Virus Removal Guide for www.53best.com, Also Called W32.Elirt

Recently, Network Administrator has received hundreds of emails from readers asking about computers infected with the virus called www.53best.com. This virus causes many annoyances for computer users and even spreads through Yahoo Messenger. We learned that BKAV was able to kill this virus with updated version 593.

To remove this W32.Elirt virus you need to follow these steps:

1. Download the software: Bkav595 (324 KB).

2. If you use Windows Me or XP, you must turn off the operating system's System Restore function.

3. If your computer has other anti-virus programs installed, such as NAV or McAfee, you must temporarily turn off the Auto-Protect function of those programs.

4. Run Bkav and select the option to scan all files on all drives. If Bkav will not run, use Windows Task Manager to close the "Explorer.exe" process, then scan with Bkav as usual. (Or call 8683583 for advice.)

5. Restart the computer.

6. If your computer is still infected, you can do the following:

Close the Explorer.exe process in Windows 2000 / XP:

  • Right-click on the Taskbar and select Task Manager (or use the shortcut Ctrl + Shift + Esc to open Task Manager).
  • In the Task Manager window, select the "Processes" tab.
  • In the "Image Name" column, find the process named "explorer.exe", right-click it and select "End Process".

After you close the "explorer.exe" process, all windows will disappear (including the Taskbar). Do not worry: the "Windows Task Manager" window remains on the screen. Choose "File", select "New Task", click Browse and then find the executable of BKAV (the new version). In most cases, the BKAV program is located at Program Files\BKAV2002. Then proceed to kill the virus as usual.

When the virus removal is complete, restart the computer to finish.

If you still have this virus problem, you can call us directly at 04 8683583 for assistance.

Some features of the W32.Elirt virus

The virus was written in Delphi for the purpose of promoting the site 53best.com, which originated in China. The symptom of an infected computer is this: when the user runs Yahoo Messenger, strange characters with links to 53best.com are sent to whichever dialog window is active. If the person receiving this type of message clicks on the link, the W32.Elirt virus will trigger and infect their machine. It also acts as a keylogger to steal users' passwords.

Copies itself to the %System% directory under the following names:

  • msapi.exe
  • msapi.dll
  • msapi*.exe ("*" are random numbers)
  • down1.exe
  • snet.exe

When the virus is executed, the msapi.exe file is embedded in the Explorer.exe process as part of Windows Explorer. To eradicate it thoroughly, you need to read step 6 of the removal guide above again.

Creates a run key:

Shell = ......%System%\msapi.exe

in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, the virus is loaded at boot time.

Checks for the following processes on the machine and closes them:

    1. Symantec AntiVirus
    2. RavMon.exe
    3. AloneAlarm
    4. Iparmor.exe
    5. MAILMON.EXE
    6. KAVPFW.EXE

It also checks for and closes seven other Chinese antivirus programs.

Gathers information on the victim machine and sends it back by e-mail to the virus writer.
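
A check for the file names and the Winlogon Shell value listed above, as an added example (not part of the original article and not Bkav's own logic): it parses `reg query` output for the Shell value and matches a %System% directory listing against the listed names. The sample inputs are constructed, and the leading part of the sample Shell data is an assumption because the article elides it.

```python
import ntpath
import re

# Names the article lists as dropped in %System% ("msapi*.exe" has random digits).
DROPPED = re.compile(r"^(msapi(\d*\.exe|\.dll)|down1\.exe|snet\.exe)$", re.I)
DEFAULT_SHELL = "explorer.exe"  # stock Winlogon Shell value
SHELL_LINE = re.compile(r"^\s*Shell\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$", re.I | re.M)


def shell_from_reg_query(text):
    """Extract the Shell data from `reg query ...\\Winlogon /v Shell` output."""
    m = SHELL_LINE.search(text)
    return m.group(1) if m else None


def check_shell(value):
    """Return (is_default, listed file names referenced by the value)."""
    parts = [p.strip('"') for p in re.split(r"[,\s]+", value.strip())]
    hits = [ntpath.basename(p) for p in parts if DROPPED.match(ntpath.basename(p))]
    return value.strip().lower() == DEFAULT_SHELL, hits


def check_system_dir(names):
    """Return the directory entries that match the article's file names."""
    return sorted(n for n in names if DROPPED.match(n))


# Constructed sample inputs (not captured from a real machine). The article
# elides the start of the Shell data, so the leading part here is an assumption.
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    Shell    REG_SZ    Explorer.exe C:\\WINDOWS\\system32\\msapi.exe\n"
)
SAMPLE_DIR = ["kernel32.dll", "msapi.dll", "msapi4821.exe", "snet.exe", "notepad.exe"]

if __name__ == "__main__":
    shell = shell_from_reg_query(SAMPLE_REG)
    is_default, hits = check_shell(shell)
    print("Shell value:", shell)
    print("Default shell:", is_default, "| listed files referenced:", hits)
    print("Listed files in %System%:", check_system_dir(SAMPLE_DIR))
```

A Shell value that is anything other than plain `explorer.exe` deserves a closer look even when it references none of the listed names.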
