Published May 10, 2011 | Updated Sep 15, 2017

Win32/Ramnit

Severe |Detected with Windows Defender Antivirus

Aliases: No associated aliases

Summary

Windows Defender Antivirus detects and removes this threat.

This malware family steals your sensitive information, such as your bank user names and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running.

These threats can be installed on your PC through an infected removable drive, such as a USB flash drive.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

 

NOTE: The Microsoft Windows Malicious Software Removal Tool automatically restores the default Windows security setting as it remediates this malware issue. However, if you encounter any issues, you can also manually enable the Windows functions that the malware disabled to tamper with your system and lower your Windows security.

  1. Enable the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by modifying the following registry entries:                                                                                      
    • In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      Sets value: "EnableLUA"
      With data: "1"
  2. Delete the following keys which do not exist by default:
    • HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\\FirewallOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\\UacDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\\AntiVirusDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\\FirewallDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\\FirewallOverride
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\\UpdatesDisableNotify
    • HKLM\SOFTWARE\Microsoft\Security Center\Svc\\UacDisableNotify
  3. Enable the Windows Firewall by modifying the following registry entries:                                                                                                            
    • In subkey:HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      Sets value:"EnableFirewall"
      With data: "1"
  4. In the Run command field, type services.msc to go to the Services manager console.
  5. Search for following services:
    • Security Center
    • Windows Defender Service
    • Windows Firewall
    • Windows Update
  6. Right-click, then go to Properties.
  7. Set the Startup type to Automatic
Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Enable MAPS 

Enable the Microsoft Active Protection Service (MAPS) on your system to protect your enterprise software security infrastructure in the cloud.

  1. Check if MAPS is enabled in your Microsoft security product:

    1. Select Settings and then select MAPS.

    2. Select Advanced membership, then click Save changes. With the MAPS option enabled, your Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

  2. Join the Microsoft Active Protection Service Community.  
Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Follow us