Since the number of "requesting clean files" threads is growing and no one else takes care of it, I decided to release a "bundle" to fix infected files and to avoid re-infections.
Tested it with my good old ******** files, which I had already downloaded infected.
Got them clean now.
Which files might be infected by Ramnit?
.html & .htm, .exe, .dll
Symptoms:
a.) An executable called DesktopLayer.exe is created in C:\Program Files\Microsoft (the log below shows it under C:\Program Files (x86)\Microsoft on 64-bit Windows).
b.) There may be fake tasks named iExplore and FireFox in your Task Manager. The memory size of those fake tasks is far too small for real IE and FF versions (only between 1 KB and 10 KB).
Note: those tasks are present even if none of those browsers is currently running!
c.) Disk activity may be much higher than normal, depending on the speed of your disks / vDisks.
d.) Starting an infected .exe such as "MyProgrammX1.exe" creates a 59 KB clone called "MyProgrammX1Srv.exe".
Memory Size of the real Firefox & IE Tasks:
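To check a machine for the symptoms above without changing anything, here is an added PowerShell triage script. It is my example, not part of the original post or of the bundle. It covers symptoms a, b and d (c, disk activity, is better judged in Resource Monitor) and also reports whether the WASAntidot inoculation key from the protection step below is present. The scan root and the 1 MB working-set cut-off are my assumptions; the file name, the process names and the 1-10 KB / 59 KB figures come from the post.

```powershell
# Find-RamnitSymptoms.ps1 - added example, not part of the original post or bundle.
# Read-only triage for the symptoms listed above; run it from an elevated PowerShell.
# Assumptions: $ScanRoot (where *Srv.exe clones are searched; slow on a whole drive)
# and the 1 MB working-set cut-off; the post puts the fake browser tasks at 1-10 KB.
param(
    [string]$ScanRoot = 'C:\',
    [long]$TinyWorkingSetBytes = 1MB
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Symptom, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Symptom = $Symptom; Detail = $Detail })
}

# (a) the dropper: DesktopLayer.exe under Program Files\Microsoft; the log in the
# post shows it under Program Files (x86) on 64-bit Windows, so check both roots.
foreach ($root in (@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })) {
    $dropper = Join-Path $root 'Microsoft\DesktopLayer.exe'
    if (Test-Path -LiteralPath $dropper) {
        $size = (Get-Item -LiteralPath $dropper).Length
        Add-Finding 'a' "dropper present: $dropper ($size bytes)"
    }
}

# (b) fake iexplore / firefox tasks: a real browser uses tens or hundreds of MB,
# the fakes only a few KB, and they are there even with no browser window open.
foreach ($proc in (Get-Process -Name iexplore, firefox -ErrorAction SilentlyContinue)) {
    if ($proc.WorkingSet64 -lt $TinyWorkingSetBytes) {
        $image = 'n/a'
        try { $image = $proc.Path } catch { }   # Path can be inaccessible for some processes
        $kb = [math]::Round($proc.WorkingSet64 / 1KB)
        Add-Finding 'b' "PID $($proc.Id) $($proc.ProcessName) uses only $kb KB (image: $image)"
    }
}

# (d) *Srv.exe clones (about 59 KB in the post) sitting next to the program they copy.
Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Filter '*Srv.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.BaseName.Length -le 3) { return }              # a bare "Srv.exe" has no twin
        $twinName = ($_.BaseName -replace 'Srv$', '') + '.exe'
        $twinPath = Join-Path $_.DirectoryName $twinName
        if (Test-Path -LiteralPath $twinPath) {
            $kb = [math]::Round($_.Length / 1KB)
            Add-Finding 'd' "clone $($_.FullName) ($kb KB) next to $twinName"
        }
    }

# Protection check: the WASAntidot key from protection step a. must carry a value named "disable".
$inoc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\WASAntidot' -ErrorAction SilentlyContinue
if (-not ($inoc -and ($inoc.PSObject.Properties.Name -contains 'disable'))) {
    Add-Finding 'prot' 'HKLM\Software\WASAntidot "disable" value not found - inoculation not applied'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Ramnit indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Save it as Find-RamnitSymptoms.ps1 and run it as `.\Find-RamnitSymptoms.ps1 -ScanRoot 'D:\ServerFiles'` to limit the clone search to the folder you are worried about. A hit on (d) is the strongest signal, since a legitimate program rarely ships a `<name>Srv.exe` twin of roughly 59 KB next to every executable.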
Possible protection & an easy and secure way to clean infected files:
a.) First, merge the following registry file: avoidRamnit_Registry.reg
Quote:
"If the registry key HKEY_LOCAL_MACHINE\Software\WASAntidot is present
and has a value named "disable" it will skip the infection process and
pop up a messagebox: "Antidot is activate". However, it will still try
to call home and possibly download stuff."
Source:
b.) After merging the registry key, execute FxRamnit.exe
Source:
Example Log after Cleaning:
Quote:
Removal Tool version 2.4.4.3 started on Tue May 17 11:02:13 2016
========== Detected Files ==========
C:\********-ServerFiles\ServerFiles\01_SMC\CommonGuiControl.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\gfxfilemanager.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\smc_updaterSrv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\01_SMC\SMCReplacer.exe detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\CAS.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\ConcurrentUserLog.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\IPBlock.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\ModulePatch.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\Notice.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\Security.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\ServerControl.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_Notice.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_Scheduler.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_Statistics.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserBlock.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserData.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserEdit.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserLog.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserPunishment.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\UserControl.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\UserStatistics.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\01_SMC\verdata.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\AgentServer_1Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\DownloadServer_1Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\FarmManager_1Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\GatewayServer_1Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\GFXFileManager.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\ggauth.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\GlobalManager_1Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\MachineManager_1Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\MachineManager_2Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\ServerFrameworkRes.dll detected as W32.Ramnit!inf
C:\********-ServerFiles\ServerFiles\SR_GameServerF_1Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\SR_GameServerF_2Srv.exe detected as Trojan.Zbot!gen9
C:\********-ServerFiles\ServerFiles\SR_ShardManager_1Srv.exe detected as Trojan.Zbot!gen9
C:\Program Files (x86)\Microsoft\DesktopLayer.exe detected as Trojan.Zbot!gen9
========== Repaired Files ==========
C:\********-ServerFiles\ServerFiles\01_SMC\CommonGuiControl.dll
C:\********-ServerFiles\ServerFiles\01_SMC\gfxfilemanager.dll
C:\********-ServerFiles\ServerFiles\01_SMC\SMCReplacer.exe
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\CAS.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\ConcurrentUserLog.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\IPBlock.dll
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\ModulePatch.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\Notice.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\Security.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\ServerControl.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_Notice.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_Scheduler.dll
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_Statistics.dll
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserBlock.dll
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserData.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserEdit.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserLog.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\SR_UserPunishment.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\UserControl.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\SMPlugins\UserStatistics.fx0
C:\********-ServerFiles\ServerFiles\01_SMC\verdata.fx0
C:\********-ServerFiles\ServerFiles\GFXFileManager.fx0
C:\********-ServerFiles\ServerFiles\ggauth.dll
C:\********-ServerFiles\ServerFiles\ServerFrameworkRes.fx0
========== Removed Files ==========
C:\********-ServerFiles\ServerFiles\01_SMC\smc_updaterSrv.exe
C:\********-ServerFiles\ServerFiles\AgentServer_1Srv.exe
C:\********-ServerFiles\ServerFiles\DownloadServer_1Srv.exe
C:\********-ServerFiles\ServerFiles\FarmManager_1Srv.exe
C:\********-ServerFiles\ServerFiles\GatewayServer_1Srv.exe
C:\********-ServerFiles\ServerFiles\GlobalManager_1Srv.exe
C:\********-ServerFiles\ServerFiles\MachineManager_1Srv.exe
C:\********-ServerFiles\ServerFiles\MachineManager_2Srv.exe
C:\********-ServerFiles\ServerFiles\SR_GameServerF_1Srv.exe
C:\********-ServerFiles\ServerFiles\SR_GameServerF_2Srv.exe
C:\********-ServerFiles\ServerFiles\SR_ShardManager_1Srv.exe
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
========== Registry Entries Set ==========
HKLM\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = 0x0
HKLM\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = 0x0
HKLM\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = 0x0
HKLM\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = 0x0
HKLM\SOFTWARE\Microsoft\Security Center\"UacDisableNotify" = 0x0
HKLM\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = 0x0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = 0x1
HKLM\SYSTEM\ControlSet001\Services\MpsSvc\"Start" = 0x2
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = 0x0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = 0x1
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = 0x1
HKLM\SYSTEM\ControlSet001\Services\WinDefend\"Start" = 0x2
HKLM\SYSTEM\ControlSet001\Services\wscsvc\"Start" = 0x2
HKLM\SYSTEM\ControlSet001\Services\wuauserv\"Start " = 0x2
HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc\"Sta rt" = 0x2
HKLM\SYSTEM\CurrentControlSet\Services\SharedAcces s\Parameters\FirewallPolicy\StandardProfile\"Disab leNotifications" = 0x0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAcces s\Parameters\FirewallPolicy\StandardProfile\"DoNot AllowExceptions" = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAcces s\Parameters\FirewallPolicy\StandardProfile\"Enabl eFirewall" = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\" Start" = 0x2
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\"Sta rt" = 0x2
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\"S tart" = 0x2
Enjoy! (#gönnteuch)
PS: Scan for "antiRamnit_boundle.zip (8,10 MB)"
