Archive for April, 2010

What is alphaantivir.com, How to remove alphaantivir.com

Saturday, April 17th, 2010

alphaantivir.com is a malicious website

The site was created to spread Antispyware Soft. If your browser is redirected to alphaantivir.com, you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.5
Site address: alphaantivir.com
Description: alphaantivir.com is not affiliated with any legitimate security company and is seen only on infected computers. The site is used to promote the rogue antispyware program called Antispyware Soft.

How to remove: use these Antispyware Soft removal instructions in order to remove this infection.

What is Fortress-software.net, How to remove Fortress-software.net

Saturday, April 17th, 2010

Fortress-software.net is a malicious website

The site was created to spread Antispyware Soft. If your browser is redirected to Fortress-software.net, you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.5
Site address: Fortress-software.net
Description: Fortress-software.net is not affiliated with any legitimate security company and is seen only on infected computers. The site is used to promote the rogue antispyware program called Antispyware Soft.

How to remove: use these Antispyware Soft removal instructions in order to remove this infection.

What is ngts.vao, How to remove ngts.vao

Friday, April 16th, 2010

ngts.vao is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ngts
Filename: ngts.vao
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe rundll32.exe ngts.vao uvibls
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe ngts.vao uvibls

Description: component of a trojan that is also known as Backdoor.Bredolab [PCTools], Mal/EncPk-NS, Mal/FakeAV-BW, Mal/FakeAV-DF, Mal/FakeAV-BW [Sophos], packed with: PE_Patch.UPX [Kaspersky Lab]

How to remove: use HijackThis + Malwarebytes' Anti-Malware

What is bill107.exe, How to remove bill107.exe

Friday, April 16th, 2010

bill107.exe is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: bill107
Filename: bill107.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray

Command: C:\windows\bill107.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKLM\..\Run: [sysfbtray] C:\windows\bill107.exe

DDS Line:

mRun: [sysfbtray] C:\windows\bill107.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysfbtray"=C:\windows\bill107.exe

Description: new variant of the Koobface worm

How to remove: use these Koobface removal instructions.

What is mcenspc.dll, How to remove mcenspc.dll

Tuesday, April 13th, 2010

mcenspc.dll is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: mcenspc
Filename: mcenspc.dll
Registry key:

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders | SecurityProviders

Command: C:\Windows\System32\mcenspc.dll
Startup Type: SecurityProviders
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

Description: a trojan that is also known as Trojan Horse [Symantec], Trojan.Win32.Agent2.htd [Kaspersky Lab], Generic Downloader.x!a [McAfee], Troj/Agent-JNX [Sophos], TrojanDownloader:Win32/Agent.KF [Microsoft], Trojan.Win32.Agent2 [Ikarus], Win-Trojan/Agent2.58880.B [AhnLab]

How to remove: use Malwarebytes' Anti-Malware + Kaspersky Virus Removal Tool

What is rihd.pno, How to remove rihd.pno

Tuesday, April 13th, 2010

rihd.pno is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: rihd
Filename: rihd.pno
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe, rundll32.exe rihd.pno eaoydsi
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 - REG:system.ini: Shell=Explorer.exe, rundll32.exe rihd.pno eaoydsi

Description: component of the Bredolab trojan

How to remove: use HijackThis + Malwarebytes' Anti-Malware

What is PRAGMAd.sys, How to remove PRAGMAd.sys

Tuesday, April 13th, 2010

PRAGMAd.sys is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: PRAGMAd
Filename: PRAGMAd.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMA{random}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMAd.sys

Command:

C:\WINDOWS\system32\drivers\PRAGMA{random}.sys
C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys

Startup Type: hidden driver
RootRepeal shows infection:

Hidden Services
——————-
Service Name: PRAGMAd.sys
Image Path C:\WINDOWS\system32\drivers\PRAGMAewxhsvitbd.sys

Service Name: PRAGMArchxnseqxn
Image Path C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys

GMER shows infection:

Service system32\drivers\PRAGMAewxhsvitbd.sys (*** hidden *** ) [SYSTEM] PRAGMAd.sys <-- ROOTKIT !!!
Service C:\WINDOWS\PRAGMArchxnseqxn\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMArchxnseqxn <-- ROOTKIT !!!

Description: new variant of the TDSS trojan

How to remove: use these TDSS trojan removal instructions.

What is avprocess.com, How to remove avprocess.com

Monday, April 12th, 2010

avprocess.com is a malicious website

The site was created to spread Antivirus Suite. If your browser is redirected to avprocess.com, you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 193.33.115.92
Site address: avprocess.com
Description: avprocess.com is not affiliated with any legitimate security company and is seen only on infected computers. The site is used to promote the rogue antispyware program called Antivirus Suite.

How to remove: use these Antivirus Suite removal instructions in order to remove this infection.

What is Avfortress.com, How to remove Avfortress.com

Monday, April 12th, 2010

Avfortress.com is a malicious website

The site was created to spread Antivirus Suite. If your browser is redirected to Avfortress.com, you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.5
Site address: Avfortress.com
Description: Avfortress.com is not affiliated with any legitimate security company and is seen only on infected computers. The site is used to promote the rogue antispyware program called Antivirus Suite.

How to remove: use these Antivirus Suite removal instructions in order to remove this infection.

What is Firm-av.com, How to remove Firm-av.com

Sunday, April 11th, 2010

Firm-av.com is a malicious website

The site was created to spread Antivirus Suite. If your browser is redirected to Firm-av.com, you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 193.33.115.88
Site address: Firm-av.com
Description: Firm-av.com is not affiliated with Microsoft and is seen only on infected computers. The site is used to promote the rogue antispyware program called Antivirus Suite.

How to remove: use these Antivirus Suite removal instructions in order to remove this infection.