no solution that will work that is faster than rebuilding the machine.

    I am running SEP 11.

    ~ Blake