Enter your Keyword, Search here,

Manual Removal of W32/Agent.WVU Trojan

Manual Removal of W32/Agent.WVU Trojan.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
FXSTALLER.EXE has been seen to perform the following behavior:
The Process is packed and/or encrypted using a software packing process
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
Disables the Windows Security Center Service
Disables Windows Automatic Updates including Security Updates and Patches
Executes a Process
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
This process creates other processes on disk
Creates system tray popups, messages, errors and security warnings
Opens browser pop ups
The Process is polymorphic and can change its structure
Registers a Dynamic Link Library File
Can communicate with other computer systems using HTTP protocols
Executes Processes stored in Temporary Folders

FXSTALLER.EXE has been the subject of the following behavior:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Executed as a Process
Terminated as a Process
Copied to multiple locations on the system
Created as a new Background Service on the machine
Deleted as a process from disk
Executed by Internet Explorer
Executed from Temporary Folders

Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Agent.WVU Trojan
Trojan Manual Removal Instructions

Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • %Windows\fxstaller.exe
  • %Temp%\ixp000.tmp\aa.exe
  • %Temp%\ixp000.tmp\buri.exe
  • %Temp%\ixp000.tmp\burimi.exe
  • %Temp%\ixp000.tmp\fapack.exe
  • %Temp%\ixp000.tmp\image.exe
  • %Temp%\ixp000.tmp\pa.exe
  • %Temp%\ixp000.tmp\pack.exe
  • %Temp%\ixp000.tmp\pr.exe
  • %Temp%\ixp000.tmp\test.exe
  • %Temp%\ixp001.tmp\burimi.exe
    [ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
    The following file size has been seen:
    37,376 bytes, 52,786 bytes
    , 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
    • If you have any of these files in running process from task manger, end the process before removal.
    • Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:


W32.Spybot.Worm Entries
Delete the Following Keys

In the right pane, reset the original value, if known:
"EnableDCOM" = "N"
In the right pane, reset the original value, if known:
"DoNotAllowXPSP2" = "1"
In the right pane, reset the original values, if known:
"AutoShareWks" = "0"
"AutoShareServer" = "0"

In the right pane, reset the original value, if known:
"restrictanonymous" = "1"
In the right pane, reset the original value, if known:
"Start" = "4"

In the right pane, delete any values that refer to the file names that were detected.

Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find
, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

No comments :

Post a Comment

Comment on this Post!!

More Posts that you may be interested...