ESQULserv.sys is a trojan DNSChanger

August 27th, 2009 Driver, Trojan

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ESQULserv
Filename: uses random filenames, examples below

c:\windows\system32\drivers\ESQULpjyrxmafdndomsrumnadwoyxcbowcdul.sys
c:\windows\system32\drivers\ESQULvvmlotmovroyobfrbmltkmtttklyrqje.sys
c:\windows\system32\ESQULdfowmsoetvgoovmoowvkctgpjykiyoaq.dll
c:\windows\system32\ESQULjgxtjwkxefqrntwuekdqcwtuospqgmas.dll

Command: c:\windows\system32\drivers\ESQULfqjdadpxylqppquwnvxjkomleltuiihj.sys
Startup Type: hidden driver
Description: variant of trojan DNSChanger

How to remove: use these trojan DNSChanger removal instructions.

olhrwef.exe is a trojan autorun.inf

August 27th, 2009 O4, Run, Trojan

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: olhrwef
Filename: olhrwef.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | cdoosoft

Command: C:\WINDOWS\system32\olhrwef.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 - HKUS\S-1-5-21-527237240-113007714-854245398-1007\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe (User '?')

Description: trojan that uses an autorun.inf file to infect computers.

How to remove: use these autorun.inf trojan removal instructions.

waw32.exe is a trojan-dropper [Worm.Palevo]

August 27th, 2009 O4, Policies\Explorer\Run, Run, Trojan, Worm

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: waw32
Filename: waw32.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Driver Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Microsoft Driver Setup

Command: C:\WINDOWS\waw32.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\waw32.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\waw32.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"=C:\WINDOWS\waw32.exe [2009-08-20 84992]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Microsoft Driver Setup"=C:\WINDOWS\waw32.exe [2009-08-20 84992]

Description: trojan-dropper, also known as Worm.Palevo

How to remove: use HijackThis and Malwarebytes' Anti-Malware.

SaveDefenseSvc.exe is a component of SaveDefense

August 27th, 2009 O23, Rogue Antispyware/Antivirus, Service

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: SaveDefenseSvc
Filename: SaveDefenseSvc.exe
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveDefenseSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SaveDefenseSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SaveDefenseSvc

Command: C:\Program Files\SaveDefense Software\SaveDefense\SaveDefenseSvc.exe
Startup Type: Service
HijackThis Category: O23
HijackThis Line:

O23 - Service: SaveDefense Security Service (SaveDefenseSvc) - Unknown owner - C:\Program Files\SaveDefense Software\SaveDefense\SaveDefenseSvc.exe

Description: component of SaveDefense (rogue antispyware program)

How to remove: use these SaveDefense removal instructions.

SaveDefense.exe is the main file of SaveDefense

August 27th, 2009 O4, Rogue Antispyware/Antivirus, Run

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: SaveDefense
Filename: SaveDefense.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | SaveDefense

Command: C:\Program Files\SaveDefense Software\SaveDefense\SaveDefense.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [SaveDefense] C:\Program Files\SaveDefense Software\SaveDefense\SaveDefense.exe -min

Description: main file of SaveDefense (rogue antispyware software)

How to remove: use these SaveDefense removal instructions.

TrustNinjaSvc.exe is a component of TrustNinja

August 27th, 2009 O23, Rogue Antispyware/Antivirus, Service

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: TrustNinjaSvc
Filename: TrustNinjaSvc.exe
Command: C:\Program Files\TrustNinja Software\TrustNinja\TrustNinjaSvc.exe
Startup Type: Service
HijackThis Category: O23
HijackThis Line:

O23 - Service: TrustNinja Security Service (TrustNinjaSvc) - Unknown owner - C:\Program Files\TrustNinja Software\TrustNinja\TrustNinjaSvc.exe

Description: component of TrustNinja (rogue antispyware program)

How to remove: use these TrustNinja removal instructions.

TrustNinja.exe is the main file of TrustNinja

August 25th, 2009 O4, Rogue Antispyware/Antivirus, Run

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: TrustNinja
Filename: TrustNinja.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TrustNinja

Command: C:\Program Files\TrustNinja Software\TrustNinja\TrustNinja.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [TrustNinja] C:\Program Files\TrustNinja Software\TrustNinja\TrustNinja.exe -min

Description: main file of TrustNinja (rogue antispyware software)

How to remove: use these TrustNinja removal instructions.

SaveSoldierSvc.exe is a component of SaveSoldier

August 25th, 2009 O23, Rogue Antispyware/Antivirus, Service

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: SaveSoldierSvc
Filename: SaveSoldierSvc.exe
Command: C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldierSvc.exe
Startup Type: Service
HijackThis Category: O23
HijackThis Line:

O23 - Service: SaveSoldier Security Service (SaveSoldierSvc) - Unknown owner - C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldierSvc.exe

Description: component of SaveSoldier (rogue antispyware program)

How to remove: use these SaveSoldier removal instructions.

SaveSoldier.exe is the main file of SaveSoldier

August 25th, 2009 O4, Rogue Antispyware/Antivirus, Run

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: SaveSoldier
Filename: SaveSoldier.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | SaveSoldier

Command: C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldier.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [SaveSoldier] C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldier.exe -min

Description: main file of SaveSoldier (rogue antispyware program)

How to remove: use these SaveSoldier removal instructions.

brey1eza.exe is a trojan

August 25th, 2009 O4, Rogue Antispyware/Antivirus, Run, Trojan

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: brey1eza
Filename: brey1eza.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | brey1eza.exe

Command: %UserProfile%\LOCALS~1\Temp\brey1eza.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [brey1eza.exe] C:\DOCUME~1\PEDROA~1\LOCALS~1\Temp\brey1eza.exe

Description: trojan that is installed with SaveSoldier (rogue antispyware program)

How to remove: use these SaveSoldier removal instructions.