
Friday, September 28, 2007

W32.Imaut.BA

W32.Imaut.BA propagates through messaging applications such as Yahoo! Instant Messenger, AOL Instant Messenger, Windows Live Messenger and Windows Messenger.

W32.Imaut.BA will:

* Set the Internet Explorer start page to http://eyejuice.net
* Create and run svchost32.exe when the user tries to launch Yahoo! Instant Messenger
* Buzz Yahoo! Messenger contacts and tell them to visit http://eyejuice.net
* Disable Windows Task Manager
* Disable Registry Editor tools



How to remove

1. Restart the computer using the Windows Recovery Console

After starting the Recovery Console, proceed with these commands:

a) Type cd windows
b) Type del system\svchost32.exe
c) Press Enter
d) Type del system\cmd.exe
e) Press Enter
f) Type del system\svchost.exe
g) Type exit
h) Press Enter. The computer will now restart automatically.


2. After the computer restarts, temporarily disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Reboot the computer in Safe Mode.
5. Run a full system scan and disinfect all infected files.
6. Delete/Modify any values added to the registry.


Navigate to and delete the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Task Manager" = "%Windir%\system\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messenger" = "%Windir%\system\svchost32.exe"

Navigate to and restore the following registry entries to their original values, if required:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://eyejuice.net/"

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz\"content url" = "http://eyejuice.net/"

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast\"content url" = "http://eyejuice.net/"

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun" = "1"
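As an added example (not part of the original post), a PowerShell script that audits the registry locations listed above and reports which of the worm's values are still present after cleanup. It assumes the key and value names exactly as written in this post; the -Remediate switch and the script itself are this example's own, not a vendor tool.

```powershell
# Added example: audit the registry values W32.Imaut.BA is described as
# adding or changing, and report which remain. Read-only unless -Remediate
# is given; run from an elevated PowerShell prompt.
param([switch]$Remediate)

# Values the write-up says the worm adds (absent on a clean system).
$addedValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Task Manager' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messenger' }
)

# Values the write-up says the worm modifies, with the value it sets.
$modifiedValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                      Name = 'Start Page';           Bad = 'http://eyejuice.net/' },
    @{ Key = 'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz';                          Name = 'content url';          Bad = 'http://eyejuice.net/' },
    @{ Key = 'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast';                    Name = 'content url';          Bad = 'http://eyejuice.net/' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel';    Name = 'Homepage';             Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableTaskMgr';       Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableRegistryTools'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoRun';                Bad = '1' }
)

# Return a named value, or $null if the key or value does not exist.
function Get-RegValue($Key, $Name) {
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = 0
foreach ($v in $addedValues) {
    $current = Get-RegValue $v.Key $v.Name
    if ($null -ne $current) {
        $findings++
        Write-Output "ADDED    $($v.Key)\$($v.Name) = $current"
        if ($Remediate) { Remove-ItemProperty -Path $v.Key -Name $v.Name }
    }
}
foreach ($v in $modifiedValues) {
    $current = Get-RegValue $v.Key $v.Name
    # Compare as strings so a REG_DWORD of 1 matches the documented "1".
    if ($null -ne $current -and "$current" -eq $v.Bad) {
        $findings++
        Write-Output "MODIFIED $($v.Key)\$($v.Name) = $current"
        # The policy values do not exist on a clean system, so deleting them
        # re-enables Task Manager, Registry Editor and Run. The start page and
        # Yahoo! content URLs are reported only; reset those by hand.
        if ($Remediate -and $v.Bad -eq '1') { Remove-ItemProperty -Path $v.Key -Name $v.Name }
    }
}
Write-Output "$findings indicator(s) found"
```

Run it once without -Remediate to confirm what it would touch; a result of 0 indicators after the scan in step 5 is the expected end state.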
