Getting rid of RAMNIT

October 2016

RAMNIT is a dangerous virus that attacks and infects exe,dll and html files. Getting rid of RAMNIT is not easy. Once a computer has been infected with RAMNIT, there may be no way to remove it, and the computer may have to be re-formatted. However, if the virus attack is in the early stages, a live CD such as Dr Web can clean out the virus completely. eScan Antivirus is another antivirus program that can eradicate the virus from the system. Both the antivirus software programs have to be run in safe mode for getting rid of RAMNIT.


RAMNIT is a virus in the same family as Virut, Sality and virtob. It attacks mainly executable files and infects those with the extensions .exe, .dll and .html


Ramnit can be identified by these types of lines in a system diagnosis using ZHPDiag:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer = http=; https=;         
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar, LinksFolderName = Liens         
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe 

This infection is usually well detected on VirusTotal, on aniline diagnostics tool:

File name:               
Submission date: 2010-11-19 12:47:02 (UTC)               
Current status: queued (#8) queued (#6) analyzing finished               
Result: 30/ 43 (69.8%)               
AhnLab-V3 2010.11.19.00 2010.11.18 Win32/Ramnit               
AntiVir 2010.11.19 W32/Ramnit.C               
Antiy-AVL 2010.11.19 -               
Avast 4.8.1351.0 2010.11.19 Win32:Ramnit-F               
Avast5 5.0.594.0 2010.11.19 Win32:Ramnit-F               
AVG 2010.11.19 Win32/Zbot.G               
BitDefender 7.2 2010.11.19 Win32.Ramnit.H               
CAT-QuickHeal 11.00 2010.11.09 -               
ClamAV 2010.11.19 W32.Ramnit-1               
Command 2010.11.19 W32/Ramnit.D               
Comodo 6771 2010.11.19 Packed.Win32.MUPX.Gen               
DrWeb 2010.11.19 -               
Emsisoft 2010.11.19 Virus.Win32.Ramnit!IK               
eSafe 2010.11.18 -               
eTrust-Vet 36.1.7986 2010.11.19 Win32/Ramnit.C               
F-Prot 2010.11.19 W32/Ramnit.D               
F-Secure 9.0.16160.0 2010.11.19 Win32.Ramnit.H               
Fortinet 2010.11.18 -               
GData 21 2010.11.19 Win32.Ramnit.H               
Ikarus T3. 2010.11.19 Virus.Win32.Ramnit               
Jiangmin 13.0.900 2010.11.19 Backdoor/IRCNite.wi               
K7AntiVirus 9.68.3021 2010.11.18 Virus               
Kaspersky 2010.11.19 Virus.Win32.Nimnul.a               
McAfee 5.400.0.1158 2010.11.19 W32/NGVCK               
McAfee-GW-Edition 2010.1C 2010.11.19 W32/NGVCK               
Microsoft 1.6402 2010.11.19 Virus:Win32/Ramnit.I               
NOD32 5633 2010.11.19 Win32/Ramnit.H               
Norman 6.06.10 2010.11.19 -               
nProtect 2010-11-19.02 2010.11.19 Win32.Ramnit.H               
Panda 2010.11.18 W32/Cosmu.C               
PCTools 2010.11.19 Malware.Ramnit               
Prevx 3.0 2010.11.19 -               
Rising 2010.11.19 -               
Sophos 4.59.0 2010.11.19 W32/Ramnit-A               
SUPERAntiSpyware 2010.11.19 -               
Symantec 20101.2.0.161 2010.11.19 W32.Ramnit.B!inf               
TheHacker 2010.11.18 -               
TrendMicro 2010.11.19 PAK_Generic.001               
TrendMicro-HouseCall 2010.11.19 -               
VBA32 2010.11.18 -               
VIPRE 7350 2010.11.19 Virus.Win32.Ramnit.b (v)               
ViRobot 2010.11.19.4157 2010.11.19 -               
VirusBuster 2010.11.18 Win32.Ramnit.Gen.2               
Additional information       


It is not easy to disinfect a PC infected by RAMNIT and, in some cases, the only solution is to format your system.

Alternatively, some live CDs can overcome the infected files: DR WEB seems to be able to clean out the infection at an early stage.


  • Download Dr Web CureIt to your desktop
  • Restart in Safe Mode
  • Double click on drweb-cureit.exe and then click on Analyze
    • In Vista you will need to right click and select "Run as Admin"
  • Click "OK" when prompted for rapid analysis
    • If it finds an infection, click "Yes"
  • Note: A window will open with options to "Order" or "50% off discount", simply click on "Close"
  • When the fast scan is completed, click on "Options" > "Change Setup" > "Scan" and uncheck "Heuristic analysis"
  • Click "Ok"
  • Return to the main window and choose "Full Analysis"
  • Select all drives
  • Click the button with green arrow on the right and the scan will begin
  • Click "Yes" to any proposals prompting you to "Disinfect?"
  • When the scan is complete, take advantage of the option to quarantine any infected files
  • Go to File >Save Report to save the report to your desktop
    • It will be called DrWeb.csv and you can post it to an appropriate forum for help diagnosing your machine
  • Close Dr. Web CureIt
  • Reboot your machine

eScan Antivirus Toolkit

Step 1: Update

  • Download eScan Antivirus Toolkit to your desktop
  • Double-click mwav.exe on the desktop and unzip the files in the suggested new folder (C:\Kaspersky)
  • The program will launch automatically and you must exit
  • Double click on My Computer (Computer on Vista), then double click on the primary drive (usually C:\)
  • Double click the folder Kaspersky, then double click the file kavupd.exe
  • You will now see a DOS window appear and the update will complete in minutes
  • Once the update is completed, tap on any key to continue when prompted to do so
  • Two new directories (folders) will have been created during the update (C: \ bases and C: \ Downloads)
  • Select/copy all the files in the folder C:\Downloads, then paste them into the folder C:\Kaspersky
  • Accept the prompt to overwrite existing files

Step 2: start in safe mode

Do not run the scan yet
  • Restart the PC
  • At startup, tap F8 (F5 on some PCs) to enter the BIOS
  • In the Advanced Options menu, choose Safe Mode
  • Choose your session

Step 3: Disinfection

  • To launch EScan AntiVirus Toolkit find the file located in the C:\Kaspersky
  • Double click and the eScan interface will appear on the screen
  • It is important to check the following boxes under Scan Options: Memory, Registry, Startup Folders, System Folders and Services
  • Select the drives to be scanned and make sure the "Scan All Files" option is checked
  • Launch the scan and allow the tool to check the entire hard drive (it may take some time)
    • When finished, you will see "Scan Completed"
    • Do not exit the program yet
  • Open a new Notepad file (click "Start" > "Programs" > "Accessories" > "Notepad"), then copy/paste the entire contents of the Virus Log in the text file and save it
    • eScan also creates a full report in the folder C:\Kaspersky (....mwav.log), but it is too large to post on the forum.
  • Close the program and restart your PC in Normal Mode
  • Post (copy/paste) the report that you saved to the appropriate forum

Related :

This document entitled « Getting rid of RAMNIT » from CCM ( is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.