Variant: Backdoor.Riken

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Backdoor.Riken is a Trojan that arrives by exploiting an Adobe Acrobat PDF vulnerability. Once activated, it tries to download and install additional malware on the already infected system. It then edits the registry to add itself to the startup list, so that it runs every time Windows boots. Backdoor.Riken's main objective is to inject scripts into online banking sites in order to steal users' confidential account log-in information.

Step-by-step instructions for manual removal of Backdoor.Riken:

• Disable System Restore (Windows ME and Windows XP users only): right click My Computer → Properties → System Restore tab → tick Turn off System Restore on all drives → Restart Computer

• Boot to Safe Mode (press the F8 key before the Windows logo appears, then log in on an account with administrator credentials)

• Show hidden files and folders (My Computer → Tools → Folder Options → View tab → tick Show hidden folders, files and drives → untick Hide protected operating system files → OK)

• Delete Backdoor.Riken created files:

%System%\svcvc.exe
%System%\UsbStorageLog.txt

• Delete Backdoor.Riken added registry values: (Start → run → regedit → navigate and delete the listed registry entries)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SamPs" = "C:\WINDOWS\system32\svcvc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system32\svcvc.exe" = "C:\WINDOWS\system32\svcvc.exe:*:Enabled:svcvc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Window\"monstate" = "ID"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Window\"KeyKill" = "ID"

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Update anti-virus definition files

• Run anti-virus full system scan

• Re-enable System Restore (Windows ME and XP users only): right click My Computer → Properties → System Restore tab → untick Turn off System Restore on all drives

• Restart the computer
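The registry and file steps above can be checked and carried out from an elevated PowerShell prompt. The script below is an added example, not part of the original guide: it audits every indicator listed for Backdoor.Riken and deletes them only when run with -Remove. The firewall exception list is parsed in full because its value data has the fixed form path:scope:Enabled:name, so a renamed copy of the dropper would still show up. The script and switch names are my own; it needs PowerShell 2.0 or later (preinstalled on Windows 7, a separate download on XP and Vista).

```powershell
# Added example (not part of the original guide): audit the Backdoor.Riken indicators
# listed above and delete them when run with -Remove. Run from an elevated PowerShell
# prompt; in Safe Mode the dropper is not running, so its file can be deleted.
param([switch]$Remove)

$system32  = [Environment]::SystemDirectory               # what the guide calls %System%
$dropper   = Join-Path $system32 'svcvc.exe'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fwList    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$windowKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Window'

# 1. Windows Firewall exceptions. Each value is "<path>:<scope>:<Enabled|Disabled>:<display name>";
#    parse all of them so a renamed copy of the dropper is not missed.
$fwPattern = '^(?<path>.+):(?<scope>[^:]*):(?<state>[^:]*):(?<name>[^:]*)$'
if (Test-Path -LiteralPath $fwList) {
    $list = Get-Item -LiteralPath $fwList
    foreach ($valueName in $list.GetValueNames()) {
        $data = [string]$list.GetValue($valueName)
        if ($data -match $fwPattern) {
            $path = [Environment]::ExpandEnvironmentVariables($Matches['path'])
            $flag = if (($path -ieq $dropper) -or -not (Test-Path -LiteralPath $path)) { 'SUSPECT' } else { 'ok' }
            '{0,-7} {1} ({2}, "{3}")' -f $flag, $path, $Matches['state'], $Matches['name']
        }
    }
}

# 2. Registry values from the list above. For the firewall entry the value *name* is the executable path.
$values = @(
    @{ Key = $runKey;    Name = 'SamPs' },
    @{ Key = $fwList;    Name = $dropper },
    @{ Key = $windowKey; Name = 'monstate' },
    @{ Key = $windowKey; Name = 'KeyKill' }
)
foreach ($v in $values) {
    $prop = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }
    'found value {0}\{1} = {2}' -f $v.Key, $v.Name, $prop.($v.Name)
    if ($Remove) { Remove-ItemProperty -LiteralPath $v.Key -Name $v.Name }
}

# 3. Dropped files.
foreach ($file in @($dropper, (Join-Path $system32 'UsbStorageLog.txt'))) {
    if (Test-Path -LiteralPath $file) {
        "found file $file"
        if ($Remove) { Remove-Item -LiteralPath $file -Force }
    }
}
```

Save it as riken-check.ps1, run it once without arguments to see what is present, export the registry (reg export HKLM\SYSTEM system.reg) as the disclaimer asks, then run it with -Remove. If the AuthorizedApplications key is absent the firewall section is simply skipped.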

Variant: W32.Waledac.B

Operating Systems Affected: Windows 9x, 2000, XP, Server 2003, Vista, 7


W32.Waledac.B is a computer worm (first reported January 1, 2011) that self-replicates and spreads via links in spam e-mail that point to a site hosting the malware. The spam is disguised as a legitimate holiday greeting e-card. Once W32.Waledac.B is run, it creates a registry value to load itself every time Windows starts, then opens a backdoor by listening on TCP port 80 and UDP port 445. Finally, it attempts to connect to a fixed set of IP addresses to download additional malware onto the already infected system.

Step by step manual removal guide:

• Temporarily disable system restore (Windows ME / XP) Right click My Computer → Properties → System Restore tab → Put a check mark on Turn off system restore on all drives box → Restart Computer

• Delete temp internet files (Internet Explorer 8 → Tools → Internet Options → General Tab → Delete Browsing History → new window appears → Tick Temporary Internet Files / Tick Cookies → Delete)

• Boot to safe mode with networking (Press the F8 key on Windows boot up)

• Disable startup item pertaining to the worm (Start → run → msconfig → start up tab → untick the worm startup listing → click Ok)

• Delete the following registry values: (Start → run → regedit → navigate and delete the listed registry entries)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SmartIndex" = "PATH TO WORM"
HKEY_CURRENT_USER\Software\Google\"ID" = "HEXADECIMAL DIGITS"
HKEY_CURRENT_USER\Software\Google\"ID2" = "HEXADECIMAL DIGITS"
HKEY_CURRENT_USER\Software\Google\"ID3" = "HEXADECIMAL DIGITS"

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Update definition files and run a full system scan for viruses

• Re-enable system restore (Windows ME / XP) Right click My Computer → Properties → System Restore tab → Untick  turn off system restore on all drives box → Restart Computer

• Restart the computer
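The backdoor ports are the one indicator above that the GUI steps never verify. The script below is an added example, not part of the original guide: it reports which process is listening on TCP 80 and UDP 445 and then shows the Run value and the three HKCU\Software\Google values. Get-NetTCPConnection does not exist on XP, Vista or 7, so the text output of netstat -ano is parsed instead; run it elevated so process image paths are readable.

```powershell
# Added example (not part of the original guide): find the process listening on the ports the
# guide attributes to W32.Waledac.B, then show the registry values it creates.
$watch = @{ TCP = 80; UDP = 445 }

$lines = netstat -ano 2>$null | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
foreach ($line in $lines) {
    $f = @($line.Trim() -split '\s+')          # TCP: proto local foreign state pid ; UDP: proto local foreign pid
    $proto  = $f[0]
    $local  = $f[1]
    $procId = [int]$f[-1]
    $port   = [int](($local -split ':')[-1])   # works for IPv4 "0.0.0.0:80" and IPv6 "[::]:80"
    $state  = if ($proto -eq 'TCP') { $f[3] } else { 'n/a' }
    if ($watch[$proto] -ne $port) { continue }
    if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }
    $proc  = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $image = if ($proc -and $proc.Path) { $proc.Path } elseif ($proc) { $proc.ProcessName } else { '(exited)' }
    '{0,-4} {1,-22} pid={2,-6} {3}' -f $proto, $local, $procId, $image
}

# Persistence and marker values from the list above. HKCU\Software\Google is shared with legitimate
# Google software, so only the ID, ID2 and ID3 values are reported, never the whole key.
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SmartIndex' -ErrorAction SilentlyContinue
if ($run) { "Run\SmartIndex -> $($run.SmartIndex)" }

$google = Get-ItemProperty -LiteralPath 'HKCU:\Software\Google' -ErrorAction SilentlyContinue
if ($google) {
    $google.PSObject.Properties |
        Where-Object { $_.Name -match '^ID[0-9]*$' } |
        ForEach-Object { 'HKCU\Software\Google\{0} = {1}' -f $_.Name, $_.Value }
}
```

A listener on TCP 80 owned by pid 4 (System) is the HTTP.sys kernel driver, i.e. IIS or another legitimate web service, not the worm; the image path is what tells the two apart. Run it before booting to Safe Mode, because in Safe Mode the worm may not be running and the port will be closed.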


Variant: Dial.Pass, Dialer-185, Dialer.Dialpass, Porn-Dialer, Dialer.Instant_Access

Operating Systems Affected: Windows 9x, ME,  XP, Vista, 7, Windows NT, 2000


Dialer.Dialpass is not a virus but is classified as a potentially unwanted program (PUP). Once installed, it hijacks the computer's modem and forces the Windows dialer to repeatedly dial an access number that connects to an illicit content site or provider, with the cost of the calls charged to the user's telephone line.

Dialer.Dialpass only targets users of dialup Internet services. Those with broadband connection such as DSL, LAN or any other similar highspeed Internet access, are not affected.

Here’s how to remove  Dialer.Dialpass:

• Disable System Restore (Windows ME and XP users only)

• Restart and boot into Safe Mode (press the F8 key on boot up)

• Delete the browser's cookies and cache (Internet Explorer 8 → Tools → Internet Options → General tab → Delete Browsing History → tick Temporary Internet Files and Cookies → Delete)

• Show hidden files and folders (open My Computer → Tools → Folder Options → View tab → tick Show hidden folders, files and drives → untick Hide protected operating system files → OK)

• Navigate and Delete the Dialer.Dialpass files:

%WINDIR%\iaccess32.exe
%PROGRAMFILES%\instant access\desktopicons\nocreditcard.lnk
%PROGRAMFILES%\Instant Access\Multi\20091116181148\medias\p2e_3_3.gif
%PROGRAMFILES%\Instant Access\Multi\20091116181148\dialerexe.ini
%USERPROFILE%\Start Menu\NoCreditCard.lnk
%WINDIR%\tmlpcert2007
%PROGRAMFILES%\Instant Access\Multi\20091116181148\Common\module.php
%PROGRAMFILES%\Instant Access\Multi\20091116181148\medias\p2e_1_3.gif
%PROGRAMFILES%\Instant Access\Multi\20091116181148\medias\p2e_go_3.gif
%PROGRAMFILES%\Instant Access\Multi\20091116181148\medias\p2e_logo_2.gif
%PROGRAMFILES%\Instant Access\Multi\20091116181148\instant access.exe
%PROGRAMFILES%\Instant Access\Multi\20091116181148\medias\p2e_2_3.gif
%PROGRAMFILES%\Instant Access\Multi\20091116181148\medias\p2e.ico
%PROGRAMFILES%\instant access\center\nocreditcard.lnk
%ALLUSERSPROFILE%\desktop\nocreditcard.lnk
%WINDIR%\SYSTEM32\egaccess4_1071.dll

• Navigate and Delete the Dialer.Dialpass registry keys: (Start → run → regedit → navigate and delete the listed values)

HKEY_CURRENT_USER\SOFTWARE\EGDHTML\

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES\62119EF862C6B3A0D853419B87EB3E2F6C78640\
(as printed here this thumbprint is 39 hex digits, one short of a full SHA-1 thumbprint; match it against the entries actually present in the store before deleting)

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\INPROCSERVER32\

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Delete Dialer.Dialpass Dial up network (DUN) connection (Windows Vista / 7 → Click start → type network connections →  click view network connections → delete the Dialpass created connection)

• Update anti-virus definition files

• Run anti-virus full system scan

• Re-enable System Restore (Windows ME and XP users only)

• Restart the computer
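Three of the artefacts above are not visible from the removal steps themselves: which DLL the COM class actually loads, which certificate the dialer placed in the user's Trusted Publisher store, and which number the dial-up entry calls. The script below is an added example, not part of the original guide; it shows all three and removes only the certificate (with -Remove), leaving keys, files and the DUN entry to the steps above. That the CLSID resolves to the egaccess4_1071.dll listed above is an assumption to be confirmed from the output, and the script name and switch are my own.

```powershell
# Added example (not part of the original guide): inspect the Dialer.Dialpass COM class, the
# planted Trusted Publisher certificate and the dial-up phone-book entries. Run elevated.
param([switch]$Remove)

# 1. The default value of InprocServer32 is the DLL the class loads; confirm it before deleting
#    either the key or the file (the guide lists egaccess4_1071.dll, but verify on the machine).
$clsid = '{413E282B-C32A-4717-A0F3-4F2E6FE25F83}'
$srv = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
if ($srv) { "CLSID $clsid registers $($srv.'(default)')" } else { "CLSID $clsid is not registered" }

# 2. Trusted Publisher certificates. The thumbprint printed in the guide is 39 hex digits, one short
#    of a full SHA-1 thumbprint, so match on the prefix and let a human confirm the subject.
$thumbPrefix = '62119EF862C6B3A0D853419B87EB3E2F6C78640'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'CurrentUser')
$store.Open('ReadWrite')
foreach ($cert in @($store.Certificates)) {
    $suspect = $cert.Thumbprint -like "$thumbPrefix*"
    '{0} {1} {2} (expires {3:d})' -f $(if ($suspect) { 'SUSPECT' } else { '       ' }), $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    if ($suspect -and $Remove) { $store.Remove($cert) }
}
$store.Close()

# 3. Dial-up entries live in rasphone.pbk, an INI file. List every entry and the number it dials;
#    a premium-rate or foreign number on a machine that never used dial-up is the dialer's.
$pbkFiles = @(
    (Join-Path $env:APPDATA         'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Network\Connections\Pbk\rasphone.pbk'),                  # Vista / 7
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk')  # 2000 / XP
)
foreach ($pbk in $pbkFiles) {
    if (-not (Test-Path -LiteralPath $pbk)) { continue }
    $entry = $null
    foreach ($line in Get-Content -LiteralPath $pbk) {
        if     ($line -match '^\[(.+)\]\s*$')      { $entry = $Matches[1] }
        elseif ($line -match '^PhoneNumber=(.*)$') { '{0}: entry "{1}" dials {2}' -f $pbk, $entry, $Matches[1] }
    }
}
# Once the entry is identified it can be removed with:  rasphone -r "<entry name>"
```

The Trusted Publisher entry matters more than it looks: a certificate in that store lets signed code from the same publisher install again without the usual prompt, which is why the dialer planted it.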

Variant: TROJ_ARTIEF.SM

Operating Systems Affected: Windows 2000, Windows XP, Windows Server 2003

TROJ_ARTIEF.SM exploits the Microsoft Office RTF stack buffer overflow vulnerability (CVE-2010-3333, patched by Microsoft security bulletin MS10-087). It then drops and executes another malicious file, detected as TROJ_INJECT.ART. There are two ways to get infected: by opening, or merely viewing in the preview pane, a spam e-mail with a malicious RTF attachment, which triggers the exploit; or by unknowingly downloading the Trojan just by visiting a malicious website.

The Microsoft security bulletin, with download links for the Office patch: http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx

If you are infected with TROJ_ARTIEF.SM, here is how to remove it manually and how to protect your system against the Office vulnerability.

• Disable system restore (Windows XP users only)

• Boot to Safe Mode (press the F8 key before the Windows logo appears, then log in on an account with administrator credentials)

• Delete browsers internet cookies and cache (Internet Explorer 8 → Tools → Internet Options → General Tab → Delete Browsing History → new window appears → Tick Temporary Internet Files / Tick Cookies → Delete)

• Show hidden files and folders (My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK)

• Navigate and Delete the Trojan file:

%User Temp%\{random}.tmp (detected as TROJ_INJECT.ART)

• Re-enable System Restore (Windows XP users only)

• Download and Install MS Office patch

http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx

• Update and Run an Anti-Virus full system scan
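Because the dropped file has a random name, the only way to find it by hand is to open the temp folder and guess. The script below is an added example, not part of the original guide: it lists every .tmp file in the user's temp directory that is really a PE executable (the file starts with the "MZ" header), together with its SHA-256 so the sample can be submitted to the anti-virus vendor, and deletes those files when run with -Remove. The script and switch names are my own.

```powershell
# Added example (not part of the original guide): TROJ_INJECT.ART is dropped as
# %User Temp%\{random}.tmp. A genuine temporary file is rarely a PE executable, so list every
# .tmp that starts with "MZ", hash it, and delete it only when -Remove is given.
param([switch]$Remove)

$tempDir = [IO.Path]::GetTempPath()                       # %User Temp% of the logged-on account
$sha256  = [Security.Cryptography.SHA256]::Create()

Get-ChildItem -LiteralPath $tempDir -Filter '*.tmp' -Force -ErrorAction SilentlyContinue | ForEach-Object {
    try { $bytes = [IO.File]::ReadAllBytes($_.FullName) } catch { return }           # in use or unreadable: skip
    if ($bytes.Length -lt 2 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return }   # not an "MZ" header
    $hash = ([BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
    'PE disguised as .tmp: {0}  {1} bytes  written {2}  sha256={3}' -f $_.FullName, $_.Length, $_.LastWriteTime, $hash
    if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
}
```

Installers such as Inno Setup and NSIS also stage executables under .tmp names while they run, so compare the timestamp with the moment the RTF was opened before deleting anything, and keep the hash: it is what the vendor needs if the scanner does not yet detect the sample.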


Variant: Backdoor.Badpuck

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Backdoor.Badpuck is a Trojan horse (discovered December 9, 2010) that opens a backdoor on the infected computer and lets a remote attacker connect to it. Once the computer is infected, the Trojan may perform any of the following actions on command: download a file, upload a file, execute a file, delete a file, and delete its own file.

What's a backdoor?
A backdoor in a computer system is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. [Source: Wikipedia]

MANUAL REMOVAL GUIDE

• Disable System Restore (Windows ME and Windows XP users only): right click My Computer → Properties → System Restore tab → tick Turn off System Restore on all drives → Restart Computer

• Boot to Safe Mode (press the F8 key before the Windows logo appears, then log in on an account with administrator credentials)

• Show hidden files and folders (My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK)

• Navigate and Delete the following Trojan files:
%CurrentFolder%\version.exe
%CurrentFolder%\load.exe
%CurrentFolder%\stsdll.exe
%CurrentFolder%\iexplorer.exe

• Delete the following Trojan added registry entries: (Start → run → regedit → navigate and delete the listed values)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[random]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random]”

• Re-enable System Restore (Windows ME and Windows XP users only): right click My Computer → Properties → System Restore tab → untick Turn off System Restore on all drives → Restart Computer

• Update and Run an Anti-Virus full system scan

Variant: TSPY_ZBOT.XXT

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

[picture source: TrendMicro]

The spyware arrives as an attachment to a spam e-mail claiming that Facebook is providing a free tool (FB IPsecure.exe) to stop spamming of Facebook users. The "tool" is the malicious file, detected as TSPY_ZBOT.XXT. Once run, it modifies the registry so that it starts every time Windows starts, and it logs keystrokes on specific monitored websites to steal usernames and passwords.

Here’s how to remove TSPY_ZBOT.XXT manually:

• Disable System Restore (Windows ME and Windows XP users only): right click My Computer → Properties → System Restore tab → tick Turn off System Restore on all drives → Restart Computer

• Boot to safe mode (Press F8 key on boot up)

• Delete browsers cookies and cache (Internet Explorer 8 → Tools → Internet Options → General Tab → Delete Browsing History → new window appears → Tick Temporary Internet Files / Tick Cookies → Delete)

• Show hidden files and folders (My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK)

• Delete the following folders:
%Application Data%\{random1}
%Application Data%\{random2}

• Delete Registry Values: (Start → run → regedit → navigate and delete the listed values)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{GUID of mount point of %Windows%} = %Application Data%\{random1}\{malware filename}.exe1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
%WINDOWS%\EXPLORER.EXE = %WINDOWS%\EXPLORER.EXE:*:Enabled:Windows Explorer


• Restart the computer

• Re-enable System Restore (Windows ME and Windows XP users only): right click My Computer → Properties → System Restore tab → untick Turn off System Restore on all drives → Restart Computer

• Run an Anti-Virus / Anti-Malware full system scan
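Neither Backdoor.Badpuck (random Run value name) nor TSPY_ZBOT.XXT (a mount-point GUID as the value name, pointing into %Application Data%\{random}) can be found in regedit by name. The script below is an added example, not part of the original guide, serving both entries: it enumerates every Run and RunOnce value in HKLM and HKCU, resolves the executable each one starts and flags GUID-named values, targets under %AppData%, missing targets and unsigned targets. "unsigned" is a hint rather than a verdict, since much XP-era software is unsigned; judge by the path and whether you recognise the program.

```powershell
# Added example (not part of the original guide): triage of the Run / RunOnce keys that both
# Backdoor.Badpuck and TSPY_ZBOT.XXT use for persistence. Read-only; nothing is deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$appData = $env:APPDATA

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
        # the command line is either a "quoted path" followed by arguments, or the text up to the first .exe
        $exe = if ($data -match '^"([^"]+)"')      { $Matches[1] }
               elseif ($data -match '^(.+?\.exe)') { $Matches[1] }
               else                                { $data }
        $reasons = @()
        if ($name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { $reasons += 'GUID value name' }
        if ($exe -like "$appData\*")                                                 { $reasons += 'runs from %AppData%' }
        if (-not $exe) {
            $reasons += 'empty command'
        } elseif (-not (Test-Path -LiteralPath $exe)) {
            $reasons += 'target missing'
        } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
            $reasons += 'unsigned'
        }
        $flag = if ($reasons.Count -gt 0) { 'SUSPECT' } else { 'ok' }
        '{0,-7} {1}\{2}' -f $flag, $key, $name
        '        -> {0}  {1}' -f $exe, ($reasons -join ', ')
    }
}
```

For the ZBOT case the interesting line is a GUID-named value whose target sits in %AppData%\{random}: that folder is the one to delete, and the value with it. For Badpuck the value name is arbitrary, so look at the target path (%CurrentFolder% is wherever the Trojan was first run from) rather than the name.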


Variant: WORM_FEODO.A

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

WORM_FEODO.A is a worm that may be downloaded without the user's knowledge just by visiting a malicious website; it then copies itself to every removable drive that is attached, together with an AUTORUN.INF that launches it. The worm steals confidential information such as account usernames and passwords. If you are infected with WORM_FEODO.A, remove it at once, before it compromises sensitive information stored on your computer.

Here’s how to remove WORM_FEODO.A manually:

• Disable System Restore (Windows ME and XP users only)

• Restart and boot into Safe Mode (press the F8 key before the Windows logo appears, then log in on an account with administrator credentials)

• Search for and delete infected AUTORUN.INF files: click Start → type AUTORUN.INF in the search box → press Enter. The search lists the AUTORUN.INF files found on the computer and on attached removable drives. Open each one in Notepad (right click the file → Open with → Notepad); if it contains the text below, delete it together with the executable it points to.

[AutoRun]
open={random folder name}\{random file name}.exe
shell\Open\Command={random folder name}\{random file name}.exe
shell\Open\Default=1
shell\Explore\Command={random folder name}\{random file name}.exe
shell\Autoplay\command={random folder name}\{random file name}.exe

• Delete the worm-added registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SvrWsc =

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable = 0

• Delete the worm-added registry keys:

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX
MSA
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX
MSB
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
SvrWsc

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Restart the computer

• Update definition files and Run an Anti-Virus full system scan
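Opening every AUTORUN.INF in Notepad is error-prone, and the file itself is harmless until the launched executable is found. The script below is an added example, not part of the original guide: it reads the AUTORUN.INF at the root of every drive, picks out the launch commands that the pattern above uses, shows the executable each one points to (and whether it is hidden), and with -Remove deletes the executable, the AUTORUN.INF and the registry artefacts listed above. An installer CD legitimately carries an open= line, so judge by the target: a random folder and file name or a hidden target is the worm's. Script and switch names are my own.

```powershell
# Added example (not part of the original guide): check the root of every drive for an
# autorun.inf matching the WORM_FEODO.A pattern and show what it launches. Run elevated;
# nothing is deleted unless -Remove is given.
param([switch]$Remove)

$launchKeys = 'open', 'shell\open\command', 'shell\explore\command', 'shell\autoplay\command'

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $targets = @{}
    foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*([^=;]+?)\s*=\s*(.+?)\s*$') {
            $k = $Matches[1].ToLower()
            if ($launchKeys -contains $k) { $targets[$k] = $Matches[2] }
        }
    }
    if ($targets.Count -eq 0) { "$inf : no launch command (icon/label only), probably benign"; continue }
    "$inf launches:"
    foreach ($k in $targets.Keys) {
        $exe  = Join-Path $drive.Root $targets[$k]
        $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
        $note = if (-not $file) { '[missing]' }
                elseif ($file.Attributes -band [IO.FileAttributes]::Hidden) { '[hidden]' }
                else { '' }
        '  {0,-22} {1} {2}' -f $k, $exe, $note
        if ($Remove -and $file) { Remove-Item -LiteralPath $exe -Force }
    }
    if ($Remove) { Remove-Item -LiteralPath $inf -Force }
}

# Registry artefacts from the lists above.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Get-ItemProperty -LiteralPath $runKey -Name 'SvrWsc' -ErrorAction SilentlyContinue) {
    "found $runKey\SvrWsc"
    if ($Remove) { Remove-ItemProperty -LiteralPath $runKey -Name 'SvrWsc' }
}
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\DirectX\MSA',
                 'HKLM:\SOFTWARE\Microsoft\DirectX\MSB',
                 'HKLM:\SYSTEM\CurrentControlSet\Services\SvrWsc') {
    if (Test-Path -LiteralPath $key) {
        "found key $key"
        if ($Remove) { Remove-Item -LiteralPath $key -Recurse -Force }
    }
}
```

Plug in every USB stick that has been used on the machine and run the script again for each; the worm copies itself to every removable drive it sees, so a clean PC is reinfected the next time an infected stick is inserted with AutoPlay enabled.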

Variant: Trojan.Gpcoder.G [Symantec], Troj/Ransom-U [Sophos], GPcoder.j [McAfee]

Operating Systems Affected: Windows 9x, 2000, ME,  XP,  NT, Windows Vista, Windows 7

Trojan.Gpcoder.G is a Trojan horse that encrypts the user's personal files on the infected computer and then displays a message demanding payment for the key to decrypt them. To make the threat more dramatic, it writes a text file, renders it as a .bmp image and sets that image as the desktop wallpaper. The image shows the following message:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself – just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you – even don’t try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to message a full serial key shown below in this ‘how to..’ file on desktop): xxxxxx@xxxx.xx

Listed below are the file types that the Trojan searches and encrypts then adds .ENCODED file extension.

.1cd
.3gp
.avi
.bmp
.cdr
.cer
.dbf
.doc
.docx
.dwg
.flv
.ifo
.jpeg
.jpg
.kwm
.lnk
.m2v
.max
.md
.mdb
.mdf
.mov
.mp3
.mpeg
.mpg
.odt
.p12
.pdf
.pfx
.ppt
.pptx
.psd
.pwm
.rar
.txt
.vob
.xls
.xlsx
.zip

Manual removal of Trojan.Gpcoder.G is not recommended at this time; instead, here is a guide to removing the Trojan with your current anti-virus / anti-malware program. Removing the Trojan does not decrypt the files, so keep the .ENCODED files rather than deleting them.

• Disable Windows System Restore (Windows ME/ XP users only)

• Boot to Safe Mode with Networking (press the F8 key before the Windows Logo appears then choose safe mode with networking → hit enter → and login on an account with Administrator credentials)

• Download and install an Anti-Virus / Anti-Malware Program (If your system doesn’t have any security software)

• Update definition files and run an anti-virus / anti-malware full system scan

• Restart the computer
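Before the scan, record what was encrypted: the scanner removes the Trojan but brings nothing back, and the .ENCODED files are what any later decryption tool or the vendor would need. The script below is an added example, not part of the original guide. Because the Trojan keeps the original name and appends .ENCODED, the original extension is still visible, so the damage can be summarised by file type; the script writes a CSV inventory and deliberately deletes nothing. The -Root parameter and the CSV name are my own.

```powershell
# Added example (not part of the original guide): inventory of files encrypted by
# Trojan.Gpcoder.G, grouped by original extension. Read-only.
param([string]$Root = $env:USERPROFILE)

$hits = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -Filter '*.ENCODED' -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer })

'{0} encrypted files under {1}' -f $hits.Count, $Root
$hits | Group-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |   # BaseName strips .ENCODED
    Sort-Object Count -Descending |
    ForEach-Object {
        $bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
        '{0,-8} {1,6} files {2,14:N0} bytes' -f $_.Name, $_.Count, $bytes
    }

$csv = Join-Path $Root 'encoded-files.csv'
$hits | Select-Object FullName, Length, LastWriteTime | Export-Csv -Path $csv -NoTypeInformation
"inventory written to $csv"
```

Run it once per user profile and once for any data drive; the LastWriteTime column gives the time window of the encryption, which narrows down when and how the Trojan arrived.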


Variant: Adware.Clickpotato, ADSPY/AdSpy.Gen2, AdWare.AdSpy and Pinball

Operating Systems Affected: Windows 9x, ME, NT, 2000, XP, Windows Server, Windows Vista, Windows 7

ClickPotato is an adware program designed to bombard PC users with advertisement pop-up windows. The adware is also known as ADSPY/AdSpy.Gen2 (Avira), AdWare.AdSpy (Ikarus) and Pinball (Sunbelt Software). Once ClickPotato is installed, the system becomes very sluggish, both in network connectivity and in processing power.

If you encounter the ClickPotato installation prompt, don't install it! If you already did, follow the step-by-step removal guide below.

Manual removal guide for Adware.Clickpotato:

• Disable Windows System Restore (Windows ME/ XP users only)

• Restart and Login to Safe Mode (Press the F8 key on boot up before the Windows Logo appears)

• Disable ClickPotato from browser addon (example: Internet Explorer → Tools → Internet Options → Programs Tab → Manage Add-ons → Highlight Clickpotato → disable)

• Uninstall ClickPotato (Control Panel → Add/Remove Programs → Highlight Clickpotato → Uninstall)

• Show Hidden Files and Folders

• Navigate and Delete Clickpotato adware files:

C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA.dat
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAau_update.dat
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht
C:\Documents and Settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf_update.dat
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato\About Us.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk
%ProgramFiles%\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
%ProgramFiles%\ClickPotatoLite\bin\[VERSION NUMBER]\ClickPotatoLiteSA.exe
%ProgramFiles%\ClickPotatoLite\bin\[VERSION NUMBER]\ClickPotatoLiteSAAX.dll
%ProgramFiles%\ClickPotatoLite\bin\[VERSION NUMBER]\ClickPotatoLiteSABHO.dll
%ProgramFiles%\ClickPotatoLite\bin\[VERSION NUMBER]\ClickPotatoLiteSAHook.dll
%ProgramFiles%\ClickPotatoLite\bin\[VERSION NUMBER]\ClickPotatoLiteUninstaller.exe
%ProgramFiles%\ClickPotatoLite\bin\[VERSION NUMBER]\firefox\extensions\install.rdf
%ProgramFiles%\ClickPotatoLite\bin\[VERSION NUMBER]\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll

• Navigate to and delete the listed registry keys (Start → Run → regedit):

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MenuButtonIE.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{419EDA30-6DFF-432C-B534-E15D899ABEE4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C55CA95C-324B-451C-B2D2-6E895AA75FEC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClickPotatoLiteAx.Info
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClickPotatoLiteAx.Info.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MenuButtonIE.ButtonIE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClickPotatoLiteSA
HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite
HKEY_CURRENT_USER\Software\clickpotatolitesa

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Restart the computer

• Update definition files and run an Anti-Virus / Anti-Malware system scan
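A flat list of CLSIDs says nothing about what each one loads, and add-ons that survive the uninstall are easy to miss. The script below is an added example, not part of the original guide: it resolves a CLSID to the DLL registered under its InprocServer32 key, lists every Browser Helper Object Internet Explorer will load (that ClickPotato registers its BHO DLL there is an assumption; the flag is just a name match), and then reports the keys from the list above, deleting them when run with -Remove. The Wow6432Node branches cover 32-bit Internet Explorer on 64-bit Windows 7. Function, script and switch names are my own.

```powershell
# Added example (not part of the original guide): resolve ClickPotato's COM classes to their
# DLLs, list all Browser Helper Objects, and remove the listed keys with -Remove. Run elevated.
param([switch]$Remove)

function Resolve-Clsid([string]$Clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $srv = Get-ItemProperty -LiteralPath "$root\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { return [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)') }
    }
    return '(not registered)'
}

# 1. Every Browser Helper Object and the DLL behind it.
foreach ($bhoKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
    foreach ($bho in Get-ChildItem -LiteralPath $bhoKey) {
        $dll  = Resolve-Clsid $bho.PSChildName
        $flag = if ($dll -match 'ClickPotato') { 'SUSPECT' } else { 'ok' }
        '{0,-7} BHO {1} -> {2}' -f $flag, $bho.PSChildName, $dll
    }
}

# 2. Keys from the list above (the AppID, Interface and TypeLib entries can be appended the same way).
$listed = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC}',
    'HKLM:\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}',
    'HKLM:\SOFTWARE\Classes\CLSID\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5}',
    'HKLM:\SOFTWARE\Classes\ClickPotatoLiteAx.Info',
    'HKLM:\SOFTWARE\Classes\ClickPotatoLiteAx.Info.1',
    'HKLM:\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles',
    'HKLM:\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1',
    'HKLM:\SOFTWARE\Classes\MenuButtonIE.ButtonIE',
    'HKLM:\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClickPotatoLiteSA',
    'HKLM:\SOFTWARE\ClickPotatoLite',
    'HKCU:\Software\clickpotatolitesa'
)
foreach ($key in $listed) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $info = if ($key -match '\\CLSID\\(\{[^}]+\})$') { ' -> ' + (Resolve-Clsid $Matches[1]) } else { '' }
    "present: $key$info"
    if ($Remove) { Remove-Item -LiteralPath $key -Recurse -Force }
}
```

The PreApproved and ElevationPolicy entries are worth a second look even after the uninstaller has run: PreApproved lets an ActiveX control load without the usual prompt and ElevationPolicy lets a process escape IE's Protected Mode, so a leftover entry there is exactly what a reinstall of the adware would exploit.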

Variant: Worm_Lamin.AC, W32.IRCBot, Worm:Win32/Lamin.A

Operating Systems Affected: Windows 9x, 2000, ME,  XP,  NT, Windows Vista, Windows 7

Worm_Lamin.AC is a computer worm that spreads via instant messaging applications. What does Worm_Lamin.AC do?
- It deletes or modifies registry entries belonging to security software and anti-virus programs.
- Disables anti-virus, firewall and security update alerts.
- Disables Internet Connection Sharing.
- Sends IM messages containing a download link for the worm.
- Runs automatically at Windows startup.

How to manually remove Worm_Lamin.AC?

• Disable System Restore (Windows ME and XP users only) Right click My Computer → Properties → System Restore tab → Put a check mark on Turn off system restore on all drives box → Restart Computer

• Restart and boot under safe mode (Press the F8 key before the Windows Logo appears then log in on an account with administrator credentials)

• Show hidden files and folders (Open My Computer → Tools → Folder Options → View Tab → click show hidden folders, files and drives. Uncheck hide operating systems files. Click OK)

• Delete the following infected files:
%Program Files%\Microsoft Office\OFFICE11\control.ini
%Program Files%\Microsoft Office\OFFICE11\Drvics32.dll
%Program Files%\Microsoft Office\OFFICE11\hjwgsd.dll
%Program Files%\Microsoft Office\OFFICE11\jwiegh.dll
%Program Files%\Microsoft Office\OFFICE11\PUB60SP.mrc
%Program Files%\Microsoft Office\OFFICE11\remote.ini
%Program Files%\Microsoft Office\OFFICE11\ruimsbbe.dll
%Program Files%\Microsoft Office\OFFICE11\yofc.dll
%Program Files%\Microsoft Office\OFFICE11\smss.exe

• Registry keys the worm deletes (click Start → Run → regedit → OK to check): these belong to Windows Security Center, Windows Defender and the firewall, not to the worm. Do not delete them yourself; if they are missing, that confirms the infection, and they need to be restored, not removed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

• Delete the following registry values ({Application name} is the name of the program the worm blocks, typically a security product; a Debugger value of cmd.exe /c del makes Windows run that command instead of the program):
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = %Program Files%\Microsoft Office\OFFICE11\WINWORD.EXE

HKEY_CLASSES_ROOT\exefile
NeverShowExt =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = 0 (on Windows Vista / 7 set this back to 1 instead of deleting it, so that UAC is turned on again)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application name}
Debugger = cmd.exe /c del

• Restore the registry values the worm changed (DWORD values are shown as regedit displays them, in hexadecimal: Type 20 is 0x20, the type of a service hosted in svchost.exe; Start 2 is Automatic; Start 4 is Disabled):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden: from 0 to 1
ShowSuperHidden: from 0 to 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess (Windows Firewall / Internet Connection Sharing)
Type: from 4 to 20
Start: from 4 to 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc (Security Center)
Type: from 4 to 20
Start: from 4 to 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv (Automatic Updates)
Type: from 4 to 20
Start: from 4 to 2

{Disclaimer: Backup the registry before making any changes! Registry modification is done at your own risk}

• Restart the computer
• Run an Anti-Virus / Anti-Malware system scan
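The Lamin clean-up is mostly undoing registry tampering, which is tedious and easy to get wrong in regedit (the service values are hexadecimal). The script below is an added example, not part of the original guide: it audits the services, the Image File Execution Options hijack, the Winlogon Shell, the hidden .exe extension, UAC and the hidden-file settings listed above, and repairs them only when run with -Repair. Only Debugger values matching the worm's cmd.exe /c del pattern are removed, because legitimate Debugger entries (a just-in-time debugger, for instance) exist. Function, script and switch names are my own; run it elevated.

```powershell
# Added example (not part of the original guide): audit and, with -Repair, undo the
# Worm_Lamin.AC registry tampering listed above. Type 0x20 = SERVICE_WIN32_SHARE_PROCESS
# (an svchost-hosted service); Start 2 = Automatic, 4 = Disabled.
param([switch]$Repair)

function Set-Dword([string]$Key, [string]$Name, [int]$Value) {
    if ($Repair) { Set-ItemProperty -LiteralPath $Key -Name $Name -Value $Value -Type DWord }
}

# 1. Services the worm disabled: Windows Firewall / ICS, Security Center, Automatic Updates.
foreach ($svc in 'SharedAccess', 'wscsvc', 'wuauserv') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path -LiteralPath $key)) { '{0}: service key missing' -f $svc; continue }
    $p = Get-ItemProperty -LiteralPath $key
    '{0,-12} Type=0x{1:X} Start={2}' -f $svc, $p.Type, $p.Start
    Set-Dword $key 'Type'  0x20
    Set-Dword $key 'Start' 2
}

# 2. Image File Execution Options: Debugger = "cmd.exe /c del" deletes the named program at launch.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($app in Get-ChildItem -LiteralPath $ifeo) {
    $dbg = (Get-ItemProperty -LiteralPath $app.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    '{0,-30} Debugger = {1}' -f $app.PSChildName, $dbg
    if ($Repair -and $dbg -match '^cmd\.exe\s+/c\s+del') { Remove-ItemProperty -LiteralPath $app.PSPath -Name 'Debugger' }
}

# 3. Shell hijack (a per-user Shell value is normally absent), hidden .exe extension, UAC, hidden files.
$winlogonCU = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogonCU -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell) {
    "HKCU Winlogon\Shell = $shell"
    if ($Repair) { Remove-ItemProperty -LiteralPath $winlogonCU -Name 'Shell' }
}

$exefile = 'Registry::HKEY_CLASSES_ROOT\exefile'
if ((Get-Item -LiteralPath $exefile).GetValueNames() -contains 'NeverShowExt') {
    'HKCR\exefile\NeverShowExt is set (.exe extensions hidden)'
    if ($Repair) { Remove-ItemProperty -LiteralPath $exefile -Name 'NeverShowExt' }
}

$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -LiteralPath $pol -Name 'EnableLUA' -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { 'EnableLUA = 0 (UAC disabled)'; Set-Dword $pol 'EnableLUA' 1 }   # Vista / 7 only

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-Dword $adv 'SuperHidden'     1
Set-Dword $adv 'ShowSuperHidden' 1
```

After -Repair, reboot and confirm that Security Center, Windows Firewall and Automatic Updates start (sc query wscsvc, sc query SharedAccess, sc query wuauserv); a service whose key the worm deleted outright will not, and that is the point at which a Windows repair, not further registry editing, is the right tool.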