Free Spyware Adware Worm and Virus Trojan Horse Download Removal Tools » worm

So how do you Remove Koobface the facebook worm virus

admin — Thu, 08 Sep 2011 18:50:02 +0000

Koobface Virus threat is one that is taking by storm, specially because it uses a host such as facebook social network to spread the virus. This Koobface virus finds methods to seek into the users PC and spread malware into the computer so its considered as a worm which replicates itself within your computer. So how does KoobFace infect your PC, well its simple really, if you use facebook, and you receive a strange email, stating something along the lines of ” click here to see your face look stupid” which attracts you to click the link, once clicked, a virus code will be downloaded to your PC which will then spread the worm to your PC and start to redirect your search results from google to malicious software and websites. Simple huh?

So how do you Remove Koobface worm virus?

With anti-malware software such as melwarebytes and spybot, you might be able to remove this worm, but sometimes this is not possible and you need to manually remove it.

Using The Add Remove Program in control panel:

Go to Add\Remove in control panel
Look up for the Koobface malware to remove and uninstall it.

if you do not see the koobface there, go to registry and search for: ( if you do not know how to use your registry, you might really screw up your PC for good, so take note, this step is for advanced users who have messed around with the registry and know their way around.)

Search for “koobface” in Mycomputer using find utility.
Note down Koobface file path some where.
Press Ctrl+Alt+Del to open ‘Task Manager’
End the “Koobface” processes.

End the following processes

%SYSTEMROOT%\bolivar28.exe
che07.exe
bolivar28.exe
%WinDir%\system32\nScan\ekrn.exe
%WinDir%\system32\nScan\ecls.exe
%WinDir%\system32\splm\ncsjapi32.exe
%WinDir%\bolivar28.exe
C:\Windows\fbtre6.exe

now change Registry Files

Type ‘regedit’ in Run and press Enter.
The Registry Editor will appear, locate the above mentioned process files and delete them.
Locate “Koobface” registry entries and delete them, they are as the follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: “%WinDir% \System32\splm\ncsjapi32.exe”
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: “%WinDir% \System32\splm\ncsjapi32.exe”
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: “%WinDir% \System32\splm\ncsjapi32.exe”
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: “2″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: “%WinDir% \System32\splm\ncsjapi32.exe”
HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: “14\8\2008″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\”systray” = “c:\windows\mstre6.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\”systray” = “C:\Windows\fbtre6.exe”
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

Now you have to unregister the dll files

Go to start and type in ‘cmd’ to open comman prompt.
First locate the following dll files using ‘dir’ command.

%WinDir%\system32\nScan\ekrnEmon.dll
%WinDir%\system32\nScan\ekrnScan.dll
%WinDir%\system32\nScan\ekrnEpfw.dll
%WinDir%\system32\nScan\ekrnAmon.dll
%WinDir%\system32\splm\lmfunit32.dll
%WinDir%\system32\splm\mcaserv32.dll
%WinDir%\system32\splm\kbdsapi.dll

Now change the current directory using ‘cd’ command leave a space after ‘cd’ and then the path of dll file, which you have located above. Press enter after this.
Now unregister dll file by typing “directory path+’regsvr32/u’+dll file name”. Press enter, the file will be unregistered.

Generic BackDoor!djf!5D41C80EA0DA malware Trojan Virus

admin — Wed, 20 Jul 2011 22:58:29 +0000

These files were added to the system:

%APPDATA%\services.exe

%TEMP%\e3c1c08557a0d0feee33b9c9d18b4e6c129b553f.exe

This Trojan will attempt to fiddle with your network conection, e.g hxxp://www.maxmind.com/app/***

Virus app’s	Detection Names
EMSI Software	Trojan.Backdoor.Ircbot!IK
avast	Win32:Ruskill-F
Kaspersky	Backdoor.Win32.IRCBot.tjd
BitDefender	Backdoor.Bot.138642
Microsoft	VirTool:Win32/CeeInject.gen!EI
Symantec	Backdoor.IRC.Bot
Eset	a variant of Win32/Injector.GLN trojan
norman	W32/Suspicious_Gen3.TYCW
Sophos	Mal/Generic-L
Trend Micro	PAK_Generic.001
vba32	Backdoor.IRCBot.tjd

How to remove Generic BackDoor!djf!5D41C80EA0DA

Removal should be easy given the fact that you are able to follow directions

First thing to do is disconnect your network or internet. Now you will need to reboot your PC and enter safe mode, if you do not know how to enter safe mode, please search above for ” how to enter safe mode”

Now you will need to do a system scan using these apps below:

1. your favorite virus app, i suggest AVG or Microsoft security essentials
2. do a system scan using Malwarebytes
3. do a system scan using spybot
4. do a system scan using hijackthis

if the virus is not letting you do these scans, you must :

1.Disable System Restore on Windows ME and windows XP only.
2.Update to current engine and DAT files for detection and removal.
3.Run a complete system scan.

This should remove the threat, this threat is a low security threat but never the less it should always be cleaned before using the world wide web.

How to remove Win32/Olmarik Trojan malware

admin — Wed, 09 Mar 2011 05:33:16 +0000

If your PC has been infected with the Win32/Olmarik Trojan virus, please download Malwarebytes’ Anti-Malware its a free app. Double click mbam-setup.exe and follow the directions and install it on your home PC. Make sure you click update Malwarebytes before you press the scan button.

What the Win32/Olmarik trojan does is it infects your PC by installing a nasty malware by falsified displaying security alerts and making the user install even more bugs. Once you click on the alert, it will start downloading anti-spyware or anti-virus tools that are useless and will infect even more of your file system structure and files in general. Take care of this trojan as soon as you can to prevent our PC from getting any worse.

Win32/Olmarik trojan virus removal

admin — Thu, 24 Feb 2011 22:34:02 +0000

To clean this nasty Win32/Olmariktrojan horse virus,

Open RootRepeal, click the Drivers tab and select Scan. Right click and select Wipe File on:

H8SRTmeyqxwbpxd.sys

Click the Files tab and select Scan. Right click and select Wipe File on any file that begins with the following:

H8SRT

Do the same for the Hidden Services tab.

Reboot your machine

Then let’s run RootRepeal again:

Double click ROOTREPEAL to start the program
Click on the Report tab at the bottom of the program window
Click the SCAN button
In the Select Scan dialog, check:
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, click the SAVE REPORT button and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

W32/RAHack!DD10EDBD5690 Virus Removal

admin — Fri, 14 Jan 2011 20:43:40 +0000

Other Common Aliases

Company Names	Detection Names
avast	Win32:Allaple [Wrm]
AVG (GriSoft)	Worm/Allaple.B
avira	WORM/Allaple.Gen
Kaspersky	Net-Worm.Win32.Allaple.b
BitDefender	Win32.Worm.Allaple.Gen
clamav	Worm.Allaple-255
Dr.Web	Trojan.Starman
F-Prot	W32/RAHack.A.gen!Eldorado
FortiNet	W32/Allaple.gen!tr
Microsoft	worm:win32/allaple.a
Symantec	W32.Rahack.W
Eset	Win32/Kryptik.AJD trojan (variant)
norman	Allaple.gen (trojan)
panda	W32/Rahack.gen.worm
rising	Worm.Win32.Allaple.a
Sophos	W32/Allaple-F
Trend Micro	WORM_ALLAPLE.IK
vba32	OScope.Malware-Cryptor.Win32.Allaple
V-Buster	Error
Vet (Computer Associates)	Win32/Mallar.Y

The following files were analyzed:

urdvxc.exe
The following files have been added to the system:

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bzqlkhrh.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\vkjljzrn.exe

* %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\bin\1033\ebsjlbhn.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bhrhnkht.exe

* %PROGRAMFILES%\Adobe\Reader 9.0\rrtkrbtl.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\elwtjnbj.exe

* %TEMP%\0A5A6FE619B07BBAFB1F9C1B5F798F7DF96745D9

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bnbtzwxt.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\bcwvzwbh.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\ehbebsrn.exe

* %PROGRAMFILES%\msn\msncorefiles\tlbhnrlv.exe

* %PROGRAMFILES%\Microsoft Office\OFFICE11\rsrrhtck.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\nsqjttkv.exe

* %PROGRAMFILES%\netmeeting\rsewzjqn.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\qjllsjhl.exe

* %COMMONPROGRAMFILES%\system\ado\tsektjkj.exe

* %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\bin\brbvhsvx.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\brvrjrke.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\njbsvtll.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\tlcwjrwt.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\czjevcet.exe

* %COMMONPROGRAMFILES%\microsoft shared\stationery\xrljqjzn.exe

* %COMMONPROGRAMFILES%\microsoft shared\web server extensions\40\bin\tjnwrhns.exe

How to remove this virus.

1.Disable System Restore (Windows ME/XP only).

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

W32/RAHack Worm/Allaple.A Virus Removal

admin — Fri, 17 Dec 2010 00:45:56 +0000

Other Common Detection Aliases

Company Names	Detection Names
AVG (GriSoft)	Worm/Allaple.A
Microsoft	worm:win32/allaple.a
Symantec	W32.Rahack.W
norman	Allaple.gen
panda	W32/Rahack.gen

some of the path values that have been replaced with environment variables as the location may vary with different configurations for example.

%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were scanned:

urdvxc.exe

REMOVAL

Although this is a low threat virus, the removal of W32/RAHack Worm/Allaple.A Virus can be a pest but i have found that COMBFIX will remove this threat from your PC. Simply download CombFix by clicking here, save it to your desktop, double click and and press next a few times and let the program scan your PC and clean it. Very simple really, might take some time and make sure you close all browsers and applications before you run CombFix.

Or you may just use MelwareBytes to remove the W32/RAHack virus. I would scan with both apps just to make sure. Good luck

W32.SillyFDC.BDO worm clean with Webroot Spy Sweeper

admin — Wed, 01 Dec 2010 07:28:51 +0000

W32.SillyFDC.BDO is a new discovered worm that spreads by copying itself to removable drives such as external hard drivers, USB flash drivers, etc.

I was able to capture this W32.SillyFDC.BDO worm on my test machine and run a few tests to see which software did the best cleaning and its safe to say Spy Sweeper by Webroot was the winner.
Webroot AntiVirus 2010 with Spy Sweeper is one of the best apps that will protect your PC from virus threats, spyware, adware, worms and Trojans malware. One great thing i found about spy sweeper is that it protects your PC real time without bottle necking or slowing down your net speed or even your PC’s resources. Unlike Norton which really takes away a good portion of your memory and hogs your system resources.

W32.SillyFDC.BDO worm
When executed this worm copies itself as the following files:

%SystemDrive%\services.exe
%Windir%\services.exe

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”ServiceControlApp” = “%SystemDrive%\services.exe”

The worm also modifies the following registry entries:

HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “0″
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”HideFileExt” = “1″

To clean this threat, simply run Webroot Spy Sweeper

Clean this threat manually:

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.

W32/Autorun.worm.zf.gen!F342CDD8894F Virus

admin — Wed, 27 Oct 2010 18:14:26 +0000

Viruses are self replicating which are often spread by a network or by transmission to a removable medium e.g writable CD, or USB drive. Viruses may also spread by infecting files on a network system or a file system that is shared by another users computer.

Company Names	Detection Names
AVG (GriSoft)	Packed.AutoIt
Kaspersky	Worm.Win32.Autoit.xl
BitDefender	Backdoor.Generic.434041
ClamAV	Trojan.Autoit-70
Dr.Web	Win32.HLLW.Autoruner.based
F-Prot	W32/AutoIt.M.gen!Eldorado
FortiNet	W32/AutoIt.A!worm
Microsoft	Worm:Win32/Autorun.XK
Symantec	W32.Harakit
Eset	Win32/Packed.Autoit.B.Gen (application)
Norman	Suspicious_Gen2.BFSNZ (trojan)
Panda	Trj/CI.A
Rising	Trojan.Win32.Generic.520A2FD6
Sophos	Sus/Tiotua-A (suspicious)
Trend Micro	TROJ_GEN.R99C1HD
Vba32	Trojan.Autoit.F
V-Buster	Trojan.Autoit.Gen!Pac

The applications attempted the following network connections.

77.55.21.***:80
95.211.21.***:82
95.211.21.***:80
72.233.89.***:80
hxxp://95.211.21.184:89/*****
194.71.107.**:80
95.211.21.***:89
209.190.24.**:80
95.211.21.***:85

TSPY_AGENT.WWCJ Virus Worm

admin — Tue, 20 Jul 2010 18:26:19 +0000

potential for damage, information stealing, or both, that it possesses. Specifically, it is capable of monitoring affected users browsing habits to steal sensitive information.

This spy software can be downloaded from certain remote sites.

Check if the following applications are installed on the affected system to steal login credentials:

* Ftpcommander
* SmartFTP
* Steam (an online gaming platform)

It also oversees the relevant users’ browsing habits to steal sensitive information.

Save the information gathered in a text file using the file name () Name of the team. Txt and upload to a specific Web site.

W32.Palevo.B Worm instant messaging clients

admin — Wed, 05 May 2010 09:31:49 +0000

Discovered: May 4, 2010

Updated: May 4, 2010 11:27:56 AM

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

W32.Palevo.B is a worm that spreads through instant messaging clients.

Antivirus Protection Dates

Initial Rapid Release version May 4, 2010 revision 009
Latest Rapid Release version May 4, 2010 revision 020
Initial Daily Certified version May 4, 2010 revision 048
Latest Daily Certified version May 4, 2010 revision 048
Initial Weekly Certified release date May 5, 2010

Threat Assessment

Wild

Wild Level: Low
Number of Infections: 0 – 49
Number of Sites: 0 – 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage

Damage Level: Low
Payload: Spreads through instant messaging programs.

Distribution

Distribution Level: Medium