JS_DLOADER.PCT a.k.a. Email-Worm.Win32.Zhelatin zhelati.mab removal


Worm_Zhelati.Mab spreads via email.

Usually, it is a message from a fake classmate with a link to YouTube:

Subject: Are you kidding me? lol

MessageBody: Dude, I know that’s you: someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v={random 11 characters}

If the hyperlink is clicked, it redirects to a Web page masked as a YouTube page.

You are told to download the latest Microsoft Data in order to view the movie.

Clicking “click here” downloads a copy of the worm Email-Worm.Win32.Zhelatin onto your system. The fake YouTube page is detected by Trend Micro as JS_DLOADER.PCT.
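
A mail-side check for the lure described above, as an added PowerShell example that is not part of the original post. It assumes the message body is HTML and that the masking is done with a link whose visible text differs from its href; the function name, the sample body and the 203.0.113.7 address (a documentation range) are constructed for illustration.

```powershell
# Added example. Flags anchors whose visible text shows a YouTube watch URL
# while the href points to some other host.
function Find-MaskedYouTubeLink {
    param([Parameter(Mandatory)][string]$HtmlBody)

    # <a ... href="TARGET" ...>VISIBLE TEXT</a>; (?s) lets the text span lines.
    $anchor  = [regex]'(?is)<a\b[^>]*?\bhref\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    # The lure format from the message: watch?v= followed by 11 characters.
    $lure    = [regex]'(?i)youtube\.com/watch\?v=[\w-]{11}'
    $trusted = 'youtube.com', 'youtu.be'

    foreach ($m in $anchor.Matches($HtmlBody)) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        if (-not $lure.IsMatch($text)) { continue }

        # Relative or malformed targets fail to parse and are reported too.
        $uri = $null
        $targetHost = ''
        if ([uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) {
            $targetHost = $uri.Host.ToLowerInvariant()
        }
        $isTrusted = $false
        foreach ($d in $trusted) {
            if ($targetHost -eq $d -or $targetHost.EndsWith(".$d")) { $isTrusted = $true }
        }
        if (-not $isTrusted) {
            [pscustomobject]@{ Shown = $text; Target = $href }
        }
    }
}

# Constructed sample body: the first link is masked, the second is genuine.
$sample = @'
<p>Dude, I know that's you: someone emailed me a link to the video.</p>
<a href="http://203.0.113.7/watch.html">http://www.youtube.com/watch?v=AbCdEfGhIjK</a>
<a href="http://www.youtube.com/watch?v=ZyXwVuTsRqP">http://www.youtube.com/watch?v=ZyXwVuTsRqP</a>
'@
Find-MaskedYouTubeLink -HtmlBody $sample | Format-List
```

Only the first link in the sample is reported, because its visible text matches the lure format while its target host is not a YouTube domain.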

Email-Worm.Win32.Zhelatin collects email addresses. It avoids sending e-mail messages to addresses containing certain strings.

It then sends emails without using any email program such as Microsoft Outlook.

How to remove Worm_Zhelati.Mab:

1. Open Task Manager /Alt+Ctrl+Del/ and find and end the wincom32 process.

2. Search for the files spooldr.ini, wincom32.sys and wincom32.ini and delete them using Shift+Delete /if they cannot be deleted in normal mode, restart in Safe Mode by pressing the F8 key during restart/.

3. Click the Start button –> Run, type Regedt32 and click OK to open Registry Editor.

4. Search /Edit menu/ for wincom32 and delete all keys found.

Never click on links in emails from unexpected senders!


Trojan-Clicker.Win32 malware removal


Your antivirus program alerts you with a popup: ‘Trojan-Clicker.Win32.Agent.aig’

This means you are infected. This trojan /‘Trojan-Clicker.Win32’/ isn’t very harmful, but it is better to get rid of it:

1. Download the latest version of Zone Alarm.

2. Make sure you are logged in with Admin privileges.

3. Disable System Restore:


4. Reboot in Safe Mode /press the F8 key during restart/.

5. Run Zone Alarm

6. Perform a full Antivirus scan

7. Reboot and start Windows in normal mode.

8. Enable System Restore.

AntiSpyCheck – yet another trojan


 

Have you noticed how many trojans with ‘Anti-’ names have appeared nowadays? It seems to be the latest trend among virus/trojan creators. They mask their malware as antivirus software with a colorful GUI telling you that you have 345247827469726482246 trojans and viruses and must hurry to their page and buy their antivirus software, which is supposedly the only one that can clean your computer.

Anti Spy Check Description:
Anti Spy Check, or AntiSpyCheck 2.4, is a fake antispyware and antivirus program that claims to be a spyware remover, popup blocker and trojans cleaner.

The AntiSpyCheck program may be installed without your knowledge through the Trojan Zlob.

Trojan.Zlob is a backdoor Trojan. It allows the hacker to perform various malicious actions on the remote computer.

Trojan.Zlob is usually disguised as a required video codec in the form of an ActiveX control.

Here is a typical example of it:

[Image not preserved.]

Image taken from http://www.jahewi.nl/lists/fakecodecs/fakecodecs.html

Anti-SpyCheck usually pops up fake security alerts trying to make you buy their software.

How can you get rid of AntiSpyCheck?
The best spyware removal tactic is to uninstall Anti Spy Check using “Add/Remove Programs” in the Control Panel.

If there are still files remaining after reboot, follow the steps below /System Restore has to be disabled/:

1. Run the Task Manager /press “Alt+Ctrl+Del” and “Task Manager” opens/. The ‘+’ sign means pressing the three keys at once: the three-finger rule.

2. Find the following processes: ad-protect.exe and AntiSpyCheck.exe, then select them one by one and press the ‘End Process’ button.

3. Find the files above using Search and delete them.

4. Go to the “Start” button and then click on “Run”.

5. In the Run box type “cmd” and then click on the “OK” button.

6. Type regsvr32 /u spamdet.dll and hit Enter. This will unregister the trojan .dll library.

7. Find and delete spamdet.dll.

8. Open registry editor /Start — Run — Regedt32/ then find and delete /if any/ the following registry keys:


 

After restarting the computer there will be no more annoying pop ups and slowdowns.
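
A read-only check for the leftovers that the two manual procedures on this page look for (the Worm_Zhelati.Mab steps and the AntiSpyCheck steps), as an added PowerShell example and not a tool from the original posts. The process names, file names and name fragments are the ones the page mentions; the search roots, the inclusion of the Services key and the Get-Leftover function name are assumptions.

```powershell
# Added example: read-only audit. It lists leftovers and deletes nothing.
# Run from an elevated prompt so protected folders and keys can be read.
$indicators = @{
    'Worm_Zhelati.Mab' = @{
        Processes = @('wincom32')
        Files     = @('spooldr.ini', 'wincom32.sys', 'wincom32.ini')
        RegMatch  = 'wincom32'
    }
    'AntiSpyCheck' = @{
        Processes = @('ad-protect', 'AntiSpyCheck')   # names without .exe
        Files     = @('ad-protect.exe', 'AntiSpyCheck.exe', 'spamdet.dll')
        RegMatch  = 'AntiSpyCheck|Ad-Protect|spamdet'
    }
}
# Assumption: these roots cover the usual locations; widen them if needed.
$fileRoots = $env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE
$regRoots  = 'HKLM:\SOFTWARE', 'HKCU:\Software', 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-Leftover {
    param([string]$Family, [hashtable]$Ioc)

    # Running processes (the Task Manager step).
    Get-Process -Name $Ioc.Processes -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Family = $Family; Kind = 'Process'; Item = "$($_.ProcessName) (PID $($_.Id))" }
    }
    # Files on disk (the Search step); -Force includes hidden and system files.
    Get-ChildItem -Path $fileRoots -Include $Ioc.Files -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Family = $Family; Kind = 'File'; Item = $_.FullName }
        }
    # Registry keys (the Regedt32 step): match the key name or its default
    # value, so keys that only point at a listed file are reported as well.
    Get-ChildItem -Path $regRoots -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $Ioc.RegMatch -or "$($_.GetValue(''))" -match $Ioc.RegMatch } |
        ForEach-Object {
            [pscustomobject]@{ Family = $Family; Kind = 'RegistryKey'; Item = $_.Name }
        }
}

$indicators.GetEnumerator() |
    ForEach-Object { Get-Leftover -Family $_.Key -Ioc $_.Value } |
    Format-Table -AutoSize -Wrap
```

An empty table after the reboot means none of the named processes, files or keys were found under the searched roots.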

And one piece of advice: there is no free lunch, as you know, so when you are watching porn and it says you have to download something to watch more, think first before you click Yes, or better, quickly RUN from the site without thinking!