Author Topic: ZHELATIN worm  (Read 4838 times)


simsar

  • Guest
ZHELATIN worm
« on: June 07, 2009, 12:28:08 PM »
My system has picked up a worm called Zhelatin (which I think is a Win32 type). When I do a system scan it does not pick it up and states no problems, when I know I am infected. I have checked the Avast database and they have it on their record. Why is it not detecting it and removing it? Can anybody help?

CharleyO

  • Guest
Re: ZHELATIN worm
« Reply #1 on: June 07, 2009, 12:33:43 PM »
***

1 - How do you know your computer has zhelatin?

2 - What are the symptoms that your computer is having?

3 - What is the OS of your computer?

4 - What other security software is on your computer?


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34054
  • malware fighter
Re: ZHELATIN worm
« Reply #2 on: June 07, 2009, 04:50:02 PM »
Hi simsar,

If effectively infected through the Zhelatin worm, here is the description of how you became infected and the manual removal instructions for the various flaws of this malcode:
The most common reason for becoming infected with Zhelatin is a lack of advanced anti-spyware protection.

These are just a few of the ways spyware can infect your PC:

1. P2P (Peer-to-Peer) Networks

P2P networks have become increasingly popular over the years.
As P2P popularity has increased, so have the risks associated with using these networks.
When you install a P2P application or download a file from a P2P network,
it is not uncommon for spyware to be bundled in with the files and the software.

2. Freeware and Shareware

Many computer users discover the hard way that freeware and shareware aren't really free at all.
Many of these "free" applications come bundled with spyware,
which may very well be how the application ended up on your PC.

3. Malicious Websites

Not all websites are innocent.
In fact, some are designed with malicious intent. If you visit one of these websites,
spyware may automatically install on your hard drive without your knowledge or consent.

Now the manual removal routine for the various flaws of Zhelatin is as follows:

Step 1 : Use Windows File Search Tool to Find Email-Worm.Zhelatin.is Path

   1. Go to Start > Search > All Files or Folders.
   2. In the "All or part of the file name" section, type in the "Email-Worm.Zhelatin.is" file name(s).
   3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
   4. When Windows finishes your search, hover over the "In Folder" of "Email-Worm.Zhelatin.is", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Email-Worm.Zhelatin.is in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove Email-Worm.Zhelatin.is Processes

   1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
   2. Click on the "Image Name" button to search for "Email-Worm.Zhelatin.is" process by name.
   3. Select the "Email-Worm.Zhelatin.is" process and click on the "End Process" button to kill it.
   4. Remove the "Email-Worm.Zhelatin.is" process files: nisdisa.exe

Step 3 : Detect and Delete Other Email-Worm.Zhelatin.is Files

   1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
   2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content, including hidden files.
   3. To change directory, type in "cd name_of_the_folder".
   4. Once you have the file you're looking for type in "del name_of_the_file".
   5. To delete a file in folder, type in "del name_of_the_file".
   6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
   7. Select the "Email-Worm.Zhelatin.is" process and click on the "End Process" button to kill it.
   8. Remove the "Email-Worm.Zhelatin.is" process files:
      nisdisa
      nisdisa.exe

   8.b. Locate and delete the following Worm.Zhelatin.GG files:
      ecard[1].exe
      ecard[2].exe

Step 4: Stop Worm.Zhelatin.HS Processes

   1. To open Task Manager, use CTRL+ALT+DEL or CTRL+SHIFT+ESC.

   2. Go to Image Name to find “Worm.Zhelatin.HS” processes by name.

   3. Find and stop the “Worm.Zhelatin.HS” processes listed below.
      sysvcoy.exe
      syscwin.exe

Step 4.b Stop the following Worm.Zhelatin.GG processes:
      ecard[1].exe
      ecard[2].exe

Step 5. Find and Remove Zhelatin registry values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\msserv.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^adirka
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^strkjhk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\bdir\sdflkj4.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^lnwin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^sysrestore32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^SystemSv1221
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^DriveSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^SystemDrive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^kavir
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\kavir.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^fastsmell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\fastsmell.exe

Step 6. Find and Remove Zhelatin registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL
HKEY_CLASSES_ROOT\AppID\{80EF304A-B1C4-425C-8535-95AB6F1EEFB8}
HKEY_CLASSES_ROOT\BHO_MyJavaCore.Mjcore
HKEY_CLASSES_ROOT\BHO_MyJavaCore.Mjcore.1
HKEY_CLASSES_ROOT\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
HKEY_CLASSES_ROOT\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}
HKEY_CLASSES_ROOT\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sysfldr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p

Step 6.b. Find and Stop Zhelatin Processes:

flash postcard.exe


polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
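As an added defender's aid (not part of polonus's post or of Avast): a small Python script that takes the saved text output of `reg query` for the Run keys and the Windows firewall AuthorizedApplications list and flags the value names and executable paths listed in Steps 5 and 6 above. The sample listing inside it is constructed; in practice you would feed it real `reg query` output, and the indicator set covers only the variants named in the post.

```python
import re

# Indicators taken from the Run-key values and firewall AuthorizedApplications
# entries polonus lists above (lower-cased so matching is case-insensitive).
RUN_VALUE_INDICATORS = {n.lower() for n in (
    "adirka", "strkjhk", "kavir", "fastsmell", "lnwin.exe",
    "sysrestore32.exe", "SystemSv1221", "DriveSystem", "SystemDrive")}
FIREWALL_PATH_INDICATORS = {p.lower() for p in (
    r"C:\WINDOWS\msserv.exe", r"C:\WINDOWS\bdir\sdflkj4.exe",
    r"C:\WINDOWS\kavir.exe", r"C:\WINDOWS\fastsmell.exe")}

# `reg query <key>` prints the key path, then one indented line per value:
# "<name>    <REG_type>    <data>", columns separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def scan_reg_query(text):
    """Return (key, value_name, data) for every value matching an indicator."""
    hits, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # a new key header starts here
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        name, _reg_type, data = m.groups()
        if key.lower().endswith(r"\currentversion\run"):
            if name.lower() in RUN_VALUE_INDICATORS:  # persistence value name
                hits.append((key, name, data))
        elif "authorizedapplications" in key.lower():
            if name.lower() in FIREWALL_PATH_INDICATORS:  # exe path as name
                hits.append((key, name, data))
    return hits

# Constructed sample listing (not output from the poster's machine): a benign
# Run entry, one Zhelatin Run entry and one Zhelatin firewall exception.
SAMPLE = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    adirka    REG_SZ    C:\WINDOWS\adirka.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\fastsmell.exe    REG_SZ    C:\WINDOWS\fastsmell.exe:*:Enabled:fastsmell
"""

if __name__ == "__main__":
    for key, name, data in scan_reg_query(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

Run it against `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" > run.txt` style captures from the affected machine; a hit means an entry that should be checked and, if confirmed, removed as in Step 5.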

CharleyO

  • Guest
Re: ZHELATIN worm
« Reply #3 on: June 08, 2009, 02:58:55 AM »
***

Hi Polonus,

Zhelatin worm is also being spread by email.

http://www.f-secure.com/v-descs/email-worm_w32_zhelatin_cq.shtml


***