Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

Imaut removal

By: a guest on Oct 10th, 2012  |  syntax: None  |  size: 4.79 KB  |  views: 43  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. > Imaut Worm Removal
  2. > Contains: Documentation of what it is
  3.                   Manual removal steps
  4.                   Helpful links
  5.  
  6. +=======[ Document #1 ]========+
  7.  
  8. >> http://www.srnmicro.com/procinfo/regsvr.htm
  9.   Path: C:\WINDOWS\Regsvr.exe   Quicklink: %WINDOWS%\Regsvr.exe
  10.   Type: Worm
  11.   Name: Worm.Win32.AutoIt
  12.   Alias: Trojan.Win32.Autoit.ci, W32/Sohana-AZ, W32/YahLover.worm, W32.Imaut, TR/Autoit.CI.14 W32/Autorun-CG, WORM_DELF.FKZ
  13.   Threat: Medium
  14.   Detials: Regsvr.exe is dropped by AutoIt worm. It spreads by copying itself to removable storage devices like pen drives. It also drops several copies of itself in the
  15.               infected system and network drives. Additionally it attempts to place autorun.inf in the root directory. So that infected file will be executed next time when the
  16.               drive is accessed. When the worm file is executed, copies itself to Windows folder with a random file name in the background. Most of the AutoIt variants drops
  17.               regsvr.exe as main file. Then it modifies registry to load automatically on the next startup. AutoIt worm creates following file in the removable drive like pen drive
  18.               <Pen Drive Root>\autorun.inf.
  19.               Several variants of AutoIt worm reported in the wild. It is also known as Trojan.Win32.Autoit.ci, W32/Sohana-AZ, W32/YahLover.worm, W32.Imaut,
  20.               TR/Autoit.CI.14 W32/Autorun-GG, WORM_DELF.FKZ.
  21.  
  22. +=======[ Document #2 ]========+
  23.  
  24. >> http://www.scanforfree.com/19/w32-imaut-remover.html
  25.   Details: W32.Imaut is a worm virus that spreads via Yahoo! and Windows Messenger and downloads mailicious programs and generates corrupt files in Windows
  26.               system directories. W32.Imaut can also spread via file-sharing games, music and movie downloads or via undesirable bulk e-mails. Once inside the system,
  27.               worm Imaut will activate corrupt regsvr.exe, regsvr.exe, winhelp.exe files and download additional malware infections onto the system.
  28.               ** W32.Imaut is a severe worm that may hijack the system and download other threats that can steal confidential data and harm vital system files! **
  29.   Common warning signs: Changed Windows desktop tray icons, shortcuts and background picture
  30.                                       Especially hard to erase Imaut manually, patch up and reinstall its files after manual deletion
  31.                                       Sluggish browser startup and Internet performance, sluggish Windows system
  32.                                       Eradicated registry, dll's and system files causing "Blue Screen" error
  33.                                       Porn advertisements pop ups appear with and without pop up blocker software
  34.                                       Browser home page, error page and search page replaced with strange website
  35.                                       Unusual Imaut running processes in the Windows task manager, can't turn off bleeping noise from tower speaker
  36.   Common hijack activities: Imaut sends login names, passwords and other secret data to hackers by avoiding anti-virus, firewalls and other security programs
  37.                                         Logs system settings, registry activity and captures browsing habits to install equivalent pop ups
  38.                                         Imaut sneaks into the Pc via browser security leaks and infect the system with mischievous adware and spyware programs
  39.  
  40. +=========[ Removal ]=========+
  41.  
  42. How to remove W32.Imaut worm manually: http://www.ethicalhackers.in/operating-systems/how-to-remove-regsvr-exe-manually.html
  43. 1) First search for autorun.inf file.It would be in Read Mode normally you need to change it by right clicking the file , selecting the properties and un-check the read only
  44.     option.
  45. 2) Now Open the file in notepad and delete everything and save it.
  46. 3) Change the file status to read only mode so that the virus could not get access again.
  47. 4) Click on Start->run and type msconfig
  48. 5) Search for regsvr and uncheck any options, click OK.
  49. 6) Now goto Control Panel -> Scheduled Tasks, and delete the At 1 task which would be listed here.
  50. 7) Now type regedit in the Run dialog to open the registry editor.
  51. 8) Select on Edit -> Find and search for regsvr.exe
  52. 9) Delete all the occurrences of regsvr.exe
  53. 10) Now browse to entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the entry Shell = Explorer.exe regsvr.exe
  54.       to delete the regsvr.exe from here also.
  55. 11) Now finally goto System 32 Folder and search for regsvr.exe. But before that uncheck Hide Protected System Files and Folders for viewing it.
  56.  
  57. +=========[ Help Links ]========+
  58.  
  59. Other methods: http://www.techtipsgeek.com/re-enable-registry-editor-disabled-virus/4392/
  60. Finding other viruses: Open drive with winrar, remove the unwanted bs from the drive.