How to remove W32/Ramnit totally?

My computer was infected by W32/Ramnit. Our McAfee has removed many files of that virus, but my computer still has W32/Ramnit. Every time I plug a USB drive into my computer, McAfee detects virus files of W32/Ramnit that try to enter my USB drive. In C:\Program Files\ there is a folder with a random name that cannot be deleted; every time I try to delete that folder, Windows shows the alert "Error deleting: this folder is not empty", whereas if I enter that folder, there are no files in it.

In fact, all virus files in that folder have been deleted by McAfee. On my computer there are also two processes named firefox.exe in Task Manager, but those processes aren't from C:\Program Files\Mozilla Firefox\ but from a folder in C:\WINDOWS\WinSxS\, and if I open that folder, there is no file.

I am very confused by this problem.

McAfee detects that virus as pws-zbot.gen.cn

Is there a solution for my problem?

Below is a log file and pictures on my computer:


Message was edited by: mBlaus on 03/05/11 00:48:19 CDT
Re: How to remove W32/Ramnit totally?

Hello

The Ramnit virus is a very bad version - we had such infections too and McAfee does not detect all variants.

We have submitted more new samples from infected systems - network drives are also affected!

My suggestion is to reinstall the system - to be clean. Today no virus scan program can know all current active viruses! Only a freshly installed PC is 100 % clean.

best regards

Michael


Re: How to remove W32/Ramnit totally?

Yep, this is one of the nasty ones. You can view all the details on McAfee's Virus Info page; I pasted below the registry keys it creates to give you more insight into what is happening.

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=360918#none

or all the variants:

http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=PWS-Zbot

Upon execution, the Trojan copies itself into the following location and it connects to the site "repl[removed].com" to perform malicious activity.

    • %UserProfile%\Start Menu\Programs\Startup\vdbcqreb.exe
    • %ProgramFiles%\eeZUgoIuò„¨ÉËvdbcqreb.exe\vdbcqreb.exe

And it drops the following file:

    • %ProgramFiles%\Mozilla Firefox\dmlconf.dat

The Trojan opens a default browser instance and injects malicious code into it, and it registers itself as an authorized application with the Windows Firewall by adding the following values to the registry keys.

The following registry values have been added to the system

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
      %ProgramFiles%\Mozilla Firefox\firefox.exe: "%ProgramFiles%\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
      %ProgramFiles%\Mozilla Firefox\firefox.exe: "%ProgramFiles%\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"

The following registry values have been modified:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
      Userinit = "%WinDir%\system32\userinit.exe,, %ProgramFiles%\eeZUgoIuò„¨ÉËvdbcqreb.exe\vdbcqreb.exe"

The above registry entry confirms that the Trojan executes every time Windows starts.

The Trojan opens a TCP port and connects to a remote site "repl[removed].com" to receive commands from an attacker. Instructions could include downloading and executing arbitrary malware.

The following folder has been added:

    • %ProgramFiles%\eeZUgoIuò„¨ÉËvdbcqreb.exe

[Note:  %ProgramFiles%\ - C:\Program Files, %WinDir%- C:\WINDOWS]
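A read-only check of the two persistence points named in the write-up above (the Winlogon Userinit value and the firewall AuthorizedApplications lists), as an added example that is not from this thread or from McAfee. It assumes an XP-era host where those firewall list keys exist and is run from an elevated PowerShell prompt:

```powershell
# Added example: audit the Winlogon Userinit value and the XP-era Windows Firewall
# AuthorizedApplications lists that the write-up above names as persistence points.
# Run from an elevated PowerShell prompt; it only reads the registry.

$findings = @()

# 1. Winlogon\Userinit: the only legitimate entry is %WinDir%\system32\userinit.exe
#    (Windows writes it with a trailing comma, which the split below tolerates).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = Join-Path $env:WinDir 'system32\userinit.exe'
foreach ($raw in ($userinit -split ',')) {
    $entry = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if ($entry -and ($entry -ine $expected)) {
        $findings += New-Object PSObject -Property @{
            Location = 'Winlogon\Userinit'; Entry = $entry; Note = 'extra Userinit program' }
    }
}

# 2. Firewall AuthorizedApplications lists (value name = program path, value data =
#    "path:scope:Enabled:name"). Report every entry together with whether the program
#    exists and carries a valid Authenticode signature, so a reviewer can spot a
#    firefox.exe that lives outside %ProgramFiles%\Mozilla Firefox.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    $list = "$fwBase\$profile\AuthorizedApplications\List"
    if (-not (Test-Path $list)) { continue }   # absent on Vista and later
    foreach ($p in (Get-ItemProperty -Path $list).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        $path = [Environment]::ExpandEnvironmentVariables($p.Name)
        $note = 'program missing'
        if (Test-Path $path) {
            $note = 'signature: ' + (Get-AuthenticodeSignature -FilePath $path).Status
        }
        $findings += New-Object PSObject -Property @{
            Location = "$profile firewall list"; Entry = $p.Value; Note = $note }
    }
}

if ($findings) { $findings | Format-Table Location, Entry, Note -AutoSize -Wrap }
else { 'No extra Userinit entries and no firewall authorized-application lists found.' }
```

Any Userinit entry other than userinit.exe, or a firewall-authorized program that is missing or unsigned, is worth preserving for a reinstall decision rather than just deleting.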
