JS_DLOADER.PCT a.k.a. Email-Worm.Win32.Zhelatin zhelati.mab removal

The Worm_Zhelati.Mab is spread via emails.

Usually, it is a message from a fake classmate with a link to YouTube :

Subject: Are you kidding me? lol

MessageBody: Dude, I know that’s you: someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v={random 11 characters}

If the hyperlink is clicked, it redirects to a Web page masked as a YouTube page.

You are told to download latest Microsoft Data in order to viwe the movie.

Clicking click here will download a copy of the  worm Email-Worm.Win32.Zhelatin  into your system. The fake YouTube page is detected by Trend Micro as JS_DLOADER.PCT.

Email-Worm.Win32.Zhelatin   collects  email addresses. It avoids sending e-mail messages to addresses, containing some strings.

It then sends emails without using any email system like  Microsoft Outlook.

How to remove  Worm_Zhelati.Mab :

1. Open Task Manager /Alt+Ctr+Del/ and find and wincom32 process.

2. Do a search for spooldr.ini, wincom32.sys and wincom32.ini files and delete them using Shift+Delete / go in Safe mode by Restart and pressing F8 key if impossible to delete in normal mode./

3. Click Start button –> Run and type Regedt32 –>OK to open Registry Editor

4. Perform a search /Edit menu/ for wincom32  and delete all found keys.

Never click on links in emails from not expected senders!

Trojan-Clicker.Win32 malware remove

It is alerted by popup of your antivirus program: ‘Trojan-Clicker.Win32.Agent.aig’ 

This means you are infected. This trojan /‘Trojan-Clicker.Win32’/ isn’t  very harmful but it is better to get rid over it:

1. Download the latest versions of Zone Alarm

2. Be sure you are with Admin privileges.

3. Disable System Restore:

System Restore

4. Reboot in SAFE MODE /press F8 key during restart./

5. Run Zone Alarm

6. Perform a full Antivirus scan

7. Reboot and start Windows in normal mode.

8. Enable SystemRestore

Trojan Horse SHEUR.AFJ Detected

If you receive such a message from your antivirus program, don’t panic.

First, you maybe using AVG – it is the anti-virus program that generates this FALSE positive virus message.

And second: it alerts for fake trojans mainly at Quickbooks, AdobeRdr, DNA.exe, WDSync files.

If you have downloaded them from producer site, you can ask their support to confirm it is not infected.

The name of false trojan detected is always  SHEUR but extension may vary.

Cannot change Screensaver

If you cannot change screensaver because the tab is missing in Properties window, this is a sign you may be infected by Vundo trojan/ MS Juan ./

Also the wallpaper cannot be changed because the wallpaper tab is missing.

Also your screensaver may be changed to  Windous “Blue screen”

Another sign are many pop-ups – with ads of fake antivirus programs.

Do not click on this ads! They all are scam!

Here is a good program made especially to fight Vundo virus: http://vundofix.atribune.org/ 

Vundofix is free.  You can read about Vundofix program here: http://en.wikipedia.org/wiki/VundoFix

Windows cannot find svchost.exe error message

If the following message appears:
“Windows cannot find ‘c:/windows/system/programas/svchost.exe’. Make sure you typed the name correctly, and then try again.”  – this means your computer is infected by trojans, viruses or worms.

This is so called  ‘temp1.exe’  or  ‘copy.exe’ or ‘svohost.exe’ virus.
You can got infected opening an email attachment from unknown sender or from infected executable file you have downloaded.
The original Svchost.exe file is  important Windows generic host process . It works for running DLL services and is placed in folder %SystemRoot%\System32.

 The Svchost.exe process can not be stopped from TaskManager.
Because it is very important Windows file, svchost.exe is a target for many viruses and Trojans.

Worms like MSBlaster usually exploit a bug in svhost.exe.

If the worm manage to implement in the file, it causes svhost.exe to crash. Then follows a reboot and after restarting, Windows is infectes . The worm has masked itself in same folder /system32/ and has similar name.
Another sign you are infected – loosing CopyPaste functionality.

Cleaning the worm/virus is hard to do.
The best way is first to delete all the cookies and temporaly files /menu Tools –> Internet Options –> Browsing history –> Delete/
Then disable System Restore because the worm may be hidden there and waiting to attack again.

System Restore

At the end you may use the program: ccleaner – it is popular among the ‘victims’ of that virus.
After that : use Firewall.
Install and an antivirus program.
And DO NOT open email attachments from unknown people/organisations.

Micro Antivirus 2009

Micro Antivirus 2009 is very similar to famous fake anti-spyware programs  MS Antivirus,  Vitae Antivirus 2008 and Vista Antivirus.

MicroAntivirus can be distributed by Trojans that are masked as fake video codecs.

If you try to install them, the trojan is activated. 

Then trojans issue fake security alerts.

To get rid on it you have to find in registry editor /Rubn regedt32/ all keys containing MicroAntivirus in their name and delete.

Then search computer for files containing MicroAntivirus in their name and delete them too.

Use firewall and antivirus software from wellknown and original brands /NOD32, Symantec, Panda, Kaspersky, AVG./

Antispywaremaster.com Virus

Yet another Myspace virus. It can be seen on Myspace forums. Pop ups offer you to download Antispywaremaster.com software telling you are infected with thousands of trojans and viruses. It is similar to WindowsAntivirus 2008 and AntispywareDeluxe.

The standard message is:

“Warning! xx suspicious files found! Potentially dangerous files were found on your system during the last scan! IT is highly recommended to remove them as soon as possible…
Remove Now!”

DO NOT CLICK ON THE AD!!!

The pop up is impossible to close, so you have to close the Myspace malicious page as soon as possible and use popup blockers and firewall.

If you got infected, first stop asm.exe and/or Antispywaremaster.exe processes /Alt+Ctrl+Del/ to open Task Manager, find processes and delete them.

Then run regedt32 and find and delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpywareDeluxe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareDeluxe_is1
HKEY_LOCAL_MACHINE\SOFTWARE\AntispywareD
HKEY_CURRENT_USER\Software\AntiSpywareMaster
HKEY_CURRENT_USER\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}

/Hint – try Edit menu –> search from the root ‘MyComputer’ for ‘AntiSpyware’ and delete all results found/

At the end, find and delete the following files:

AntiSpywareMaster 7.3.url
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk
%UserProfile%\Desktop\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk

/Hint – try Search console –> search ‘MyComputer’ for word ‘AntiSpyware’ as file name and delete all files  found/

Myspace Possible_HiFrm Virus

Myspace Possible_HiFrm Virus is detected by Trend Micro mainly in login pages.

It means this is a possible malicious software using iframes to redirect your browser.

Myspase itself is not spreading viruses. This is done by users who have put some corrupted scripts in their profiles.

If you are visiting unknown Myspace page and your anti-virus program alerts for possible virus, it  is better to leave this site immediately.

The Suspicious MySpace pages contain malicious javascripts that are detected as JS_DIRESEX.A.

The script is programmed to invisibly connect you to a pornsite. If such site which pops up unexpectedly – you have been infected.

As advice in case your computer behavies strange when visited some MS pages, you have to use pop up blocker, firewall, anti-virus programs /of course./ You have to delete temporaly Internet files and restore to earlier point.

JavaScript injection

JavaScript injection become a very popylar hacking method nowdays.

As Javascript is enabled by default in web browsers, it is easy to become a victim.

The malicious websites use installing of ActiveX controls to get control.

The way to avoid JavaScript injection is not to visit unknown sites, especially those offering pirated software. Update Windows regularry and apply the critical patches. Disable active Javascript in IE. 

And main: use firewall and anti-virus software. 

Here is a link with a list with malware sites: http://malwaredomains.com/?tag=sql-injection

It is often updated and one can see how fast is growing their number every day.

What is COH32.exe Windows Process

Today I found for first time a strange process named COH32.exe.

I was loading a huge file /250MB/ in Notepad+ and hit Alt+Ctrl+Del to open Task manager and watch Memory usage.

Then I suddenly saw it – after couple of seconds COH32.exe disappeared from my Task Manager.

I made a search and found it is a Symantec Security Center file. Can be found in \Program Files\Common Files\Symantec Shared\COH

The good news it is not harmful. The COH32.exe is Symantec digitaly signed and is used from my antivirus program for proactive scanning.

If you have this process running too and use Symantec, perhaps it is their file.

But some trojans and viruses may be named same way. The difference is they can be found in Windows or Windows\System32 folders instead of Symantek folder. So, make a search in this folders for COH32.exe.

Net-Worm.Win32.Koobface net worm infects Myspace and Facebook users

There is a new virus spreading among both Facebook and Muspace uswers – Net-Worm.Win32.Koobface.

It has two variants: Net-Worm.Win32.Koobface.a. /for Myspace/  and Net-Worm.Win32.Koobface.b /for  Facebook/

In  their malicious action, the net worms transform victim computers  into zombie computers to form botnets.

What is a Botnet – http://en.wikipedia.org/wiki/Botnet 

The Net-Worm.Win32.Koobface.a. /for Myspace/ worm creates many commentaries to friends’ accounts.

 The Net-Worm.Win32.Koobface.b /targets Facebook users/ creates many spam messages and sends them to the infected users’friends via the Facebook.

Messages and comments can include ‘Paris Hilton Tosses Dwarf On The Street’; ‘Examiners Caught Downloading Grades From The Internet’; ‘Hello’;’ You must see it!!! LOL. My friend catched you on hidden cam’;’ Is it really celebrity? Funny Moments’ and many others.

Messages and comments include links to http://youtube     .pl.

If you click on this link, you are redirected to http://youtube      .ru,  – a site which contains a video clip.

If the user wants to watch it, a message pops up reading that you need the latest version of Flash Player to watch the funny clip.

Of course, instead of the latest version of Flash Player, a malicious file called codecsetup.exe is downloaded to  victimcomputer; this file is also a network worm.

Worm.Win32.GetCodec infects MP3 audio files

This worm was reported in July and is a new step in worms and viruses development.

The new is it converts the mp3 file into WMA file and embeds in it. When the file is opened, the Worm.Win32.GetCodec worm opens a web page telling you to download a new codec.

NEVER download and install codecs from unknown sites! It is 99% sure they are worms/trojans.

 If you agree to install the ‘codec’ file, a Trojan – known as Trojan-Proxy.Win32.Agent.arp is downloaded to your  computer, giving the hackers control of the victim’s PC.

if you got infected, use http://www.pctools.com/spyware-doctor/ to clean the worm.

AntiSpyCheck – yet another trojan

 

 Do you have noticed how many trojans with ‘Anti-‘ names appeared nowdays? It seems to be the last trends among virus/trojans creators. They have masked their malware code as antivirus software with colorful GUI telling you have 345247827469726482246 trojans and viruses and have to hurry to their page and buy antivirus software which is the only one to clean your computer.    
 
Anti Spy Check Description:
Anti Spy Check, or AntiSpyCheck 2.4, is a fake antispyware and antivirus program that claims to be a spyware remover, popup blocker and trojans cleaner.

AntiSpyCheck program may install without your knowledge through a Trojan Zlob.

Trojan.Zlob is a back door Trojan. It allows the hacker to perform various malicious actions on the remote computer.

Trojan.Zlob usually is masked as a needed video codec in the form of ActiveX.

Here is a typical example of it:

 

Image taken from http://www.jahewi.nl/lists/fakecodecs/fakecodecs.html

 

Anti-SpyCheck usually pops up fake security alerts trying to make you buy their software.

How can you get rid of AntiSpyCheck?
The best spyware removal tactic is to uninstall Anti Spy Check  using the “Add/Remove Programs” from the Control Panel.

If there are still files remaining after reboot, follow the steps below: /Sistem Restore has to be disabled/

1. Run the Task Manager /“Alt+Ctrl+Del“, and “Task Manager” opens/ ! ‘+’ sign means to press three keys at once- the 3 fingers rule.

2. Find the following processes: ad-protect.exe and AntiSpyCheck.exe then select one by one and press the ‘End Process’ button.

3.  Find the files above using Search and delete them.

4.  Go to “Start” button and then click on “Run”.

5. In the Run  box  type “cmd“, and then click on “OK”  button

6. Type regsvr32 /u spamdet.dll and hit Enter. This will unregister the trojan .dll library.

7. Find and Delete spamdet.dll

8. Open registry editor /Start — Run — Regedt32/ then find and delete /if any/ the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ad-protect.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\spamdet.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C628512D-A058-4BD4-B47B-B036F45FA02B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99A753C6-E429-46BD-989E-DD4A21CD059D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBD3E11-D201-46C9-8471-091D33159287}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2608046-DD09-A225-01BF-70C1EDD8B2E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2C1986A-FBEC-4472-AABF-6D42F08DBC8E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3210E86-46A8-5973-963F-0EF4CF226A0C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{214345B8-BB69-498D-A168-29F58F15D806}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF231820-9904-4A37-B5B0-C87EF6F6CC82}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2C1986A-FBEC-4472-AABF-6D42F08DBC8E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F51BC478-D997-4C56-988D-79D9EEAAD1EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FD4DCB8B-C33A-4E70-A351-6FAB7E1071A4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{32BD20FD-41FD-47FB-9BC9-28DCBD7D55D7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5AA883DB-7CFD-4737-B3C3-C671595ECCE5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Addin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Addin.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Server.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spamdet.SpamDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spamdet.SpamDetector.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntiSpyCheck.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyCheck
HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyCheck
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Ad-Protect.Addin.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\AntiSpyCheck  

 

After restarting the computer there will be no more annoying pop ups and slowdowns.

And one advice: there is no free lunch as you know, so when watching porn and it says wou have to download something to watch more – think first before click Yes, or better – Quickly RUN of the site without thinking!

Google involved in spreading XP Antivirus 2009 and Vista Antivirus 2009

As my last post made a hudge interest, I made a quick research regarding those trojan which has so wide spreaded.

Almost all of my search keywords are “How to remove XP Antivirus 2008”

About removing of the trojan I have written before. Write to me if you have more questions or problems – I will try to help with advices.

If I dont know something, I ask Google.

And the irony in this case is Google told me that Google is was spreading malware via its AdWords links.

If you don’t know – AdWords is an advertising program of Google. They get paid to put ads in some pages and in main search results page too.

Some of those advertising links belonged to hackers. They had redirected the user who had clicked on their link to a trojan downloader page. This way many web users become infected with viruses just surfing the web.

The good news is Google have identified and canceled AdWords accounts which displayed malicious ads re-directing users to hacker sites.

More info can find at the official Google AdWords blog 

http://adwords.blogspot.com/2007/04/protecting-your-security-online.html

XP Antivirus 2008 is a Trojan!

I had surfing the net when a red alert in Tray menu started to appear. It read Windows Seciruty has to be updated.

It offered me a site with “XP Antivirus 2008”

As I tought it is Microsoft security center alert, entered the site  http://s c a n n e r . a n v i-s c a n n e r . c o m / 3 4 /? a d v i d  =  0 0 0 0 0 0 4 6 8 3 & H T T &  /Attention – better do not try to open/

When I saw the fake system scanning and $20 price to “clean my system” I quickly left but was too late.

Then Avira Antivir  started to alert about viruses detected. The computer became very slow.

I restarted in Safe Mode /F8/ and  ran Spyware Doctor – it found more than 20 viruses and 30 infected files. Spyware Doctor cleaned them. I had disabled System Restore in advance. /Important!/

Then ran Avira Antivir again and cleaned  17 trojans.

Open Task manager /alt+ctrl+del/ and stop the following processes:

vav.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
xpa.exe
xpa2008.exe

Then Remove following XP Antivirus 2008 Registry Values:

HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid

This way I cleaned my system from that annoying malware.