Worm

Page 1: Worm

Worm.Autoit.ADEC Removal Instruction (Free online spyware scan)

Worm.Autoit.ADEC is a malicious Windows program that may occupy system resources and slow down the computer. Some such programs frequently pop up advertising messages that interrupt the user; more severe ones may destroy the data on the computer. The following are instructions on how to manually remove this kind of malicious spyware program.

The Major Damages of Computer Threats:

1. The breakout of PC threats can directly destroy computer data. When breaking out, PC threats can destroy important computer data by formatting the hard disk, changing the file allocation table and directory section, deleting essential files or overwriting your files with useless junk data, as well as ruining the CMOS settings.

2. Occupy hard disk space illegally. Once sneaking into your computer, threats that are parasitic on the hard disk always take up part of the disk space.

3. Take up system resources. Except for some PC threats such as VIENNA and CASPER, other threats usually stay resident in RAM. This takes up part of the system resources and eventually affects how your PC runs. For example, some programs installed on your PC may not launch as usual because less memory is available. Besides, PC threats may also occupy interrupts to disturb your system, as most functions of an operating system are realized through interrupt transfer. In order to infect and break out, PC threats usually change the associated interrupt addresses by adding malicious code, which results in the abnormal running of the system.

4. Gravely affect your computer's running speed. Once it intrudes into system memory, a PC threat will not only affect your system's operation but also make your PC run like a crawl and finally grind to a halt.

How to Remove Worm.Autoit.ADEC Manually?

1. Remove the registry entries hidden by Worm.Autoit.ADEC. If you notice that the programs on your computer are running abnormally, check the following entries in the Registry and directly delete the spyware-related registry entries if found.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value Startup="C:\windows\start menu\programs\startup"

2. The "Worm.Autoit.ADEC" malicious program may also be loaded from the "run=" and "load=" lines of the system WIN.INI file, so these lines must be checked carefully.

3. Clean up the "IE Temporary Files folder", where the original carrier of the spyware threat is likely stored.
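As an added example (not part of the original instructions or of SpyDig), the following Python script triages a `reg export` of the autorun keys listed above. It flags entries that reference the dropper file names, service names and CLSID given in the Alman and OnLineGames descriptions further down this page, entries launched from a temp directory, and entries whose target has a non-executable extension. The sample export is constructed for illustration: the key paths and indicator names come from the page, while the `SecurityHealth`, `OneDrive`, `Loader` and `Viewer` values are made up.

```python
import re
from collections import OrderedDict

# Autorun locations named in the manual-removal instructions (lower-cased for matching).
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)}
SERVICES_ROOT = r"hkey_local_machine\system\currentcontrolset\services"
# Indicators taken from the Alman / OnLineGames descriptions on this page.
DROPPED_FILES = {"linkinfo.dll", "dkis6.sys", "riodrvs.sys", "isdrv118.sys", "nvmini.sys",
                 "deamon.dll", "c_126.nls", "ins.exe", "css.jpg", "wow.jpg"}
SERVICE_NAMES = {"riodrvs", "dlan"}
ALMAN_CLSID = "{c111980d-b372-44b4-8095-1b6060e8c647}"
EXECUTABLE_EXT = {"exe", "com", "scr", "bat", "cmd", "dll", "sys"}

# Constructed sample export: key paths and indicator names come from the page,
# every other value (SecurityHealth, OneDrive, Loader, Viewer) is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"Updater"="C:\\Windows\\Temp\\css.jpg"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Loader"="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"
"Viewer"="C:\\Users\\alice\\Pictures\\holiday.jpg"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs]
"DisplayName"="RioDrvs Usb Driver"
"ImagePath"="system32\\Drivers\\RioDrvs.sys"

[HKEY_CLASSES_ROOT\CLSID\{C111980D-B372-44b4-8095-1B6060E8C647}]
@="C:\\Windows\\Temp\\wow.jpg"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; string data is unescaped."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = OrderedDict()
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping of \\ and \"
        keys[current][name] = data
    return keys


def image_path(command):
    """Best-effort extraction of the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.+?\.[A-Za-z0-9]{2,4})(?:\s|$)", command)
    return m.group(1) if m else command.split(" ")[0]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_reg_export(text):
    """Return (key, value_name, reason) for every entry that deserves a closer look."""
    findings = []
    for key, values in parse_reg_export(text).items():
        key_l = key.lower()
        if ALMAN_CLSID in key_l:
            findings.append((key, "", "CLSID registered by Virus.Win32.Alman.a"))
        if key_l.startswith(SERVICES_ROOT + "\\"):
            service = key_l[len(SERVICES_ROOT) + 1:].split("\\")[0]
            if service in SERVICE_NAMES:
                findings.append((key, "", "service name used by Alman"))
            if basename(image_path(values.get("ImagePath", ""))) in DROPPED_FILES:
                findings.append((key, "ImagePath", "driver file dropped by Alman"))
        if key_l in AUTORUN_KEYS:
            for name, command in values.items():
                path = image_path(command)
                base = basename(path)
                ext = base.rsplit(".", 1)[-1] if "." in base else ""
                if base in DROPPED_FILES:
                    reason = "file name dropped by Alman / OnLineGames"
                elif "\\temp\\" in path.lower():
                    reason = "autorun entry launched from a temp directory"
                elif ext not in EXECUTABLE_EXT:
                    reason = "autorun entry with a non-executable extension"
                else:
                    continue
                findings.append((key, name, reason))
    return findings


if __name__ == "__main__":
    for key, name, reason in triage_reg_export(SAMPLE_REG_EXPORT):
        print("%-14s %s  [%s]" % (name or "(key)", key, reason))
```

On a real host the export would be produced with `reg export` of each key and fed to `triage_reg_export`; the findings are a starting point for manual review, not a verdict, since a legitimate installer can also launch from a temp directory.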

How to Remove Worm.Autoit.ADEC Instantly?

First you need to download and install SpyDig. (Free online spyware scan)

Run SpyDig and scan your system.

If the threat "Worm.Autoit.ADEC" is detected, click "Remove" to delete this malicious item.

If the malicious program has not been completely removed, please process the threat removal in Safe Mode.

If the threat cannot be removed by the method above, please run the Analysis function of SpyDig and send us the Analysis Report. Our technicians at the SpyDig Security Center will analyze your report and provide you with a proper solution.

Ways to Get Rid of Worm.Autoit.ADEC

Manually remove Worm.Autoit.ADEC with step-by-step instructions.

Download SpyDig to automatically remove Worm.Autoit.ADEC.

You can download the award-winning anti-malware software SpyDig to easily remove Worm.Autoit.ADEC. Want to know why I dig SpyDig? Read my review.

How to Remove the Win32 Heur Virus

June 12th, 2010, admin

Win32 Heur Virus is a dangerous Trojan worm that can infect your computer via a number of different methods, including visiting questionable websites and clicking on advertisements, peer to peer software sharing and downloading, as well as downloading shareware and freeware programs.

After the malicious software installs itself on your computer, it can then download additional spyware and malware, bombard your computer with popups, and slow it down to a crawl.

But that is not the worst of it.

The main goal of Trojans such as the Win32 Heur Virus is to gain access to your personal information such as passwords, bank accounts, and credit cards and send that information to the cyber hacker on the back end who wrote the software so that he can steal your identity.

This is exactly why 9 million people become victims of identity theft every year in the United States alone.

All of this being said, it is imperative that you take the necessary steps to remove the Win32 Heur Virus immediately and then protect your computer from being infected again.

Unfortunately, because of its hybrid nature (it exhibits characteristics of both a virus and spyware), Win32 Heur Virus removal has proven to be nearly impossible. However, with the recent release of a sophisticated removal tool that can detect and remove both viruses and spyware as well as provide real-time protection from active threats, that has changed.

And the software is so easy to use, all that you need to do is allow it to run a full scan of your computer to detect all malicious software – viruses, adware, and spyware – and when the scan is finished you tell it to remove all the threats with one simple mouse click.

On top of that, the tool will also automatically begin monitoring your computer for threats with its sophisticated real time protection agent and will block all future malware infection attempts at the source before they get a chance to infect your computer.

http://www.spywarecuretips.com/win32-heur-virus-removal-show-me-how-to-remove-the-win32-heur-virus/

What is the Win32-Heur Virus?

The Win32-Heur Virus is a lethal computer virus which can infect your computer without you knowing that anything has happened. This virus is capable of changing between various different forms, which makes it difficult to detect. It's a Trojan horse virus and often infects computers through file sharing applications.

The Win32-Heur virus affects computers in a number of different ways. You might be redirected to strange and untrusted websites. You might also notice that your internet is very slow or that your browser closes by itself. Some users may have their desktop wallpaper change automatically.

If you get this virus on your computer then it can be very scary, mainly because it could potentially expose your personal information. All of your information is recorded, including which sites you visit on the internet. This means that it can display suitable popup ads.

Getting Rid of the Win32-Heur Virus

If you suspect you are suffering from the Win32 Heur virus then it is important you get rid of it as quickly as possible. You should use antivirus, antispyware and registry cleaning software to do this. The antivirus application can scan your computer's hard drive, identifying threats and helping to remove them.

A registry cleaner will also help to clear out all traces of the virus so that it doesn't re-emerge on your computer. The registry is a very important component of your computer and you need to look after it well. A registry scanner should also optimize your computer and make it work much quicker.

There are also individual Win32-Heur virus removal tools, just in case your virus scanner can't detect this threat. These are normally available from the leading antivirus companies. If you do use these then ensure they are from a trustworthy site.

If you don't already have a virus scanner on your computer then it is essential you get one straight away. You also need to make sure that your virus scanner and operating system are updated on a regular basis. Run Windows Update to close any security holes in your operating system.

Learn To Remove Win32 Heur Virus From Your CPU

Computer infected with a virus? People often ask me what is Win32 Heur? Win32 Heur or Win32/Heur is actually a deadly trojan virus that releases a firestorm of malicious activity throughout your computer. If you have come under the attack of this virus then you need to remove Win32 Heur as soon as possible.

A trojan virus is a malicious file or program that gets onto your system by pretending to be benign or desirable. These can be acquired several ways. Among them are:

• Through online P2P networks. Be very careful when downloading files from programs like Bearshare and Limewire. Try to avoid any exe files and video codec installers. These are the most frequent methods of infection.

• Installing any free or low cost programs and applications. Very often these programs are free for a reason. They come bundled with spyware, adware, and viruses. Always perform a quick scan of your computer after installing new software off the net.

• Visiting a website that had planted viruses or browser hijackers that forcibly infected your computer. You are probably well aware of this problem, as a bunch of pop-ups appear and your browser is redirected. Without excellent real-time virus and spyware protection, malware like the Win32 Heur virus can sneak onto your system.

Once your computer is infected, viruses can do a couple of dangerous things that can cause a lot of damage. First they use spyware and keyloggers to record private information like passwords, credit card, and bank account numbers. This is why identity fraud is the fastest growing crime on the internet. Don’t allow yourself to become the next victim.

The other dangerous side effect is the corruption of your registry and the possible collapse of your computer. The virus can inhabit your registry and alter vital system files. This can cause computer crashes, the Windows blue screen, and other malfunctions. It could cost hundreds or even thousands to get it repaired or buy a new system.

In order to remove the virus you need a Win32 Heur removal program. Fortunately I have found one that can not only remove Win32 but also provide real time protection to protect you against future threats. Scan your computer for free below!

Want to squash those annoying pop up ads and get your PC running like new? Come get your free scan at Spyware Fix and eliminate spyware and viruses today!


Jim Marshall is an expert computer technician with fifteen years of experience in the industry. Since his own computer was destroyed by malicious software, he has been studying anti-spyware, adware, and malware systems for years.

http://www.spyware-fix.net

http://tech-seeker.com/blog/learn-to-remove-win32-heur-virus-from-your-cpu/

Virus.Win32.Alman.a

RISK LEVEL: 2

This virus infects Windows executable files. It is a Windows PE EXE file.

Installation

When launching, the virus extracts the following files from its body:

%WinDir%\AppPatch\deamon.dll – this file is 3 072 bytes in size;
%WinDir%\c_126.nls – this file is 31 744 bytes in size.

It creates the following registry key:

[HKCR\CLSID\{C111980D-B372-44b4-8095-1B6060E8C647}]

which contains a link to the virus executable file.

The virus infects all write-accessible Windows executable files (PE-EXE) on all disks on the victim computer and in accessible network folders. The virus does not infect files with the following names:

wooolcfg.exe
woool.exe
ztconfig.exe
patchupdate.exe
trojankiller.exe
xy2player.exe
flyff.exe
xy2.exe
au_unins_web.exe
cabal.exe
cabalmain9x.exe
cabalmain.exe
meteor.exe
patcher.exe
mjonline.exe
config.exe
zuonline.exe
userpic.exe
main.exe
dk2.exe
autoupdate.exe
dbfsupdate.exe
asktao.exe
sealspeed.exe
xlqy2.exe
game.exe
wb-service.exe
nbt-dragonraja2006.exe
dragonraja.exe
mhclient-connect.exe
hs.exe
mts.exe
gc.exe
zfs.exe
neuz.exe
maplestory.exe
nsstarter.exe
nmcosrv.exe
ca.exe
nmservice.exe
kartrider.exe
audition.exe
zhengtu.exe

The virus writes its executable file to the beginning of the file being infected, displacing the original contents of the file downwards.

In order to infect files located in network folders, the virus attempts to connect to remote machines using the Administrator account and one of the following passwords:

zxcv
qazwsx
qaz
qwer
!@#$%^&*()
!@#$%^&*(
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdf
asdfgh
!@#$
654321
123456
12345
1234
123
111

The virus also sends information to the remote malicious user's site about the amount of free space on the C disk, the operating system and Internet Explorer versions on the victim machine, and about the presence of drivers in the system which have one of the names listed below:

Hooksys
KWatch3
KregEx
KLPF
NaiAvFilter1
NAVAP
AVGNTMGR
AvgTdi
nod32drv
PavProtect
TMFilter
BDFsDrv
VETFDDNT

This information is sent in the following request to the remote malicious user's site:

http://****mrw0rldwide.com/co.asp?action=post&HD=<amount of free space>&OT=<operating system version>&IV=<version of Internet Explorer>&AV=<installed drivers>

The virus also gets a list of files to be downloaded from the following link:

http://****mrw0rldwide.com/z.dat

It then downloads files from the list, saves them to the Windows temporary directory and launches them for execution.

At the time of writing, the virus downloaded files from the following links:

http://down****net/css.jpg
http://down****net/wow.jpg

and saved them as shown below:

%Temp%\css.jpg – this file is 62 792 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.OnLineGames.afd;

%Temp%\wow.jpg – this file is 40 241 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-PSW.Win32.WOW.sv.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the malicious process.
2. Delete the original virus file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following parameter from the system registry (see "What is a system registry and how do I use it" for details on how to edit the registry):
[HKCR\CLSID\{C111980D-B372-44b4-8095-1B6060E8C647}]
4. Delete the following files:
%WinDir%\AppPatch\deamon.dll
%WinDir%\c_126.nls
%Temp%\css.jpg
%Temp%\wow.jpg
5. Delete all copies of the virus from the hard disk.
6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Printed from: http://www.viruslist.com/en/viruses/encyclopedia?virusid=156642

Summary

A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Details

Process Changes

Creates these mutexes:

  • __DL5EX__
  • __DL_CORE_MUTEX__
  • ACPI#PNP0D0D#1#Amd_DL5

Registry Modifications

Creates these keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RioDrvs
    DisplayName = "RioDrvs Usb Driver"
    ImagePath = "system32\Drivers\RioDrvs.sys"

Additional Details

Virus:W32/Alman.A infects all executable files in the system. The virus propagates over a network. It also has rootkit capabilities and is capable of contacting a remote server to forward information about the infected system.

A later variant of this virus, Virus:W32/Alman.B, is also in the wild.


Variants of this family may be detected by the Generic Detection, Virus:W32/Alman.gen!A.

Infection

Alman.A infects all .EXE files in the affected system. It appends its code to the target file and sets this as an additional code section. It searches for files to infect in all fixed, shared, and removable drives.

It skips infecting files located in the following directories:

  • Local Settings\Temp
  • Windows
  • WinNT

It also skips infecting files matching the following names:

  • 大话西游.exe
  • asktao.exe
  • au_unins_web.exe
  • audition.exe
  • autoupdate.exe
  • ca.exe
  • cabal.exe
  • cabalmain.exe
  • cabalmain9x.exe
  • config.exe
  • dbfsupdate.exe
  • dk2.exe
  • dragonraja.exe
  • flyff.exe
  • game.exe
  • gc.exe
  • hs.exe
  • kartrider.exe
  • main.exe
  • maplestory.exe
  • meteor.exe
  • mhclient-connect.exe
  • mjonline.exe
  • mts.exe
  • nbt-dragonraja2006.exe
  • neuz.exe
  • nmcosrv.exe
  • nmservice.exe
  • nsstarter.exe
  • patcher.exe
  • patchupdate.exe
  • sealspeed.exe
  • trojankiller.exe
  • userpic.exe
  • wb-service.exe
  • woool.exe
  • wooolcfg.exe
  • xlqy2.exe
  • xy2.exe
  • xy2player.exe
  • zfs.exe
  • zhengtu.exe
  • ztconfig.exe
  • zuonline.exe
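The infection mechanism F-Secure describes above (the virus appends its code to the target as an additional section and the entry point moves into it) suggests a simple integrity heuristic for executables. The following Python is an added example, not code from F-Secure or Kaspersky: it parses the PE section table and reports when the entry point lies in the last section or when that last section is both writable and executable. The two images it checks are constructed in memory by `build_pe`, a helper written for this example; the `.added` section name is arbitrary. `scan_file` applies the same check to a file on disk.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(n_sections):
        (name, vsize, rva, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HDR, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "rva": rva, "size": max(vsize, raw_size), "chars": chars})
    return entry, sections


def appended_code_findings(data):
    """Heuristics for an appended executable section that has taken over the entry point."""
    entry, sections = parse_sections(data)
    if not sections:
        return ["no section headers"]
    last = sections[-1]
    ep_section = next((s for s in sections if s["rva"] <= entry < s["rva"] + s["size"]), None)
    findings = []
    if ep_section is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    else:
        if ep_section is last and len(sections) > 1:
            findings.append("entry point in last section %s" % ep_section["name"])
        if not ep_section["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry-point section %s is not flagged as code" % ep_section["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %s is writable and executable" % last["name"])
    return findings


def scan_file(path):
    with open(path, "rb") as f:
        return appended_code_findings(f.read())


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image for exercising the parser; not a runnable program."""
    e_lfanew, opt_size, headers_size = 0x80, 224, 0x400
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\x00")
    table, body, raw_ptr = b"", b"", headers_size
    for name, rva, size, chars in sections:
        table += struct.pack(SECTION_HDR, name, size, rva, size, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\xCC" * size  # filler bytes standing in for section contents
        raw_ptr += size
    return (dos + coff + opt + table).ljust(headers_size, b"\x00") + body


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_PE = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA)],
                    entry_rva=0x1010)
# Same layout plus an extra RWX section at the end that now owns the entry point.
INFECTED_PE = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA),
                        (b".added", 0x3000, 0x400, CODE | IMAGE_SCN_MEM_WRITE)],
                       entry_rva=0x3000)

if __name__ == "__main__":
    print("clean:   ", appended_code_findings(CLEAN_PE))
    print("infected:", appended_code_findings(INFECTED_PE))
```

A prepending infector of the kind the Kaspersky description mentions (virus body written at the start of the file, original contents displaced downwards) replaces the host's headers with its own and will not trigger this check; for that case, comparing executables' hashes against a known-good baseline is the appropriate control. Packers and some legitimate linkers also produce RWX last sections, so treat a hit as a reason to inspect, not as a verdict.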

Execution

Upon execution, this network-propagating virus drops the following files:

  • [Windows Directory]\linkinfo.dll - infector component
  • [Windows System Directory]\drivers\DKIS6.sys - rootkit component
  • [Windows System Directory]\drivers\RioDrvs.sys - rootkit component

The dropped file RioDrvs.sys is registered as a service. The file linkinfo.dll is injected into explorer.exe and is hidden by the rootkit components.

This virus terminates processes with names that match the following strings:

  • c0nime.exe
  • cmdbcs.exe
  • ctmontv.exe
  • explorer.exe
  • fuckjacks.exe
  • iexpl0re.exe
  • iexplore.exe
  • internat.exe
  • logo_1.exe
  • logo1_.exe
  • lsass.exe
  • lying.exe
  • msdccrt.exe
  • msvce32.exe
  • ncscv32.exe
  • nvscv32.exe
  • realschd.exe
  • rpcs.exe
  • run1132.exe
  • rundl132.exe
  • smss.exe
  • spo0lsv.exe
  • spoclsv.exe
  • ssopure.exe
  • svch0st.exe
  • svhost32.exe
  • sxs.exe
  • sysbmw.exe
  • sysload3.exe
  • tempicon.exe
  • upxdnd.exe
  • wdfmgr32.exe
  • wsvbs.exe

However, the path of the files associated with the above-mentioned processes should not contain the following strings:

  • \com\
  • \program files\
  • \system\
  • \windows\
  • \winnt\

Once the process is terminated, the corresponding file is also deleted.

Propagation

The virus accesses network shares using the Administrator account name and one of the following passwords:

  • !@#$
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • 1
  • 111
  • 123
  • 1234
  • 12345
  • 123456
  • 654321
  • admin
  • asdf
  • asdfgh
  • qaz
  • qazwsx
  • qwer
  • zxcv

Once connected, it drops a copy of itself as C$\Ins.exe. The dropped file is executed as a service with the service name DLAN.

This virus will attempt to connect to the following site to update itself or send data regarding the infected system:

  • http://tj.imrw0rldwide.com/[...].asp

http://www.f-secure.com/v-descs/virus_w32_alman_a.shtml

Virus:W32/Alman.B

Name: Virus:W32/Alman.B
Detection Names: Virus.Win32.Alman.b, Win32.Almanahe.D
Category: Malware
Type: Virus
Type: Net-Worm, Rootkit
Platform: W32

Summary

A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Disinfection

Alman.B is a network virus/worm with rootkit features, so it requires specific disinfection instructions:

1. Stop all network sharing or completely disconnect from the network.
2. Set the disinfection action for the real-time scanner to "Disinfect Automatically".
3. Perform a full computer scan with an F-Secure product that has a BlackLight engine.
4. Select the "Disinfect" action for all infected files.
5. Files that cannot be disinfected should be quarantined or deleted (select the appropriate action manually).
6. Files dropped by the virus ("linkinfo.dll", "nvmini.sys" and "IsDrv118.sys") should be deleted or quarantined.
7. Broken infected files should be restored from a backup.
8. After disinfection, restart the computer.
9. After the restart, perform a full scan again to make sure that no infection is left.
10. Enable sharing or reconnect to the network ONLY after ALL computers are disinfected; otherwise a single infected workstation can re-infect the whole network.
11. Make sure that all network shares have strong passwords.
12. After disinfection, set the default disinfection action for the real-time scanner back to "Ask After Scan" if needed.

Additional Details

Virus:W32/Alman.B infects all executable files in the system. The virus propagates over a network. It also has rootkit capabilities.

An earlier variant of this virus, Virus:W32/Alman.A, is also in the wild.

Variants of this family may be detected by the Generic Detection, Virus:W32/Alman.gen!A.

Infection

The virus infects EXE files that are not protected by Windows System File Check on local, removable, and remote drives. The virus does not infect files with these names:

  • asktao.exe
  • au_unins_web.exe
  • audition.exe
  • autoupdate.exe
  • ca.exe
  • cabal.exe
  • cabalmain.exe
  • cabalmain9x.exe
  • config.exe
  • dbfsupdate.exe
  • dk2.exe
  • dragonraja.exe
  • flyff.exe
  • game.exe
  • gc.exe
  • hs.exe
  • kartrider.exe
  • main.exe
  • maplestory.exe
  • meteor.exe
  • mhclient-connect.exe
  • mjonline.exe
  • mts.exe
  • nbt-dragonraja2006.exe
  • neuz.exe
  • nmcosrv.exe
  • nmservice.exe
  • nsstarter.exe
  • patcher.exe
  • patchupdate.exe
  • sealspeed.exe
  • trojankiller.exe
  • userpic.exe
  • wb-service.exe
  • woool.exe
  • wooolcfg.exe
  • xlqy2.exe
  • xy2.exe
  • xy2player.exe
  • zfs.exe
  • zhengtu.exe
  • ztconfig.exe
  • zuonline.exe

The virus also doesn't infect files located in the following folders:

  • \LOCAL SETTINGS\TEMP\
  • \QQ
  • \WINDOWS\
  • \WINNT\

Payload

After the infected file is started the virus decrypts its body and drops two files:

  • %WinDir%\linkinfo.dll
  • %WinSysDir%\drivers\IsDrv118.sys

The DLL is the main virus component. The SYS file is a rootkit component that hides certain files and Registry keys.

The dropped DLL file is injected into Windows Explorer process and runs with system privileges.

The virus terminates the following processes:

  • c0nime.exe
  • cmdbcs.exe
  • ctmontv.exe
  • explorer.exe
  • fuckjacks.exe
  • iexpl0re.exe
  • iexpl0re.exe
  • iexplore.exe
  • internat.exe
  • logo_1.exe
  • logo1_.exe
  • lsass.exe
  • lying.exe
  • msdccrt.exe
  • msvce32.exe
  • ncscv32.exe
  • nvscv32.exe
  • realschd.exe
  • rpcs.exe
  • run1132.exe
  • rundl132.exe
  • smss.exe
  • spo0lsv.exe
  • spoclsv.exe
  • ssopure.exe
  • svch0st.exe
  • svhost32.exe
  • sxs.exe
  • sysbmw.exe
  • sysload3.exe
  • tempicon.exe
  • upxdnd.exe
  • wdfmgr32.exe
  • wsvbs.exe

If the files that belong to terminated processes are located in specific folders, they are deleted.

Propagation

To spread in a network the virus tries to connect to the IPC$ share with login "Administrator" and performs a dictionary attack on the admin password using these values:

  • admin
  • aaa
  • !@#$
  • asdf
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • !@#$%^&*(
  • !@#$%^&*()
  • qwer
  • admin123
  • love
  • test123
  • owner
  • mypass123
  • root
  • letmein
  • qwerty
  • abc123
  • password
  • monkey
  • password1
  • 1
  • 111
  • 123
  • 12345
  • 654321
  • 123456789

If connection is successful, the virus copies itself as "Setup.exe" file to the root of the system drive and starts the copied file as a service.
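The Alman.A and Alman.B propagation sections describe the same behaviour from the victim's point of view: a run of failed network logons to IPC$ as Administrator from one source, tried from a short password list, sometimes followed by a successful logon. On the target that shows up in the Security log as a burst of event 4625 (logon type 3) followed by a 4624 from the same source. The following Python is an added detection example, not code from any vendor on this page: it parses constructed, simplified event records (the line format is made up for this example; a real deployment would read the Security log or a SIEM export) and raises an alert when one source exceeds a failure threshold within a time window, noting whether a success followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records: timestamp, event ID, selected Security-log fields.
# The burst from 10.0.0.5 models the Alman password list being tried against
# Administrator over IPC$ (logon type 3 = network) and then succeeding.
SAMPLE_EVENTS = """\
2007-06-06T09:59:58 4624 TargetUserName=alice LogonType=2 IpAddress=127.0.0.1
2007-06-06T10:00:01 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-06-06T10:00:02 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-06-06T10:00:03 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-06-06T10:00:04 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-06-06T10:00:05 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-06-06T10:00:06 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5 Status=0xC000006D
2007-06-06T10:00:09 4624 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.5
2007-06-06T10:01:30 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.9 Status=0xC000006D
2007-06-06T10:01:31 4625 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.9 Status=0xC000006D
2007-06-06T10:03:00 4625 TargetUserName=bob LogonType=2 IpAddress=127.0.0.1 Status=0xC000006D
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_events(text):
    """Parse the simplified records into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", m.group(3)))
        events.append({"time": datetime.fromisoformat(m.group(1)),
                       "id": int(m.group(2)),
                       "user": fields.get("TargetUserName", ""),
                       "logon_type": int(fields.get("LogonType", "0")),
                       "source": fields.get("IpAddress", "")})
    return sorted(events, key=lambda e: e["time"])


def _alert(source, user, burst, evs, threshold, window):
    """Summarise a burst of failures as an alert, or None if it is below threshold."""
    if len(burst) < threshold:
        return None
    first, last = burst[0]["time"], burst[-1]["time"]
    succeeded = any(e["id"] == 4624 and first <= e["time"] <= last + window for e in evs)
    return {"source": source, "user": user, "failures": len(burst),
            "first": first, "last": last, "succeeded": succeeded}


def detect_share_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source fails >= threshold network logons to one account within `window`."""
    by_source = defaultdict(list)
    for e in parse_events(text):
        if e["logon_type"] == 3:  # network logons only; SMB/IPC$ access falls here
            by_source[(e["source"], e["user"].lower())].append(e)
    alerts = []
    for (source, user), evs in by_source.items():
        burst = []
        for e in evs:
            if e["id"] != 4625:
                continue
            if burst and e["time"] - burst[0]["time"] > window:  # window expired: close burst
                a = _alert(source, user, burst, evs, threshold, window)
                if a:
                    alerts.append(a)
                burst = []
            burst.append(e)
        a = _alert(source, user, burst, evs, threshold, window)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in detect_share_bruteforce(SAMPLE_EVENTS):
        print("%s -> %s: %d failed network logons %s..%s, success afterwards: %s"
              % (a["source"], a["user"], a["failures"], a["first"].time(),
                 a["last"].time(), a["succeeded"]))
```

The threshold and window are deliberately low because the list in the description is short (a few dozen passwords); a burst that ends in a 4624 is the case to act on first, since it means the share was reached with the Administrator account and the host should be treated as infected until checked. Disabling the built-in Administrator account for network logon and giving shares strong passwords, as step 11 of the disinfection instructions says, removes the condition this detection looks for.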

Detection

F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2007-06-06_03

http://www.f-secure.com/v-descs/virus_w32_alman_b.shtml

Aliases:
  • Symantec: W32.Almanahe.B
  • Mcafee: W32/Almanahe.c virus
  • Kaspersky: Virus.Win32.Alman.b
  • TrendMicro: PE_CORELINK.C-1
  • F-Secure: Virus.Win32.Alman.b
  • Sophos: W32/Alman-C
  • Panda: W32/Almanahe.C
  • Grisoft: Win32/Alman
  • VirusBuster: Win32.Alman.B
  • Eset: Win32/Alman.NAB virus
  • Bitdefender: Win32.Almanahe.D

Platforms / OS:
  • Windows 95
  • Windows 98
  • Windows 98 SE
  • Windows NT
  • Windows ME
  • Windows 2000
  • Windows XP
  • Windows 2003

Side effects:
  • Drops malicious files
  • Makes use of software vulnerability

Files

The following files are created:

– %WINDIR%\linkinfo.dll Further investigation pointed out that this file is malware, too. Detected as: W32/Rectix.A 

– %SYSDIR%\drivers\IsDrv118.sys Further investigation pointed out that this file is malware, too. Detected as: Rkit/Agent.GA 

– %SYSDIR%\drivers\nvmini.sys Further investigation pointed out that this file is malware, too. Detected as: Rkit/Agent.GA 

Network Infection

In order to ensure its propagation, the malware attempts to connect to other machines as described below.

It uses the following login information in order to gain access to the remote machine:

– The following username:
  • Administrator

– The following list of passwords:

  • admin; aaa; !@#$; asdf; asdfgh; !@#$%; !@#$%^; !@#$%^&; !@#$%^&*; !@#$%^&*(; !@#$%^&*(); qwer; admin123; love; test123; owner; mypass123; root; letmein; qwerty; abc123; password; monkey; password1; 1; 111; 123; 12345; 654321; 123456789

Process termination

List of processes that are terminated:
  • c0nime.exe; cmdbcs.exe; ctmontv.exe; explorer.exe; fuckjacks.exe; iexpl0re.exe; iexpl0re.exe; iexplore.exe; internat.exe; logo_1.exe; logo1_.exe; lsass.exe; lying.exe; msdccrt.exe; msvce32.exe; ncscv32.exe; nvscv32.exe; realschd.exe; rpcs.exe; run1132.exe; rundl132.exe; smss.exe; spo0lsv.exe; spoclsv.exe; ssopure.exe; svch0st.exe; svhost32.exe; sxs.exe; sysbmw.exe; sysload3.exe; tempicon.exe; upxdnd.exe; wdfmgr32.exe; wsvbs.exe

http://www.avira.com/en/support-threats-description/tid/4344/tlang/en