Remove W32.Rixobot

Posted on: January 11th, 2010

Discovered: January 5, 2010
Updated:

January 5, 2010 6:52:53 PM
Type:

Worm
Systems Affected:

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Recommended Action:
In order to Remove W32.Rixobot you need to Download the ‘No Adware’ remover software. Based on our testing this was the best peforming remover of W32.Rixobot.. Read our full No Adware Review

No Adware Review

Technical Details:

This program must be manually installed.

When the program is executed, it creates the following folders:

* %ProgramFiles%\Zwunzi
* C:\Documents and Settings\All Users\Application Data\Zwunzi

It drops the following files:

* %ProgramFiles%\Zwunzi\uninstall.exe

* %ProgramFiles%\Zwunzi\zwunzi.dll
* %ProgramFiles%\Zwunzi\zwunzi.exe
* C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi128
.exe

Then, the program creates the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\Uninstall\Zwunzi\"DisplayName" = "Zwunzi 1.0 build 128"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Uninstall\Zwunzi\"UninstallString" = "%ProgramFiles%\Zwunzi\uninstall.

exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Cid" = "466705c153
4b4aee8c896579946b055f"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"DllPath = "%Progra

mFiles%\Zwunzi\zwunzi.dll"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Initial" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Partner" = "ZWUN

ZI128"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Primary" = "f403"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"ShowBarSign" = "
0"

* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"ShowToolbarButto
n" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Src" = "zwunzi"

* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Version" = "1001
c"

The program creates a new service with the following characteristics:
Service Name: Zwunzi Service
Display Name: Zwunzi Service

Startup Type: Automatic

It registers the service by creating the following registry subkeys:

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
\LEGACY_ZWUNZI_SERVICE
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
LEGACY_ZWUNZI_SERVICE\0000

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\L
EGACY_ZWUNZI_SERVICE\0000\Control
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Z
wunzi Service
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zw
unzi Service\Enum

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Z
wunzi Service\Security
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Ro
ot\LEGACY_ZWUNZI_SERVICE
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Ro
ot\LEGACY_ZWUNZI_SERVICE\0000

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Roo
t\LEGACY_ZWUNZI_SERVICE\0000\Control
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
\Zwunzi Service
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Zwunzi Service\Enum

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Zwunzi Service\Security

The program is installed as a Browser Search Plugin for Internet Explorer
and Mozilla Firefox and redirects user searches to the following location:
zwunzi.com
Action Steps:
FREE SCAN: NoAdware can Remove W32.Rixobot. Click the link below for your free download & scan your PC now.

Please click here for manual removal instructions.

Posted on Monday, January 11th, 2010 at 4:12 am - filed under Blog, Worm.