Author Topic: ZHELATIN worm  (Read 4802 times)

0 Members and 1 Guest are viewing this topic.

simsar

  • Guest
ZHELATIN worm
« on: June 07, 2009, 12:28:08 PM »
My system has picked up a worm called the zhelatin ( which i think is a win32 type) when I do a system scan it does not pick it up and states no problems when I know I am infected. I have checked the avast data base and they have them on there record why is it not detecting it and removing it. can anybody help

CharleyO

  • Guest
Re: ZHELATIN worm
« Reply #1 on: June 07, 2009, 12:33:43 PM »
***

1 - How do you know your computer has zhelatin?

2 - What are the symptoms that your computer is having?

3 - What is the OS of your computer?

4 - What other security software is on your computer?


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33999
  • malware fighter
Re: ZHELATIN worm
« Reply #2 on: June 07, 2009, 04:50:02 PM »
Hi simsar,

If effectively infected through the Zhelatin worm, here the description how you became infected and the manual removal instructions vor the various flaws of this malcode:
The most common reason for becoming infected with Zhelatin is a lack of advanced anti-spyware protection.

These are just a few of the ways spyware can infect your PC:

1. P2P (Peer-to-Peer) Networks

P2P networks have become increasingly popular over the years.
As P2P popularity has increased, so have the risks associated with using these networks.
When you install a P2P application or download a file from a P2P network,
it is not uncommon for spyware to be bundled in with the files and the software.

2. Freeware and Shareware

Many computer users discover the hard way that freeware and shareware aren't really free at all.
Many of these "free" applications come bundled with spyware,
which may very well be how the application ended up on your PC.

3. Malicious Websites

Not all websites are innocent.
In fact, some are designed with malicious intent. If you visit one of these websites,
spyware may automatically install on your hard drive without your knowledge or consent.

Now the manual removal routine for the various flaws of Zhelatin are as follows:

Step 1 : Use Windows File Search Tool to Find Email-Worm.Zhelatin.is Path

   1. Go to Start > Search > All Files or Folders.
   2. In the "All or part of the the file name" section, type in "Email-Worm.Zhelatin.is" file name(s).
   3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
   4. When Windows finishes your search, hover over the "In Folder" of "Email-Worm.Zhelatin.is", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Email-Worm.Zhelatin.is in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove Email-Worm.Zhelatin.is Processes

   1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
   2. Click on the "Image Name" button to search for "Email-Worm.Zhelatin.is" process by name.
   3. Select the "Email-Worm.Zhelatin.is" process and click on the "End Process" button to kill it.
   4. Remove the "Email-Worm.Zhelatin.is" processes files: nisdisa.exe

Step 3 : Detect and Delete Other Email-Worm.Zhelatin.is Files

   1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
   2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files.
   3. To change directory, type in "cd name_of_the_folder".
   4. Once you have the file you're looking for type in "del name_of_the_file".
   5. To delete a file in folder, type in "del name_of_the_file".
   6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
   7. Select the "Email-Worm.Zhelatin.is" process and click on the "End Process" button to kill it.
   8. Remove the "Email-Worm.Zhelatin.is" processes files: nisdisa                                                     
                                                                              nisdisa.exe

   8.b. Locate and delete the following Worm.Zhelatin.GG files:
      ecard[1].exe
      ecard[2].exe

Step 4: Stop Worm.Zhelatin.HS Processes

   1. To open Task Manager, use CTRL+ALT+DEL or CTRL+SHIFT+ESC.

   2. Go to Image Name to find “Worm.Zhelatin.HS” processes by name.

   3. Find and stop the “Worm.Zhelatin.HS” processes listed below.
      sysvcoy.exe
      syscwin.exe

Step 4.b Stop the following Worm.Zhelatin.GG processes:
      ecard[1].exe
      ecard[2].exe

Step 5. Find and Remove Zhelatin registry values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\msserv.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^adirka
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^strkjhk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\bdir\sdflkj4.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^lnwin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^sysrestore32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^SystemSv1221
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^DriveSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@^SystemDrive
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^kavir
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\kavir.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run@^fastsmell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List@^C:\WINDOWS\fastsmell.exe

Step 6. Find and Remove Zhelatin registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL
HKEY_CLASSES_ROOT\AppID\{80EF304A-B1C4-425C-8535-95AB6F1EEFB8}
HKEY_CLASSES_ROOT\BHO_MyJavaCore.Mjcore
HKEY_CLASSES_ROOT\BHO_MyJavaCore.Mjcore.1
HKEY_CLASSES_ROOT\CLSID\{D88E1558-7C2D-407A-953A-C044F5607CEA}
HKEY_CLASSES_ROOT\Interface\{17E44256-51E0-4D46-A0C8-44E80AB4BA5B}
HKEY_CLASSES_ROOT\TypeLib\{E0F01490-DCF3-4357-95AA-169A8C2B2190}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sysfldr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p

Stepm 6.b. Find and Stop Zhelatin Processes:

flash postcard.exe


polonus




Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO

  • Guest
Re: ZHELATIN worm
« Reply #3 on: June 08, 2009, 02:58:55 AM »
***

Hi Polonus,

Zhelatin worm is also being spread by email.

http://www.f-secure.com/v-descs/email-worm_w32_zhelatin_cq.shtml


***