Archive for the 'O4' Category

What is 5DR8ZAD8GX, How to remove 5DR8ZAD8GX

Wednesday, July 28th, 2010

5DR8ZAD8GX is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM:3}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | 5DR8ZAD8GX

Command: %Temp%\{RANDOM}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [5DR8ZAD8GX] C:\DOCUME~1\User\LOCALS~1\Temp\Lrn.exe

DDS Line:

uRun: [5DR8ZAD8GX] C:\DOCUME~1\User\LOCALS~1\Temp\Lrn.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“5DR8ZAD8GX”=C:\DOCUME~1\User\LOCALS~1\Temp\Lrn.exe

Description: trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“5DR8ZAD8GX”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is TG0PTF86JH, How to remove TG0PTF86JH

Wednesday, July 28th, 2010

TG0PTF86JH is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM:3}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TG0PTF86JH

Command: %Temp%\{RANDOM}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [TG0PTF86JH] C:\DOCUME~1\User\LOCALS~1\Temp\Lrm.exe

DDS Line:

uRun: [TG0PTF86JH] C:\DOCUME~1\User\LOCALS~1\Temp\Lrm.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“TG0PTF86JH”=C:\DOCUME~1\User\LOCALS~1\Temp\Lrm.exe

Description: trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“TG0PTF86JH”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is releaseversion70700.exe, How to remove releaseversion70700.exe

Wednesday, July 28th, 2010

releaseversion70700.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: releaseversion70700
Filename: releaseversion70700.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | releaseversion70700.exe

Command: %AppData%\{RANDOM}\releaseversion70700.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [releaseversion70700.exe] C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

DDS Line:

uRun: [releaseversion70700.exe] C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“releaseversion70700.exe”=C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

Description: core component of Antimalware Doctor. Antimalware Doctor is a rogue antispyware program.

How to remove: use the Antimalware Doctor removal instructions or the steps below.

1. Download HijackThis from here and save it to your desktop.
2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

O4 – HKCU\..\Run: [releaseversion70700.exe] C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.
3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is setupupdate70700.exe, How to remove setupupdate70700.exe

Sunday, July 25th, 2010

setupupdate70700.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: setupupdate70700
Filename: setupupdate70700.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | setupupdate70700.exe

Command: %AppData%\{Random}\setupupdate70700.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [setupupdate70700.exe] C:\Users\User\AppData\Roaming\1D0B0458FAB4EE3E8D598664B5E13C71\setupupdate70700.exe

DDS Line:

mRun: [setupupdate70700.exe] C:\Users\User\AppData\Roaming\1D0B0458FAB4EE3E8D598664B5E13C71\setupupdate70700.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“setupupdate70700.exe”=C:\Users\User\AppData\Roaming\1D0B0458FAB4EE3E8D598664B5E13C71\setupupdate70700.exe [2010-07-25 1051136]

Description: core component of Antimalware Doctor. Antimalware Doctor is a rogue antispyware program.

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is upd_debug.exe, How to remove upd_debug.exe

Sunday, July 25th, 2010

upd_debug.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: upd_debug
Filename: upd_debug.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | *upd_debug.exe

Command: %AppData%\{RANDOM}\upd_debug.exe
Startup Type: HKLM->RunOnce
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\RunOnce: [*upd_debug.exe] “C:\Documents and Settings\user\Application Data\5E61DD380A45D30866E01CB0F8ECDE89\upd_debug.exe”

DDS Line:

mRunOnce: [*upd_debug.exe] “C:\Documents and Settings\user\Application Data\5E61DD380A45D30866E01CB0F8ECDE89\upd_debug.exe”

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“*upd_debug.exe”=C:\Documents and Settings\user\Application Data\5E61DD380A45D30866E01CB0F8ECDE89\upd_debug.exe

Description: core component of Antimalware Doctor (rogue antispyware)

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is XA5RJ9EADJ, How to remove XA5RJ9EADJ

Sunday, July 25th, 2010

XA5RJ9EADJ is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:3}.exe
Registry key:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | XA5RJ9EADJ
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | XA5RJ9EADJ

Command: C:\WINDOWS\TEMP\Sb2.exe
Startup Type: HKUS->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKUS\S-1-5-18\..\Run: [XA5RJ9EADJ] C:\WINDOWS\TEMP\Sb2.exe (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\Run: [XA5RJ9EADJ] C:\WINDOWS\TEMP\Sb2.exe (User ‘Default user’)

Combofix/RSIT Line:

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
“XA5RJ9EADJ”=”C:\WINDOWS\TEMP\Sb2.exe”
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“XA5RJ9EADJ”=”C:\WINDOWS\TEMP\Sb2.exe”

Description: trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“XA5RJ9EADJ”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is wmiprves, How to remove wmiprves

Sunday, July 25th, 2010

wmiprves is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM}.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | wmiprves

Command: %Temp%\{RANDOM}.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [wmiprves] C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

DDS Line:

mRun: [wmiprves] C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“wmiprves”=C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

Description: trojan that also known as Trojan-Downloader.Win32.Murlo.gvs [Kaspersky Lab], Virus.Win32.Delf.HTI [Ikarus]
Notes: installed with l84alx.exe, msgciutr.dll

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

What is msgciutr.dll, How to remove msgciutr.dll

Sunday, July 25th, 2010

msgciutr.dll is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: msgciutr
Filename: msgciutr.dll
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | tghlig

Command: RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [tghlig] RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

DDS Line:

mRun: [tghlig] RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“tghlig”=RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

Description: trojan that also known as Trojan-PSW.Wowcraft [PCTools], Infostealer.Wowcraft [Symantec], Trojan-GameThief.Win32.WOW.abah [Kaspersky Lab], Mal/Behav-170 [Sophos], PWS:Win32/Frethog.MK [Microsoft], PWS.Win32 [Ikarus], Win-Trojan/Onlinegamehack.36865.EI [AhnLab]
Notes: installed with l84alx.exe

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

What is l84alx.exe, How to remove l84alx.exe

Sunday, July 25th, 2010

l84alx.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: l84alx
Filename: l84alx.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tcyz46

Command: %Temp%\l84alx.exe
Startup Type: HKLM->Policies\Explorer\Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Policies\Explorer\Run: [tcyz46] C:\DOCUME~1\User\LOCALS~1\Temp\l84alx.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
“tcyz46″=C:\DOCUME~1\User\LOCALS~1\Temp\l84alx.exe

Description: trojan also known as Trojan.Gen [PCTools], Trojan.Gen [Symantec], Backdoor.Win32.VB.lvn [Kaspersky Lab], Mal/VB-CF [Sophos], Trojan:Win32/Neop [Microsoft], Backdoor.Win32.VB [Ikarus]

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

What is W34BCG2GRJ, How to remove W34BCG2GRJ

Friday, July 23rd, 2010

W34BCG2GRJ is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:5}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | W34BCG2GRJ

Command: C:\WINDOWS\Ycupia.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [W34BCG2GRJ] C:\WINDOWS\Ycupia.exe

DDS Line:

uRun: [W34BCG2GRJ] C:\WINDOWS\Ycupia.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“W34BCG2GRJ”=C:\WINDOWS\Ycupia.exe

Description: Trojan.Win32.Monder.djia [Kaspersky Lab], Gen.Variant [Ikarus]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“W34BCG2GRJ”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).