August 7, 2008

How to remove Trojan.Spamuzle?

Trojan.Spamuzle modifies system files so that it can download further malicious programs from remote sites. The Trojan harvests email addresses from the infected computer and uses it to send spam. It attempts to patch both "C:\Windows\System32\user32.dll" and the backup copy in "C:\Windows\System32\dllcache\user32.dll"; patching the dllcache copy as well stops Windows File Protection from silently restoring the clean file. It also steals information from the machine and sends it to a remote site.
How to remove Trojan.Spamuzle?

1. Perform standard procedure for Virus removal.

** Standard procedure for Virus removal

2. Remove the following entries from the Windows registry. Entry 1 is the AppInit load point under Windows NT\CurrentVersion\Windows: any DLL named there is loaded into every process that uses user32.dll. If the value on the machine turns out to be the standard AppInit_DLLs value itself, remove only the nvrsul32 data rather than the value name. The "[RANDOM LETTERS]" parts differ per infection, so match on the key and value names rather than on the data.

** How to edit the Windows registry?


  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"[TWO RANDOM LETTERS]pInit_Dlls" = "nvrsul32"
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"st" = "1"
  3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"mid" = "[RANDOM LETTERS]"
  4. HKEY_LOCAL_MACHINE\SOFTWARE\3\"31C2E1E4D78E6A11B88DFA803456A1FFA5" = "0"
  5. HKEY_LOCAL_MACHINE\SOFTWARE\3\"31AC70412E939D72A9234CDEBB1AF5867B" = "[RANDOM LETTERS]"
  6. HKEY_LOCAL_MACHINE\SOFTWARE\3\"31897356954C2CD3D41B221E3F24F99BBA" = "019b9906"
  7. HKEY_LOCAL_MACHINE\SOFTWARE\2\"31C2E1E4D78E6A11B88DFA803456A1FFA5" = "0"
  8. HKEY_LOCAL_MACHINE\SOFTWARE\2\"31AC70412E939D72A9234CDEBB1AF5867B" = "[RANDOM LETTERS]"
  9. HKEY_LOCAL_MACHINE\SOFTWARE\2\"31897356954C2CD3D41B221E3F24F99BBA" = "0383e30b"
  10. HKEY_LOCAL_MACHINE\SOFTWARE\1\"31C2E1E4D78E6A11B88DFA803456A1FFA5" = "0"
  11. HKEY_LOCAL_MACHINE\SOFTWARE\1\"31AC70412E939D72A9234CDEBB1AF5867B" = "[RANDOM LETTERS]"
  12. HKEY_LOCAL_MACHINE\SOFTWARE\1\"31897356954C2CD3D41B221E3F24F99BBA" = "021365da"


Restore these registry values to their defaults. The default Userinit data ends with a trailing comma; anything listed after that comma is an extra program started at logon and should not be there. A broken Userinit value prevents logging in at all, so check these before rebooting.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%Windir%\explorer.exe"



Follow the steps shown below only if the threat remains after a full system scan with an updated antivirus, run in Safe Mode with System Restore turned off.

Manually delete the following files if they are present. nvrsul32.dll is loaded into every process through the AppInit entry, so clear that registry value and reboot first; otherwise the file will be in use and cannot be deleted. atmapi.sys is a kernel driver, so look for a service entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services whose ImagePath points at it and disable that before removing the file. After cleanup, run sfc /scannow to check user32.dll; because the dllcache copy was patched too, expect to be asked for the Windows installation media.

C:\Windows\System32\drivers\atmapi.sys
C:\Windows\System32\fre.xc
C:\Windows\System32\mdfg.odl
C:\Windows\System32\sfmrr.r
C:\Windows\System32\nvrsul32.dll
C:\Windows\System32\pla.ax
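The checks from the steps above, gathered into one audit script. This is an added example written for this post, not a tool from the original page or from any antivirus vendor. It assumes an elevated PowerShell prompt on the affected host; the indicator names are copied from the lists above, the "[RANDOM LETTERS]" items cannot be matched literally (so every value under HKLM\SOFTWARE\1, \2 and \3 and any "mid" value is reported), and the Userinit/Shell data it restores with -Repair are the standard Windows defaults. The script only reports; it deletes nothing.

```powershell
<#
  Added example (not from the original post or any vendor tool): audit a host
  for the Trojan.Spamuzle indicators listed above and, with -Repair, put the
  Winlogon Userinit/Shell values back to their defaults. Run elevated.
  Assumption: indicator names as given in the post; random-letter items are
  reported rather than matched.
#>
param([switch]$Repair)

$sys      = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. AppInit load point. The post shows the value name as
#    "[TWO RANDOM LETTERS]pInit_Dlls", so match on the suffix and flag any
#    data that references nvrsul32.
$winKey = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($name in $winKey.GetValueNames()) {
    if ($name -like '*pInit_Dlls') {
        $data = [string]$winKey.GetValue($name)
        if ($data -match 'nvrsul32') {
            $findings.Add("AppInit load point: $($winKey.Name)\$name = '$data'")
        }
    }
}

# 2. 'st' and 'mid' values dropped under Windows\CurrentVersion.
$cv = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($name in 'st', 'mid') {
    if ($cv.GetValueNames() -contains $name) {
        $findings.Add("CurrentVersion value: $name = '$($cv.GetValue($name))'")
    }
}

# 3. HKLM\SOFTWARE\1, \2 and \3 do not exist on a clean system; list whatever
#    is under them.
foreach ($n in 1, 2, 3) {
    $path = "HKLM:\SOFTWARE\$n"
    if (Test-Path $path) {
        $k = Get-Item $path
        if ($k.ValueCount -eq 0) { $findings.Add("Key $path exists (no values)") }
        foreach ($name in $k.GetValueNames()) {
            $findings.Add("Key $path : $name = '$($k.GetValue($name))'")
        }
    }
}

# 4. Winlogon Userinit and Shell. Default Userinit is "<System32>\userinit.exe,"
#    (trailing comma) and Shell is explorer.exe; an extra entry after the comma
#    or a different binary means the logon sequence has been hijacked.
$wlPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl       = Get-Item $wlPath
$userinit = [string]$wl.GetValue('Userinit')
$shell    = [string]$wl.GetValue('Shell')
$uiParts  = @($userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($uiParts.Count -ne 1 -or (Split-Path $uiParts[0] -Leaf) -ine 'userinit.exe') {
    $findings.Add("Winlogon Userinit = '$userinit'")
}
if ((Split-Path $shell -Leaf) -ine 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$shell'")
}

# 5. Dropped files named in the post.
$files = @('drivers\atmapi.sys', 'fre.xc', 'mdfg.odl', 'sfmrr.r', 'nvrsul32.dll', 'pla.ax') |
    ForEach-Object { Join-Path $sys $_ }
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# 6. atmapi.sys is a driver; report any Services entry whose ImagePath loads it
#    so it can be disabled before the file is deleted.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = [string]$_.GetValue('ImagePath')
        if ($img -match 'atmapi\.sys') {
            $findings.Add("Driver service: $($_.PSChildName) ImagePath = '$img'")
        }
    }

# Report.
if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Spamuzle indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}

# Optional repair of the two Winlogon values: the only change this script makes.
if ($Repair) {
    Set-ItemProperty -Path $wlPath -Name 'Userinit' -Value ((Join-Path $sys 'userinit.exe') + ',')
    Set-ItemProperty -Path $wlPath -Name 'Shell'    -Value 'explorer.exe'
    Write-Output 'Winlogon Userinit/Shell restored to defaults.'
}
```

Run it once before cleanup to record what is present, again after the antivirus scan to see what survived, and use -Repair only after confirming the Userinit or Shell value was actually altered. Registry deletions and file removals are still done by hand, as described in the steps above, so that each hit is reviewed first.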
