What is winupdate86.exe, How to remove winupdate86.exe

November 20th, 2009 O4, Run, Trojan

winupdate86.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: winupdate86
Filename: winupdate86.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | winupdate86.exe

Command: C:\WINDOWS\system32\winupdate86.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe"=C:\WINDOWS\system32\winupdate86.exe

Description: trojan agent that is installed together with the winhelper86.dll and winlogon86.exe trojans and Advanced Virus Remover (a rogue antispyware program), and shows fake spyware alerts.

How to remove: use these winhelper86.dll, winupdate86.exe, winlogon86.exe removal instructions.

What is AVR.exe, How to remove AVR.exe

November 20th, 2009 O4, Rogue Antispyware/Antivirus, Run

AVR.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: AVR
Filename: AVR.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Advanced Virus Remover

Command: C:\Program Files\AdvancedVirusRemover\AVR.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\AVR.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced Virus Remover"=C:\Program Files\AdvancedVirusRemover\AVR.exe

Description: core part of Advanced Virus Remover. Advanced Virus Remover is a rogue anti-spyware program.

How to remove: use these Advanced Virus Remover removal instructions.

What is Winsecurepro2009.microsoft.com, How to remove Winsecurepro2009.microsoft.com

November 20th, 2009 O1

Winsecurepro2009.microsoft.com is a malicious website.

The site was created to spread Antivirus System Pro. If your browser is redirected to Winsecurepro2009.microsoft.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 91.212.127.227
Site address: Winsecurepro2009.microsoft.com
HijackThis Category: O1
HijackThis Line:

O1 - Hosts: 91.212.127.227 winsecurepro2009.microsoft.com

Description: Winsecurepro2009.microsoft.com is not related to Microsoft and can only be seen on infected computers. The site is used to promote the rogue antispyware program called Antivirus System Pro.

How to remove: use these Antivirus System Pro removal instructions in order to remove this infection.

What is freddy75.exe, How to remove freddy75.exe

November 19th, 2009 O4, Run, Worm

freddy75.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: freddy75
Filename: freddy75.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray

Command: C:\windows\freddy75.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy75.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysfbtray"=C:\windows\freddy75.exe

Description: component of Koobface worm.

How to remove: use these Koobface removal instructions.

What is esysprotector2009.microsoft.com, How to remove esysprotector2009.microsoft.com

November 19th, 2009 O1, Rogue Antispyware/Antivirus

esysprotector2009.microsoft.com is a malicious website.

The site was created to spread Antivirus System Pro. If your browser is redirected to esysprotector2009.microsoft.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 91.212.127.227
Site address: esysprotector2009.microsoft.com
HijackThis Category: O1
HijackThis Line:

O1 - Hosts: 91.212.127.227 esysprotector2009.microsoft.com

Description: esysprotector2009.microsoft.com is not related to Microsoft and can only be seen on infected computers. The site is used to promote the rogue antispyware program called Antivirus System Pro.

How to remove: use these Antivirus System Pro removal instructions in order to remove this infection.

What is AntiVirus Plus.1.dll, How to remove AntiVirus Plus.1.dll

November 19th, 2009 BHO, O2, O4, Rogue Antispyware/Antivirus, Run

AntiVirus Plus.1.dll is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: AntiVirus Plus.1
Filename: AntiVirus Plus.1.dll
Registry key:

Command: %UserProfile%\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll
CLSID: {C2B5AAB8-2183-4be7-81A6-F11493C45872}
Startup Type:
HijackThis Category:
HijackThis Line:

O2 - BHO: Antivirus Plus BHO - {C2B5AAB8-2183-4be7-81A6-F11493C45872} - C:\Documents and Settings\comp\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll
O4 - HKLM\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\comp\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll", start 1
O4 - HKCU\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\comp\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll", start 1

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2B5AAB8-2183-4be7-81A6-F11493C45872}]
Antivirus Plus BHO - C:\Documents and Settings\user\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll [2009-11-19 2453504]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AntiVirus Plus"=C:\Documents and Settings\user\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll [2009-11-19 2453504]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AntiVirus Plus"=C:\Documents and Settings\user\Application Data\AntiVirus Plus\AntiVirus Plus.1.dll [2009-11-19 2453504]

Description: component of AntiVirus Plus. AntiVirus Plus is a rogue antispyware program.

How to remove: use these AntiVirus Plus removal instructions.

What is SecureKeeper.exe, How to remove SecureKeeper.exe

November 18th, 2009 O4, Rogue Antispyware/Antivirus, Run

SecureKeeper.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: SecureKeeper
Filename: SecureKeeper.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | SecureKeeper

Command: C:\Program Files\SecureKeeper Software\SecureKeeper\SecureKeeper.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [SecureKeeper] C:\Program Files\SecureKeeper Software\SecureKeeper\SecureKeeper.exe -min

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecureKeeper"=C:\Program Files\SecureKeeper Software\SecureKeeper\SecureKeeper.exe -min

Description: core part of SecureKeeper. SecureKeeper is a rogue antispyware program.

How to remove: use these SecureKeeper removal instructions.

What is WinESuite.exe, How to remove WinESuite.exe

November 17th, 2009 O4, Rogue Antispyware/Antivirus, Run

WinESuite.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: WinESuite
Filename: WinESuite.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WES

Command: C:\Documents and Settings\All Users\Application Data\1817442\WinESuite.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [WES] "C:\Documents and Settings\All Users\Application Data\1817442\WinESuite.exe" /s

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WES"=C:\Documents and Settings\All Users\Application Data\1817442\WinESuite.exe /s

Description: component of Enterprise Suite. Enterprise Suite is a rogue antispyware program.

How to remove: use these Enterprise Suite removal instructions.

What is freddy74.exe, How to remove freddy74.exe

November 17th, 2009 O4, Run, Worm

freddy74.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: freddy74
Filename: freddy74.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray

Command: C:\windows\freddy74.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy74.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysfbtray"=C:\windows\freddy74.exe

Description: part of the Koobface worm.

How to remove: use HijackThis + Malwarebytes' Anti-Malware.

What is wow64main.exe, How to remove wow64main.exe

November 17th, 2009 O4, Run, Trojan

wow64main.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: wow64main
Filename: wow64main.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | wow64main.exe

Command: %Temp%\wow64main.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [wow64main.exe] %Temp%\wow64main.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wow64main.exe"=%Temp%\wow64main.exe [2009-10-25 1146880]

Description: trojan that is installed with rogue antispyware programs.

How to remove: use HijackThis + Malwarebytes' Anti-Malware.