
Manual Removal of Re_file.exe

Re_file.exe (W32.Beagle)
This worm spreads via the Internet as an attachment to infected e-mail messages, which it sends to every address harvested from the victim machine. It can also download other files from the Internet without the user's knowledge or consent. The worm itself is a PE EXE file of 40,565 bytes.
Damage Level: Highly Dangerous
Distribution Level: High
Removal Tools:
Tools From Bitdefender:
Win32.Bagle.A@mm - Download
Win32.Bagle.AU@mm - Download
Win32.Bagle.FO@mm - Download (recommended)

Win32.Bagle.{C-E}@mm - Download
Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.

    The Infected Files Can be Seen in these folders and names

    • %System%\wind2ll2.exe
    • %System%\re_file.exe
    • %WinDir%\elist.xpt
    • %Documents and Settings%\Application Data\hidn (folder)
    It then copies its body to this folder under the following names:
    • %Documents and Settings%\Application Data\hidn\hidn2.exe
    • %Documents and Settings%\Application Data\hidn\hldrrr.exe
    Manually Remove From Registry
    Click Start, Run,Type regedit,Click OK.
    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this UnHookExec.inf, and then continue with the removal.

    The worm deletes the following registry key, which makes it impossible to boot the infected computer in Safe Mode. If Safe Mode will not start, this is why; carry out the steps below from a normal boot instead.
    HKLM\System\CurrentControlSet\Control\SafeBoot

    It adds the following startup values:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "winshost.exe" = "%winsysdir%\winshost.exe"

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "winshost.exe" = "%winsysdir%\winshost.exe"

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "drv_st_key" = "%Documents and Settings%\Application Data\hidn\hidn2.exe"

    where '%winsysdir%' represents the Windows System folder. These values ensure the worm runs every time Windows starts; delete them.
    When the dropped DLL is activated, it checks for the following registry value:

    HKCU\Software\FirstRun
    "FirstRunRR" = dword:value

    If the value does not exist, the worm creates it and sets it to 1. The DLL also opens Microsoft Paint (mspaint.exe) as a decoy and then executes the actual payload.


    Exit the Registry Editor.
    Restart your Computer.
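    The registry steps above are the same for every worm on this page: open regedit, walk the Run keys, delete the values that point at the malware. The script below, added here as an example and not part of the original guide or of any vendor tool, does that walk for all of the autostart keys this page names (including HKEY_USERS\.Default), flags values whose image file name appears in this page's removal sections, and checks whether the SafeBoot key is still present. The known-bad list is an assumption drawn from this page; extend it with whatever your scanner reports. It only reports, so you still delete the flagged values yourself. Windows PowerShell 3 or later and an elevated prompt are assumed:

```powershell
# Added example, not part of the original guide: list the autostart values
# in the registry keys this guide keeps sending you to, flag any whose image
# name matches a file named in the removal steps, and check that the SafeBoot
# key Bagle deletes is still present. Reports only; deletes nothing.

# HKU:\.DEFAULT is the profile used before anyone logs on (HKEY_USERS\.Default).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKU:\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKU:\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Image file names taken from the removal sections of this guide. Assumption:
# this is the set you are hunting; add whatever your scanner reports.
$knownBad = @(
    'winshost.exe', 'hidn2.exe', 'hldrrr.exe', 're_file.exe', 'wind2ll2.exe',
    'nvsc32.exe', 'winis.exe', 'svrhost.exe', 'jammer2nd.exe', 'isass.exe',
    'fvprotect.exe', 'drvddll.exe', 'doriot.exe', 'syslogin.exe', 'cmd32.exe',
    'bling.exe', 'winnt.exe'
)

foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        # Keep the data unexpanded so a value such as %winsysdir%\winshost.exe
        # is shown exactly as the malware wrote it.
        $data = [string]$regKey.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        # The image path is either the quoted first token or the first bare token.
        $image = if ($data -match '^\s*"([^"]+)"') { $Matches[1] } else { ($data.Trim() -split '\s+')[0] }
        $leaf  = ($image -replace '^.*[\\/]', '').ToLowerInvariant()
        $tag   = if ($knownBad -contains $leaf) { 'SUSPECT' } else { 'ok     ' }
        '{0} {1}  "{2}" = "{3}"' -f $tag, $key, $name, $data
    }
}

# Bagle deletes this key; without it the machine cannot boot into Safe Mode.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
if (Test-Path -Path $safeBoot) { 'SafeBoot key present' }
else { 'WARNING: SafeBoot key missing; Safe Mode will not boot until it is restored' }
```

    Run it once before and once after the removal. A flagged value that comes back on the second run means the process that writes it is still alive and has to be ended first.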

    Recommended Removal Tools:
    Kaspersky Antivirus or Internet Security (Shareware)
    Spyware Doctor (Shareware)
    AVG Antivirus (Freeware)

    Manual Removal of Nvsc32.exe

    Nvsc32.exe (Backdoor.IRC.Bot Trojan)
    nvsc32.exe is a process registered as the Backdoor.IRC.Bot Trojan. This Trojan allows attackers to access your computer from remote locations and steal passwords, Internet banking credentials and personal data. The process is a security risk and should be removed from your system.
    Level of Danger: Medium
    Distribution Level: Medium


    Try Symantec Auto Removal Tool for Nvsc32.exe (Backdoor.IRC.Bot Trojan)
    What the tool does
    The W32.Bropia Removal Tool does the following:
    Terminates the W32.Bropia processes
    Deletes the W32.Bropia files
    Deletes the registry values that W32.Bropia has added

    View Instructions

    Manual Removal Instructions
    Recommend Removal from Safe Mode:
    How to Start in Safe mode:
    Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.

    The Infected Files Can be Seen in these folders and names

    • nvsc32.exe
      End the nvsc32.exe process in Task Manager before removing the file.
    Search the registry for the above file name and remove its entries:
    Click Start, Run, type regedit, then click OK.
    Navigate to the key or use Ctrl+F (Find) to locate the values below:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\OLE
    HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

    In the right pane, delete the values:

    "win-xp" = "winis.exe"
    "win-xp" = "nvsc32.exe"
    "NvCplScan" = "nvsc32.exe"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    NvCplScan = "nvsc32.exe"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    NvCplScan = "nvsc32.exe"

    HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
    NvCplScan = "nvsc32.exe"

    HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce
    NvCplScan = "nvsc32.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    NvCplScan = "nvsc32.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    NvCplScan = "nvsc32.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    NvCplScan = "nvsc32.exe"

    Exit the Registry Editor.


    Recommended Removal Tools:
    Kaspersky Antivirus or Internet Security (Shareware)
    Spyware Doctor (Shareware)
    AVG Antivirus (Freeware)
    Symantec (Shareware)

    Manual Removal of Kazza.exe

    Kazza.exe (kazza/Optix Trojan)
    If a process named kazza.exe is running on your computer, you may be infected with a strain of the Optix Trojan. kazza.exe is considered a security risk, not only because antivirus programs flag it as a Trojan but also because other sites classify it as one. As a likely Trojan it presents a serious vulnerability that should be fixed immediately; delaying the removal of kazza.exe may cause serious harm to your system, including loss of data, loss of control or leaking of private information. The Process Server database currently registers kazza.exe to the Optix Trojan.
    Damage Level : High
    Distribution Level: Low
    Manual Removal Instructions
    Recommend Removal from Safe Mode:
    How to Start in Safe mode:
    Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


    The Infected Files Can be Seen in these folders and names
    Open Task Manager:
    • On the Processes tab, end the process SVRHOST.EXE (note the spelling: the legitimate Windows service host is svchost.exe, which must not be ended)
    • Delete SVRHOST.EXE from the Windows System folder: %system%\svrhost.exe
    Search the registry for the above file name and remove its entries.
    Click Start; Run, type regedit, then click OK, and delete the registry entry:
    • "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load"
    Registry values to remove from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run only:
    • system
    • msgsvr32
    • jijbl
    • service
    • Sentry
    • au.exe
    • d3dupdate.exe
    • OLE
    • gouday.exe
    • rate.exe
    • Taskmon
    • Windows Services Host
    • sysmon.exe
    • srate.exe
    • ssate.exe
    Recommended Removal/Antivirus Protection Tools:
    Kaspersky Antivirus or Internet Security (Shareware)
    Spyware Doctor (Shareware)
    AVG Antivirus (Freeware)

    Manual Removal of Java.exe

    Java.exe (Java)
    The process java.exe is used to run programs written in the Java language. Terminating it will end any Java programs running at the time; if it is causing problems on your system, you may terminate it. java.exe itself does NOT appear to be a security risk.
    The Process Server database currently registers java.exe to Sun Microsystems.
    It is part of the Java Runtime and is related to javaw.exe, jucheck.exe and jusched.exe.
    Whenever you have a concern about a file like java.exe, visit our Anonymous Surfing section to help verify that the file is not giving away too much personal information.
    The Process Server database is updated often, but inaccuracies may still exist, often caused by viruses named after valid files such as Java. Always verify your results to play it safe.

    Damage Level: Low
    Distribution Level: High

    Manual Removal Instructions
    Recommend Removal from Safe Mode:
    How to Start in Safe mode:
    Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


    The Infected Files Can be Seen in these folders and names
    Kill the following processes and delete the appropriate files:
    Win32.MyDoom.M@mm Free Removal tool

    Presence of the following registry key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
    with the following value:
    %WINDIR%\java.exe

    Presence of the following files:

    %WINDIR%\java.exe
    %WINDIR%\services.exe

    Note the location: the legitimate Sun java.exe lives in the bin folder of the installed Java Runtime (under Program Files), not directly in %WINDIR%, and the genuine Windows services.exe lives in %WINDIR%\System32. Copies sitting directly in %WINDIR% are the worm's.

    Port 1034 is left listening for incoming connections.
    This is an Internet worm that spreads through e-mail. When it is run it adds the following registry value:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
    %WINDIR%\java.exe

    It copies itself to %WINDIR%\java.exe,
    where %WINDIR% is a variable representing the Windows directory.

    It drops the following file: %WINDIR%\services.exe, which is detected by BitDefender as Backdoor.Mydoom.M.

    It tries to terminate programs that have windows with the following class names: rctrl_renwnd32, ATH_Note, IEFrame.

    Close Registry Editor.
    Restart your PC.

    Recommended Removal Tools:
    Kaspersky Antivirus or Internet Security (Shareware)
    Spyware Doctor (Shareware)
    AVG Antivirus (Freeware)
    Hijackthis (Freeware)

    Manual Removal of Jammer2nd.exe

    Jammer2nd.exe (Netsky)
    jammer2nd.exe is considered to be a security risk, not only because antivirus programs flag Netsky as a virus, but also because a number of users have complained about its performance.
    Netsky is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of jammer2nd.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.

    Try Bitdefender Netsky Auto Removal Tool for Jammer2nd.exe (Netsky)
    Damage Level: Medium
    Distribution Level: High
    • The W32.Netsky.Z@mm worm is a Netsky variant that scans for the email addresses on all non-CD-ROM drives on an infected computer.
    • Scans drives C through Z (excluding CD-ROM drives) and retrieves the email addresses from any files with the predefined extensions.
    • Then the worm uses its own SMTP engine to send itself to the email addresses that it finds and to jamainlbbbsdef@yahoo.com
    • The From line of the email is spoofed, and its Subject, Message, and Attachment vary. The attachment has a .zip extension.
    • Copies itself as %WinDir%\Jammer2nd.exe.
    • Creates a zip file containing the worm to %Windir%\PK_ZIP_ALG.LOG.
    • Listens on TCP port 665 for an attacker to send an executable file.
    • The worm will automatically run the executable when it is downloaded.
    • If the date of the system clock is between May 2, 2004 and May 5, 2004, the worm will attempt to perform Denial of Service (DoS) attack against the following Web sites:


      • www.nibis.de 
      • www.medinfo.ufl.edu
      • www.educa.ch

      Manual Removal Instructions :

      Recommend Removal from Safe Mode:
      How to Start in Safe mode:
      Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


      The Infected Files Can be Seen in these folders and names


      Navigate to the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Delete the value:
      "Jammer2nd" = %WinDir%\JAMMER2ND.EXE

      Kill the following process:
      %windir%\Jammer2nd.exe

      Delete the following files:
      %windir%\Jammer2nd.exe
      %windir%\pk_zip_alg.log
      %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log

      Delete the following registry key:
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd

      Exit the Registry Editor. Restart your PC. If the files cannot be removed, let an antivirus engine remove them.
      Recommended Removal Tools:
      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)
      Hijackthis (Freeware)
      Bitdefender (Shareware)

      Manual Removal of isass.exe

      isass.exe (Futro Trojan)
      isass.exe is considered to be a security risk, not only because antivirus programs flag Futro Trojan as a trojan, but also because other sites consider it a Trojan as well.
      Futro Trojan is likely a Trojan and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of isass.exe may cause serious harm to your system and will likely cause a number of problems, loss of data, loss of control or leaking private information.



      Download Hijackthis Auto Removal Tool for isass.exe (Sasser worm)
      Other Tools for Removing Isass.exe
      Microsoft Sasser Removal Tools and Instructions

      Damage Level: Medium
      Distribution Level: Medium


      Manual Removal Instructions
      Recommend Removal from Safe Mode:
      How to Start in Safe mode:
      Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


      The Infected Files Can be Seen in these folders and names
      Kill the following processes and delete the appropriate files:
      • ISASS.EXE
      • issas.exe
      • MSHLPAPI.DLL
      • MSSVCHST.DLL
      Note the spelling: the legitimate Windows process is lsass.exe (lowercase L, the Local Security Authority Subsystem). It runs from %SystemRoot%\System32 and must not be terminated; isass.exe (capital I) and issas.exe are the impostors.
      Delete the following malicious registry entries and\or values:

      • Key: Software\Microsoft\Windows\CurrentVersion\RunOnce
        Value: Anti

      • Key: Software\Microsoft\Windows\CurrentVersion\RunOnce
        Value: InternetSecurityAssistant

      • Key: Software\Microsoft\Windows\CurrentVersion\RunOnce
        Value: Isass

      • Key: Software\Microsoft\Windows\CurrentVersion\RunOnce
        Value: NvMsnW

      HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
      In the right panel, locate and delete the entry or entries:
      InternetSecurityAssistant "%Windows%\ISASS.EXE"

      HKEY_USERS>.Default>Software>Microsoft>Windows>CurrentVersion>RunOnce

      In the right panel, locate and delete the entry or entries:
      InternetSecurityAssistant "%Windows%\ISASS.EXE"
       

      In the left panel, double-click the following:
      HKEY_CURRENT_USER>System>CurrentControlSet>Control>LSA>

      In the right panel, locate and delete the entry:
      WIN32 = "WIN32.exe"

      In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>OLE>

      In the right panel, locate and delete the entry:
      WIN32 = "WIN32.exe"

      In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>OLE>

      In the right panel, locate and delete the entry:
      WIN32 = "WIN32.exe"

      In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>System>CurrentControlSet>Control>LSA>

      In the right panel, locate and delete the entry:
      WIN32 = "WIN32.exe"

      Close Registry Editor.

      Restart your PC.

      Recommended Removal Tools:
      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)
      Hijackthis (Freeware)

      Manual Removal of Fvprotect.exe

      Fvprotect.exe (Netsky.P worm)
      fvprotect.exe is considered to be a security risk, not only because antivirus programs flag Netsky.P worm as a virus, but also because a number of users have complained about its performance.
      Netsky.P worm is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of fvprotect.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.


      Try Symantec Auto Removal Tool for Fvprotect.exe (Netsky.P worm/W32.Erkez)
      Damage Level: Medium
      Distribution Level: Medium


      Manual Removal Instructions
      Recommend Removal from Safe Mode:
      How to Start in Safe mode:
      Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


      The Infected Files Can be Seen in these folders and names
      It copies itself to the following location:
         • %WINDIR%\fvprotect.exe

      Terminate the FVPROTECT.EXE process using Windows Task Manager.

      Delete the following files from your Windows directory (typically c:\windows or c:\winnt):

      • FVPROTECT.EXE
      • USERCONFIG9X.DLL
      • BASE64.TMP
      • ZIP1.TMP
      • ZIP2.TMP
      • ZIP3.TMP
      • ZIPPED.TMP

        • Also delete the many copies of the worm dropped on the victim machine under the enticing file names described above.
      %WINDIR%\userconfig9x.dll
      Further investigation showed that this file is malware, too.


      Search registry for the above File name and remove,
      Click Start; Run,Type regedit,then click OK.


      The following registry keys are created:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe

      Delete the "Norton Antivirus AV" value from
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      Search Registry for the above exe files, and remove the Registry entries.
      Reboot the system


      Recommended Removal Tools:
      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)
      Symantec (Shareware)

      Hijackthis (Freeware)

      Manual Removal of Funny.exe

      Funny.exe is a variant of Funnyust scandal.avi.exe.
      If this Trojan enters your PC and is allowed to run, it consumes hard drive space and slows the computer to a crawl. Remove it as fast as you can.

      The following processes are associated with Funny.exe:
      funny.exe
      killer.exe
      lsass.exe (careful: the legitimate Windows process of the same name runs from %SystemRoot%\System32 and must not be ended; only a copy running from elsewhere is suspect)
      smss.exe (the same caution applies; the genuine smss.exe also runs from %SystemRoot%\System32)

      Damage Level: High
      Distribution Level: High
      Manual Removal of Funny.exe

      Use Windows File Search Tool to Find funny.exe
      • Go to Start > Search > All Files or Folders.
      • In the "All or part of the file name" section, type in the "funny.exe" file name(s).
      • To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click the "Search" button.
      • When Windows finishes your search, hover over the "In Folder" of "funny.exe", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you will need it to delete funny.exe in the following manual removal steps.
      Use Windows Task Manager to Remove funny.exe Processes
      • To open the Windows Task Manager, press CTRL+ALT+DEL or CTRL+SHIFT+ESC.
      • Select the "funny.exe" process and click on the "End Process" button to kill it.
        Also end killer.exe, and end lsass.exe and smss.exe only if they run from somewhere other than %SystemRoot%\System32 (Windows has legitimate processes with these names; see the note above). Then close Task Manager and re-open it to confirm they are gone.
      If the processes are still running, use the alternative method: click here
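      Ending a process by its name alone is how the genuine lsass.exe gets terminated, which forces Windows to reboot. The PowerShell below, an added example that is not part of the original guide, searches every local fixed drive for the file names listed in this section and stops running copies by full image path, keeping any lsass.exe or smss.exe that runs from %SystemRoot%\System32. The name list is taken from this section; Windows PowerShell 3 or later and an elevated prompt are assumed:

```powershell
# Added example, not part of the original guide: find the files this section
# lists on every local fixed drive, then stop only those running copies whose
# image path is NOT the real one. lsass.exe and smss.exe are genuine Windows
# processes that live in %SystemRoot%\System32; killing the real lsass.exe
# forces a reboot, so the decision is made on the full path, never the name.

$names     = @('funny.exe', 'killer.exe', 'lsass.exe', 'isass.exe', 'smss.exe')
$system32  = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')
$protected = @('lsass.exe', 'smss.exe')   # genuine only when running from System32

function Test-GenuineSystemImage([string]$Path) {
    $leaf = [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
    $dir  = [System.IO.Path]::GetDirectoryName($Path).TrimEnd('\')
    return ($leaf -in $protected) -and ($dir -ieq $system32)
}

# 1. Search local fixed drives (DriveType 3) for any of the names.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
          ForEach-Object { $_.DeviceID + '\' }
foreach ($root in $drives) {
    Get-ChildItem -Path $root -Recurse -Force -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $label = if (Test-GenuineSystemImage $_.FullName) { 'GENUINE' } else { 'REVIEW ' }
            "$label $($_.FullName)"
        }
}

# 2. Stop running instances by full image path. $p.Path is $null for
#    processes we are not allowed to open (the real lsass.exe when not
#    elevated, for instance); those are skipped rather than guessed at.
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    $path = $p.Path
    if (-not $path) { continue }
    $leaf = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
    if ($leaf -notin $names) { continue }
    if (Test-GenuineSystemImage $path) {
        "Keeping  $path (PID $($p.Id))"
        continue
    }
    "Stopping $path (PID $($p.Id))"
    Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
}
```

      Every line marked REVIEW is a candidate for deletion after the matching process has been stopped; a GENUINE line is the operating system's own file and stays.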

      Recommended Removal/Antivirus Protection Tools:
      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)

      Manual Removal of Drvddll.exe

      Worm/Bagle.AA is an email worm 20,767 bytes in size. It copies itself into the Windows system folder as DRVDDLL.EXE. When activated, it shows a message box with the text: "Can't find viewer associated with the file". It is distributed by email.

      There is NO Auto Removal Tool for Drvddll.exe (Worm/Bagle)
      Damage Level: Low
      Distribution Level: Unknown

      Manual Removal Instructions
      Recommend Removal from Safe Mode:
      How to Start in Safe mode:
      Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


      The Infected Files Can be Seen in these folders and names
      Delete the following file:

      %WinDir%\%SystemDir%\drvddll.exe

      Manually Remove From Registry
      Click Start; Run,Type regedit,Click OK.

      Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this
      UnHookExec.inf, and then continue with the removal.


      * [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "drvddll.exe"="C:\\%WinDir%\\%SystemDir%\\drvddll.exe"

      Restart your computer.

      Recommended Removal/Virus Protection Tools:

      Manual Removal of Doriot.exe

      A Trojan Dropper is a program that releases or installs malicious code on the user's PC. In other words, it acts as a carrier for harmful programs. A Trojan Dropper often holds numerous distinct pieces of malware that may differ in behaviour or even be written by different authors. It may also include a joke or hoax program that diverts the user from the Dropper's real purpose: the background installation of malicious code, adware or 'pornware'. Droppers are attractive to attackers because a dropper is comparatively easier to write than the Trojan it carries, may evade various anti-virus programs, and can be used to perform numerous tasks. It therefore poses security and privacy threats to the system.

      There is NO Auto Removal Tool for doriot.exe (Ject.C/Worm/Trojan)
      Damage Level: Medium
      Distribution Level: Very Low

      Manual Removal Instructions
      Recommend Removal from Safe Mode:
      How to Start in Safe mode:
      Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


      The Infected Files Can be Seen in these folders and names

      Delete the Following Files:
      6be859e0ca3699cfcb1a3c8e????2d39.exe
      b4b8a????4fc2e2039264e1b10b34028.exe
      %windir%\system32\doriot.exe
      %windir%\system32\gdqfw.exe
      %windir%\_re_file.exe

      Search registry for the above File name and remove,
      Click Start, Run, Type regedit, then click OK.


      Navigate to the key:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      In the right pane, delete the value:

      "wersds" = "%System%\doriot.exe"

      Navigate to the key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      In the right pane, delete the value:

      "wersds" = "%System%\doriot.exe"

      Exit the Registry Editor.


      Recommended Removal Tools:
      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)
      Symantec (Shareware)

      Manual Removal of dl.exe

      There is NO Auto Removal Tool for dl.exe (W32.Bagz@mm)
      Damage Level: Low
      Distribution Level: High
      Manual Removal Instructions
      Recommend Removal from Safe Mode:
      How to Start in Safe mode:
      Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


      The Infected Files Can be Seen in these folders and names
      dl.exe is the mass-mailing worm W32.Bagz@mm. It tries to terminate antivirus programs installed on the user's computer.
      • %System%\dl.exe
      Related files:
      • %System%\syslogin.exe
      • %System%\jobdb.dll
      • %System%\ipdb.dll
      • %System%\wdate.dll
      It adds the value:
      "syslogin.exe" = "syslogin.exe"
      to the Windows startup registry keys.


      Search registry for the above File name and remove,

      Click Start > Run,Type regedit,then click OK.

      Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      In the right pane, delete the value:

      "syslogin.exe" = "syslogin.exe"


      Exit the Registry Editor.

      Recommended Removal Tools:
      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)
      Symantec (Shareware)

      Manual Removal of cmd32.exe

      Cmd32.exe is a Trojan Backdoor.Sdbot.
      Cmd32.exe spreads via Internet Relay Chat (IRC).
      Cmd32.exe tries to terminate antiviral programs installed on a user computer.
      Cmd32.exe monitors user Internet activity and private information.
      It sends stolen data to a hacker site.

      There is NO Auto Removal Tool for cmd32.exe (Backdoor.Sdbot)
      Damage Level: High
      Distribution Level: Very Low

      Manual Removal Instructions
      Recommend Removal from Safe Mode:
      How to Start in Safe mode:
      Restart your Computer, Press F8 when your Screen turns on, Select Safe mode, press enter.


      The Infected Files Can be Seen in these folders and names
      • %ProgramFiles%\bifrost\cmd32.exe
      • %System%\cmd32.exe
      • %Windir%\cmd32.exe
      • %Windir%\system32:cmd32.exe (the colon marks an NTFS alternate data stream named cmd32.exe attached to the system32 folder; Explorer and a plain dir listing do not show it)
      If any of these files show up as a running process in Task Manager, end the process before removing the file.
      Note: if Task Manager is disabled, download the following file:
      Click to Download - Enable Registry.reg
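      Enable Registry.reg above, and the UnHookExec.inf referred to elsewhere on this page, undo two different tricks: the policy values that disable Task Manager and Registry Editor, and a rewritten .exe file association that routes every program launch through the malware. The script below is an added example (not the page's file and not Symantec's) that checks and clears both, in the registry locations assumed here: the DisableTaskMgr and DisableRegistryTools values under Policies\System, and the default value of exefile\shell\open\command, which must be exactly "%1" %*. Run it from an elevated PowerShell prompt:

```powershell
# Added example, not part of the original guide: undo the registry changes
# that the notes in this guide work around with Enable Registry.reg and
# UnHookExec.inf. Task Manager and regedit are disabled through policy
# values; .exe launching is hijacked by rewriting the exefile open command.
# Locations below are assumptions stated in the lead-in, not taken from the page.

$policyKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($name in $policyValues) {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v -and $v -ne 0) {
            "Clearing $key\$name (was $v)"
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# The default .exe open command must be exactly "%1" %* . Anything else
# means every program launch, regedit included, passes through the
# malware first. This is the value UnHookExec.inf puts back.
$exeCommandKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$wanted  = '"%1" %*'
$current = (Get-ItemProperty -Path $exeCommandKey -ErrorAction SilentlyContinue).'(default)'
if ($current -ne $wanted) {
    "exefile open command is [$current]; resetting to [$wanted]"
    Set-ItemProperty -Path $exeCommandKey -Name '(default)' -Value $wanted
} else {
    'exefile open command is intact'
}
```

      A per-user override under HKCU:\SOFTWARE\Classes\exefile\shell\open\command takes precedence over the HKLM value if the malware wrote one; check and reset it the same way. If the hijack stops powershell.exe itself from launching, boot to Safe Mode with Command Prompt and run the script from there.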

      Related files:
      %System%\Cnfgldr.exe
      %System%\cthelp.exe
      %System%\Sysmon16.exe
      %System%\Sys3f2.exe
      %System%\Syscfg32.exe
      %System%\Mssql.exe
      %System%\Aim95.exe
      %System%\Svchosts.exe
      %System%\FB_PNU.EXE
      %System%\Cmd32.exe
      %System%\Sys32.exe
      %System%\Explorer.exe
      %System%\IEXPL0RE.EXE
      %System%\iexplore.exe
      %System%\sock32.exe
      %System%\MSTasks.exe
      %System%\service.exe
      %System%\Regrun.exe
      %System%\ipcl32.exe
      %System%\syswin32.exe
      %System%\CMagesta.exe
      %System%\YahooMsgr.exe
      %System%\vcvw.exe
      %System%\spooler.exe
      %System%\MSsrvs32.exe
      %System%\svhost.exe
      %System%\winupdate32.exe
      %System%\quicktimeprom.exe

      Manually Remove From Registry
      Click Start; Run,Type regedit,Click OK.
      Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this UnHookExec.inf, and then continue with the removal.
      Navigate to the subkeys below. These are the Windows startup keys; remove the entry for any file you do not trust, and delete values in the right pane only, never the keys themselves.

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      In the right pane, delete any value that was detected during the scan.


      Delete any of the following registry entries, if present:

      "Configuration Loader" = "%System%\iexplore.exe"
      "Configuration Loader" = "MSTasks.exe"
      "Configuration Loader" = "aim95.exe"
      "Configuration Loader" = "cmd32.exe"
      "Configuration Loader"= "IEXPL0RE.EXE"
      "Configuration Manager" = "Cnfgldr.exe"
      "Fixnice" = "vcvw.exe"
      "Internet Config" = "svchosts.exe"
      "Internet Protocol Configuration Loader" = "ipcl32.exe"
      "MSSQL" = "Mssql.exe"
      "MachineTest" = "CMagesta.exe"
      "Microsoft Synchronization Manager" = "svhost.exe"
      "Microsoft Synchronization Manager" = "winupdate32.exe"
      "Microsoft Video Capture Controls" = "MSsrvs32.exe"
      "Quick Time file manager" = "quicktimeprom.exe"
      "Registry Checker" = "%System%\Regrun.exe"
      "Sock32" = "sock32.exe"
      "System Monitor" = "Sysmon16.exe"
      "System33" = "%System%\FB_PNU.EXE"
      "Windows Configuration" = "spooler.exe"
      "Windows Explorer" = " Explorer.exe"
      "Windows Services" = "service.exe"
      "Yahoo Instant Messenger" = "Yahoo Instant Messenger"
      "cthelp" = "cthelp.exe"
      "stratas" = "xmconfig.exe"
      "syswin32" = "syswin32.exe"


      Exit the Registry Editor.
      Restart your Computer.
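      One entry in the file list above, %Windir%\system32:cmd32.exe, is easy to misread. The colon means cmd32.exe is an NTFS alternate data stream attached to the system32 directory, not a file inside it; Explorer, a plain dir listing and the Search dialog never show it, so the file-by-file steps above miss it. The script below is an added example, not part of the original guide, that lists non-default streams on the Windows and system32 directories and on the files in system32, and removes a cmd32.exe stream from the directory if one is attached. Windows PowerShell 3 or later and an elevated prompt are assumed:

```powershell
# Added example, not part of the original guide: the entry
# %Windir%\system32:cmd32.exe is an NTFS alternate data stream named
# cmd32.exe attached to the System32 directory itself. List such streams
# on the directories this guide names and on the files inside System32,
# and remove the cmd32.exe stream if present.

$dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))

foreach ($dir in $dirs) {
    # A directory has no :$DATA content stream, so everything listed is an ADS.
    Get-Item -Path $dir -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            '{0}:{1}  ({2} bytes)' -f $_.FileName, $_.Stream, $_.Length
            if ($_.Stream -ieq 'cmd32.exe') {
                Remove-Item -Path $dir -Stream $_.Stream -Force
                "  removed stream $($_.Stream) from $dir"
            }
        }
}

# Files in System32 carrying a stream other than their own content (:$DATA)
# or the mark-of-the-web (Zone.Identifier). Anything listed here deserves a look.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'system32') -File -Force -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') } |
    ForEach-Object { '{0}:{1}  ({2} bytes)' -f $_.FileName, $_.Stream, $_.Length }
```

      From a plain command prompt, dir /r %windir%\system32 shows the same streams on Windows Vista and later. End the running cmd32.exe process before removing the stream; while the image is executing it is still in use and the removal fails.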

      Recommended Removal Tools:
      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)
      Symantec (Shareware)

      Manual Removal of Bling.exe

      Bling.exe (W32.Spybot.Worm)

      Terminating the Malware Program

      winnt.exe
      bling.exe


      Open Windows Task Manager.
      On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
      • In the list of running programs, locate the malware file(s).
      • Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
      • Do the same for all detected malware files in the list of running processes.
      • To check that the malware process has been terminated, close Task Manager, and then open it again.
      • Close Task Manager.
      Delete the following malicious folder, and the worm's copies in the shared documents folder:

      X:\Windows\System\kazzabackupfiles\
      X:\documents and settings\all users\documents\  (this is the Shared Documents folder for every user on the machine; delete only the worm's files dropped inside it, not the folder itself)
      [X denotes the drive Windows is installed on]

      Open Registry Editor
      Click Start>Run, type REGEDIT, then press Enter.

      Delete the following malicious registry entries and\or values:
      • Key: System\ControlSet001\Services\Win32 USB2.0 Driver
      • Key: System\CurrentControlSet\Enum\Root\LEGACY_WIN32_USB2.0_DRIVER
      • Key: System\CurrentControlSet\Services\Win32 USB2.0 Driver
      • Key: software\microsoft\windows\currentversion\runOnce Value: Configuration Update
      • Key: software\microsoft\windows\currentversion\runOnce Value: nodriver
      • Key: software\microsoft\windows\currentversion\runOnce Value: NvCpl28Deamon
      • Key: Software\Microsoft\Windows\CurrentVersion\Runonce Value: OEM32 Tools
      • Key: software\microsoft\windows\currentversion\runOnce Value: PopUp Stopper
      • Key: software\microsoft\windows\currentversion\runOnce Value: TaskManager Load Module
      • Key: software\microsoft\windows\currentversion\runOnce Value: UpdateCheck
      • Key: Software\Microsoft\Windows\CurrentVersion\RunOnce Value: Win startup
      • Key: Software\Microsoft\Windows\CurrentVersion\RunOnce Value: Win32 USB2.0 Driver
      • Key: software\microsoft\windows\currentversion\runOnce Value: Winampa Agent
      • Key: software\microsoft\windows\currentversion\runOnce Value: Windows Logon
      • Key: software\microsoft\windows\currentversion\runOnce Value: Winsock2 driver
      • Key: software\microsoft\windows\currentversion\runOnce Value: winsockdriver
      These files are also infected; to remove them, use an antivirus program such as Kaspersky, Nod32, Bitdefender, AVG or any other.

      0bfe88af511af8????1426ed3158de0c.exe
      0f0????d1be50b4b04f28cb0c3f6bf0c.exe
      0facec44e61f248cd65b1ec3f????3cb.exe
      142efb7a7cf????a0d3d7da308ee6e9c.exe
      1c8467b3d3b????e770b34683aa834fc.exe
      1fcc????04af6f0484dd0a10ea317b2d.exe
      287b93f27195b664b7f6d????848dd10.exe
      2ce4b9d369b51be7ce????9f6e25e020.exe
      2d6a1e49a1d17990c6f3724b????296c.exe
      326210a48b8ae????c4dae6d20fe921d.exe
      33604b93dd6254892572????12dc41c3.exe
      36b184????63cd65a002cc31065e4e45.exe
      36b5c5de76cedd4f72c0890????85aac.exe
      39863834360409913ccb8670f9????f8.exe
      3b0????31ff59868657dfcee37d82642.exe
      42c9f9????893d2005a62e151b7c1575.exe
      4ae5d594bff????82bd18956bc500a7b.exe
      4aeebc5056522dbe5b95????354d2b78.exe
      4eb3a4f964b13e09ad7????e0f231c97.exe
      51df311f3b5360973275f????576788d.exe
      5b50bab4afbd76d180ef5????ce6e37f.exe
      709b055a????a05fd4c5fbc20c798c3f.exe
      7247be51????e4b71aaa9bf22fd09169.exe
      729552ad51eeec0????21e5b84c5474d.exe
      76ff839cc1785dddf5????f33ab4f89b.exe
      77553a4544b0a47986195????3bfa598.exe
      79f8b8????7894d24391f445fb8637d6.exe
      7b459c739bdb83f6ce????a5a9e4202b.exe
      885d0f9a33208ed13????30888e4e50e.exe
      88a034dcfc4a5bca1????28a34c81a78.exe
      891????e09f2d9d9aa27a268604255eb.exe
      8dba0ffe????eef9d27ec4e3017246d6.exe
      9183013a????4f857948d7b299d1c2bc.exe
      92a1ad5bb921d59d5537????a2bde798.exe
      93f6c8cb294????32bdbae5755530ba8.exe
      998ea3f85e937f2cb91c08517????ea9.exe
      9b5d25fb343e8c2108a????be03802e9.exe
      a410ca36a2b97214e29a????a6a0fe7a.exe
      a93776ce2d3ad361d8aea2????0aab7f.exe
      aa1395349d19c3c00????e3fc0ee060b.exe
      aa88162e????22e9a18df61563974e1e.exe
      ab5234ea993????2ffb0a9d6ced65661.exe
      acbce1436d2795a3980????d062a6879.exe
      b1ba7b54????3b8dc784b0b49d3f8bcb.exe
      b6d1f1bf5d????7f5b7e7481a62770cc.exe
      b9e4a2411381????e45ba03161984593.exe
      bd04dea1effe5c1340b3e549e2????32.exe
      d12213fd5f946????a0e5c191c13c7cc.exe
      d2c73b589336af6????5cf150c961f01.exe
      d4deabaacf7d0b82fb47????697e13c3.exe
      d5205d683f8eda61f????f974d1a268b.exe
      dcc48b????1e27f67443576a79d96ac3.exe
      ddba39e4e6f2????6e4e58879b699965.exe
      e2dd82cbabe2????b9543868ea1d7c88.exe
      e74c3e1212389c35df82????a06c8a6f.exe
      e88450528????4a2ad22d0690d35483c.exe
      e9b8c8cfa3e6641c38247????fcd1581.exe
      ed4e11e7784d7????4f4810663f7a7bd.exe
      efea2a6506391145f83????9eb465c18.exe
      f0d2b32723052048c????ce12643ca10.exe
      f27fed8c2057bb3c7b3012e3????bcdb.exe
      f2b4ed????e600a5485c149ab8944785.exe
      f4aa????319191f99c42d94dd4b4881d.exe
      f604b64d79????98476c9a5b6ce63851.exe
      f76f6b059e1f7????d1ab10278ee9626.exe
      fb220e0d3975c10????ba8f1ffd3e1ca.exe
      fd3488d1a6b98460c9d655b1c????fb3.exe

      Removing Autostart Entries from the Registry
      Removing autostart entries from the registry prevents the malware from executing at startup.

      Open Registry Editor: click Start > Run, type regedit and click OK.

      Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Download and run UnHookExec.inf, then continue with the removal: right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or dialog boxes when you run it.) Click OK.

      In the Registry Editor, navigate to the following subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_CURRENT_USER\Software\Microsoft\OLE

      In the right pane, delete any values that refer to the file names that were detected.

      Navigate to the subkeys:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger

      In the right pane, reset the original value, if known:

      "Start" = "4"

      Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

      In the right pane, reset the original value, if known:

      "restrictanonymous" = "1"

      Navigate to the subkeys:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

      In the right pane, reset the original values, if known:

      "AutoShareWks" = "0"
      "AutoShareServer" = "0"

      Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

      In the right pane, reset the original value, if known:

      "DoNotAllowXPSP2" = "1"

      Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

      In the right pane, reset the original value, if known:

      "EnableDCOM" = "N"

      Navigate to and delete the following subkeys, if present:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV

      Exit the Registry Editor.
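      The registry entries listed under "Delete the following malicious registry entries" and the keys and values walked through in this autostart section are the same kind of indicator, so the following script audits all of them in one pass. It is an added example, not code from the original page or from any removal tool named here: it only reads the registry and reports matches, leaving the deletion and restoration to the manual steps above. It assumes Windows PowerShell 3.0 or later and an elevated prompt, that the values quoted on the page (such as "Start" = "4" or "EnableDCOM" = "N") are the ones the worm writes, and that the dropped files are named as 32 hexadecimal digits followed by .exe, as the file list above shows.

```powershell
# Added example, not code from the original page: a read-only audit of the
# registry locations this guide tells you to clean. It reports matches instead
# of deleting anything; act on the report with the manual steps above.
# Run from an elevated Windows PowerShell 3.0 (or later) prompt.

# Value names listed on the page under the runOnce keys. Assumption: any of
# these names in a Run, RunOnce or RunServices key is an indicator.
$SuspiciousValueNames = @(
    'Configuration Update', 'nodriver', 'NvCpl28Deamon', 'OEM32 Tools',
    'PopUp Stopper', 'TaskManager Load Module', 'UpdateCheck', 'Win startup',
    'Win32 USB2.0 Driver', 'Winampa Agent', 'Windows Logon', 'Winsock2 driver',
    'winsockdriver'
)

# Autostart keys named in the "Removing Autostart Entries" section.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Services the guide says to restore; Start = 4 means the service is disabled.
$TamperedServices = 'SharedAccess', 'wscsvc', 'TlntSvr', 'RemoteRegistry', 'Messenger'

# Settings the guide says to reset. Assumption: the value shown on the page is
# the one the worm writes, so finding it is what gets reported.
$WeakenedSettings = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'restrictanonymous'; Bad = '1' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';      Name = 'AutoShareWks';      Bad = '0' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';      Name = 'AutoShareServer';   Bad = '0' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'; Name = 'AutoShareWks';      Bad = '0' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'; Name = 'AutoShareServer';   Bad = '0' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';              Name = 'DoNotAllowXPSP2';   Bad = '1' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\OLE';                                         Name = 'EnableDCOM';        Bad = 'N' }
)

# Driver and service keys the guide says to delete if present.
$DriverKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Win32 USB2.0 Driver',
    'HKLM:\SYSTEM\ControlSet001\Services\Win32 USB2.0 Driver',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32_USB2.0_DRIVER',
    'HKLM:\SYSTEM\CurrentControlSet\Services\BoolTern',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN',
    'HKLM:\SYSTEM\CurrentControlSet\Services\rdriv',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV'
)

# Properties PowerShell adds to every Get-ItemProperty result; not registry values.
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-BeagleIndicators {
    $findings = @()

    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }
            $byName = $SuspiciousValueNames -contains $p.Name
            # The dropped files listed on the page are named as 32 hex digits + .exe.
            $byData = "$($p.Value)" -match '\\[0-9a-f]{32}\.exe'
            if ($byName -or $byData) {
                $findings += [pscustomobject]@{ Type = 'Autostart'; Location = $key; Name = $p.Name; Data = "$($p.Value)" }
            }
        }
    }

    foreach ($svc in $TamperedServices) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) {
            $findings += [pscustomobject]@{ Type = 'ServiceDisabled'; Location = $key; Name = 'Start'; Data = $start }
        }
    }

    foreach ($s in $WeakenedSettings) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($null -ne $current -and "$current" -eq $s.Bad) {
            $findings += [pscustomobject]@{ Type = 'WeakenedSetting'; Location = $s.Key; Name = $s.Name; Data = "$current" }
        }
    }

    foreach ($key in $DriverKeys) {
        if (Test-Path $key) {
            $findings += [pscustomobject]@{ Type = 'DriverKey'; Location = $key; Name = ''; Data = '' }
        }
    }

    return $findings
}

$report = @(Get-BeagleIndicators)
if ($report.Count -eq 0) { 'No Beagle registry indicators found.' } else { $report | Format-Table -AutoSize }
```

      The script deliberately stops at reporting: a Run value that merely resembles one of the names above may belong to legitimate software, so each finding should be checked against the file it points to before the entry is deleted or the service Start value is restored. A missing key or value simply produces no finding, which is why every lookup uses -ErrorAction SilentlyContinue rather than failing the whole audit.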



      Windows XP Service Pack 2
      If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:
      Click Start > Control Panel.

      Double-click the Security Center.
      Ensure that the Firewall security essential is marked ON.

      Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.

      If the Firewall security essential is not marked on, click the "Recommendations" button.
      Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.
      Click Close, and then click OK.
      Close the Security Center.

      Recommended Removal Tools:

      Kaspersky Antivirus or Internet Security (Shareware)
      Spyware Doctor (Shareware)
      AVG Antivirus (Freeware)

      How to Remove Avserve.exe, Avserve2.exe (Sasser Worm)

      What are the Symptoms of the Sasser worm?

      When you are infected you will see a screen similar to the one below; it counts down to zero and then shuts the system down completely. The warning states "This shutdown was initiated by NT AUTHORITY\SYSTEM" and that the system process lsass.exe terminated unexpectedly.

      The message may be prefaced by another message.

      You can cancel this shutdown by following the steps below during the countdown:
      1. Click on Start, Run
      2. Type shutdown -a, then press Enter
      This cancels the shutdown; however, in most cases the system may be too unstable to recover and may need to be rebooted anyway.

      How Does Sasser Infect My Computer?
      When W32.Sasser.Worm runs, it does the following:

      • Attempts to create a mutex named Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
      • Copies itself to the %Windir% directory. This is usually the C:\WINDOWS or C:\WINNT directory.
      • Adds the values:

        "avserve.exe"="%Windir%\avserve.exe"
        "avserve2.exe"="%Windir%\avserve2.exe"
        "skynetave.exe"="%Windows%\skynetave.exe"

        to the following registry key, so that the worm runs on Windows startup:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
      • Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
      • Iterates through all the host's IP addresses, looking for one that is not in any of the following ranges:
        • 127.0.0.1
        • 10.x.x.x
        • 172.16.x.x - 172.31.x.x (inclusive)
        • 192.168.x.x
        • 169.254.x.x
      • Using one of these IP addresses, the worm then generates a random IP address:
        52% of the time, the IP address is completely random.
        23% of the time, the last three octets are changed to random numbers.
        25% of the time, the last two octets are changed to random numbers.
      • Because the worm can create completely random addresses, any IP range can be infected. This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become very slow and barely usable.
      • Connects to the randomly generated IP address on TCP port 445 to determine whether a remote computer is online.
      • If a connection is made to a remote computer, the worm sends shellcode to it, which may cause it to open a remote shell on TCP port 9996.
      • Uses the shell on the remote computer to connect back to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy has a name consisting of four or five digits followed by _up.exe, for example 74354_up.exe.
      • The Lsass.exe process crashes after the worm exploits the Windows LSASS vulnerability. Windows displays the alert and shuts down the system in 1 minute.
      • Creates a file at C:\win.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.
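      The behaviour just listed leaves host-side traces that can be checked before any removal is attempted: the worm's process names, the FTP listener on TCP 5554, the shell on TCP 9996, the Run value, C:\win.log, and the burst of half-open connections to TCP 445 that its 128 scanning threads produce. The following script is an added example, not code from the original page or from any vendor tool it mentions; it only reads and reports. It assumes Windows PowerShell 3.0 or later, uses netstat so that it also works on older Windows versions, and treats twenty simultaneous SYN_SENT connections to port 445 as the (assumed) threshold for scanning. Every input can be replaced with constructed data, as the offline call at the end shows.

```powershell
# Added example, not code from the original page: a read-only triage for the
# Sasser indicators described above (worm processes, the FTP listener on 5554,
# the shell on 9996, the Run value, C:\win.log, and outbound scanning of 445).
# Nothing is stopped or deleted; it reports so the removal steps can follow.
# Windows PowerShell 3.0 or later; uses netstat so it works on older Windows.

function Get-SasserIndicators {
    param(
        # Every input can be overridden with constructed data for an offline check.
        [string[]]$ProcessNames = (Get-Process | Select-Object -ExpandProperty ProcessName),
        [string[]]$NetstatLines = (& netstat -an),
        [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$WinLogPath = 'C:\win.log',
        # Assumption: this many half-open connections to port 445 at once means scanning.
        [int]$ScanThreshold = 20
    )
    $findings = @()

    # 1. Worm processes. ProcessName carries no .exe; the digits pattern covers
    #    the four-or-five-digit _up.exe copies fetched from the worm's FTP server.
    foreach ($name in $ProcessNames) {
        if ($name -match '^(avserve2?|skynetave|\d{4,5}_up)$') {
            $findings += [pscustomobject]@{ Type = 'Process'; Detail = $name }
        }
    }

    # 2. Listeners on the worm's FTP (5554) and remote shell (9996) ports.
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING' -and
            ((5554, 9996) -contains [int]$Matches[1])) {
            $findings += [pscustomobject]@{ Type = 'Listener'; Detail = "TCP port $($Matches[1])" }
        }
    }

    # 3. Outbound scanning: the worm probes random addresses on TCP 445 from 128
    #    threads, which shows up as many SYN_SENT entries to :445.
    $halfOpen = @($NetstatLines | Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+:445\s+SYN_SENT' }).Count
    if ($halfOpen -ge $ScanThreshold) {
        $findings += [pscustomobject]@{ Type = 'Scanning'; Detail = "$halfOpen SYN_SENT connections to TCP 445" }
    }

    # 4. Run-key persistence: value names and data given on the page.
    if (Test-Path $RunKey) {
        foreach ($p in (Get-ItemProperty -Path $RunKey).PSObject.Properties) {
            if ("$($p.Name) $($p.Value)" -match 'avserve2?\.exe|skynetave\.exe') {
                $findings += [pscustomobject]@{ Type = 'Autostart'; Detail = "$($p.Name) = $($p.Value)" }
            }
        }
    }

    # 5. The log file the worm writes.
    if (Test-Path $WinLogPath) {
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $WinLogPath }
    }

    return $findings
}

# Live host check:
Get-SasserIndicators | Format-Table -AutoSize

# Offline check with constructed netstat lines (no live system touched):
$sampleNetstat = @(
    '  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING',
    '  TCP    192.0.2.10:1034        198.51.100.7:445       SYN_SENT'
)
Get-SasserIndicators -ProcessNames @('explorer', 'avserve2') -NetstatLines $sampleNetstat `
    -RunKey 'HKCU:\NoSuchKey' -WinLogPath 'C:\NoSuchFile\win.log' -ScanThreshold 1 | Format-Table -AutoSize
```

      A Process or Listener finding on its own is strong evidence, because the names and ports are specific to this worm; the Scanning check is a rate heuristic and is the one most worth tuning, since a legitimate file-sharing client can also hold a few half-open connections to port 445. Taking the inputs as parameters keeps the detection logic separate from the live-system reads, so the same function can be run against a saved netstat capture from another machine.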
      How Can I Remove the Sasser worm?
      Follow these steps to remove the Sasser worm.

      1. Disconnect your computer from the local area network or Internet.

      2. Terminate the running program:
        • Open the Windows Task Manager by pressing CTRL+ALT+DEL and selecting the Processes tab (or selecting Task Manager and then the Processes tab on WinNT/2000/XP machines).
        • Locate one of the following programs (depending on the variant), click on it and choose End Task or End Process:
          avserve.exe
          avserve2.exe
          skynetave.exe
          any process running with the "_up.exe" suffix
        • Close Task Manager.

      3. Activate the Windows XP Firewall (if running Windows XP) or another firewall to prevent the worm from shutting your system down while you download the patches. To activate the Windows XP firewall, follow these steps:
        • Click on Start, Control Panel.
        • Double-click on Networking and Internet Connections, then click on Network Connections.
        • Right-click on the connection you use to access the Internet and choose Properties.
        • Click on the Advanced tab and check the box "Protect my computer and network by limiting or preventing access to this computer from the Internet".
        • Click OK and close the Network Connections window and Control Panel.

      4. Download and install the patches for the LSASS vulnerability and others.

      5. Remove the registry entries:
        • Click on Start, Run, and type Regedit.
        • In the left panel go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        • In the right panel, right-click and delete the following entries:
          "avserve.exe"="%Windir%\avserve.exe"
          "avserve2.exe"="%Windir%\avserve2.exe"
          "skynetave.exe"="%Windows%\skynetave.exe"
        • Close the Registry Editor.

      6. Delete the infected files (for Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backed-up copies are removed as well):
        • Click Start, point to Find or Search, and then click Files or Folders.
        • Make sure that "Look in" is set to (C:\WINDOWS).
        • In the "Named" or "Search for..." box, type, or copy and paste, the file names:
          avserve.exe
          avserve2.exe
          skynetave.exe
          C:\win2.log
        • Click Find Now or Search Now.
        • Delete the displayed files.
        • Empty the Recycle Bin.

      7. Reboot the computer, update your antivirus software, and run a virus scan with your antivirus program.

      For automatic removal of Sasser, download the Symantec removal tool. You will still need to download and install the patches above; the removal tool stops the Sasser worm from running, removes the registry items, and deletes the infected files.

      PC Hell
