Manual Removal of the Ramnit (Runmit, W32) Shortcut Virus

  • Run Process Explorer from Sysinternals, suspend every svchost.exe that sits under the explorer.exe process (not the ones under services.exe), then terminate its process tree.
  • Disable System Restore for the duration of these removal steps.
  • Erase the recycler, recycled and "system volume information" folders. To do this, follow these steps (in this example the admin username is Ponselkom and the root directory is C:):
run cmd.exe, then:
c:\>rd /s /q "c:\recycler" [enter]
c:\>cacls "c:\system volume information" /t /e /c /g Ponselkom:F [enter]
c:\>rd /s /q "c:\system volume information" [enter]
d:\>rd /s /q "recycled" [enter]

  • Make RamNit_removal.bat and RAMNit_removal.reg and place both in the same folder. To create these files, follow these steps:
run Notepad, copy this script and save it as RamNit_removal.bat

@echo off
REM Erase the main worm files and log what was deleted
del /f /s /q /a "%ProgramFiles%\Microsoft\WaterMark.exe">Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\Microsoft\DesktopLayer.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\dmlconf.dat">>Delete_Log.txt

REM Erase the other tricky worm files, if they exist
del /f /s /q /a "%Systemroot%\dmlconf.dat">>Delete_Log.txt
del /f /s /q /a "%Systemroot%\lssas.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\ExplorerSrv.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\rundll32Srv.exe">>Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\synaptics\syntp\SynTPEnhSrv.exe">>Delete_Log.txt
REM The dropped file under Local Settings has a random name that differs per
REM infection; fill in the folder and file name by hand before running this
del /f /s /q /a "%UserProfile%\Local Settings\Application Data\\.exe">>Delete_Log.txt

REM Prevent re-infection: create folders with the same names as the worm files,
REM marked read-only + system, so the worm cannot write its files back
mkdir "%ProgramFiles%\Microsoft\WaterMark.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\WaterMark.exe" /s /d
mkdir "%ProgramFiles%\Microsoft\DesktopLayer.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\DesktopLayer.exe" /s /d
mkdir "%systemroot%\System32\dmlconf.dat"
attrib +r +s -h -a "%systemroot%\System32\dmlconf.dat" /s /d

REM Clean the hijacked registry settings; the .reg file sits next to this .bat,
REM so refer to it by the script's own folder (%~dp0) rather than the current directory
reg import "%~dp0RAMNit_removal.reg"
exit
Then run Notepad again, copy this script and save it as RAMNit_removal.reg in the same folder as the .bat file:

Windows Registry Editor Version 5.00

; Wipe every autostart entry in the Run keys (legitimate entries included; note
; down any you want to restore, e.g. from msconfig, before running the .bat),
; then recreate the keys empty
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

; Restore the Winlogon loader: the worm appends its own executable after this
; value. Change c:\\windows if Windows is installed somewhere else.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe,"

; Restore the default .reg, .inf and .exe file associations
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
; REG_EXPAND_SZ value "%SystemRoot%\System32\NOTEPAD.EXE %1" (the Windows XP default)
[HKEY_CLASSES_ROOT\inffile\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,4f,00,54,00,45,00,50,00,41,00,44,00,2e,00,45,00,58,00,45,00,20,00,25,00,31,00,00,00
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
; "%1" %* is the default; anything else here means every .exe launch is routed through the worm
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

  • Execute RamNit_removal.bat, then fix any remaining registry issues with CCleaner.
  • Reboot into Safe Mode, then run a scan with a trusted antivirus to clean the random executable files this worm infected (antivirus products that know this virus include Avast Antivirus, Avira Rescue CD and ClamWin).
  • Boot normally and clean all infected .htm and .html files with the VBS Dropper Malware Remover tool (author: Jing Ge).
  • Use Worm Door Cleaner to prevent re-infection from the internet or the LAN.
  • Finish.
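
A post-removal check, added here as an example and not part of the original post: it verifies, in PowerShell, the things the two scripts above touch (the three blocker folders, the Winlogon Userinit value, the exefile open command, and running copies of the dropped files). Paths and names are the ones the scripts use; run it from an elevated PowerShell prompt after executing RamNit_removal.bat and before booting normally.

```powershell
# Post-removal check for the Ramnit steps on this page (added example, not part
# of the original post). Run from an elevated PowerShell prompt.
$fail = $false
$report = @()

# 1. The three files the .bat deletes and then replaces with read-only folders.
$blockers = @("$env:ProgramFiles\Microsoft\WaterMark.exe",
              "$env:ProgramFiles\Microsoft\DesktopLayer.exe",
              "$env:SystemRoot\System32\dmlconf.dat")
foreach ($p in $blockers) {
    if (Test-Path -LiteralPath $p -PathType Container) {
        $report += "[ok] blocker folder in place: $p"
    } elseif (Test-Path -LiteralPath $p -PathType Leaf) {
        $report += "[!!] worm file still present: $p"; $fail = $true
    } else {
        $report += "[--] absent, blocker folder not created: $p"
    }
}

# 2. Winlogon Userinit: the worm appends its own executable after the comma, so
#    anything beyond the plain userinit.exe entry means the hijack is still there.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($userinit -notmatch '^\s*[a-z]:\\windows\\system32\\userinit\.exe,?\s*$') {
    $report += "[!!] Userinit hijacked: $userinit"; $fail = $true
}

# 3. exefile open command: must be the default "%1" %*, otherwise every .exe
#    launch is routed through whatever the worm put there.
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeKey).'(default)'
if ($exeCmd -ne '"%1" %*') {
    $report += "[!!] exefile open command hijacked: $exeCmd"; $fail = $true
}

# 4. Dropped worm executables still running under their own names.
$running = Get-Process -Name WaterMark, DesktopLayer -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | ForEach-Object { $_.ProcessName }) -join ', '
    $report += "[!!] worm process still running: $names"; $fail = $true
}

$report | ForEach-Object { Write-Host $_ }
if ($fail) { Write-Host 'Removal incomplete: repeat the steps above before booting normally.' }
else       { Write-Host 'All checks passed.' }
```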

Notes:
Be prepared to reinstall some applications: some antivirus programs delete every infected executable file rather than disinfecting it.

