HT Logs. Tips, FAQs, Analyze.

5DR8ZAD8GX is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM:3}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | 5DR8ZAD8GX

Command: %Temp%\{RANDOM}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [5DR8ZAD8GX] C:\DOCUME~1\User\LOCALS~1\Temp\Lrn.exe

DDS Line:

uRun: [5DR8ZAD8GX] C:\DOCUME~1\User\LOCALS~1\Temp\Lrn.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“5DR8ZAD8GX”=C:\DOCUME~1\User\LOCALS~1\Temp\Lrn.exe

Description: trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“5DR8ZAD8GX”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

TG0PTF86JH is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM:3}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TG0PTF86JH

Command: %Temp%\{RANDOM}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [TG0PTF86JH] C:\DOCUME~1\User\LOCALS~1\Temp\Lrm.exe

DDS Line:

uRun: [TG0PTF86JH] C:\DOCUME~1\User\LOCALS~1\Temp\Lrm.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“TG0PTF86JH”=C:\DOCUME~1\User\LOCALS~1\Temp\Lrm.exe

Description: trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“TG0PTF86JH”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

releaseversion70700.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: releaseversion70700
Filename: releaseversion70700.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | releaseversion70700.exe

Command: %AppData%\{RANDOM}\releaseversion70700.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [releaseversion70700.exe] C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

DDS Line:

uRun: [releaseversion70700.exe] C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“releaseversion70700.exe”=C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

Description: core component of Antimalware Doctor. Antimalware Doctor is a rogue antispyware program.

How to remove: use the Antimalware Doctor removal instructions or the steps below.

1. Download HijackThis from here and save it to your desktop.
2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

O4 – HKCU\..\Run: [releaseversion70700.exe] C:\Documents and Settings\User\Application Data\C862095CAD4A9F25A18E662AC2B1D9CF\releaseversion70700.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.
3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

setupupdate70700.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: setupupdate70700
Filename: setupupdate70700.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | setupupdate70700.exe

Command: %AppData%\{Random}\setupupdate70700.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [setupupdate70700.exe] C:\Users\User\AppData\Roaming\1D0B0458FAB4EE3E8D598664B5E13C71\setupupdate70700.exe

DDS Line:

mRun: [setupupdate70700.exe] C:\Users\User\AppData\Roaming\1D0B0458FAB4EE3E8D598664B5E13C71\setupupdate70700.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“setupupdate70700.exe”=C:\Users\User\AppData\Roaming\1D0B0458FAB4EE3E8D598664B5E13C71\setupupdate70700.exe [2010-07-25 1051136]

Description: core component of Antimalware Doctor. Antimalware Doctor is a rogue antispyware program.

How to remove: use HijackThis + Malwarebytes` Anti-malware

upd_debug.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: upd_debug
Filename: upd_debug.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | *upd_debug.exe

Command: %AppData%\{RANDOM}\upd_debug.exe
Startup Type: HKLM->RunOnce
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\RunOnce: [*upd_debug.exe] “C:\Documents and Settings\user\Application Data\5E61DD380A45D30866E01CB0F8ECDE89\upd_debug.exe”

DDS Line:

mRunOnce: [*upd_debug.exe] “C:\Documents and Settings\user\Application Data\5E61DD380A45D30866E01CB0F8ECDE89\upd_debug.exe”

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“*upd_debug.exe”=C:\Documents and Settings\user\Application Data\5E61DD380A45D30866E01CB0F8ECDE89\upd_debug.exe

Description: core component of Antimalware Doctor (rogue antispyware)

How to remove: use HijackThis + Malwarebytes` Anti-malware

XA5RJ9EADJ is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:3}.exe
Registry key:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | XA5RJ9EADJ
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | XA5RJ9EADJ

Command: C:\WINDOWS\TEMP\Sb2.exe
Startup Type: HKUS->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKUS\S-1-5-18\..\Run: [XA5RJ9EADJ] C:\WINDOWS\TEMP\Sb2.exe (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\Run: [XA5RJ9EADJ] C:\WINDOWS\TEMP\Sb2.exe (User ‘Default user’)

Combofix/RSIT Line:

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
“XA5RJ9EADJ”=”C:\WINDOWS\TEMP\Sb2.exe”
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“XA5RJ9EADJ”=”C:\WINDOWS\TEMP\Sb2.exe”

Description: trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“XA5RJ9EADJ”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

wmiprves is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM}.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | wmiprves

Command: %Temp%\{RANDOM}.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [wmiprves] C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

DDS Line:

mRun: [wmiprves] C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“wmiprves”=C:\DOCUME~1\User\LOCALS~1\Temp\qh0foylxn.exe

Description: trojan that also known as Trojan-Downloader.Win32.Murlo.gvs [Kaspersky Lab], Virus.Win32.Delf.HTI [Ikarus]
Notes: installed with l84alx.exe, msgciutr.dll

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

msgciutr.dll is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: msgciutr
Filename: msgciutr.dll
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | tghlig

Command: RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [tghlig] RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

DDS Line:

mRun: [tghlig] RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“tghlig”=RUNDLL32.EXE C:\WINDOWS\system32\msgciutr.dll,w

Description: trojan that also known as Trojan-PSW.Wowcraft [PCTools], Infostealer.Wowcraft [Symantec], Trojan-GameThief.Win32.WOW.abah [Kaspersky Lab], Mal/Behav-170 [Sophos], PWS:Win32/Frethog.MK [Microsoft], PWS.Win32 [Ikarus], Win-Trojan/Onlinegamehack.36865.EI [AhnLab]
Notes: installed with l84alx.exe

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

l84alx.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: l84alx
Filename: l84alx.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tcyz46

Command: %Temp%\l84alx.exe
Startup Type: HKLM->Policies\Explorer\Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Policies\Explorer\Run: [tcyz46] C:\DOCUME~1\User\LOCALS~1\Temp\l84alx.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
“tcyz46″=C:\DOCUME~1\User\LOCALS~1\Temp\l84alx.exe

Description: trojan also known as Trojan.Gen [PCTools], Trojan.Gen [Symantec], Backdoor.Win32.VB.lvn [Kaspersky Lab], Mal/VB-CF [Sophos], Trojan:Win32/Neop [Microsoft], Backdoor.Win32.VB [Ikarus]

How to remove: use HijackThis + Malwarebytes` Anti-malware + Kaspersky virus removal tool

W34BCG2GRJ is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:5}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | W34BCG2GRJ

Command: C:\WINDOWS\Ycupia.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [W34BCG2GRJ] C:\WINDOWS\Ycupia.exe

DDS Line:

uRun: [W34BCG2GRJ] C:\WINDOWS\Ycupia.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“W34BCG2GRJ”=C:\WINDOWS\Ycupia.exe

Description: Trojan.Win32.Monder.djia [Kaspersky Lab], Gen.Variant [Ikarus]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“W34BCG2GRJ”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).