Manual Removal Guide for Web-Nexus



Friday
2008-11-28, 18:05
The following instructions have been created to help you get rid of "Web-Nexus" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to the job, since it can look deeper than a manual check (hidden files, rootkit-protected entries) and remove all components in one pass.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
Uses hidden processes and adds its files to the system start-up and Winlogon entries, so it starts with every Windows session. Web-Nexus is also able to reinstall itself without user consent if parts of it are disabled or removed. Very persistent. For that reason, disable the autorun and Winlogon entries and delete the files in the same session, and check that nothing listed below has come back after the next reboot.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "ewlned" and pointing to "<$SYSDIR>\ffhvff.exe*".
Entries named "btsog" and pointing to "<$SYSDIR>\ffhvff.exe*".
Entries named "winsync" and pointing to "*exe reg_run*".
Entries named "winsync" and pointing to "<$WINDIR>\*exe reg_run*".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Installed Software List:

You can try to uninstall products with the names listed below. For items identified by other properties, or to avoid the malware becoming active again during uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and remove these entries.

Products that have a key or property named "6bc7c80f5ec8".
Products that have a key or property named "AdBehavior".
Products that have a key or property named "WebNexus".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

A file with an unknown location named "dmonwv.dll".
The file at "<$SYSDIR>\voxaf.exe".
The file at "<$SYSDIR>\gkfepkx.exe".
The file at "<$SYSDIR>\ffhvff.exe".
The file at "<$SYSDIR>\dmonwv.dll".
The file at "<$WINDIR>\unwn.exe".
The file at "<$WINDIR>\installer_252.exe".
A file with an unknown location named "installerwebnex.exe".
The file at "c:\installerwebnex.exe".
The file at "<$WINDIR>\tctin.dll".
The file at "<$SYSDIR>\auanosp.dll".
The file at "<$SYSDIR>\lklwe.dll".
The file at "<$SYSDIR>\cbcdsvd.exe".
The file at "<$PROGRAMFILES>\installer.exe".
A file with an unknown location named "installer.exe".
The file at "<$SYSDIR>\wuauclt.dll".
The file at "<$SYSDIR>\installer216.exe".
The file at "<$SYSDIR>\vgactl.cpl".
The file at "<$WINDIR>\pwpqoe.dat".
The file at "<$SYSDIR>\browselc.exe".
The file at "<$SYSDIR>\comaddin.exe".
The file at "<$DESKTOP>\Advance Your Career.url".
The file at "<$DESKTOP>\Casino games.url".
The file at "<$DESKTOP>\Find Your Dream Date Now!.url".
The file at "<$DESKTOP>\Guaranteed Approval!!.url".
The file at "<$FAVORITES>\Get out of Debt!.url".
The file at "<$FAVORITES>\Meet Someone Special.url".
The file at "<$FAVORITES>\You're Approved!!.url".
The file at "<$WINDIR>\unq32.dat".
The file at "<$LOCALSETTINGS>\Temp\f4440250.exe".
The file at "<$SYSDIR>\vyvka.dat".
The file at "<$SYSDIR>\auanosp.dll.tmp".
The file at "<$SYSDIR>\conres.cpl".
The file at "<$SYSDIR>\datadx.dll".
The file at "<$SYSDIR>\gbgrinh.dll".
The file at "<$SYSDIR>\ucuipyo.dll".
A file with an unknown location named "rnkrrr.exe".
A file with an unknown location named "kvkrua.exe".

Make sure your file manager is set to display hidden and system files. If Web-Nexus uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files whose location is not specified. Be extra careful, because the name alone may not be enough to identify a file. Compare the full name including the extension: "wuauclt.dll" and "browselc.exe" above are not the legitimate Windows files wuauclt.exe and browselc.dll, which must stay in place.

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries. Export each key before you delete it so you can restore it if you hit the wrong one. For the two Winlogon values below, remove only the listed file name from the value data; do not delete the "Shell" or "Userinit" value itself, and keep the legitimate entry (Explorer.exe and userinit.exe respectively), otherwise Windows will not be able to complete a logon.

Remove "<$SYSDIR>\voxaf.exe" from registry value "Shell" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".
Remove "gkfepkx.exe" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".
Delete the registry key "{CE3A44D8-BC88-4D62-A890-42D96245F8D6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CE3A44D8-BC88-4D62-A890-42D96245F8D6}" at "HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\".
Delete the registry key "{4ABF810A-F11D-4169-9D5F-7D274F2270A1}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\".
Delete the registry key "{d306b84a-d720-4cd2-a24c-d74a5be24b1c}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{900316f5-9e2e-4568-b9cf-077b0435eabb}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{734e5f6f-7da5-4fb9-8bbd-6eff69e666fd}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{48bae78e-c408-4a2f-8eb0-244182dbd58d}\".
Delete the registry key "{09295e67-cff0-46d7-bd03-31f28e8b4ca2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{d93095ee-3908-4413-8a34-f96f373616ae}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{5bc043bd-c24c-4b4e-a286-bc2ce0051ada}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{5dc5c416-c1e8-40ba-9bf5-151182c43077}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{eec72e68-ca10-4aa0-9143-f856fdcf78ac}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{9fceacb0-1e64-4144-af4b-c52c9201ac4c}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{963f6c0c-8069-4f1b-a2c9-20aa2f7175e4}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{72305156-d302-44bb-85a4-c88be1dd7451}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{734e5f6f-7da5-4fb9-8bbd-6eff69e666fd}\".
Delete the registry key "InProcServer32" at "HKEY_CLASSES_ROOT\CLSID\{77d19fcd-4936-43b3-bd3c-e96725d92b6a}\".
Delete the registry key "{85912e13-3a47-4651-8a96-b17cd071c321}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{315ae455-6902-4ae1-a72e-8d0a8e5cde42}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}" at "HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\".
Delete the registry key "{9E248641-0E24-4DDB-9A1F-705087832AD6}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\".
Delete the registry key "{c9517365-7113-4309-b53c-33dda7517386}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9b4a1ac0-9aee-4e25-9ee1-9b2f7e17050f}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{0339bff1-bfb6-4f11-967d-6afbc4e1993e}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{873510aa-6d4a-4dbe-8840-82b942464278}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "tutold" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\".
Delete the registry key "qstat" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "{d93095ee-3908-4413-8a34-f96f373616ae}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{46E0807E-D421-4D67-BA84-E13E187AE3DA}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5dc5c416-c1e8-40ba-9bf5-151182c43077}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{bc14d6a3-17f6-407f-a75c-fe7e8d722d86}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9fceacb0-1e64-4144-af4b-c52c9201ac4c}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{4e9314b4-65c5-4f05-9e72-e5add1a155e6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "484769567" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "qkqxnstn" at "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\".
Delete the registry key "{054354ce-22e9-48b1-ab89-8bee4dc28bb9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{4bd76cc3-e307-48de-96ef-75f5e1f17636}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{4f48e5fb-cf5d-450b-a587-e6909c06e1b1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{52643952-a87f-4d8c-89a0-0b84ac74d5f1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{56019f5e-1071-4285-8e9e-ab94aae2e4e5}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6EC11407-5B2E-4E25-8BDF-77445B52AB37}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{86d7d6ec-458b-4e2d-b607-6e9ce5aa93a9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9a4873a1-eb0f-4c32-9f61-fdadd3edc986}" at "HKEY_CLASSES_ROOT\CLSID\".
If Web-Nexus uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
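A small offline helper for the Autorun and Winlogon steps of this guide. This is an added example, not code from the original post or from Safer Networking. The registry values it works on are constructed sample data; the <$SYSDIR> and <$WINDIR> placeholders are assumed to map to a default C:\WINDOWS install, and the function names are the example's own. Its point is the one caveat a manual edit tends to get wrong: the Winlogon "Shell" and "Userinit" values are comma-separated lists, and the Web-Nexus executables must be stripped from them while the legitimate entry stays in place. The only function that touches a real registry is read_live_winlogon(), which is Windows-only and read-only.

```python
"""Offline helper for the Autorun and Registry (Winlogon) steps of this guide.

Added example, not code from the original post.  The registry data below is
constructed sample data; read_live_winlogon() at the bottom is the only part
that touches a real (Windows) registry, and it only reads.
"""
import fnmatch

# Assumption: default XP-era install paths for the guide's placeholders.
PLACEHOLDERS = {
    "<$SYSDIR>": r"C:\WINDOWS\system32",
    "<$WINDIR>": r"C:\WINDOWS",
}

# Autorun entries listed in the guide: (entry name, target pattern).
AUTORUN_PATTERNS = [
    ("ewlned", r"<$SYSDIR>\ffhvff.exe*"),
    ("btsog", r"<$SYSDIR>\ffhvff.exe*"),
    ("winsync", r"*exe reg_run*"),
    ("winsync", r"<$WINDIR>\*exe reg_run*"),
]

# Winlogon values the guide says to edit, and what to strip from each.
WINLOGON_REMOVE = {
    "Shell": [r"<$SYSDIR>\voxaf.exe"],
    "Userinit": ["gkfepkx.exe"],
}


def expand(text):
    """Replace the guide's <$...> placeholders with concrete paths."""
    for key, path in PLACEHOLDERS.items():
        text = text.replace(key, path)
    return text


def matches_pattern(value, pattern):
    """Case-insensitive wildcard match; fnmatch treats backslashes literally."""
    return fnmatch.fnmatchcase(value.lower(), expand(pattern).lower())


def find_bad_autoruns(run_entries):
    """run_entries maps autorun value name -> command line (as in HKLM\\...\\Run).
    Returns the names of entries matching the guide's name+target pairs."""
    hits = []
    for name, target in run_entries.items():
        for bad_name, pattern in AUTORUN_PATTERNS:
            if name.lower() == bad_name.lower() and matches_pattern(target, pattern):
                hits.append(name)
                break
    return hits


def _is_removal_target(entry, target):
    """A full path must match exactly; a bare file name matches the entry's basename."""
    entry_l, target_l = entry.lower(), expand(target).lower()
    if "\\" in target_l:
        return entry_l == target_l
    return entry_l.rsplit("\\", 1)[-1] == target_l


def sanitize_winlogon_value(value_name, data):
    """Strip the guide's Web-Nexus entries from a comma-separated Winlogon value.

    Shell and Userinit are lists; the malware appends its own executable to the
    legitimate one.  Only the listed entries are removed, and an empty result
    is refused, because an empty Userinit value breaks logon.
    """
    targets = WINLOGON_REMOVE.get(value_name, [])
    parts = [p.strip() for p in data.split(",") if p.strip()]
    clean = [p for p in parts if not any(_is_removal_target(p, t) for t in targets)]
    if not clean:
        raise ValueError(f"refusing to empty Winlogon value {value_name!r}")
    result = ",".join(clean)
    if data.rstrip().endswith(","):  # Windows stores Userinit with a trailing comma
        result += ","
    return result


def read_live_winlogon():
    """Windows only, read-only: show what the sanitizer would change.
    Apply the change with regedit.exe as the guide describes."""
    import winreg  # only present on Windows
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for name in WINLOGON_REMOVE:
            data, _ = winreg.QueryValueEx(key, name)
            print(f"{name}: {data!r} -> {sanitize_winlogon_value(name, data)!r}")


if __name__ == "__main__":
    # Constructed sample data modelled on an infected machine; "sample.exe" is invented.
    sample_run = {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "ewlned": r"C:\WINDOWS\system32\ffhvff.exe",
        "winsync": r"C:\WINDOWS\sample.exe reg_run",
    }
    print("autorun entries to remove:", find_bad_autoruns(sample_run))
    print(sanitize_winlogon_value("Shell", r"Explorer.exe,C:\WINDOWS\system32\voxaf.exe"))
    print(sanitize_winlogon_value(
        "Userinit", r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\gkfepkx.exe,"))
```

Run it as-is to see the matching on the sample data; on the infected Windows machine, call read_live_winlogon() to preview the Shell and Userinit edit before making it in regedit.exe. The sanitizer deliberately raises instead of returning an empty string, so a typo in the removal list cannot leave you with a machine that no longer logs on.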

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.