Your best source of information and news about drivers, winvista and windows on the internet

Vista ARTICLES TOP 50 Spyware Virus Vista SOFT Vista HELP

fxstaller.exe

You are currently browsing the articles from MS Windows Vista Compatible Software matching the category fxstaller.exe.

Manual Removal of W32/SDBot.JTU Trojan

Manual Removal of W32/SDBot.JTU Trojan
W32/SDBot.JTU is a trojan. The trojan will infect Windows systems.
This Worm Copies its files to Windows\System Folder as hidden files.
This trojan information updated on April 27, 2009.
Other names of W32/SDBot.JTU Trojan:
This trojan is also known as Backdoor.Win32.SdBot.jtu, Backdoor.Sdbot, Agent_r.HR.
Damage Level : Medium/High
Distribution Level: Medium
W32/SDBot.JTU Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • [ Kill the Process, Use Killbox if your Access Denied ]
Download W32/SDBot.JTU Trojan Known File Removal Tool

[In Windows Vista Run As Administrator, After Execution System Will Restart]

  • %Windows\fxstaller.exe
    [ No Exact Information about Files, search above related files in Program files Folder ]
    If you have any of these files in running process from task manger, end the process before removal.
    Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg [ Right Click - Save Target As/Linked Content As ]
    Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
W32/SDBot.JTU Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, [ Right Click - Save Target As/Linked Content As ]
     and then continue with the removal. Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The W32/SDBot.JTU Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:
Delete The Entries
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete file entries from right side
Search Registry For W32/SDBot.JTU Trojan File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)
Ultimate Links PC Tips

Written by FireFly on May 1st, 2009 with no comments.
Read more articles on fxstaller.exe and W32/SDBot.JTU and manual removal and removal of trojan and otherSoftware and Windows.

Manual Removal of Win32.CeeInject Trojan

Manual Removal of Win32.CeeInject Trojan.
Win32.CeeInject Trojan is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 15, 2009.
Other names of Win32.CeeInject Trojan:
This trojan is also known as Trojan-Downloader.Win32.QQHelper.gfg, W32/Pushbot,Trojan-Downloader:W32/QQHelper.XC.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for Win32.CeeInject Trojan
Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • %Windows\fxstaller.exe [ 311.296 KByte ] [ Kill the Process, Use Killbox if your Access Denied ]
  • %ProgramFiles%\bifrost\server.exe
  • %ProgramFiles%\java\msn.exe
  • %ProgramFiles%\massenger live\server.exe
  • %System%\avs.exe
  • %System%\bifrost\server.exe
  • %System%\cmd32.exe
  • %System%\mldmm.exe
  • %System%\msn\system.exe
  • %System%\progrmas\server.exe
  • %System%\rbjeivpetkbayv.exe
  • %System%\scuccccmunafgb.exe
  • %System%\service.exe
  • %System%\system\windows.exe
  • %System%\twext.exe
  • %Temp%\ixp000.tmp\act.exe
  • %Temp%\ixp000.tmp\burimi.exe
  • %Temp%\ixp000.tmp\pa.exe
  • %Temp%\ixp000.tmp\pack.exe
  • %Temp%\ixp000.tmp\service.exe
  • %Temp%\ixp001.tmp\1.exe
  • %Temp%\rarsfx0\1.exe
  • %Windir%\bifrost\server.exe
  • %Windir%\cftmon32.exe
  • %Windir%\config\polcmd32.exe
  • %Windir%\libsrv32.exe
  • %Windir%\service.exe
  • %Windir%\shvhost.exe
  • %Windir%\sqihost32.exe
  • %Windir%\sqlhostt32.exe
  • c:\ed.exe
    • If you have any of these files in running process from task manger, end the process before removal.
    • Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
fxstaller.exe
Delete this Entry

Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on January 15th, 2009 with no comments.
Read more articles on burimi and Cmd32.exe and ixp000.tmp and W32/QQHelper.GFG and fxstaller.exe and Win32.Agent.wvu Trojan-Dropper and removal of trojan and manual removal and W32/Agent.WVU and otherSoftware.

Manual Removal of W32/QQHelper.GFG Trojan

Manual Removal of W32/QQHelper.GFG Trojan.
W32/QQHelper.GFG is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 15, 2009.
Other names of W32/QQHelper.GFG Trojan:
This trojan is also known as Trojan-Downloader.Win32.QQHelper.gfg, W32/Pushbot,Trojan-Downloader:W32/QQHelper.XC.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/QQHelper.GFG Trojan
Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • %Windows\fxstaller.exe [ 311.296 KByte ] [ Kill the Process, Use Killbox if your Access Denied ]
  • %Documents and Settings\Default User\Local Settings\Temp\IXP001.TMP
  • %Documents and Settings\Default User\Local Settings\IXP001.TMP\burimi.exe [ 311.296 KByte ]
  • %Documents and Settings\Default User\Local Settings\IXP000.TMP\burimis.exe [ 118.784 KByte ]
  • These ports were open in the system
  • Prot -1033 Protocol - TCP - Process - fxstaller.exe (%Windows\fxstaller.exe)
  • Prot -1034 Protocol - TCP - Process - fxstaller.exe (%Windows\fxstaller.exe)
    • If you have any of these files in running process from task manger, end the process before removal.
    • Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]
The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
fxstaller.exe
Delete this Entry

Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on January 15th, 2009 with no comments.
Read more articles on Win32.Agent.wvu Trojan-Dropper and fxstaller.exe and W32/QQHelper.GFG and W32/Agent.WVU and manual removal and otherSoftware and removal of trojan and Windows.

Manual Removal of Win32.Agent.wvu Trojan-Dropper

Manual Removal of Win32.Agent.wvu Trojan-Dropper.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for Win32.Agent.wvu Trojan-Dropper
Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • %Temp%\1
  • %ProgramFiles%\CNNIC
  • %ProgramFiles%\CNNIC\Cdn
  • %ProgramFiles%\CNNIC\Cdn\Images
  • %Temp%\1\cdn.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnaux.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnforie.dll
  • %ProgramFiles%\CNNIC\Cdn\cdnprh.dll
  • %System%\cdnprot.dat
  • %System%\drivers\cdnprot.sys
  • %ProgramFiles%\CNNIC\Cdn\cdnunins.exe
  • %ProgramFiles%\CNNIC\Cdn\cdnup.exe
  • %ProgramFiles%\CNNIC\Cdn\cdnvers.dat
  • %ProgramFiles%\CNNIC\Cdn\idnconvs.dll
  • %Temp%\1\setup.exe
  • %ProgramFiles%\CNNIC\Cdn\src.dat
    • Above Files under Programfiles also Copied to %Temp\1\

    [ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
    The following file size has been seen:
    37,376 bytes, 52,786 bytes    , 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes

    • If you have any of these files in running process from task manger, end the process before removal.
    • Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Common
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Display
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\InstallInfo
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\RunAct
HKEY_LOCAL_MACHINE\SOFTWARE\CNNIC\CdnClient\Update
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cdnprot\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot\Enum
HKEY_CURRENT_USER\Software\CNNIC
HKEY_CURRENT_USER\Software\CNNIC\CdnClient
HKEY_CURRENT_USER\Software\CNNIC\CdnClient\Restore

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\VersionIndependentProgID
(Default) = “CdnForIE.IEHlprObj”HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\ProgID
(Default) = “CndForIE.IEHlprObj.1″
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}\InprocServer32
(Default) = “C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll”
ThreadingModel = “Apartment”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
(Default) = “CdnForIE Class”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\TypeLib
(Default) = “{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}”
Version = “1.0″
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid32
(Default) = “{00020424-0000-0000-C000-000000000046}”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}\ProxyStubClsid
(Default) = “{00020424-0000-0000-C000-000000000046}”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5C3853CD-C7E0-4946-B3FA-1ABDB6F48108}
(Default) = “IIEHlprObj”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\0\win32
(Default) = “C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\HELPDIR
(Default) = “C:\PROGRA~1\CNNIC\Cdn\”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0\FLAGS
(Default) = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5C3853CE-C7E0-4946-B3FA-1ABDB6F48108}\1.0
(Default) = “CdnForIE 1.0 Type Library”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj\CurVer
(Default) = “CndForIE.IEHlprObj.1″
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj
(Default) = “CndForIE Class”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1\CLSID
(Default) = “{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}”
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CdnForIE.IEHlprObj.1
(Default) = “CndForIE Class”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RIGHT
HKeyRoot = 0×80000001
RegPath = “Software\Microsoft\Internet Explorer\MenuExt\Access Internet Keyword”
Type = “checkbox”
CheckedValue = 0×0000007F
DefaultValue = 0×0000007F
UncheckedValue = 0×00000000
Text = “Right click add “access Internet Keyword”"
ValueName = “Contexts”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000001
UncheckedValue = 0×00000000
Text = “Enable Internet Keyword”
ValueName = “EnableKw”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000001
UncheckedValue = 0×00000000
Text = “Enable Chinese Domain Name”
ValueName = “EnableIdn”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000000
UncheckedValue = 0×00000000
Text = “Display hints under the address bar”
ValueName = “EnableAddrHint”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000001
UncheckedValue = 0×00000000
Text = “Display Keyword in the Address Bar Droplist”
ValueName = “EnableKwDisp”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\COMMAND
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000000
UncheckedValue = 0×00000000
Text = “Activate Chinese Domain Name Command Line Support”
ValueName = “EnableIdnCmdEx”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\POPUP
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000001
UncheckedValue = 0×00000000
Text = “Auto-update when new version is detected”
ValueName = “EnableTaskPopup”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\COLLECT
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000000
UncheckedValue = 0×00000000
Text = “Permit the system to collect users’ records”
ValueName = “EnableCollect”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\AUTOUPDATE
HKeyRoot = 0×80000001
RegPath = “SOFTWARE\CNNIC\CdnClient\Console”
Type = “checkbox”
CheckedValue = 0×00000001
DefaultValue = 0×00000001
UncheckedValue = 0×00000000
Text = “Pop up news information”
ValueName = “AutoUpdate”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE
Bitmap = “C:\WINNT\system32\inetcpl.cpl,4497″
Text = “Update”
Type = “group”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW
Bitmap = “C:\WINNT\system32\inetcpl.cpl,4497″
Text = “Chinese Domain Name and Internet Keyword”
Type = “group”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT]
Bitmap = “C:\WINNT\system32\inetcpl.cpl,4497″
Text = “Chinese Navigation”
Type = “group”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}
Default Visible = “Yes”

Modified Registry Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant=”http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html”
CustomizeSearch=”http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html”

Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on January 5th, 2009 with 1 comment.
Read more articles on Win32.Agent.wvu Trojan-Dropper and fxstaller.exe and W32/Agent.WVU and manual removal and removal of trojan and otherSoftware.

Manual Removal of W32/Agent.WVU Trojan

Manual Removal of W32/Agent.WVU Trojan.
W32/Agent.WVU is a trojan. The trojan will infect Windows systems.
This trojan first appeared on January 5, 2009.
Other names of W32/Agent.WVU Trojan:
This trojan is also known as W32.Spybot.Worm, Backdoor.Win32.Agent.wvu.
FXSTALLER.EXE has been seen to perform the following behavior:
The Process is packed and/or encrypted using a software packing process
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
Disables the Windows Security Center Service
Disables Windows Automatic Updates including Security Updates and Patches
Executes a Process
Writes to another Process’s Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
This process creates other processes on disk
Creates system tray popups, messages, errors and security warnings
Opens browser pop ups
The Process is polymorphic and can change its structure
Registers a Dynamic Link Library File
Can communicate with other computer systems using HTTP protocols
Executes Processes stored in Temporary Folders
FXSTALLER.EXE has been the subject of the following behavior:
Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Executed as a Process
Terminated as a Process
Copied to multiple locations on the system
Created as a new Background Service on the machine
Deleted as a process from disk
Executed by Internet Explorer
Executed from Temporary Folders
Damage Level : Medium/High
Distribution Level: Unknown
No Removal Tool for W32/Agent.WVU Trojan
Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal
  • %Windows\fxstaller.exe
  • %Temp%\ixp000.tmp\aa.exe
  • %Temp%\ixp000.tmp\buri.exe
  • %Temp%\ixp000.tmp\burimi.exe
  • %Temp%\ixp000.tmp\fapack.exe
  • %Temp%\ixp000.tmp\image.exe
  • %Temp%\ixp000.tmp\pa.exe
  • %Temp%\ixp000.tmp\pack.exe
  • %Temp%\ixp000.tmp\pr.exe
  • %Temp%\ixp000.tmp\test.exe
  • %Temp%\ixp001.tmp\burimi.exe
    [ FXSTALLER.EXE can also use the following File Names ] 04172258.DAT, 59465376.DAT, BBPHOTO[1].EXE, PACK.EXE, 03932762.EXE, FXSTALLER.MSNFIX, LACOSTES.EXE, ERASEME_78156.EXE, MARINA[n].COM, LACOSTES(n).EXE, LACOSTES[n].EXE, 26863612.COM, 39847305.EXE, 15451429.EXE, 76765953.EXE, HOUSEGIRL.EXE, STH4NSBA.EXE, DD1.EXE, HOUSEGIRL.COM, 39026582.EXE, 11162921.EXE, 40619004.COM, HACKEDMSN.EXE, HACKEDMSN[n].COM, BURIMI.EXE, 96195105.EXE, 60362081.DAT
    The following file size has been seen:
    37,376 bytes, 52,786 bytes    , 39,936 bytes, 44,554 bytes, 60,938 bytes, 48,690 bytes

    • If you have any of these files in running process from task manger, end the process before removal.
    • Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg
    • Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.
Trojan Entries Manual Removal From Registry
Click Start, Run,Type regedit,Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor.
  • Download this UnHookExec.inf, and then continue with the removal.Save it to your Windows desktop. Do not run it at this time, download it only.
  • After booting into the Safe Mode or VGA Mode
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it.]

The Trojan modifies registry at the following locations to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

W32.Spybot.Worm Entries
Delete the Following Keys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
In the right pane, reset the original value, if known:
“EnableDCOM” = “N”
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
In the right pane, reset the original value, if known:
“DoNotAllowXPSP2″ = “1″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\
parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
In the right pane, reset the original values, if known:
“AutoShareWks” = “0″
“AutoShareServer” = “0″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the right pane, reset the original value, if known:
“restrictanonymous” = “1″
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
In the right pane, reset the original value, if known:
“Start” = “4″

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE
In the right pane, delete any values that refer to the file names that were detected.

Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.

Exit the Registry Editor,
Restart your Computer.

Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Written by FireFly on January 5th, 2009 with no comments.
Read more articles on W32/Agent.WVU and fxstaller.exe and manual removal and removal of trojan and otherSoftware and run and Windows.