Manual Removal of W32.Versie.A Trojan.
W32.Versie.A is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 7, 2009.
Other names of the W32/Agent.XRB Trojan:
This trojan is also known as Trojan-Downloader.Win32.Agent.xrb and W32.Versie.A.
The worm checks for the presence of %System%\drivers\klick.sys and if found, sets the date to 1981 and pings 127.0.0.1.
The worm opens a back door on the compromised computer that connects to jackie.crwoo.com on TCP port 1986 and awaits further commands, which allow a remote attacker to perform some of the following actions:
Log keystrokes typed
Download and execute additional files
Shut down the compromised computer
The worm may download the following file:
%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\Beizhu.txt (log files)
It creates custom Internet Favorites by dropping URL links in the following folder:
%UserProfile%\Favourites
The worm disables encryption for Tencent Messenger by deleting the file npkcrypt.sys from the application installation folder.
Note: The default installation folder is usually C:\Program Files\Tencent\QQ\.
The worm sends the following system information to the remote attacker:
CPU speed
Memory available
OS version
Service Packs installed
Damage Level : Medium/High
Distribution Level: Medium
No Removal Tool for W32.Versie.A Trojan
Removal instructions from Symantec
Trojan Manual Removal Instructions
Removal from Safe Mode is recommended.
How to start in Safe Mode:
Restart your computer and press F8 repeatedly as the screen turns on; select Safe Mode and press Enter.
The infected files can be seen under the following folders and names, and are also running as tasks.
End the following active processes before removal:
- [ Kill the process; use Killbox if access is denied ]
- %System%\_1.exe
- %System%\_autorun.exe
- %System%\_command.exe
- %System%\_ctfne.exe
- %System%\_kaspersky.exe
- %System%\_rejoice082.exe
- %System%\_server.exe
- %System%\360rtyy.exe
- %System%\system.exe
- %System%\wupdmgrv.exe
- %Temp%\ixp000.tmp\2.exe
- %Windir%\userinit.exe
- c:\autorun.exe
- c:\ctfne.exe
- c:\kaspersky.exe
- %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\_[RANDOM NAME1].exe
- %System%\[RANDOM NAME1].exe
- It copies itself to the root of fixed and removable drives as the following files:
- %Drive\[RANDOM NAME1].exe
- %Drive\Autorun.inf
- Service name: LocalSystem
- Display name: Windows Rnljm MingZai
- Description: Foundation network connection
- Image Path: %System%\rnljm.exe [ Kill the process; use Killbox if access is denied ]
- Startup Type: Automatic
To stop the service: click Start, Run, type services.msc and press Enter; find the display name, open Properties, press Stop, change the startup type from Automatic to Disabled, and click OK.
- iexplore.exe [ Kill the process; use Killbox if access is denied ]
- svchost.exe [ Kill the process; use Killbox if access is denied ]
Note: if Task Manager is disabled, download the file Enable Registry.reg.
Open it with Regedit.exe [%system32\regedit.exe]; when it asks whether to add the information to the registry, confirm Yes, then click OK.
Trojan Entries Manual Removal From Registry
Click Start, Run, type regedit, and click OK.
Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to the Registry Editor.
- Download UnHookExec.inf and save it to your Windows desktop. Do not run it at this time; download it only, then continue with the removal.
- After booting into Safe Mode or VGA Mode:
- Right-click the UnHookExec.inf file and click Install. [This is a small file; it does not display any notice or dialog boxes when you run it.]
The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:
It registers itself to run as a service by creating the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows\
[RANDOM NAME1]\[RANDOM NAME2]
The worm sets the following registry key to enable autorun on mapped drives:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"
It disables Start Page protection for Internet Explorer by setting the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"
The worm modifies the following registry subkey to change the Internet Explorer Start Page:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
It also modifies the following registry entries to change the user's desktop wallpaper:
HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"
HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "[PATH TO DOWNLOADED WALLPAPER]"
It modifies the following registry entry to disable the Windows Remote Assistance facility:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\"fDenyTSConnections" = "0"
Search the registry for the virus file names listed above to remove the threat completely:
Edit menu - Find, enter the keyword, and remove every value the search finds.
Exit the Registry Editor,
Restart your Computer.
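The following read-only audit script is an added example, not part of the original post or of Symantec's instructions. It checks a machine for the indicators this page lists (the registry values, the service display name and image path, the fixed-name dropped files, and Autorun.inf at drive roots) and reports what it finds without changing anything. The registry paths, value names, file names and service name are taken from the page; the environment-variable expansions (%System% as System32 under $env:SystemRoot, %Temp% as $env:TEMP, %ProgramFiles% as $env:ProgramFiles) are assumptions for a default install. Run it from an elevated PowerShell prompt so HKLM and System32 are readable.

```powershell
# Added audit script (not from the original post). Read-only: it reports
# which of the listed indicators are present and does not modify anything.
# Assumptions: %System% = $env:SystemRoot\System32, %Temp% = $env:TEMP,
# %ProgramFiles% = $env:ProgramFiles.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry values the worm is reported to write, and the value it sets.
#    fDenyTSConnections = 0 means Terminal Services connections are allowed.
$regChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Bad = '0'; Why = 'autorun enabled for every drive type' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'Homepage'; Bad = '1'; Why = 'IE start page settings locked by policy' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Name = 'fDenyTSConnections'; Bad = '0'; Why = 'Terminal Services connections permitted' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [string]$item.($c.Name) -eq $c.Bad) {
        $findings.Add("Registry: $($c.Path)\$($c.Name) = $($c.Bad) ($($c.Why))")
    }
}

# The IE Start Page is rewritten to a value the page does not list, so show it for review.
$main = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue
if ($null -ne $main) {
    $findings.Add("Info: HKLM IE Start Page is '$($main.'Start Page')' (review manually)")
}

# 2. The service the worm installs, matched on display name or image path.
$svcs = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq 'Windows Rnljm MingZai' -or $_.PathName -like '*\rnljm.exe*' }
foreach ($s in $svcs) {
    $findings.Add("Service: $($s.Name) ('$($s.DisplayName)') -> $($s.PathName), start mode $($s.StartMode)")
}

# 3. Fixed-name dropped files from the process list above. The random-named
#    copies cannot be checked by name and need the registry search described above.
$sys32 = Join-Path $env:SystemRoot 'System32'
$files = @(
    @('_1.exe', '_autorun.exe', '_command.exe', '_ctfne.exe', '_kaspersky.exe',
      '_rejoice082.exe', '_server.exe', '360rtyy.exe', 'system.exe', 'wupdmgrv.exe',
      'rnljm.exe') | ForEach-Object { Join-Path $sys32 $_ }
)
$files += @(
    (Join-Path $env:SystemRoot 'userinit.exe'),   # the legitimate userinit.exe lives in System32, not here
    (Join-Path $env:TEMP 'ixp000.tmp\2.exe'),
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\MSInfo\Beizhu.txt'),
    'C:\autorun.exe', 'C:\ctfne.exe', 'C:\kaspersky.exe'
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File: $f") }
}

# 4. Autorun.inf at the root of every mounted drive (fixed and removable).
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'Autorun.inf'
    if (Test-Path -LiteralPath $inf) { $findings.Add("Autorun: $inf") }
}

if ($findings.Count -eq 0) { 'No listed indicators found.' } else { $findings }
```

The script deliberately only reports: a hit on a fixed-name file or the service is a strong indicator, while the IE Start Page line is informational because a clean machine also has that value. Use the findings to decide which of the manual steps above still apply, and repeat the run after the reboot to confirm nothing was recreated.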
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)