
Manual Removal of W32/Nugg.W Worm

W32/Nugg.W is a worm. The worm will infect Windows systems.
This worm first appeared on January 2, 2009.
Other names of W32/Nugg.W Worm:
This worm is also known as PSW.OnlineGames.BIYV, P2P-Worm.Win32.Nugg.w
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Nugg.W Worm
Trojan Manual Removal Instructions

Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\System\danim32.dll

    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd and then click the "OK" button.
  • Type "cd" followed by a space and the full path to the folder where you believe the program's DLL file is located, then press the "Enter" key.
  • If you don't know where the DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the DLL file, type "regsvr32 /u" followed by the DLL name at the prompt for that directory.
  • Example: [ C:\Windows\System> regsvr32 /u name.dll ], then press the "Enter" key.
  • A message will pop up saying that the file was successfully unregistered.
Trojan Entries Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf before continuing with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • Boot into Safe Mode or VGA Mode.
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Onlinegames.Lov.PSW Trojan

W32/Onlinegames.Lov.PSW is a trojan. The trojan will infect Windows systems.
The trojan attempts to steal passwords from infected systems.
This trojan first appeared on December 27, 2007.
Other names of W32/Onlinegames.Lov.PSW Trojan:
This trojan is also known as Trojan-PSW.Win32.OnLineGames.lov.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Onlinegames.Lov.PSW Trojan
Trojan Manual Removal Instructions

Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\System\amvo.exe
  • %Windows\System\amvo1.dll
  • %Documents and Settings\help[1].exe
  • %Documents and Settings\ro.dll
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd and then click the "OK" button.
  • Type "cd" followed by a space and the full path to the folder where you believe the program's DLL file is located, then press the "Enter" key.
  • If you don't know where the DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the DLL file, type "regsvr32 /u" followed by the DLL name at the prompt for that directory.
  • Example: [ C:\Windows\System> regsvr32 /u name.dll ], then press the "Enter" key.
  • A message will pop up saying that the file was successfully unregistered.
Trojan Entries Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    • Download UnHookExec.inf before continuing with the removal.
    • Save it to your Windows desktop. Do not run it at this time; download it only.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
Entries Unknown
Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Onlinegames.Isb.PSW Trojan

W32/Onlinegames.Isb.PSW is a trojan. The trojan will infect Windows systems.
This trojan first appeared on December 18, 2007.
Other names of W32/Onlinegames.Isb.PSW Trojan:
This trojan is also known as Trojan-PSW.Win32.OnLineGames.isb.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Onlinegames.Isb.PSW Trojan
Trojan Manual Removal Instructions

Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\MsPrint32D.exe
  • %Windows\System\MsPrint32D.dll
  • %Windows\Prefetch\ABTPKQ.EXE-06512A47.pf
  • %Unknown\ABTPKQ.EXE [ Search this file name and delete the File ]
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd and then click the "OK" button.
  • Type "cd" followed by a space and the full path to the folder where you believe the program's DLL file is located, then press the "Enter" key.
  • If you don't know where the DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the DLL file, type "regsvr32 /u" followed by the DLL name at the prompt for that directory.
  • Example: [ C:\Windows\System> regsvr32 /u name.dll ], then press the "Enter" key.
  • A message will pop up saying that the file was successfully unregistered.
Trojan Entries Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf before continuing with the removal. Save it to your Windows desktop.
  • Do not run it at this time; download it only.
  • Boot into Safe Mode or VGA Mode.
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the Unknown Entries
Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/OnLineGames.TOB Trojan

W32/OnLineGames.TOB is a trojan. The trojan will infect Windows systems.
This trojan first appeared on December 31, 2008.
Other names of W32/OnLineGames.TOB Trojan:
This trojan is also known as WORM_ONLINEG.EWH, Trojan.Win32.OnLineGames.TOB.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/OnLineGames.TOB Trojan
Trojan Manual Removal Instructions

Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\System\kavo.exe
  • %Windows\System\kavo0.dll
  • %Documents and Settings\Default User\Local Settings\Temp\gxylc.dll
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd and then click the "OK" button.
  • Type "cd" followed by a space and the full path to the folder where you believe the program's DLL file is located, then press the "Enter" key.
  • If you don't know where the DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the DLL file, type "regsvr32 /u" followed by the DLL name at the prompt for that directory.
  • Example: [ C:\Windows\System> regsvr32 /u name.dll ], then press the "Enter" key.
  • A message will pop up saying that the file was successfully unregistered.
Trojan Entries Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    • Download UnHookExec.inf before continuing with the removal.
    • Save it to your Windows desktop. Do not run it at this time; download it only.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_USERS\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX\Software\Microsoft\Windows\CurrentVersion\Run
Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Vaklik.ASM Trojan

W32/Vaklik.ASM is a trojan. The trojan will infect Windows systems.
This trojan first appeared on December 30, 2008.
Other names of W32/Vaklik.ASM Trojan:
This trojan is also known as WORM_ONLINEG.EWH, Trojan.Win32.Vaklik.asm.
Damage Level : Medium
Distribution Level: Unknown
No Removal Tool for W32/Vaklik.ASM Trojan
Trojan Manual Removal Instructions

Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\System\jvvo.exe
  • %Windows\System\jvvo0.dll
  • %Documents and Settings\Default User\Local Settings\Temp\f5pcgu.dll
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd and then click the "OK" button.
  • Type "cd" followed by a space and the full path to the folder where you believe the program's DLL file is located, then press the "Enter" key.
  • If you don't know where the DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the DLL file, type "regsvr32 /u" followed by the DLL name at the prompt for that directory.
  • Example: [ C:\Windows\System> regsvr32 /u name.dll ], then press the "Enter" key.
  • A message will pop up saying that the file was successfully unregistered.
Trojan Entries Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    • Download UnHookExec.inf before continuing with the removal.
    • Save it to your Windows desktop. Do not run it at this time; download it only.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_USERS\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX\Software\Microsoft\Windows\CurrentVersion\Run
Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/VirtualBouncer.C Trojan

W32/VirtualBouncer.C is a Trojan. The trojan will infect Windows systems.
The trojan installs itself as antivirus software and scans the system.
Once scanning is completed, it takes the user to a website for registration.
This trojan first appeared on December 29, 2008.
Other names of W32/VirtualBouncer.C Trojan:
This trojan is also known as DR/VirtualBouncer.C.5, Troj/FakeAle-BP.
Damage Level : Medium
Distribution Level: Unknown
No Removal Tool for W32/VirtualBouncer.C Trojan
Trojan Worm Manual Removal Instructions
Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Program Files\myCleanerPC\myCleanerPC.exe [ 876544 Bytes ]
  • %Program Files\myCleanerPC\DNRProject.dll [ 774144 Bytes ]
  • %Program Files\myCleanerPC\mcpcuninstaller1_25.EXE
  • %Program Files\myCleanerPC\Setup.INI
  • %Program Files\myCleanerPC\clean.swf
  • %Program Files\myCleanerPC\clean1.swf
  • %Documents and Settings\[USER]\Application Data\myCleanerPC
  • %Documents and Settings\[USER]\Start Menu\Programs\myCleanerPC
  • %Documents and Settings\[USER]\Application Data\myCleanerPC\history.dat
  • %Documents and Settings\[USER]\Application Data\myCleanerPC\error.log

  • %Documents and Settings\[USER]\Application Data\myCleanerPC\CleanerDefs.css
  • %Documents and Settings\[USER]\Application Data\myCleanerPC\schedule.dat
  • %Documents and Settings\[USER]\Application Data\myCleanerPC\Signatures.dat
  • %Documents and Settings\[USER]\Application Data\myCleanerPC\stats.log
  • %Documents and Settings\[USER]\Application Data\myCleanerPC\user.dat
  • %Documents and Settings\[USER]\Start Menu\Programs\myCleanerPC\About myCleanerPC.lnk
  • %Documents and Settings\[USER]\Start Menu\Programs\myCleanerPC\MyCleanerPC.lnk
  • %Documents and Settings\[USER]\Start Menu\Programs\myCleanerPC\Uninstall myCleanerPC.lnk 
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd and then click the "OK" button.
  • Type "cd" followed by a space and the full path to the folder where you believe the program's DLL file is located, then press the "Enter" key.
  • If you don't know where the DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the DLL file, type "regsvr32 /u" followed by the DLL name at the prompt for that directory.
  • Example: [ C:\Windows\System> regsvr32 /u name.dll ], then press the "Enter" key.
  • A message will pop up saying that the file was successfully unregistered.
Trojan Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    • Download UnHookExec.inf before continuing with the removal.
    • Save it to your Windows desktop. Do not run it at this time; download it only.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\myCleanerPC
HKEY_USERS\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\MyCleanerPC
HKEY_LOCAL_USERS\SOFTWARE\MyCleanerPC
DNRProject.cCookie
DNRProject.cErrorLog
DNRProject.cHistory
DNRProject.cRegistryRoutines
DNRProject.cScheduler
DNRProject.cSignature
DNRProject.cThreatLevel
DNRProject.cUserSettings
DNRProject.DNRDirector
Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Sohanad.AS Worm

W32/Sohanad.AS is a worm. The worm will infect Windows systems.
The worm arrives either as a file downloaded from remote sites by other malware or downloaded unknowingly by a user when visiting malicious Web sites.

The worm also modifies the Windows Registry to disable Registry Editor and Task Manager.
It attempts to connect to certain Web sites to download possibly malicious files.
The worm creates a scheduled task to execute its dropped copies.
It uses Windows Task Scheduler to schedule a task that automatically executes at 9 o'clock every day.
This worm first appeared on August 22, 2007.
Other names of W32/Sohanad.AS Worm:
This worm is also known as IM-Worm.Win32.Sohanad.as, W32/YahLover.worm, W32.Imaut.A, DR/Sohanad.AS.1, W32/SillyFDC-AE.
Damage Level : High/Medium
Distribution Level: Unknown
Auto Removal Tools for W32/Sohanad.AS Worm
Download Kaspersky Removal Tool
Worm Manual Removal Instructions

Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\SCVVHSOT.exe
  • %Windows\System\BLASTCLNNN.EXE
  • %Windows\System\SCVVHSOT.exe
  • %System%\autorun.ini
    The worm also copies autorun.ini to the Windows System folder; the file contains the following lines:
    Open=SCVVHSOT.exe
    Shellexecute=SCVVHSOT.exe
    Shell\Open\command = SCVVHSOT.exe
    Shell=Open
    To delete it, open the file in Notepad, delete the entire contents, choose File > Save, and close Notepad. Then right-click the file, select Properties, check Read-only, click Apply and OK, close the dialog, and delete the file.

    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file [right-click and select "Save Target As"]: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Worm Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    Download UnHookExec.inf before continuing with the removal.
    Save it to your Windows desktop. Do not run it at this time; download it only.
    Boot into Safe Mode or VGA Mode.
    Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The worm adds the following registry key so that the malicious file is accessible to all users within the network:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/SystemAntivirus.A Trojan

W32/SystemAntivirus.A is a trojan. The trojan will infect Windows systems.
The Trojan may be dropped by other malware or may be downloaded from remote website by other malware.
It may also be downloaded unknowingly by a user while visiting malicious Website.
This Trojan first appeared on October 11, 2008.
Other names of W32/SystemAntivirus.A Trojan:
This Trojan is also known as Win32/FakeSecSen, Mal/FakeAV-E, TROJ_FAKEAV.NN.
Damage Level : Unknown
Distribution Level: Unknown
Trojan Worm Manual Removal Instructions
Recommended: perform the removal from Safe Mode.

How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\System\lsasrv.dll
  • %Program Files\SAV 
  • %Program Files\SAV\sav.cpl [ Control Panel Entry ]
  • %Program Files\SAV\sav.exe  [ End Process ]
  • %Program Files\SAV\sav0.dat
  • %Program Files\SAV\sav1.dat 
  • %WINDOWS\system32\sav.cpl [ Control Panel Entry ]
  • %Documents and Settings\User Name\Desktop\System Antivirus 2008.lnk
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file: Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when prompted to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd and then click the "OK" button.
  • Type "cd" followed by a space and the full path to the folder where you believe the System Antivirus 2008 DLL file is located, then press the "Enter" key.
  • If you don't know where the System Antivirus 2008 DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the "System Antivirus 2008" DLL file, type "regsvr32 /u" followed by the DLL name at the prompt for that directory.
  • Example: (C:\Windows\System> regsvr32 /u lsasrv.dll), then press the "Enter" key.
  • A message will pop up saying that the file was successfully unregistered.
Trojan Manual Removal From Registry
Click Start > Run, type regedit, and click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    • Download UnHookExec.inf before continuing with the removal.
    • Save it to your Windows desktop. Do not run it at this time; download it only.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
[ Do Not Delete the Services Folder instead remove the System Antivirus Service Entry ]
HKEY_CLASSES_ROOT\.key
HKEY_CURRENT_USER\Software\AntiVirus
HKEY_CURRENT_USER\Software\SAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Antivirus"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Antivirus"
Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter the keyword, and remove every value the search finds.

Exit the Registry Editor and restart your computer.

Recommended Removal Tools:
Killbox (Freeware)
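
The autostart locations named in the entries above (the HKLM and per-user Run keys, Winlogon\Notify and Winlogon\Shell) can be audited in one read-only pass before anything is deleted by hand. The PowerShell script below is an added example, not part of the original page, and generalizes across all the entries. The file names and the "Yahoo Messengger" value name are taken from the page; the `DllName`, `DisableTaskMgr` and `DisableRegistryTools` value names are standard Windows names that the page does not give, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of the autostart locations named on this page.
# Nothing is modified; review every hit by hand before deleting anything.

# File names copied from the page's "infected files" lists.
$SuspectNames = @(
    'danim32.dll', 'amvo.exe', 'amvo1.dll', 'MsPrint32D.exe', 'MsPrint32D.dll',
    'kavo.exe', 'kavo0.dll', 'jvvo.exe', 'jvvo0.dll', 'SCVVHSOT.exe',
    'BLASTCLNNN.EXE', 'myCleanerPC.exe', 'sav.exe'
)
$Pattern = ($SuspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-RegValues {
    # Return every value (name and data) stored directly under one registry key.
    param([string]$KeyPath)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $KeyPath; Name = $name; Data = [string]$key.GetValue($name) }
    }
}

$findings = @()

# 1. Run keys: machine-wide, current user, and every loaded user hive (HKEY_USERS\S-1-5-21-...).
$RunSuffix = 'Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys = @("HKLM:\$RunSuffix", "HKCU:\$RunSuffix")
$runKeys += @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::$($_.Name)\$RunSuffix" })

foreach ($k in $runKeys) {
    foreach ($v in @(Get-RegValues $k)) {
        # "Yahoo Messengger" (sic) is the Run value name listed for W32/Sohanad.AS.
        if ($v.Data -match $Pattern -or $v.Name -eq 'Yahoo Messengger') {
            $findings += [pscustomobject]@{ Check = 'Run value'; Key = $v.Key; Name = $v.Name; Data = $v.Data }
        }
    }
}

# 2. Winlogon Shell: the stock value is explorer.exe; anything else deserves a look.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $Winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Check = 'Winlogon Shell'; Key = $Winlogon; Name = 'Shell'; Data = $shell }
}

# 3. Winlogon Notify packages: each subkey names a DLL in its DllName value.
foreach ($sub in @(Get-ChildItem -LiteralPath "$Winlogon\Notify" -ErrorAction SilentlyContinue)) {
    $dll = [string]$sub.GetValue('DllName')
    if ($dll -match $Pattern) {
        $findings += [pscustomobject]@{ Check = 'Winlogon Notify'; Key = $sub.Name; Name = 'DllName'; Data = $dll }
    }
}

# 4. Policy values that disable Task Manager and Registry Editor for the current user.
$Policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($valueName in 'DisableTaskMgr', 'DisableRegistryTools') {
    $p = Get-ItemProperty -LiteralPath $Policy -Name $valueName -ErrorAction SilentlyContinue
    if ($p -and [int]$p.$valueName -ne 0) {
        $findings += [pscustomobject]@{ Check = 'Tool disabled by policy'; Key = $Policy; Name = $valueName; Data = [string]$p.$valueName }
    }
}

if ($findings.Count) { $findings | Format-List } else { 'No matches in the audited locations.' }
```

A hit is a lead rather than proof: confirm the file path behind each value before removing it, and export the key first so the change can be reverted.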
