February 23rd, 2010 O4, Policies\Explorer\Run, Run, Worm
jjdrive32.exe is a harmful program.
Name: jjdrive32
Filename: jjdrive32.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Update Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | Microsoft Update Setup
Command: %Windir%\jjdrive32.exe
Startup Type: HKLM->Run, HKLM->Policies\Explorer\Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [Microsoft Update Setup] C:\Windows\jjdrive32.exe
O4 - HKLM\..\policies\Explorer\Run: [Microsoft Update Setup] C:\Windows\jjdrive32.exe
DDS Line:
mRun: [Microsoft Update Setup] C:\Windows\jjdrive32.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Setup"=C:\Windows\jjdrive32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Microsoft Update Setup"=C:\Windows\jjdrive32.exe
Description: worm, also detected as Net-Worm.Spybot [PCTools], W32.Spybot.Worm [Symantec], Net-Worm.Win32.Kolab.fem [Kaspersky Lab], W32/Kolab [McAfee], Mal/Generic-A [Sophos], Worm:Win32/Pushbot.OF [Microsoft]
How to remove: use HijackThis + Kaspersky virus removal tool
February 23rd, 2010 File associations, Rogue Antispyware/Antivirus
av.exe is a harmful program.
Name: av
Filename: av.exe
Registry key:
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CLASSES_ROOT\secfile
HKEY_CLASSES_ROOT\.exe\shell\open\command
Command: %Appdata%\av.exe
Description: core component of XP AntiSpyware 2010 / XP Antivirus Pro 2010. XP AntiSpyware 2010 and XP Antivirus Pro 2010 are two names of the same program, a rogue antispyware application.
How to remove: use these XP AntiSpyware 2010, XP Antivirus Pro 2010 removal instructions.
February 21st, 2010 O4, Policies\Explorer\Run, Trojan
spoo1sv.exe is a harmful program.
Name: spoo1sv
Filename: spoo1sv.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | spoo1sv
Startup Type: HKCU->Policies\Explorer\Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Policies\Explorer\Run: [spoo1sv] spoo1sv.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"spoo1sv"=spoo1sv.exe
Description: trojan
How to remove: use HijackThis + Malwarebytes' Anti-Malware
February 21st, 2010 O4, Startup folder, Trojan
monnid32.exe is a harmful program.
Name: monnid32
Filename: monnid32.exe
Command: %userProfile%\start menu\programs\startup\monnid32.exe
Startup Type: Startup Folder
HijackThis Category: O4
HijackThis Line:
O4 - S-1-5-18 Startup: monnid32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: monnid32.exe (User 'Default user')
O4 - Startup: monnid32.exe
DDS Line:
StartupFolder: c:\documents and settings\user\start menu\programs\startup\monnid32.exe
Combofix/RSIT Line:
C:\Documents and Settings\user\Start Menu\Programs\Startup
monnid32.exe
Description: Trojan.Bredolab
How to remove: use HijackThis + Malwarebytes' Anti-Malware
February 20th, 2010 O4, Rogue Antispyware/Antivirus, Run
Virus Protector is a harmful program.
Name: [RANDOM]
Filename: [RANDOM].exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Virus Protector
Command: [Path]\[RANDOM].exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [Virus Protector] [Path]\[RANDOM].exe
DDS Line:
uRun: [Virus Protector] [Path]\[RANDOM].exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Virus Protector"=[Path]\[RANDOM].exe
Description: component of Virus Protector. Virus Protector is a rogue antispyware program.
How to remove: use these Virus Protector removal instructions.
February 20th, 2010 F2, Rogue Antispyware/Antivirus, Winlogon\UserInit
Antispyware.exe is a harmful program.
Name: Antispyware.exe
Filename: Antispyware.exe
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit
Command: C:\Program Files\Def Group\PC Defender\Antispyware.exe
Startup Type: Winlogon\UserInit
HijackThis Category: F2
HijackThis Line:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\Antispyware.exe"
Description: core component of PC Defender. PC Defender is a rogue antispyware program.
How to remove: use these PC Defender removal instructions.
February 20th, 2010 O4, Rogue Antispyware/Antivirus, Run
Antimalware Doctor.exe is a harmful program.
Name: Antimalware Doctor
Filename: Antimalware Doctor.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Antimalware Doctor.exe
Command: C:\Windows\System32\Antimalware Doctor.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [Antimalware Doctor.exe] C:\Windows\System32\Antimalware Doctor.exe
DDS Line:
uRun: [Antimalware Doctor.exe] C:\Windows\System32\Antimalware Doctor.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Antimalware Doctor.exe"=C:\Windows\System32\Antimalware Doctor.exe
Description: core component of Antimalware Doctor. Antimalware Doctor is a rogue antispyware program.
How to remove: use these Antimalware Doctor removal instructions.
February 19th, 2010 O4, Run, Trojan
eventcreatexp.exe is a harmful program.
Name: eventcreatexp
Filename: eventcreatexp.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | eventcreatexp.exe
Command: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eventcreatexp.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [eventcreatexp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eventcreatexp.exe
DDS Line:
uRun: [eventcreatexp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eventcreatexp.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"eventcreatexp.exe"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eventcreatexp.exe
Description: FakeAlert trojan, installed together with Paladin Antivirus. Paladin Antivirus is a rogue antispyware program.
How to remove: use these Paladin Antivirus removal instructions.
February 16th, 2010 O4, Rogue Antispyware/Antivirus, Run
SysShield.exe is a harmful program.
Name: SysShield
Filename: SysShield.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Windows applications server
Command: C:\Program Files\Personal Anti Malware\SysShield.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [Windows applications server] C:\Program Files\Personal Anti Malware\SysShield.exe
DDS Line:
uRun: [Windows applications server] C:\Program Files\Personal Anti Malware\SysShield.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows applications server"=C:\Program Files\Personal Anti Malware\SysShield.exe
Description: trojan FakeAlert, component of Personal Anti Malware. Personal Anti Malware is a rogue antispyware program.
How to remove: use these Personal Anti Malware removal instructions.
February 16th, 2010 O4, Rogue Antispyware/Antivirus, Run
PAM.exe is a harmful program.
Name: PAM
Filename: PAM.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Personal Anti Malware
Command: C:\Program Files\Personal Anti Malware\PAM.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [Personal Anti Malware] C:\Program Files\Personal Anti Malware\PAM.exe
DDS Line:
uRun: [Personal Anti Malware] C:\Program Files\Personal Anti Malware\PAM.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Personal Anti Malware"=C:\Program Files\Personal Anti Malware\PAM.exe
Description: core component of Personal Anti Malware. Personal Anti Malware is a rogue antispyware program.
How to remove: use these Personal Anti Malware removal instructions.