Manual Removal of W32/Agent.WVU Trojan.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
FXSTALLER.EXE has been seen to perform the following behavior:
The Process is packed and/or encrypted using a software packing process
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
Disables the Windows Security Center Service
Disables Windows Automatic Updates including Security Updates and Patches
Executes a Process
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
This process creates other processes on disk
Creates system tray popups, messages, errors and security warnings
Opens browser pop ups
The Process is polymorphic and can change its structure
Registers a Dynamic Link Library File
Can communicate with other computer systems using HTTP protocols
Executes Processes stored in Temporary Folders
FXSTALLER.EXE has been the subject of the following behavior:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Executed as a Process
Terminated as a Process
Copied to multiple locations on the system
Created as a new Background Service on the machine
Deleted as a process from disk
Executed by Internet Explorer
Executed from Temporary Folders
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
FXSTALLER.EXE has been seen to perform the following behavior:
The Process is packed and/or encrypted using a software packing process
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
Disables the Windows Security Center Service
Disables Windows Automatic Updates including Security Updates and Patches
Executes a Process
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
This process creates other processes on disk
Creates system tray popups, messages, errors and security warnings
Opens browser pop ups
The Process is polymorphic and can change its structure
Registers a Dynamic Link Library File
Can communicate with other computer systems using HTTP protocols
Executes Processes stored in Temporary Folders
FXSTALLER.EXE has been the subject of the following behavior:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Executed as a Process
Terminated as a Process
Copied to multiple locations on the system
Created as a new Background Service on the machine
Deleted as a process from disk
Executed by Internet Explorer
Executed from Temporary Folders
Damage Level : Medium/High
Distribution Level: Unknown
Distribution Level: Unknown
No Removal Tool for W32/Agent.WVU Trojan
Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
End the Following Active Process Before Removal
- %Windows\fxstaller.exe
- %Temp%\ixp000.tmp\aa.exe
- %Temp%\ixp000.tmp\buri.exe
- %Temp%\ixp000.tmp\burimi.exe
- %Temp%\ixp000.tmp\fapack.exe
- %Temp%\ixp000.tmp\image.exe
- %Temp%\ixp000.tmp\pa.exe
- %Temp%\ixp000.tmp\pack.exe
- %Temp%\ixp000.tmp\pr.exe
- %Temp%\ixp000.tmp\test.exe
- %Temp%\ixp001.tmp\burimi.exe
[ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
The following file size has been seen:
37,376 bytes, 52,786 bytes, 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
- If you have any of these files in running process from task manger, end the process before removal.
- Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
- Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
- Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
- After booting into the Safe Mode or VGA Mode
- Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32.Spybot.Worm Entries
Delete the Following Keys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
In the right pane, reset the original value, if known:
"EnableDCOM" = "N"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
In the right pane, reset the original value, if known:
"DoNotAllowXPSP2" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\
parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
In the right pane, reset the original values, if known:
"AutoShareWks" = "0"
"AutoShareServer" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the right pane, reset the original value, if known:
"restrictanonymous" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
In the right pane, reset the original value, if known:
"Start" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE
In the right pane, delete any values that refer to the file names that were detected.
W32.Spybot.Worm Entries
Delete the Following Keys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
In the right pane, reset the original value, if known:
"EnableDCOM" = "N"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
In the right pane, reset the original value, if known:
"DoNotAllowXPSP2" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\
parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
In the right pane, reset the original values, if known:
"AutoShareWks" = "0"
"AutoShareServer" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the right pane, reset the original value, if known:
"restrictanonymous" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
In the right pane, reset the original value, if known:
"Start" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE
In the right pane, delete any values that refer to the file names that were detected.
Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.
Edit Menu - Find, enter Keyword and remove all value that find in search.
Exit the Registry Editor,
Restart your Computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
No comments :
Post a Comment
Comment on this Post!!