Archive for the 'Startup Type' Category

What is esentutl64.exe, How to remove esentutl64.exe

Saturday, June 12th, 2010

esentutl64.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: esentutl64
Filename: esentutl64.exe
Registry key:

HKEY_CLASSES_ROOT\exefile\shell\open\command | @=”\”C:\DOCUME~1\user\LOCALS~1\Temp\esentutl64.exe\” /START \”%1\” %*”

Command: %Temp%\esentutl64.exe
Startup Type: File associations
Combofix/RSIT Line:

.exe – open – “C:\DOCUME~1\comp\LOCALS~1\Temp\esentutl64.exe” /START “%1” %*

Description: trojan FakeAlert that installed with Defense Center. Defense Center is a rogue (fake) antispyware program.

How to remove: use these Defense Center removal instructions or the steps below.

1. Download fix.zip from here, unzip it. Double Click fix.reg and click YES for confirm.

2. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Defense Center”=-

:files
C:\Program Files\Defense Center

Click the red Moveit! button. Close OTM.

3. Download TDSSKiller from here and unzip to your desktop. Open tdsskiller folder and right click to TDSSKiller, select Rename. Type something like 123myname and press Enter. Double click it and follow the prompts.

4. Download Malwarebytes Anti-malware. Install and perform a scan and let it remove what it found. Reboot afterwards (important).

What is setupupdater0000.exe, How to remove setupupdater0000.exe

Wednesday, June 9th, 2010

setupupdater0000.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: setupupdater0000
Filename: setupupdater0000.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | setupupdater0000.exe

Command: command
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [setupupdater0000.exe] C:\Users\user\AppData\Roaming\05E12D033EF62454BD6741DB6F0E6554\setupupdater0000.exe

DDS Line:

uRun: [setupupdater0000.exe] C:\Users\user\AppData\Roaming\05E12D033EF62454BD6741DB6F0E6554\setupupdater0000.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“setupupdater0000.exe”=C:\Users\user\AppData\Roaming\05E12D033EF62454BD6741DB6F0E6554\setupupdater0000.exe [2010-06-08 1066496]

Description: core component of Antimalware Doctor. Antimalware Doctor is a rogue antispyware program.

How to remove: use the Antimalware Doctor removal instructions or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“setupupdater0000.exe”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antispyware-guard.net, How to remove antispyware-guard.net

Wednesday, June 2nd, 2010

antispyware-guard.net is a malicious website

remove The site was created to spread Antispyware Soft. If your browser is redirected to antispyware-guard.net, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 91.216.73.50
Site addess: antispyware-guard.net
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

Description: antispyware-guard.net is not related with legitimate security company and can only be seen on infected computers. The site used to promote the rogue antispyware program called Antispyware Soft.

How to remove: use these Antispyware Soft removal instructions or the steps below in order to remove this infections.
1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!!
2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.
3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Antispy-guide.com, How to remove Antispy-guide.com

Wednesday, June 2nd, 2010

Antispy-guide.com is a malicious website

remove The site was created to spread Antispyware Soft. If your browser is redirected to Antispy-guide.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 188.65.74.166
Site addess: Antispy-guide.com
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

Description: Antispy-guide.com is not related with legit security company and can only be seen on infected computers. The site used to promote the rogue antispyware program called Antispyware Soft.

How to remove: use these Antispyware Soft removal instructions or the steps below in order to remove this infections.
1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!!
2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.
3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is mscdexnt.exe, How to remove mscdexnt.exe

Tuesday, June 1st, 2010

mscdexnt.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: mscdexnt
Filename: mscdexnt.exe
Registry key:

HKEY_CLASSES_ROOT\exefile\shell\open\command | @=”\”C:\DOCUME~1\user\LOCALS~1\Temp\mscdexnt.exe\” /START \”%1\” %*”

Command: %Temp%\mscdexnt.exe
Startup Type: File associations
Combofix/RSIT Line:

.exe – open – “C:\DOCUME~1\user\LOCALS~1\Temp\mscdexnt.exe” /START “%1” %*

Description: trojan FakeAlert that installed with Protection Center. Protection Center is a rogue (fake) antispyware program.

How to remove: use these Protection Center removal instructions or the steps below.

1. Download fix.zip from here, unzip it. Double Click fix.reg and click YES for confirm. Reboot your computer.

2. Download TDSSKiller from here and unzip to your desktop. Open tdsskiller folder and right click to TDSSKiller, select Rename. Type something like 123myname and press Enter. Double click it and follow the prompts.

3. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Protection Center”=-

:files
C:\Program Files\Protection Center

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

3. Download Malwarebytes Anti-malware. Install and perform a scan.

What is cntprot.exe, How to remove cntprot.exe

Tuesday, June 1st, 2010

cntprot.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: cntprot
Filename: cntprot.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Protection Center

Command: C:\Program Files\Protection Center\cntprot.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Protection Center] “C:\Program Files\Protection Center\cntprot.exe” -noscan

DDS Line:

uRun: [Protection Center] C:\Program Files\Protection Center\cntprot.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Protection Center”=C:\Program Files\Protection Center\cntprot.exe

Description: core component of Protection Center. Protection Center is a rogue antispyware program.

How to remove: use the Protection Center removal instructions or the steps below.

1. Download fix.zip from here, unzip it. Double Click fix.reg and click YES for confirm. Reboot your computer.

2. Download TDSSKiller from here and unzip to your desktop. Open tdsskiller folder and right click to TDSSKiller, select Rename. Type something like 123myname and press Enter. Double click it and follow the prompts.

3. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Protection Center”=-

:files
C:\Program Files\Protection Center

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Protection Center, How to remove Protection Center

Tuesday, June 1st, 2010

Protection Center is a malicious program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Threat Type: rogue antispyware
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Protection Center

Command: C:\Program Files\Protection Center\cntprot.exe
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Protection Center] “C:\Program Files\Protection Center\cntprot.exe” -noscan

DDS Line:

uRun: [Protection Center] C:\Program Files\Protection Center\cntprot.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Protection Center”=C:\Program Files\Protection Center\cntprot.exe

Description: Protection Center is a rogue antispyware program, which uses false scan results and fake security alerts as an attempt to trick you into buying full version of the software.

How to remove: use the Protection Center removal instructions or the steps below.

1. Download fix.zip from here, unzip it. Double Click fix.reg and click YES for confirm. Reboot your computer.

2. Download TDSSKiller from here and unzip to your desktop. Open tdsskiller folder and right click to TDSSKiller, select Rename. Type something like 123myname and press Enter. Double click it and follow the prompts.

3. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Protection Center”=-

:files
C:\Program Files\Protection Center

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

3. Download Malwarebytes Anti-malware. Install and perform a scan.

What is security-fortress.net, How to remove security-fortress.net

Thursday, May 27th, 2010

security-fortress.net is a malicious website

remove The site was created to spread Antispyware Soft. If your browser is redirected to security-fortress.net, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 91.216.73.48
Site addess: security-fortress.net
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

Description: security-fortress.net is not related with legit security company and can only be seen on infected computers. The site used to promote the rogue antispyware program called Antispyware Soft.

How to remove: use the Antispyware Soft removal instructions or the steps below.
1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!!
2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}tssd.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.
3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is ntuser_mssec.exe, How to remove ntuser_mssec.exe

Thursday, May 27th, 2010

ntuser_mssec.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ntuser_mssec
Filename: ntuser_mssec.exe
Command: %UserProfile%\start menu\programs\startup\ntuser_mssec.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:

O4 – Startup: ntuser_mssec.exe

DDS Line:

StartupFolder: c:\documents and settings\user\start menu\programs\startup\ntuser_mssec.exe

Combofix/RSIT Line:

C:\Documents and Settings\user\Start Menu\Programs\Startup
ntuser_mssec.exe

Description: trojan FakAlert also known as Mal/FakeAV-BT [Sophos], TrojanDownloader:Win32/Fakeinit [Microsoft], Trojan.FakeAV [Symantec], Trojan.FakeAV [PC Tools], Trojan-Downloader.Win32.FraudLoad.wxpn [Kaspersky Lab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.
1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:files
%UserProfile%\start menu\programs\startup\ntuser_mssec.exe

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is mcexecwin, How to remove mcexecwin

Wednesday, May 26th, 2010

mcexecwin is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random}.dll, Example: dqxpy3ww.dll
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | mcexecwin

Command: %Temp%\dqxpy3ww.dll (example: C:\Users\username\AppData\Local\Temp\dqxpy3ww.dll)
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [mcexecwin] rundll32.exe C:\Users\username\AppData\Local\Temp\dqxpy3ww.dll, RestoreWindows

DDS Line:

uRun: [mcexecwin] rundll32.exe C:\Users\username\AppData\Local\Temp\dqxpy3ww.dll, RestoreWindows

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“mcexecwin”=rundll32.exe C:\Users\username\AppData\Local\Temp\dqxpy3ww.dll, RestoreWindows

Description: component of trojan FakeAlert

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.
1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“mcexecwin”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).