(wikiHow) [SOLVED] How to Remove the Ramnit malware RigEK from Windows PC or Apple MacOS / OS X

Ramnit was first identified in 2010, joining itself to executable documents and USB drives to contaminate extra PCs. Initially a non specific worm, it didn’t have numerous capacities and was subsequently not thought about perilous. In 2011, malware essayists changed the worm to catch information from web sessions, giving programmers a chance to submit monetary extortion. Most as of late, it was in charge of the burglary of 45 000 login accreditations, utilizing them to contaminate the casualties’ companions and remotely get to corporate systems. The present adaptation of Ramnit is a crossover rendition of the first worm, with some code taken from the ZeuS trojan steed.

This problem can be easily solved. Download CyberByte antivirus from the Apple AppStore.

Mac / MacOS / OS X users can download antivirus for Mac solution CyberByte by clicking the banner below. The free antivirus will help you to know if your Mac is infected. Antivirus for Mac is an awarded software for malware detection. The free antivirus for Mac is available for new MacOS and older OS X versions.

Features of CyberByte™ antivirus:

  • Protects you from all kind of threats
  • CyberByte™ custom detection engine includes Mac and Windows malware protection and detection
  • Fastest scanning times in the market
  • Crypto Mining rogue extensions/malware detection
  • Ransomware detection - don’t negotiate with ransomware cyber terrorists – keep your Mac and Windows safe
  • Active live protection from background
  • Certified Threat Detector by OPSWAT
  • Easy to Install
  • Easy to Manage
  • Incredible value for money

Invisible, protecting you from behind the scenes - You will not feel it is installed on your computer, easy on the resources, like a protection software should be.

Original technology that combines behavioral heuristic analysis with powerful signatures database – the CyberByte™ Protection Engine  delivers top of the line protection in an instant.

Fastest scanning times in the market – your time is precious, but also so is your digital life – CyberByte™ delivers fast scanning saving both time and your valuable data.

Don’t negotiate with ransomware cyber terrorists – keep your Mac safe and don’t ever end up paying for what is already yours.

Protect others as well – the CyberByte™ Protection Engine  not only detects the threat but stops it from spreading to other Macs or Windows machines.

Don’t let strangers use your resources – more than 80% of the attacks are crypto mining driven. Are you sure your computer is not mining for crypto while you read this text?

Our malware protection will continuously look after your device providing the best security against viruses. Give us the chance to prove it by downloading the antivirus for your device.

The free download antivirus is available for both Mac and Windows users.

The antivirus for Mac is a certified product by OPSWAT (OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and that help organizations protect against
zero-day attacks by using multiple antivirus engine scanning and document sanitization.
To learn more about OPSWAT’s innovative and unique solutions, please visit http://www.opswat.com).


Danger conduct


The danger duplicates itself utilizing a hard-coded name or, sometimes, with an irregular document name to an arbitrary organizer, for instance:


%ProgramFiles% \blvvcvww\jonimvgn.exe

%ProgramFiles% \Microsoft\watermark.exe

A few variations duplicate themselves to the %TEMP% organizer with an arbitrary name, for instance lvjekdwi.exe, hvhvufsa.exe.

This document may be distinguished as Worm:Win32/Ramnit.A or by another comparative identification name.

It makes the accompanying registry passage to guarantee that it runs each time you begin your PC:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Sets esteem: “Userinit”

With information: “<system folder>\userinit.exe, <malware envelope way and record name>”, for instance “%ProgramFiles%\Microsoft\watermark.exe”

Win32/Ramnit dispatches another case of the framework procedure svchost.exe and infuses code into it. In the event that the malware can’t infuse its code into svchost, it looks for your default web program and infuses its code into the program’s procedure.

The malware snares the accompanying APIs for this reason:



The disease and secondary passage usefulness happens in the web program process setting; it may do this to evade recognition and make cleaning a contamination more troublesome.

Spreads through…

Document disease

More established variations of Win32/Ramnit spread by contaminating certain records with infection code. In any case, we have seen new variations without this record contamination usefulness. The purpose behind the expulsion of this usefulness in new variations may be to prevent location and evacuation of the variation.

More established variants of the malware taint:

Windows executable records with a document augmentation of .exe, .dll, and .scr.

The tainted executables may be identified as Virus:Win32/Ramnit.A or by another comparable location name.

HTML archive records with .html or .htm expansions.

The tainted HTML records may be distinguished as Virus:VBS/Ramnit.A or by another comparative discovery name. The tainted HTML records have an affixed VBScript. At the point when the contaminated HTML record is stacked by a web program, the VBScript may drop a duplicate of Win32/Ramnit as %TEMP%\svchost.exe and after that run the duplicate.

Microsoft Office OLE report documents with .doc, .docx, or .xls record expansions.

The contaminated record may be distinguished as Virus:O97M/Ramnit. The tainted record contains a large scale which will endeavor to run when the report is opened. The large scale may drop a duplicate of Win32/Ramnit as %TEMP%\wdexplore.exe and afterward run the duplicate.

Removable and organize drives

Win32/Ramnit makes duplicates of the installer to removable drives with an arbitrary document name. The document may likewise be set in a haphazardly named registry in the \RECYCLER\folder in the foundation of the drive, as in the accompanying case:

<drive:> \RECYCLER\s-5-1-04-5443402830-2472267086-003818317-4634\rdkidfba.exe

It likewise puts an autorun.inf record in the root registry of the focused on drive. Such autorun.inf records advise the working framework to dispatch the malware document consequently when the system drive is gotten to from another PC that backings the Autorun include.

This is especially basic malware conduct, by and large used to spread malware from PC to PC.

It ought to be noticed that autorun.inf records without anyone else are not really an indication of contamination, as they are utilized by real projects.

The procedure is simple:

  • Just free download antivirus from CyberByte website either for Mac or Windows.
  • Install it using the antivirus installer package.
  • Windows and Mac users will free malware scan their devices. The scan duration depends on how many files the end user has.
  • CyberByte antivirus will show if any files are infected after the scan is finished.


• port 80 – pumpme.ga – GET / (gate used by this campaign)
• port 443 – pumpme.ga – HTTPS traffic
• port 80 – – Rig EK
• port 443 – jr753gey6528iyehd.com – attempted TCP connections caused by Ramnit, but no response from the server
• port 443 – mdgoixkousej.com – encrypted traffic caused by Ramnit
• port 443 – jinrdvvggkqsbafam.com – encrypted traffic caused by Ramnit
• port 80 – – GET /prink.exe (AZORult follow-up malware)
• port 80 – doueven.click – POST /gate.php (AZORult callback)
•DNS query for gtlijnbttxtstnisew.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for hndhysdogmddmlbms.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for jblciykrcfxyymxwgdd.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for okqigyiadj.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for rgaonnkejei.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for scihytydbukstbtwok.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for xegrplmhtvfevx.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for xvlaykoevuesourj.com – response: No such name (SOA a.gtld-servers.net)
•DNS query for yxvcjnrx.com – response: No such name (SOA a.gtld-servers.net)

Our CyberByte Antivirus and Internet Security solution can help you to protect your Mac or PC


Mac users can free download mac antivirus CyberByte.
Windows users can free download windows antivirus CyberByte.
The free antivirus version is available with limited features.


Companies can protect them from hacking by using the best hosting and web hosting service available with the best cybersecurity.