Trojan.Win32.Agent.neshvq removal guide

The Trojan.Win32.Agent.neshvq is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Trojan.Win32.Agent.neshvq virus can do?

• SetUnhandledExceptionFilter detected (possible anti-debug)
• Behavioural detection: Executable code extraction – unpacking
• Yara rule detections observed from a process memory dump/dropped files/CAPE
• Creates RWX memory
• Guard pages use detected – possible anti-debugging.
• Dynamic (imported) function loading detected
• At least one IP Address, Domain, or File Name was found in a crypto call
• Starts servers listening on 127.0.0.1:0
• Reads data out of its own binary image
• A process created a hidden window
• CAPE extracted potentially suspicious content
• Drops a binary and executes it
• The binary likely contains encrypted or compressed data.
• Authenticode signature is invalid
• Uses Windows utilities for basic functionality
• Behavioural detection: Injection (Process Hollowing)
• Executed a process and injected code into it, probably while unpacking
• Attempts to remove evidence of file being downloaded from the Internet
• Tries to suspend Cuckoo threads to prevent logging of malicious activity
• Behavioural detection: Injection (inter-process)
• Behavioural detection: Injection with CreateRemoteThread in a remote process
• Created a process from a suspicious location
• Collects and encrypts information about the computer likely to send to C2 server
• Installs itself for autorun at Windows startup
• Exhibits behavior characteristic of Nanocore RAT
• CAPE detected the NanoCore malware family
• Collects information to fingerprint the system

How to determine Trojan.Win32.Agent.neshvq?

File Info:
name: B6C7CA69911F8FE56D9F.mlw
path: /opt/CAPEv2/storage/binaries/d6374c6549de498926460b9bb75e2c19421ecf95ad2dd7ec7cacdf15f38686ad
crc32: 0E11F272
md5: b6c7ca69911f8fe56d9fbea6eb898c12
sha1: b7a8d6e4d6c26e6b00c88e15fe325e08f3203856
sha256: d6374c6549de498926460b9bb75e2c19421ecf95ad2dd7ec7cacdf15f38686ad
sha512: feebbfbe090869b1fd9375071ce8d6ae9301cdfb92885317e2569db53c92cec5b512c02946ed619a907a8bb74a4868e641dc94244ee42c154e77ee5eef821139
ssdeep: 98304:tHxdC1DkJtEXwhfi+D6Lfqlx8u/V+kcKGTCWGXY:tRckHJi+b5HhG+Wt
type: PE32+ executable (GUI) x86-64, for MS Windows
tlsh: T11626334363DEC683FAB227B8D4F151779293BDE2777C109D2218B4951233AE09876F92
sha3_384: 708d41a7233ab1bd25cf36db470fa752355f0ab1f1c7c9f1f02c6aeb7773363739c2f7c5cf5fb761795c1a9cff75ef19
ep_bytes: 4883ec28e84f0900004883c428e90600
timestamp: 2013-08-22 11:30:31

Version Info:
Comments: This installation was built with Inno Setup.
CompanyName:                                                             
FileDescription: The Amazing Spider Man 2 Bundle Setup                       
FileVersion:                     
LegalCopyright:                                                                                                     
ProductName: The Amazing Spider Man 2 Bundle                             
ProductVersion:                     
Translation: 0x0000 0x04b0

Trojan.Win32.Agent.neshvq also known as:

How to remove Trojan.Win32.Agent.neshvq?

• Download and install GridinSoft Anti-Malware.
• Open GridinSoft Anti-Malware and perform a “Standard scan“.
• “Move to quarantine” all items.
• Open “Tools” tab – Press “Reset Browser Settings“.
• Select proper browser and options – Click “Reset”.
• Restart your computer.