JS_DLOADER.PCT a.k.a. Email-Worm.Win32.Zhelatin zhelati.mab removal


Worm_Zhelati.Mab spreads via email.

Usually, it is a message from a fake classmate with a link to YouTube:

Subject: Are you kidding me? lol

MessageBody: Dude, I know that’s you: someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v={random 11 characters}

If the hyperlink is clicked, it redirects to a Web page masquerading as a YouTube page.

You are told to download the latest Microsoft Data in order to view the movie.

Clicking "click here" downloads a copy of the worm Email-Worm.Win32.Zhelatin onto your system. The fake YouTube page is detected by Trend Micro as JS_DLOADER.PCT.

Email-Worm.Win32.Zhelatin collects email addresses. It avoids sending e-mail messages to addresses containing certain strings.

It then sends emails without using an email client such as Microsoft Outlook.

How to remove Worm_Zhelati.Mab:

1. Open Task Manager (Alt+Ctrl+Del) and find the wincom32 process.

2. Search for the files spooldr.ini, wincom32.sys and wincom32.ini and delete them using Shift+Delete (if they cannot be deleted in normal mode, restart and press the F8 key to enter Safe Mode).

3. Click the Start button –> Run, type Regedt32 and click OK to open Registry Editor.

4. Search (Edit menu) for wincom32 and delete all keys found.
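A read-only check for the artifacts named in steps 1 to 4, as an added example that is not part of the original post. The search roots (`$env:SystemRoot` and the listed registry keys) are assumptions, since the post gives only names; the script reports what it finds and deletes nothing.

```powershell
# Read-only triage for the artifacts named in the removal steps.
# Search roots below are assumptions; the post gives names only.
param(
    [string[]]$FileRoots = @($env:SystemRoot),
    [string[]]$RegRoots  = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
)

$fileNames = 'spooldr.ini', 'wincom32.sys', 'wincom32.ini'   # step 2
$needle    = 'wincom32'                                       # steps 1 and 4
$findings  = New-Object 'System.Collections.Generic.List[object]'

# Step 1: a running process with the name from the post
foreach ($p in @(Get-Process -Name $needle -ErrorAction SilentlyContinue)) {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Item = "$($p.Name) (PID $($p.Id))" })
}

# Step 2: files by exact name; -Force includes hidden and system files
foreach ($root in $FileRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $fileNames -contains $_.Name } |
        ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'File'; Item = $_.FullName }) }
}

# Step 4: registry key names, value names and value data containing the string
foreach ($root in $RegRoots) {
    if (-not (Test-Path $root)) { continue }
    $keys = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if ($key.PSChildName -like "*$needle*") {
            $findings.Add([pscustomobject]@{ Type = 'RegKey'; Item = $key.Name })
        }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -like "*$needle*" -or $data -like "*$needle*") {
                $findings.Add([pscustomobject]@{ Type = 'RegValue'; Item = "$($key.Name)\$name = $data" })
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No listed artifacts found in the searched locations.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so protected directories and service keys are readable; an empty result covers only the locations searched.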

Never click on links in emails from unexpected senders!