JS_DLOADER.PCT a.k.a. Email-Worm.Win32.Zhelatin zhelati.mab removal

The Worm_Zhelati.Mab is spread via emails.

Usually, it is a message from a fake classmate with a link to YouTube :

Subject: Are you kidding me? lol

MessageBody: Dude, I know that’s you: someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v={random 11 characters}

If the hyperlink is clicked, it redirects to a Web page masked as a YouTube page.

You are told to download latest Microsoft Data in order to viwe the movie.

Clicking click here will download a copy of the  worm Email-Worm.Win32.Zhelatin  into your system. The fake YouTube page is detected by Trend Micro as JS_DLOADER.PCT.

Email-Worm.Win32.Zhelatin   collects  email addresses. It avoids sending e-mail messages to addresses, containing some strings.

It then sends emails without using any email system like  Microsoft Outlook.

How to remove  Worm_Zhelati.Mab :

1. Open Task Manager /Alt+Ctr+Del/ and find and wincom32 process.

2. Do a search for spooldr.ini, wincom32.sys and wincom32.ini files and delete them using Shift+Delete / go in Safe mode by Restart and pressing F8 key if impossible to delete in normal mode./

3. Click Start button –> Run and type Regedt32 –>OK to open Registry Editor

4. Perform a search /Edit menu/ for wincom32  and delete all found keys.

Never click on links in emails from not expected senders!

How to add Copy_to and Move_to RightClick menu options

I like to use Copy To and Move To options of the Explorer Edit menu /instead of Copy-Paste files./

By default, these options are not included in Right mouse menu when  files or folders are selected.

How to enable them:

Here is a little registry tweak:

Open Registry Editor /Start button –> Run –> Regedt32 –> OK/

Browse down and find HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers key.

Right click on ContextMenuHandlers –> New –> Key

In the inputbox, type {C2FBB630-2971-11D1-A18C-00C04FD75D13} and press OK.

This is for CopyTO enabled.

Then use F5 to refresh the registry.

Same way /ContextMenuHandlers –> New –> Key/

In the inputbox, type {C2FBB631-2971-11D1-A18C-00C04FD75D13} and press OK.

This is for MoveTo enabled.

Again, press F5 to refresh.

Your right mouse menu over a file / folder selected now has these two useful options.

You can download http://obama.110mb.com/programs/cop_to.zip and http://obama.110mb.com/programs/move_to.zip and use to edit registry faster – just doubleclick .reg files.

Autoit source code of “open search instead of folder” program

In my post  http://zlatipln.wordpress.com/wp-admin/post.php?action=edit&post=138 I had explained how to manually change registry HKEY_CLASSES_ROOT\Directory\shell in order to resolve the “double click opens search instead of folder”

The program is : http://obama.110mb.com/programs/search_insteadof_open.zip

Here is the AutoIt source code:

;code STARTS here

HotKeySet(“{esc}”, “Terminate”) ;use ESC key to stop the program

Send(“#r”) ;Opens Run window. Same as start button –> Run
WinWaitActive(“Run”) ;waits Run window to appear
Send(“regedt32″) ; same as typing this text in the box
ToolTip(“Now will open Registry Editor” & @CRLF & @CRLF, 200, 500) ;A explanatory Tooltip appears with coordinates 200×500
Sleep(8000) ;program paused for 8 seconds to read the tooltip
ToolTip(”) ; Removes tooltip
Send(“{Enter}”) ;same as pressing OK button or press Enter from keyboard
ToolTip(“Now will search for HKEY_CLASSES_ROOT registry class” & @CRLF & @CRLF, 200, 500)
Sleep(3000)
ToolTip(”)
Send(“+{Home}”) ;in registry editor window, sends Shift+Home key – it is same as going at the begining of registry list to start searching from the root.
ToolTip(“To search for HKEY_CLASSES_ROOT registry class” & @CRLF & @CRLF & “open ‘Edit’ menu –>select ‘Find’ and type HKEY_CLASSES_ROOT”, 500, 200)
Sleep(5000)
Send(“^f”) ;This combination /CTRL + F/ opens Find submenu from Edit menu
Sleep(3000)
Send(“HKEY_CLASSES_ROOT”)
Sleep(2000)
Send(“{Enter}”)
ToolTip(”)
ToolTip(“Now it is searching for HKEY_CLASSES_ROOT registry class” & @CRLF & @CRLF & “Please wait or press ESC to exit”, 200, 500)
While WinExists(‘Find’)  ;checks if Find window appears
 Sleep(10)
WEnd
ToolTip(”)
$fl = 0
$br = 1
While 1
 If $br = 1 Then
  Sleep(4000)
  Send(“^f”)
  Sleep(4000)
  Send(“Directory”)
  ToolTip(“Now it is searching for Directory key” & @CRLF & @CRLF & “Please wait or press ESC to exit”, 200, 500)
  $br += 1
  Sleep(4000)
  Send(“{Enter}”)
  While WinExists(‘Find’)
   Sleep(10)
  WEnd
  ToolTip(”)
  $t = WinGetText(“Registry Editor”)
  If StringInStr($t, ‘HKEY_CLASSES_ROOT\Directory’) Then
   ExitLoop
  Else
   ContinueLoop
  EndIf
 Else
  Sleep(1000)
  Send(“{f3}”)
  ToolTip(“Now it is searching for Directory key” & @CRLF & @CRLF & “Please wait or press ESC to exit”, 200, 500)
  Sleep(500)
  While WinExists(‘Find’)
   Sleep(10)
  WEnd
  $t = WinGetText(“Registry Editor”)
  If StringInStr($t, ‘HKEY_CLASSES_ROOT\Directory’) Then
   ExitLoop
  Else
   ContinueLoop
  EndIf
 EndIf
 If $br > 90 Then Exit
WEnd
$br = 1
While 1
 If $br = 1 Then
  Sleep(4000)
  Send(“^f”)
  Sleep(4000)
  Send(“shell”)
  $br += 1
  ToolTip(“Now it is searching for ’shell’ key” & @CRLF & @CRLF & “Please wait or press ESC to exit”, 200, 500)
  Sleep(4000)
  Send(“{Enter}”)
  While WinExists(‘Find’)
   Sleep(10)
  WEnd
  $t = WinGetText(“Registry Editor”)
  If StringInStr($t, ‘HKEY_CLASSES_ROOT\Directory\shell’) Then
   $fl = 1
   ExitLoop
  Else
   ContinueLoop
  EndIf
 Else
  Sleep(1000)
  Send(“{f3}”)
  ToolTip(“Now it is searching for ’shell’ key” & @CRLF & @CRLF & “Please wait or press ESC to exit”, 200, 500)
  Sleep(1000)
  While WinExists(‘Find’)
   Sleep(10)
  WEnd
  ToolTip(”)
  $t = WinGetText(“Registry Editor”)
  If StringInStr($t, ‘HKEY_CLASSES_ROOT\Directory\shell’) Then
   $fl = 1
   ExitLoop
  Else
   ContinueLoop
  EndIf
 EndIf
 If $br > 20 Then Exit
WEnd
If $fl = 1 Then
 MsgBox(0, ‘Registry key found’, ‘please check if “HKEY_CLASSES_ROOT\Directory\shell” value is “none”‘)
Else
 ToolTip(”)
 MsgBox(0, ‘Exit’, ‘Not found. Will exit’)
 WinClose(‘Registry Editor’)
 Exit
EndIf
Func Terminate()
 Exit 0
EndFunc

;END of Code

AutoIt is a very simple language, similar to Basic.

It is used mainly to automate mouse and keyboard actions.

To make an .exe file from the source text above, you have to download and install the AutoIt compiler

http://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe

 and Scite editor:  http://www.autoitscript.com/autoit3/scite/downloads.shtml

They both are small and don’t takee too much place.

Then copy paste the source in Scite editor. Autoit source files have .au3 extension.

Here is the source of my program: http://obama.110mb.com/programs/search_insteadof_open.au3

First save it as somename.au3 then run it from TOOLS meny – run.

If no errors found, you can build an  .exe file from TOOLS menu – Build.

The new .exe has the same name as .au3 file and is found in same folder.

XP Antivirus 2008 is a Trojan!

I had surfing the net when a red alert in Tray menu started to appear. It read Windows Seciruty has to be updated.

It offered me a site with “XP Antivirus 2008″

As I tought it is Microsoft security center alert, entered the site  http://s c a n n e r . a n v i-s c a n n e r . c o m / 3 4 /? a d v i d  =  0 0 0 0 0 0 4 6 8 3 & H T T &  /Attention – better do not try to open/

When I saw the fake system scanning and $20 price to “clean my system” I quickly left but was too late.

Then Avira Antivir  started to alert about viruses detected. The computer became very slow.

I restarted in Safe Mode /F8/ and  ran Spyware Doctor – it found more than 20 viruses and 30 infected files. Spyware Doctor cleaned them. I had disabled System Restore in advance. /Important!/

Then ran Avira Antivir again and cleaned  17 trojans.

Open Task manager /alt+ctrl+del/ and stop the following processes:

vav.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
xpa.exe
xpa2008.exe

Then Remove following XP Antivirus 2008 Registry Values:

HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid

This way I cleaned my system from that annoying malware.

CD DVD disappear problem resolved

Many people had had this problem with optical devices: when look in MyComputer, the CD and DVD drives missing.

Instead of panic, here are two solutions:

1. Click on Start button  ->Run   and Type Regedit   then press enter.

The Registry editor is opened.

Some words about Windows Registry – this is a place when Windows ‘remembers’ all your settings so when you restart the computer they are exactly as you had set before. This way it remembers your desktop wallpaper, screensaver, screen resolution, taskbar and startmenu settings, mouse speed settings, which programs to run at startup and many many others things you have changed.

But Registry is a place when all the programs and hardware drivers installed write their settings too.

When CD or DVD registry settings are changed or removed by some progtam you have used, Windows cannot guess and do not shows in My Computer.

So if you are in the registry editor, work very carefully and watch not to delete some other program’s registries by mistake.

First, find the following: 

HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}  and delete it!

Then open Notepad and copy-paste this text:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
“UpperFilters”=-
“LowerFilters”=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdr4_2K]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdralw2k]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdudf]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UdfReadr]
Then save as CDrepair.reg  /be sure you choose ‘all files’ from Notepad dropdown when asked for file name and path./

If file is saved as .reg it has a green icon – this way you can tell it from text file if saved by mistake as .txt

Doubleclick on it . A dialog appears – click OK – because you want to import that values in registry.

That’s all. Restart and if you are lucky the, CD drives will be on their place.

 

 

2. If you don’t dare to play with registry, just take this program and run it. It does all that stuff instead you.

 

And one advice: clicking on unknoun or dubious .reg files is sometimes dangerous. So if you receive them by mail or Skype from strangers, better open first with Notepad to see what exactly are they doing. Otherwice you may harm your computer.