January 12th, 2010 O4, Rogue Antispyware/Antivirus, Run
SysDefenders.exe is a harmful program.
Name: SysDefenders
Filename: SysDefenders.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | SysDefenders
Command: C:\Program Files\SysDefenders Software\SysDefenders\SysDefenders.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [SysDefenders] C:\Program Files\SysDefenders Software\SysDefenders\SysDefenders.exe
DDS Line:
mRun: [SysDefenders] C:\Program Files\SysDefenders Software\SysDefenders\SysDefenders.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysDefenders"=C:\Program Files\SysDefenders Software\SysDefenders\SysDefenders.exe
Description: core part of SysDefenders. SysDefenders is a rogue antispyware program.
How to remove: use these SysDefenders removal instructions.
January 10th, 2010 Driver, Rootkit, Trojan
ndisdrv.sys is a harmful program.
Name: ndisdrv
Filename: ndisdrv.sys
Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NDISDRV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ndisdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDISDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndisdrv
Command: c:\windows\system32\ndisdrv.sys
Startup Type: Driver
DDS/Combofix/RSIT Line:
S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys -> c:\windows\system32\ndisdrv.sys [?]
Description: trojan-rootkit also known as Mal/Rootkit-Q [Sophos]
How to remove:
Download OTM by OldTimer from here
Run OTM.
Copy, then paste the following text in the "Paste Instructions for Items to be Moved" window (under the yellow bar):
:services
ndisdrv
:files
c:\windows\system32\ndisdrv.sys
:Commands
[emptytemp]
[Reboot]
Click the red Moveit! button. When the tool is finished, it will produce a report for you.
Download and run Malwarebytes' Anti-Malware.
January 10th, 2010 AppCertDlls, Trojan
mshlps.dll is a harmful program.
Name: mshlps
Filename: mshlps.dll
Registry key|value:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls | AppSecDll = "C:\Windows\System32\mshlps.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls | AppSecDll = "C:\Windows\System32\mshlps.dll"
Command: %WinDir%\System32\mshlps.dll
Startup Type: AppCertDlls
Description: trojan also known as Trojan.Win32.Agent.deou [Kaspersky Lab]. It is installed together with the kbdsock.dll trojan.
How to remove: use Windows Registry editor + Kaspersky virus removal tool
January 10th, 2010 O4, Run, Trojan
kbdsock.dll is a harmful program.
Name: kbdsock
Filename: kbdsock.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS
Command: C:\WINDOWS\system32\kbdsock.dll
Startup Type: AppInit_DLLs
HijackThis Category: O20
HijackThis Line:
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
DDS Line:
AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\kbdsock.dll"
Description: trojan also known as Trojan.Win32.Agent.deot [Kaspersky Lab]
How to remove: use HijackThis + Kaspersky virus removal tool
January 9th, 2010 AppInit DLLs, O4, Trojan
PR19.DLL is a harmful program.
Name: PR19
Filename: PR19.DLL
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS
Command: C:\WINDOWS\system32\PR19.DLL
Startup Type: AppInit_Dlls
HijackThis Category: O20
HijackThis Line:
O20 - AppInit_DLLs: C:\WINDOWS\system32\PR19.DLL
DDS Line:
AppInit_DLLs: C:\WINDOWS\system32\PR19.DLL
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\PR19.DLL"
Description: trojan installed together with the adobemedia.exe trojan.
How to remove: use HijackThis + Kaspersky virus removal tool
January 9th, 2010 AppInit DLLs, O20, Trojan
PR15.DLL is a harmful program.
Name: PR15
Filename: PR15.DLL
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS
Command: C:\WINDOWS\system32\PR15.DLL
Startup Type: AppInit Dlls
HijackThis Category: O20
HijackThis Line:
O20 - AppInit_DLLs: C:\WINDOWS\system32\PR15.DLL
DDS Line:
AppInit_DLLs: C:\WINDOWS\system32\PR15.DLL
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\PR15.DLL"
Description: trojan installed together with the adobemedia.exe trojan.
How to remove: use HijackThis + Kaspersky virus removal tool
January 9th, 2010 O4, Run, Trojan
adobemedia.exe is a harmful program.
Name: adobemedia
Filename: adobemedia.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | adobemedia.exe
Command: C:\WINDOWS\system32\adobemedia.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [adobemedia.exe] C:\WINDOWS\system32\adobemedia.exe
DDS Line:
uRun: [adobemedia.exe] C:\WINDOWS\system32\adobemedia.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"adobemedia.exe"=C:\WINDOWS\system32\adobemedia.exe
Description: trojan
How to remove: use HijackThis + Kaspersky virus removal tool
January 9th, 2010 Malware, O4, Run
apocalyps32.exe is a harmful program.
Name: apocalyps32
Filename: apocalyps32.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | apocalyps32
Command: C:\Windows\apocalyps32.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [apocalyps32] C:\Windows\apocalyps32.exe
DDS Line:
mRun: [apocalyps32] C:\Windows\apocalyps32.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"apocalyps32"=C:\Windows\apocalyps32.exe
Description: malware also known as Mal/Behav-328, Mal/Dropper-G, Mal/Behav-053 [Sophos]
How to remove: use HijackThis + Kaspersky virus removal tool
January 9th, 2010 O4, Rogue Antispyware/Antivirus, Run
InSysSecure.exe is a harmful program.
Name: InSysSecure
Filename: InSysSecure.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | InSysSecure
Command: C:\Program Files\InSysSecure Software\InSysSecure\InSysSecure.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [InSysSecure] C:\Program Files\InSysSecure Software\InSysSecure\InSysSecure.exe
DDS Line:
mRun: [InSysSecure] C:\Program Files\InSysSecure Software\InSysSecure\InSysSecure.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"InSysSecure"=C:\Program Files\InSysSecure Software\InSysSecure\InSysSecure.exe
Description: core component of InSysSecure. InSysSecure is a rogue antispyware program.
How to remove: use these InSysSecure removal instructions.
January 8th, 2010 O4, Rogue Antispyware/Antivirus, Run
SysProtector.exe is a harmful program.
Name: SysProtector
Filename: SysProtector.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | SysProtector
Command: C:\Program Files\SysProtector Software\SysProtector\SysProtector.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [SysProtector] C:\Program Files\SysProtector Software\SysProtector\SysProtector.exe -min
DDS Line:
mRun: [SysProtector] C:\Program Files\SysProtector Software\SysProtector\SysProtector.exe -min
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysProtector"=C:\Program Files\SysProtector Software\SysProtector\SysProtector.exe -min
Description: core part of SysProtector. SysProtector is a rogue antispyware program.
How to remove: use these SysProtector removal instructions.