
Thread: How to get rid of Win32/RAMNIT.A

  1. #1
    Join Date
    Sep 2004
    Posts
    66

    How to get rid of Win32/RAMNIT.A

    I need help related to a malware called Win32/RAMNIT.A. Does anyone face this malware? In my system MSE has detected this virus, and it looks like it is trying to disinfect it, but I am not sure about that. I do not have any other antivirus. Microsoft Security Essentials is the only one I am using. I do want to kill my system performance by adding more antivirus. I was visiting some sites and downloaded certain videos. The video text showed that I have to download a specific player to play it. I did the same and from that time the warning keeps on appearing. MSE looks to be effective here. It shows me a message that the virus is removed. Still, to ensure security I checked my system properly. I checked the startup folder, ran a registry cleaner and wiped out temp files. Now after a scan I found that it keeps on detecting fresh malware. The amount has increased to 70 now. I scanned my system in Safe Mode but nothing was found there.

  2. #2
    Join Date
    Sep 2004
    Posts
    125
    That looks like a serious malware. If the detection list keeps on rising then the virus looks to have spread well in the system. Try Malwarebytes' Anti-Malware. This is the best software that you can go for to wipe out malware from your system. Mostly the antivirus either cleans the files or moves the virus to a vault so that it cannot spread. Install Malwarebytes' and scan in safe mode. You must keep a good antivirus installed in your system along with MSE. If nothing happens then the last option that remains is running Windows XP's repair setup. That will clean the virus properly and completely.

  3. #3
    Join Date
    Sep 2004
    Posts
    151
    This is a complicated worm which spreads in your entire system. You must not install anything without confirming that the file is safe. To some extent it is very complicated to locate each and every instance of this virus and then remove it completely. Once it is executed, it will run automatically and reach your folders. My friend was having a severe virus issue. He tried a number of things, but nothing worked out. The last thing I did was remove the hard drive and connect it to my system. My system has a paid version of Norton. I scanned the drive in safe mode a number of times. There were hundreds of viruses detected and removed. It was cleaned completely.

  4. #4
    Join Date
    Aug 2010
    Posts
    1
    It is a worm and it is not easy to get rid of it. It spreads quite easily in your system. If you go on Google you can find a guide to get rid of this virus. It starts from removing the registry key of this virus. The malware is a complicated virus and they spread very fast. Update your antivirus or simply add AVIRA. Scan your system continuously with it a number of times and I hope it will give you the right protection. Check the below registry locations of this virus. You have to get rid of each key generated and used by the worm.
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'WarnonBadCertRecving' = '0'
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 'SelfdelNT'
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  5. #5
    Join Date
    Jul 2010
    Posts
    1
    I too am affected with this kind of infection. I am using Internet Explorer here. I do not know how the virus entered my system, but it is working very slowly. I installed AVAST and found that a number of .exe and dll files are infected with some Win32.Quolko virus. I submitted the dll file to get a report for fixing the issue. I am trying to locate the right logs that can give me clear information on all services running in my system. I was using Malwarebytes before, but this virus remains undetected by it. Then I added Symantec. It scanned the system in safe mode and then moved some sys files to the vault. After that I am getting BSOD constantly.

  6. #6
    Join Date
    Sep 2004
    Posts
    136
    Antimalware tools are not a solution against a serious virus. Viruses are designed to spread in your system. They can create copies of themselves and reach almost every part of your system, making your OS completely unstable. The only effective thing that works against a virus is a powerful antivirus, and that must be installed before the virus enters your system. Adding that after infection will not offer you much help.

  7. #7
    Join Date
    Oct 2009
    Posts
    8
    I need help related to an IE crash. I had installed Flash on 64bit IE, which looked to be working fine, and there was no issue. Suddenly it crashed, and so did the browser. I do not know the way to switch to IE 32bit here. I am a bit confused here also. When I double click on the IE icon it keeps warning me and does not open. I do not recall the error, but it was related to some edition. Can a malware convert 32bit to 64bit automatically? How can I locate the issue behind this?

  8. #8
    Join Date
    Sep 2004
    Posts
    112
    The viruses normally replicate each other, causing a series of infections. According to my experience, once it has spread you cannot do much about that. It is necessary that you deploy some powerful antivirus option that can provide you quiet security by moving them to the vault. Download and install Kaspersky in your system. This is one of the best antivirus I have seen yet. It works quite nicely and offers you great protection features. You can simply scan your system under safe mode and locate different viruses.

  9. #9
    Join Date
    Sep 2004
    Posts
    142
    If all your attempts fail you have to format your system and re-install Windows back again. As the worm has already infected your system you cannot do much about that. A virus file still remains in your system even when you think it is completely depleted. The disinfection process can be complicated and longer to some extent.

  10. #10
    Join Date
    Sep 2004
    Posts
    137
    It is the problem with antivirus where it is not able to move or completely remove the virus. I have seen some articles on the web that show Win32/RAMNIT.A is capable of modifying the .exe files and it makes them perform much lower. As per my experience in using MSE I found that it misses a number of files and you can do nothing about that. File permissions and registries are the common core components which are affected and you cannot do much about that.

  11. #11
    Join Date
    Sep 2010
    Posts
    1

    re: How to get rid of Win32/RAMNIT.A

    I formatted my system at last when I was not able to do anything. I had tons of worms collected in my new hard drive and I am using Windows 7 on the same. I had installed McAfee in it and scanned the system in safe mode. The fresh installation was affected with some malicious software in my computer that I had installed by mistake. The system went down in a week and I had no option other than formatting and re-installing each and everything back again. There are less chances that you can ignore the .exe or dll files. After tons of scans the virus was not detected, but the system keeps on getting lower. There is a tool called Kaspersky’s TDSSKiller. This tool has the ability to block the virus and then you can get rid of the same by scanning.

  12. #12
    Join Date
    Sep 2004
    Posts
    136

    re: How to get rid of Win32/RAMNIT.A

    A malware has tons of ways to protect itself. It can be triggered through the temp folder or simply through the Windows Registry. I found certain information on where the virus worked from. Those locations were:
    • %Temp%\svchost.exe
    • %Temp%\~TM<rnd>.tmp
    • [HKCR\http\shell\open\command]
    • %ProgramFiles%\<rnd>\<rnd>.exe

    The registry key that is affected by the same is:
    • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%WinDir%\system32\userinit.exe,,%ProgramFiles%\<rnd>\<rnd>.exe"
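
As an added example (not part of the post above, and not code from any tool named in this thread): a Python check that audits a Winlogon `Userinit` value and file paths against the locations listed in post #12. The `ENV` directory mapping, the function names and the sample values are assumptions constructed for illustration.

```python
import re

# Assumed directories for the machine under review (constructed values).
ENV = {
    "%windir%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files",
    "%temp%": r"C:\Users\user\AppData\Local\Temp",
}
EXPECTED = r"%windir%\system32\userinit.exe"
# Locations listed in post #12; <rnd> there stands for a random name.
REPORTED = [
    (r"%temp%\\svchost\.exe", r"%Temp%\svchost.exe"),
    (r"%temp%\\~tm[^\\]*\.tmp", r"%Temp%\~TM<rnd>.tmp"),
    (r"%programfiles%\\[^\\]+\\[^\\]+\.exe", r"%ProgramFiles%\<rnd>\<rnd>.exe"),
]

def normalize(path, env=ENV):
    """Lower-case a path and fold known directory prefixes back to %VAR% form."""
    p = path.strip().strip('"').lower()
    for var, real in sorted(env.items(), key=lambda kv: -len(kv[1])):
        if p.startswith(real.lower() + "\\"):
            return var + p[len(real):]
    return p

def match_reported(path, env=ENV):
    """Return the post's location pattern that this path fits, or None."""
    p = normalize(path, env)
    for regex, label in REPORTED:
        if re.fullmatch(regex, p):
            return label
    return None

def audit_userinit(value, env=ENV):
    """Return (entry, reason) for every Userinit entry other than userinit.exe."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry or normalize(entry, env) == EXPECTED:
            continue  # empty slot or the legitimate logon program
        reason = match_reported(entry, env) or "unexpected extra entry"
        findings.append((entry, reason))
    return findings

if __name__ == "__main__":
    # Constructed sample value in the shape the post describes.
    sample = r"C:\Windows\system32\userinit.exe,,C:\Program Files\qwxzt\qwxzt.exe"
    for entry, reason in audit_userinit(sample):
        print(f"review: {entry} ({reason})")
```

The value to audit can be copied from the output of `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`.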

  13. #13
    Join Date
    Nov 2010
    Location
    Connecticut
    Posts
    1

    re: How to get rid of Win32/RAMNIT.A

    I'm a newcomer to this site, but not to electronics or computers by far. I just had to say (after reading way too many posts on this topic) that I have to agree with every one of your posts. You're obviously a well-seasoned tech on many levels. The only times I've resorted to replacing caps on a motherboard were for data-recovery purposes. And both times the boards had built-in RAID controllers and RAID arrays that warranted component-level work... And only as a last resort to recover the customer's data...

    It seems that we share many practices, goals and experiences. It's very rare to find anyone who handles technical problems quite the same way I do, and I'm very happy to see another tech whose main goal is customer satisfaction and not their wallet. Any tech who does not care enough to image their customers' drives before working on them is quite foolish! Many times I've had customers specifically tell me not to worry about the data and just format/reinstall, only to have them call back a few days later with very important programs or data missing. And they are always surprised and extremely pleased when I respond: "I have a full backup, would you like that on DVD or Flash Drive?"

    Personally I've found full image backups a very important step in the repair / recovery process, especially when a customer's drive fails during repair, which has happened multiple times in my 20+ years in the field.

    I've only come across this Win32/RAMNIT.A twice, and I was very lucky to notice the autorun.inf appear on my flash drive before I spread it to my own systems :) Both times I was able to eradicate the bug without a format / reinstall. It wasn't an easy task, but by scanning on a system dedicated to only virus / malware removal and by manually deleting the files affected I was able to return the systems to a clean, perfectly working state.

    I've since replaced my flash drive with one that has a write-protect switch right on it. Now I need not worry about any parasites hitching a ride on my drive :)

    Please send me a message and let me know what state you're in, I have 2 investors looking to open up new companies in different states and I have a business plan that I believe would make a lot of customers extremely satisfied... Let me know if you have any interest! THANKS! And kudos on your technique!
    >CJ< (Computer John)
