HT Logs. Tips, FAQs, Analyze.

bill107.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: bill107
Filename: bill107.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray

Command: C:\windows\bill107.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [sysfbtray] C:\windows\bill107.exe

DDS Line:

mRun: [sysfbtray] C:\windows\bill107.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“sysfbtray”=C:\windows\bill107.exe

Description: new variant of koobface worm

How to remove: use these koobface removal instructions.

mcenspc.dll is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: mcenspc
Filename: mcenspc.dll
Registry key:

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders | SecurityProviders

Command: C:\Windows\System32\mcenspc.dll
Startup Type: SecurityProviders
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

Description: a trojan that also known as Trojan Horse [Symantec], Trojan.Win32.Agent2.htd [Kaspersky Lab], Generic Downloader.x!a [McAfee], Troj/Agent-JNX [Sophos], TrojanDownloader:Win32/Agent.KF [Microsoft], Trojan.Win32.Agent2 [Ikarus], Win-Trojan/Agent2.58880.B [AhnLab]

How to remove: use Malwarebytes` Anti-malware + Kaspersky virus removal tool

rihd.pno is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: rihd
Filename: rihd.pno
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe, rundll32.exe rihd.pno eaoydsi
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: Shell=Explorer.exe, rundll32.exe rihd.pno eaoydsi

Description: component of Bredolab trojan

How to remove: use HijackThis + Malwarebytes` Anti-malware

PRAGMAd.sys is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: PRAGMAd
Filename: PRAGMAd.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMA{random}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMAd.sys

Command:

C:\WINDOWS\system32\drivers\PRAGMA{random}.sys
C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys

Startup Type: hidden driver
RootRepeal shows infection:

Hidden Services
——————-
Service Name: PRAGMAd.sys
Image Path C:\WINDOWS\system32\drivers\PRAGMAewxhsvitbd.sys

Service Name: PRAGMArchxnseqxn
Image Path C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys

GMER shows infection:

Service system32\drivers\PRAGMAewxhsvitbd.sys (*** hidden *** ) [SYSTEM] PRAGMAd.sys <-- ROOTKIT !!! Service C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMArchxnseqxn <-- ROOTKIT !!!

Description: new variant of TDSS trojan

How to remove: use these TDSS trojan removal instructions.

digprot.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: digprot
Filename: digprot.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Digital Protection

Command: C:\Program Files\Digital Protection\digprot.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Digital Protection] “C:\Program Files\Digital Protection\digprot.exe” -noscan

DDS Line:

uRun: [Digital Protection] C:\Program Files\Digital Protection\digprot.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Digital Protection”=C:\Program Files\Digital Protection\digprot.exe

Description: core component of Digital Protection. Digital Protection is a rogue antispyware program.

How to remove: use these Digital Protection removal instructions.

davclnt.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: davclnt
Filename: davclnt.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | davclnt.exe

Command: %Temp%\davclnt.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [davclnt.exe] C:\DOCUME~1\comp\LOCALS~1\Temp\davclnt.exe

DDS Line:

uRun: [davclnt.exe] C:\DOCUME~1\comp\LOCALS~1\Temp\davclnt.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“davclnt.exe”=C:\DOCUME~1\comp\LOCALS~1\Temp\davclnt.exe

Description: trojanFakeAlert that installed with Digital Protection. Digital Protection is a rogue antispyware program.

How to remove: use these Digital Protection removal instructions.

Antivirus Suite is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: Antivirus Suite
Filename: {random}tssd.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {random}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {random}

Command: %AppData%\{random}\{random}tssd.exe
Startup Type: HKLM->Run, HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

DDS Line:

mRun: [valuename] file
uRun: [valuename] file

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“{random}”=C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“{random}”=C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

Description: {random}tssd.exe is a core component of Antivirus Suite. Antivirus Suite is a rogue antispyware program.

How to remove: use these Antivirus Suite removal instructions.

YVIBBBHA8C is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: YVIBBBHA8C
Filename: [random 3 characters].exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | YVIBBBHA8C

Command: %Temp%\[random 3 characters].exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\user\LOCALS~1\Tem\Lpw.exe

DDS Line:

uRun: [YVIBBBHA8C] C:\DOCUME~1\user\LOCALS~1\Temp\Lpw.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“YVIBBBHA8C”=C:\DOCUME~1\user\LOCALS~1\Temp\Lpw.exe

Description: a trojan that also known as Downloader-CEW [McAfee], Mal/FakeAV-CX, Mal/FakeAV-CO [Sophos]

How to remove: use HijackThis + Malwarebytes` Anti-malware

urpprot.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: urpprot
Filename: urpprot.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Your Protection

Command: C:\Program Files\Your Protection\urpprot.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Your Protection] “C:\Program Files\Your Protection\urpprot.exe” -noscan

DDS Line:

uRun: [Your Protection] C:\Program Files\Your Protection\urpprot.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Your Protection”=C:\Program Files\Your Protection\urpprot.exe

Description: core component of Your Protection. Your Protection is a rogue antispyware program.

How to remove: use these Your Protection removal instructions.

mplay32xe.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: mplay32xe
Filename: mplay32xe.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | mplay32xe.exe

Command: %Temp%\mplay32xe.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [mplay32xe.exe] C:\DOCUME~1\comp\LOCALS~1\Temp\mplay32xe.exe

DDS Line:

uRun: [mplay32xe.exe] C:\DOCUME~1\comp\LOCALS~1\Temp\mplay32xe.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“mplay32xe.exe”=C:\DOCUME~1\comp\LOCALS~1\Temp\mplay32xe.exe

Description: trojan FakeAlert that installed with Your Protection. Your Protection is a rogue antispyware program.

How to remove: use these Your Protection removal instructions.