Remove W32.Preavi

Posted on: April 15th, 2009


Discovered: April 12, 2009

Updated: April 12, 2009 2:20:10 PM

Type: Worm

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Recommended Action:
In order to remove W32.Preavi you need to download the ‘No Adware’ remover software. Based on our testing this was the best performing remover of JS.Twettir.



Technical Details:

When the worm is executed, it creates the following file:
%System%\pretec.dat

The worm infects the executable files referenced by entries under the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It does not infect files that have the following file names:

* igfxtray.exe
* ccApp.exe
* Skype.exe
* qip.exe
* avgnt.exe

The worm may then create the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectShov

The threat may then search the computer for the following file:
C:\Documents and Settings\All Users\Application Data\Avira\AVWIN.INI

If the above file is present, the worm modifies it so that it can avoid being
detected.

It then contacts the following locations in order to download files:

* [http://]systemadlink.com
* [http://]mswindowsxpupd.com

The worm spreads by copying itself as the following file on removable drives
of the compromised computer:

%DriveLetter%\RECYCLER\[EIGHT RANDOM CHARACTERS].exe

It also creates the following file so that it executes whenever the drive is
accessed: %DriveLetter%\autorun.inf
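
The removable-drive artifacts described above can be checked for on a mounted drive with a short script. This is an added example, not part of the original write-up or of any vendor tool. It assumes the eight random characters are letters or digits and that autorun.inf launches the copy through the standard open, shellexecute or shell\...\command keys; the function name scan_drive is hypothetical.

```python
import re
from pathlib import Path

# Assumption: the "eight random characters" are letters or digits.
DROPPED_EXE = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)
# Standard autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)


def _child(parent, name):
    """Case-insensitive lookup so the check also works on non-Windows hosts."""
    if not parent.is_dir():
        return None
    return next((p for p in parent.iterdir() if p.name.lower() == name.lower()), None)


def scan_drive(root):
    """Return findings for one mounted removable drive root."""
    root = Path(root)
    findings = {"dropped_exes": [], "autorun_targets": [], "autorun_hits_recycler": False}

    # Legitimate recycle-bin content sits in per-user SID subfolders, so an
    # executable placed directly in RECYCLER is what the write-up describes.
    recycler = _child(root, "RECYCLER")
    if recycler is not None and recycler.is_dir():
        findings["dropped_exes"] = sorted(
            p.name for p in recycler.iterdir()
            if p.is_file() and DROPPED_EXE.match(p.name)
        )

    autorun = _child(root, "autorun.inf")
    if autorun is not None and autorun.is_file():
        text = autorun.read_bytes().decode("latin-1")  # tolerate odd bytes
        for line in text.splitlines():
            m = LAUNCH_KEY.match(line)
            if not m:
                continue
            target = m.group(2).strip('"')
            findings["autorun_targets"].append(target)
            # Flag a launch target of the form RECYCLER\<8 chars>.exe
            parts = [s for s in target.replace("/", "\\").split("\\") if s]
            if (len(parts) >= 2 and parts[-2].lower() == "recycler"
                    and DROPPED_EXE.match(parts[-1])):
                findings["autorun_hits_recycler"] = True
    return findings
```

A drive where dropped_exes is non-empty and autorun_hits_recycler is true matches both artifacts listed above and should be quarantined before it is opened on another machine.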

Action Steps:
FREE SCAN: NoAdware can remove W32.Preavi. Click the link below for your free download & scan your PC now.

MANUAL REMOVAL: Please click here for manual removal instructions.