This page contains detailed analysis on W32/Ramnit.a. To get rid of this Trojan, please follow the removal guide below.
W32/Ramnit.a is a virus that is self-replicating. It usually propagates via unsecured network connection and removable USB drives including flash drive, writable CD and external hard disk drives. W32/Ramnit.a also spreads by infecting file on the system that is shared on a network environment.
Alias: Type_Win32, Win32/Zbot.A, W32/Infector.Gen2, Win32/Ramnit.A, Win32.Rmnet,
W32.Infector, W32/Patched-I, PE_RAMNIT.A
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
When executed, W32/Ramnit.a it will drop a random-name generated file that contains the strings “Mgr.exe” or “Srv.exe.” It also executes the same file that will to infect other executable it may found on the system. This virus can also infect files that have .HTML and .HTM extension.
Once loaded and running, W32/Ramnit.a will create a backdoor and connects to a remote server to allow a remote attacker to gain control on the compromised computer. It waits for other tasks that the remote attacker may perform on the PC.
The virus can inject malicious code into default Internet browser and uses this method to bypass Windows firewall and other security programs.
Some infected machines may display an error if the Trojan’s embedded code is having conflict to other programs. Here is the sample error message.
Virus do self-replicate. Infections are commonly propagated on unsecured computer networks or transmitting the virus to a removable media devices like UDB drives, writable disc, and memory sticks. Viruses can also spread by compromising a shared system files within a network.
How to Remove W32/Ramnit.a
NOTE: We suggest that you PRINT or BOOKMARK this guide. There are steps that we may have to restart the computer in order to successfully remove the threat.
Step 1 : Run a scan with your antivirus program
1. First thing you should do is reboot the computer in Safe Mode with Networking to avoid W32/Ramnit.a from loading at start-up.
Remove all media such as Memory Card, cd, dvd, and USB devices. Then, restart the computer and please do the following:
Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.
Start computer in Safe Mode using Windows 8 and Windows 10
a) Close any running programs on your computer.
b) Get ready to Start Windows. On your keyboard, Press and Hold Shift key and then, click on Restart button.
c) It will prompt you with options, please click on Troubleshoot icon.
d) Under Troubleshoot window, select Advanced Options.
e) On next window, click on Startup Settings icon.
f) Lastly, click on Restart button on subsequent window.
g) When Windows restarts, present startup options with numbers 1 - 9. Select "Enable Safe Mode with Networking" or number 5.
h) Windows will now boot on Safe Mode with Networking. Proceed with virus scan as the next step.
2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of W32/Ramnit.a.
Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.
3. Once updating is finished, run a full system scan. After the scan, delete all infected items. If unable to clean or delete, better place the threat in quarantine.
Step 2: Run another test with Norton Power Eraser
1. Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.
4. Once the file is downloaded, navigate its location and double-click on the icon (NPE.exe) to launch the program.
5. Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept.
6. On NPE main window, click on Advanced. We will attempt to remove W32/Ramnit.a components without restarting the computer.
7. On next window, select System Scan and click on Scan now to perform standard scan on your computer.
8. NPE will proceed with the scan. It will search for Trojans, viruses, and malware like W32/Ramnit.a. This may take some time, depending on the number of files currently stored on the computer.
9. When scan is complete. All detected risks are listed. Remove them and restart Windows if necessary.
Alternative Removal Methods for W32/Ramnit.a
Option 1 : Use Windows System Restore to return Windows to previous state
During an infection, W32/Ramnit.a drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to previous working state is through System Restore.
To verify if System Restore is active on your computer, please follow the instructions below to access this feature.
Access System Restore on Windows XP, Windows Vista, and Windows 7
a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.
Open System Restore on Windows 8
a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.
If previous restore point is saved, you may proceed with Windows System Restore. Click here to see the full procedure.