Saturday, January 07, 2012

Rammit, Ramnit!

The fast-spreading Ramnit worm (affecting Windows 9x, 2000, XP, Vista and Windows 7) steals Facebook passwords and hijacks Facebook accounts. The worm, said to be approaching "epidemic" status, posts to the compromised account's entire friends list. These posts may look harmless, but they contain malicious links that spread the infection to your friends.

Threat Level: Critical

Ramnit worm Infection Symptoms

* Google and Yahoo searches are redirected, and the desktop background image and browser homepage are changed. This is a common symptom of a serious Ramnit worm infection.

* Ramnit slows your computer down considerably, to the point where it feels stuck: opening programs, shutting down and Internet access all become slow.

* You will get many unwanted pop-ups. Ramnit modifies the Windows registry and uses it to launch annoying pop-up ads out of nowhere.


W32.Ramnit.B is a Windows-based virus that spreads by copying itself to network shares and removable USB drives. It does this by creating an autorun.inf file in the root directory of each compromised drive, so that W32.Ramnit.B runs whenever the flash drive or network drive is opened. Once running, it scans the targeted drive for .exe, .dll and .html files to infect.

Warning: WORM/Ramnit.A.20.worm is nothing to shrug off or ignore. It is a malicious item crafted to give an attacker remote access to your PC or laptop, where it consumes system resources, traces your Internet habits, and records and steals your passwords and other personal information.

OK, so what do you do?

• 1 Disable System Restore (Windows ME and XP users only), so that the worm is not preserved in a restore point: right-click My Computer → Properties → System Restore tab → check "Turn off System Restore on all drives" → restart the computer

• 2 Terminate the following processes (right-click the taskbar → Task Manager → Processes tab → right-click the worm's process → End Process). The RECYCLER folder and file names below are the ones seen in this infection and may differ on another machine.

%DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\PdCMovQB.exe

%ProgramFiles%\Microsoft\WaterMark.exe

• 3 Delete the registry value added by the worm (Start → Run → type regedit → if User Account Control (UAC) asks whether to allow the program to make changes to the computer, click Yes)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24C2&SUBSYS_013A1028&REV_01\3&172e68dd&0&E8\Device Parameters\"DetectedLegacyBIOS" = "1"

• 4 Restore the original registry value. The worm changes the Winlogon Userinit value so that its dropper is launched at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,,%ProgramFiles%\Microsoft\WaterMark.exe"

Set it back to the Windows default, "%System%\userinit.exe," (note the trailing comma), so that WaterMark.exe is no longer started with each logon.

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• 5 Show hidden files and folders (open My Computer → Tools → Folder Options → View tab → select "Show hidden files, folders, and drives" and clear "Hide protected operating system files" → OK)

• 6 Delete the infected files listed below (on every removable, fixed and network drive the machine has been connected to)

%DriveLetter%\Copy of Shortcut to (4).lnk
%DriveLetter%\Copy of Shortcut to (3).lnk
%DriveLetter%\Copy of Shortcut to (2).lnk
%DriveLetter%\Copy of Shortcut to (1).lnk
%DriveLetter%\autorun.inf
%DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\tYZldSpD.cpl
%DriveLetter%\RECYCLER\S-6-8-78-6074043183-3137731366-826674213-1246\PdCMovQB.exe
%System%\dmlconf.dat
%ProgramFiles%\Microsoft\WaterMark.exe

• 7 Reboot your machine!

INTERNET EXPLORER USERS :::

  • It is possible for WORM/Ramnit.A.20.worm to load itself from the "run=" and "load=" entries of the system WIN.INI file, so check that file carefully in order to remove the worm completely.
  • You also need to clean the IE temporary files, where the original carrier may still be stored.
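The following PowerShell script is an added example and is not part of the original post. It audits a Windows machine for the indicators listed in steps 2 to 6 and in the WIN.INI note above (the Userinit value, the WaterMark.exe and dmlconf.dat drop paths, autorun.inf and "Copy of Shortcut to (N).lnk" lures on each drive, executables under RECYCLER, and run=/load= lines in win.ini) and reports what it finds. It assumes PowerShell 2.0 or later in an elevated shell; it treats the RECYCLER folder and file names as variable per infection and matches them by pattern, and it changes nothing unless -RestoreUserinit is given, in which case it resets Userinit to the Windows default "<system32>\userinit.exe,".

```powershell
# Added Ramnit indicator audit (not from the original post). Report-only unless
# -RestoreUserinit is passed. Run from an elevated PowerShell 2.0+ prompt.
param(
    [switch]$RestoreUserinit
)

$findings = @()

# 1. Winlogon\Userinit: the worm appends its dropper after the legitimate userinit.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe,"   # Windows default, trailing comma included
if ($userinit -ne $defaultUserinit) {
    $findings += "Userinit is '$userinit' (expected '$defaultUserinit')"
    if ($RestoreUserinit) {
        Set-ItemProperty -Path $winlogon -Name Userinit -Value $defaultUserinit
        $findings += "Userinit restored to default"
    }
}

# 2. Dropped files named in the post.
foreach ($p in @("$env:ProgramFiles\Microsoft\WaterMark.exe",
                 "$env:SystemRoot\system32\dmlconf.dat")) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 3. A running process loaded from the WaterMark.exe path (step 2 of the post).
Get-Process | Where-Object { $_.Path -and $_.Path -like '*\Microsoft\WaterMark.exe' } |
    ForEach-Object { $findings += "Process $($_.Id) running from $($_.Path)" }

# 4. Per-drive indicators. DriveType 2 = removable, 3 = fixed, 4 = network.
Get-WmiObject Win32_LogicalDisk | Where-Object { (2, 3, 4) -contains $_.DriveType } | ForEach-Object {
    $root = $_.DeviceID + '\'

    # autorun.inf is only flagged when it actually tries to launch something.
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $text = Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue
        $launch = $text -match '^\s*(open|shellexecute|shell\\.*\\command)\s*='
        if ($launch) { $findings += "autorun.inf on $root launches: " + ($launch -join '; ') }
    }

    # Lure shortcuts dropped in the drive root.
    Get-ChildItem -LiteralPath $root -Filter 'Copy of Shortcut to (*).lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Lure shortcut: $($_.FullName)" }

    # Executables or control-panel applets hidden under RECYCLER\<SID-like folder>.
    # Names vary per infection (assumption), so any .exe/.cpl there is reported.
    $recycler = Join-Path $root 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        Get-ChildItem -LiteralPath $recycler -Recurse -Force -Include *.exe, *.cpl -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Executable under RECYCLER: $($_.FullName)" }
    }
}

# 5. Legacy WIN.INI autostart lines (run= / load=) mentioned in the IE note above.
$winini = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path -LiteralPath $winini) {
    Get-Content -LiteralPath $winini | Where-Object { $_ -match '^\s*(run|load)\s*=\s*\S' } |
        ForEach-Object { $findings += "win.ini autostart entry: $_" }
}

if ($findings.Count -eq 0) { 'No Ramnit indicators found.' } else { $findings }
```

Run it once without -RestoreUserinit to see what is on the machine, kill and delete what it reports following the steps above, then rerun with -RestoreUserinit. Because the script only reports the files and registry values the post names (plus pattern matches for the randomised RECYCLER payloads), a clean report is not proof of a clean machine; follow it with a full scan from an up-to-date antivirus product.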

2 comments:

Dawn Conklin said...

I never really understood why some people create viruses to cause grief to others. Thank you for sharing, this is the first time I have heard of this one!

rewa said...

Being infected by W32.Ramnit.B is annoying, but if our Windows has one of the big antivirus brands, I think that can protect our Windows before it gets worse later.