Discovered: January 19, 2010
Type: Removal Information
This tool is designed to remove the infections of W32.Ramnit
How to download and run the W32.Ramnit removal tool.
Important: Selecting "Run as administrator" will result in an incomplete repair. You must be logged in to the Administrator account and all other users must be logged out in order for the tool to work correctly.
Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, please read the following Microsoft Knowledge Base article: Issues caused by a back up or a scan of the Exchange 2000 M drive
Follow these steps to download and run the tool:
- Download FxRamnit.exe, which works for both 32-bit and 64-bit computers.
- Save the file to a convenient location, such as your Windows desktop.
- If you are certain that you are downloading this tool from the Symantec Security Response website, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the Digital Signature section before proceeding with step 4.
- Close all the running programs.
- If you are running Windows XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation.
- Double-click FxRamnit.exe to start the removal tool.
- Click “I Accept” to accept the End User License Agreement (EULA) and then click “Start” to begin to run the removal tool.
- Once the tool has finished running, you will see a message prompting you to check the log file (FxRamnit.log) for results, which will be located in the same directory as the fixtool.
- In some instances you may be asked to restart the computer to remove all Ramnit instances.
What the tool does
The Removal Tool does the following:
- Terminates processes associated with Ramnit
- Repairs infected files
- Resets the following registry keys to the following values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UacDisableNotify" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinDefend\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MpsSvc\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinDefend\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wscsvc\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\"Start" = "2"
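The values above are the ones Ramnit tampers with to switch off Security Center notifications, the firewall, UAC, Defender and Windows Update. Before or after running the tool, an administrator can audit a machine against that exact list. The script below is an added example written for this page, not part of the Symantec tool; it only reads the registry and reports differences. It assumes an elevated PowerShell session and that ControlSet001 and ControlSet002 may be absent on some systems (it reports those as missing rather than failing). A value that is absent is not the same as a tampered one: on a clean install several of the Security Center overrides simply do not exist, so treat VALUE MISSING as "check", and MISMATCH as the finding.

```powershell
# Added example (not Symantec's code): audit the registry values the FxRamnit tool resets.
# Read-only; run from an elevated PowerShell session.

$securityCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$expected = @(
    @{ Path = $securityCenter; Name = 'AntiVirusOverride';     Value = 0 }
    @{ Path = $securityCenter; Name = 'FirewallDisableNotify'; Value = 0 }
    @{ Path = $securityCenter; Name = 'FirewallOverride';      Value = 0 }
    @{ Path = $securityCenter; Name = 'UacDisableNotify';      Value = 0 }
    @{ Path = $securityCenter; Name = 'UpdatesDisableNotify';  Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Value = 1 }
)

# The firewall profile and service start values are listed for all three control sets.
# ControlSet001/002 may not exist on a given machine (assumption); they are reported as missing.
foreach ($cs in 'ControlSet001', 'ControlSet002', 'CurrentControlSet') {
    $fwProfile = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
    $expected += @{ Path = $fwProfile; Name = 'DisableNotifications'; Value = 0 }
    $expected += @{ Path = $fwProfile; Name = 'DoNotAllowExceptions'; Value = 1 }
    $expected += @{ Path = $fwProfile; Name = 'EnableFirewall';       Value = 1 }
    foreach ($svc in 'MpsSvc', 'WinDefend', 'wscsvc', 'wuauserv') {
        # Start = 2 is "Automatic"; the malware sets these services to disabled.
        $expected += @{ Path = "HKLM:\SYSTEM\$cs\Services\$svc"; Name = 'Start'; Value = 2 }
    }
}

function Test-RamnitRegistryState {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $status = 'OK'
        $actual = $null
        if (-not (Test-Path -LiteralPath $c.Path)) {
            $status = 'KEY MISSING'
        } else {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $status = 'VALUE MISSING'
            } else {
                $actual = $item.($c.Name)
                if ([int]$actual -ne $c.Value) { $status = 'MISMATCH' }
            }
        }
        [PSCustomObject]@{
            Path = $c.Path; Name = $c.Name; Expected = $c.Value; Actual = $actual; Status = $status
        }
    }
}

$results = Test-RamnitRegistryState -Checks $expected
$results | Format-Table -AutoSize
$bad = @($results | Where-Object Status -eq 'MISMATCH')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) value(s) differ from the state the removal tool restores."
}
```

Running this across a fleet (for example through a remote session or a scheduled task that writes the table to a share) gives a quick way to find hosts where the security features are still switched off, which is one of the symptoms the removal tool repairs.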
The following switches are designed for use by network administrators:
- Display help message: /HELP, /H, /?
- Enable silent mode: /SILENT, /S
- Prevent the computer from restarting when silent mode has been enabled: /NOSILENTREBOOT
- Create a log file where the removal tool’s output is stored in [PATH NAME]: /LOG=[PATH NAME]
By default, this switch creates the log file in the same folder that the removal tool was executed from.
- Scan mapped network drives: /MAPPED
(Symantec does not recommend using this switch)
It is important to note that using the /MAPPED switch does not ensure the complete removal of W32.Ramnit on the compromised remote computer. This is because scanning mapped drives only scans the mapped folders, which may not include all folders on the remote computer. This can lead to missed detections. If a viral file is detected on the mapped drive, the repair may fail if a program on the remote computer uses that file.
On Windows Vista or Windows 7 computers, a scan of mapped drives may fail if the account that’s running the removal tool is not the administrator account, even if it is a member of the Administrator group. In these cases, the mapped drive will appear as disconnected after scanning with the removal tool. Please see the following Microsoft Knowledge Base article for more information: Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems
We advise that you run the removal tool on every computer.
For security purposes, the removal tool is digitally signed. Symantec recommends that you only use copies of the removal tool that have been directly downloaded from the Symantec Security Response website. If you are not sure, or are a network administrator and need to authenticate files before deployment, check the authenticity of the digital signature by following these steps:
- Go to http://www.wmsoftware.com/free.htm.
- Download and save the Chktrust.exe file to the same folder in which you saved the removal tool.
Note: Many of the following steps are performed through command prompt. If you downloaded the removal tool to the Windows desktop, move the tool to the root of the system drive and save the Chktrust.exe file to this location too. Step 3 assumes that both the removal tool and Chktrust.exe are in the root of the system drive.
- Click “Start” and then click “Run”.
- Type “cmd” and then click “OK”.
- In the command window, type the following and press “Enter”:
chktrust -i FxRamnit.exe
- You should see one of the following messages, depending on your operating system:
Windows XP SP2: The Trust Validation Utility window will appear. Under “Publisher”, click the Symantec Corporation link and the following digital signature details will appear.
Verify the contents of the following fields to ensure that the tool is authentic:
Name: Symantec Corporation
Signing Time: 24th February 2015
All other operating systems: The following message will appear:
Do you want to run this software?
Name: Symantec Removal Tool
Publisher: Symantec Corporation
Note: The date and time in the digital signature are based on Pacific Time. They will be adjusted for your computer's time zone and regional options settings. If you are using Daylight Saving Time, the displayed time will be exactly one hour earlier.
If this dialog box does not appear, it may be because the removal tool is not from Symantec. Unless you are sure that the removal tool is legitimate and that you downloaded it from the legitimate Symantec website, do not run it.
- Click “Yes” or “Run” to close the dialog box.
- Type “exit”, and then press “Enter” to close the MS-DOS session.
- You can also verify that the MD5 of the fixtool is the following: ADBB748C0AB3275B06686F4EC4500A99
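The chktrust steps and the MD5 above can be done without the third-party download on any system with PowerShell, which also makes the check scriptable for the network-administrator deployment described in the switches section. The script below is an added example written for this page, not Symantec's own tooling. It assumes FxRamnit.exe is in the current directory, takes the expected MD5 from this page, checks that the Authenticode signature is valid and that the signer is Symantec Corporation, and only then launches the tool with the documented /SILENT, /NOSILENTREBOOT and /LOG switches. The log directory name is an assumption, as is the reading of [PATH NAME] as a directory; confirm with /HELP before relying on it.

```powershell
# Added example (not Symantec's code): verify the removal tool's Authenticode signature and
# MD5 before running it unattended. Assumes FxRamnit.exe is in the current directory.

$ToolPath    = Join-Path (Get-Location) 'FxRamnit.exe'
$ExpectedMd5 = 'ADBB748C0AB3275B06686F4EC4500A99'   # MD5 published on this page
$LogDir      = Join-Path $env:SystemDrive 'RamnitLogs'  # assumed location, adjust as needed

function Test-RemovalToolAuthenticity {
    param([string]$Path, [string]$Md5)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Removal tool not found: $Path" }

    # Authenticode check: Status must be Valid and the signing certificate must name Symantec.
    # A timestamp countersignature keeps old signatures verifiable after the certificate expires;
    # any status other than Valid means this copy should not be run.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signatureOk = ($sig.Status -eq 'Valid') -and ($signer -match 'CN=Symantec Corporation')

    # Hash check: -eq on strings is case-insensitive, so upper/lower-case hex both match.
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $hashOk = $hash -eq $Md5

    [PSCustomObject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignatureOk     = $signatureOk
        Md5             = $hash
        HashOk          = $hashOk
    }
}

$check = Test-RemovalToolAuthenticity -Path $ToolPath -Md5 $ExpectedMd5
$check | Format-List

if ($check.SignatureOk -and $check.HashOk) {
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    # Unattended run with the switches this page documents. /NOSILENTREBOOT prevents an
    # automatic restart; the page notes a restart may still be required to finish removal.
    Start-Process -FilePath $ToolPath -ArgumentList '/SILENT', '/NOSILENTREBOOT', "/LOG=$LogDir" -Wait
    $log = Join-Path $LogDir 'FxRamnit.log'   # log file name as given on this page
    if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log }
    else { Write-Warning "No log found at $log; check /HELP for the exact /LOG semantics." }
} else {
    Write-Warning 'Signature or MD5 check failed; do not run this copy of the removal tool.'
}
```

Note that MD5 alone is a weak identity check; the signature check is the one that matters, and the hash is a secondary confirmation that the file is the specific build this page describes. As the page says, the tool must be run from the Administrator account itself, so run this script in that account rather than through "Run as administrator" on another user's session.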