Computers Problems and Solutions

Windows, Internet, Programming

Posts Tagged ‘trojan’

JS_DLOADER.PCT a.k.a. Email-Worm.Win32.Zhelatin zhelati.mab removal

Posted by zlatipln on September 25, 2008

The Worm_Zhelati.Mab worm spreads via email.

Usually the message pretends to come from an old classmate and carries a link to YouTube:

Subject: Are you kidding me? lol

Message body: Dude, I know that’s you: someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v={random 11 characters}

If the link is clicked, it leads to a web page made up to look like YouTube.

The page tells you to download "the latest Microsoft Data" in order to view the video.

Clicking "click here" downloads a copy of the Email-Worm.Win32.Zhelatin worm onto your system. The fake YouTube page itself is detected by Trend Micro as JS_DLOADER.PCT.
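The lure works because the visible link text and the real link target of an HTML anchor need not match. The post does not say how this particular message was built; the following PowerShell is an added example, not code from the original post, that scans an HTML mail body for anchors whose visible text is a URL on a different host than the href. The sample body, the attacker host 203.0.113.10 and the path /watch.php are constructed placeholders.

```powershell
# Added example, not from the original post: flag anchors whose visible text is
# a URL but whose href points at a different host (the classic "looks like
# youtube.com, goes somewhere else" lure). Regex-based: good enough for mail
# bodies, not a full HTML parser.
function Get-MismatchedLinks {
    param([Parameter(Mandatory)][string]$HtmlBody)

    $anchor = '<a\s+[^>]*?href\s*=\s*["'']?(?<href>[^"''\s>]+)["'']?[^>]*>(?<text>.*?)</a>'
    foreach ($m in [regex]::Matches($HtmlBody, $anchor, 'IgnoreCase,Singleline')) {
        $href = $m.Groups['href'].Value
        # Drop any tags inside the anchor and keep the text the user actually sees.
        $text = ($m.Groups['text'].Value -replace '<[^>]+>', '').Trim()

        # Only anchors whose visible text is itself a URL can "lie" this way.
        if ($text -notmatch '^(https?://|www\.)') { continue }
        $textUrl = if ($text -match '^https?://') { $text } else { "http://$text" }

        $hrefUri = $null; $textUri = $null
        if (-not [uri]::TryCreate($href, [UriKind]::Absolute, [ref]$hrefUri)) { continue }
        if (-not [uri]::TryCreate($textUrl, [UriKind]::Absolute, [ref]$textUri)) { continue }

        if ($hrefUri.Host -ne $textUri.Host) {
            [pscustomobject]@{
                VisibleText = $text
                VisibleHost = $textUri.Host
                RealTarget  = $href
                RealHost    = $hrefUri.Host
            }
        }
    }
}

# Constructed sample body in the shape of the lure quoted above. The first
# anchor displays a youtube.com URL but points at an attacker host
# (203.0.113.10 is a documentation address; the path and video id are made up).
$sample = @'
<p>Dude, I know that's you: someone emailed me a link to the video. see for yourself...
<a href="http://203.0.113.10/watch.php">http://www.youtube.com/watch?v=a1b2c3d4e5f</a></p>
<p>Real link for comparison: <a href="http://www.youtube.com/">http://www.youtube.com/</a></p>
'@

Get-MismatchedLinks -HtmlBody $sample | Format-Table -AutoSize
```

Only the first anchor is reported (visible host www.youtube.com, real host 203.0.113.10). The comparison is on the full host name, so www.youtube.com versus youtube.com would also be flagged; if that is too noisy for a mail gateway, compare registrable domains instead.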

Once running, Email-Worm.Win32.Zhelatin harvests email addresses from the infected machine. It skips addresses containing certain strings, a common trick mass mailers use to avoid mailing security vendors and abuse desks, which would give the campaign away.

It then sends the messages through its own SMTP engine rather than an installed mail client such as Microsoft Outlook, so the outgoing mail never shows up in the user's Sent folder.

How to remove Worm_Zhelati.Mab:

1. Open Task Manager (Ctrl+Alt+Del), find the wincom32 process and end it.

2. Search the drive for the files spooldr.ini, wincom32.sys and wincom32.ini and delete them with Shift+Delete (bypassing the Recycle Bin). wincom32.sys is a kernel driver; if the files cannot be deleted, or do not show up at all, in normal mode, restart, press F8 to boot into Safe Mode and search and delete again there.

3. Click Start, choose Run, type regedt32 and click OK to open the Registry Editor.

4. Search (Edit menu, Find) for wincom32 and delete every key and value found.

Afterwards run a full scan with an up-to-date antivirus: the steps above remove the components named here, but a variant may drop additional files.
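The four steps above can be scripted so that the same machine can be re-checked after the reboot. The following PowerShell is an added example, not code from the original post: it reports the process, driver, service key and files the post names, and deletes them only when -Remove is given. The file and key names are the ones listed in the post; the Run-key check is an assumption about where a user-mode loader would sit.

```powershell
# Added example, not from the original post: audit a machine for the Zhelatin
# components the post names (wincom32 process, wincom32.sys driver and the
# spooldr.ini / wincom32.ini / wincom32.sys files) and remove them on request.
# Report-only unless -Remove is given. Run from an elevated PowerShell.
# Caveat: wincom32.sys is a kernel driver. While it is loaded it can hide its
# own files, service and process from tools on the live system, so an empty
# report here does not prove the box is clean; repeat from Safe Mode, where
# the driver is not started.
function Find-ZhelatinArtifacts {
    [CmdletBinding()]
    param(
        [string[]]$Names     = @('wincom32', 'spooldr'),
        [string[]]$FileNames = @('spooldr.ini', 'wincom32.sys', 'wincom32.ini'),
        [switch]$Remove
    )
    $findings = @()

    # 1. Processes (the Task Manager step). Get-Process names have no ".exe".
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($Names -contains $p.ProcessName) {
            $findings += [pscustomobject]@{ Kind = 'Process'; Item = "$($p.ProcessName) (PID $($p.Id))" }
            if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
        }
    }

    # 2. The driver: a loaded .sys shows up as a system driver and as a key
    #    under Services. State 'Running' means the file is in use and the
    #    file deletion below will fail until Safe Mode.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue) {
        if ($Names -contains $d.Name) {
            $findings += [pscustomobject]@{ Kind = 'Driver'; Item = "$($d.Name) state=$($d.State) path=$($d.PathName)" }
            if ($d.State -eq 'Running') { Write-Warning "$($d.Name) is loaded; delete it from Safe Mode." }
        }
    }
    foreach ($n in $Names) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        if (Test-Path -Path $svcKey) {
            $findings += [pscustomobject]@{ Kind = 'ServiceKey'; Item = $svcKey }
            if ($Remove) { Remove-Item -Path $svcKey -Recurse -Force -ErrorAction SilentlyContinue }
        }
    }

    # 3. Files under the Windows directory, hidden/system ones included.
    #    The post searches the whole drive; widen -Path to 'C:\' for that.
    $files = Get-ChildItem -Path $env:SystemRoot -Recurse -Force -File -Include $FileNames -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $findings += [pscustomobject]@{ Kind = 'File'; Item = $f.FullName }
        if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue }
    }

    # 4. Autostart values whose name or data mention the names (assumed location
    #    of a user-mode loader; the post itself says to search the whole registry).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }        # provider bookkeeping, not a value
            foreach ($n in $Names) {
                if ($prop.Name -like "*$n*" -or ([string]$prop.Value) -like "*$n*") {
                    $findings += [pscustomobject]@{ Kind = 'RunValue'; Item = "$rk\$($prop.Name) = $($prop.Value)" }
                    if ($Remove) { Remove-ItemProperty -Path $rk -Name $prop.Name -ErrorAction SilentlyContinue }
                    break
                }
            }
        }
    }
    $findings
}

Find-ZhelatinArtifacts | Format-Table -AutoSize     # audit
# Find-ZhelatinArtifacts -Remove                     # then remove, preferably from Safe Mode
```

Run the audit first, reboot into Safe Mode, run it again and only then use -Remove: anything the driver was hiding will only appear in the second run.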

Never click links in email from senders you were not expecting to hear from, even when the message claims to come from someone you know.

Posted in AntiSpyCheck, Registry, Windows, malware, trojan, virus

Trojan-Clicker.Win32 malware removal

Posted by zlatipln on September 25, 2008

Your antivirus program pops up an alert naming 'Trojan-Clicker.Win32.Agent.aig'.

This means the machine is infected. A clicker trojan's job is to generate hidden traffic to advertisements or web sites in the background, so Trojan-Clicker.Win32 is a nuisance rather than a destructive infection, but it should still be removed:

1. Download the latest version of ZoneAlarm.

2. Make sure you are logged on with administrator privileges.

3. Disable System Restore (see the separate System Restore post; malware saved in a restore point would otherwise come back after cleaning).

4. Reboot into Safe Mode (press F8 during restart).

5. Run ZoneAlarm.

6. Perform a full antivirus scan.

7. Reboot and start Windows in normal mode.

8. Enable System Restore again.

Posted in AntiSpyCheck, malware, trojan, virus, zone alarm

Trojan Horse SHEUR.AFJ Detected

Posted by zlatipln on September 25, 2008

If you receive such a message from your antivirus program, don't panic.

First, you are probably using AVG: SHeur is the name of AVG's heuristic (behaviour-based) detection, and this family of alerts is known for false positives.

Second, it fires mostly on legitimate files such as QuickBooks, the Adobe Reader installer (AdobeRdr), DNA.exe and WDSync.

If you downloaded the file from the vendor's own site, you can ask their support to confirm it is clean. Check it yourself first: compare the file's hash with the one the vendor publishes and look at its digital signature. A heuristic hit on a file correctly signed by the expected vendor is almost certainly a false positive. Do not simply ignore every SHeur alert, though: a heuristic detection is less reliable than a signature match, but it is not always wrong.

The detection name always begins with SHeur; the suffix (.AFJ here) varies.

Posted in Software, malware, trojan, virus

Cannot change Screensaver

Posted by zlatipln on September 25, 2008

If you cannot change the screensaver because the Screen Saver tab is missing from the Display Properties window, this is a sign that you may be infected by the Vundo trojan (also known as Virtumonde or MS Juan).

The wallpaper cannot be changed either, because the Desktop tab is missing too.

Your screensaver may also have been replaced by a fake Windows "blue screen".

Another sign is a flood of pop-ups advertising fake antivirus programs.

Do not click on these ads; they are all scams.

Here is a tool written specifically to fight Vundo: http://vundofix.atribune.org/

VundoFix is free. You can read about it here: http://en.wikipedia.org/wiki/VundoFix
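The post describes the symptom but not the mechanism. The Screen Saver and Desktop tabs of Display Properties are hidden by the Explorer policy values NoDispScrSavPage and NoDispBackgroundPage (NoDispCPL disables the whole applet). Whether this particular Vundo build sets exactly these values is an assumption, but they are the first thing to check, and clearing them on a clean system is harmless. The following PowerShell is an added example, not code from the post or from VundoFix:

```powershell
# Added example, not from the original post: report the policy values that hide
# the Screen Saver / Desktop tabs (and the whole Display applet), and clear them
# with -Reset. Whether Vundo sets exactly these values is an assumption; the
# value names themselves are Microsoft's documented Explorer policies.
function Test-DisplayTabPolicies {
    [CmdletBinding()]
    param([switch]$Reset)

    $effects = @{
        NoDispScrSavPage     = 'Screen Saver tab hidden'
        NoDispBackgroundPage = 'Desktop (wallpaper) tab hidden'
        NoDispCPL            = 'Display Properties applet disabled'
    }
    # The per-user key affects the current user; the machine key affects everyone.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in $effects.Keys) {
            $data = $props.$name
            if ($null -eq $data -or $data -eq 0) { continue }   # absent or 0 = not restricted
            [pscustomobject]@{ Key = $k; Value = $name; Data = $data; Effect = $effects[$name] }
            if ($Reset) { Remove-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue }
        }
    }
}

# Audit first; add -Reset to clear the values. Explorer re-reads the policies at
# logon, so log off and on (or restart explorer.exe) afterwards. If the values
# come back by themselves, the malware that sets them is still running.
Test-DisplayTabPolicies | Format-Table -AutoSize
```

An empty result means the tabs are not being hidden by policy and the cause lies elsewhere; a result that reappears after -Reset is the stronger indicator, since it means something is actively re-applying the restriction.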

Posted in Software, Windows, blue screen, malware, popups, screensaver, trojan, virus

Windows cannot find svchost.exe error message

Posted by zlatipln on September 25, 2008

If the following message appears:
"Windows cannot find 'c:/windows/system/programas/svchost.exe'. Make sure you typed the name correctly, and then try again."
it means your computer is infected by a trojan, virus or worm, or was infected and only partly cleaned: the dialog appears when an autostart entry still points at a malware file that has since been removed.
This is the so-called 'temp1.exe', 'copy.exe' or 'svohost.exe' virus.
You get infected by opening an email attachment from an unknown sender or by running an infected executable you downloaded.
The genuine svchost.exe is the Windows generic host process: it hosts services that are implemented as DLLs, and it lives in %SystemRoot%\System32.
A genuine svchost.exe should not be ended from Task Manager: each instance hosts several services at once, and ending the one that hosts RPC forces a shutdown.
Because it is such an important Windows file, svchost.exe is a favourite disguise for viruses and trojans.
Worms like Blaster exploited a bug in the RPC service that runs inside svchost.exe (MS03-026). The exploit frequently crashes the RPC service, which forces Windows to reboot, and the worm installs itself in the meantime. Malware that imitates svchost hides by dropping its own executable either into the same folder (System32) or under a near-identical name, so that it blends in with the real process.
Another sign of infection is losing copy-and-paste.
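Two checks follow from the description above: every process with an svchost-like name should be the genuine %SystemRoot%\System32\svchost.exe started by services.exe, and no autostart entry should point at a file that no longer exists (that is what produces the "Windows cannot find" dialog). The following PowerShell is an added example, not code from the original post; the look-alike name pattern and the choice of Run/RunOnce keys are assumptions, and Winlogon's Userinit and Shell values are another place worth reading by hand.

```powershell
# Added example, not from the original post. Run elevated so the image paths of
# system processes are readable; otherwise every svchost is reported as unknown.
function Get-SuspiciousSvchost {
    $legit = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        # Matches svchost.exe and look-alikes: svhost.exe, svohost.exe, svchosts.exe, svchost32.exe ...
        if ($p.Name -notmatch '^sv[a-z]{0,2}host[a-z0-9]*\.exe$') { continue }
        $reasons = @()
        if ($p.Name -ne 'svchost.exe') { $reasons += "look-alike name '$($p.Name)'" }
        if (-not $p.ExecutablePath) {
            $reasons += 'image path not readable (run elevated)'
        } elseif ($p.ExecutablePath -ne $legit) {
            $reasons += "runs from '$($p.ExecutablePath)' instead of '$legit'"
        }
        # The real service host is always started by the Service Control Manager.
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($parent -and $parent.Name -ne 'services.exe') {
            $reasons += "parent is '$($parent.Name)' (PID $($parent.ProcessId)), expected services.exe"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath; Reasons = ($reasons -join '; ') }
        }
    }
}

# Autostart values whose target is gone: the source of "Windows cannot find ...".
function Get-DanglingAutostart {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($rk in $runKeys) {
        $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a value
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            # The executable is the quoted first token, or everything up to the first ".exe".
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^\s*(.+?\.exe)') { $Matches[1] }
                   else { $cmd.Trim() }
            # A bare name (rundll32.exe ...) is resolved through PATH, as the loader would.
            $resolved = if ([IO.Path]::IsPathRooted($exe)) { $exe }
                        else { (Get-Command -Name $exe -ErrorAction SilentlyContinue).Path }
            if (-not $resolved -or -not (Test-Path -LiteralPath $resolved)) {
                [pscustomobject]@{ Key = $rk; Value = $prop.Name; Command = $cmd; MissingFile = $exe }
            }
        }
    }
}

Get-SuspiciousSvchost | Format-Table -AutoSize
Get-DanglingAutostart | Format-Table -AutoSize
```

A dangling entry is not harmless just because its file is gone: delete the value, otherwise the error returns at every logon, and note the path it pointed to, since the same folder may still hold other dropped files.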

Cleaning the worm/virus by hand is hard.
First delete all cookies and temporary files (in Internet Explorer: Tools, Internet Options, Browsing history, Delete).
Then disable System Restore (see the separate System Restore post): the worm may be saved in a restore point, from where it would be restored after cleaning.

Finally you can run CCleaner, which is popular among the 'victims' of this virus.
After that: use a firewall.
Install an antivirus program.
And do not open email attachments from unknown people or organisations.

Posted in Windows, malware, trojan, virus

Antispywaremaster.com Virus

Posted by zlatipln on September 24, 2008

Yet another MySpace 'virus'. It shows up on MySpace forums: pop-ups offer to download software from Antispywaremaster.com, claiming you are infected with thousands of trojans and viruses. It is the same rogue-antivirus scheme as WindowsAntivirus 2008 and AntispywareDeluxe.

The standard message is:

"Warning! xx suspicious files found! Potentially dangerous files were found on your system during the last scan! It is highly recommended to remove them as soon as possible…
Remove Now!"

DO NOT CLICK ON THE AD!

The pop-up cannot be closed normally, so close the malicious MySpace page (or the whole browser, from Task Manager if necessary) as quickly as possible, and use a pop-up blocker and a firewall.

If you did get infected, first open Task Manager (Ctrl+Alt+Del), find the asm.exe and/or Antispywaremaster.exe processes and end them.

Then run regedt32 and find and delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpywareDeluxe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareDeluxe_is1
HKEY_LOCAL_MACHINE\SOFTWARE\AntispywareD
HKEY_CURRENT_USER\Software\AntiSpywareMaster
HKEY_CURRENT_USER\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}

(Hint: in the Registry Editor choose Edit, Find, start from the root 'My Computer', search for 'AntiSpyware' and delete everything found. Look at each hit first: the string also matches legitimate anti-spyware products.)

At the end, find and delete the following files:

AntiSpywareMaster 7.3.url
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk
%UserProfile%\Desktop\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk

(Hint: use Windows Search on 'My Computer' with 'AntiSpyware' as the file name and delete all files found, with the same caution about legitimate products.)

Posted in AntiSpywareMaster 7.3, Internet, Software, Windows, malware, myspace, trojan, virus

Net-Worm.Win32.Koobface net worm infects Myspace and Facebook users

Posted by zlatipln on August 26, 2008

A new worm is spreading among both Facebook and MySpace users: Net-Worm.Win32.Koobface.

It has two variants: Net-Worm.Win32.Koobface.a (for MySpace) and Net-Worm.Win32.Koobface.b (for Facebook).

Besides spreading, the worms turn infected computers into zombies that form a botnet.

What is a botnet: http://en.wikipedia.org/wiki/Botnet

Net-Worm.Win32.Koobface.a (MySpace) posts large numbers of comments on the victim's friends' profiles.

Net-Worm.Win32.Koobface.b (Facebook) generates spam messages and sends them to the infected user's friends through Facebook.

Messages and comments carry subjects such as 'Paris Hilton Tosses Dwarf On The Street'; 'Examiners Caught Downloading Grades From The Internet'; 'Hello'; 'You must see it!!! LOL. My friend catched you on hidden cam'; 'Is it really celebrity? Funny Moments' and many others.

The messages and comments contain links to a youtube[.]pl address (the domain is written with [.] here, as the original post broke it up with spaces, so that it is not clickable).

Clicking the link redirects to a youtube[.]ru site containing a video clip.

When the user tries to watch it, a message pops up saying that the latest version of Flash Player is needed to view the funny clip.

Instead of Flash Player, a malicious file called codecsetup.exe is downloaded to the victim's computer; this file is the network worm itself.

Posted in Internet, Software, Windows, computer, malware, trojan, virus

Worm.Win32.GetCodec infects MP3 audio files

Posted by zlatipln on August 26, 2008

This worm was reported in July and represents a new step in worm and virus development.

What is new is that it converts MP3 files on the disk into WMA files and plants a link in them. When such a file is opened, the media player follows the link and Worm.Win32.GetCodec's web page tells you to download a new codec.

NEVER download and install codecs from unknown sites. A player that suddenly demands a new codec for a file you already had is almost always being used to deliver a worm or trojan.

If you accept the 'codec', a trojan known as Trojan-Proxy.Win32.Agent.arp is downloaded to your computer, giving the attackers control of the PC.
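The same check answers the three situations on this page where a file's true origin is in doubt: the 'codec' offered here, the codecsetup.exe that poses as a Flash Player update in the Koobface post, and an AVG SHeur hit on a file you believe came from the vendor. A genuine vendor installer carries a valid Authenticode signature from that vendor, and many vendors publish a hash of the download. The following PowerShell is an added example, not code from the original post; the file paths and the publisher strings 'Adobe' and 'Microsoft' in the usage lines are assumptions for illustration.

```powershell
# Added example, not from the original post: check a downloaded executable's
# Authenticode signature and SHA-256 before running it (or before dismissing an
# antivirus alert on it). ExpectedPublisher and ExpectedSha256 come from the
# vendor; without them only the signature status is evaluated.
function Test-DownloadTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher,   # substring that must appear in the signer's subject
        [string]$ExpectedSha256       # hash published by the vendor, if they publish one
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; SignatureStatus = 'n/a'; Signer = ''; Sha256 = ''; Trusted = $false; Reasons = 'file not found' }
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $reasons = @()

    # Status covers NotSigned, HashMismatch (file altered after signing) and
    # UnknownError (certificate chain not trusted), among others.
    if ($sig.Status -ne 'Valid') { $reasons += "signature status is $($sig.Status)" }
    # A valid signature from the wrong publisher is still untrusted: malware gets
    # signed too, so check who signed, not only that somebody did.
    if ($ExpectedPublisher -and $subject -notlike "*$ExpectedPublisher*") {
        $reasons += "signed by '$subject', expected publisher '$ExpectedPublisher'"
    }
    if ($ExpectedSha256 -and $sha256 -ne $ExpectedSha256) {
        $reasons += 'SHA-256 differs from the vendor-published hash'
    }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = $subject
        Sha256          = $sha256
        Trusted         = ($reasons.Count -eq 0)
        Reasons         = ($reasons -join '; ')
    }
}

# Usage (paths and publisher strings are assumptions for illustration):
# a file that claims to be a Flash Player update ...
Test-DownloadTrust -Path "$env:USERPROFILE\Downloads\codecsetup.exe" -ExpectedPublisher 'Adobe'
# ... and a Windows binary for comparison. On Windows 8 and later OS files are
# catalog-signed and report Valid; on older versions they may show NotSigned.
Test-DownloadTrust -Path "$env:SystemRoot\System32\notepad.exe" -ExpectedPublisher 'Microsoft'
```

Trusted is only true when every supplied expectation holds. For a SHeur alert, a Trusted result on a file whose hash matches the vendor's published one is strong evidence of a false positive; an unsigned 'codec' downloaded from a video page fails the first check and should not be run at all.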

If you got infected, use Spyware Doctor (http://www.pctools.com/spyware-doctor/) to clean the worm.

Posted in Internet, Software, Windows, malware, trojan, virus

XP Antivirus 2008 is a Trojan!

Posted by zlatipln on August 19, 2008

I was surfing the net when a red alert started to appear in the tray. It read: Windows Security has to be updated.

It offered me a site with "XP Antivirus 2008".

As I thought it was a Microsoft Security Center alert, I entered the site http://s c a n n e r . a n v i-s c a n n e r . c o m / 3 4 /? a d v i d  =  0 0 0 0 0 0 4 6 8 3 & H T T &  (Attention: better do not try to open it)

When I saw the fake system scan and the $20 price to "clean my system" I quickly left, but it was too late.

Then Avira AntiVir started to alert about detected viruses. The computer became very slow.

I restarted in Safe Mode (F8) and ran Spyware Doctor; it found more than 20 viruses and 30 infected files and cleaned them. I had disabled System Restore in advance (important!).

Then I ran Avira AntiVir again and it cleaned 17 trojans.

Open Task Manager (Ctrl+Alt+Del) and end the following processes:

vav.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
xpa.exe
xpa2008.exe

Then remove the following XP Antivirus 2008 registry keys and values (where a name follows the key path after a space, it is a value under that key; the smrhc7nsj0e57c value in the Run key is the autostart entry). The rhc7nsj0e57c part is the random-looking name this install used; other variants use a different one, so search for the name you actually find in the Run key:

HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid
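The lists above (and the AntiSpywareMaster/AntiSpywareDeluxe keys, shortcuts and files in the earlier post) are all instances of one pattern: a vendor key under the Software hives, an Uninstall entry, a Run value and a few shortcuts and folders in the usual places. The following PowerShell is an added example, not code from the original post; it searches those locations for name fragments instead of exact paths, because each variant uses its own random-looking name. The default pattern list is taken from this page; the drop locations are an assumption based on where the listed files sit.

```powershell
# Added example, not from the original post: find (and with -Remove delete) the
# registry keys, Run values, shortcuts and files a rogue antivirus leaves
# behind. Report-only unless -Remove. Run elevated, from Safe Mode if the rogue
# is still running. Review the report before -Remove: a loose fragment such as
# 'antivirus' would also match legitimate products.
function Find-RogueAvArtifacts {
    [CmdletBinding()]
    param(
        [string[]]$Patterns = @('XP antivirus', 'rhc7nsj0e57c', 'AntiSpywareMaster', 'AntiSpywareDeluxe'),
        [switch]$Remove
    )
    $hits  = @()
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Vendor keys directly under the Software hives and Uninstall entries,
    #    matched on key name or DisplayName. Add the Wow6432Node paths on 64-bit.
    $keyRoots = 'HKLM:\SOFTWARE', 'HKCU:\Software',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $keyRoots) {
        foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $display = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).DisplayName
            if ($k.PSChildName -match $regex -or ($display -and $display -match $regex)) {
                $hits += [pscustomobject]@{ Kind = 'RegistryKey'; Item = $k.Name }
                if ($Remove) { Remove-Item -Path $k.PSPath -Recurse -Force -ErrorAction SilentlyContinue }
            }
        }
    }

    # 2. Autostart values (e.g. Run\smrhc7nsj0e57c): match the value name or its data.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }           # provider metadata, not a value
            if ($prop.Name -match $regex -or ([string]$prop.Value) -match $regex) {
                $hits += [pscustomobject]@{ Kind = 'RunValue'; Item = "$rk\$($prop.Name) = $($prop.Value)" }
                if ($Remove) { Remove-ItemProperty -Path $rk -Name $prop.Name -ErrorAction SilentlyContinue }
            }
        }
    }

    # 3. Shortcuts and program folders in the usual drop locations: Desktop,
    #    Quick Launch, Start Menu (this user and all users) and Program Files.
    $dirs = @(
        [Environment]::GetFolderPath('Desktop'),
        (Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Internet Explorer\Quick Launch'),
        [Environment]::GetFolderPath('Programs'),
        [Environment]::GetFolderPath('CommonPrograms'),
        $env:ProgramFiles
    )
    foreach ($d in $dirs) {
        if (-not $d -or -not (Test-Path -LiteralPath $d)) { continue }
        $found = Get-ChildItem -Path $d -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -match $regex }
        foreach ($f in $found) {
            $hits += [pscustomobject]@{ Kind = 'File'; Item = $f.FullName }
            if ($Remove) { Remove-Item -LiteralPath $f.FullName -Recurse -Force -ErrorAction SilentlyContinue }
        }
    }
    $hits
}

Find-RogueAvArtifacts | Format-Table -AutoSize     # audit first
# Find-RogueAvArtifacts -Remove                     # then clean
```

The report is the useful part: the Run value it finds tells you the random name the variant on this machine uses, which you then add to -Patterns so that the vendor key and Uninstall entry named after it are caught as well. Follow the cleanup with a full scan from a known-good antivirus, since the rogue is usually installed alongside other malware.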

This way I cleaned my system of that annoying malware.

Posted in Internet, Registry, Software, Windows, XP Antivirus 2008, computer, malware, trojan, virus

Email from admin@microsoft.com is a trojan downloader

Posted by zlatipln on August 14, 2008

Today a friend of mine was happy to receive a personal message from admin@microsoft.com.

He opened it quickly. Then his antivirus program started to scream that his computer was infected, but it was too late.

It is a new kind of trojan disguised as an email from Microsoft.

It is not from them, of course; the hackers are simply using email spoofing.

So, generally, it is important not to open emails you do not expect, even when they appear to come from admin@microsoft.com, eBay, PayPal, etc.

Posted in Windows, admin@microsoft.com, computer, trojan, virus

Dangerous Trojan horses detected in your system – malware message

Posted by zlatipln on July 8, 2008

I think everyone has received such messages. They insist that you download and install a trojan-cleaning program. Instead, they install other trojans, spyware and other malware on your computer.

So NEVER click OK or Cancel: the 'dialog' is part of the web page, so its Cancel button can start the download just as OK does. Kill the window from Task Manager (Ctrl+Alt+Del) instead.

If such messages keep appearing, even on sites that have nothing to do with them, you already have some kind of malicious software on the machine.

To clean it at an early stage, download Malwarebytes (it is free), update it and run a full scan.

Hope this will fix your problem.

Posted in IE, Internet, Software, Windows