Win32/Nuqel.E
Win32/Nuqel.E is a worm that may disable certain Windows utility programs such as Folder Options, Task Manager, Registry Editor and Control Panel to prevent users from manually removing the threat. Win32/Nuqel.E propagates over unsecured network shares and sends spam messages to contacts via the chat program Yahoo! Messenger.
Recently, this detection was intentionally displayed on computers by the rogue program Spyware Protect 2009. Such a detection does not guarantee that Win32/Nuqel.E is present on the computer; rather, it was a trick used by the rogue security program to mislead computer users into purchasing the registered version.
Critical Information:
Alias: WORM_IMAUT.E, W32.Imaut.N, Worm:Win32/Sohanad.F, Troj/Tiotua-D, W32/YahLover.worm
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Win32/Nuqel.E Removal Procedures
Manual Removal:
1. Stop Win32/Nuqel.E process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following process:
SVICHOSSST.exe
2. Update your installed anti-virus program.
3. Run a full system scan and clean/delete all detected infected file(s). A manual removal of virus-related files should also be performed.
4. Edit the Windows registry and delete the Win32/Nuqel.E entries listed under "Win32/Nuqel.E Registry Entries" below.
5. Exit registry editor.
6. Remove Win32/Nuqel.E start-up entry by going to Start > Run, type msconfig on the “Open” dialog box. System Configuration Utility will open. Go to Startup tab and uncheck the following Startup item(s):
SVICHOSSST.exe
7. Click Apply and restart Windows.
Win32/Nuqel.E Removal Tool:
In order to completely remove the threat, click here to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected machine.
Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found here or on the websites of legitimate anti-virus and security providers.
Technical Details and Additional Information:
Win32/Nuqel.E attempts to connect to a remote host server, from which it downloads settings to %System%\setting.ini. These settings point the computer to another host, update the worm, and supply new URL and text content to be sent to Yahoo Messenger users.
Malicious Files Added by Win32/Nuqel.E:
%System%\SVICHOSSST.exe
%System%\autorun.ini
Win32/Nuqel.E Registry Entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “Explorer.exe SVICHOSSST.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = “%System%\SVICHOSSST.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\share = “< location >\New Folder.exe”
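The files and registry entries listed above can be checked with a read-only script before cleanup. This is an added example, not part of the original article or of any vendor tool; it assumes %System% resolves to %SystemRoot%\System32, and the function names Get-RegValue, New-Finding and Test-NuqelIndicators are hypothetical.

```powershell
# Added example: read-only triage for the Win32/Nuqel.E indicators listed on this page.
# HKCU checks apply only to the account running the script; repeat per user profile.
$WormExe = 'SVICHOSSST.exe'
$Sys32   = Join-Path $env:SystemRoot 'System32'   # assumption: %System% resolves here

function Get-RegValue([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }             # $null when key or value is absent
}

function New-Finding([string]$Type, [string]$Location, [string]$Detail) {
    New-Object PSObject -Property @{ Type = $Type; Location = $Location; Detail = $Detail }
}

function Test-NuqelIndicators {
    # Files the page lists under "Malicious Files Added"
    foreach ($name in @($WormExe, 'autorun.ini')) {
        $file = Join-Path $Sys32 $name
        if (Test-Path -LiteralPath $file) { New-Finding 'File' $file 'present' }
    }

    # Winlogon Shell: the Windows default is "explorer.exe"; the worm appends its binary
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $winlogon 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        New-Finding 'Registry' "$winlogon\Shell" $shell
    }

    # Run key: the misspelled "Yahoo Messengger" value, or any value launching the worm
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runKey = Get-Item -LiteralPath $run -ErrorAction SilentlyContinue
    if ($runKey) {
        foreach ($valueName in $runKey.GetValueNames()) {
            $data = [string]$runKey.GetValue($valueName)
            if ($valueName -eq 'Yahoo Messengger' -or $data -like "*$WormExe*") {
                New-Finding 'Registry' "$run\$valueName" $data
            }
        }
    }
    # Network-share copy recorded by the worm ("<location>\New Folder.exe")
    $shares = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
    $share = Get-RegValue $shares 'share'
    if ($share -like '*\New Folder.exe') { New-Finding 'Registry' "$shares\share" $share }
}

$hits = @(Test-NuqelIndicators)
if ($hits.Count -eq 0) { 'No Win32/Nuqel.E indicators from this page were found.' }
else { $hits | Format-Table Type, Location, Detail -AutoSize -Wrap }
```

A Winlogon Shell finding only means the value differs from the default; confirm it references SVICHOSSST.exe before changing it, since some managed environments set a custom shell.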
Brian
Aug 16, 2010 @ 19:16:07
In my brother’s computer the worm had progressed to the point where task manager wouldn’t work. He had to format and reinstall to remove.
sherry
Jan 15, 2011 @ 23:28:02
Thank you for posting this solution to the Win32/Nuqel.E virus.
I also could not start the task manager but I was able to redirect my internet to the web by changing my LAN connection settings.
After successfully connecting to the internet, I was able to download an antivirus program and fix my daughter’s computer.
Thank you again.
av
Jan 21, 2011 @ 06:40:43
Sherry, could you please tell me which free software you downloaded? I am currently having the same problem and am unable to open task manager.
Thank you!