April 2, 2010

How to remove virus W32.Difupat?

W32.Difupat is a computer virus that infects Windows systems. It deletes IEXPLORER.EXE inside "c:\Program Files\Internet Explorer\"
and places a new, infected IEXPLORER.EXE. W32.Difupat places reinstall.exe inside "C:\Windows\system32\".

How to remove W32.Difupat?


1. Perform the standard procedure for virus removal.
** Standard procedure for Virus removal

2. Remove the following entries from the Windows registry.
** Use at your own risk

** How to edit the Windows registry?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"DllName" = "bootloader.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"Logon" = "OnEventShutDown"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"Shutdown" = "OnEventShutDown"

Remove these files if they exist.


c:\Program Files\Internet Explorer\bootloader.dll
c:\Program Files\Internet Explorer\detoured.dll
c:\Program Files\Internet Explorer\funcition.dll
c:\Program Files\Internet Explorer\funcition.ini
c:\Program Files\Internet Explorer\install.exe
c:\Program Files\Internet Explorer\pserver.exe
c:\Program Files\Internet Explorer\pserver.ini
C:\Windows\system32\Internet Explorer\bootloader.dll
C:\Windows\system32\Internet Explorer\detoured.dll
C:\Windows\system32\Internet Explorer\funcition.dll
C:\Windows\system32\Internet Explorer\funcition.ini
C:\Windows\system32\Internet Explorer\iexplore.exe
C:\Windows\system32\Internet Explorer\install.exe
C:\Windows\system32\Internet Explorer\pserver.exe
C:\Windows\system32\Internet Explorer\pserver.ini
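
Before deleting anything, it helps to see which of the listed registry values and files are actually present. The PowerShell script below is an added example, not part of the original post: it only reports and removes nothing, its variable names are illustrative, and it assumes the C: paths exactly as written above.

```powershell
# Added example: report-only check for the W32.Difupat artifacts listed above.
# It deletes nothing. Variable names are illustrative; paths assume the C: layout used on the page.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass'
$expected  = @{ DllName = 'bootloader.dll'; Logon = 'OnEventShutDown'; Shutdown = 'OnEventShutDown' }

$dirs  = 'C:\Program Files\Internet Explorer', 'C:\Windows\system32\Internet Explorer'
$names = 'bootloader.dll', 'detoured.dll', 'funcition.dll', 'funcition.ini',
         'install.exe', 'pserver.exe', 'pserver.ini'
$paths = @(foreach ($d in $dirs) { foreach ($n in $names) { Join-Path $d $n } })
# iexplore.exe is listed only under the system32 copy of the folder.
$paths += 'C:\Windows\system32\Internet Explorer\iexplore.exe'

$findings = @()

# Registry: report each listed value that is present, and whether it matches the page.
if (Test-Path -LiteralPath $notifyKey) {
    $props = Get-ItemProperty -LiteralPath $notifyKey
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -ne $actual) {
            $findings += New-Object PSObject -Property @{
                Type = 'Registry'; Item = "$notifyKey\$name"; Detail = $actual
                MatchesPage = ($actual -eq $expected[$name])
            }
        }
    }
}

# Files: report each listed path that exists, with size and timestamp for triage.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $f = Get-Item -LiteralPath $p -Force
        $findings += New-Object PSObject -Property @{
            Type = 'File'; Item = $p; MatchesPage = $true
            Detail = ('{0} bytes, modified {1:u}' -f $f.Length, $f.LastWriteTimeUtc)
        }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed registry values or files were found.'
} else {
    $findings | Select-Object Type, MatchesPage, Item, Detail | Format-Table -AutoSize -Wrap
}
```

On 64-bit Windows, run it from a native 64-bit PowerShell session, because a 32-bit process has C:\Windows\system32 redirected to SysWOW64 and would check the wrong folder.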

