Free spyware removal and spyware protection
Unfortunately, defeating spyware is harder than evading conventional viruses.
Spyware is any potentially unwanted program that makes undesirable changes to your computer and/or collects information about user activities, without consent, usually for financial gain. That definition may be fine in the abstract, but making concrete decisions about which programs are really spyware can be difficult.
Please visit the download section of this website and you will find a few simple and FREE applications, written by different authors, which I have found throughout the years of facing spyware and viruses over 100 times to be the most effective (and free, of course) way to keep your computer clean of worms, popups, spyware and other malicious computer bugs. (If your computer is already affected, these programs might not completely get rid of your problem, but they will prevent any more damage.) I myself have tested these simple and free applications many times, on hundreds of PC computers, and I am happy to share my years of extensive research and trial and error to help you live a bug-free PC lifestyle.
TROJ_AGENT.HJS malicious Trojan
Thursday, January 24, 2008
This Trojan may be downloaded unknowingly by a user when visiting malicious Web sites.
It drops files also detected by Trend Micro as TROJ_AGENT.HJS.
It creates a registry entry to enable its automatic execution at every system startup.
Solution:
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Restarting in Safe Mode
This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.
Removing Autostart Entry from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
Regscan = "%System%\regscan.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
4. Close Registry Editor.
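The manual steps above can be turned into a repeatable check. The following is an added example, not code from this page or from Trend Micro: it parses a textual dump of the HKCU Run key (SAMPLE_RUN_DUMP is a constructed sample), expands the %System% placeholder exactly as the note above describes for each Windows version, and reports the Regscan entry that should be deleted. read_live_run_key() uses Python's standard winreg module and only does anything on Windows; the value name "Regscan" and path "%System%\regscan.exe" are the ones given on the page.

```python
"""Audit of the HKCU Run key for the TROJ_AGENT.HJS autostart value.

Added example; not code from the original page or from Trend Micro. It parses a
textual dump of the Run key (SAMPLE_RUN_DUMP is constructed), expands the
%System% placeholder as the page's note describes, and flags entries that
should be deleted. read_live_run_key() uses the standard winreg module and is
only active on Windows.
"""
import re

# Windows system folder per version, taken from the page's note on %System%.
SYSTEM_DIRS = {
    "98": r"C:\Windows\System",
    "ME": r"C:\Windows\System",
    "NT": r"C:\WINNT\System32",
    "2000": r"C:\WINNT\System32",
    "XP": r"C:\Windows\System32",
    "2003": r"C:\Windows\System32",
}

# The value the page instructs the reader to delete.
SUSPECT_ENTRIES = {"Regscan": r"%System%\regscan.exe"}

# Constructed dump in the form  Name = "path"  (one entry per line).
SAMPLE_RUN_DUMP = r'''
ctfmon.exe = "C:\Windows\System32\ctfmon.exe"
Regscan = "%System%\regscan.exe"
'''

ENTRY_RE = re.compile(r'^\s*(?P<name>[^=]+?)\s*=\s*"?(?P<value>[^"]*?)"?\s*$')


def expand_system(path, windows_version):
    """Replace the %System% placeholder with the concrete folder for this Windows version."""
    return path.replace("%System%", SYSTEM_DIRS[windows_version])


def parse_run_key(dump):
    """Parse a textual Run-key dump into {value_name: data}."""
    entries = {}
    for line in dump.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries[match.group("name")] = match.group("value")
    return entries


def read_live_run_key():
    """Read the real HKCU Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:       # raised once no more values remain
                break
            entries[name] = data
            index += 1
    return entries


def audit_run_key(entries, windows_version):
    """Return (name, expanded_path, reason) for each entry matching the trojan's persistence."""
    findings = []
    for name, data in entries.items():
        expanded = expand_system(data, windows_version)
        known_bad = expand_system(SUSPECT_ENTRIES.get(name, ""), windows_version)
        if name in SUSPECT_ENTRIES and expanded.lower() == known_bad.lower():
            findings.append((name, expanded, "matches TROJ_AGENT.HJS autostart entry"))
        elif expanded.lower().endswith(r"\regscan.exe"):
            # Same binary registered under a different value name still deserves review.
            findings.append((name, expanded, "regscan.exe registered under another value name"))
    return findings


if __name__ == "__main__":
    entries = read_live_run_key() or parse_run_key(SAMPLE_RUN_DUMP)
    for finding in audit_run_key(entries, "XP"):
        print("REVIEW:", finding)
```

The audit reports rather than deletes: deleting a Run value is the manual step 3 above, and a reviewer should confirm the finding first, since an entry name alone (Regscan) is not proof of infection if the data points elsewhere.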
WORM_IMBOT.AC memory resident worm malware
This memory-resident worm may be dropped by other malware or downloaded unknowingly by a user when visiting malicious Web sites.
It propagates via the popular instant messaging application, MSN Messenger. It does this by sending a message and a .ZIP file that contains a copy of itself to target contacts.
The message it sends may be any of the following:
• Did you see this picture, it's hilarious!!!!!
• Have I shown you this new picture of my cat :)
• Hey, check out this great photo from my trip to England
This worm also has backdoor capabilities. It connects to random TCP ports and executes the commands from a remote malicious user. It also terminates certain processes, if found running in memory.
SYMBOS_BESELO.A Malware Alert
This Symbian malware infects mobile devices running Symbian OS/S60 2nd Edition.
It drops a file also detected by Trend Micro as SYMBOS_BESELO.A. It also drops two other non-malicious files.
It spreads via Multimedia Messaging Service (MMS) messages. It creates an MMS message with an attached copy of the .SIS installer. These MMS messages contain a copy of the malware.
This Symbian malware also spreads via Bluetooth-enabled mobile phones. It arrives as a .SIS file, using certain file names.
GPCoder.h Trojan Win32 ransomware trojan
Wednesday, January 9, 2008
This is a detection for a ransomware trojan. It encrypts files on the hard drive, creates a text file indicating what has happened, and gives email addresses to send the ransom money to.
Aliases
* Backdoor:Win32/Kollah.D (Microsoft)
* TSPY_KOLLAH.F (TrendMicro)
* Virus.Win32.Gpcode.ai (Kaspersky)
Characteristics
-- Update July 17, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
This trojan encrypts documents, depending on the file extension, and then attempts to extort money from the victim in order for them to obtain a decryptor tool to recover the documents.
When run, this trojan searches for files using the following extensions:
* .12m
* .3ds
* .3dx
* .4ge
* .4gl
* .7z
* .a
* .a86
* .abc
* .acd
* .ace
* .act
* .ada
* .adi
* .aex
* .af3
* .afd
* .ag4
* .ai
* .aif
* .aifc
* .aiff
* .ain
* .aio
* .ais
* .akf
* .alv
* .amp
* .ans
* .ap
* .apa
* .apo
* .app
* .arc
* .arh
* .arj
* .arx
* .asc
* .asm
* .ask
* .au
* .bak
* .bas
* .bb
* .bcb
* .bcp
* .bdb
* .bh
* .bib
* .bpr
* .bsa
* .btr
* .bup
* .bwb
* .bz
* .bz2
* .c
* .c86
* .cac
* .cbl
* .cc
* .cdb
* .cdr
* .cgi
* .cmd
* .cnt
* .cob
* .col
* .cpp
* .cpt
* .crp
* .cru
* .csc
* .css
* .csv
* .ctx
* .cvs
* .cwb
* .cwk
* .cxe
* .cxx
* .cyp
* .d
* .db
* .db0
* .db1
* .db2
* .db3
* .db4
* .dba
* .dbb
* .dbc
* .dbd
* .dbe
* .dbf
* .dbk
* .dbm
* .dbo
* .dbq
* .dbt
* .dbx
* .dfm
* .djvu
* .dic
* .dif
* .dm
* .dmd
* .doc
* .dok
* .dot
* .dox
* .dsc
* .dwg
* .dxf
* .dxr
* .eps
* .exp
* .f
* .fas
* .fax
* .fdb
* .fla
* .flb
* .frm
* .fm
* .fox
* .frm
* .frt
* .frx
* .fsl
* .gtd
* .gif
* .gz
* .gzip
* .h
* .ha
* .hh
* .hjt
* .hog
* .hpp
* .htm
* .html
* .htx
* .ice
* .icf
* .inc
* .ish
* .iso
* .jar
* .jad
* .java
* .jpg
* .jpeg
* .js
* .jsp
* .key
* .kwm
* .lst
* .lwp
* .lzh
* .lzs
* .lzw
* .ma
* .mak
* .man
* .maq
* .mar
* .mbx
* .mdb
* .mdf
* .mid
* .mo
* .myd
* .obj
* .old
* .p12
* .pak
* .pas
* .pdf
* .pem
* .pfx
* .php
* .php3
* .php4
* .pgp
* .pkr
* .pl
* .pm3
* .pm4
* .pm5
* .pm6
* .png
* .ppt
* .pps
* .prf
* .prx
* .ps
* .psd
* .pst
* .pw
* .pwa
* .pwl
* .pwm
* .pwp
* .pxl
* .py
* .rar
* .res
* .rle
* .rmr
* .rnd
* .rtf
* .safe
* .sar
* .skr
* .sln
* .swf
* .sql
* .tar
* .tbb
* .tex
* .tga
* .tgz
* .tif
* .tiff
* .txt
* .vb
* .vp
* .wps
* .xcr
* .xls
* .xml
* .zip
Found documents are encoded and a text file named read_me.txt is placed in the directory containing the following text:
Hello, your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: %s and provide us
your personal code %d. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Glamorous team
The following registry key is created to run itself at Windows login:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon\userinit = "%SysDir%\userinit.exe, %SysDir%\ntos.exe,"
(Where SysDir is the Windows System directory, e.g. C:\Windows\System32)
Symptoms
* File types mentioned previously, overwritten with "garbage" (encrypted data).
* Presence of aforementioned read_me.txt files.
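Two of the facts above are easy to check programmatically: the Userinit value should normally list only userinit.exe, and the encrypted documents show up as high-entropy "garbage" next to a read_me.txt note. The following is an added example, not code from this page or from the vendors it quotes: it parses a Winlogon Userinit value and reports every program other than userinit.exe, and it walks a directory for read_me.txt files and targeted document types whose contents look encrypted. The extension subset, the entropy threshold and the sample directory built by build_sample_tree() are constructed for the demonstration.

```python
"""Triage helpers for the GPCoder.h symptoms described above.

Added example, not code from the original page or from the vendors it quotes:
(1) parses a Winlogon Userinit value and reports executables other than
userinit.exe, and (2) walks a directory looking for read_me.txt ransom notes
and targeted document types whose contents are high-entropy 'garbage'.
The sample directory created by build_sample_tree() is constructed for the demo.
"""
import math
import os
import tempfile
from collections import Counter

# Subset of the extension list given on the page; the full list can be pasted in.
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".rtf", ".jpg", ".mdb",
                     ".zip", ".rar", ".7z"}
# Compressed containers are high-entropy when healthy, so the entropy test
# would false-positive on them; they are reported only via the ransom note.
COMPRESSED_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".tgz", ".bz2", ".ace", ".arj", ".lzh"}
RANSOM_NOTE_NAME = "read_me.txt"
ENTROPY_THRESHOLD = 7.0   # bits per byte; plain documents usually sit well below this
MIN_SIZE = 256            # tiny files give unreliable entropy estimates


def parse_userinit(value):
    """Split the comma-separated Userinit value into its program entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def unexpected_userinit_entries(value):
    """Return every Userinit entry that is not userinit.exe (GPCoder appends ntos.exe)."""
    unexpected = []
    for entry in parse_userinit(value):
        basename = entry.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename != "userinit.exe":
            unexpected.append(entry)
    return unexpected


def shannon_entropy(data):
    """Bits of entropy per byte: 8.0 is uniformly random; ciphertext is close to it."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_symptoms(root):
    """Walk root and report ransom notes and targeted files that look encrypted."""
    findings = {"ransom_notes": [], "suspect_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(path)
                continue
            if ext in TARGET_EXTENSIONS and ext not in COMPRESSED_EXTENSIONS:
                with open(path, "rb") as f:
                    data = f.read()
                if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                    findings["suspect_files"].append(path)
    return findings


def build_sample_tree():
    """Constructed demo directory: a healthy document, an 'encrypted' one, an archive, a note."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    with open(os.path.join(root, "budget.doc"), "wb") as f:
        f.write(b"Quarterly figures, unchanged since last review.\n" * 40)
    with open(os.path.join(root, "contracts.xls"), "wb") as f:
        f.write(os.urandom(4096))           # random bytes stand in for ciphertext
    with open(os.path.join(root, "archive.zip"), "wb") as f:
        f.write(os.urandom(4096))           # healthy archive, must not be flagged
    with open(os.path.join(root, RANSOM_NOTE_NAME), "w") as f:
        f.write("Hello, your files are encrypted with RSA-4096 algorithm\n")
    return root


if __name__ == "__main__":
    print(unexpected_userinit_entries(r"%SysDir%\userinit.exe, %SysDir%\ntos.exe,"))
    print(scan_for_symptoms(build_sample_tree()))
```

The entropy heuristic is a triage aid, not a verdict: archives, images and already-encrypted containers are naturally high-entropy, which is why the compressed formats are excluded and why the ransom note, not the entropy score, is the stronger indicator.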
Method of Infection
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
