3 Posts

October 22nd, 2006 08:00

Oops, I also forgot to mention that I'm running Windows XP Home Edition, if that makes any difference.

3 Apprentice

8.8K Posts

October 22nd, 2006 16:00

Please post a log on the HijackThis Forum where someone can review it and help you.
HJT Forum

Click HERE to download a self-extractable version of HijackThis.
  • Double click on hijackthis.exe to extract hijackthis to folder c:\hijackthis.
  • It will extract it to that folder and open the folder for you.
  • It will also create a shortcut on your desktop to HijackThis.

  • It will scan and the log should open in Notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

thanks,
ZB1

36 Posts

October 26th, 2006 07:00

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as TROJ_ALEMOD.

Trend Micro customers need to download the latest virus pattern file before scanning their system. Other users can use HouseCall, the Trend Micro online virus scanner.

Restarting in Safe Mode

• On Windows 98 and ME

  1. Restart your computer.
  2. Press the CTRL key until the startup menu appears.
  3. Choose the Safe Mode option then press Enter.

• On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

• On Windows 2000

  1. Restart your computer.
  2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows Server 2003

  1. Restart your computer.
  2. When you are prompted to select the operating system to start, press F8.
  3. On the Windows Advanced Option menu, use the arrow keys to select Safe Mode, and then press Enter.

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Intell32.exe = "%System%\intell32.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
  4. Close Registry Editor.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type the file name detected earlier.
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press Delete.
  5. Repeat the above instructions for multiple files.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your system normally before performing the following solution.

Scan your system with Trend Micro antivirus and delete files detected as TROJ_ALEMOD. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.
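
Added example, not part of the original post: a Python check that reads a text export (.reg) of the registry and reports values under the HKEY_LOCAL_MACHINE Run key that match the autostart entry named above, whether by value name or by target path in one of the listed %System% folders. The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_NAME = "intell32.exe"  # value name / file name given in the post
# %System% locations listed in the post's note, lower-cased for comparison
SYSTEM_DIRS = (r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32")
# "name"="data" string values; a backslash escapes the next character
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def run_entries(reg_text):
    """Yield (name, data) for string values under the HKLM Run key only."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run:
            m = VALUE_RE.match(line)
            if m:
                yield unescape(m.group(1)), unescape(m.group(2))

def find_autostart(reg_text):
    """Return Run entries whose name or target matches the post's entry."""
    hits = []
    for name, data in run_entries(reg_text):
        folder, _, filename = data.lower().rpartition("\\")
        if name.lower() == IOC_NAME or (filename == IOC_NAME and folder in SYSTEM_DIRS):
            hits.append((name, data))
    return hits

# Constructed sample export (assumed already decoded to text)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Intell32.exe"="C:\\WINDOWS\\System32\\intell32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\System32\\cleanup.exe"
'''

if __name__ == "__main__":
    for name, data in find_autostart(SAMPLE):
        print(f"Run entry to review: {name} = {data}")
```

An empty result corresponds to the case the post describes where the registry entry is not found.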

3 Apprentice

8.8K Posts

October 26th, 2006 13:00

Thanks Nick