Here are step by step Ramnit removal guide:
1. Run Process explorer from sysinternal (now microsoft), click suspend all svchost.exe (under explorer.exe process, not under services.exe) then terminate process tree
2. Disable system restore during this removal steps.
3. Erase recycler, recycled and "system volume information" folders, To doing this follow this steps:
(for example my admin username is rachmat, root directory is in C:, and my data directory is in D:)
-run cmd.exe,
c:\>rd /s /q "c:\recylcer" [enter]
c:\>cacls "c:\system volume information" /t /e /c /g rachmat:F [enter]
c:\>rd /s /q "c:\system volume information" [enter]
d:\>rd /s /q "recycled" [enter]
4. Make RamNit_removal.bat and RAMNit_removal.reg and place it at the same path / folder. To make this files here the steps:
-run notepad, copy this scripts and save as RamNit_removal.bat
@echo off
REM "This is for erase Main worm files"
del /f /s /q /a "%ProgramFiles%\Microsoft\WaterMark.exe">Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\Microsoft\DesktopLayer.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\dmlconf.dat">>Delete_Log.txt
REM "This is for erase another tricky worm files, if it exist"
del /f /s /q /a "%Systemroot%\dmlconf.dat">>Delete_Log.txt
del /f /s /q /a "%Systemroot%\lssas.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\ExplorerSrv.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\rundll32Srv.exe">>Delete_Log.txt
1. Run Process explorer from sysinternal (now microsoft), click suspend all svchost.exe (under explorer.exe process, not under services.exe) then terminate process tree
2. Disable system restore during this removal steps.
3. Erase recycler, recycled and "system volume information" folders, To doing this follow this steps:
(for example my admin username is rachmat, root directory is in C:, and my data directory is in D:)
-run cmd.exe,
c:\>rd /s /q "c:\recylcer" [enter]
c:\>cacls "c:\system volume information" /t /e /c /g rachmat:F [enter]
c:\>rd /s /q "c:\system volume information" [enter]
d:\>rd /s /q "recycled" [enter]
4. Make RamNit_removal.bat and RAMNit_removal.reg and place it at the same path / folder. To make this files here the steps:
-run notepad, copy this scripts and save as RamNit_removal.bat
@echo off
REM "This is for erase Main worm files"
del /f /s /q /a "%ProgramFiles%\Microsoft\WaterMark.exe">Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\Microsoft\DesktopLayer.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\dmlconf.dat">>Delete_Log.txt
REM "This is for erase another tricky worm files, if it exist"
del /f /s /q /a "%Systemroot%\dmlconf.dat">>Delete_Log.txt
del /f /s /q /a "%Systemroot%\lssas.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\ExplorerSrv.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\rundll32Srv.exe">>Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\synaptics\syntp\SynTPEnhSrv.exe">>Delete_Log.txt
del /f /s /q /a "%UserProfile%\Local-Settings\Application Data\\.exe">>Delete_Log.txt
del /f /s /q /a "%UserProfile%\Local-Settings\Application Data\\.exe">>Delete_Log.txt
REM "This is for prevent infections of Ramnit worm"
mkdir "%ProgramFiles%\Microsoft\WaterMark.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\WaterMark.exe" /s /d
mkdir "%ProgramFiles%\Microsoft\DesktopLayer.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\DesktopLayer.exe" /s /d
mkdir "%systemroot%\System32\dmlconf.dat"
attrib +r +s -h -a "%systemroot%\System32\dmlconf.dat" /s /d
REM "This is for clean hijacked registry settings"
reg import RAMNit_removal.reg
exit
-run notepad, copy this script and save as RAMNit_removal.reg
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
[HKEY_CLASSES_ROOT\inffile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
5. Execute RamNit_removal.bat, fix another registry issue with ccleaner.
6. Reboot and enter safe mode, then do scan to clean random executable files that infected by this worm, offcourse with your trusted antivirus. (Antivirus that know this virus such as: avast antivirus, avira rescue CD, clamwin)
7. Boot normally, clean all infected htm and html files with VBS dropper malware remover tools (author: Jing Ge).
8. Use worm door cleaner to prevent infected from internet or LAN.
9. Finish.
notes:
Be ready to reinstall some applications, some anti-virus programs will delete all infected executable files, not fix infected executable files.
source:
-www.piriform.com (for CCleaner)
-polygoncell.blogspot.com (for clean infected html files)
-www.softpedia.com (for worm door cleaner)
-technet.microsoft.com (for process explorer)
