My computer has been infected by W32/Ramnit. Our McAfee has removed many files of that virus, but my computer still has W32/Ramnit. Every time I plug a USB drive into my computer, McAfee detects W32/Ramnit virus files trying to enter my USB drive. In C:\Program Files\ there is a folder with a random name that cannot be deleted; every time I try to delete that folder, Windows shows the alert "Error deleting: this folder is not empty", whereas if I enter that folder, there are no files in it.
In fact, all the virus files in that folder have been deleted by McAfee. On my computer there are also two processes named firefox.exe in Task Manager, but those processes are not from C:\Program Files\Mozilla Firefox\ but from a folder in C:\WINDOWS\WinSxS\, and if I open that folder, there is no file.
I am very confused by this problem.
McAfee detects that virus as pws-zbot.gen.cn
Is there a solution for my problem?
Below is a log file and pictures on my computer:
Message was edited by: mBlaus on 03/05/11 00:48:19 CDT
The Ramnit virus is a very bad version - we had such infections too and McAfee does not detect all variants.
We have submitted more new samples from infected systems - network drives are also affected!
My suggestion is to reinstall the system to be clean. Today no virus scan program can know all current active viruses! Only a freshly installed PC is 100 % clean.
Yep, this is one of the nasty ones. You can view all the details from McAfee's Virus info page, I pasted below the registry keys it creates to give you more insight on what is happening.
For all the variants:
Upon execution, the Trojan copies itself into the following location and it connects to the site "repl[removed].com" to perform malicious activity.
And it drops the following file
The Trojan opens a default browser instance and injects malicious code into it, and it registers itself as an authorized application with the Windows Firewall by adding the following values to the registry keys.
The following registry values have been added to the system
The following registry values have been modified
Userinit = "%WinDir%\system32\userinit.exe,, %ProgramFiles%\eeZUgoIuò„¨ÉËvdbcqreb.exe\vdbcqreb.exe"
The above registry entry confirms that the Trojan executes every time Windows starts.
The Trojan opens a TCP port and connects to a remote site "repl[removed].com" to receive commands from an attacker. Instructions could include downloading and executing arbitrary malware.
The following folder has been added
[Note: %ProgramFiles%\ - C:\Program Files, %WinDir%- C:\WINDOWS]
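The Userinit modification quoted above is the persistence point worth checking on a suspect machine. The following is an added example, not McAfee's advisory code or anything from the original poster: a small Python checker that parses a Winlogon Userinit value, drops the empty entry that the double comma produces, and flags every entry that is not the stock userinit.exe. The constructed sample uses a placeholder folder name in place of the random one, and the live registry read is only attempted on Windows.

```python
import re

# Userinit entries expected on a clean system (lower-cased for comparison).
EXPECTED_USERINIT = {
    r"%windir%\system32\userinit.exe",
    r"c:\windows\system32\userinit.exe",
}

# Constructed sample modelled on the advisory's value; RANDOMFOLDER.exe is a
# placeholder for the random directory name, which is not reproduced here.
SAMPLE_INFECTED = (r"%WinDir%\system32\userinit.exe,, "
                   r"%ProgramFiles%\RANDOMFOLDER.exe\vdbcqreb.exe")
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"


def userinit_entries(value):
    """Split the comma-separated Userinit string; blank entries from ',,' are dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value):
    """Return (entry, reason) for every entry that is not the stock userinit.exe."""
    hits = []
    for entry in userinit_entries(value):
        low = entry.lower().strip('"')
        if low in EXPECTED_USERINIT:
            continue
        reasons = []
        # A directory whose name ends in .exe, as in the advisory's path, is a classic tell.
        if re.search(r"\.exe\\[^\\]+\.exe$", low):
            reasons.append("directory named like an executable")
        if "%programfiles%" in low or "program files" in low:
            reasons.append("runs from Program Files rather than system32")
        if not reasons:
            reasons.append("not the stock userinit.exe")
        hits.append((entry, "; ".join(reasons)))
    return hits


def read_live_userinit():
    """On Windows, read the real Userinit value; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return winreg.QueryValueEx(k, "Userinit")[0]


if __name__ == "__main__":
    for entry, reason in suspicious_userinit_entries(read_live_userinit() or SAMPLE_INFECTED):
        print(f"SUSPICIOUS: {entry}  ({reason})")
```

A flagged entry should be removed only after the referenced file has been captured for analysis, since the value is reapplied on every logon while the dropped executable survives.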