2 Replies Latest reply on Jul 6, 2011 5:00 PM by jhall1

    How to remove W32/Ramnit totally?

      My computer has been infected by W32/Ramnit. Our McAfee has removed many files of that virus, but my computer still has W32/Ramnit. Every time I plug a USB drive into my computer, McAfee detects W32/Ramnit virus files that try to enter my USB drive. In C:\Program Files\ there is a folder with a random name, and that folder cannot be deleted; every time I try to delete it, Windows shows the alert "Error deleting: this folder is not empty", whereas if I open that folder, there are no files in it.

      In fact, all virus files in that folder have been deleted by McAfee. On my computer there are also two processes named firefox.exe in Task Manager, but those processes aren't from C:\Program Files\Mozilla Firefox\ but from a folder in C:\WINDOWS\WinSxS\, and if I open that folder, there is no file.

      I am very confused by this problem.

      McAfee detects that virus as pws-zbot.gen.cn

      Is there a solution for my problem?

      Below is a log file and pictures on my computer:

      Message was edited by: mBlaus on 03/05/11 00:48:19 CDT
        • 1. Re: How to remove W32/Ramnit totally?
          finkemch

          Hello

          The Ramnit virus is a very bad version - we had such infections too and McAfee does not detect all variants.

          We have submitted more new samples from infected systems - network drives are also affected!

          My suggestion is to reinstall the system to be clean. Today no virus scan program can know all currently active viruses! Only a freshly installed PC is 100 % clean.

          best regards


          Michael

          • 2. Re: How to remove W32/Ramnit totally?

            Yep, this is one of the nasty ones. You can view all the details from McAfee's Virus info page, I pasted below the registry keys it creates to give you more insight on what is happening.

            http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=360918#none

            or all the variants:

            http://home.mcafee.com/VirusInfo/ThreatSearch.aspx?term=PWS-Zbot

            Upon execution, the Trojan copies itself into the following locations and connects to the site "repl[removed].com" to perform malicious activity.

              • %UserProfile%\Start Menu\Programs\Startup\vdbcqreb.exe
              • %ProgramFiles%\eeZUgoIuò„¨ÉËvdbcqreb.exe\vdbcqreb.exe

            And it drops the following file:

              • %ProgramFiles%\Mozilla Firefox\dmlconf.dat

            The Trojan opens a default browser instance and injects malicious code into it, and it registers itself as an authorized application with the Windows Firewall by adding the following values to the registry keys.

            The following registry values have been added to the system:

              • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
                %ProgramFiles%\Mozilla Firefox\firefox.exe: "%ProgramFiles%\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
              • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
                %ProgramFiles%\Mozilla Firefox\firefox.exe: "%ProgramFiles%\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"

            The following registry values have been modified:

              • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
                Userinit = "%WinDir%\system32\userinit.exe,, %ProgramFiles%\eeZUgoIuò„¨ÉËvdbcqreb.exe\vdbcqreb.exe"

            The above registry entry confirms that the Trojan executes every time Windows starts.

            The Trojan opens a TCP port and connects to a remote site, "repl[removed].com", to receive commands from an attacker. Instructions could include downloading and executing arbitrary malware.

            The following folder has been added:

              • %ProgramFiles%\eeZUgoIuò„¨ÉËvdbcqreb.exe

            [Note:  %ProgramFiles%\ - C:\Program Files, %WinDir%- C:\WINDOWS]
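As an added example (not code from this thread, from McAfee, or from the virus profile), the following Python script turns the two indicators quoted above into a check a defender can run against a registry export: an extra program appended to the Winlogon Userinit value, and Windows Firewall AuthorizedApplications entries whose executable lives in a directory that is named like an .exe or contains non-ASCII characters, as the dropped folder in the profile does. The sample export embedded below is constructed for illustration; RANDOMNAME.exe stands in for the random folder name and is not a real indicator. To use it on a real machine, export the two keys with regedit or `reg export` and pass the file contents to `parse_reg_export`.

```python
"""Flag Userinit and Windows Firewall persistence indicators in a .reg export.

Added example for the W32/Ramnit / PWS-Zbot thread; not code from the thread
or from McAfee. The sample export is CONSTRUCTED; RANDOMNAME.exe is a placeholder.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` produces for the two keys named in the
# profile: Userinit with an appended program, and an authorized-application list.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,, C:\\Program Files\\RANDOMNAME.exe\\vdbcqreb.exe"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\RANDOMNAME.exe\\vdbcqreb.exe"="C:\\Program Files\\RANDOMNAME.exe\\vdbcqreb.exe:*:Enabled:Firefox"
'''

WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
FIREWALL_LIST_SUFFIX = r'\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with .reg escaping (backslash and quote are backslash-escaped)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def userinit_extra_entries(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return every program in Winlogon\\Userinit other than the stock userinit.exe.

    A clean value holds only <WinDir>\\system32\\userinit.exe followed by a comma;
    anything else is a persistence entry that runs at every logon.
    """
    value = keys.get(WINLOGON_KEY, {}).get('Userinit', '')
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if not e.lower().endswith(r'\system32\userinit.exe')]


def suspicious_firewall_apps(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Flag AuthorizedApplications\\List entries with the traits seen in the profile."""
    flagged: List[Tuple[str, List[str]]] = []
    for key, values in keys.items():
        if not key.upper().endswith(FIREWALL_LIST_SUFFIX.upper()):
            continue
        for name, data in values.items():
            # Data format is "<path>:<scope>:<Enabled|Disabled>:<description>";
            # rsplit keeps the drive-letter colon inside the path.
            path = data.rsplit(':', 3)[0]
            parent = path.rsplit('\\', 1)[0] if '\\' in path else ''
            reasons = []
            if parent.lower().endswith('.exe'):
                reasons.append('parent directory named like an executable')
            if not parent.isascii():
                reasons.append('non-ASCII characters in program path')
            if path.lower() != name.lower():
                reasons.append('value name does not match program path')
            if reasons:
                flagged.append((path, reasons))
    return flagged


if __name__ == '__main__':
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for entry in userinit_extra_entries(parsed):
        print('Userinit runs extra program:', entry)
    for path, reasons in suspicious_firewall_apps(parsed):
        print('Suspicious firewall exception:', path, '-', '; '.join(reasons))
```

The Userinit check is the stronger signal of the two: Windows expects that value to name only userinit.exe, so any appended path is worth investigating regardless of how it is named. The firewall check is a heuristic over the traits visible in the profile and should be read as a triage list, not a verdict; a legitimate exception for the real firefox.exe, like the one the profile shows being added, passes it unflagged even though the process may be hosting injected code.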