What is svc.exe, How to remove svc.exe

July 25th, 2010 Driver, Trojan

svc.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: svc
Filename: svc.exe
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetLog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETLOG

Command: %WinDir%\svc.exe
Startup Type: Driver
DDS/Combofix/RSIT Line Line:

R3 NetLog;NetLog;c:\windows\svc.exe

Description: trojan also known as Suspicious.MH690 [Symantec], New Malware.n [McAfee], Mal/EncPk-BW, Mal/EncPk-BW [Sophos], Trojan-Banker.Win32.Banker [Ikarus], Packed/Upack [AhnLab], packed with UPack [Kaspersky Lab]
Notes: installed with l84alx.exe, msgciutr.dll, wmiprves

How to remove: use the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:services
NetLog

:reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
“tcyz46″=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“tghlig”=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“wmiprves”=-

:files
C:\WINDOWS\system32\msgciutr.dll

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is wmiprves, How to remove wmiprves

July 25th, 2010 O4, Run, Trojan

wmiprves is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM}.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | wmiprves

Command: %Temp%\{RANDOM}.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [wmiprves] C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

DDS Line:

mRun: [wmiprves] C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“wmiprves”=C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

Description: trojan that also known as Trojan-Downloader.Win32.Murlo.gvs [Kaspersky Lab], Virus.Win32.Delf.HTI [Ikarus]
Notes: installed with l84alx.exe, msgciutr.dll

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

What is msgciutr.dll, How to remove msgciutr.dll

July 25th, 2010 O4, Run, Trojan

msgciutr.dll is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: msgciutr
Filename: msgciutr.dll
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | tghlig

Command: RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [tghlig] RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

DDS Line:

mRun: [tghlig] RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“tghlig”=RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

Description: trojan that also known as Trojan-PSW.Wowcraft [PCTools], Infostealer.Wowcraft [Symantec], Trojan-GameThief.Win32.WOW.abah [Kaspersky Lab], Mal/Behav-170 [Sophos], PWS:Win32/Frethog.MK [Microsoft], PWS.Win32 [Ikarus], Win-Trojan/Onlinegamehack.36865.EI [AhnLab]
Notes: installed with l84alx.exe

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

What is l84alx.exe, How to remove l84alx.exe

July 25th, 2010 O4, Policies\Explorer\Run, Trojan

l84alx.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: l84alx
Filename: l84alx.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tcyz46

Command: %Temp%\l84alx.exe
Startup Type: HKLM->Policies\Explorer\Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Policies\Explorer\Run: [tcyz46] C:\DOCUME~1\User\LOCALS~1\Temp\l84alx.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
“tcyz46″=C:\DOCUME~1\User\LOCALS~1\Temp\l84alx.exe

Description: trojan also known as Trojan.Gen [PCTools], Trojan.Gen [Symantec], Backdoor.Win32.VB.lvn [Kaspersky Lab], Mal/VB-CF [Sophos], Trojan:Win32/Neop [Microsoft], Backdoor.Win32.VB [Ikarus]

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

What is W34BCG2GRJ, How to remove W34BCG2GRJ

July 23rd, 2010 O4, Run, Trojan

W34BCG2GRJ is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:5}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | W34BCG2GRJ

Command: C:\WINDOWS\Ycupia.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [W34BCG2GRJ] C:\WINDOWS\Ycupia.exe

DDS Line:

uRun: [W34BCG2GRJ] C:\WINDOWS\Ycupia.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“W34BCG2GRJ”=C:\WINDOWS\Ycupia.exe

Description: Trojan.Win32.Monder.djia [Kaspersky Lab], Gen.Variant [Ikarus]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“W34BCG2GRJ”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antispymv.com, How to remove antispymv.com

July 22nd, 2010 Browser hijacker

antispymv.com is a malicious website

remove The site was created to spread Antivir Solution Pro. If your browser is redirected to antispymv.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.200
Site addess: antispymv.com
Description: antispymv.com is not related with legitimate security company and can only be seen on infected computers. The site used to promote the rogue antispyware program called Antivir Solution Pro.

How to remove: use these antispymv.com removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Antiviractive.net, How to remove Antiviractive.net

July 22nd, 2010 Browser hijacker

Antiviractive.net is a malicious website

remove The site was created to spread Antivir Solution Pro. If your browser is redirected to Antiviractive.net, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 91.216.73.5
Site addess: Antiviractive.net
Description: Antiviractive.net is not related with legit security company and can only be seen on infected computers. The site used to promote the rogue antispyware program called Antivir Solution Pro.

How to remove: use these Antiviractive.net removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antispysp.com, How to remove antispysp.com

July 21st, 2010 Browser hijacker

antispysp.com is a malicious website

remove The site was created to spread Antivir Solution Pro. If your browser is redirected to antispysp.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.200
Site addess: antispysp.com
Description: antispysp.com is not related with legitimate security company and can only be seen on infected computers. The site used to promote the rogue antispyware program called Antivir Solution Pro.

How to remove: use these antispysp.com removal guide or the instructions below in order to remove this infection.

1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!! If you can`t download HijackThis, then: a) boot your PC in Safe mode with networking and try once again; b) reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is JDK5SWFMZY, How to remove JDK5SWFMZY

July 19th, 2010 O4, Run, Trojan

JDK5SWFMZY is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:3}.exe, example: Ipa.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | JDK5SWFMZY

Command: %Temp%\{random:3}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [JDK5SWFMZY] C:\DOCUME~1\username\LOCALS~1\Temp\Ipa.exe

DDS Line:

uRun: [JDK5SWFMZY] C:\DOCUME~1\username\LOCALS~1\Temp\Ipa.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“JDK5SWFMZY”=C:\DOCUME~1\username\LOCALS~1\Temp\Ipa.exe

Description: trojan FakeAlert, also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“JDK5SWFMZY”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Antispybox.com, How to remove Antispybox.com

July 18th, 2010 Rogue Antispyware/Antivirus

Antispybox.com is a malicious website

remove The site was created to spread Antivir Solution Pro. If your browser is redirected to Antispybox.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.200
Site addess: Antispybox.com
Description: Antispybox.com is not related with legitimate security company and can only be seen on infected computers. The site used to promote the rogue antispyware program called Antivir Solution Pro.

How to remove: use these Antivir Solution Pro removal instructions in order to remove this infection.