354 Words
Posted 01.08.09
Manual Removal of W32/Hexzone.GII Trojan.
W32/Hexzone.GII is a trojan that infects Windows systems.
This trojan first appeared on January 8, 2009.
Other names of W32/Hexzone.GII Trojan:
This trojan is also known as Trojan-Ransom.Win32.Hexzone.gii, DR/Ransom.Hexzone.gii
Damage Level : Medium/High
Distribution Level: Medium
No Removal Tool for W32/Hexzone.GII Trojan
Removal instructions from Symantec
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as soon as the screen comes on; select Safe Mode and press Enter.
The infected files can be found at the following locations and may also appear as running tasks.
End the following active processes before removal:
- [ Kill the process; use Killbox if access is denied ]
- %Windows\System\fbilib.dll
If any of these files appear as running processes in Task Manager, end the process before removal.
Note: if Task Manager is disabled, download the following file: Enable Registry.reg
Open it with Regedit.exe [%system32\regedit.exe]; when asked whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or dialog boxes when you run it.]
The trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
Search the registry for the file names listed above to remove them completely:
Edit menu - Find, enter the keyword, and delete every value the search finds.
Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
792 Words
Posted 01.07.09
Manual Removal of W32.Versie.A Trojan.
W32.Versie.A is a trojan that infects Windows systems.
This trojan first appeared on January 7, 2009.
Other names of W32/Agent.XRB Trojan:
This trojan is also known as Trojan-Downloader.Win32.Agent.xrb, W32.Versie.A
The worm checks for the presence of %System%\drivers\klick.sys and, if found, sets the date to 1981 and pings 127.0.0.1.
The worm opens a back door on the compromised computer that connects to jackie.crwoo.com on TCP port 1986 and awaits further commands, which allow a remote attacker to perform some of the following actions:
Log keystrokes typed
Download and execute additional files
Shut down the compromised computer
The worm may download the following file:
%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\Beizhu.txt (log files)
It creates custom Internet Favorites by dropping URL links in the following folder:
%UserProfile%\Favourites
The worm disables encryption for Tencent Messenger by deleting the file npkcrypt.sys from the application installation folder.
Note: The default installation folder is usually C:\Program Files\Tencent\QQ\.
The worm sends the following system information to the remote attacker:
CPU speed
Memory available
OS version
Service Packs installed
Damage Level : Medium/High
Distribution Level: Medium
No Removal Tool for W32.Versie.A Trojan
Removal instructions from Symantec
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as soon as the screen comes on; select Safe Mode and press Enter.
The infected files can be found at the following locations and may also appear as running tasks.
End the following active processes before removal:
- [ Kill the process; use Killbox if access is denied ]
- %System%\_1.exe
- %System%\_autorun.exe
- %System%\_command.exe
- %System%\_ctfne.exe
- %System%\_kaspersky.exe
- %System%\_rejoice082.exe
- %System%\_server.exe
- %System%\360rtyy.exe
- %System%\system.exe
- %System%\wupdmgrv.exe
- %Temp%\ixp000.tmp\2.exe
- %Windir%\userinit.exe
- c:\autorun.exe
- c:\ctfne.exe
- c:\kaspersky.exe
- %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\_[RANDOM NAME1].exe
- %System%\[RANDOM NAME1].exe
- It copies itself to the root of fixed and removable drives as the following files:
- %Drive\[RANDOM NAME1].exe
- %Drive\Autorun.inf
- Service name: LocalSystem
- Display name: Windows Rnljm MingZai
- Description: Foundation network connection
- Image Path: %System%\rnljm.exe [ Kill the process; use Killbox if access is denied ]
- Startup Type: Automatic
To stop the service: click Start, Run, type services.msc, and press Enter. Find the display name, open Properties, press Stop, change the startup type from Automatic to Disabled, and click OK.
- iexplore.exe [ Kill the process; use Killbox if access is denied ]
- svchost.exe [ Kill the process; use Killbox if access is denied. svchost.exe is also a legitimate Windows host process, so end only the instance that is running the malware, not every svchost.exe ]
Note: if Task Manager is disabled, download the following file: Enable Registry.reg
Open it with Regedit.exe [%system32\regedit.exe]; when asked whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or dialog boxes when you run it.]
The trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
It registers itself to run as a service by creating the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows\
[RANDOM NAME1]\[RANDOM NAME2]
The worm sets the following registry key to enable autorun on mapped drives:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"
It disables Start Page protection for Internet Explorer by setting the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"
The worm modifies the following registry subkey to change the Internet Explorer Start Page:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
It also modifies the following registry entries to change the user's desktop wallpaper:
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"
HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "[PATH TO DOWNLOADED WALLPAPER]"
It modifies the following registry entry to disable the Windows Remote Assistance facility:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\"fDenyTSConnections" = "0"
Search the registry for the file names listed above to remove them completely:
Edit menu - Find, enter the keyword, and delete every value the search finds.
Exit the Registry Editor.
Restart your computer.
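Before and after working through the steps above, it helps to know exactly which of the listed indicators are actually present on the machine. The following PowerShell script is an added example, not part of the original post or of any vendor tool: it is a read-only audit that checks the file paths, the tampered registry values and the service display name given in this W32.Versie.A write-up, and reports what it finds without killing processes or deleting anything. The mapping of the post's %System%, %Windir%, %Temp%, %ProgramFiles% placeholders onto real folders is an assumption (they are the usual Windows locations); the real registry value name is fDenyTSConnections, so it is checked alongside the spelling used in the post.

```powershell
# Added example (not from the original post): read-only audit for the
# W32.Versie.A indicators listed above. Run from an elevated PowerShell prompt.

# File indicators, written with the post's %Var% placeholders.
$FileIndicators = @(
    '%System%\_1.exe', '%System%\_autorun.exe', '%System%\_command.exe',
    '%System%\_ctfne.exe', '%System%\_kaspersky.exe', '%System%\_rejoice082.exe',
    '%System%\_server.exe', '%System%\360rtyy.exe', '%System%\system.exe',
    '%System%\wupdmgrv.exe', '%System%\rnljm.exe', '%Temp%\ixp000.tmp\2.exe',
    '%Windir%\userinit.exe', 'c:\autorun.exe', 'c:\ctfne.exe', 'c:\kaspersky.exe',
    '%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\Beizhu.txt'
)

# Registry values the post says the worm sets, with the tampered value.
# Both the real name (fDenyTSConnections) and the post's spelling are checked.
$RegistryIndicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'Homepage';           Bad = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';            Name = 'fDenyTSConnections'; Bad = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';            Name = 'fDenyTSConections';  Bad = 0 }
)

function Expand-IndicatorPath {
    param([string]$Path)
    # Assumed mapping of the post's placeholders onto the standard locations;
    # any remaining %ENV% tokens are expanded by the environment.
    $map = @{
        '%System%'       = Join-Path $env:SystemRoot 'System32'
        '%Windir%'       = $env:SystemRoot
        '%Temp%'         = $env:TEMP
        '%ProgramFiles%' = $env:ProgramFiles
        '%UserProfile%'  = $env:USERPROFILE
    }
    foreach ($k in $map.Keys) { $Path = $Path.Replace($k, $map[$k]) }
    return [Environment]::ExpandEnvironmentVariables($Path)
}

function Test-FileIndicators {
    foreach ($p in $FileIndicators) {
        $full = Expand-IndicatorPath $p
        if (Test-Path -LiteralPath $full) {
            $item = Get-Item -LiteralPath $full
            [pscustomobject]@{ Type = 'File'; Indicator = $full;
                               Detail = "$($item.Length) bytes, modified $($item.LastWriteTime)" }
        }
    }
}

function Test-RegistryIndicators {
    foreach ($r in $RegistryIndicators) {
        if (-not (Test-Path -LiteralPath $r.Path)) { continue }
        $val = (Get-ItemProperty -LiteralPath $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($null -ne $val -and $val -eq $r.Bad) {
            [pscustomobject]@{ Type = 'Registry'; Indicator = "$($r.Path)\$($r.Name)"; Detail = "value is $val" }
        }
    }
}

function Test-ServiceIndicator {
    # The service key itself uses random names, so match on the display name
    # and image path the post gives.
    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -eq 'Windows Rnljm MingZai' -or $_.PathName -like '*\rnljm.exe*' } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Indicator = $_.Name;
                               Detail = "$($_.DisplayName) -> $($_.PathName) ($($_.State))" }
        }
}

$findings = @(Test-FileIndicators) + @(Test-RegistryIndicators) + @(Test-ServiceIndicator)
if ($findings.Count -eq 0) {
    Write-Output 'No W32.Versie.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Running the audit again after the manual steps confirms that the files, the service and the tampered values are really gone; a hit on %Windir%\userinit.exe is worth a second look, because the legitimate copy lives in %System%, not in the Windows root.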
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
745 Words
Posted 01.07.09
Manual Removal of W32/Agent.XRB Trojan.
W32/Agent.XRB is a trojan that infects Windows systems.
This trojan first appeared on January 7, 2009.
Other names of W32/Agent.XRB Trojan:
This trojan is also known as Trojan-Downloader.Win32.Agent.xrb, W32.Versie.A
Damage Level : Medium/High
Distribution Level: Medium
No Removal Tool for W32/Agent.XRB Trojan
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as soon as the screen comes on; select Safe Mode and press Enter.
The infected files can be found at the following locations and may also appear as running tasks.
End the following active processes before removal:
- %Windows\System\MSISERVER.exe [ 646,144 Bytes ] [ Kill the process; use Killbox if access is denied ]
- %Drive\AutoRun.inf
- %Temp%\WER4207.dir00\manifest.txt
- %Temp%\WER4207.dir00\sysdata.xml
- %Temp%\WER4207.dir00 [ Delete this Folder ]
- If any of these files appear as running processes in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the following file: Enable Registry.reg
- Open it with Regedit.exe [%system32\regedit.exe]; when asked whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or dialog boxes when you run it.]
The trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1\Security
The newly created registry values:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
Service = "Windows Installer3.1"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Windows Installer3.1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
NextInstance = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "[pathname with a string SHARE]\MSISERVER.exe"
DisplayName = "Windows Installer3.1"
ObjectName = "LocalSystem"
Description = "[mis-encoded Chinese text] Windows [mis-encoded Chinese text]"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
Service = "Windows Installer3.1"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Windows Installer3.1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
NextInstance = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "[pathname with a string SHARE]\MSISERVER.exe"
DisplayName = "Windows Installer3.1"
ObjectName = "LocalSystem"
Description = "[mis-encoded Chinese text] Windows [mis-encoded Chinese text]"
Search the registry for the file names listed above to remove them completely:
Edit menu - Find, enter the keyword, and delete every value the search finds.
Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
463 Words
Posted 01.06.09
Manual Removal of Backdoor.Win32.Rbot.gen Trojan.
Backdoor.Win32.Rbot.gen is a trojan that infects Windows systems.
This trojan first appeared on January 6, 2009.
Other names of W32/Rbot Trojan:
This trojan is also known as W32/Rbot-Fam, W32.Randex.gen, Backdoor.Win32.Rbot.gen
Damage Level : Medium/High
Distribution Level: Medium
No Removal Tool for Backdoor.Win32.Rbot.gen Trojan
Can be removed using Spyware Doctor (Download Now)
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as soon as the screen comes on; select Safe Mode and press Enter.
The infected files can be found at the following locations and may also appear as running tasks.
End the following active processes before removal:
- Delete the following files after ending the active running processes
- %Windows\xpupdate.exe [ Kill the Process ]
- %Windows\50cent.exe [ Kill the Process ]
- %Windows\files.ini
- %Windows\nav32sp.exe [ Kill the Process ]
- %Windows\oi00r1z.dll
- %Windows\prot.exe [ Kill the Process ]
- %Windows\~5c.exe [ Kill the Process ]
- %Windows\Isasss.exe [ Kill the process; use Killbox if access is denied ]
- If any of these files appear as running processes in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the following file: Enable Registry.reg
- Open it with Regedit.exe [%system32\regedit.exe]; when asked whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or dialog boxes when you run it.]
The trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\system32
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\system32
HKEY_LOCAL_MACHINE\software\FolderA\FolderB\KeyName1
HKEY_LOCAL_MACHINE\software\FolderA\FolderB\KeyName2\
Delete the values in the right-hand pane, or delete the FolderA key.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xpupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
xpupdate.exe
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
xpupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
xpupdate.exe
Search the registry for the file names listed above to remove them completely:
Edit menu - Find, enter the keyword, and delete every value the search finds.
Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
495 Words
Posted 01.06.09
Manual Removal of W32.Randex.gen Trojan.
W32.Randex.gen is a trojan that infects Windows systems.
This trojan first appeared on January 6, 2009.
Other names of W32/Rbot Trojan:
Backdoor.Win32.Rbot.gen [Kaspersky Lab]
Worm.RBot.Gen.8 [PC Tools]
Damage Level : Medium/High
Distribution Level: Medium
No Removal Tool for W32/Rbot Trojan
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as soon as the screen comes on; select Safe Mode and press Enter.
The infected files can be found at the following locations and may also appear as running tasks.
End the following active processes before removal:
- The following files can be infected with the W32.Randex.gen trojan:
- %System\agguvj.exe
- %System\bnmveqfts.exe
- %System\dllcache\winlogon.exe
- %System\dlp.exe
- %System\eejxdf.exe
- %System\explorer.exe
- %System\exuamw.exe
- %System\hostlogin.exe
- %System\iexplorer7.exe
- %System\ihost.exe
- %System\imchemaoa.exe
- %System\lexplore.exe
- %System\llass.exe
- %System\msconf.exe
- %System\msconfg.exe
- %System\msconfig.exe
- %System\msgfix.exe
- %System\mslogon.exe
- %System\msupdate.exe
- %System\mtwfdhx.exe
- %System\nvmbanr.exe
- %System\pdxfcasrq.exe
- %System\phjxqnp.exe
- %System\postalc.exe
- %System\quwsgbs.exe
- %System\regsvcd.exe
- %System\rejaww.exe
- %System\rundll32.dll
- %System\smlogsvcc.exe
- %System\spoolsrv.exe
- %System\svchosts.exe
- %System\syadpon.exe
- %System\system.exe
- %System\system32i.exe
- %System\thiskz.exe
- %System\txp\ntdzm.exe
- %System\windowantasdivri.exe
- %System\windows_update.exe
- %System\winexplore.exe
- %System\winmgr.exe
- %System\winrundll.exe
- %System\winup.exe
- %System\winupdate.exe
- %System\winupdatr.exe
- %Temp\nzm.exe
- %Windows\config\lsass.exe
- %Windows\nzm.exe
- If any of these files appear as running processes in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the following file: Enable Registry.reg
- Open it with Regedit.exe [%system32\regedit.exe]; when asked whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or dialog boxes when you run it.]
The trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Search the registry for the file names listed above to remove them completely:
Edit menu - Find, enter the keyword, and delete every value the search finds.
Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
346 Words
Posted 01.06.09
Manual Removal of W32/Rbot Trojan.
W32/Rbot is a trojan that infects Windows systems.
This trojan first appeared on January 6, 2009.
Other names of W32/Rbot Trojan:
This trojan is also known as W32/Rbot-Fam, W32.Randex.gen, Backdoor.Win32.Rbot.gen
Damage Level : Medium/High
Distribution Level: Medium
No Removal Tool for W32/Rbot Trojan
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as soon as the screen comes on; select Safe Mode and press Enter.
The infected files can be found at the following locations and may also appear as running tasks.
End the following active processes before removal:
- %Windows\System\lqyuuxrvz.exe
- If any of these files appear as running processes in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the following file: Enable Registry.reg
- Open it with Regedit.exe [%system32\regedit.exe]; when asked whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or dialog boxes when you run it.]
The trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Search the registry for the file names listed above to remove them completely:
Edit menu - Find, enter the keyword, and delete every value the search finds.
Exit the Registry Editor.
Restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
1408 Words
Posted 01.05.09
Manual Removal of Win32.Agent.wvu Trojan-Dropper.
W32/Agent.WVU is a trojan that infects Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for Win32.Agent.wvu Trojan-Dropper
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as soon as the screen comes on; select Safe Mode and press Enter.
The infected files can be found at the following locations and may also appear as running tasks.
End the following active processes before removal:
- %Temp%\1
- %ProgramFiles%\CNNIC
- %ProgramFiles%\CNNIC\Cdn
- %ProgramFiles%\CNNIC\Cdn\Images
- %Temp%\1\cdn.dll
- %ProgramFiles%\CNNIC\Cdn\cdnaux.dll
- %ProgramFiles%\CNNIC\Cdn\cdnforie.dll
- %ProgramFiles%\CNNIC\Cdn\cdnprh.dll
- %System%\cdnprot.dat
- %System%\drivers\cdnprot.sys
- %ProgramFiles%\CNNIC\Cdn\cdnunins.exe
- %ProgramFiles%\CNNIC\Cdn\cdnup.exe
- %ProgramFiles%\CNNIC\Cdn\cdnvers.dat
- %ProgramFiles%\CNNIC\Cdn\idnconvs.dll
- %Temp%\1\setup.exe
- %ProgramFiles%\CNNIC\Cdn\src.dat
- The files listed under %ProgramFiles% are also copied to %Temp%\1\.
The following file sizes have been seen:
37,376 bytes, 52,786 bytes, 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
- If any of these files appear as a running process in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the file Enable Registry.reg (Click to Download).
- Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding the information to the registry, click Yes, then OK.
Trojan Entries Manual Removal From Registry
Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to block access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file; it does not display any notice or dialog boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure it is loaded automatically at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Display
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Enum
HKEY_CURRENT_USER\Software\CNNIC
HKEY_CURRENT_USER\Software\CNNIC\CdnClient
HKEY_CURRENT_USER\Software\CNNIC\CdnClient\Restore
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
(Default) = "CdnForIE.IEHlprObj"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
(Default) = "CndForIE.IEHlprObj.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
(Default) = "C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll"
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
(Default) = "CdnForIE Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
(Default) = "{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}"
Version = "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
(Default) = "IIEHlprObj"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
(Default) = "C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
(Default) = "C:\PROGRA~1\CNNIC\Cdn\"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
(Default) = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
(Default) = "CdnForIE 1.0 Type Library"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
(Default) = "CndForIE.IEHlprObj.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
(Default) = "CndForIE Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
(Default) = "{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
(Default) = "CndForIE Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
HKeyRoot = 0x80000001
RegPath = "Software\Microsoft\Internet Explorer\MenuExt\Access Internet Keyword"
Type = "checkbox"
CheckedValue = 0x0000007F
DefaultValue = 0x0000007F
UncheckedValue = 0x00000000
Text = "Right click add "access Internet Keyword""
ValueName = "Contexts"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Enable Internet Keyword"
ValueName = "EnableKw"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Enable Chinese Domain Name"
ValueName = "EnableIdn"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000000
UncheckedValue = 0x00000000
Text = "Display hints under the address bar"
ValueName = "EnableAddrHint"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Display Keyword in the Address Bar Droplist"
ValueName = "EnableKwDisp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000000
UncheckedValue = 0x00000000
Text = "Activate Chinese Domain Name Command Line Support"
ValueName = "EnableIdnCmdEx"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Auto-update when new version is detected"
ValueName = "EnableTaskPopup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000000
UncheckedValue = 0x00000000
Text = "Permit the system to collect users' records"
ValueName = "EnableCollect"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Pop up news information"
ValueName = "AutoUpdate"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
Text = "Update"
Type = "group"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
Text = "Chinese Domain Name and Internet Keyword"
Type = "group"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
Text = "Chinese Navigation"
Type = "group"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
Default Visible = "Yes"
Modified Registry Values
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant="http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html"
CustomizeSearch="http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"
Search the registry for the virus file names listed above to remove it completely:
Edit menu - Find, enter the file name as the keyword, and delete every value the search finds.
Exit the Registry Editor and restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
914 Words :
Posted 01.05.09
Manual Removal of W32/Agent.WVU Trojan.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
FXSTALLER.EXE has been seen to perform the following behaviors:
The Process is packed and/or encrypted using a software packing process
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
Disables the Windows Security Center Service
Disables Windows Automatic Updates including Security Updates and Patches
Executes a Process
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
This process creates other processes on disk
Creates system tray popups, messages, errors and security warnings
Opens browser pop ups
The Process is polymorphic and can change its structure
Registers a Dynamic Link Library File
Can communicate with other computer systems using HTTP protocols
Executes Processes stored in Temporary Folders
FXSTALLER.EXE has been the subject of the following behaviors:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Executed as a Process
Terminated as a Process
Copied to multiple locations on the system
Created as a new Background Service on the machine
Deleted as a process from disk
Executed by Internet Explorer
Executed from Temporary Folders
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Agent.WVU Trojan
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on; select Safe Mode and press Enter.
The infected files can be found in the following folders under the following names, and may also appear as running tasks.
End the following active processes before removal:
- %Windows\fxstaller.exe
- %Temp%\ixp000.tmp\aa.exe
- %Temp%\ixp000.tmp\buri.exe
- %Temp%\ixp000.tmp\burimi.exe
- %Temp%\ixp000.tmp\fapack.exe
- %Temp%\ixp000.tmp\image.exe
- %Temp%\ixp000.tmp\pa.exe
- %Temp%\ixp000.tmp\pack.exe
- %Temp%\ixp000.tmp\pr.exe
- %Temp%\ixp000.tmp\test.exe
- %Temp%\ixp001.tmp\burimi.exe
FXSTALLER.EXE can also use the following file names: 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
The following file sizes have been seen:
37,376 bytes, 52,786 bytes, 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
- If any of these files appear as a running process in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the file Enable Registry.reg (Click to Download).
- Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding the information to the registry, click Yes, then OK.
Trojan Entries Manual Removal From Registry
Click Start, then Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to block access to it.
- Download this UnHookExec.inf and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file; it does not display any notice or dialog boxes when you run it.]
The Trojan modifies the registry at the following location to ensure it runs automatically at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32.Spybot.Worm entries
Delete the following keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
In the right pane, reset the original value, if known:
"EnableDCOM" = "N"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
In the right pane, reset the original value, if known:
"DoNotAllowXPSP2" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
In the right pane, reset the original values, if known:
"AutoShareWks" = "0"
"AutoShareServer" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the right pane, reset the original value, if known:
"restrictanonymous" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
In the right pane, reset the original value, if known:
"Start" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE
In the right pane, delete any values that refer to the file names that were detected.
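The registry and file checks above (this W32/Agent.WVU post and the CdnClient post earlier on this page) can be audited from a script before anything is deleted by hand. The following is an added example, not code from the original post: a read-only PowerShell audit that reports which of the listed keys, worm-set values, autostart entries and dropped files are present; it assumes Windows PowerShell 2.0 or later running from an elevated prompt, and the name fragments in `$DroppedNames` are taken from the file lists above.

```powershell
# Added audit script (not from the original post). Read-only: it reports which of the
# registry keys, values and dropped files listed above are present and changes nothing,
# so "reset the original value, if known" remains a manual decision.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.

# Keys the posts list for deletion: the W32.Spybot.Worm service/driver keys, plus the
# cdnprot driver service and the CdnForIE BHO registration from the CdnClient post.
$ListedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\BoolTern',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN',
    'HKLM:\SYSTEM\CurrentControlSet\Services\rdriv',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV',
    'HKLM:\SYSTEM\CurrentControlSet\Services\cdnprot',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}'
)

# Values the Spybot section says the worm sets: key, value name, worm-set data.
$WormValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\OLE';                                         Name = 'EnableDCOM';        Bad = 'N' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';              Name = 'DoNotAllowXPSP2';   Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';      Name = 'AutoShareServer';   Bad = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'; Name = 'AutoShareWks';      Bad = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'restrictanonymous'; Bad = 1 }
)
# Services the worm disables by setting Start = 4.
foreach ($svc in 'SharedAccess', 'wscsvc', 'TlntSvr', 'RemoteRegistry', 'Messenger') {
    $WormValues += @{ Key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"; Name = 'Start'; Bad = 4 }
}

# Autostart keys to inspect for references to the dropped files.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
# Name fragments taken from the file lists in the posts (matched case-insensitively).
$DroppedNames = 'fxstaller', 'burimi', 'buri.exe', 'fapack', 'lacostes', 'housegirl',
                'hackedmsn', 'eraseme_', 'cdnforie', 'cdnprot'

$findings = @()

foreach ($k in $ListedKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "LISTED KEY PRESENT: $k" }
}

foreach ($v in $WormValues) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $current = $item.($v.Name)
        # String comparison so a REG_DWORD 4 and the literal "4" quoted in the post compare equal.
        if ("$current" -eq "$($v.Bad)") {
            $findings += "WORM-SET VALUE: $($v.Key) [$($v.Name)] = $current"
        }
    }
}

foreach ($rk in $RunKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $rk).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $data = "$($p.Value)"
        foreach ($n in $DroppedNames) {
            if ($data -match [regex]::Escape($n)) {
                $findings += "AUTOSTART REFERENCES DROPPED FILE: $rk [$($p.Name)] = $data"
                break
            }
        }
    }
}

# Dropped files and folders named in the posts: %Windows, %Temp%\ixp00x.tmp,
# %ProgramFiles%\CNNIC and %System%\drivers\cdnprot.sys.
$Paths = @(
    "$env:windir\fxstaller.exe",
    "$env:ProgramFiles\CNNIC",
    "$env:windir\system32\drivers\cdnprot.sys"
)
$tempDirs = @(Get-ChildItem -Path $env:TEMP -Filter 'ixp*.tmp' -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
$Paths += $tempDirs

foreach ($fp in $Paths) {
    if (Test-Path -LiteralPath $fp) { $findings += "DROPPED FILE OR FOLDER PRESENT: $fp" }
}

if ($findings.Count -eq 0) { 'None of the indicators listed in these posts were found.' } else { $findings }
```

Run it once before the manual steps to see what is actually present, and again after the reboot to confirm nothing came back.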
Search the registry for the virus file names listed above to remove it completely:
Edit menu - Find, enter the file name as the keyword, and delete every value the search finds.
Exit the Registry Editor and restart your computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
408 Words :
Posted 01.04.09
Manual Removal of W32/QQPass.DCG.PSW Trojan.
W32/QQPass.DCG.PSW is a Trojan. The Trojan will infect Windows systems.
The Trojan may be dropped by other malware or downloaded from a remote website by other malware.
It may also be downloaded unknowingly by a user visiting a malicious website.
This Trojan first appeared on October 24, 2008.
Other names of W32/QQPass.DCG.PSW Trojan:
This Trojan is also known as Mal/Heuri-E, TROJ_DROPPER.BZM, Trojan-PSW.Win32.QQPass.dcg.
The Trojan may be dropped by other malware or may be downloaded from remote website by other malware.
It may also be downloaded unknowingly by a user while visiting malicious Website.
This Trojan first appeared on October 24, 2008.
Other names of W32/QQPass.DCG.PSW Trojan:
This Trojan is also known as Mal/Heuri-E, TROJ_DROPPER.BZM, Trojan-PSW.Win32.QQPass.dcg.
Damage Level: Medium/High
Distribution Level: Unknown
No Removal Tool for W32/QQPass.DCG.PSW Trojan
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended:
How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found under the following folders and names, and may also be running as tasks.
End the following active processes before removal:
- %Windows\hjbh.exe
- %Windows\bxfq.exe
- %Windows\dfll.exe
- %Windows\goti.exe
- %Windows\gzei.exe
- %Windows\jdzd.exe
- %Windows\jvcn.exe
- %Windows\ouyf.exe
- %Windows\tlqi.exe
- %Windows\wgon.exe
- %Windows\wkxi.exe
- %Windows\wwny.exe
- %Windows\ybea.exe
- If any of these files appear as running processes in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the following file: Click to Download - Enable Registry.reg
- Open it with Regedit.exe [%system32\regedit.exe]; when it asks whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
- Download this UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode,
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure it runs automatically at every system startup:
UNKNOWN
Search the registry for the virus file names listed above to remove them completely:
Edit menu - Find, enter the file name as the keyword, and remove every value the search finds.
Exit the Registry Editor.
Restart your computer.
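The registry search described above, and the key and service list given in the Hexzone post earlier on this page, as an added PowerShell example that is not part of the original posts: it only reports autorun values that reference the detected file names and the service and share settings the Hexzone post says to reset, so the findings can be reviewed before anything is deleted in Regedit. The default file-name list is taken from the QQPass process list above and is a placeholder to replace with the names of the infection at hand; the `Start = 4` meaning (service disabled) is standard Windows behaviour, not stated on the page.

```powershell
# Added example, not from the original post. Read-only audit of the autorun
# keys the Hexzone post lists and the service Start values it says to reset.
# Run in an elevated (administrator) PowerShell window.
param(
    # File names from the QQPass post's process list (placeholder default; replace per infection).
    [string[]]$DetectedNames = @('hjbh.exe','bxfq.exe','dfll.exe','goti.exe','gzei.exe','jdzd.exe',
                                 'jvcn.exe','ouyf.exe','tlqi.exe','wgon.exe','wkxi.exe','wwny.exe','ybea.exe')
)
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)
# Services the Hexzone post lists; Start = 4 means the service is disabled.
$services = 'SharedAccess', 'wscsvc', 'TlntSvr', 'RemoteRegistry', 'Messenger'
$findings = @()
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata properties
    foreach ($p in $props) {
        foreach ($name in $DetectedNames) {
            if ("$($p.Value)" -like "*$name*") {
                $findings += "AUTORUN  $key : '$($p.Name)' -> $($p.Value)"
            }
        }
    }
}
foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "SERVICE  $svc is disabled (Start = 4)" }
}
# Share and anonymous-access values the Hexzone post lists, shown with their current settings.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters',
                 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters') {
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) { $findings += "VALUE    $key\$name = $v" }
    }
}
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra = (Get-ItemProperty -Path $lsa -Name restrictanonymous -ErrorAction SilentlyContinue).restrictanonymous
$findings += "VALUE    $lsa\restrictanonymous = $ra"
$findings
```

Each reported AUTORUN line names the key and value to locate with Edit > Find in Regedit; the script itself changes nothing.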
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
466 Words :
Posted 01.02.09
Manual Removal of W32/Nugg.W Worm.
W32/Nugg.W is a worm. The worm will infect Windows systems.
This worm first appeared on January 2, 2009.
Other names of W32/Nugg.W Worm:
This worm is also known as PSW.OnlineGames.BIYV, P2P-Worm.Win32.Nugg.w
Damage Level: Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Nugg.W Worm
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended:
How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found under the following folders and names, and may also be running as tasks.
End the following active processes before removal:
- %Windows\System\danim32.dll
- If any of these files appear as running processes in Task Manager, end the process before removal.
- Note: if Task Manager is disabled, download the following file: Click to Download - Enable Registry.reg
- Open it with Regedit.exe [%system32\regedit.exe]; when it asks whether to add the information to the registry, confirm Yes, then click OK.
Unregister DLL Files Using the Windows Command Prompt
- To open the Windows Command Prompt, go to Start > Run, type cmd, and then click the "OK" button.
- Type "cd" to change the current directory,
- press the "space" bar, enter the full path to where you believe the program DLL file is located, and press the "Enter" key on your keyboard.
- If you don't know where the program DLL file is located, use the "dir" command to display the directory's contents.
- To unregister a "Program" DLL file,
- type "regsvr32 /u" followed by the DLL name (or the full path to the DLL).
- Example: after cd C:\Windows\System, type regsvr32 /u name.dll and press the "Enter" key.
- A message will pop up that says you successfully unregistered the file.
Trojan Entries Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
- Download this UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
- After booting into Safe Mode or VGA Mode,
- Right-click the UnHookExec.inf file
