email-worm.win32.agent.gfm is a mass-mailing worm that propagates from one system to another by creating a new email message, attaching itself, and then sending the message without the user's consent.

email-worm.win32.agent.gfm removal:

1. Temporarily disable System Restore, then reboot the computer in Safe Mode.

2. Find and delete the following files in the folders shown:

%Temp%\pmnonnKC.bat

%System%\juschd.exe

%System%\mf.exe

%System%\pmnllllK.dll

3. Delete or modify the following registry keys and values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CabinetFileStateAVG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnllllK
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861
  • HKEY_CURRENT_USER\Software\Microsoft\cs41275
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32]
    • (Default) = “%System%\pmnllllK.dll”
    • ThreadingModel = “Both”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings]
    • Time = 20 4D 6A E4 13 7E C9 01 00 00 00 00
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    • {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} = “”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • AVG Email Security = “%System%\juschd.exe”

    so that juschd.exe runs every time Windows starts

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnllllK]
    • Asynchronous = 0x00000001
    • DllName = “pmnllllK.dll”
    • Impersonate = 0x00000000
    • Logon = “o”
    • Logoff = “f”

    so that pmnllllK.dll is installed as a Winlogon notification package

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861]
    • (Default) = “C647265BDDCB456E8CFD49FECDC55D56&”
  • [HKEY_CURRENT_USER\Software\Microsoft\Installer]
    • (Default) = B0 9C EA F2 13 7E C9 01

4. Run a complete scan of your computer using antivirus software (AVG, Malwarebytes, CCleaner, etc.).
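
To confirm which of the files and registry entries from steps 2 and 3 are present before cleanup, or gone after it, a read-only check can be scripted. The PowerShell below is an added example, not part of the original guide; the function name Find-ListedArtifact is hypothetical, and it assumes %System% is the Windows system directory and %Temp% is the current user's temp folder.

```powershell
# Added example: read-only presence check for the artifacts in steps 2 and 3.
# Assumption: %System% = Windows system directory, %Temp% = current user's temp folder.
function Find-ListedArtifact {
    $sys   = [Environment]::SystemDirectory
    $clsid = '{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}'
    $ms    = 'HKLM:\SOFTWARE\Microsoft'

    $files = @(Join-Path $env:TEMP 'pmnonnKC.bat') +
             ('juschd.exe', 'mf.exe', 'pmnllllK.dll' | ForEach-Object { Join-Path $sys $_ })

    # Keys listed on the page.
    $keys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
        "$ms\Windows\CurrentVersion\Control Panel\Settings",
        "$ms\Windows\CurrentVersion\Explorer\CabinetFileStateAVG",
        "$ms\Windows NT\CurrentVersion\Winlogon\Notify\pmnllllK",
        "$ms\00cd0861",
        'HKCU:\Software\Microsoft\cs41275'
    )

    # Values the page lists inside standard Windows keys: check the value, not the key.
    $values = @(
        @{ Key = "$ms\Windows\CurrentVersion\Run"; Name = 'AVG Email Security' },
        @{ Key = "$ms\Windows\CurrentVersion\Explorer\ShellExecuteHooks"; Name = $clsid }
    )

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Type = 'File'; Item = $f } }
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { [pscustomobject]@{ Type = 'Key'; Item = $k } }
    }
    foreach ($v in $values) {
        # GetValueNames() also catches values whose data is an empty string.
        $key = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $v.Name)) {
            [pscustomobject]@{ Type = 'Value'; Item = "$($v.Key)\$($v.Name)" }
        }
    }
}

$hits = @(Find-ListedArtifact)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'None of the listed artifacts were found.' }
```

Run it from an elevated PowerShell prompt under the affected user account so the HKEY_CURRENT_USER check reads that user's hive. On 64-bit Windows, artifacts written by a 32-bit process can sit under SysWOW64 and WOW6432Node, which this check does not cover.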
