Archive for the 'Startup Type' Category

What is AV Antivirus Suite, How to remove AV Antivirus Suite

Tuesday, June 29th, 2010

AV Antivirus Suite is a rogue antispyware program.

remove It is a fake security program (rogu antispyware) from the same family of malware as Av Security Suite, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Command: %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe
Startup Type: O4
HijackThis Category: R1, O4
HijackThis Line:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [{RANDOM}] %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe
O4 – HKCU\..\Run: [{RANDOM}] %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe

Description: rogue antispyware program

How to remove: use the AV Antivirus Suite removal guide or the steps below.

1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!! If you can`t download HijackThis, then: a) boot your PC in Safe mode with networking and try once again; b) reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is QNB2EB90WX, How to remove QNB2EB90WX

Monday, June 28th, 2010

QNB2EB90WX is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:3}.exe, example: Ufr.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | QNB2EB90WX

Command: %Temp%\{random:3}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [QNB2EB90WX] C:\DOCUME~1\username\LOCALS~1\Temp\Ufr.exe

DDS Line:

uRun: [QNB2EB90WX] C:\DOCUME~1\username\LOCALS~1\Temp\Ufr.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“QNB2EB90WX”=C:\DOCUME~1\username\LOCALS~1\Temp\Ufr.exe

Description: trojan FakeAlert, also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“QNB2EB90WX”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install and perform a scan.

What is autmgr32.exe, How to remove autmgr32.exe

Monday, June 28th, 2010

autmgr32.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: autmgr32
Filename: autmgr32.exe
Registry key:

HKEY_CLASSES_ROOT\exefile\shell\open\command | @=”\”C:\DOCUME~1\user\LOCALS~1\Temp\autmgr32.exe\” /START \”%1\” %*”

Command: %Temp%\autmgr32.exe
Startup Type: File associations
Combofix/RSIT Line:

.exe – open – “C:\DOCUME~1\comp\LOCALS~1\Temp\autmgr32.exe” /START “%1″ %*

Description: autmgr32.exe (located in Temp folder) is a trojan FakeAlert that uses to install Defense Center (rogue antispyware). Legitimate autmgr32.exe located in C:\WINDOWS\system32\ folder.

How to remove: use the defcnt.exe, autmgr32.exe, wscsvc32.exe malware removal instructions or the steps below.

1. Download fix.zip from here, unzip it. Double Click fix.reg and click YES for confirm.

2. Download TDSSKiller from here and unzip to your desktop. Open tdsskiller folder and right click to TDSSKiller, select Rename. Type something like 123myname and press Enter. Double click it and follow the prompts.

3. Download Malwarebytes Anti-malware. Install and perform a scan and let it remove what it found. Reboot afterwards (important).

What is AVSuite.exe, How to remove AVSuite.exe

Monday, June 28th, 2010

AVSuite.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: AVSuite
Filename: AVSuite.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | AVSuite

Command: C:\Program Files\AV Security Suite Basic\AVSuite.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [AVSuite] C:\Program Files\AV Security Suite Basic\AVSuite.exe /tray

DDS Line:

uRun: [AVSuite] C:\Program Files\AV Security Suite Basic\AVSuite.exe /tray

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“AVSuite”=C:\Program Files\AV Security Suite Basic\AVSuite.exe /tray

Description: component of rogue antispyware program called AV Security Suite Basic

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is dsoqq.exe, How to remove dsoqq.exe

Thursday, June 24th, 2010

dsoqq.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: dsoqq
Filename: dsoqq.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | dso32

Command: %Temp%\dsoqq.exe
Startup Type: HKCU->Run
HijackThis Category: O4

O4 – HKCU\..\Run: [dso32] %Temp%\dsoqq.exe

DDS Line:

uRun: [dso32] %Temp%\dsoqq.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“dso32″=%Temp%\dsoqq.exe

Description: autorun.inf trojan, a component of Infostealer.Gampass [Symantec], Worm.Win32.AutoRun.bijz [Kaspersky Lab], Win-Trojan/Onlinegamehack.114688.L [AhnLab]

How to remove: use these autorun.inf trojans removal instructions

What is cgaqyi.exe, How to remove cgaqyi.exe

Thursday, June 24th, 2010

cgaqyi.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: cgaqyi
Filename: cgaqyi.exe
Command: c:\cgaqyi.exe
Startup Type: autorun.inf
Notes: a trojan that uses autorun.inf file to run itself

How to remove: use the autorun.inf trojan removal instructions

What is EBUNWVLUMV, How to remove EBUNWVLUMV

Wednesday, June 23rd, 2010

EBUNWVLUMV is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | EBUNWVLUMV

Command: %Temp%\{random}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [EBUNWVLUMV] C:\Users\username\AppData\Local\Temp\Mrh.exe

DDS Line:

uRun: [EBUNWVLUMV] C:\Users\username\AppData\Local\Temp\Mrh.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“EBUNWVLUMV″=C:\Users\username\AppData\Local\Temp\Mrh.exe

Description: trojan FakeAlert, also known as Mal/FakeAV-CX [Sophos]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“EBUNWVLUMV”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install and perform a scan.

What is nettir32.exe, How to remove nettir32.exe

Thursday, June 17th, 2010

nettir32.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: nettir32
Filename: nettir32.exe
Command: %userProfile%\start menu\programs\startup\nettir32.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:

O4 – Startup: nettir32.exe

DDS Line:

StartupFolder: c:\documents and settings\user\start menu\programs\startup\nettir32.exe

Combofix/RSIT Line:

C:\Documents and Settings\user\Start Menu\Programs\Startup
nettir32.exe

Description: trojan

How to remove: use HijackThis + Kaspersky virus removal tool

What is Siszpe32.exe, How to remove Siszpe32.exe

Tuesday, June 15th, 2010

Siszpe32.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: Siszpe32
Filename: Siszpe32.exe
Command: %userProfile%\start menu\programs\startup\siszyd32.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:

O4 – Startup: siszpe32.exe

DDS Line:

StartupFolder: c:\documents and settings\user\start menu\programs\startup\Siszpe32.exe

Combofix/RSIT Line:

C:\Documents and Settings\user\Start Menu\Programs\Startup
Siszpe32.exe

Description: trojan

How to remove: use HijackThis + Kaspersky virus removal tool or the steps below.

What is defcnt.exe, How to remove defcnt.exe

Saturday, June 12th, 2010

defcnt.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: defcnt
Filename: defcnt.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Defense Center

Command: C:\Program Files\Defense Center\defcnt.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Defense Center] “C:\Program Files\Defense Center\defcnt.exe” -noscan

DDS Line:

uRun: [Defense Center] C:\Program Files\Defense Center\defcnt.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Defense Center”=C:\Program Files\Defense Center\defcnt.exe

Description: core component of Defense Center. Defense Center is a rogue antispyware program.

How to remove: use these Defense Center removal guide or the steps below.

1. Download fix.zip from here, unzip it. Double Click fix.reg and click YES for confirm.

2. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Defense Center”=-

:files
C:\Program Files\Defense Center

Click the red Moveit! button. Close OTM.

3. Download TDSSKiller from here and unzip to your desktop. Open tdsskiller folder and right click to TDSSKiller, select Rename. Type something like 123myname and press Enter. Double click it and follow the prompts.

4. Download Malwarebytes Anti-malware. Install and perform a scan and let it remove what it found. Reboot afterwards (important).