Archive for the 'Malware' Category

What is dfmcd21.dll, How to remove dfmcd21.dll

Monday, July 26th, 2010

dfmcd21.dll is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: dfmcd21
Filename: dfmcd21.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0098EFCC-12D6-4B0C-B566-E133F6B4941B}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{77D30FCF-771E-4EF4-9DCD-69056CA0B517}

Command: C:\WINDOWS\system32\dfmcd21.dll
CLSID: {0098EFCC-12D6-4B0C-B566-E133F6B4941B}, {77D30FCF-771E-4EF4-9DCD-69056CA0B517}
Startup Type: BHO, Microsoft active setup
HijackThis Category: O2
HijackThis Line:

O2 - BHO: - {0098EFCC-12D6-4B0C-B566-E133F6B4941B} - C:\WINDOWS\system32\dfmcd21.dll

DDS Line:

BHO: : {0098EFCC-12D6-4B0C-B566-E133F6B4941B} - C:\WINDOWS\system32\dfmcd21.dll
mASetup: {77D30FCF-771E-4EF4-9DCD-69056CA0B517} - C:\WINDOWS\system32\dfmcd21.dll

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0098EFCC-12D6-4B0C-B566-E133F6B4941B}]
2010-07-14 07:39:17 51200 ----a-w- C:\WINDOWS\system32\dfmcd21.dll
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{77D30FCF-771E-4EF4-9DCD-69056CA0B517}]
2010-07-14 07:39:17 51200 ----a-w- C:\WINDOWS\system32\dfmcd21.dll

Description: malware

How to remove: use the steps below.

1. Download OTM by OldTimer from here and save it to your desktop.
Run OTM, then copy and paste the following text into the “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0098EFCC-12D6-4B0C-B566-E133F6B4941B}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{77D30FCF-771E-4EF4-9DCD-69056CA0B517}]

:files
%WinDir%\system32\dfmcd21.dll

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine, choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is drwat32.exe, How to remove drwat32.exe

Wednesday, May 19th, 2010

drwat32.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: drwat32
Filename: drwat32.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Dr.Watson

Command: %WinDir%\system32\drwat32.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Policies\Explorer\Run: [Dr.Watson] C:\WINDOWS\system32\drwat32.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Dr.Watson"=C:\WINDOWS\system32\drwat32.exe

Description: malware

How to remove: use HijackThis + Malwarebytes' Anti-malware + Kaspersky virus removal tool

What is microsft.exe, How to remove microsft.exe

Friday, March 5th, 2010

microsft.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: microsft
Filename: microsft.exe
Registry key:

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C77088EB-52B1-173B-F6D5-36B5619926BD}

Command: %Program Files%\whyu\microsft.exe
CLSID: {C77088EB-52B1-173B-F6D5-36B5619926BD}
Startup Type: Microsoft active setup
DDS Line:

mASetup: {C77088EB-52B1-173B-F6D5-36B5619926BD} - C:\Program Files\whyu\microsft.exe s

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C77088EB-52B1-173B-F6D5-36B5619926BD}]
C:\Program Files\whyu\microsft.exe s

Description: malware also known as Mal/VB-Z [Sophos]

How to remove: Registry editor + Kaspersky virus removal tool

What is apocalyps32.exe, How to remove apocalyps32.exe

Saturday, January 9th, 2010

apocalyps32.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: apocalyps32
Filename: apocalyps32.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | apocalyps32

Command: C:\Windows\apocalyps32.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [apocalyps32] C:\Windows\apocalyps32.exe

DDS Line:

mRun: [apocalyps32] C:\Windows\apocalyps32.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"apocalyps32"=C:\Windows\apocalyps32.exe

Description: malware also known as Mal/Behav-328, Mal/Dropper-G, Mal/Behav-053 [Sophos]

How to remove: use HijackThis + Kaspersky virus removal tool

PrestoTuneUp – PrestoTuneUp.exe – Presto Tuneup scareware

Sunday, May 31st, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: PrestoTuneUp
Filename: PrestoTuneUp.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Presto TuneUp

Command: C:\Documents and Settings\All Users\Application Data\b1529a0\PrestoTuneUp.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [Presto TuneUp] "C:\Documents and Settings\All Users\Application Data\b1529a0\PrestoTuneUp.exe" /s /d

Description: Presto Tuneup is a scareware program that uses false system errors to trick you into buying the software.

How to remove: use Malwarebytes Antimalware

diarprof.exe is malware

Friday, March 13th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: diarprof
Filename: diarprof.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [bo0pRSZ3e] diarprof.exe

Description: Unknown malware component

How to remove: Use HijackThis

distus40.exe is malware

Friday, March 13th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: distus40
Filename: distus40.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [qFrf32V] distus40.exe

Description: Unknown malware component

How to remove: Use HijackThis

xivop.exe is malware

Saturday, February 28th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: xivop
Filename: xivop.exe
Command: C:\WINDOWS\xivop.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [xivop] C:\WINDOWS\xivop.exe

Description: component of unknown malware

How to remove: Use HijackThis

qwbqgkxr.exe is malware

Saturday, February 28th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: qwbqgkxr
Filename: qwbqgkxr.exe
Command: C:\WINDOWS\qwbqgkxr.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [MaG78PfJs] C:\WINDOWS\qwbqgkxr.exe

Description: component of unknown malware

How to remove: Use HijackThis

BHO module {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} is part of SPYW_IMISERV.C

Saturday, February 28th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

CLSID: {69135BDE-5FDC-4B61-98AA-82AD2091BCCC}
Startup Type: BHO
HijackThis Category: O2
HijackThis Line:

O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)

Combofix/RSIT Line:
Description: part of SPYW_IMISERV.C, looks here

How to remove: Use HijackThis