June 28th, 2009 O4, Rogue Antispyware/Antivirus, Run
This is a harmful program.
Name: Installer
Filename: Installer.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | AntivirusBEST
Command: C:\Documents and Settings\All Users\Application Data\AB\Installer.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [AntivirusBEST] C:\Documents and Settings\All Users\Application Data\AB\Installer.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AntivirusBEST"=C:\Documents and Settings\All Users\Application Data\AB\Installer.exe [2009-06-26 78848]
Description: main file of AntivirusBEST (rogue antispyware program)
How to remove: use these AntivirusBEST removal instructions
June 27th, 2009 adware, ShellIconOverlayIdentifiers
This is a harmful program.
Name: AdSubscribe
Filename: AdSubscribe.dll
Registry key:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AdSubscribe
HKEY_CLASSES_ROOT\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}
Command: c:\documents and settings\user\Application Data\AdSubscribe\AdSubscribe.dll (loaded into explorer.exe as a shell icon overlay handler)
CLSID: {82C885EE-6B87-4D51-9EF4-0CFE9FADA900}
Startup Type: ShellIconOverlayIdentifiers (shell extension)
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AdSubscribe]
@="{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}"
[HKEY_CLASSES_ROOT\CLSID\{82C885EE-6B87-4D51-9EF4-0CFE9FADA900}]
2009-06-23 21:11 750080 ----a-w- c:\documents and settings\user\Application Data\AdSubscribe\AdSubscribe.dll
2009-06-23 21:11 . 2009-06-23 21:11 -------- d-----w- c:\documents and settings\user\Application Data\AdSubscribe
2009-06-23 21:11 . 2009-06-23 21:11 807424 ----a-w- c:\documents and settings\user\Application Data\AdSubscribe\Uninstall.exe
2009-06-23 21:11 . 2009-06-23 21:11 750080 ----a-w- c:\documents and settings\user\Application Data\AdSubscribe\AdSubscribe.dll
Description: adware also known as AdWare.FearAds, Trojan-Downloader.Win32.Adload.fib, Worm.Win32.Malware.gen
How to remove: ask for help at the Spyware removal forum.
June 27th, 2009 startupreg
This is a harmful program.
Name: sysmonnt
Filename: sysmonnt.exe
Registry key:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysmonnt
Command: C:\WINDOWS\System32\sysmonnt
Startup Type: startupreg (MSConfig's record of a startup item that was disabled with msconfig.exe; the entry is not active until re-enabled, but the file may still be on disk)
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysmonnt]
C:\WINDOWS\System32\sysmonnt
Description: spyware component
June 27th, 2009 startupreg, Trojan
This is a harmful program.
Name: paumrt32
Filename: paumrt32.exe
Registry key:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ho29RhH5e
Startup Type: startupreg (MSConfig's record of a startup item that was disabled with msconfig.exe; the random value name Ho29RhH5e is the original Run value name)
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ho29RhH5e]
paumrt32.exe
Description: Unknown trojan
June 27th, 2009 O17, Trojan
These IP addresses are used by the DNSChanger trojan as rogue name servers.
HijackThis Category: O17
HijackThis Line:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.117,85.255.112.121
Description: 85.255.112.117 and 85.255.112.121 are IP addresses used by the DNSChanger trojan; while they are set as NameServer, every DNS lookup on the machine can be answered by the attacker.
How to remove: use these trojan DNSChanger removal instructions
June 27th, 2009 O4, Run, Trojan
This is a harmful program.
Name: net
Filename: net.net
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | net
Command: C:\WINDOWS\system32\net.net
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"net"=C:\WINDOWS\system32\net.net
Description: unknown trojan, usually installed with rogue antispyware software
How to remove: use HijackThis
June 27th, 2009 O4, Run, Trojan
This is a harmful program.
Name: liser
Filename: liser.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | kell
Command: c:\program Files\Manson\liser.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O4 - HKCU\..\Run: [kell] c:\program Files\Manson\liser.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kell"=c:\program Files\Manson\liser.exe
Description: trojan installed together with rogue antivirus/antispyware applications.
How to remove: use Malwarebytes Antimalware
June 27th, 2009 AppInit DLLs, O20, Trojan
This is a harmful program.
Name: liser
Filename: liser.dll
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Command: c:\progra~1\Manson\liser.dll
Startup Type: AppInit DLL (loaded by user32.dll into every process that links user32, so the DLL runs inside most GUI applications)
HijackThis Category: O20
HijackThis Line:
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\progra~1\Manson\liser.dll"
Description: trojan agent [Malwarebytes Anti-malware]
How to remove: use Malwarebytes Antimalware
June 27th, 2009 Service, SvcHost, Trojan
This is a harmful program.
Name: msncache
Startup Type: Service (svchost)
Combofix/RSIT Line:
R2 msncache;msncache; C:\WINDOWS\system32\svchost.exe [2004-08-18 14336]
Description: Unknown trojan component. The path in the log line is the legitimate svchost.exe host process; the malicious code is the ServiceDll referenced under the service's Parameters key, which this line does not show, so identify and remove that DLL rather than svchost.exe.
June 27th, 2009 O23, Service, Virus
This is a harmful program.
Name: sopidkc
Filename: sopidkc.exe
Command: C:\WINDOWS\system32\sopidkc.exe
Startup Type: Service
HijackThis Category: O23
HijackThis Line:
O23 - Service: sopidkc Service (sopidkc) - Elecard Lt - C:\WINDOWS\system32\sopidkc.exe
Combofix/RSIT Line:
R2 sopidkc;sopidkc Service; C:\WINDOWS\system32\sopidkc.exe [2004-08-18 124928]
Description: Virus, identified as Backdoor:Win32/Refpron.gen!C [Microsoft], Troj/Comsa-C [Sophos], New Win32 [McAfee], Packed.Win32.Koblu.b [Kaspersky Lab]
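The entries above all come from HijackThis (O4, O17, O20, O23) and ComboFix/RSIT (R2) log lines. The following added example, which is not part of this page's database or of either tool, parses those five line formats and flags lines that match the indicators listed on this page (Run value names, service names, path fragments and the two DNSChanger name servers). The sample log embeds the page's own lines plus two benign controls (a 192.168.1.1 NameServer and the W32Time service) that are constructed here for contrast; the indicator sets are assumptions drawn only from the entries above and would need to be extended for real use.

```python
import re
from dataclasses import dataclass
from typing import List

# Log lines quoted from the entries on this page, plus two constructed benign
# controls (the 192.168.1.1 NameServer line and the W32Time service line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AntivirusBEST] C:\Documents and Settings\All Users\Application Data\AB\Installer.exe
O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.117,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O23 - Service: sopidkc Service (sopidkc) - Elecard Lt - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
R2 msncache;msncache; C:\WINDOWS\system32\svchost.exe [2004-08-18 14336]
"""

# Indicators taken from this page only (assumption: a real scanner would carry a
# much larger list). Path fragments include the parent directory so that a
# generic name such as Installer.exe is not flagged on its own.
BAD_RUN_VALUES = {"antivirusbest", "net", "kell"}
BAD_SERVICES = {"sopidkc", "msncache"}
BAD_DNS = {"85.255.112.117", "85.255.112.121"}
BAD_PATH_FRAGMENTS = {
    r"\ab\installer.exe", r"\system32\net.net", r"\manson\liser.exe",
    r"\manson\liser.dll", r"\system32\sopidkc.exe", r"\adsubscribe\adsubscribe.dll",
}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^()]+)\) - (?P<company>.+?) - (?P<path>.+)$")
R2_RE = re.compile(r"^R\d (?P<svc>[^;]+);(?P<display>[^;]*); (?P<path>.+?) \[\S+ \d+\]$")


@dataclass
class Finding:
    line_no: int
    category: str
    reason: str


def bad_path(path: str) -> bool:
    """True when a lower-cased path contains one of the page's directory+file fragments."""
    return any(frag in path for frag in BAD_PATH_FRAGMENTS)


def clean_command(cmd: str) -> str:
    """Drop the " (User 'X')" suffix HijackThis appends to HKUS entries and surrounding quotes."""
    cmd = re.sub(r" \(User '[^']*'\)$", "", cmd)
    return cmd.strip().strip('"')


def scan(log: str) -> List[Finding]:
    """Parse HijackThis/ComboFix lines and return one Finding per line that matches an indicator."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log.strip().splitlines(), 1):
        line = raw.strip()
        if m := O4_RE.match(line):
            path = clean_command(m["cmd"]).lower()
            if m["name"].lower() in BAD_RUN_VALUES or bad_path(path):
                findings.append(Finding(line_no, "O4", f"Run value [{m['name']}] starts {path}"))
        elif m := O17_RE.match(line):
            hits = sorted({s.strip() for s in m["servers"].split(",")} & BAD_DNS)
            if hits:
                findings.append(Finding(line_no, "O17", "DNSChanger NameServer " + ",".join(hits)))
        elif m := O20_RE.match(line):
            # AppInit_DLLs may list several DLLs separated by spaces or commas.
            for dll in re.split(r"[ ,]+", m["dlls"].strip()):
                if bad_path(dll.lower()):
                    findings.append(Finding(line_no, "O20", f"AppInit_DLLs loads {dll}"))
        elif m := O23_RE.match(line):
            if m["svc"].lower() in BAD_SERVICES or bad_path(m["path"].lower()):
                findings.append(Finding(line_no, "O23", f"service {m['svc']} runs {m['path']}"))
        elif m := R2_RE.match(line):
            if m["svc"].lower() in BAD_SERVICES:
                note = "; hosted in svchost.exe, inspect the ServiceDll under Parameters" \
                    if m["path"].lower().endswith("svchost.exe") else ""
                findings.append(Finding(line_no, "R2", f"service {m['svc']} runs {m['path']}{note}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.category:<4} {f.reason}")
```

The 8.3 path in the O20 line (c:\progra~1\Manson\liser.dll) still matches because the fragment after the shortened component is unchanged; a production tool should expand short names with GetLongPathNameW before comparing. For svchost-hosted services the log line never shows the payload, which is why the R2 finding tells the analyst where to look next.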