JS_DLOADER.PCT a.k.a. Email-Worm.Win32.Zhelatin zhelati.mab removal

The Worm_Zhelati.Mab is spread via emails.

Usually, it is a message from a fake classmate with a link to YouTube :

Subject: Are you kidding me? lol

MessageBody: Dude, I know that’s you: someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v={random 11 characters}

If the hyperlink is clicked, it redirects to a Web page masked as a YouTube page.

You are told to download latest Microsoft Data in order to viwe the movie.

Clicking click here will download a copy of the  worm Email-Worm.Win32.Zhelatin  into your system. The fake YouTube page is detected by Trend Micro as JS_DLOADER.PCT.

Email-Worm.Win32.Zhelatin   collects  email addresses. It avoids sending e-mail messages to addresses, containing some strings.

It then sends emails without using any email system like  Microsoft Outlook.

How to remove  Worm_Zhelati.Mab :

1. Open Task Manager /Alt+Ctr+Del/ and find and wincom32 process.

2. Do a search for spooldr.ini, wincom32.sys and wincom32.ini files and delete them using Shift+Delete / go in Safe mode by Restart and pressing F8 key if impossible to delete in normal mode./

3. Click Start button –> Run and type Regedt32 –>OK to open Registry Editor

4. Perform a search /Edit menu/ for wincom32  and delete all found keys.

Never click on links in emails from not expected senders!

Trojan-Clicker.Win32 malware remove

It is alerted by popup of your antivirus program: ‘Trojan-Clicker.Win32.Agent.aig’ 

This means you are infected. This trojan /‘Trojan-Clicker.Win32’/ isn’t  very harmful but it is better to get rid over it:

1. Download the latest versions of Zone Alarm

2. Be sure you are with Admin privileges.

3. Disable System Restore:

System Restore

System Restore

4. Reboot in SAFE MODE /press F8 key during restart./

5. Run Zone Alarm

6. Perform a full Antivirus scan

7. Reboot and start Windows in normal mode.

8. Enable SystemRestore

Trojan Horse SHEUR.AFJ Detected

If you receive such a message from your antivirus program, don’t panic.

First, you maybe using AVG – it is the anti-virus program that generates this FALSE positive virus message.

And second: it alerts for fake trojans mainly at Quickbooks, AdobeRdr, DNA.exe, WDSync files.

If you have downloaded them from producer site, you can ask their support to confirm it is not infected.

The name of false trojan detected is always  SHEUR but extension may vary.

Cannot change Screensaver

If you cannot change screensaver because the tab is missing in Properties window, this is a sign you may be infected by Vundo trojan/ MS Juan ./

Also the wallpaper cannot be changed because the wallpaper tab is missing.

Also your screensaver may be changed to  Windous “Blue screen”

Another sign are many pop-ups – with ads of fake antivirus programs.

Do not click on this ads! They all are scam!

Here is a good program made especially to fight Vundo virus: http://vundofix.atribune.org/ 

Vundofix is free.  You can read about Vundofix program here: http://en.wikipedia.org/wiki/VundoFix

Windows cannot find svchost.exe error message

If the following message appears:
“Windows cannot find ‘c:/windows/system/programas/svchost.exe’. Make sure you typed the name correctly, and then try again.”  – this means your computer is infected by trojans, viruses or worms.
This is so called  ‘temp1.exe’  or  ‘copy.exe’ or ‘svohost.exe’ virus.
You can got infected opening an email attachment from unknown sender or from infected executable file you have downloaded.
The original Svchost.exe file is  important Windows generic host process . It works for running DLL services and is placed in folder %SystemRoot%\System32.
 The Svchost.exe process can not be stopped from TaskManager.
Because it is very important Windows file, svchost.exe is a target for many viruses and Trojans.
Worms like MSBlaster usually exploit a bug in svhost.exe.
If the worm manage to implement in the file, it causes svhost.exe to crash. Then follows a reboot and after restarting, Windows is infectes . The worm has masked itself in same folder /system32/ and has similar name.
Another sign you are infected – loosing CopyPaste functionality.

Cleaning the worm/virus is hard to do.
The best way is first to delete all the cookies and temporaly files /menu Tools –> Internet Options –> Browsing history –> Delete/
Then disable System Restore because the worm may be hidden there and waiting to attack again.

System Restore

System Restore

At the end you may use the program: ccleaner – it is popular among the ‘victims’ of that virus.
After that : use Firewall.
Install and an antivirus program.
And DO NOT open email attachments from unknown people/organisations.

Antispywaremaster.com Virus

Yet another Myspace virus. It can be seen on Myspace forums. Pop ups offer you to download Antispywaremaster.com software telling you are infected with thousands of trojans and viruses. It is similar to WindowsAntivirus 2008 and AntispywareDeluxe.

The standard message is:

Warning! xx suspicious files found! Potentially dangerous files were found on your system during the last scan! IT is highly recommended to remove them as soon as possible…
Remove Now!”


The pop up is impossible to close, so you have to close the Myspace malicious page as soon as possible and use popup blockers and firewall.

If you got infected, first stop asm.exe and/or Antispywaremaster.exe processes /Alt+Ctrl+Del/ to open Task Manager, find processes and delete them.

Then run regedt32 and find and delete the following registry keys:


/Hint – try Edit menu –> search from the root ‘MyComputer’ for ‘AntiSpyware’ and delete all results found/

At the end, find and delete the following files:

AntiSpywareMaster 7.3.url
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\AntiSpywareMaster.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AntiSpywareMaster\Uninstall AntiSpywareMaster.lnk

/Hint – try Search console –> search ‘MyComputer’ for word ‘AntiSpyware’ as file name and delete all files  found/

What is COH32.exe Windows Process

Today I found for first time a strange process named COH32.exe.

I was loading a huge file /250MB/ in Notepad+ and hit Alt+Ctrl+Del to open Task manager and watch Memory usage.

Then I suddenly saw it – after couple of seconds COH32.exe disappeared from my Task Manager.

I made a search and found it is a Symantec Security Center file. Can be found in \Program Files\Common Files\Symantec Shared\COH

The good news it is not harmful. The COH32.exe is Symantec digitaly signed and is used from my antivirus program for proactive scanning.

If you have this process running too and use Symantec, perhaps it is their file.

But some trojans and viruses may be named same way. The difference is they can be found in Windows or Windows\System32 folders instead of Symantek folder. So, make a search in this folders for COH32.exe.