Oct
24th

Removing the W32/Mabezat worm

Posted by

Recently, my laptop was infected with the W32/Mabezat worm after using an infected flash memory drive. I had shut down my antivirus software (was using NOD32) to liberate some memory and forgot to restart it.

Anywayz, this worm was really bad and started replicating itself everywhere. So here are the steps I took to remove it:

1. Temporarily Disable System Restore (Windows Me/XP)
2. Update the virus definitions.
3. Reboot computer in SafeMode
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/Modify any values added to the registry.
Navigate to and restore the following registry entries to their original values, if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Download this file (UnHookExec.inf) from Symantec. Right-click the file and click Install.
6. Exit registry editor.
7. Find and delete the following files:
- %SystemDrive%\Documents and Settings\tazebama.dl_
- %SystemDrive%\Documents and Settings\hook.dl_
- %UserProfile%\Start Menu\Programs\Startup\zPharoh.exe
- %SystemDrive%\Documents and Settings\tazebama.dll
- [DRIVE]:\zPharaoh.exe
- [DRIVE]:\autorun

8. To make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to delete the virus, using various antivirus programs without needing to install them, is an online virus scanner.
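
A way to confirm steps 5 and 7 after cleanup, as an added example that is not part of the original post: it expands the file list above across every drive, reports any listed file that still exists, and prints the current ShowSuperHidden value. File names are spelled exactly as in the list; the function names are illustrative.

```python
import os
import string
import sys

def candidate_paths(system_drive, user_profile, drive_roots):
    """Expand the step 7 list into concrete paths (names spelled as in the post)."""
    docs = os.path.join(system_drive, "Documents and Settings")
    paths = [
        os.path.join(docs, "tazebama.dl_"),
        os.path.join(docs, "hook.dl_"),
        os.path.join(docs, "tazebama.dll"),
        os.path.join(user_profile, "Start Menu", "Programs", "Startup", "zPharoh.exe"),
    ]
    for root in drive_roots:  # the [DRIVE]: entries are checked on every drive
        paths += [os.path.join(root, "zPharaoh.exe"), os.path.join(root, "autorun")]
    return paths

def find_leftovers(system_drive, user_profile, drive_roots):
    """Return the listed paths that still exist (hidden files are found too)."""
    paths = candidate_paths(system_drive, user_profile, drive_roots)
    return [p for p in paths if os.path.lexists(p)]

def show_super_hidden():
    """Read ShowSuperHidden from the step 5 key; None if unreadable or not Windows."""
    try:
        import winreg
        subkey = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            return winreg.QueryValueEx(key, "ShowSuperHidden")[0]
    except (ImportError, OSError):
        return None

def main():
    # Assumption: run on the cleaned Windows machine; drive letters are probed A-Z.
    system_drive = os.environ.get("SystemDrive", "C:") + "\\"
    profile = os.environ.get("USERPROFILE", os.path.expanduser("~"))
    drives = [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]
    leftovers = find_leftovers(system_drive, profile, drives)
    for path in leftovers:
        print("STILL PRESENT:", path)
    print("ShowSuperHidden =", show_super_hidden(), "(the post restores it to 0)")
    return 1 if leftovers else 0

if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit code means at least one listed file is still on disk, so the scan and delete steps should be repeated before reconnecting removable drives.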

Oct
18th

HOW TO: Check if your antivirus is working!

Posted by Mark

Want to check if your antivirus is working? Think your antivirus has been compromised?

Follow this simple guide to test your antivirus :)

Create a new text file and enter the following in it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now save the file as anything.COM (the .com extension is important, as this is an executable).

Any decent antivirus will detect a threat as soon as you save the file. If yours doesn’t, try executing the file (this file will NOT harm your PC) or manually scanning the file.

If your AV detects something, then it’s working fine; if it doesn’t, I would recommend looking for a new AV.

This file will not harm your PC in any way; it is a string created by the antivirus industry to test the integrity of antivirus products.