What is sdra64.exe, How to remove sdra64.exe

January 17th, 2010 F2, Trojan, Winlogon\UserInit

sdra64.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: sdra64
Filename: sdra64.exe
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit

Command: C:\WINDOWS\system32\sdra64.exe
Startup Type: Winlogon\UserInit
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

Description: core component of trojan ZBot also known as Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab], PWS:Win32/Zbot.gen!R [Microsoft], Mal/Zbot-O [Sophos], Infostealer.Banker.C [Symantec]

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is winIogon.exe, How to remove winIogon.exe

January 17th, 2010 O4, Run, RunServices, Trojan

winIogon.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: winIogon
Filename: winIogon.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft System Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Microsoft System Service
HKEY_CURRENT_USER\Software\Microsoft\OLE | Microsoft System Service

Command: C:\Windows\System32\winIogon.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [Microsoft System Service] winIogon.exe

DDS Line:

mRun: [Microsoft System Service] winIogon.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“Microsoft System Service”=winIogon.exe

Description: trojan also known as W32/Virut.gen.a [McAfee], Backdoor:Win32/Poebot.gen [Microsoft], W32.IRCBot [Symantec], PE_VIRUT.AV [Trend Micro], W32.Virut.W [Symantec]

How to remove: use HijackThis + Kaspersky virus removal tool

What is freddy81.exe, How to remove freddy81.exe

January 17th, 2010 O4, Run, Worm

freddy81.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: freddy81
Filename: freddy81.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray

Command: C:\windows\freddy81.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [sysfbtray] C:\windows\freddy81.exe

DDS Line:

Run: [sysfbtray] C:\windows\freddy81.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“sysfbtray”=C:\windows\freddy81.exe

Description: component of koobface worm

How to remove: use these koobface removal instructions.

What is winhlp64.exe, How to remove winhlp64.exe

January 16th, 2010 Trojan

winhlp64.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: winhlp64
Filename: winhlp64.exe
Command: %UserProfile%\Temp\winhlp64.exe
Description: component of trojan FakeAlert. This is installed with cls_pack.exe.

How to remove: use these winhlp64.exe removal instructions.

What is cls_pack.exe, How to remove cls_pack.exe

January 16th, 2010 O4, Run, Trojan

cls_pack.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: cls_pack
Filename: cls_pack.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | cls_pack.exe

Command: %UserProfile%\temp\cls_pack.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [cls_pack.exe] C:\DOCUME~1\user\LOCALS~1\Temp\cls_pack.exe

DDS Line:

uRun: [cls_pack.exe] c:\dokume~1\user\lokale~1\temp\cls_pack.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“cls_pack.exe”=c:\dokume~1\user\lokale~1\temp\cls_pack.exe

Description: component of trojan FakeAlert

How to remove: use these cls_pack.exe removal instructions.

What is freddy80.exe, How to remove freddy80.exe

January 16th, 2010 O4, Run, Worm

freddy80.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: freddy80
Filename: freddy80.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray

Command: C:\windows\freddy80.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [sysfbtray] C:\windows\freddy80.exe

DDS Line:

mRun: [sysfbtray] C:\windows\freddy80.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“sysfbtray”=C:\windows\freddy80.exe

Description: part of Koobface worm

How to remove: use these Koobface removal instructions.

What is rarype32.exe, How to remove rarype32.exe

January 16th, 2010 O4, Startup folder, Trojan

rarype32.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: rarype32
Filename: rarype32.exe
Command: %userProfile%\start menu\programs\startup\rarype32.exe
Startup Type: O4
HijackThis Category:
HijackThis Line:

O4 – Startup: rarype32.exe

DDS Line:

StartupFolder: c:\documents and settings\user\start menu\programs\startup\rarype32.exe

Combofix/RSIT Line:

C:\Documents and Settings\user\Start Menu\Programs\Startup
rarype32.exe

Description: trojan also known as Mal/Bredo-A [Sophos]

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

What is DefendAPc.exe, How to remove DefendAPc.exe

January 16th, 2010 O4, Rogue Antispyware/Antivirus, Run

DefendAPc.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: DefendAPc
Filename: DefendAPc.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | DefendAPc

Command: C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [DefendAPc] C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe

DDS Line:

mRun: [DefendAPc] C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“DefendAPc”=C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe

Description: core component of DefendAPc. DefendAPc is a rogue antispyware program.

How to remove: use these DefendAPc removal instructions.

What is sshnas21.dll, How to remove sshnas21.dll

January 14th, 2010 O4, Service, Trojan

sshnas21.dll is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: sshnas21
Filename: sshnas21.dll
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | LosAlamos
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Canaveral
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS

Command: C:\Windows\System32\sshnas21.dll
Startup Type: Service
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas21.dll,DllWork
O4 – HKCU\..\Run: [Canaveral] rundll32.exe C:\Users\username\AppData\Local\Temp\sshnas21.dll,BackupReadW

Combofix/RSIT Line:

S2 SSHNAS;SSHNAS; C:\WINDOWS\system32\svchost.exe

Description: this is a new version of sshnas.dll trojan (trojan FakeAlert)

How to remove: use these sshnas.dll removal instructions.

What is GhostAV.exe, How to remove GhostAV.exe

January 13th, 2010 O4, Rogue Antispyware/Antivirus, Run

GhostAV.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: GhostAV
Filename: GhostAV.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Ghost Antivirus

Command: c:\program files\Ghost Antivirus\GhostAV.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [Ghost Antivirus] “c:\program files\Ghost Antivirus\GhostAV.exe” /s

DDS Line:

uRun: [Ghost Antivirus] “c:\program files\ghost antivirus\GhostAV.exe” /s

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Ghost Antivirus”=c:\program files\Ghost Antivirus\GhostAV.exe [2010-01-10 1608192]

Description: core component of Ghost Antivirus. Ghost Antivirus is a rogue antispyware program.

How to remove: use these Ghost Antivirus removal instructions.