W32.Yaha.L@mm

Symantec Security Response - W32.Yaha.L@mm
(securityresponse.symantec.com/avcenter/venc/data/w32.yaha.l@mm.html)

W32.Yaha.L@mm is a worm that is a variant of W32.Yaha.K@mm. The differences between the variants do not visibly manifest themselves, so the characteristics of each will be the same.

Type: Worm
Infection Length: 34,304 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

technical details

W32.Yaha.L@mm performs the same actions as W32.Yaha.K@mm, but it contains some unused code. For more details, refer to the W32.Yaha.K@mm writeup.

removal instructions

NOTE: If the worm has not run, and your Symantec antivirus product detects W32.Yaha.L@mm either in an email message, or when the worm attempts to run, delete it.

If the worm has run, do the following:

• 
  1. Download the updated virus definitions using the Intelligent Updater, but do not install them.
  2. Restart the computer in Safe mode.
  3. Copy Regedit.exe to Reg.com.

1. Edit the registry and reverse the changes the worm made.

• 
  2. Restart the computer in Normal mode.
  3. Start your Symantec antivirus software. If it does not start or properly function, re-install it.
  4. Install the Intelligent Updater virus definitions you downloaded earlier.
  5. Run a full system scan and delete the files detected as W32.Yaha.L@mm.

4. Editing the registry and reversing the changes the worm made

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

• 
  1. Navigate to and select the following key:
  
  HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open
  ommand
  
  CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the
  ommand subkey.
  
  Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open
  ommand subkey, shown in the following figure:
  
  http://home.mindspring.com/~randybell2/Yaha.J_2.gif<<=== NOTE: Modify this key.
  
  2. In the right pane, double-click the (Default) value.
  3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)
  
  NOTES:
  • On Windows 95/98/Millenium and Windows NT systems, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like:
    
    ""%1" %*"
    
  • On Windows 2000/XP systems, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like:
    
    "%1" %*
    
  • Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this occurs, restart at the beginning of this document, and make sure that you completely remove the current value data.
  4. Navigate in turn to each of the following keys:
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\RunServices
  
  NOTE: The RunServices key may not exist on all the systems.
  
  5. In the right pane, delete the value
  
  WinServices C:\%System%\WinServices.exe
  
  6. Restart the computer.

 

McAfee: W32/Yaha.L

McAfee Security - W32/Yaha.L

Name: W32/Yaha.L
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 12/30/2002
Date Added: 12/31/2002
Origin: Unknown
Length: 34,304 bytes
Type: Virus
SubType: E-mail worm
DAT Required: 4240

Virus Characteristics

The 4239 DAT files will detect this threat as W32/Yaha.gen. Exact detection of W32/Yaha.l was included in the 4240 DAT files. This worm propagates via email using its own built-in SMTP engine. It terminates specific processes if they are running (AV/security related), and contains code to deliver a denial of service attack against a remote machine (the target is hard-coded within the worm).


The worm arrives as an attachment to a message formatted as follows:

Subject: (chosen from the following list

• Are you a Soccer Fan ?
• Are you beautiful
• Are you the BEST
• Check it out
• Demo KOF 2002
• Feel the fragrance of Love
• Freak Out
• Free Demo Game
• Free rAVs Screensavers
• Free Screenavers of Love
• Free Screensavers
• Free Screensavers 4 U
• Free Win32 API source
• Free XXX
• Hardcore Screensavers 4 U
• I Love You..
• Jenna 4 U
• Learn SQL 4 Free
• Lovers Corner
• Need money ??
• One Hacker's Love
• One Virus Writer's Story
• Patch for Elkern.gen
• Patch for Klez.H
• Play KOF 2002 4 Free
• Project Sample Screensavers
• Sample KOF 2002
• Sample Playboy
• Screensavers from Club Jenna
• Sexy Screensavers 4 U
• The King of KOF Wanna Brawl ??
• Things to note
• Visit us
• Wanna be a HE-MAN
• Wanna be friends ?
• Wanna be friends ?
• Wanna be like a stone ?
• Wanna be my sweetheart ??
• Wanna Hack ??
• Wanna Rumble ??
• We want peace
• Whats up
• Who is your Valentine
• World Tour
• WWE Screensavers
• XXX Screensavers 4 U

Attachment: Possible filenames include:

• Beautifull.scr
• Body_Building.scr
• Britney_Sample.scr
• Codeproject.scr
• Cupid.scr
• FixElkern.com
• FixKlez.com
• FreakOut.exe
• Free_Love_Screensavers.scr
• Hacker.scr
• Hacker_The_LoveStory.scr
• Hardcore4Free.scr
• I_Love_You.scr
• Jenna_Jemson.scr
• King_of_Figthers.exe
• KOF.exe
• KOF_Demo.exe
• KOF_Fighting.exe
• KOF_Sample.exe
• KOF_The_Game.exe
• KOF2002.exe
• Love.scr
• My_Sexy_Pic.scr
• MyPic.scr
• MyProfile.scr
• Notes.exe
• Peace.scr
• Playboy.scr
• Plus2.scr
• Plus6.scr
• Project.exe
• Ravs.scr
• Real.scr
• Romantic.scr
• Romeo_Juliet.scr
• Screensavers.scr
• Services.scr
• Sex.scrSoccer.scr
• Sexy_Jenna.scr
• SQL_4_Free.scr
• Stone.scr
• Sweetheart.scr
• The_Best.scr
• THEROCK.scr
• up_life.scr
• Valentines_Day.scr
• VXer_The_LoveStory.scr
• Ways_To_Earn_Money.exe
• World_Tour.scr
• xxx4Free.scr
• zDenka.scr
• zXXX_BROWSER.exe

Message Body: Strings within the virus suggest multiple possible message body contents (body contents and attachment filename chosen together):

hey,
did u always dreamnt of hacking ur friends hotmail account..
finally i got a hotmail hack from the internet that really works..
ur my best friend thats why sending to u..
check it..just run it..enter victim's address and u will get the pass.

hi,
check the attached love screensaver
and feel the fragrance of true love..

Hi,
check the attached screensaver..
its really wonderfool..
i got it from freescreensavers.com

Hi,
check ur friends circle using the attached friendship screensaver..
check the attached screensaver
and if u like it send it to all those you consider
to be true friends... if it comes back to you then
you will know that you have a circle of friends..

Hi,
check the attached screensaver
and enjoy the world of friendship..

Hi,
are u in a rocking mood...
check the attached scrennsaver and start shaking..

Hi,
Check the attached screensaver..

Hi,
Are you lonely ??..
check the attached screensaver and
forget the pain of loneliness

Hi,
Looking for online pals..
check the attached friend finder software..

Hi,
sending you a screensaver..
checkit and let me know how it is...

Hi,
Check the attached screensaver
and feel the fragrance of true love...

Hey,
I just got this wonderfull screensaver from freescreensaver.com..
Just check it out and let me know how it is..

Hi,? I just came across it.. check out..??=====================================================================
Are you one of those unfortunate human beings who are desperately
looking for friends.. but still not getting true friends with whom
you can share your everything..

anyway you wont feel down any more cause GC Chat Network has brought
up a global chat and online match making system using its own GC
Messenger. Attached is the fully functional free version of GC
Instant Messenger and Match Making client..
Just install, register an account with us and find thousands of online
pals all over the world..
You can also search for friends by specific country,city,region etc.

Regards Admin,
GC Global Chat Network System..

Hi,
So you think you are in love..
is it true love ? you may think right now that you are in
true love but it is certainly possible that it is nothing
but a mere infatuation to you..

anyway to know yourself better than you have ever known check
the attached screensaver and feel the fragrance of true love..

Hey pal,
you know friendship is like a business...
to get something you need to give something..
though its not that harsh as business but to
get love and care from your friends you need to give
love,care and respect to your friends.. right{BR>
check the attached screensaver and you will learn how to
make your friends happy..

Hi,
Its quite obvious that in our life we have numerous friends
but.. BUT Best Friend can only be ONE.. right {BR>so can you decide who is your best friend {BR>i guess not.. cause mostly you will find that your best friend
wont care about u like somebody else..

anyway i found one way to find who is my best friend..
check it..
just check the attached screensaver.. answer some questions
in it and also ask your best friend to answer the questions..

..then you will know more about him..

Hey pal,
wanna have some fun in life... {BR>feel like life is too boring and monotonous..
check the attached screensaver and bring colours
to your black & white life..

Hi,
I just came across this funny screensaver..
sending it to u.. hope u like it..
check out and die laughing..

<<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

This E-Mail is never sent unsolicited. If you receive this
E-Mail then it is because you have subscribed to the official
newsletter at the KOF ONLINE website.

King Of Fighters is oneof the greatest action game ever made.
Now after the mind boggling sucess of KOF 2001 SNK proudly
presents to you KOF 2002 with 4 new charecters.

Even though we need no publicity for our product but this
time we have decided to give away a fully functional trial
version of KOF 2002. So check out the attached trial version
of KOF 2002 and register at our official website toget a free
copy of KOF2002 original version

Best Regards,
Admin,KOF ONLINE..

<<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

Hello,
I just came across your email ID while searching in the Yahoo profiles.
Actually I want a true friend 4 life with whom I can share my everything.
So if you areinterested in being my friend 4 life then mail me.

If you wanna know about me, attached is my profile along with some of my
pics. You can check and if you like it then do mail me.
I will be waiting for your mail.

Best Wishes,
Your Friend..

Hello,
Looking for some Hardcore mind boggling action ?
Install the attached browser software and browse
across millions of paid hardcore sex sites for free.
Using the software you can safely and easily browse
across most of the hardcore XXX paid sites across the
internet for free. Using it you can also clean all
traces of your web browsing from your computer.

Note:The attached browser software is made exclusivley
for demo only. You can use the software for a limited
time of 35 days after which you have to register it
at our official website for its furthur use.

Regards,
Admin.

Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.

Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.

We developed this free immunity tool to defeat the malicious virus.

You only need to run this tool once,and then Klez will never come into your PC

Hello,
The attached product is send as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free fully functional sample of our
product.If you are satifiedthen you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this software
to your friends using your account ID and for each person who registers
with us through your account, we will pay you $1.5.Once your account reaches
the limit of $50, your payment will be send to your registration address by
check or draft.

Please note that the registration process is completely free which means
by participating in this program you will only gain without loosing anything.

Best Regards,
Admin,

The virus contains the following strings (similar to previous Yaha variants):

?teRminAtioN oF aV + FireWaLL f0r sUrvIvaL.
?tImE dEfiNed tRigErRinG.. jUst f0r fUn.. n0 paYloaD.
?c0ntAinS bUg iN rEpliCation c0de.. no tIme t0 fiX.

Indications of Infection

The virus copies itself into the Windows System directory (eg. C:\WINDOWS\SYSTEM) multiple times, using the following filenames:

• NAV32_LOADER.EXE
• TCPSVS32.EXE
• WINSERVICES.EXE

System startup is hooked by adding the following Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinServices"= C:\WINDOWS\SYSTEM\WinServices.exe


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WinServices" = C:\WINDOWS\SYSTEM\WinServices.exe

The subsequent execution of EXE files is also hooked, via modifying the following key:

HKEY_CLASSES_ROOT\exefile\shell\open
ommand "(Default)"
which is changed from:

"%1" %*
to:

"C:\WINDOWS\SYSTEM\nav32_loader.exe""%1"%*

In testing on NT/2000 systems, the virus was observed to make copies of itself in the Windows System directory using a filename from the following list:

• hotmail_hack.exe
• friendship.scr
• world_of_friendship.scr
• shake.scr
• Sweet.scr
• Be_Happy.scr
• Friend_Finder.exe
• I_Like_You.scr
• love.scr
• dance.scr
• GC_Messenger.exe
• True_Love.scr
• Friend_Happy.scr
• Best_Friend.scr life.scr
• colour_of_life.scr
• friendship_funny.scr
• funny.scr

The virus terminates processes those matching the following (the list is hard-coded within the virus):

• _AVP32
• _AVPCC
• _AVPM
• ACKWIN32
• ALERTSVC
• AMON.EXE
• ANTIVIR
• ATRACK
• AVCONSOL
• AVP.EXE
• AVP32
• AVPCC.EXE
• AVPM.EXE
• AVSYNMGR
• CFINET
• CFINET32
• ESAFE.EXE
• F-AGNT95
• F-PROT95
• F-STOPW
• FP-WIN
• FRW.EXE
• IAMAPP
• IAMSERV.EXE
• ICMON
• IOMON98
• LOCKDOWN2000
• LOCKDOWNADVANCED
• LUALL
• LUCOMSERVER
• MCAFEE
• N32SCANW
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVRUNR
• NAVW32
• NAVWNT
• NISSERV
• NISUM
• NMAIN
• NOD32
• NORTON
• NPSSVC
• NRESQ32
• NSCHED32
• NSCHEDNT
• NSPLUGIN
• NVC95
• PCCIOMON
• PCCMAIN
• PCCWIN98
• PCFWALLICON
• POP3TRAP
• PVIEW
• PVIEW95
• REGEDIT
• RESCUE32
• RMVTRJANSAFEWEB
• SCAN32
• SWEEP95
• SYMPROXYSVC
• TDS2-98
• TDS2-NT
• VET95
• VETTRAY
• VSECOMR
• VSHWIN32
• VSSTAT
• WEBSCANX
• WEBTRAP
• ZONEALARM

Method of Infection

The virus installs itself on the victim machine upon execution. It terminates various processes (AV and security product related).

The virus tries to gather email addresses from MAILTO links within *ht*, and *HoTMaiL* files, the Windows Address Book, MSN Messenger contacts, Yahoo Pager contacts. Messages are sent to the addresses found as mentionned above, using SMTP. The default SMTP server is retrieved from the registry:

[*]HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

Removal Instructions

Use current engine and DAT files for detection and removal.

Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

Alternatively, the following steps will circumvent the virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.

• 
  1. Ensure that you are using the minimum DAT (specified above) or higher
  2. Close all running applications
  3. Disconnect the system from the network
  4. Click START | RUN, type command and hit ENTER
  5. Change to the VirusScan engine directory:
  
  • Win9x/ME - Type cd \progra~1
    ommon~1\networ~1\viruss~1\40~1.xx and hit ENTER
  • WinNT/2K/XP - Type cd \progra~1
    ommon~1\networ~1\viruss~1\4.0.xx and hit ENTER
  
  6. Type scan.exe /adl /clean and hit ENTER
  7. After scanning and removal is complete, reboot the system and reconnect to the network

Additional Windows ME/XP removal considerations

Aliases
I-Worm.Lentin.j (AVP), W32.Yaha.L@mm (Symantec), W32/Lentin.L (Panda), W32/Yerh.A (F-Prot)

 

THANK YOU, Randy. I read your posts before I checked my email, and found 8 in my mailbox, either the K or L version.

More than likely my AV would have caught them had I opened the attachments, from a close friend, but I played it safe and deleted them. Next step is to email the friend and tell her that might have a bug in her system.

Thank you again, and keep up the good work and warnings.
Chuck

 

Panda: W32/Lentin.L

Panda Virus Encyclopedia - W32/Lentin.L

Common name: Lentin.L
Technical name: W32/Lentin.L
Threat level: Very low
Type: Worm
Effects: It terminates processes belonging to antivirus programs and firewalls, among others.
Systems affected: Windows XP/2000 Pro/NT/Me/98/95
First appeared on: Dec. 29, 2002
In circulation? No

Brief Description

Lentin.L is a worm that reaches computers in a file attached to an e-mail message with variable characteristics.

The effects of Lentin.L are considered dangerous because:

• 
  It spreads rapidly via e-mail.
  It terminates several processes in affected computers, which causes, among others, antivirus programs and firewalls to stop.

Visible Symptoms

There is no clear indication that Lentin.L has reached your computer.

It is also difficult to identify the messages carrying Lentin.L, as their characteristics vary each time. The name of the attached file that carries out the infection is selected at random from a list and has an SRC, EXE or COM extension.

For a list of the possible names of the attached file carrying Lentin.L, click here.

Effects

Lentin.L terminates several processes corresponding to antivirus programs and Firewalls in affected computers, if they are active. The processes are:

_AVP32, _AVPCC, _AVPM, ACKWIN32, ALERTSVC, AMON.EXE, ANTIVIR, TRACK, AVCONSOL, AVP.EXE, AVP32, AVPCC.EXE, AVPM.EXE, AVSYNMGR, CFINET, CFINET32, ESAFE.EXE, F-AGNT95, F-PROT95, FP-WIN, FRW.EXE, F-STOPW, IAMAPP, IAMSERV.EXE, ICMON, IOMON98, LOCKDOWN2000, LOCKDOWNADVANCED, LUALL, LUCOMSERVER, MCAFEE, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NISSERV, NISUM, NMAIN, NOD32, NORTON, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NVC95, PCCIOMON, PCCMAIN, PCCWIN98, PCFWALLICON, POP3TRAP, PVIEW, PVIEW95, REGEDIT, RESCUE32, RMVTRJANSAFEWEB, SCAN32, SWEEP95, SYMPROXYSVC, TDS2-98, TDS2-NT, VET95, VETTRAY, VSECOMR, VSHWIN32, VSSTAT, WEBSCANX, WEBTRAP, ZONEALARM.

Means of infection

Lentin.L creates the following files in the Windows system directory:

• 
  WINSERVICES.EXE.
  NAV32_LOADER.EXE
  TCPSVS32.EXE

These files contain the worm’s code.

Lentin.L also creates copies of itself in the Windows system directory under names selected at random from the following list:

• 
  BE_HAPPY.SCR
  BEST_FRIEND.SCR
  COLOUR_OF_LIFE.SCR
  DANCE.SCR
  FRIEND_FINDER.EXE
  FRIEND_HAPPY.SCR
  FRIENDSHIP.SCR
  FRIENDSHIP_FUNNY.SCR
  FUNNY.SCR
  GC_MESSENGER.EXE
  HOTMAIL_HACK.EXE
  I_LIKE_YOU.SCR
  LIFE.SCR
  LOVE.SCR
  SHAKE.SCR
  SWEET.SCR
  TRUE_LOVE.SCR
  WORLD_OF_FRIENDSHIP.SCR

Lentin.L creates the following entries in the Windows Registry:

• 
  HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run WinServices.exe C:\ %System%\ WinServices.exe
  HKEY_LOCAL_MACHINE\ Software\Microsoft\ Windows\ CurrentVersion\ RunServices WinServices.exe C:\ %System%\ WinServices.exe

With this entry, Lentin.L ensures that it is run every time Windows is started.

• 
  HKEY_LOCAL_MACHINE\ Software\ Classes\ exefile\ shell\ open\ command

The following value is applied to this entry: %System%\ WinServices.exe"%1 %*. By doing this, Lentin.L configures itself every time a file with an EXE extension is run.

Means of transmission

Lentin.L mainly uses e-mail to spread. Lentin.L reaches computers hidden in an e-mail message with variable characteristics:

• 
  Subject: Variable. For a list of the possible subjects of the e-mail messages carrying Lentin.L, click here.
  Message: Variable. For a list of the possible content of the e-mail messages carrying Lentin.L, click here.
  Attachments: Variable. For a list of the possible names of the files carrying Lentin.L, click here.
  Sender: Variable. For a list of the possible senders of the e-mail messages carrying Lentin.L, click here.

Lentin.L uses it own SMTP engine to send infected e-mail messages to all the contacts in the Windows, MSN Messenger, .NET Messenger and Yahoo Pager Address Books, and the addresses it finds in the files with an HT extension.

Lentin.L tries to use the default SMTP server address in the infected computer to send out the e-mail messages, but if it does not find the necessary information, it uses one of the many SMTP server addresses contained in its code.

Other Details

Lentin.L is written in the programming language C++. The file that carries out the infection is compressed with UPX and is 34,304 bytes in size.


Is my computer infected by Lentin.L?

In order to make absolutely sure that Lentin.L has not infected your computer, you have the following options:

A. Carry out a full scan of your computer using Panda Antivirus, after checking that it is updated. If it isn't and you are a registered Panda Software client, update it by clicking here.

B. Check the computer with Panda ActiveScan, Panda Software's free, online scanner, which will quickly detect any possible viruses.

How to remove Lentin.L

Above all, if you have received a message with any of the characteristics described in the section Means of transmission, do not run the attached file and delete the message, making sure that you also delete it from the Deleted Items folder.

If your Panda Antivirus or Panda ActiveScan detects Lentin.L during the scan, it will automatically offer you the option of deleting it. Do this by following the programs instructions.

In order to restore the original configuration of your computer, follow the steps below:

• Delete the entries that this worm has inserted in the Windows Registry:
  
  • 
    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    WinServices.exe C:\ %System%\ WinServices.exe
    
    HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunServices
    WinServices.exe C:\ %System%\ WinServices.exe
    
    HKEY_LOCAL_MACHINE\ Software\ Classes\ exefile\ shell\ open\ command
    %System%\ WinServices.exe"%1 %*
  
  If you cannot access the Windows Registry, restart your computer in safe mode, then, rename the REGEDIT.EXE and call it REGEDIT.COM. Run REGEDIT.COM and delete the entries that the worm has inserted in the Windows Registry. Finally changes the file name back to REGEDIT.EXE.
  
• Restart your computer.

Additional notes:

• 
  For instructions on how to modify the Windows Registry, click here.
  
  If your computer has Windows Millennium or Windows XP installed, click here to permanently remove all trace of the virus.

How to protect your computer from Lentin.L

In order to keep your computer protected, bear the following tips in mind:

• If you have filtering tools installed, configure them to reject messages with the characteristics described in the section Means of transmission. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
  
• Install a good antivirus in your computer. Click here to get the Panda antivirus solution that best suits your needs.
  
• Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  
• Keep your permanent antivirus protection enabled at all times.

For more detailed information about how to protect your computer against viruses, click here.