December 3rd, 2009 O4, Run, Virus
reader_s.exe is a harmful program.
Name: reader_s
Filename: reader_s.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | reader_s
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | reader_s
Command:
%WinDir%\System32\reader_s.exe
%UserProfile%\reader_s.exe
Startup Type: O4
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\user\reader_s.exe
DDS Line:
mRun: [reader_s] C:\WINDOWS\System32\reader_s.exe
uRun: [reader_s] C:\Documents and Settings\user\reader_s.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=C:\WINDOWS\System32\reader_s.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=C:\Documents and Settings\user\reader_s.exe
Description: component of Virut virus also known as W32.Virut.CF [Symantec], W32/Scribble-B [Sophos], Virus.Win32.Virut.ce [Kaspersky Lab], Virus:Win32/Virut.BM [Microsoft], W32/Virut.n.gen [McAfee]
How to remove: use Kaspersky virus removal tool + Dr.Web CureIt
December 3rd, 2009 Trojan
msa.exe is a harmful program.
Name: msa
Filename: msa.exe
Command: C:\WINDOWS\msa.exe
Description: component of trojan FakeAlert
How to remove: use these trojan FakeAlert removal instructions.
December 3rd, 2009 Filter, O18, Trojan
mark_32.dll is a harmful program.
Name: mark_32
Filename: mark_32.dll
Command: C:\WINDOWS\mark_32.dll
CLSID: {7052b010-2d0f-459e-bf1b-0903f09c1836}
Startup Type: Filter
HijackThis Category: O18
HijackThis Line:
O18 - Filter hijack: text/html - {7052b010-2d0f-459e-bf1b-0903f09c1836} - C:\WINDOWS\mark_32.dll
Description: a trojan that is installed with rogue antispyware programs
How to remove: use HijackThis + Malwarebytes' Anti-Malware
December 3rd, 2009 O4, Trojan, Winlogon\TaskMan
winssled.exe is a harmful program.
Name: winssled
Filename: winssled.exe
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Taskman
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | shccde
Command: C:\Windows\winssled.exe
Startup Type: HKCU->Run, Winlogon\TaskMan
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [shccde] C:\Windows\winssled.exe
DDS Line:
uRun: [shccde] C:\Windows\winssled.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"shccde"=C:\Windows\winssled.exe
Description: a trojan also known as Malware.Virut [PCTools], W32.Virut.CF [Symantec], Trojan.Win32.Buzus.cqmu [Kaspersky Lab], Trojan:Win32/Lethic.B [Microsoft]
How to remove: use HijackThis + Kaspersky virus removal tool
December 3rd, 2009 O4, Rogue Antispyware/Antivirus, Run
AntiKeep.exe is a harmful program.
Name: AntiKeep
Filename: AntiKeep.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | AntiKeep.exe
Command: C:\Program Files\AntiKeep Software\AntiKeep\AntiKeep.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [AntiKeep.exe] C:\Program Files\AntiKeep Software\AntiKeep\AntiKeep.exe
DDS Line:
uRun: [AntiKeep.exe] C:\Program Files\AntiKeep Software\AntiKeep\AntiKeep.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AntiKeep.exe"=C:\Program Files\AntiKeep Software\AntiKeep\AntiKeep.exe [2009-12-03 1638400]
Description: core component of AntiKeep. AntiKeep is a rogue antispyware program.
How to remove: use these AntiKeep removal instructions.
December 2nd, 2009 O21, ShellServiceObjectDelayLoad, Trojan
inetprovider.dll is a harmful program.
Name: inetprovider
Filename: inetprovider.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | InternetProvider
Command: C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
CLSID: {76377D16-FC8D-4505-B8E1-237EA19C401A}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: InternetProvider - {76377D16-FC8D-4505-B8E1-237EA19C401A} - C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
DDS Line:
SSODL: InternetProvider - {76377D16-FC8D-4505-B8E1-237EA19C401A} - C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
InternetProvider - {76377D16-FC8D-4505-B8E1-237EA19C401A} - C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll
Description: trojan that is installed with Personal Protector. Personal Protector is a rogue antispyware program.
How to remove: use HijackThis + these Personal Protector removal instructions.
December 2nd, 2009 O21, ShellServiceObjectDelayLoad, Trojan
swupdate.dll is a harmful program.
Name: swupdate
Filename: swupdate.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | SwUpdate
Command: C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
CLSID: {009541A0-3B00-1F1C-00F3-040224001C01}
Startup Type: ShellServiceObjectDelayLoad
HijackThis Category: O21
HijackThis Line:
O21 - SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
DDS Line:
SSODL: SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
SwUpdate - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\swupdate.dll
Description: trojan AdClick
How to remove: use HijackThis + Malwarebytes' Anti-Malware
December 1st, 2009 O4, Startup folder, Trojan
algqeh32.exe is a harmful program.
Name: algqeh32
Filename: algqeh32.exe
Command: %UserProfile%\Start Menu\Programs\Startup\algqeh32.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:
O4 - Startup: algqeh32.exe
Combofix/RSIT Line:
C:\Documents and Settings\user\Start Menu\Programs\Startup
algqeh32.exe
Description: trojan
How to remove: use HijackThis + manually remove the file.
December 1st, 2009 BHO, O2, Rogue Antispyware/Antivirus
win32extension.dll is a harmful program.
Name: win32extension
Filename: win32extension.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
Command: C:\WINDOWS\system32\win32extension.dll
CLSID: {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
Startup Type: BHO
HijackThis Category: O2
HijackThis Line:
O2 - BHO: &Security Update - {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\WINDOWS\system32\win32extension.dll
DDS Line:
BHO: &Security Update: {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\WINDOWS\system32\win32extension.dll
RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}]
&Security Update - C:\WINDOWS\system32\win32extension.dll [2009-12-01 665088]
Description: component of Personal Security. Personal Security is a rogue antispyware program.
How to remove: use these Personal Security removal instructions.
December 1st, 2009 O4, Rogue Antispyware/Antivirus, Run
psecurity.exe is a harmful program.
Name: psecurity
Filename: psecurity.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | PSecurity
Command: C:\Program Files\PSecurity\psecurity.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [PSecurity] C:\Program Files\PSecurity\psecurity.exe
DDS Line:
uRun: [PSecurity] C:\Program Files\PSecurity\psecurity.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PSecurity"=C:\Program Files\PSecurity\psecurity.exe [2009-12-01 1268224]
Description: core component of Personal Security. Personal Security is a rogue antispyware program.
How to remove: use these Personal Security removal instructions.