Archive for the 'Trojan' Category

What is klmdb.sys, How to remove klmdb.sys

Thursday, May 20th, 2010

klmdb.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: klmdb
Filename: klmdb.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys

Command: C:\WINDOWS\system32\drivers\klmdb.sys
Startup Type: Driver
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]
S4 klmdb;klmdb; C:\WINDOWS\system32\drivers\klmdb.sys [2010-05-14 36488]

Description: trojan-rootkit

How to remove: use Malwarebytes' Anti-Malware + Kaspersky Virus Removal Tool, or follow the manual instructions below.

Download Avenger from here and unzip it to your desktop. Run Avenger, then copy and paste the following text into the Input script box:
Drivers to delete:
klmdb

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys

Files to delete:
C:\WINDOWS\system32\drivers\klmdb.sys

Then click on 'Execute'.

What is srnh.lto, How to remove srnh.lto

Wednesday, May 19th, 2010

srnh.lto is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: srnh
Filename: srnh.lto
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe rundll32.exe srnh.lto iqfnr
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe srnh.lto iqfnr

Description: component of Win32/Oficla trojan

How to remove: use HijackThis + Malwarebytes' Anti-Malware

What is wwwzuc32.exe, How to remove wwwzuc32.exe

Thursday, May 13th, 2010

wwwzuc32.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: wwwzuc32
Filename: wwwzuc32.exe
Command: %UserProfile%\start menu\programs\startup\wwwzuc32.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:

O4 - Startup: wwwzuc32.exe

DDS Line:

StartupFolder: c:\documents and settings\user\start menu\programs\startup\wwwzuc32.exe

Combofix/RSIT Line:

C:\Documents and Settings\user\Start Menu\Programs\Startup
wwwzuc32.exe

Description: trojan downloader

How to remove: use HijackThis + Malwarebytes' Anti-Malware + Kaspersky Virus Removal Tool

What is QZAIB7KITK, How to remove QZAIB7KITK

Thursday, April 29th, 2010

QZAIB7KITK is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: {random}
Filename: {random}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | QZAIB7KITK

Command: %Temp%\{random}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [QZAIB7KITK] C:\DOCUME~1\user\LOCALS~1\Temp\Qfn.exe

DDS Line:

uRun: [QZAIB7KITK] C:\DOCUME~1\user\LOCALS~1\Temp\Qfn.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QZAIB7KITK"=C:\DOCUME~1\user\LOCALS~1\Temp\Qfn.exe

Description: a trojan, also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Trojan-Downloader.Win32.Renos [Ikarus], Win-Trojan/Fakeav.164352.AL [AhnLab]

How to remove: use HijackThis + Malwarebytes' Anti-Malware

What is sysmon64x.exe, How to remove sysmon64x.exe

Wednesday, April 28th, 2010

sysmon64x.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: sysmon64x
Filename: sysmon64x.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | sysmon64x.exe

Command: %Temp%\sysmon64x.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [sysmon64x.exe] C:\DOCUME~1\user\LOCALS~1\Temp\sysmon64x.exe

DDS Line:

uRun: [sysmon64x.exe] C:\DOCUME~1\user\LOCALS~1\Temp\sysmon64x.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sysmon64x.exe"=C:\DOCUME~1\user\LOCALS~1\Temp\sysmon64x.exe

Description: a FakeAlert trojan installed together with Digital Protection. Digital Protection is a rogue antispyware program.

How to remove: use these Digital Protection removal instructions.

What is forcedos64.exe, How to remove forcedos64.exe

Friday, April 23rd, 2010

forcedos64.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: forcedos64
Filename: forcedos64.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | forcedos64.exe

Command: %Temp%\forcedos64.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [forcedos64.exe] C:\DOCUME~1\Gemma\LOCALS~1\Temp\forcedos64.exe

DDS Line:

uRun: [forcedos64.exe] C:\DOCUME~1\comp\LOCALS~1\Temp\forcedos64.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"forcedos64.exe"=C:\DOCUME~1\comp\LOCALS~1\Temp\forcedos64.exe

Description: a FakeAlert trojan installed together with Digital Protection. Digital Protection is a rogue antispyware program.

How to remove: use these Digital Protection removal instructions.

What is newupdate1142C.exe, How to remove newupdate1142C.exe

Wednesday, April 21st, 2010

newupdate1142C.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: newupdate1142C
Filename: newupdate1142C.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | newupdate1142C.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | newupdate1142c .exe

Command:

C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe
c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe

Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [newupdate1142C.exe] C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe
O4 - HKCU\..\Run: [newupdate1142c .exe] c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe

DDS Line:

uRun: [newupdate1142C.exe] C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe
uRun: [newupdate1142c .exe] c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"newupdate1142C.exe"=C:\Documents and Settings\user\Application Data\961E5EF4A7D6693D789C1E7488D08864\newupdate1142C.exe [2010-04-19 31232]
"newupdate1142c .exe"=c:\documents and settings\user\application data\961e5ef4a7d6693d789c1e7488d08864\newupdate1142c .exe [2010-04-19 31232]

Description: a trojan

How to remove: use HijackThis + Malwarebytes' Anti-Malware + Kaspersky Virus Removal Tool

What is geurge.exe, How to remove geurge.exe

Wednesday, April 21st, 2010

geurge.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: geurge
Filename: geurge.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ewrgetuj

Command: %Temp%\geurge.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [ewrgetuj] C:\DOCUME~1\user\LOCALS~1\Temp\geurge.exe

DDS Line:

mRun: [ewrgetuj] C:\DOCUME~1\user\LOCALS~1\Temp\geurge.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ewrgetuj"=C:\DOCUME~1\user\LOCALS~1\Temp\geurge.exe

Description: a trojan

How to remove: use HijackThis + Malwarebytes' Anti-Malware + Kaspersky Virus Removal Tool

What is hspe.uvo, How to remove hspe.uvo

Wednesday, April 21st, 2010

hspe.uvo is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: hspe
Filename: hspe.uvo
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe, rundll32.exe hspe.uvo bnjpid
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 - REG:system.ini: Shell=Explorer.exe, rundll32.exe hspe.uvo bnjpid

Description: component of a trojan, also known as Backdoor.Bredolab [PCTools], Mal/EncPk-NS, Mal/FakeAV-BW, Mal/FakeAV-DF, Mal/FakeAV-BW [Sophos]; packed with PE_Patch.UPX [Kaspersky Lab]

How to remove: use HijackThis + Malwarebytes' Anti-Malware

What is app_dll.dll, How to remove app_dll.dll

Monday, April 19th, 2010

app_dll.dll is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, ask us for help in the Spyware removal forum.

Name: app_dll
Filename: C:\Windows\System32\app_dll.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS

Startup Type: AppInit DLLs
HijackThis Category: O20
HijackThis Line:

O20 - AppInit_DLLs: app_dll.dll

DDS Line:

AppInit_DLLs: app_dll.dll

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\app_dll.dll"

Description: a trojan, also known as Trojan.Win32.Vilsel.rqn [Kaspersky Lab], Mal/Generic-A [Sophos]

How to remove: use HijackThis + Malwarebytes' Anti-Malware