How to detect and remove Ramnit

Ramnit is malware that’s infecting PCs running Microsoft Windows. When a PC has been infected, the malware disables a series of Windows security features (Windows Defender, Windows Firewall, User Account Control) and Windows Update, and removes the ability to install other antivirus software. Once a PC is infected, the malware uses it to collect account information for a series of online services (financial, banking, social, professional) by creating fake copies of legitimate websites. Once your account information is collected, the malware owners have access to those sites and the services within them. This malware affects all versions of Windows. It isn't coming from any part of Windows or Microsoft services, but rather from an organization trying to collect information from within your computer.

How to check if your PC is infected

If your PC is still running but you suspect it might be infected, refer to the information in "My PC starts normally." If you can’t turn on your PC or you see a blue screen after you turn on your PC, refer to the information in "My PC won’t turn on or I see a blue screen."

My PC starts normally

If your PC is infected, you'll see one or more of the following indicators:

  • Your antivirus software is disabled and can’t be turned on or used (for example, you can’t run Windows Defender). To check your PC, see "Run your antivirus software."

  • Windows Update can’t check for updates. To check your PC, see "Check for updates."

  • Windows Firewall can’t be turned on. To check your PC, see "Turn on Windows Firewall."

Follow the steps below to verify if these conditions exist on your PC.

Run your antivirus software

If you have Windows Defender on your PC, follow the steps below. Otherwise follow the instructions from your antivirus software manufacturer for performing a full scan.

If you're using Symantec antivirus software, you can find more information on how to detect and remove the virus from your PC in this blog on Symantec’s website.

To scan your PC with Windows Defender

  1. Open Windows Defender by going to Control Panel, clicking System and Security, and then clicking Windows Defender.

  2. Click Full scan.

  3. If Windows Defender won’t run, you'll receive an error message that the service has been stopped and to restart your PC.

  4. If you restart your PC, and Windows Defender still won’t run, your PC has been infected.

Follow the steps in How to remove the Ramnit virus.

Check for updates

For PCs running Windows 8.1 or Windows 8

  1. Open Windows Update by swiping in from the right edge of the screen (or, if you're using a mouse, pointing to the lower-right corner of the screen and moving the mouse pointer up), tapping or clicking Settings, tapping or clicking Change PC settings, and then tapping or clicking Update and recovery.

  2. Tap or click Check now, and then wait while Windows looks for the latest updates for your PC.

For PCs running Windows 7 or Windows Vista

  1. Open Windows Update by clicking the Start button. In the search box, type Update, and then, in the list of results, click Windows Update.

  2. In the left pane, click Check for updates.

If you aren’t able to check for updates and are prompted to restart your PC, your PC has been infected. Follow the steps in How to remove the Ramnit virus.

Turn on Windows Firewall

For PCs running Windows 8.1 or Windows 8

  1. Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, and then tapping or clicking Windows Firewall.

  2. Tap or click Turn Windows Firewall on or off. You might be asked for an admin password or to confirm your choice.

  3. Tap or click Turn on Windows Firewall.

For PCs running Windows 7 or Windows Vista

  1. Open Windows Firewall by clicking the Start button. In the search box, type Firewall, and then, in the list of results, click Windows Firewall.

  2. In the left pane, click Turn Windows Firewall on or off.

  3. Click Turn on Windows Firewall.

If you can’t turn Windows Firewall on or you get a message that the service can’t be started, your PC has been infected. Follow the steps in How to remove the Ramnit virus.
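
The three checks above, plus User Account Control, can also be read in one pass from a PowerShell prompt. This is an added example, not part of the original article; the service names (WinDefend, wuauserv, MpsSvc) and the EnableLUA registry value are standard Windows identifiers assumed here, not taken from the page.

```powershell
# Added example: report the state of the features the article says Ramnit disables.
# Service names and the EnableLUA value are assumptions (standard Windows identifiers),
# not values that appear on the page.
$checks = @(
    @{ Name = 'WinDefend'; Feature = 'Windows Defender'; MustRun = $true  },
    # Windows Update is demand-started, so an idle "Stopped" state is normal
    @{ Name = 'wuauserv';  Feature = 'Windows Update';   MustRun = $false },
    @{ Name = 'MpsSvc';    Feature = 'Windows Firewall'; MustRun = $true  }
)

$report = foreach ($c in $checks) {
    # Win32_Service exposes both the current state and the configured start mode
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($c.Name)'" -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $state = 'Missing'; $mode = 'n/a'
    } else {
        $state = $svc.State; $mode = $svc.StartMode
    }

    # Flag a service that is absent, disabled, or stopped when it should be running
    $flag = ($state -eq 'Missing') -or ($mode -eq 'Disabled') -or
            ($c.MustRun -and $state -ne 'Running')

    New-Object PSObject -Property @{
        Feature        = $c.Feature
        Detail         = "$($c.Name): $state / $mode"
        NeedsAttention = $flag
    }
}

# User Account Control is on when EnableLUA is 1
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$report = @($report) + (New-Object PSObject -Property @{
    Feature        = 'User Account Control'
    Detail         = "EnableLUA = $uac"
    NeedsAttention = ($uac -ne 1)
})

$report | Select-Object Feature, Detail, NeedsAttention | Format-Table -AutoSize
```

Windows turns the Windows Defender service off by design when another antivirus product is installed, so read that row together with the other three.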

My PC won't turn on or I see a blue screen

If you see a blue screen when your PC turns on, look for an error message or technical information on the screen. If you see code 0x000000F4, or one of the following: 0x00000003, 0x865B5D40, 0x865B5EAC, 0x82E5ECE0, your PC is infected. You'll need to take your PC to a retailer that offers data recovery services and tell them that you need a full recovery of your PC including all of your files. It is likely that your files will be recoverable.

If your PC won’t turn on, you'll need to take it to a PC retailer that offers data recovery services and tell them that you need a full recovery of your PC including all of your files. It is likely that your files will be recoverable.

How to remove the Ramnit virus

If your PC is infected with the Ramnit virus but starts normally, you can remove it from your PC by following these steps:

  1. Open the Microsoft Safety Scanner website.

  2. Click the blue Download now button.

  3. After the tool is downloaded, click Run.

  4. Accept the terms of agreement.

  5. Click Run a quick scan.

  6. If the Microsoft Safety Scanner finds the Ramnit virus, it will display Ramnit within the scanner dialog box.

  7. Click Clean all files to remove Ramnit and any other malware that the Microsoft Safety Scanner finds.

The malware will be removed and Windows Defender, Windows Firewall, Windows Update, and User Account Control will be set to their original settings.