According to McAfee.com, this is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Also Known As
PWS-Mmorpg!tz
Win32:BHO-ACI [Trj]
Generic19.BQGM (Trojan horse)
TR/BHO.Gen
HEUR:Trojan.Win32.Generic
Generic.Onlinegames.17.2D78E58F
Trojan.DownLoader.origin
W32/FakeGame.A.gen!Eldorado
W32/BHO.NZI!tr
Trojan:Win32/BHO.CV
Trojan.Gen
Win32/BHO.NZI trojan (variant)
New unknown virus W32/Obfuscated.DR!genr
Trj/Lineage.LOE
Trojan.Win32.Generic.124EA8B7
Troj/Darbyen-A
TROJ_BHO.SMA
Trojan.Onlinegames!YAPUTiAk1+c (trojan)
Stopping the Generic19.BQGM (Trojan horse) Virus
Stopping the Generic19.BQGM (Trojan horse) virus from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. Therefore, a process that the virus tries to start will be denied before it has a chance to infect your system.
Process Lock is not just a process blocker, but it is also a computer monitoring solution. Process Lock has the ability to record computer sessions, block specific programs, watch children and spouse activity and so much more. Check out their site at http://www.cloudteksoftware.com/software.html
Removing the Generic19.BQGM (Trojan horse) Virus
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.
To thoroughly clean a computer, it is best to run a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner.
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Wednesday, May 18, 2011
Thursday, May 12, 2011
Win32/Kryptik.NBQ trojan (variant)
This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Also Known As
Win32:Renosa-D
TR/Kazy.20990.8
Trojan.Win32.FakeAv.cufv
Gen:Variant.Kazy.20990
Trojan.Fakealert.20509
W32/FakeAV.BTQ!tr
rogue:win32/fakerean
Trojan.Fakeav
Win32/Kryptik.NBQ trojan (variant)
Mal/FakeAV-JR
Stopping the Win32/Kryptik.NBQ trojan (variant) Virus
Stopping the Win32/Kryptik.NBQ trojan (variant) virus from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. Therefore, a process that the virus tries to start will be denied before it has a chance to infect your system.
Process Lock is not just a process blocker, but it is also a computer monitoring solution. Process Lock has the ability to record computer sessions, block specific programs, watch children and spouse activity and so much more. Check out their site at http://www.cloudteksoftware.com/software.html
Removing the Win32/Kryptik.NBQ trojan (variant) Virus
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.
To thoroughly clean a computer, it is best to run a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner.
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Wednesday, May 11, 2011
BackDoor-CEP.gen.cq Virus Removal / Precautions
According to McAfee.com, this is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Also Known As
Rootkit-Pakes.BF (Trojan horse)
TR/Koutodoor.psa
HEUR:Trojan.Win32.Generic
Gen:Variant.Koutodoor.15
Trojan.Dropper-27717
Trojan.MulDrop.origin
W32/Koutodoor.N.gen!Eldorado
W32/Koutodoor.KWD!tr.bdr
Trojan:Win32/Koutodoor.E
Trojan.Koutodoor
Win32/Koutodoor.HM trojan (variant)
W32/Koutodoor.CUS.dropper
Trj/CI.A
Trojan.Win32.Generic.127F033C
Troj/Kouto-D
TROJ_DLOADR.SMOM
Backdoor.Koutodoor.odu
What It Attempts To Do
- Attempts to connect to a high risk domain that could pose a security risk.
- Attempts to write to a memory location of a Windows system process.
- Enumerates many system files and directories.
- Adds or modifies Internet Explorer cookies
Stopping the BackDoor-CEP.gen.cq Virus
Stopping the BackDoor-CEP.gen.cq virus from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. Therefore, a process that the virus tries to start will be denied before it has a chance to infect your system.
Process Lock is not just a process blocker, but it is also a computer monitoring solution. Process Lock has the ability to record computer sessions, block specific programs, watch children and spouse activity and so much more. Check out their site at http://www.cloudteksoftware.com/software.html
Removing the BackDoor-CEP.gen.cq Virus
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.
To thoroughly clean a computer, it is best to run a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner.
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Tuesday, May 10, 2011
Generic.bfr!ca!3E1EC7FCD90F Virus Removal / Precautions
According to McAfee.com, this is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Also Known As:
Trojan-Dropper.Win32.Agent.airs
Gen:Variant.Kazy.658
W32/Bredolab.O.gen!Eldorado
w32/obfuscated.c1!genr
Worm.Rebhip.Gen.2
Stopping the Generic.bfr!ca!3E1EC7FCD90F Virus
Stopping the Generic.bfr!ca!3E1EC7FCD90F virus from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. Therefore, a process that the virus tries to start will be denied before it has a chance to infect your system.
Process Lock is not just a process blocker, but it is also a computer monitoring solution. Process Lock has the ability to record computer sessions, block specific programs, watch children and spouse activity and so much more. Check out their site at http://www.cloudteksoftware.com/software.html
Removing the Generic.bfr!ca!3E1EC7FCD90F Virus
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.
To thoroughly clean a computer, it is best to run a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner.
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Clean This / CleanThis Virus Removal / Precautions
Clean This, also known as the CleanThis virus, is believed to be another variant of the widespread rogue application called Think Point. Clean This is presented as a real anti-virus application on web sites created to promote it. An associated Trojan is also spread beforehand to infect web sites and set them up to automatically run a virus scan on a visitor's computer. This online scan reports fake detections and advises users to download and install a copy of the Clean This program. Unsuspecting users may not easily identify it as a threat because it pretends to care for the system and has a pleasant graphical user interface. Above all, it may pass itself off as part of the Windows operating system.
Victims may find the PC hard to use once the Clean This virus starts to display excessive alerts and taskbar warning messages. It also blocks programs from running and declares that the file is infected. A prompt advising the user to clean the computer pops up constantly; if it is followed, a new browser window opens and suggests buying a registration key for Clean This by paying with a credit card. Don't be deceived by this rogue application; start scanning the computer with the recommended security application below. It is known to remove any form of malicious software, including the Clean This virus.
Stopping the Clean This / CleanThis Virus
Stopping the Clean This / CleanThis virus from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. Therefore, a process that the virus tries to start will be denied before it has a chance to infect your system.
Process Lock is not just a process blocker, but it is also a computer monitoring solution. Process Lock has the ability to record computer sessions, block specific programs, watch children and spouse activity and so much more. Check out their site at http://www.cloudteksoftware.com/software.html
Removing the Clean This / CleanThis Virus
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.
To thoroughly clean a computer, it is best to run a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner.
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Win 7 Internet Security 2011 Removal / Precautions
Win 7 Internet Security 2011 is considered a member of the rogue anti-virus program family because a Trojan was found to be used to spread it to computers connected to the Internet. The Win 7 Internet Security 2011 virus may enter the computer by exploiting security weaknesses, and it can install itself without the user's permission. Once inside the system, Win 7 Internet Security 2011 causes several annoyances, including the frequent display of forged warning messages that try to make users believe the computer is infected. A fake virus scan also claims that system files are infected and advises users to remove them immediately.
Before any of the reported threats can be removed from the system, Win 7 Internet Security 2011 tells users to obtain the registered version first. This is done through pop-ups and taskbar alerts. Additionally, Internet browsers are redirected to an online payment processing web site that pushes users to give out credit card information to purchase the full version of the rogue application. Remove Win 7 Internet Security 2011 and other computer threats and viruses only with a legitimate application. Paying for a useless program will not help resolve computer issues.
Also Known As: XP Internet Security 2011, Vista Internet Security 2011
Known To Affect: Windows 9x, 2000, XP, Vista, Windows 7
Stopping the Win 7 Internet Security 2011 Virus
Stopping the Win 7 Internet Security 2011 virus from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. Therefore, a process that the virus tries to start will be denied before it has a chance to infect your system.
Process Lock is not just a process blocker, but it is also a computer monitoring solution. Process Lock has the ability to record computer sessions, block specific programs, watch children and spouse activity and so much more. Check out their site at http://www.cloudteksoftware.com/software.html
Win 7 Internet Security 2011 Removal Procedures
In order to completely remove the threat from a computer, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer.
To thoroughly clean a computer, it is best to run a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner.
A free removal tool from Norton Antivirus was developed to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Win32/Zafi.B Worm Removal / Precautions
W32/Zafi-B is a peer-to-peer (P2P) and email worm that will copy itself to the Windows system folder as a randomly named EXE file. This worm will test for the presence of an internet connection by attempting to connect to www.google.com or www.microsoft.com.
W32/Zafi-B collects email addresses from files which have the following extensions:
HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML and PMR.
The worm stores the collected email addresses in randomly named files with a DLL extension in the Windows system folder. W32/Zafi-B attempts to include itself as an attachment in email messages sent to addresses collected from the local machine.
The worm will also copy itself into shared P2P folders as either 'WINAMP 7.0 FULL_INSTALL.EXE' or 'TOTAL COMMANDER 7.0 FULL_INSTALL.EXE'.
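The file artifacts described above can be checked for during triage. The following is an added example, not part of the original post or any vendor tool: it walks a folder and flags the two decoy installer names, plus files with a DLL extension that are not real executables and hold e-mail addresses. It assumes the harvested addresses are stored as readable text, which the page does not state; the function names, the `min_addresses` threshold and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Decoy names the page lists for copies dropped into shared P2P folders.
DECOY_NAMES = {
    "WINAMP 7.0 FULL_INSTALL.EXE",
    "TOTAL COMMANDER 7.0 FULL_INSTALL.EXE",
}

# E-mail-like byte strings (assumption: the store keeps them readable).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_pe(path):
    """A genuine DLL or EXE starts with the two-byte DOS magic 'MZ'."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def count_addresses(path, limit=1 << 20):
    """Count e-mail-like strings in the first `limit` bytes of a file."""
    with open(path, "rb") as fh:
        return len(EMAIL_RE.findall(fh.read(limit)))


def triage(root, min_addresses=3):
    """Walk `root` and return a sorted list of (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name.upper() in DECOY_NAMES:
                    # File-sharing clients differ in case handling, so
                    # the comparison is case-insensitive.
                    findings.append(("decoy-name", path))
                elif name.lower().endswith(".dll") and not is_pe(path):
                    # A ".dll" that is not an executable but is full of
                    # addresses matches the described address store.
                    if count_addresses(path) >= min_addresses:
                        findings.append(("address-store", path))
            except OSError:
                # Locked or unreadable files are reported for manual
                # review rather than silently skipped.
                findings.append(("unreadable", path))
    return sorted(findings)


def demo():
    """Run triage over a constructed sample tree; return relative paths."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            # Constructed stand-ins, not real malware or real addresses.
            "shared/Winamp 7.0 Full_Install.exe": b"MZ\x90\x00",
            "shared/holiday.jpg": b"\xff\xd8\xff\xe0",
            "system/qkzvhtrw.dll": (
                b"alice@example.com\r\nbob@example.org\r\n"
                b"carol@example.net\r\n"
            ),
            "system/legit.dll": b"MZ\x90\x00 a@example.com b@example.com",
            "system/notes.dll": b"no addresses here",
        }
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return [
            (reason, os.path.relpath(path, root).replace(os.sep, "/"))
            for reason, path in triage(root)
        ]


if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason:14} {rel}")
```

A hit is only a lead for the scanners and removal tools the post recommends; the worm's randomly named EXE copy in the Windows system folder has no fixed name and is not covered by this check.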
Stopping the Win32/Zafi.B Worm
Stopping the Win32/Zafi.B worm from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. Therefore, a process that the virus tries to start will be denied before it has a chance to infect your system.
Process Lock is not just a process blocker, but it is also a computer monitoring solution. Process Lock has the ability to record computer sessions, block specific programs, watch children and spouse activity and so much more. Check out their site at http://www.cloudteksoftware.com/software.html
Removing the Win32/Zafi.B Worm
All antivirus vendors had protection for the Zafi.B worm with their latest updates. Symantec has a removal tool, and you could also use these free online scanners: Trend Micro's free online scanner, HouseCall; McAfee's Stinger tool; or Panda Software's ActiveScan. F-Secure has a removal tool available in several formats.
Because Zafi.B may disable or overwrite existing antivirus products on infected machines, users may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it when your system is free of Zafi.
The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you're not familiar with the Registry editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, you should be aware that the backup you make contains entries associated with Zafi.B. Since the files are deleted, you may get errors if you restore from the backup at a future date. Once your system has been cleaned, and is operating properly, you may want to delete the backup that has Zafi.B entries in it.
1. Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows creates a restore point. If it does this while the system is infected, the infection may come back later from that restore point.
2. Restart the computer in Safe Mode. Since the Zafi.B worm creates running processes, and Windows doesn't allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and auto run entries so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit which is required below.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
4. Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (depends on scanner). The files will be copies of the worm stored in the Windows system folder and shared folders mentioned above. You should set your antivirus to delete them. If not, delete them manually.
5. Make a backup of the registry before you edit. Delete the Run entries associated with Zafi.B from the registry. These will be:
7. Re-enable System Restore, reboot machine.
8. Re-scan to be sure all files are clean.
W32/Zafi-B collects email addresses from files which have the following extensions:
HTM, WAB, TXT, DBX, TBB, ASP, PHP, SHT, ADB, MBX, EML and PMR.
The worm stores the collected email addresses in randomly named files with a DLL extension in the Windows system folder. W32/Zafi-B attempts to include itself as an attachment in email messages sent to addresses collected from the local machine.
The worm will also copy itself into shared P2P folders as either 'WINAMP 7.0 FULL_INSTALL.EXE' or 'TOTAL COMMANDER 7.0 FULL_INSTALL.EXE'.
Stopping the Win32/Zafi.B Worm
Stopping the Win32/Zafi.B worm from starting up is the best way to avoid being infected. Process Lock is a program that stops programs from running if they have not been authorized by the management client. Process Lock monitors all active processes and reports what is running. What makes it easy is a feature called "Kill All Not Acknowledged", which lets you set what is allowed to run and what is not. A process that the virus tries to start will therefore be denied before it has a chance to infect your system.
Removing the Win32/Zafi.B Worm
All antivirus vendors had protection for the Zafi.B worm with their latest updates. Symantec has a removal tool, and you could also use these free online scanners: Trend Micro's Housecall, McAfee's Stinger tool, or Panda Software's ActiveScan. F-Secure has a removal tool available in several formats.
Because Zafi.B may disable or overwrite existing antivirus products on infected machines, users may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it when your system is free of Zafi.
The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you're not familiar with the Registry editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, you should be aware that the backup you make contains entries associated with Zafi.B. Since the files are deleted, you may get errors if you restore from the backup at a future date. Once your system has been cleaned, and is operating properly, you may want to delete the backup that has Zafi.B entries in it.
1. Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows creates a restoration checkpoint. If it does this while the system is infected, the worm may be restored from that checkpoint and re-infect the system later.
2. Restart the computer in Safe Mode. Restarting is necessary because the Zafi.B worm creates running processes, and Windows doesn't allow you to delete files connected with running processes. Safe Mode prevents Windows from loading drivers and autorun entries, so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit, which is required below.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
4. Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (depends on scanner). The files will be copies of the worm stored in the Windows system folder and shared folders mentioned above. You should set your antivirus to delete them. If not, delete them manually.
5. Make a backup of the registry before you edit. Delete the Run entries associated with Zafi.B from the registry. These will be:
- Find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the key: "_Hazafibb"="%system%\.exe"
- Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb and delete the key
7. Re-enable System Restore and reboot the machine.
8. Re-scan to be sure all files are clean.
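The caution above, that a registry backup made before cleaning still holds Zafi.B entries, can be checked directly. This added example (not part of the original post) scans the text of a .reg export for the `_Hazafibb` Run value and key named in step 5, and a folder listing for the two P2P file names; the function names and the sample export, including its placeholder .exe name, are constructed for illustration.

```python
import re

# Indicators taken from the removal steps and worm description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb"
RUN_VALUE = "_Hazafibb"
P2P_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}

SECTION = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Key\Path]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=')     # "ValueName"=...

# Constructed sample export; the .exe name is a placeholder, not from the page.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"_Hazafibb"="C:\\WINDOWS\\system32\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
'''

def read_reg_file(path):
    """Regedit 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def scan_reg_export(text):
    """Return (kind, detail) findings for Zafi.B entries in a .reg export."""
    findings, current = [], None
    worm = WORM_KEY.lower()
    for line in (l.strip() for l in text.splitlines()):
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            # Registry key names are case-insensitive; subkeys count too.
            if current.lower() == worm or current.lower().startswith(worm + "\\"):
                findings.append(("key", current))
            continue
        value = VALUE.match(line)
        if value and current and current.lower() == RUN_KEY.lower():
            if value.group(1).lower() == RUN_VALUE.lower():
                findings.append(("run-value", line))
    return findings

def find_p2p_copies(filenames):
    """Return names matching the worm's P2P copies (Windows names ignore case)."""
    return [n for n in filenames if n.lower() in P2P_NAMES]
```

An empty result from `scan_reg_export(read_reg_file(path))` means the backup no longer carries the two registry entries listed in step 5; it says nothing about the worm's files on disk, which the re-scan in step 8 covers.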