" " How to remove Ramnit How to remove Ramnit - NtechGuide -->


How to remove Ramnit



 



RAMNIT is a worm that spreads through removable drives. It attacks executables and mostly infects .EXE, .DLL and .HTML files.

Ramnit can be spotted in a ZHPDiag report by lines like these, which Ramnit adds:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8888;https=127.0.0.1:8888;
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
UsbFix also highlights it in its reports, like this:
E:\Copy of Shortcut to (1).lnk
E:\Copy of Shortcut to (2).lnk
E:\Copy of Shortcut to (3).lnk
E:\Copy of Shortcut to (4).lnk
E:\Recycler\S-2-4-83-5280813113-0422248134-003777717-6617\ouLQHTjd.exe
E:\Recycler\S-2-4-83-5280813113-0422248134-003777717-6617\bCeZRQYH.cpl
Note the presence of the .cpl file in the Recycler folder. This is the easiest way to locate the infection, because this file is a constant.
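A triage sketch for the report lines quoted above, added here as an example; it is not part of the original article and not code from ZHPDiag or UsbFix. The function names, the indicator labels and the assumption that Windows is installed in c:\windows are mine.

```python
import re

# Constructed sample: report lines quoted in this article plus one clean UserInit line for contrast.
SAMPLE_REPORT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8888;https=127.0.0.1:8888;
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,
E:\Copy of Shortcut to (1).lnk
E:\Recycler\S-2-4-83-5280813113-0422248134-003777717-6617\ouLQHTjd.exe
E:\Recycler\S-2-4-83-5280813113-0422248134-003777717-6617\bCeZRQYH.cpl
"""

# Assumption: Windows is installed in c:\windows, so this is the only expected entry.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.I)
LOOPBACK_RE = re.compile(r"(?:^|[=;])(?:127\.\d+\.\d+\.\d+|localhost):\d+", re.I)
USERINIT_RE = re.compile(r"UserInit\s*=\s*(.+)", re.I)
RECYCLER_RE = re.compile(r"^[A-Z]:\\Recycler\\S-[\d-]+\\[^\\]+\.(?:exe|cpl)$", re.I)
LNK_RE = re.compile(r"^[A-Z]:\\Copy of Shortcut to \(\d+\)\.lnk$", re.I)

def check_line(line):
    """Return (indicator, detail) findings for one report line."""
    line, found = line.strip(), []
    m = PROXY_RE.search(line)
    if m and LOOPBACK_RE.search(m.group(1)):
        # Local debugging proxies set this too: a lead to review, not a verdict.
        found.append(("loopback-proxy", m.group(1)))
    m = USERINIT_RE.search(line)
    if m:
        entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
        found += [("userinit-extra", e) for e in entries if e not in EXPECTED_USERINIT]
    if RECYCLER_RE.match(line):
        found.append(("recycler-executable", line))
    if LNK_RE.match(line):
        found.append(("copy-of-shortcut-lnk", line))
    return found

def triage(report):
    """Group findings by indicator name across all lines of a report."""
    hits = {}
    for line in report.splitlines():
        for name, detail in check_line(line):
            hits.setdefault(name, []).append(detail)
    return hits

if __name__ == "__main__":
    for name, details in triage(SAMPLE_REPORT).items():
        print(name, *details, sep="\n  ")
```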
This infection is usually well detected, as shown by this analysis on VirusTotal, a site that checks files with several different antivirus engines:
File name: mbr.exe
Submission date: 2011-12-16 21:33:02 (UTC)
Current status: finished
Result: 30/43 (69.8%)

Antivirus             Version          Last update Result
AhnLab-V3             2011.12.16.00    2011.12.15  Win32/Ramnit
AntiVir               7.10.14.39       2011-12-16  W32/Ramnit.C
Antiy-AVL             2.0.3.7          2011-12-16  -
Avast                 4.8.1351.0       2011-12-16  Win32:Ramnit-F
Avast5                5.0.594.0        2011-12-16  Win32:Ramnit-F
AVG                   9.0.0.851        2011-12-16  Win32/Zbot.G
BitDefender           7.2              2011-12-16  Win32.Ramnit.H
CAT-QuickHeal         11.00            2011-12-16  -
ClamAV                0.96.4.0         2011-12-16  W32.Ramnit-1
Command               5.2.11.5         2011-12-16  W32/Ramnit.D
Comodo                6771             2011.12.16  Packed.Win32.MUPX.Gen
DrWeb                 5.0.2.03300      2011-12-16  -
Emsisoft              5.0.0.50         2011-12-16  Virus.Win32.Ramnit!IK
eSafe                 7.0.17.0         2011-12-16  -
eTrust-Vet            36.1.7986        2011-12-16  Win32/Ramnit.C
F-Prot                4.6.2.117        2011-12-16  W32/Ramnit.D
F-Secure              9.0.16160.0      2011-12-16  Win32.Ramnit.H
Fortinet              4.2.254.0        2011.12.15  -
GData                 21               2011.12.16  Win32.Ramnit.H
Ikarus                T3.1.1.90.0      2011-12-16  Virus.Win32.Ramnit
Jiangmin              13.0.900         2011-12-16  Backdoor/IRCNite.wi
K7AntiVirus           9.68.3021        2011.12.15  Virus
Kaspersky             7.0.0.125        2011-12-16  Virus.Win32.Nimnul.a
McAfee                5.400.0.1158     2011-12-16  W32/NGVCK
McAfee-GW-Edition     2010.1C          2011-12-16  W32/NGVCK
Microsoft             1.6402           2011-12-16  Virus:Win32/Ramnit.I
NOD32                 5633             2011-12-16  Win32/Ramnit.H
Norman                6.06.10          2016-12-11  -
nProtect              2011-12-16.02    2011-12-16  Win32.Ramnit.H
Panda                 10.0.2.7         2011-12-15  W32/Cosmu.C
PCTools               7.0.3.5          2011-12-16  Malware.Ramnit
Prevx                 3.0              2011-12-16  -
Rising                22.74.03.08      2011-12-16  -
Sophos                4.59.0           2011-12-16  W32/Ramnit-A
SUPERAntiSpyware      4.40.0.1006      2011-12-16  -
Symantec              20101.2.0.161    2011-12-16  W32.Ramnit.B!inf
TheHacker             6.7.0.1.086      2011-12-15  -
TrendMicro            9.120.0.1004     2011-12-16  PAK_Generic.001
TrendMicro-HouseCall  9.120.0.1004     2011.12.16  -
VBA32                 3.12.14.2        2011-12-15  -
VIPRE                 7350             2011-12-16  Virus.Win32.Ramnit.b (v)
ViRobot               2010.11.19.4157  2011-12-16  -
VirusBuster           13.6.48.0        2011-12-16  Win32.Ramnit.Gen.2

Ramnit Removal


It is not easy to disinfect a Ramnit-affected PC, and in some cases formatting is mandatory if the infection has become too large.
Otherwise, some live CDs can get rid of infected files: the Dr.Web live CD, for example, seems able to overcome this infection when it is not too developed on the PC.

Kaspersky Removal Tools


Before starting the scan, set the actions to be applied automatically (otherwise you will be overwhelmed with popups).
To do this, right click on the gear icon, then select Actions on the left and check Execute action.
It is imperative to do a full scan, otherwise infected executables may remain.
Still in the settings menu, on the left, click on Analysis area.
Check the workstation.
Then start the scan from the automatic analysis tab.
Kaspersky Removal Tool should need to reboot to disable Ramnit.
Kaspersky Removal Tool will then restart at startup and complete the scan.
 
