Archive for September, 2009

gitabiga.dll is trojan Vundo

Sunday, September 20th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: gitabiga
Filename: gitabiga.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | derijidob
hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler | {e826441e-0920-4e05-9b2c-84189ccd7cba}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | gefiraled

Command: c:\windows\system32\gitabiga.dll
CLSID: {e826441e-0920-4e05-9b2c-84189ccd7cba}
Startup Type: HKLM->Run, SharedTaskScheduler, ShellServiceObjectDelayLoad
HijackThis Category: O4, O21, O22
Combofix/RSIT Line:

2009-09-19 01:46 . 2009-06-19 01:46 88576 --sha-w- c:\windows\system32\gitabiga.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"derijidob"="c:\windows\system32\gitabiga.dll" [2009-09-19 88576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e826441e-0920-4e05-9b2c-84189ccd7cba}"= "c:\windows\system32\gitabiga.dll" [2009-09-19 88576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gefiraled"= {e826441e-0920-4e05-9b2c-84189ccd7cba} - c:\windows\system32\gitabiga.dll [2009-09-19 88576]

Description: trojan Vundo

How to remove: use Malwarebytes' Anti-malware

ise32.exe is autorun.inf trojan

Sunday, September 20th, 2009

ise32.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ise32
Filename: ise32.exe
Registry key:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dac57b3a-30d1-11dd-ad23-0008a1a9244d}

Command: E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
CLSID: {dac57b3a-30d1-11dd-ad23-0008a1a9244d}
Startup Type: autorun.inf
Combofix/RSIT Line:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dac57b3a-30d1-11dd-ad23-0008a1a9244d}]
shell\AutoRun\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
shell\open\command - E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe

Description: autorun.inf trojan also known as Trojan-DDoS.Win32.Agent

How to remove: use these autorun.inf trojans removal instructions + use Kaspersky virus removal tool

dwshd.sys is trojan Win32.Agent

Sunday, September 20th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: dwshd
Filename: dwshd.sys
Command: C:\WINDOWS\System32\drivers\dwshd.sys
Startup Type: Driver
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dwshd.sys]
S4 dwshd;dwshd; C:\WINDOWS\System32\drivers\dwshd.sys []

Description: trojan also known as trojan.Win32Agent.

How to remove: use Kaspersky virus removal tool

mradll.exe is component of Green AV

Sunday, September 20th, 2009

mradll.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: mradll
Filename: mradll.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | RANDOM CHARACTERS

Command: C:\Documents and Settings\All Users\Application Data\gra\mradll.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [RANDOM CHARACTERS] C:\Documents and Settings\All Users\Application Data\gra\mradll.exe

Description: component of Green AV also known as Green Antivirus (rogue antispyware program)

How to remove: use these Green AV removal instructions

rwg.exe is component of Green AV

Sunday, September 20th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: rwg
Filename: rwg.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | RANDOM CHARACTERS

Command: C:\Documents and Settings\All Users\Application Data\gwr\rwg.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [RANDOM CHARACTERS] C:\Documents and Settings\All Users\Application Data\gwr\rwg.exe

Description: component of Green AV rogue antivirus program

How to remove: use these Green AV removal instructions

WStech.dll is trojan FakeAlert, component of Green AV

Sunday, September 20th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: WStech
Filename: WStech.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5DBD8CB-DF8A-4992-A655-B155216F6AFB}

Command: C:\Documents and Settings\All Users\Application Data\gra\WStech.dll
CLSID: {A5DBD8CB-DF8A-4992-A655-B155216F6AFB}
Startup Type: BHO
HijackThis Category: O2
HijackThis Line:

O2 - BHO: WStechB - {A5DBD8CB-DF8A-4992-A655-B155216F6AFB} - C:\Documents and Settings\All Users\Application Data\gra\WStech.dll

Description: trojan FakeAlert that is installed by the Green AV rogue antispyware program

How to remove: use these Green AV removal instructions

What is TrustWarrior.exe, how to remove TrustWarrior.exe

Thursday, September 17th, 2009

TrustWarrior.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: TrustWarrior
Filename: TrustWarrior.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TrustWarrior

Command: C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarrior.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [TrustWarrior] C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarrior.exe -min

Description: main component of the TrustWarrior rogue antispyware software, which reports false scan results and displays fake security alerts to scare you into buying the software.

How to remove: use these TrustWarrior removal instructions.

WIa5bc.exe – Windows PC Defender

Thursday, September 17th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: WIa5bc
Filename: WIa5bc.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Windows PC Defender

Command: C:\Documents and Settings\All Users\Application Data\a5bc4e8\WIa5bc.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [Windows PC Defender] "C:\Documents and Settings\All Users\Application Data\a5bc4e8\WIa5bc.exe" /s /d

Description: WIa5bc.exe is a component of the Windows PC Defender rogue antispyware program.

How to remove: use these Windows PC Defender removal instructions.

What is _ex-08.exe, How to remove _ex-08.exe

Monday, September 14th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: _ex-08
Filename: _ex-08.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PromoReg

Command: C:\WINDOWS\Temp\_ex-08.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe

Description: Trojan.Agent

How to remove: use Malwarebytes Anti-malware.

lsp.dll is trojan FakeAlert

Monday, September 14th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: lsp
Filename: lsp.dll
Command: C:\WINDOWS\system32\lsp.dll
Description: trojan FakeAlert, also known as Trojan-Proxy.Win32.

How to remove: use Kaspersky Virus Removal tool.