Enter your Keyword, Search here,

Manual Removal of Win32.Agent.wvu Trojan-Dropper

Manual Removal of Win32.Agent.wvu Trojan-Dropper.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for Win32.Agent.wvu Trojan-Dropper
Trojan Manual Removal Instructions

Recommend Removal from Safe Mode:

How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • %Temp%\1
  • %ProgramFiles%\CNNIC
  • %ProgramFiles%\CNNIC\Cdn
  • %ProgramFiles%\CNNIC\Cdn\Images
  • %Temp%\1\cdn.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnaux.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnforie.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnprh.dll
  • %System%\cdnprot.dat
  • %System%\drivers\cdnprot.sys
  • %ProgramFiles%\CNNIC\Cdn\cdnunins.exe
  • %ProgramFiles%\CNNIC\Cdn\cdnup.exe
  • %ProgramFiles%\CNNIC\Cdn\cdnvers.dat
  • %ProgramFiles%\CNNIC\Cdn\idnconvs.dll
  • %Temp%\1\setup.exe
  • %ProgramFiles%\CNNIC\Cdn\src.dat
    • Above Files under Programfiles also Copied to %Temp\1\
    [ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
    The following file size has been seen:
    37,376 bytes, 52,786 bytes
    , 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes
    • If you have any of these files in running process from task manger, end the process before removal.
    • Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Display
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Enum
HKEY_CURRENT_USER\Software\CNNIC
HKEY_CURRENT_USER\Software\CNNIC\CdnClient
HKEY_CURRENT_USER\Software\CNNIC\CdnClient\Restore


HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
(Default) = "CdnForIE.IEHlprObj"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
(Default) = "CndForIE.IEHlprObj.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
(Default) = "C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll"
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
(Default) = "CdnForIE Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
(Default) = "{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}"
Version = "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
(Default) = "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
(Default) = "{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
(Default) = "IIEHlprObj"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
(Default) = "C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
(Default) = "C:\PROGRA~1\CNNIC\Cdn\"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
(Default) = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
(Default) = "CdnForIE 1.0 Type Library"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
(Default) = "CndForIE.IEHlprObj.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
(Default) = "CndForIE Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
(Default) = "{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
(Default) = "CndForIE Class"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
HKeyRoot = 0x80000001
RegPath = "Software\Microsoft\Internet Explorer\MenuExt\Access Internet Keyword"
Type = "checkbox"
CheckedValue = 0x0000007F
DefaultValue = 0x0000007F
UncheckedValue = 0x00000000
Text = "Right click add "access Internet Keyword""
ValueName = "Contexts"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Enable Internet Keyword"
ValueName = "EnableKw"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Enable Chinese Domain Name"
ValueName = "EnableIdn"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000000
UncheckedValue = 0x00000000
Text = "Display hints under the address bar"
ValueName = "EnableAddrHint"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Display Keyword in the Address Bar Droplist"
ValueName = "EnableKwDisp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000000
UncheckedValue = 0x00000000
Text = "Activate Chinese Domain Name Command Line Support"
ValueName = "EnableIdnCmdEx"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Auto-update when new version is detected"
ValueName = "EnableTaskPopup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000000
UncheckedValue = 0x00000000
Text = "Permit the system to collect users' records"
ValueName = "EnableCollect"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
HKeyRoot = 0x80000001
RegPath = "SOFTWARE\CNNIC\CdnClient\Console"
Type = "checkbox"
CheckedValue = 0x00000001
DefaultValue = 0x00000001
UncheckedValue = 0x00000000
Text = "Pop up news information"
ValueName = "AutoUpdate"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
Text = "Update"
Type = "group"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
Text = "Chinese Domain Name and Internet Keyword"
Type = "group"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT]
Bitmap = "C:\WINNT\system32\inetcpl.cpl,4497"
Text = "Chinese Navigation"
Type = "group"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
Default Visible = "Yes"

Modified Registry Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant="http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html"
CustomizeSearch="http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"


Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find
, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Killbox (Freeware)

No comments :

Post a Comment

Comment on this Post!!

More Posts that you may be interested...