Archive for August, 2009

svchasts.exe is a component of Windows Police Pro

Monday, August 31st, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: svchasts
Filename: svchasts.exe
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\antippro2009_100

Command: C:\WINDOWS\svchasts.exe
Startup Type: Service
HijackThis Category: O23
HijackThis Line:

O23 – Service: AntipPro2009_100 (AntipyProex) – Unknown owner – C:\WINDOWS\svchasts.exe

Combofix/RSIT Line:

R2 AntipPro2009_100;AntipyProex; C:\WINDOWS\svchasts.exe [2009-08-31 163840]

Description: component of Windows Police Pro (rogue antispyware program)

How to remove: use these Windows Police Pro removal instructions.

desote.exe is a component of Windows Police Pro

Monday, August 31st, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: desote
Filename: desote.exe
Registry key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

Command: c:\windows\system32\desote.exe
Startup Type: File associations

.exe – open – C:\WINDOWS\system32\desote.exe “%1″ %*

Description: component of Windows Police Pro (rogue antispyware program) that blocks ability to run any programs.

How to remove: use these Windows Police Pro removal instructions.

SM205.exe is main file of Smart Virus Eliminator

Saturday, August 29th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: SM205
Filename: SM205.exe (Smart Virus Eliminator uses random file name to hide itself)
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Smart Virus Eliminator

Command: C:\Documents and Settings\All Users\Application Data\7d189\SM205.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Smart Virus Eliminator] “C:\Documents and Settings\All Users\Application Data\7d189\SM205.exe” /s /d

Description: main file of Smart Virus Eliminator

How to remove: use these Smart Virus Eliminator removal instructions.

DnsFilter.sys is a trojan (Trojan.DNSChanger)

Friday, August 28th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: DnsFilter
Filename: DnsFilter.sys
Command: c:\windows\system32\drivers\DnsFilter.sys
Startup Type: driver, svchost
Combofix/RSIT Line:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“8085:TCP”= 8085:TCP:ddnsfilter
R2 ddnsfilter;ddnsfilter;c:\windows\sySTEM32\SvchoSt.ExE -k ddnsfilter [7/16/2003 11:41 AM 14336]
R1 DnsFilter;DnsFilter;c:\windows\system32\drivers\DnsFilter.sys [8/23/2009 8:43 AM 38016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ddnsfilter REG_MULTI_SZ ddnsfilter

Description: trojan also known as Trojan.DNSChanger, Trojan.Dropper [Symantec], Trojan.Win32.Agent.cupu, [Kaspersky Lab], Trojan-Dropper [Ikarus]

How to remove: use Malwarebytes Anti-malware + use Kaspersky virus removal tool.

WIa9ca.exe is a main file of Windows Protection Suite

Friday, August 28th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: WIa9ca
Filename: WIa9ca.exe (uses random filenames to hide itself)
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Windows Protection Suite

Command: C:\Documents and Settings\All Users\Application Data\a91c29\WIa9ca.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Windows Protection Suite] “C:\Documents and Settings\All Users\Application Data\a91c29\WIa9ca.exe” /s /d

Description: main file of Windows Protection Suite (rogue antispyware software)

How to remove: use these Windows Protection Suite removal instructions.

BlockDefenseSvc.exe is component of BlockDefense

Friday, August 28th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: BlockDefenseSvc
Filename: BlockDefenseSvc.exe
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\blockdefensesvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\blockdefensesvc

Command: C:\Program Files\BlockDefense Software\BlockDefense\BlockDefenseSvc.exe
Startup Type: Service
HijackThis Category: O23
HijackThis Line:

O23 – Service: BlockDefense Security Service (BlockDefenseSvc) – Unknown owner – C:\Program Files\BlockDefense Software\BlockDefense\BlockDefenseSvc.exe

Description: component of BlockDefense (rogue antispyware program)

How to remove: use these BlockDefense removal instructions.

BlockDefense.exe is a main file of BlockDefense

Friday, August 28th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: BlockDefense
Filename: BlockDefense.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | BlockDefense

Command: C:\Program Files\BlockDefense Software\BlockDefense\BlockDefense.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [BlockDefense] C:\Program Files\BlockDefense Software\BlockDefense\BlockDefense.exe -min

Description: main file of BlockDefense (rogue antispyware program)

How to remove: use these BlockDefense removal instructions.

regedit.exe is a trojan

Thursday, August 27th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: regedit
Filename: regedit.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Regedit32

Command: C:\WINDOWS\system32\regedit.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

Description: trojan, that installed with PC Antispyware2010 (rogue antispyware program)
Note: regedit.exe trojan located in the C:\WINDOWS\system32 folder, Windows system file regedit.exe located in the C:\WINDOWS folder !!!

How to remove: use these PC Antispyware2010 removal instructions.

hp32_nword.exe is a trojan

Thursday, August 27th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: hp32_nword
Filename: hp32_nword.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | hp32_nword
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | hp32_nword

Command: C:\WINDOWS\system32\hp32_nword.exe
Startup Type: HKLM->Run, HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [hp32_nword] C:\WINDOWS\system32\hp32_nword.exe
O4 – HKCU\..\Run: [hp32_nword] C:\Documents and Settings\Michael\hp32_nword.exe

Description: trojan also known as Win-Trojan/SpamMailer, installed with PC Antispyware2010 (rogue anispyware program)

How to remove: use HijackThis + use SUPERAntiSpyware

ESQULserv.sys is a trojan DNSChanger

Thursday, August 27th, 2009

This is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ESQULserv
Filename: uses random filenames, examples below

c:\windows\system32\drivers\ESQULpjyrxmafdndomsrumnadwoyxcbowcdul.sys
c:\windows\system32\drivers\ESQULvvmlotmovroyobfrbmltkmtttklyrqje.sys
c:\windows\system32\ESQULdfowmsoetvgoovmoowvkctgpjykiyoaq.dll
c:\windows\system32\ESQULjgxtjwkxefqrntwuekdqcwtuospqgmas.dll

Command: c:\windows\system32\drivers\ESQULfqjdadpxylqppquwnvxjkomleltuiihj.sys
Startup Type: hidden driver
Description: variant of trojan DNSChanger

How to remove: use these trojan DNSChanger removal instructions.