RAMNIT Worm Removal Guide

Yesterday my father's PC got infected by a VBS dropper worm. This worm is known as RAMNIT in the ClamWin antivirus signatures.
The bad news is that he plugged his USB flash disk into my PC and executed some files that may have contained the virus and worm.
I think ClamWin's real-time protection is only fair and not much help against this worm, and my PCs also got infected by it.
Searching the internet, I found no complete removal guide for cleaning this Ramnit worm.
After learning the characteristics of this worm, I finally wrote this article.
Here is the step-by-step Ramnit removal guide:

1. Run Process Explorer from Sysinternals (now Microsoft). Suspend every svchost.exe that runs under the explorer.exe process (not the ones under services.exe), then terminate its process tree. A real svchost.exe is started by services.exe; one parented by explorer.exe is the worm.
2. Disable System Restore for the duration of these removal steps.
3. Erase the recycler, recycled and "System Volume Information" folders. To do this, follow these steps
(in this example my admin username is rachmat, the root directory is C:, and my data directory is D:):
-run cmd.exe and type:
c:\>rd /s /q "c:\recycler" [enter]
c:\>cacls "c:\system volume information" /t /e /c /g rachmat:F [enter]
c:\>rd /s /q "c:\system volume information" [enter]
d:\>rd /s /q "recycled" [enter]

4. Create RamNit_removal.bat and RAMNit_removal.reg and place them in the same folder (the batch file imports the .reg file by relative name). To make these files, follow these steps:
-run Notepad, paste this script and save it as RamNit_removal.bat
@echo off
REM "This is for erase Main worm files"
del /f /s /q /a "%ProgramFiles%\Microsoft\WaterMark.exe">Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\Microsoft\DesktopLayer.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\dmlconf.dat">>Delete_Log.txt

REM "This is for erase another tricky worm files, if it exist"
del /f /s /q /a "%Systemroot%\dmlconf.dat">>Delete_Log.txt
del /f /s /q /a "%Systemroot%\lssas.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\ExplorerSrv.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\rundll32Srv.exe">>Delete_Log.txt

del /f /s /q /a "%ProgramFiles%\synaptics\syntp\SynTPEnhSrv.exe">>Delete_Log.txt
del /f /s /q /a "%UserProfile%\Local Settings\Application Data\\.exe">>Delete_Log.txt

REM "This is for prevent infections of Ramnit worm"
mkdir "%ProgramFiles%\Microsoft\WaterMark.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\WaterMark.exe" /s /d
mkdir "%ProgramFiles%\Microsoft\DesktopLayer.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\DesktopLayer.exe" /s /d
mkdir "%systemroot%\System32\dmlconf.dat"
attrib +r +s -h -a "%systemroot%\System32\dmlconf.dat" /s /d
REM "This is for clean hijacked registry settings"
REM (run this batch file from the folder that contains RAMNit_removal.reg)
reg import RAMNit_removal.reg
exit

-run Notepad, paste this script and save it as RAMNit_removal.reg. Note that the lines starting with [-HKEY...] delete those Run keys completely, including any legitimate autostart entries in them, so the applications that need them will have to re-add them afterwards.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
[HKEY_CLASSES_ROOT\inffile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

5. Run RamNit_removal.bat, then fix any remaining registry issues with CCleaner.
6. Reboot into Safe Mode, then scan with your trusted antivirus to clean the random executable files this worm infected. (Antivirus products that know this worm include Avast Antivirus, the Avira Rescue CD and ClamWin.)

7. Boot normally and clean all infected .htm and .html files with the VBS dropper malware remover tool (author: Jing Ge).

8. Use Worm Door Cleaner to prevent reinfection from the internet or LAN.
9. Finished.
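As an added example that is not part of the original guide, here is a read-only PowerShell audit I would run before step 5 and again after step 6. It lists whatever currently sits in the autostart keys that RAMNit_removal.reg deletes (so legitimate entries can be written down before the import), compares the Winlogon Userinit value and the exefile open command with their stock Windows values, and looks for the dropped files that RamNit_removal.bat deletes. The registry paths and file names come from the guide above; the stock Userinit value (<SystemRoot>\system32\userinit.exe,) and the "%1" %* exefile command are the Windows defaults. Run it from an elevated PowerShell prompt; nothing in it modifies the system.

```powershell
# Added example, not from the original post: read-only audit of the persistence
# points that RAMNit_removal.reg rewrites and the files RamNit_removal.bat deletes.
# Run as administrator. Nothing here changes the system.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# 1. Dump every autostart entry. The .reg file deletes these keys outright,
#    so record the legitimate entries here before importing it.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        Write-Host ("   {0,-30} {1}" -f $name, $regKey.GetValue($name))
    }
}

# 2. Userinit: the stock value is "<SystemRoot>\system32\userinit.exe," and
#    anything appended after the comma is an extra program run at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
if ($userinit.TrimEnd(',') -ieq $expected) {
    Write-Host "Userinit OK: $userinit"
} else {
    Write-Warning "Userinit hijacked: $userinit"
}

# 3. exefile handler: the stock command is "%1" %*. Anything else means every
#    .exe launch is routed through another program first.
$exeCmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeCmdKey).'(default)'
if ($exeCmd -eq '"%1" %*') {
    Write-Host "exefile handler OK"
} else {
    Write-Warning "exefile handler changed: $exeCmd"
}

# 4. Dropped files named in the batch file. After the batch has run, these
#    paths should be folders (the mkdir trick), not files.
$droppedFiles = @(
    "$env:ProgramFiles\Microsoft\WaterMark.exe",
    "$env:ProgramFiles\Microsoft\DesktopLayer.exe",
    "$env:SystemRoot\System32\dmlconf.dat",
    "$env:SystemRoot\dmlconf.dat"
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f -Force
        Write-Warning ("Worm file present: {0} ({1} bytes)" -f $f, $item.Length)
    } elseif (Test-Path -LiteralPath $f -PathType Container) {
        Write-Host "Blocker folder in place: $f"
    } else {
        Write-Host "Absent: $f"
    }
}
```

The Run-key dump is the part worth keeping a copy of: once the .reg file has been imported, those keys are empty, and the dump is the only record of which entries were legitimate and need restoring.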

Note:
Be ready to reinstall some applications; some antivirus programs delete every infected executable rather than disinfecting it.

Sources:
-therachmat.blogspot.com (Ramnit worm removal guide)
-www.piriform.com (CCleaner)
-polygoncell.blogspot.com (cleaning infected HTML files)
-www.softpedia.com (Worm Door Cleaner)
-technet.microsoft.com (Process Explorer)

Thanks for reading my article about the RAMNIT Worm Removal Guide; I will appreciate any advice for completing this article.
If you're a C++ programmer, please help me create a snippet about how to delete the last n lines or some text from .exe files.

8 comments:

rachmat said...

special thanks for Jing Ge that release tools for repair infected htm files

rachmat said...

don't forget to turn on your firewall while surfing on internet

Anonymous said...

Thanks a lot for all that hard work.
I had this very badly back in late summer. My main method was with DR WEB CUREIT (a free download); I told it to 'Cure' the Ramnit-infected files, but I left the HTML files it detected with 'Igor' alone.

Since then the system seemed free until late Jan. (last week), when a new one got in. Slightly different from the 1st, and it spread very fast throughout my complex of Win XP, Win Vista and Win 7 (64-bit).
Infection into every corner.
I stopped it (I hope) with repeated DR WEB.
I'm now trying your routines as given here.
I will run them on each of my Windows installs.

I have no sign of that "WaterMark.exe".
@@@Thanks@@@

Anonymous said...

"Win32/RAMNET" symptoms I have:

A file called Desktoplayer.exe persistently reappears in C:/Program Files/Microsoft.
Fake FireFox and/or iExplore processes are shown in Task Manager.
These are much smaller (2 KB to 8 KB) than the real thing (80+ KB). They will be there whether a browser is really running or not.
The processes are directly connected to a high, near constant (very high) level of disc activity. Stopping the fakes in TaskMan stops this disc activity.

Files with the names of actual files (always exe's???) are created which are copies of that Desktoplayer.exe file, which is 60,416 bytes in size, and have the actual file name with 'Srv' added into it.
Thus: real "ProgName.exe" ...
fake 59 KB files in the same folder:
"ProgNameSrv.exe" "ProgNameSrvSrv.exe" "ProgNameSrvSrvSrv.exe"
etc... etc... etc.
@@@@@@
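The symptoms in the comment above (a <Name>Srv.exe clone beside every real <Name>.exe, all copies of one 60,416-byte dropper, plus tiny browser-named processes) can be turned into a read-only check. The following PowerShell script is an added example and is not from the commenter or from the guide's author: it walks a directory tree for files whose name ends in one or more "Srv" tokens and that sit next to the un-suffixed original, groups them by SHA-256 so identical copies stand out, and then flags running firefox/iexplore processes whose image on disk is unusually small. The starting directory (Program Files) and the 20 KB size threshold are my assumptions; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not from the comment's author or the guide's author:
# find "<Name>Srv.exe" marker files beside a "<Name>.exe" and flag tiny
# browser-named processes. Read-only; requires PowerShell 4+ for Get-FileHash.
param(
    # Assumption: start in Program Files; pass another root to widen the scan.
    [string]$Root = $env:ProgramFiles,
    # Assumption: a genuine browser image is far larger than this.
    [long]$SmallImageBytes = 20KB
)

$markers = Get-ChildItem -Path $Root -Recurse -File -Force -Filter '*Srv.exe' -ErrorAction SilentlyContinue |
    Where-Object {
        # Strip one or more trailing "Srv" tokens: ProgNameSrvSrv.exe -> ProgName.exe
        $original = $_.Name -replace '(Srv)+\.exe$', '.exe'
        Test-Path -LiteralPath (Join-Path $_.DirectoryName $original) -PathType Leaf
    } |
    ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Bytes  = $_.Length
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

if (-not $markers) {
    Write-Host "No <Name>Srv.exe marker files found under $Root"
} else {
    # Many files sharing one hash = one dropper body copied under many names.
    $markers | Group-Object SHA256 | Sort-Object Count -Descending | ForEach-Object {
        Write-Host ("{0} file(s), {1} bytes, SHA256 {2}" -f $_.Count, $_.Group[0].Bytes, $_.Name)
        $_.Group | ForEach-Object { Write-Host "   $($_.Path)" }
    }
}

# Browser-named processes whose executable on disk is tiny, as described above.
Get-Process -Name firefox, iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    if (-not $_.Path) { return }          # path unavailable without elevation
    $size = (Get-Item -LiteralPath $_.Path -Force).Length
    if ($size -lt $SmallImageBytes) {
        Write-Warning ("Suspicious small process image: {0} (PID {1}, {2} bytes)" -f $_.Path, $_.Id, $size)
    }
}
```

Run it as administrator so that process paths are visible; a single hash shared by dozens of <Name>Srv.exe files under different folders is the pattern the comment describes, and the list of paths doubles as the list of originals that still need to be scanned in Safe Mode (step 6 of the guide).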

rachmat said...

@Anonymous, you're welcome, and thanks also for your comments. RAMNIT or RAMNET has various versions (.A, .B, .G, etc.); each version has its own characteristics, but yes, it always infects .exe and .htm files. ProgNameSrv.exe is a marker that ProgName.exe has already been infected by this worm.
RAMNIT in my case always created ProgNameManager.exe as a marker.

rachmat said...

@Anonymous, if you use Vista or Win 7, right-click the batch script (RamNit_removal.bat) and run it as administrator.

Worm Removel said...

Thanks for this information. I think you did hard work collecting this data. But really this is beneficial for everyone.

Anonymous said...

thx **************+10
