Information on Navidad.exe (Emanuel.exe)
Taken from:
http://vil.nai.com/vil/dispVirus.asp?virus_k=98881
http://vil.nai.com/vil/virusRemovalInstructions.asp?virus_k=98881
Removal Instructions
One trick that AVERT has discovered is to rename the registry editing program
from its original .EXE extension to a .COM extension (as in REGEDIT.COM).
This bypasses the limitations created by removing the worm prior to editing
the registry, and allows you to remove references to trojans and Internet worms.
--- Manual Removal Instructions ---
A1) Identify and note the files associated with this worm as detected by the scanner.
A2) Download this UNDO.REG file, and open it.
A3) Click START|RUN, type REGEDIT and hit ENTER.
A4) Remove any keys that run the main worm under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
A5) Exit the Registry
A6) Restart the system
A7) Delete the file(s) associated with this worm

--- Alternative Manual Instructions ---
B1) Identify and note the files associated with this worm as detected by the scanner.
B2) Click START|RUN, type COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
B4) Remove references to the trojan from these keys of the registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
They should contain only the value not including brackets
B5) Remove any keys that run the main worm under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
B6) Exit the Registry
B7) Restart the system
B8) Delete the worm program(s). If all is well, the files should be deleted OK. If you get an error message saying that Windows is unable to delete the file because it is in use, then you have made an error in the above procedure and should repeat the process.
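
A check for step B4, as an added example that is not part of the original removal instructions: it scans the text of a REGEDIT4-format registry export and reports either exefile key whose default value has been changed. The expected value `"%1" %*` is the stock Windows default and is an assumption here, since the page text does not show it; the function names and the sample export (including EXAMPLE.EXE) are constructed for illustration.

```python
import re

# Stock Windows default for the exefile open command.
# Assumption: this value is not shown in the page text.
EXPECTED = '"%1" %*'

# The two keys named in step B4, compared case-insensitively.
WATCHED = {
    r"hkey_classes_root\exefile\shell\open\command",
    r"hkey_local_machine\software\classes\exefile\shell\open\command",
}

def unescape(value):
    """Undo .reg string escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", value)

def audit_reg_export(text):
    """Return [(key, default_value)] for watched keys whose default differs from EXPECTED."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\")      # current key header
            continue
        m = re.fullmatch(r'@="(.*)"', line)    # "@" is the key's default value
        if m and key and key.lower() in WATCHED:
            value = unescape(m.group(1))
            if value != EXPECTED:
                findings.append((key, value))
    return findings

# Constructed sample export: the first key has an extra program inserted
# in front of the default handler, the second key is untouched.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\EXAMPLE.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value in audit_reg_export(SAMPLE):
        print(f"MODIFIED {key}: {value}")
```

Pass it the text of a REGEDIT4 export of the two keys; newer registry exports are UTF-16 encoded and need decoding to text first.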