Archive for September, 2010

What is Antivirus IS, How to remove AntivirusIS

Monday, September 20th, 2010

Antivirus IS (AntivirusIS) is a harmful program.

remove It is a fake security program, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Description: rogue antispyware program

How to remove: use the Antivirus IS (AntivirusIS) removal guide

What is RegistryClever, How to remove RegistryClever

Wednesday, September 15th, 2010

RegistryClever is a harmful program.

remove It is a fake security tool, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

RegistryClever associated files:

C:\Program Files\RegistryClever Software
C:\Program Files\RegistryClever Software\RegistryClever
C:\Program Files\RegistryClever Software\RegistryClever\Styles
C:\Documents and Settings\All Users\Start Menu\Programs\RegistryClever
C:\Documents and Settings\All Users\Application Data\RegistryClever
C:\Documents and Settings\All Users\Application Data\RegistryClever\BackupedItems
C:\Program Files\RegistryClever Software\RegistryClever\RegistryCleverTray.exe
C:\Program Files\RegistryClever Software\RegistryClever\license.txt
C:\Program Files\RegistryClever Software\RegistryClever\RegistryClever.exe
C:\Program Files\RegistryClever Software\RegistryClever\uninstall.exe
C:\Program Files\RegistryClever Software\RegistryClever\Styles\Vista.cjstyles
C:\Documents and Settings\All Users\Start Menu\Programs\RegistryClever\Homepage.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\RegistryClever\RegistryClever.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\RegistryClever\Uninstall.lnk
C:\Documents and Settings\All Users\Application Data\RegistryClever\BackupedItems\items.xml
C:\Documents and Settings\All Users\Desktop\RegistryClever.LNK

RegistryClever associated registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegistryClever
HKEY_LOCAL_MACHINE\SOFTWARE\RegistryClever
HKEY_CURRENT_USER\Software\RegistryClever
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trayscan

Core file: RegistryCleverTray.exe
Home folder: %ProgramFiles%\RegistryClever Software
Command: %ProgramFiles%\RegistryClever Software\RegistryClever\RegistryCleverTray.exe
HijackThis shows RegistryClever Line:

O4 – HKCU\..\Run: [TrayScan] “C:\Program Files\RegistryClever Software\RegistryClever\RegistryCleverTray.exe”

Description: fake Windows registry cleaner

How to remove: use the RegistryClever removal guide

What is dfrgsnapnt.exe, How to remove dfrgsnapnt.exe

Wednesday, September 15th, 2010

dfrgsnapnt.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: dfrgsnapnt
Filename: dfrgsnapnt.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | dfrgsnapnt.exe

Command: %TEMP%\dfrgsnapnt.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [dfrgsnapnt.exe] C:\WINDOWS\TEMP\dfrgsnapnt.exe

DDS Line:

uRun: [dfrgsnapnt.exe] C:\WINDOWS\TEMP\dfrgsnapnt.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“dfrgsnapnt.exe”=C:\WINDOWS\TEMP\dfrgsnapnt.exe

Description: trojan FakeAlert

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is YXE7DXCQ37, How to remove YXE7DXCQ37

Monday, September 13th, 2010

YXE7DXCQ37 is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM:3}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | YXE7DXCQ37

Command: %Temp%\{RANDOM:3}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [YXE7DXCQ37] C:\DOCUME~1\username\LOCALS~1\Temp\Rch.exe

DDS Line:

uRun: [YXE7DXCQ37] C:\DOCUME~1\username\LOCALS~1\Temp\Rch.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“YXE7DXCQ37″=C:\DOCUME~1\username\LOCALS~1\Temp\Rch.exe

Description: new variant of trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“YXE7DXCQ37”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is IronDefender, How to remove IronDefender

Monday, September 13th, 2010

This is a harmful program.

remove It is a malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Files:

c:\Documents and Settings\All Users\Start Menu\Programs\IronDefender.lnk
%UserProfile%\Desktop\IronDefender.lnk
c:\Program Files\{RANDOM}
c:\Program Files\{RANDOM}\{RANDOM}.exe
c:\Program Files\{RANDOM}\Uninstall.exe
c:\WINDOWS\{RANDOM}.exe
c:\WINDOWS\{RANDOM}.bin
c:\WINDOWS\{RANDOM}.dll
c:\WINDOWS\{RANDOM}.cpl
c:\WINDOWS\system32\{RANDOM}.exe
c:\WINDOWS\system32\{RANDOM}.bin
c:\WINDOWS\system32\{RANDOM}.dll
c:\WINDOWS\system32\{RANDOM}.cpl

Registry keys/values:

HKEY_CURRENT_USER\Software\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IronDefender
HKEY_CURRENT_USER\Software | Install_Dir = “C:\Program Files\{RANDOM}”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe

Startup Type: HKLM->Run, HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [{RANDOM}.exe] “C:\Program Files\{RANDOM}\{RANDOM}.exe” -min
O4 – HKCU\..\Run: [{RANDOM}.exe] C:\WINDOWS\system32\{RANDOM}.exe

Description: rogue antispyware program

How to remove: use the IronDefender removal instructions.

What is mmduch.dll, How to remove mmduch.dll

Sunday, September 12th, 2010

mmduch.dll is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: mmduch
Filename: mmduch.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9429BB93-2DC8-4C12-83A6-91BF6B374D85}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | bipro

Command: %WinDir%\$NtUninstallMTF1011$\mmduch.dll
CLSID: {9429BB93-2DC8-4C12-83A6-91BF6B374D85}
Startup Type: BHO, HKLM->Run
HijackThis Category: O2, O4
HijackThis Line:

O2 – BHO: Sky-Banners Browser Enhancer mmduch – {9429BB93-2DC8-4C12-83A6-91BF6B374D85} – C:\Windows\$NtUninstallMTF1011$\mmduch.dll
O4 – HKLM\..\Run: [bipro] rundll32 “C:\Windows\$NtUninstallMTF1011$\mmduch.dll”,,Run

DDS Line:

BHO: Sky-Banners Browser Enhancer mmduch: {9429BB93-2DC8-4C12-83A6-91BF6B374D85} – C:\Windows\$NtUninstallMTF1011$\mmduch.dll
mRun: [bipro] “C:\Windows\$NtUninstallMTF1011$\mmduch.dll”,,Run

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9429BB93-2DC8-4C12-83A6-91BF6B374D85}]
Sky-Banners Browser Enhancer mmduch – C:\Windows\$NtUninstallMTF1011$\mmduch.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“bipro”=”C:\Windows\$NtUninstallMTF1011$\mmduch.dll”,,Run

Description: component of Sky-Banners Browser Enhancer malware

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9429BB93-2DC8-4C12-83A6-91BF6B374D85}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“bipro”=-

:files
%WinDir%\$NtUninstallMTF1011$\mmduch.dll

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antivirpwr.com, How to remove antivirpwr.com

Sunday, September 12th, 2010

Antivirpwr.com is a malicious website

remove The site was created to spread Security Suite. If your browser is redirected to antivirpwr.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.205
Site addess: antivirpwr.com
Description: antivirpwr.com is not related with legit security company and can be seen on infected computers. The site used to promote the rogue antispyware program called Security Suite.

How to remove: use these antivirpwr removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antivircat.com, How to remove antivircat.com

Friday, September 10th, 2010

Antivircat.com is a malicious website

remove The site was created to spread Security Suite. If your browser is redirected to antivircat.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.205
Site addess: antivircat.com
Description: antivircat.com is not related with legitimate security company and can be seen on infected computers. The site used to promote the rogue antispyware program called Security Suite.

How to remove: use these antivircat removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is KB5625711.exe, How to remove KB5625711.exe

Friday, September 10th, 2010

KB5625711.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: KB5625711
Filename: KB5625711.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | KB5625711.exe

Command: %AppData%\{RANDOM}\KB5625711.exe
Startup Type: HKCU->Run, Startup Folder
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [KB5625711.exe] C:\Documents and Settings\user\Application Data\692A3AB5356E8BA8D60B237EB24238F7\KB5625711.exe
O4 – Startup: Malware Destructor.lnk = C:\Documents and Settings\user\Application Data\692A3AB5356E8BA8D60B237EB24238F7\KB5625711.exe

DDS Line:

uRun: [KB5625711.exe] C:\Documents and Settings\user\Application Data\692A3AB5356E8BA8D60B237EB24238F7\KB5625711.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“KB5625711.exe”=C:\Documents and Settings\user\Application Data\692A3AB5356E8BA8D60B237EB24238F7\KB5625711.exe

Description: core component of Malware Destructor 2011 (rogue antispyware)

How to remove: use the Malware Destructor 2011 removal guide or the steps below.

1. Download HijackThis from here and save it to your desktop.

2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

O4 – HKCU\..\Run: [KB5625711.exe] C:\Documents and Settings\user\Application Data\692A3AB5356E8BA8D60B237EB24238F7\KB5625711.exe
O4 – Startup: Malware Destructor.lnk = C:\Documents and Settings\user\Application Data\692A3AB5356E8BA8D60B237EB24238F7\KB5625711.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Malware Destructor 2011, How to remove Malware Destructor 2011

Friday, September 10th, 2010

Malware Destructor 2011 is a harmful program.

remove It is a rogue antispyware program that uses misleading tactics to trick you into purchasing its full version. You should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Command: %AppData%\{RANDOM}\KB5625711.exe
Description: rogue antispyware

How to remove: use the Malware Destructor 2011 removal instructions.