Black Worm or My Wife Removal Steps


W32.Blackmal.E@mm is a mass-mailing worm that also attempts to spread through network shares and lowers security settings on the infected machine. On the third day of every month it attempts to overwrite files with certain extensions with custom text.

Also Known As: CME-24, Win32.Blackmal.F [Computer Associates], Email-Worm.Win32.Nyxem.e [F-Secure], Email-Worm.Win32.Nyxem.e [Kaspersky], W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], Win32/Mywife.E@mm [Microsoft], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro]

Displays the following icon in the Windows Task Bar when it detects the presence of antivirus software:

[icon image not reproduced]

Note: The text "Update Please wait" is displayed when a user hovers over the icon.

How to Tell If Your Computer Is Infected

Win32/Mywife.E@mm creates copies of itself with the following icon, which resembles the icon for WinZip files:

[icon image not reproduced]
Removal Instructions:

1. Disable System Restore (Windows Me/XP).

2. Boot into Safe Mode and Run MSCONFIG. Disable All STARTUP items. Then Reboot in Normal Mode.

3. Using Task Manager, look for any of the following process names and end them if present:
    Update.exe
    Winzip.exe
    scanregw.exe
    WINZIP_TMP.exe
    "Winzip Quick Pick.exe"

4. Download the removal tools:
    a) Symantec Black Worm Removal Tool
    b) Panda Tearec.A Removal Tool

5. Run a full system scan with the above-mentioned tools.

6. Click Start > Run, type regedit, and click OK.

    Navigate to the subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    In the right pane, delete the value:
    "ScanRegistry" = "scanregw.exe /scan"

    Navigate to the subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    In the right pane, reset the values to the original values, if applicable:
    "WebView" = "0"
    "ShowSuperHidden" = "0"

    Navigate to the subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
    In the right pane, reset the value to the original value, if applicable:
    "FullPath" = "0"

    Exit the Registry Editor.

7. Delete the following files if present on your system:
    C:\WINZIP_TMP.exe
    %windir%\WINZIP_TMP.exe
    %windir%\system32\Winzip.exe
    %windir%\system32\Update.exe
    %windir%\system32\scanregw.exe
    "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"

Note that the files under %windir%\system32 are marked read-only and hidden. To delete them from the command prompt, use (for example):

del /f /a:h %windir%\system32\Winzip.exe
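After working through steps 3, 6 and 7, it is worth confirming that none of the listed indicators survived a reboot. The following PowerShell script is an added example, not part of the original removal guide or any vendor tool; it only reports and never deletes or modifies anything. It checks the process names from step 3, the registry values from step 6 and the file paths from step 7 exactly as listed above, treating "0" as the clean value for the Explorer settings and the absence of the "ScanRegistry" Run value as clean. Run it from an elevated prompt so that the HKLM key and %windir%\system32 are readable.

```powershell
# Post-removal check for W32.Blackmal.E@mm (Mywife/Nyxem) indicators.
# Added example, not from the original page. Read-only: reports findings, changes nothing.

# Process names from step 3 (Get-Process -Name takes the name without .exe).
# Note: legitimate WinZip runs as winzip32.exe/winzip64.exe, so an exact "Winzip"
# process name is the worm's copy, not the real archiver.
$processNames = @('Update', 'Winzip', 'scanregw', 'WINZIP_TMP', 'Winzip Quick Pick')

# File paths from step 7.
$filePaths = @(
    'C:\WINZIP_TMP.exe',
    (Join-Path $env:windir 'WINZIP_TMP.exe'),
    (Join-Path $env:windir 'system32\Winzip.exe'),
    (Join-Path $env:windir 'system32\Update.exe'),
    (Join-Path $env:windir 'system32\scanregw.exe'),
    'C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe'
)

# Registry values from step 6. Expected = $null means the value should not exist at all;
# otherwise Expected is the clean value the guide says to reset to.
$registryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'ScanRegistry';    Expected = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'WebView';         Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';     Name = 'ShowSuperHidden'; Expected = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState'; Name = 'FullPath';        Expected = 0 }
)

$findings = @()

# 1. Running processes (step 3). Get-Process errors when nothing matches, so suppress that.
foreach ($name in $processNames) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += "Process still running: $($p.ProcessName) (PID $($p.Id))"
    }
}

# 2. Files on disk (step 7). -Force is needed because the worm marks its copies hidden.
foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += "File present: $path (attributes: $($item.Attributes))"
    }
}

# 3. Registry values (step 6).
foreach ($check in $registryChecks) {
    if (-not (Test-Path -Path $check.Path)) { continue }
    $props = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $value = $props.PSObject.Properties[$check.Name]
    if ($null -eq $value) { continue }           # value absent: nothing to report
    if ($null -eq $check.Expected) {
        $findings += "Registry value still present: $($check.Path)\$($check.Name) = '$($value.Value)'"
    } elseif ([int]$value.Value -ne $check.Expected) {
        $findings += "Registry value not reset: $($check.Path)\$($check.Name) = $($value.Value) (expected $($check.Expected))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Blackmal/Mywife indicators from the removal steps were found.'
} else {
    Write-Output 'Indicators still present:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A non-empty report means the corresponding step has to be repeated (for a surviving file, the del /f /a:h command above from Safe Mode); an empty report only confirms that the specific indicators in this guide are gone, so the full scan in step 5 should still be run afterwards.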