
Manual Removal of Backdoor.Win32.Rbot.gen Trojan

Manual Removal of Backdoor.Win32.Rbot.gen Trojan.
Backdoor.Win32.Rbot.gen is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 6, 2009.
Other names of W32/Rbot Trojan:
This trojan is also known as W32/Rbot-Fam, W32.Randex.gen, Backdoor.Win32.Rbot.gen

Damage Level: Medium/High
Distribution Level: Medium
No Removal Tool for Backdoor.Win32.Rbot.gen Trojan
Can be removed using Spyware Doctor.
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • Delete the following files after ending the active running processes:
  • %Windows\xpupdate.exe [ Kill the Process ]
  • %Windows\50cent.exe [ Kill the Process ]
  • %Windows\files.ini
  • %Windows\nav32sp.exe [ Kill the Process ]
  • %Windows\oi00r1z.dll
  • %Windows\prot.exe [ Kill the Process ]
  • %Windows\~5c.exe [ Kill the Process ]
  • %Windows\Isasss.exe [ Kill the Process; use Killbox if access is denied ]

    • If any of these files appear as running processes in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the file Enable Registry.reg.
    • Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding it to the registry (Yes or No), choose Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • After booting into Safe Mode or VGA Mode:
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\system32
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\system32
HKEY_LOCAL_MACHINE\software\FolderA\FolderB\KeyName1
HKEY_LOCAL_MACHINE\software\FolderA\FolderB\KeyName2\
Delete the values in the right pane, or delete FolderA.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xpupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
xpupdate.exe
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
xpupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
xpupdate.exe


Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32.Randex.gen Trojan

Manual Removal of W32.Randex.gen Trojan.
W32.Randex.gen is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 6, 2009.
Other names of W32/Rbot Trojan:
Backdoor.Win32.Rbot.gen [Kaspersky Lab]
Worm.RBot.Gen.8 [PC Tools]

Damage Level: Medium/High
Distribution Level: Medium
No Removal Tool for W32/Rbot Trojan
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • The Following Files Can be Infected with W32.Randex.gen Trojan
  • %System\agguvj.exe
  • %System\bnmveqfts.exe
  • %System\dllcache\winlogon.exe
  • %System\dlp.exe
  • %System\eejxdf.exe
  • %System\explorer.exe
  • %System\exuamw.exe
  • %System\hostlogin.exe
  • %System\iexplorer7.exe
  • %System\ihost.exe
  • %System\imchemaoa.exe
  • %System\lexplore.exe
  • %System\llass.exe
  • %System\msconf.exe
  • %System\msconfg.exe
  • %System\msconfig.exe
  • %System\msgfix.exe
  • %System\mslogon.exe
  • %System\msupdate.exe
  • %System\mtwfdhx.exe
  • %System\nvmbanr.exe
  • %System\pdxfcasrq.exe
  • %System\phjxqnp.exe
  • %System\postalc.exe
  • %System\quwsgbs.exe
  • %System\regsvcd.exe
  • %System\rejaww.exe
  • %System\rundll32.dll
  • %System\smlogsvcc.exe
  • %System\spoolsrv.exe
  • %System\svchosts.exe
  • %System\syadpon.exe
  • %System\system.exe
  • %System\system32i.exe
  • %System\thiskz.exe
  • %System\txp\ntdzm.exe
  • %System\windowantasdivri.exe
  • %System\windows_update.exe
  • %System\winexplore.exe
  • %System\winmgr.exe
  • %System\winrundll.exe
  • %System\winup.exe
  • %System\winupdate.exe
  • %System\winupdatr.exe
  • %Temp\nzm.exe
  • %Windows\config\lsass.exe
  • %Windows\nzm.exe
    • If any of these files appear as running processes in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the file Enable Registry.reg.
    • Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding it to the registry (Yes or No), choose Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • After booting into Safe Mode or VGA Mode:
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices


Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Rbot Trojan

Manual Removal of W32/Rbot Trojan.
W32/Rbot is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 6, 2009.
Other names of W32/Rbot Trojan:
This trojan is also known as W32/Rbot-Fam, W32.Randex.gen, Backdoor.Win32.Rbot.gen

Damage Level: Medium/High
Distribution Level: Medium
No Removal Tool for W32/Rbot Trojan
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\System\lqyuuxrvz.exe
    • If any of these files appear as running processes in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the file Enable Registry.reg.
    • Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding it to the registry (Yes or No), choose Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • After booting into Safe Mode or VGA Mode:
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of Win32.Agent.wvu Trojan-Dropper

Manual Removal of Win32.Agent.wvu Trojan-Dropper.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for Win32.Agent.wvu Trojan-Dropper
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Temp%\1
  • %ProgramFiles%\CNNIC
  • %ProgramFiles%\CNNIC\Cdn
  • %ProgramFiles%\CNNIC\Cdn\Images
  • %Temp%\1\cdn.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnaux.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnforie.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnprh.dll
  • %System%\cdnprot.dat
  • %System%\drivers\cdnprot.sys
  • %ProgramFiles%\CNNIC\Cdn\cdnunins.exe
  • %ProgramFiles%\CNNIC\Cdn\cdnup.exe
  • %ProgramFiles%\CNNIC\Cdn\cdnvers.dat
  • %ProgramFiles%\CNNIC\Cdn\idnconvs.dll
  • %Temp%\1\setup.exe
  • %ProgramFiles%\CNNIC\Cdn\src.dat
    • The files above under %ProgramFiles% are also copied to %Temp\1\
    [ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
    The following file sizes have been seen:
    37,376 bytes, 52,786 bytes, 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
    • If any of these files appear as running processes in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the file Enable Registry.reg.
    • Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding it to the registry (Yes or No), choose Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • After booting into Safe Mode or VGA Mode:
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Display
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Enum
HKEY_CURRENT_USER\Software\CNNIC
HKEY_CURRENT_USER\Software\CNNIC\CdnClient
HKEY_CURRENT_USER\Software\CNNIC\CdnClient\Restore



Modified Registry Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant="http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html"
CustomizeSearch="http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"


Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Agent.WVU Trojan

Manual Removal of W32/Agent.WVU Trojan.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
FXSTALLER.EXE has been seen to perform the following behavior:
The Process is packed and/or encrypted using a software packing process
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
Disables the Windows Security Center Service
Disables Windows Automatic Updates including Security Updates and Patches
Executes a Process
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
This process creates other processes on disk
Creates system tray popups, messages, errors and security warnings
Opens browser pop ups
The Process is polymorphic and can change its structure
Registers a Dynamic Link Library File
Can communicate with other computer systems using HTTP protocols
Executes Processes stored in Temporary Folders

FXSTALLER.EXE has been the subject of the following behavior:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Executed as a Process
Terminated as a Process
Copied to multiple locations on the system
Created as a new Background Service on the machine
Deleted as a process from disk
Executed by Internet Explorer
Executed from Temporary Folders

Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Agent.WVU Trojan
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\fxstaller.exe
  • %Temp%\ixp000.tmp\aa.exe
  • %Temp%\ixp000.tmp\buri.exe
  • %Temp%\ixp000.tmp\burimi.exe
  • %Temp%\ixp000.tmp\fapack.exe
  • %Temp%\ixp000.tmp\image.exe
  • %Temp%\ixp000.tmp\pa.exe
  • %Temp%\ixp000.tmp\pack.exe
  • %Temp%\ixp000.tmp\pr.exe
  • %Temp%\ixp000.tmp\test.exe
  • %Temp%\ixp001.tmp\burimi.exe
    [ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
    The following file sizes have been seen:
    37,376 bytes, 52,786 bytes, 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
    • If any of these files appear as running processes in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the file Enable Registry.reg.
    • Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding it to the registry (Yes or No), choose Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • After booting into Safe Mode or VGA Mode:
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

W32.Spybot.Worm Entries
Delete the Following Keys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
In the right pane, reset the original value, if known:
"EnableDCOM" = "N"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
In the right pane, reset the original value, if known:
"DoNotAllowXPSP2" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
In the right pane, reset the original values, if known:
"AutoShareWks" = "0"
"AutoShareServer" = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the right pane, reset the original value, if known:
"restrictanonymous" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
In the right pane, reset the original value, if known:
"Start" = "4"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE
In the right pane, delete any values that refer to the file names that were detected.


Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.

Recommended Removal Tools:
Killbox (Freeware)
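
Added example (not part of the original posts): the registry search step used throughout this page, run over a text export of the registry (.reg format) instead of Regedit's Edit > Find. It flags Run/RunOnce/RunServices values whose data names a file listed on this page and reports which of the services named under the W32.Spybot.Worm entries have Start = 4 (disabled). The sample export is constructed and the function names are illustrative.

```python
import re

# A few file names from the lists on this page (matched case-insensitively).
LISTED_NAMES = ["xpupdate.exe", "prot.exe", "~5c.exe", "fxstaller.exe", "burimi.exe"]
# Services named under the W32.Spybot.Worm entries on this page.
LISTED_SERVICES = ["SharedAccess", "wscsvc", "TlntSvr", "RemoteRegistry", "Messenger"]

AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.I)
SERVICE_RE = re.compile(
    r"\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$", re.I)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export format (not taken from a real system).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\xpupdate.exe"
"F-Prot"="\"C:\\Program Files\\AV\\fprot.exe\" /tray"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"setup"="C:\\WINDOWS\\FXSTALLER.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: str | int}}."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue  # header line, blank line, or hex continuation
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        s = STRING_RE.match(raw)
        if s:
            reg[key][name] = _unescape(s.group(1))
        elif raw.lower().startswith("dword:"):
            reg[key][name] = int(raw[6:], 16)
        else:
            reg[key][name] = raw  # other types are kept as raw text
    return reg


def autostart_hits(reg, names=LISTED_NAMES):
    """Return (key, value_name, file_name) for autostart data naming a listed file."""
    hits = []
    for key, values in reg.items():
        if not AUTOSTART_RE.search(key):
            continue
        for vname, data in values.items():
            if not isinstance(data, str):
                continue
            for n in names:
                # Whole-file-name match, so "prot.exe" does not hit "fprot.exe".
                pat = r"(?<![\w.~-])" + re.escape(n.lower()) + r"(?![\w.-])"
                if re.search(pat, data.lower()):
                    hits.append((key, vname, n.lower()))
    return hits


def disabled_services(reg, services=LISTED_SERVICES):
    """Return the listed services whose Start value is 4 (disabled)."""
    found = []
    for key, values in reg.items():
        m = SERVICE_RE.search(key)
        if m and values.get("Start") == 4:
            found += [s for s in services if s.lower() == m.group(1).lower()]
    return found


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for hit in autostart_hits(parsed):
        print("autostart entry:", hit)
    print("disabled services:", disabled_services(parsed))
```
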

Manual Removal of W32/QQPass.DCG.PSW Trojan

Manual Removal of W32/QQPass.DCG.PSW Trojan.
W32/QQPass.DCG.PSW is a Trojan. The Trojan will infect Windows systems.
The Trojan may be dropped by other malware or may be downloaded from remote website by other malware.
It may also be downloaded unknowingly by a user while visiting malicious Website.
This Trojan first appeared on October 24, 2008.
Other names of W32/QQPass.DCG.PSW Trojan:
This Trojan is also known as Mal/Heuri-E, TROJ_DROPPER.BZM, Trojan-PSW.Win32.QQPass.dcg.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/QQPass.DCG.PSW Trojan
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\hjbh.exe
  • %Windows\bxfq.exe
  • %Windows\dfll.exe
  • %Windows\goti.exe
  • %Windows\gzei.exe
  • %Windows\jdzd.exe
  • %Windows\jvcn.exe
  • %Windows\ouyf.exe
  • %Windows\tlqi.exe
  • %Windows\wgon.exe
  • %Windows\wkxi.exe
  • %Windows\wwny.exe
  • %Windows\ybea.exe
    • If any of these files appear as running processes in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the file Enable Registry.reg.
    • Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding it to the registry (Yes or No), choose Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • After booting into Safe Mode or VGA Mode:
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

UNKNOWN

Search the registry for the virus file names listed above to remove them completely:
Edit menu > Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor.
Restart your computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Nugg.W Worm

Manual Removal of W32/Nugg.W Worm.
W32/Nugg.W is a worm. The worm will infect Windows systems.
This worm first appeared on January 2, 2009.
Other names of W32/Nugg.W Worm:
This worm is also known as PSW.OnlineGames.BIYV, P2P-Worm.Win32.Nugg.w
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Nugg.W Worm
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended:

How to start in Safe Mode:
Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode, and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the following active processes before removal:
  • %Windows\System\danim32.dll

    • If any of these files appear as running processes in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the file Enable Registry.reg.
    • Open it with Regedit.exe [%system32\regedit.exe]; when asked to confirm adding it to the registry (Yes or No), choose Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run, type cmd, and then click the "OK" button.
  • Type "cd" to change the current directory,
  • press the space bar, enter the full path to the folder where you believe the program's DLL file is located, and press the "Enter" button on your keyboard.
  • If you don't know where the DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister the program's DLL file,
  • type, at the prompt showing the exact directory path, "regsvr32 /u" followed by the DLL name [ DLL_NAME ].
  • Example: [ C:\Windows\System\ regsvr32 /u name.dll ], then press the "Enter" button.
  • A message will pop up that says you successfully unregistered the file.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Search the registry for the virus file names listed above to remove them completely: open Edit Menu - Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Onlinegames.Lov.PSW Trojan

Manual Removal of W32/Onlinegames.Lov.PSW Trojan.
W32/Onlinegames.Lov.PSW is a trojan. The trojan will infect Windows systems.
The trojan attempts to steal passwords from infected systems.
This trojan first appeared on December 27, 2007.
Other names of W32/Onlinegames.Lov.PSW Trojan:
This trojan is also known as Trojan-PSW.Win32.OnLineGames.lov.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Onlinegames.Lov.PSW Trojan
Trojan Manual Removal Instructions

Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the Following Active Process Before Removal
  • %Windows\System\amvo.exe
  • %Windows\System\amvo1.dll
  • %Documents and Settings\help[1].exe
  • %Documents and Settings\ro.dll
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when it asks whether to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  • Type "cd" in order to change the current directory,
  • Press the "space" button, enter the full path to where you believe the Program DLL file is located, and press the "Enter" button on your keyboard.
  • If you don't know where Program DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister a "Program" DLL file,
  • Type in the exact directory path + "regsvr32 /u" + [ DLL_NAME ]
  • Example [ C:\Windows\System\ regsvr32 /u name.dll ] and press the "Enter" button.
  • A message will pop up that says you successfully unregistered the file.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    • Download and run this UnHookExec.inf, and then continue with the removal.
    • Save it to your Windows desktop. Do not run it at this time, download it only.
    • After booting into the Safe Mode or VGA Mode
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
Entries Unknown
Search the registry for the virus file names listed above to remove them completely: open Edit Menu - Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Onlinegames.Isb.PSW Trojan

Manual Removal of W32/Onlinegames.Isb.PSW Trojan.
W32/Onlinegames.Isb.PSW is a trojan. The trojan will infect Windows systems.
This trojan first appeared on December 18, 2007.
Other names of W32/Onlinegames.Isb.PSW Trojan:
This trojan is also known as Trojan-PSW.Win32.OnLineGames.isb.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Onlinegames.Isb.PSW Trojan
Trojan Manual Removal Instructions

Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the Following Active Process Before Removal
  • %Windows\MsPrint32D.exe
  • %Windows\System\MsPrint32D.dll
  • %Windows\Prefetch\ABTPKQ.EXE-06512A47.pf
  • %Unknown\ABTPKQ.EXE [ Search this file name and delete the File ]
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when it asks whether to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  • Type "cd" in order to change the current directory,
  • Press the "space" button, enter the full path to where you believe the Program DLL file is located, and press the "Enter" button on your keyboard.
  • If you don't know where Program DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister a "Program" DLL file,
  • Type in the exact directory path + "regsvr32 /u" + [ DLL_NAME ]
  • Example [ C:\Windows\System\ regsvr32 /u name.dll ] and press the "Enter" button.
  • A message will pop up that says you successfully unregistered the file.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
  • Download and run this UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop.
  • Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the Unknown Entries
Search the registry for the virus file names listed above to remove them completely: open Edit Menu - Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/OnLineGames.TOB Trojan

Manual Removal of W32/OnLineGames.TOB Trojan.
W32/OnLineGames.TOB is a trojan. The trojan will infect Windows systems.
This trojan first appeared on December 31, 2008.
Other names of W32/OnLineGames.TOB Trojan:
This trojan is also known as WORM_ONLINEG.EWH, Trojan.Win32.OnLineGames.TOB.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/OnLineGames.TOB Trojan
Trojan Manual Removal Instructions

Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your computer and press F8 repeatedly as the screen turns on, then select Safe Mode and press Enter.
The infected files can be found in the following folders under these names, and may also be running as tasks.
End the Following Active Process Before Removal
  • %Windows\System\kavo.exe
  • %Windows\System\kavo0.dll
  • %Documents and Settings\Default User\Local Settings\Temp\gxylc.dll
    • If any of these files appears as a running process in Task Manager, end the process before removal.
    • Note: if Task Manager is disabled, download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe]; when it asks whether to add the information to the registry (Yes or No), confirm Yes, then click OK.
Unregister DLL Files Using Windows Command Prompt
  • To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
  • Type "cd" in order to change the current directory,
  • Press the "space" button, enter the full path to where you believe the Program DLL file is located, and press the "Enter" button on your keyboard.
  • If you don't know where Program DLL file is located, use the "dir" command to display the directory's contents.
  • To unregister a "Program" DLL file,
  • Type in the exact directory path + "regsvr32 /u" + [ DLL_NAME ]
  • Example [ C:\Windows\System\ regsvr32 /u name.dll ] and press the "Enter" button.
  • A message will pop up that says you successfully unregistered the file.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, click OK.
  • Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor.
    • Download and run this UnHookExec.inf, and then continue with the removal.
    • Save it to your Windows desktop. Do not run it at this time, download it only.
    • After booting into the Safe Mode or VGA Mode
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies the registry at the following locations to ensure its automatic execution at every system startup:
HKEY_USERS\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX\Software\Microsoft\Windows\CurrentVersion\Run
Search the registry for the virus file names listed above to remove them completely: open Edit Menu - Find, enter each file name as the keyword, and remove every value the search finds.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)
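
The registry search described in the posts above (Edit Menu - Find for each file name) can be done in one read-only pass over the three autorun locations they name. This is an added example, not part of the original posts; it assumes PowerShell is available on the machine, and the function and variable names are hypothetical.

```powershell
# Added example: read-only audit of the autorun locations named in the posts above.
# File names are copied from those posts; a hit is a lead to review, not a verdict.
$fileNames = 'danim32.dll', 'amvo.exe', 'amvo1.dll', 'MsPrint32D.exe',
             'MsPrint32D.dll', 'ABTPKQ.EXE', 'kavo.exe', 'kavo0.dll', 'gxylc.dll'

# Match a listed name only when it is not the tail of a longer file name.
$escaped = ($fileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = '(?<![\w.-])(' + $escaped + ')'

function Get-ValueHit {
    param([string]$KeyPath)
    # Emit one object per registry value whose data mentions a listed file name.
    if (-not $KeyPath) { return }
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }   # key absent or not readable
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($data -match $pattern) {   # -match is case-insensitive
            [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
        }
    }
}

# HKLM Run key plus the Run key of every loaded user hive (HKEY_USERS\<SID>).
$run  = 'Software\Microsoft\Windows\CurrentVersion\Run'
$keys = @("Registry::HKEY_LOCAL_MACHINE\$run")
$keys += @(Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\$run" })

# Winlogon\Notify holds one subkey per registered package; check each subkey's values.
$notify = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$keys += @(Get-ChildItem -LiteralPath $notify -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)" })

$hits = @($keys | ForEach-Object { Get-ValueHit -KeyPath $_ })
if ($hits.Count) { $hits | Format-List }
else { 'No listed file name found in the audited keys.' }
```

The script only reads; values it reports still have to be reviewed and removed by hand in the Registry Editor as the posts describe. User hives that are not loaded (accounts not logged on) are not covered.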
