
Manual Removal of W32/VB.IDF Trojan

W32/VB.IDF is a Trojan that targets Windows systems. It was first reported on January 9, 2009.
Other names of W32/VB.IDF Trojan:
This Trojan is also known as TROJ_VB.HBG and Trojan.Win32.VB.idf.
Damage Level: Medium/High
Distribution Level: Medium
No removal tool exists for W32/VB.IDF Trojan
Removal instructions from Symantec
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
The infected files are found at the paths below and may show up as running processes in Task Manager.
End any matching active process before deleting the files:
  • [Kill the process; use Killbox if you get Access Denied when deleting the file]
  • %ProgramFiles%\common files\rising.exe
  • %System%\53472fc0.exe
  • %System%\rising.exe
  • %Temp%\ravtmp\rising.exe
  • c:\rising.exe
  • %Temp%\[RANDOM 5 DIGITS].dll
  • %System%\logo_1.exe
  • %Windows Installed Drive\Recycle\RisinG.exe
  • %Windows Installed Drive\recycle\x-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe
  • %Windows Installed Drive\recycle\x-5-4-27-2345678318-4567890223-4234567884-2341\Desktop.ini
    e.g. C:\Recycle\RisinG.exe
  • Removing the folder using the command prompt:
  • Open Task Manager and end the process explorer.exe
  • In Task Manager choose File - New Task (Run...), type cmd and press Enter
  • In the command prompt, type cd \ and press Enter to change to the root of the drive; the prompt becomes C:\>
  • Type cd recycle and press Enter; the prompt becomes C:\recycle>
  • Type del rising.exe and press Enter to delete the file (if the file is hidden, system or read-only, run attrib -h -s -r rising.exe first)
  • Type cd \ and press Enter to return to the root
  • Type rd recycle and press Enter to remove the recycle folder. rd refuses to remove a folder that is not empty: if the x-5-4-27-... subfolder with its RisinG.exe and Desktop.ini is still there, list it with dir /a and remove the whole tree with rd /s /q recycle
  • Type shutdown -r -t 0 and press Enter to restart the PC (typing exit would only close the command prompt, and with explorer.exe ended there is no Start menu to restart from)
  • This Trojan can also use the following file names:
    AF037A60.EXE, DC3.EXE, 9B1CC3AC.EXE, 22906838.DAT, RISING2008[1].EXE, DOWN(0).EXE, 60637142.EXE, 57597865.EXE, NEW.EXE, 13376637.SVD, ASDSDS.EXE, SDSDD.EXE, 42947858.EXE, KKKFUCKU.EXE, RISING[n].EXE, SDSDSD.EXE, RECYCLE/X-5-4-27-2345678318-4567890223-4234567884-2341/RISING.EXE
    If any of these files is running as a process in Task Manager, end the process before removal.
    Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download), open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.
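The file-name list above is easier to apply mechanically than by eye, especially with placeholders such as [RANDOM 5 DIGITS] and [n]. The following Python script is an added example and not part of the original page: it turns the page's indicator list into case-insensitive regular expressions and checks a constructed list of process image paths against them. The placeholder expansions (%System% = C:\WINDOWS\system32 and so on) and the sample paths are assumptions made for the example; on a real machine you would feed it the image paths reported by Process Explorer or by wmic process get ExecutablePath.

```python
import re
from typing import Iterable

# Indicators transcribed from the list above, in the page's own placeholder style.
# [RANDOM 5 DIGITS] and [n] vary per infection; everything else is literal.
INDICATORS = [
    r"%ProgramFiles%\common files\rising.exe",
    r"%System%\53472fc0.exe",
    r"%System%\rising.exe",
    r"%Temp%\ravtmp\rising.exe",
    r"c:\rising.exe",
    r"%Temp%\[RANDOM 5 DIGITS].dll",
    r"%System%\logo_1.exe",
    r"c:\Recycle\RisinG.exe",
    r"c:\recycle\x-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe",
]
# Some of the alternative file names the page lists; these are matched in any directory.
ALT_NAMES = ["AF037A60.EXE", "DC3.EXE", "9B1CC3AC.EXE", "RISING2008[1].EXE", "DOWN(0).EXE",
             "NEW.EXE", "ASDSDS.EXE", "SDSDD.EXE", "RISING[n].EXE", "SDSDSD.EXE"]

# Assumed Windows XP expansions of the page's placeholders (an assumption for this
# example; on a real host take them from the environment of the infected user).
ENV = {
    "%System%": r"C:\WINDOWS\system32",
    "%Temp%": r"C:\Documents and Settings\user\Local Settings\Temp",
    "%ProgramFiles%": r"C:\Program Files",
}

def indicator_to_regex(indicator: str, anchored: bool):
    """Compile one page-style indicator into a case-insensitive regex.
    [RANDOM 5 DIGITS] becomes exactly five digits and [n] one or more digits;
    everything else, including bracketed text such as "[1]", stays literal."""
    for placeholder, value in ENV.items():
        indicator = indicator.replace(placeholder, value)
    pattern = re.escape(indicator)
    pattern = pattern.replace(re.escape("[RANDOM 5 DIGITS]"), r"\d{5}")
    pattern = pattern.replace(re.escape("[n]"), r"\d+")
    if anchored:  # the whole image path must match
        return re.compile("^" + pattern + "$", re.IGNORECASE)
    return re.compile(r"(^|\\)" + pattern + "$", re.IGNORECASE)  # file name in any directory

PATH_RULES = [(i, indicator_to_regex(i, anchored=True)) for i in INDICATORS]
NAME_RULES = [(n, indicator_to_regex(n, anchored=False)) for n in ALT_NAMES]

def match_path(path: str):
    """The indicator a full image path matches, or None."""
    for indicator, rx in PATH_RULES + NAME_RULES:
        if rx.search(path):
            return indicator
    return None

def scan(paths: Iterable[str]) -> list:
    """[(path, indicator)] for every path that matches an indicator."""
    return [(p, match_path(p)) for p in paths if match_path(p)]

# Constructed sample of running-process image paths (not taken from a real machine).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",                               # legitimate
    r"C:\WINDOWS\system32\rising.exe",                                # %System%\rising.exe
    r"C:\Documents and Settings\user\Local Settings\Temp\48213.dll",  # [RANDOM 5 DIGITS].dll
    r"C:\Documents and Settings\user\Local Settings\Temp\4821.dll",   # only four digits: no match
    r"C:\Recycle\RisinG.exe",
    r"D:\Downloads\rising7.exe",                                      # RISING[n].EXE
    r"C:\Program Files\Rising\Rav.exe",                               # genuine Rising AV path: no match
]

if __name__ == "__main__":
    for path, indicator in scan(SAMPLE_PROCESSES):
        print(f"{path}  <-  {indicator}")
```

The full-path rules are anchored so that a legitimate product installed under %ProgramFiles%\Rising is not confused with the %System%\rising.exe dropper; the bare-name rules match in any directory because the page gives no location for them.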

Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
  • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
  • Boot into Safe Mode or VGA Mode.
  • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.
The Trojan modifies the registry at the following locations to ensure it runs at every system startup (Active Setup) and to change the Windows Firewall policy:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile, value DoNotAllowExceptions

Active Setup\Installed Components subkeys carry a StubPath command that Windows runs once per user at logon; look for a subkey whose StubPath points at one of the files above and delete that subkey. The value the Trojan writes to DoNotAllowExceptions is not recorded above; 1 means "Don't allow exceptions" in the firewall profile, so set it back to the value you want rather than simply deleting it.

Search the registry for the file names listed above to remove it completely: Edit menu - Find, enter the name and delete every value found.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32/Hexzone.GII Trojan

W32/Hexzone.GII is a Trojan that targets Windows systems; its Kaspersky name, Trojan-Ransom.Win32.Hexzone.gii, places it in the ransomware category. It was first reported on January 8, 2009.
Other names of W32/Hexzone.GII Trojan:
It is also known as Trojan-Ransom.Win32.Hexzone.gii and DR/Ransom.Hexzone.gii.
Damage Level: Medium/High
Distribution Level: Medium
No removal tool exists for W32/Hexzone.GII Trojan
Removal instructions from Symantec
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
The infected file is found at the path below. A DLL does not appear as a process of its own; it is loaded into another process.
End the process that has it loaded before deleting it:
  • [Kill the process; use Killbox if you get Access Denied when deleting the file]
  • %Windows\System\fbilib.dll
    Find the process that has the DLL loaded (for example with Process Explorer's Find Handle or DLL) and end that process, or delete the file from Safe Mode, where it is not loaded.
    Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download), open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.


Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
  • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
  • Boot into Safe Mode or VGA Mode.
  • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.
The Trojan registers itself in the registry at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib

A TypeLib key only registers a COM type library (TypeLib\{GUID}\<version>\0\win32 holds the path of the file); it does not by itself run anything at startup. Find the subkey whose win32 value points at fbilib.dll and delete it, and check HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID for an InprocServer32 value that references the same DLL.
Search the registry for the file name listed above to remove it completely: Edit menu - Find, enter the name and delete every value found.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

Manual Removal of W32.Versie.A Trojan

W32.Versie.A is a worm that targets Windows systems: it copies itself to the root of fixed and removable drives together with an Autorun.inf and opens a back door. It was first reported on January 7, 2009.
Other names of W32.Versie.A:
It is also known as Trojan-Downloader.Win32.Agent.xrb and W32/Agent.XRB (the W32/Agent.XRB entry further down this page describes the same threat).
The worm checks for the presence of %System%\drivers\klick.sys and, if the file is found, sets the system date to 1981 and pings 127.0.0.1.
The worm opens a back door on the compromised computer: it connects to jackie.crwoo.com on TCP port 1986 and awaits commands, which allow a remote attacker to perform actions including:
Log keystrokes typed
Download and execute additional files
Shut down the compromised computer
The worm may download the following file (log files):
%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\Beizhu.txt
It creates custom Internet Favorites by dropping URL links in the following folder:
%UserProfile%\Favorites
The worm disables encryption for Tencent QQ Messenger by deleting the file npkcrypt.sys from the application's installation folder.
Note: The default installation folder is usually C:\Program Files\Tencent\QQ\.
The worm sends the following system information to the remote attacker:
CPU speed
Memory available
OS version
Service Packs installed

Damage Level: Medium/High
Distribution Level: Medium
No removal tool exists for W32.Versie.A
Removal instructions from Symantec
Trojan Manual Removal Instructions

Removal from Safe Mode is recommended.

How to start in Safe Mode:
Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
The infected files are found at the paths below and may show up as running processes in Task Manager.
End any matching active process before deleting the files:
  • [Kill the process; use Killbox if you get Access Denied when deleting the file]
  • %System%\_1.exe
  • %System%\_autorun.exe
  • %System%\_command.exe
  • %System%\_ctfne.exe
  • %System%\_kaspersky.exe
  • %System%\_rejoice082.exe
  • %System%\_server.exe
  • %System%\360rtyy.exe
  • %System%\system.exe
  • %System%\wupdmgrv.exe
  • %Temp%\ixp000.tmp\2.exe
  • %Windir%\userinit.exe
  • c:\autorun.exe
  • c:\ctfne.exe
  • c:\kaspersky.exe
  • %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\_[RANDOM NAME1].exe
  • %System%\[RANDOM NAME1].exe
  • It copies itself to the root of fixed and removable drives as the following files:
  • %Drive\[RANDOM NAME1].exe
  • %Drive\Autorun.inf

    • Service name: LocalSystem
    • Display name: Windows Rnljm MingZai
    • Description: Foundation network connection
    • Image Path: %System%\rnljm.exe [Kill the process; use Killbox if you get Access Denied]
    • Startup Type: Automatic
      To stop the service: Start, Run, type services.msc, press Enter, find the display name, open Properties, press Stop, change the Startup type from Automatic to Disabled, click OK.
    • iexplore.exe [Kill the process; use Killbox if you get Access Denied]
    • svchost.exe [Kill the process; use Killbox if you get Access Denied]
      Caution: only end the iexplore.exe and svchost.exe instances the worm started. Legitimate svchost.exe instances (image path %System%\svchost.exe) host Windows services, and ending them can log you off or crash the system; check the image path of each instance (for example in Process Explorer) before ending it.
    If any of these files is running as a process in Task Manager, end the process before removal.
    Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download), open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.


    Trojan Entries Manual Removal From Registry
    Click Start, Run, type regedit, click OK.
    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
    • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.
    The worm modifies the registry at the following locations to ensure it runs at every system startup and to weaken the system's settings:

    It registers itself to run as a service by creating the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows\
    [RANDOM NAME1]\[RANDOM NAME2]
    The worm sets the following registry value to enable AutoRun on every drive type, including mapped network and removable drives (each set bit in NoDriveTypeAutoRun disables AutoRun for one drive type, so 0 enables all of them):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"
    It locks the Internet Explorer Start Page so the user cannot change it back (this policy value greys out the home page setting in Internet Options):
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"
    The worm modifies the following registry value to change the Internet Explorer Start Page:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
    It also modifies the following registry entries to change the user's desktop wallpaper:
    HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"
    HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "[PATH TO DOWNLOADED WALLPAPER]"

    It modifies the following registry entry to allow incoming Remote Desktop (Terminal Services) connections: a value of 0 means connections are not denied, 1 denies them. Set it back to 1 unless Remote Desktop is deliberately used on this machine:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\"fDenyTSConnections" = "0"
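Two of the entries above work together: the worm copies itself with an Autorun.inf to every drive root and sets NoDriveTypeAutoRun to 0. The following Python is an added example and not from the page: a tolerant parser for worm-style Autorun.inf files and a decoder for NoDriveTypeAutoRun that together answer the question "would opening this drive run the worm?". The Autorun.inf text, the file name xkqsd.exe standing in for [RANDOM NAME1].exe, and the policy values tried in the usage code are constructed for the example; the bit table (one bit per GetDriveType value, XP default 0x91) is the documented meaning of the value.

```python
# NoDriveTypeAutoRun: one bit per GetDriveType() result (bit = 1 << type).  A set
# bit disables AutoRun for that drive type.  XP's default is 0x91; 0xFF disables all.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "(reserved / unrecognised type)",
}

# Autorun.inf constructed for this example; xkqsd.exe stands in for [RANDOM NAME1].exe.
# Worm-written files are commonly padded with junk lines to upset naive scanners.
SAMPLE_AUTORUN = "\r\n".join([
    "[AutoRun]",
    "open=xkqsd.exe",
    "shell\\open\\Command=xkqsd.exe",
    "shell\\explore\\command=xkqsd.exe",
    "shellexecute=xkqsd.exe",
    "shell=open",
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4",
    "fgk8a;dslkjf 9823 r2039dj",
])

def autorun_enabled_types(no_drive_type_autorun: int) -> list:
    """Drive types on which AutoRun is still enabled for the given policy value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not no_drive_type_autorun & bit]

def parse_autorun_inf(text: str) -> dict:
    """Tolerant parser for the [autorun] section: key=value lines are kept (keys
    lower-cased, as Windows treats them case-insensitively); anything else is ignored."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def launch_commands(directives: dict) -> list:
    """Directives that make Windows run a program: open=, shellexecute= and shell\\<verb>\\command=."""
    return [(k, v) for k, v in directives.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]

def assess_drive(autorun_text: str, no_drive_type_autorun: int, drive_type: str):
    """(would AutoRun start the worm on this drive?, the commands it would use)"""
    cmds = launch_commands(parse_autorun_inf(autorun_text))
    enabled = drive_type in autorun_enabled_types(no_drive_type_autorun)
    return enabled and bool(cmds), cmds

if __name__ == "__main__":
    for policy in (0x00, 0x91, 0xFF):  # the worm's value, the XP default, everything off
        runs, cmds = assess_drive(SAMPLE_AUTORUN, policy, "DRIVE_REMOVABLE")
        print(f"NoDriveTypeAutoRun=0x{policy:02X}: runs={runs} via {[k for k, _ in cmds]}")
```

Restoring NoDriveTypeAutoRun to 0xFF is the cleanest fix after removal, since it stops every Autorun.inf regardless of the drive type it arrives on.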


    Search the registry for the file names listed above to remove it completely: Edit menu - Find, enter the name and delete every value found.

    Exit the Registry Editor,
    Restart your Computer.

    Recommended Removal Tools:
    Killbox (Freeware)

    Manual Removal of W32/Agent.XRB Trojan

    W32/Agent.XRB is a Trojan that targets Windows systems. It was first reported on January 7, 2009.
    Other names of W32/Agent.XRB Trojan:
    It is also known as Trojan-Downloader.Win32.Agent.xrb and W32.Versie.A (described in the W32.Versie.A entry above).

    Damage Level: Medium/High
    Distribution Level: Medium
    No removal tool exists for W32/Agent.XRB Trojan
    Trojan Manual Removal Instructions

    Removal from Safe Mode is recommended.

    How to start in Safe Mode:
    Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
    The infected files are found at the paths below and may show up as running processes in Task Manager.
    End any matching active process before deleting the files:
    • %Windows\System\MSISERVER.exe [ 646,144 bytes ] [Kill the process; use Killbox if you get Access Denied when deleting the file]. This file is installed as the service "Windows Installer3.1" (see the registry values below); stop and disable that service in services.msc before deleting the file.
    • %Drive\AutoRun.inf
    • %Temp%\WER4207.dir00\manifest.txt
    • %Temp%\WER4207.dir00\sysdata.xml
    • %Temp%\WER4207.dir00 [ Delete this folder ]
      WER####.dir00 folders containing manifest.txt and sysdata.xml are Windows Error Reporting crash-report data, here presumably left behind when the Trojan crashed; they are safe to delete but are evidence of the infection rather than malware.
      • If any of these files is running as a process in Task Manager, end the process before removal.
      • Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download).
      • Open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.
    Trojan Entries Manual Removal From Registry
    Click Start, Run, type regedit, click OK.
    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
    • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.
    The Trojan creates the following registry keys to register itself as a service that starts automatically at every system startup:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1\Security
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1\Security

    The newly created registry values:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
    Service = "Windows Installer3.1"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "Windows Installer3.1"
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
    NextInstance = 0x00000001
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1\Security
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Installer3.1
    Type = 0x00000110
    Start = 0x00000002
    ErrorControl = 0x00000000
    ImagePath = [pathname with a string SHARE]\MSISERVER.exe
    DisplayName = "Windows Installer3.1"
    ObjectName = "LocalSystem"
    Description = [Chinese-language text, mis-encoded in the source; it contains the word "Windows" and, like the DisplayName, imitates the genuine Windows Installer service]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1\0000
    Service = "Windows Installer3.1"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "Windows Installer3.1"
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDOWS_INSTALLER3.1
    NextInstance = 0x00000001
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1\Security
    Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Installer3.1
    Type = 0x00000110
    Start = 0x00000002
    ErrorControl = 0x00000000
    ImagePath = [pathname with a string SHARE]\MSISERVER.exe
    DisplayName = "Windows Installer3.1"
    ObjectName = "LocalSystem"
    Description = [the same mis-encoded Chinese text as under ControlSet001]
    Do not confuse this service with the genuine Windows Installer service, whose key is Services\msiserver with DisplayName "Windows Installer" and ImagePath %SystemRoot%\system32\msiexec.exe /V; leave that one alone. The Enum\Root\LEGACY_WINDOWS_INSTALLER3.1 keys are created by Windows itself for any registered service (the ClassGUID is the standard LegacyDriver class) and are protected by an ACL, so delete the Services\Windows Installer3.1 key first and remove the LEGACY_ keys afterwards if they remain.
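The service key above is better read as a checklist than deleted blindly, because a genuine Windows Installer service (key msiserver, image msiexec.exe) exists on every machine. The following Python is an added example and not the page's own procedure: it decodes the Type, Start and ErrorControl values from the listing and flags the traits that separate the fake service from the real one. The SUSPECT dictionary is transcribed from the listing with an assumed ImagePath directory (the page only gives "[pathname with a string SHARE]\MSISERVER.exe"); the LEGIT dictionary holds the values of the real service on a typical Windows XP install.

```python
# Bits of a service's Type value and the meanings of Start / ErrorControl,
# as documented for CreateService.
SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
ERROR_CONTROL = {0: "IGNORE", 1: "NORMAL", 2: "SEVERE", 3: "CRITICAL"}

# Values transcribed from the listing above.  The page gives the ImagePath only as
# "[pathname with a string SHARE]\MSISERVER.exe"; the directory is assumed here.
SUSPECT_KEY = "Windows Installer3.1"
SUSPECT = {
    "Type": 0x110, "Start": 2, "ErrorControl": 0,
    "ImagePath": r"C:\WINDOWS\System\MSISERVER.exe",
    "DisplayName": "Windows Installer3.1", "ObjectName": "LocalSystem",
}
# The genuine Windows Installer service on a typical Windows XP install.
LEGIT_KEY = "msiserver"
LEGIT = {
    "Type": 0x10, "Start": 3, "ErrorControl": 1,
    "ImagePath": r"%SystemRoot%\system32\msiexec.exe /V",
    "DisplayName": "Windows Installer", "ObjectName": "LocalSystem",
}

def decode_type(value: int) -> list:
    """Names of the Type bits that are set."""
    return [name for bit, name in SERVICE_TYPE_FLAGS.items() if value & bit]

def image_basename(image_path: str) -> str:
    """Lower-cased file name of the service binary (quoted path, or first token if unquoted)."""
    p = image_path.strip()
    head = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    return head.rsplit("\\", 1)[-1].lower()

def assess_service(key_name: str, v: dict) -> list:
    """Traits of a Services\\<key> entry that a responder should look at."""
    findings = []
    if "SERVICE_INTERACTIVE_PROCESS" in decode_type(v.get("Type", 0)):
        findings.append("Type includes SERVICE_INTERACTIVE_PROCESS (rare for a real system service)")
    if START_TYPES.get(v.get("Start")) == "AUTO_START":
        findings.append("Start = AUTO_START: the SCM launches it at every boot")
    if ERROR_CONTROL.get(v.get("ErrorControl")) == "IGNORE":
        findings.append("ErrorControl = IGNORE: a failed start is not reported")
    if v.get("ObjectName", "").lower() == "localsystem":
        findings.append("runs as LocalSystem")
    display = v.get("DisplayName", "")
    exe = image_basename(v.get("ImagePath", ""))
    if display.lower().replace(" ", "").startswith("windowsinstaller"):
        if key_name.lower() != LEGIT_KEY or exe != "msiexec.exe":
            findings.append(f"DisplayName '{display}' imitates Windows Installer, but key '{key_name}' "
                            f"and image '{exe}' are not the real msiserver / msiexec.exe")
    return findings

if __name__ == "__main__":
    for key, values in ((SUSPECT_KEY, SUSPECT), (LEGIT_KEY, LEGIT)):
        print(key, "->", assess_service(key, values) or ["nothing notable"])
```

Running as LocalSystem is normal for both services, so on its own it proves nothing; the combination of an interactive, auto-start service whose display name borrows a Windows component's name while its key and image do not match that component is what identifies the impostor.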


    Search the registry for the file names listed above to remove it completely: Edit menu - Find, enter the name and delete every value found.

    Exit the Registry Editor,
    Restart your Computer.

    Recommended Removal Tools:
    Killbox (Freeware)

    Manual Removal of Backdoor.Win32.Rbot.gen Trojan

    Backdoor.Win32.Rbot.gen is a backdoor Trojan that targets Windows systems. It was first reported on January 6, 2009.
    Other names of the W32/Rbot Trojan:
    It is also known as W32/Rbot-Fam, W32.Randex.gen and Backdoor.Win32.Rbot.gen.

    Damage Level: Medium/High
    Distribution Level: Medium
    No removal tool exists for Backdoor.Win32.Rbot.gen Trojan
    It can be removed with Spyware Doctor
    Trojan Manual Removal Instructions

    Removal from Safe Mode is recommended.

    How to start in Safe Mode:
    Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
    The infected files are found at the paths below and may show up as running processes in Task Manager.
    End any matching active process before deleting the files:
    • Delete the following files after ending the active running processes
    • %Windows\xpupdate.exe [ Kill the process ]
    • %Windows\50cent.exe [ Kill the process ]
    • %Windows\files.ini
    • %Windows\nav32sp.exe [ Kill the process ]
    • %Windows\oi00r1z.dll
    • %Windows\prot.exe [ Kill the process ]
    • %Windows\~5c.exe [ Kill the process ]
    • %Windows\Isasss.exe [Kill the process; use Killbox if you get Access Denied] (the name imitates lsass.exe; the genuine lsass.exe lives in %System%, not in %Windows%)

      • If any of these files is running as a process in Task Manager, end the process before removal.
      • Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download).
      • Open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.
    Trojan Entries Manual Removal From Registry
    Click Start, Run, type regedit, click OK.
    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
    • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.

    The Trojan modifies the registry at the following locations to ensure it runs at every system startup:

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\system32
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices\system32
    (Windows reads the values of Run and RunServices, not their subkeys, so look for a value named system32, or one whose data is one of the file names above, and delete it.)
    HKEY_LOCAL_MACHINE\software\FolderA\FolderB\KeyName1
    HKEY_LOCAL_MACHINE\software\FolderA\FolderB\KeyName2\
    (FolderA, FolderB and KeyName1/KeyName2 are placeholders for the variant-specific key the bot creates under HKEY_LOCAL_MACHINE\software. Delete the values on the right-hand side, or delete the FolderA key itself.)

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    xpupdate.exe
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-
    xpupdate.exe
    (Run- is a key Windows itself does not process at logon; some startup managers park disabled entries there. The xpupdate.exe value in it should still be deleted.)
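Rather than searching the registry by hand for each file name, export the Run and RunServices keys (regedit: File - Export, or reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg) and scan the text. The following Python is an added example and not from the page: it parses a .reg export and flags autorun values that launch one of the file names listed for this bot, plus any value that uses a bare file name and so relies on the search path. The export text below is constructed for the example; the file-name list is the one given above.

```python
import re

# Keys Windows reads at logon/startup.  Substring matching also catches RunOnce,
# RunServices and RunServicesOnce, and the "Run-" key where some startup managers
# park disabled entries.
AUTORUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run", re.IGNORECASE)

# File names this bot has been seen to use (from the list above).
RBOT_NAMES = ["xpupdate.exe", "50cent.exe", "nav32sp.exe", "prot.exe", "~5c.exe", "Isasss.exe"]

# A .reg export constructed for this example (not taken from a real system).
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"',
    r'"system32"="xpupdate.exe"',
    r'"Microsoft Update"="C:\\WINDOWS\\50cent.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]",
    r'"system32"="xpupdate.exe"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-]",
    r'"xpupdate"="C:\\WINDOWS\\xpupdate.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]",
    r'"DisplayName"="xpupdate.exe"',
])

def parse_reg_export(text: str) -> list:
    """Return (key, value_name, data) triples from a regedit export.
    String data is unescaped (doubled backslashes and escaped quotes); other value
    types are left raw, and continuation lines of hex values are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip().strip('"')
        data = data.strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        entries.append((key, name, data))
    return entries

def command_exe(cmd: str) -> str:
    """Lower-cased file name of the program a Run value launches (quoted path or first token)."""
    cmd = cmd.strip()
    head = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return head.rsplit("\\", 1)[-1].lower()

def autorun_findings(entries: list, names: list) -> list:
    """Autorun values worth deleting, as (key, value_name, data, reason)."""
    wanted = {n.lower() for n in names}
    hits = []
    for key, name, data in entries:
        if not AUTORUN_KEY_RE.search(key):
            continue
        if command_exe(data) in wanted or name.lower() in wanted:
            hits.append((key, name, data, "launches a file name used by this bot"))
        elif "\\" not in data:
            hits.append((key, name, data, "bare file name, resolved via the search path"))
    return hits

if __name__ == "__main__":
    for key, name, data, why in autorun_findings(parse_reg_export(SAMPLE_REG), RBOT_NAMES):
        print(f"{key}\n    {name} = {data}   <- {why}")
```

The Uninstall entry in the sample is deliberately left alone: it mentions xpupdate.exe but is not a key Windows runs anything from, which is the distinction a blanket Edit - Find across the whole registry does not make.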


    Search the registry for the file names listed above to remove it completely: Edit menu - Find, enter the name and delete every value found.

    Exit the Registry Editor,
    Restart your Computer.

    Recommended Removal Tools:
    Killbox (Freeware)

    Manual Removal of W32.Randex.gen Trojan

    W32.Randex.gen is a Trojan of the Rbot/Randex family that targets Windows systems. It was first reported on January 6, 2009.
    Other names of the W32/Rbot Trojan:
    Backdoor.Win32.Rbot.gen [Kaspersky Lab]
    Worm.RBot.Gen.8 [PC Tools]

    Damage Level: Medium/High
    Distribution Level: Medium
    No removal tool exists for W32/Rbot Trojan
    Trojan Manual Removal Instructions

    Removal from Safe Mode is recommended.

    How to start in Safe Mode:
    Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
    The infected files are found at the paths below and may show up as running processes in Task Manager.
    End any matching active process before deleting the files:
    • The following files may be created by W32.Randex.gen (the names vary by variant; several imitate legitimate Windows binaries, so the giveaway is the location: the real explorer.exe lives in %Windows%, not %System%; the real lsass.exe lives in %System%, not %Windows%\config; and Windows ships rundll32.exe, not rundll32.dll):
    • %System\agguvj.exe
    • %System\bnmveqfts.exe
    • %System\dllcache\winlogon.exe
    • %System\dlp.exe
    • %System\eejxdf.exe
    • %System\explorer.exe
    • %System\exuamw.exe
    • %System\hostlogin.exe
    • %System\iexplorer7.exe
    • %System\ihost.exe
    • %System\imchemaoa.exe
    • %System\lexplore.exe
    • %System\llass.exe
    • %System\msconf.exe
    • %System\msconfg.exe
    • %System\msconfig.exe
    • %System\msgfix.exe
    • %System\mslogon.exe
    • %System\msupdate.exe
    • %System\mtwfdhx.exe
    • %System\nvmbanr.exe
    • %System\pdxfcasrq.exe
    • %System\phjxqnp.exe
    • %System\postalc.exe
    • %System\quwsgbs.exe
    • %System\regsvcd.exe
    • %System\rejaww.exe
    • %System\rundll32.dll
    • %System\smlogsvcc.exe
    • %System\spoolsrv.exe
    • %System\svchosts.exe
    • %System\syadpon.exe
    • %System\system.exe
    • %System\system32i.exe
    • %System\thiskz.exe
    • %System\txp\ntdzm.exe
    • %System\windowantasdivri.exe
    • %System\windows_update.exe
    • %System\winexplore.exe
    • %System\winmgr.exe
    • %System\winrundll.exe
    • %System\winup.exe
    • %System\winupdate.exe
    • %System\winupdatr.exe
    • %Temp\nzm.exe
    • %Windows\config\lsass.exe
    • %Windows\nzm.exe
      • Caution: %System\dllcache\winlogon.exe is also where Windows File Protection keeps its pristine copy of winlogon.exe. Compare that file's size, version information and hash with %System\winlogon.exe before deleting it; if it has been replaced, let Windows File Protection restore it (sfc /scannow) after the worm is removed.
      • If any of these files is running as a process in Task Manager, end the process before removal.
      • Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download).
      • Open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.
    Trojan Entries Manual Removal From Registry
    Click Start, Run, type regedit, click OK.
    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
    • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.
    The Trojan adds values under the following keys to ensure it runs at every system startup (RunServices is only processed by Windows 9x/Me; on Windows NT-based systems the Run key is the one that matters, but delete the value from both):

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices


    Search the registry for the file names listed above to remove it completely: Edit menu - Find, enter the name and delete every value found.

    Exit the Registry Editor,
    Restart your Computer.

    Recommended Removal Tools:
    Killbox (Freeware)

    Manual Removal of W32/Rbot Trojan

    W32/Rbot is a backdoor Trojan that targets Windows systems. It was first reported on January 6, 2009.
    Other names of W32/Rbot Trojan:
    It is also known as W32/Rbot-Fam, W32.Randex.gen and Backdoor.Win32.Rbot.gen.

    Damage Level: Medium/High
    Distribution Level: Medium
    No removal tool exists for W32/Rbot Trojan
    Trojan Manual Removal Instructions

    Removal from Safe Mode is recommended.

    How to start in Safe Mode:
    Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
    The infected file is found at the path below and may show up as a running process in Task Manager.
    End the active process before deleting the file:
    • %Windows\System\lqyuuxrvz.exe
      • If this file is running as a process in Task Manager, end the process before removal.
      • Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download).
      • Open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.
    Trojan Entries Manual Removal From Registry
    Click Start, Run, type regedit, click OK.
    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
    • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.

    The Trojan adds values under the following keys to ensure it runs at every system startup; delete the value whose data is lqyuuxrvz.exe from each:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    Search the registry for the file name listed above to remove it completely: Edit menu - Find, enter the name and delete every value found.

    Exit the Registry Editor,
    Restart your Computer.

    Recommended Removal Tools:
    Killbox (Freeware)

    Manual Removal of Win32.Agent.wvu Trojan-Dropper

    Win32.Agent.wvu is a Trojan-Dropper that targets Windows systems. It was first reported on January 5, 2009.
    Other names of W32/Agent.WVU Trojan:
    It is also known as W32.Spybot.Worm and Backdoor.Win32.Agent.wvu.
    Damage Level: Medium/High
    Distribution Level: Unknown
    No removal tool exists for Win32.Agent.wvu Trojan-Dropper
    Trojan Manual Removal Instructions

    Removal from Safe Mode is recommended.

    How to start in Safe Mode:
    Restart your computer, press F8 repeatedly while it boots (before the Windows logo appears), select Safe Mode and press Enter.
    The dropped files and folders are found at the paths below and may show up as running processes in Task Manager.
    End any matching active process before deleting the files:
    • %Temp%\1
    • %ProgramFiles%\CNNIC
    • %ProgramFiles%\CNNIC\Cdn
    • %ProgramFiles%\CNNIC\Cdn\Images
    • %Temp%\1\cdn.dll
    • %ProgramFiles%\CNNIC\Cdn\cdnaux.dll
    • %ProgramFiles%\CNNIC\Cdn\cdnforie.dll
    • %ProgramFiles%\CNNIC\Cdn\cdnprh.dll
    • %System%\cdnprot.dat
    • %System%\drivers\cdnprot.sys
    • %ProgramFiles%\CNNIC\Cdn\cdnunins.exe
    • %ProgramFiles%\CNNIC\Cdn\cdnup.exe
    • %ProgramFiles%\CNNIC\Cdn\cdnvers.dat
    • %ProgramFiles%\CNNIC\Cdn\idnconvs.dll
    • %Temp%\1\setup.exe
    • %ProgramFiles%\CNNIC\Cdn\src.dat
      • The files under %ProgramFiles% above are also copied to %Temp%\1\
      [ FXSTALLER.EXE can also use the following file names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
      The following file sizes have been seen:
      37,376 bytes, 52,786 bytes, 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
      • If any of these files is running as a process in Task Manager, end the process before removal.
      • Note: if Task Manager has been disabled, download Enable Registry.reg (Click to Download).
      • Open it with Regedit.exe (%SystemRoot%\regedit.exe), answer Yes when asked whether to add the information to the registry, then click OK.
    Trojan Entries Manual Removal From Registry
    Click Start, Run, type regedit, click OK.
    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to it.
    • Download UnHookExec.inf and save it to your Windows desktop. Do not run it yet.
    • Boot into Safe Mode or VGA Mode.
    • Right-click the UnHookExec.inf file and click Install. [This is a small file; it displays no notice or dialog when it runs.] Then continue with the removal.

    The dropper installs the CNNIC CdnClient component (the CdnForIE Browser Helper Object in cdnforie.dll and the cdnprot driver service) and registers it at the following locations. The Browser Helper Objects key is what loads the DLL into Internet Explorer at start, and the Services\cdnprot keys load the driver at boot; the CLSID, Interface and TypeLib keys are its COM registration:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\Programmable
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CdnClient
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
    HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC
    HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient
    HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common
    HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Display
    HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo
    HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct
    HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Security
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Enum
    HKEY_CURRENT_USER\Software\CNNIC
    HKEY_CURRENT_USER\Software\CNNIC\CdnClient
    HKEY_CURRENT_USER\Software\CNNIC\CdnClient\Restore


    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
    (Default) = "CdnForIE.IEHlprObj"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
    (Default) = "CndForIE.IEHlprObj.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
    (Default) = "C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll"
    ThreadingModel = "Apartment"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
    (Default) = "CdnForIE Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
    (Default) = "{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}"
    Version = "1.0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
    (Default) = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
    (Default) = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
    (Default) = "IIEHlprObj"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
    (Default) = "C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
    (Default) = "C:\PROGRA~1\CNNIC\Cdn\"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
    (Default) = "0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
    (Default) = "CdnForIE 1.0 Type Library"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
    (Default) = "CndForIE.IEHlprObj.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
    (Default) = "CndForIE Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
    (Default) = "{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
    (Default) = "CndForIE Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
    HKeyRoot = 0x80000001
    RegPath = "Software\Microsoft\Internet Explorer\MenuExt\Access Internet Keyword"
    Type = "checkbox"
    CheckedValue = 0x0000007F
    DefaultValue = 0x0000007F
    UncheckedValue = 0x00000000
    Text = "Right click add "access Internet Keyword""
    ValueName = "Contexts"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000001
    UncheckedValue = 0x00000000
    Text = "Enable Internet Keyword"
    ValueName = "EnableKw"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000001
    UncheckedValue = 0x00000000
    Text = "Enable Chinese Domain Name"
    ValueName = "EnableIdn"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000000
    UncheckedValue = 0x00000000
    Text = "Display hints under the address bar"
    ValueName = "EnableAddrHint"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000001
    UncheckedValue = 0x00000000
    Text = "Display Keyword in the Address Bar Droplist"
    ValueName = "EnableKwDisp"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000000
    UncheckedValue = 0x00000000
    Text = "Activate Chinese Domain Name Command Line Support"
    ValueName = "EnableIdnCmdEx"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000001
    UncheckedValue = 0x00000000
    Text = "Auto-update when new version is detected"
    ValueName = "EnableTaskPopup"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000000
    UncheckedValue = 0x00000000
    Text = "Permit the system to collect users' records"
    ValueName = "EnableCollect"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
    HKeyRoot = 0x80000001
    RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
    Type = "checkbox"
    CheckedValue = 0x00000001
    DefaultValue = 0x00000001
    UncheckedValue = 0x00000000
    Text = "Pop up news information"
    ValueName = "AutoUpdate"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
    Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
    Text = "Update"
    Type = "group"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
    Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
    Text = "Chinese Domain Name and Internet Keyword"
    Type = "group"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
    Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
    Text = "Chinese Navigation"
    Type = "group"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
    Default Visible = "Yes"

    Modified Registry Value
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
    SearchAssistant="http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html"
    CustomizeSearch="http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"


    To remove the infection completely, search the registry for the virus file names listed above:
    Edit menu - Find, enter the file name as the keyword and delete every value the search finds.

    Exit the Registry Editor,
    Restart your Computer.

    Recommended Removal Tools:
    Killbox (Freeware)

    Manual Removal of W32/Agent.WVU Trojan

    Manual Removal of W32/Agent.WVU Trojan.
    W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
    This trojan first appeared on January 5, 2009.
    Other names of W32/Agent.WVU Trojan:
    This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
    FXSTALLER.EXE has been seen to perform the following behavior:
    The Process is packed and/or encrypted using a software packing process
    Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
    Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
    Disables the Windows Security Center Service
    Disables Windows Automatic Updates including Security Updates and Patches
    Executes a Process
    Writes to another Process's Virtual Memory (Process Hijacking)
    Adds a Registry Key (RUN) to auto start Programs on system start up
    This Process Deletes Other Processes From Disk
    This process creates other processes on disk
    Creates system tray popups, messages, errors and security warnings
    Opens browser pop ups
    The Process is polymorphic and can change its structure
    Registers a Dynamic Link Library File
    Can communicate with other computer systems using HTTP protocols
    Executes Processes stored in Temporary Folders

    FXSTALLER.EXE has been the subject of the following behavior:
    Added as a Registry auto start to load Program on Boot up
    Created as a process on disk
    Has code inserted into its Virtual Memory space by other programs
    Executed as a Process
    Terminated as a Process
    Copied to multiple locations on the system
    Created as a new Background Service on the machine
    Deleted as a process from disk
    Executed by Internet Explorer
    Executed from Temporary Folders

    Damage Level : Medium/High
    Distribution Level: Unknown
    No Removal Tool for W32/Agent.WVU Trojan
    Trojan Manual Removal Instructions

    Recommend Removal from Safe Mode:

    How to Start in Safe mode:
    Restart your computer, press F8 repeatedly as the screen turns on, select Safe Mode and press Enter.
    The infected files can be found at the following paths and may also appear as running tasks.
    End the following active processes before removal:
    • %Windows\fxstaller.exe
    • %Temp%\ixp000.tmp\aa.exe
    • %Temp%\ixp000.tmp\buri.exe
    • %Temp%\ixp000.tmp\burimi.exe
    • %Temp%\ixp000.tmp\fapack.exe
    • %Temp%\ixp000.tmp\image.exe
    • %Temp%\ixp000.tmp\pa.exe
    • %Temp%\ixp000.tmp\pack.exe
    • %Temp%\ixp000.tmp\pr.exe
    • %Temp%\ixp000.tmp\test.exe
    • %Temp%\ixp001.tmp\burimi.exe
      [ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
      The following file sizes have been seen:
      37,376 bytes, 52,786 bytes, 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
      • If any of these files appear as running processes in Task Manager, end the process before removal.
      • Note: if Task Manager is disabled, download the following file: Click to Download - Enable Registry.reg
      • Open it with Regedit.exe [%system32%\regedit.exe]; when it asks whether to add the information to the registry, confirm Yes, then click OK.
    Trojan Entries Manual Removal From Registry
    Click Start, Run, type regedit, click OK.
    Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to the Registry Editor.
    • Download this UnHookExec.inf, and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
    • After booting into the Safe Mode or VGA Mode
    • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

    The Trojan modifies the registry at the following location to ensure its automatic execution at every system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    W32.Spybot.Worm Entries
    Delete the Following Keys
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
    In the right pane, reset the original value, if known:
    "EnableDCOM" = "N"
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    In the right pane, reset the original value, if known:
    "DoNotAllowXPSP2" = "1"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    In the right pane, reset the original values, if known:
    "AutoShareWks" = "0"
    "AutoShareServer" = "0"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    In the right pane, reset the original value, if known:
    "restrictanonymous" = "1"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
    In the right pane, reset the original value, if known:
    "Start" = "4"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\OLE
    In the right pane, delete any values that refer to the file names that were detected.


    To remove the infection completely, search the registry for the virus file names listed above:
    Edit menu - Find, enter the file name as the keyword and delete every value the search finds.

    Exit the Registry Editor,
    Restart your Computer.
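    As an added example that is not part of the original post or of any vendor tool, the following read-only PowerShell audit reports which of the registry indicators listed on this page (for both trojans) are present on a host, without deleting or resetting anything. Key paths and value names are taken from the instructions above; the file-name list in step 3 is an assumed subset of the names given on the page.

```powershell
# Added example, not from the original post: read-only audit for the registry
# indicators listed above (both trojans). Run elevated; it only reports.
$findings = @()

# 1. Keys the instructions delete outright: the BHO/CLSID and cdnprot service from
#    the first section, the W32.Spybot.Worm services from the second.
$keysToDelete = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}',
  'HKLM:\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}',
  'HKLM:\SYSTEM\CurrentControlSet\Services\cdnprot',
  'HKLM:\SYSTEM\CurrentControlSet\Services\BoolTern',
  'HKLM:\SYSTEM\CurrentControlSet\Services\rdriv'
)
foreach ($k in $keysToDelete) {
  if (Test-Path -LiteralPath $k) { $findings += "KEY PRESENT: $k" }
}

# 2. Values the trojan sets to weaken the host (key, value name, weakened value). Only
#    SharedAccess (firewall) and wscsvc (Security Center) are checked for Start=4:
#    a disabled Telnet, Messenger or RemoteRegistry service is normal hardening.
$weakened = @(
  @('HKLM:\SOFTWARE\Microsoft\OLE', 'EnableDCOM', 'N'),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate', 'DoNotAllowXPSP2', '1'),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'AutoShareServer', '0'),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters', 'AutoShareWks', '0'),
  @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'restrictanonymous', '1'),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess', 'Start', '4'),
  @('HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc', 'Start', '4')
)
foreach ($w in $weakened) {
  $key, $name, $bad = $w
  $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
  if ($item -and "$($item.$name)" -eq $bad) { $findings += "WEAKENED: $key\$name = $bad" }
}

# 3. Autorun values referencing file names from this page (assumed subset of the lists above).
$names = 'fxstaller', 'burimi', 'lacostes', 'housegirl', 'hackedmsn', 'rising.exe', 'logo_1.exe'
$runKeys = foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
  foreach ($sub in 'Run', 'RunOnce', 'RunServices') { "$hive\Microsoft\Windows\CurrentVersion\$sub" }
}
foreach ($rk in $runKeys) {
  $props = Get-ItemProperty -LiteralPath $rk -ErrorAction SilentlyContinue
  if (-not $props) { continue }
  foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {  # skip provider metadata
    foreach ($n in $names) {
      if ("$($p.Value)" -match [regex]::Escape($n)) { $findings += "AUTORUN: $rk\$($p.Name) = $($p.Value)" }
    }
  }
}
if ($findings) { $findings } else { 'No listed indicators found.' }
```

    Run the audit before and after the manual removal steps: a clean second run confirms that the keys and weakened values were actually removed or reset.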

    Recommended Removal Tools:
    Killbox (Freeware)
