Archive for the 'O4' Category

What is JDK5SWFMZY, How to remove JDK5SWFMZY

Monday, July 19th, 2010

JDK5SWFMZY is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:3}.exe, example: Ipa.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | JDK5SWFMZY

Command: %Temp%\{random:3}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [JDK5SWFMZY] C:\DOCUME~1\username\LOCALS~1\Temp\Ipa.exe

DDS Line:

uRun: [JDK5SWFMZY] C:\DOCUME~1\username\LOCALS~1\Temp\Ipa.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“JDK5SWFMZY”=C:\DOCUME~1\username\LOCALS~1\Temp\Ipa.exe

Description: trojan FakeAlert, also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“JDK5SWFMZY”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Antivir Solution Pro, How to remove Antivir Solution Pro

Tuesday, July 13th, 2010

Antivir Solution Pro is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Command: %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe
Startup Type: HKLM->Run, HKCU->Run
HijackThis Category: R1, O4
HijackThis Line:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [{RANDOM}] %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe
O4 – HKCU\..\Run: [{RANDOM}] %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe

Description: rogue antispyware program

How to remove: use the Antivir Solution Pro removal guidelines or the steps below.

1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!! If you can`t download HijackThis, then: a) boot your PC in Safe mode with networking and try once again; b) reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is EWABQAF7KL, How to remove EWABQAF7KL

Wednesday, July 7th, 2010

EWABQAF7KL is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:3}.exe, example: Qgd.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | EWABQAF7KL

Command: %Temp%\{random:3}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [EWABQAF7KL] C:\DOCUME~1\UserName\LOCALS~1\Temp\Qgd.exe

DDS Line:

uRun: [EWABQAF7KL] C:\DOCUME~1\UserName\LOCALS~1\Temp\Qgd.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“EWABQAF7KL”=C:\DOCUME~1\UserName\LOCALS~1\Temp\Qgd.exe

Description: trojan FakeAlert, also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis +Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“EWABQAF7KL”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is AntivirusGT.exe, How to remove AntivirusGT.exe

Monday, July 5th, 2010

AntivirusGT.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: AntivirusGT
Filename: AntivirusGT.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | AVGT

Command: C:\Program Files\AVGT\AntivirusGT.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [AVGT] C:\Program Files\AVGT\AntivirusGT.exe

DDS Line:

uRun: [AVGT] C:\Program Files\AVGT\AntivirusGT.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“AVGT″=C:\Program Files\AVGT\AntivirusGT.exe

Description: core component of AntivirusGT. AntivirusGT is a rogue antispyware program.

How to remove: use the AntivirusGT removal instructions or the steps below.

1. Run Internet Explorer, open Tools menu and select Manage Add-ons option. Select UpdateCheck.dll addon and click disable. Click Ok and OK again. Close Internet Explorer.

2. Right click to Task bar and select Task Manager. In the list of processes, select AntivirusGT.exe and click End process button to stop it. Click Yes to confirm it. Close task Manager.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is iexplarer.exe, How to remove iexplarer.exe

Thursday, July 1st, 2010

iexplarer.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: iexplarer
Filename: iexplarer.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}

Command: %Temp%\iexplarer.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [sdr8gdrgdrgke49orkgsjkjfjhsd] C:\Users\username\AppData\Local\Temp\iexplarer.exe

DDS Line:

uRun: [sdr8gdrgdrgke49orkgsjkjfjhsd] C:\Users\username\AppData\Local\Temp\iexplarer.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“sdr8gdrgdrgke49orkgsjkjfjhsd”=C:\Users\username\AppData\Local\Temp\iexplarer.exe

Description: trojan downloader

How to remove: use HijackThis + Malwarebytes` Anti-malware.

What is 070700Setup.exe, How to remove 070700Setup.exe

Wednesday, June 30th, 2010

070700Setup.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: 070700Setup
Filename: 070700Setup.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | 070700Setup.exe

Command: %AppData%\{RANDOM}\070700Setup.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [070700Setup.exe] C:\Users\username\AppData\Roaming\00AC8B93A187B065AEDCFB93602343CB\070700Setup.exe

DDS Line:

uRun: [070700Setup.exe] C:\Users\username\AppData\Roaming\00AC8B93A187B065AEDCFB93602343CB\070700Setup.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“070700Setup.exe”=C:\Users\username\AppData\Roaming\00AC8B93A187B065AEDCFB93602343CB\070700Setup.exe

Description: core component of Antimalware doctor. Antimalware doctor is a rogue antispyware application.

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“070700Setup.exe”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is AV Antivirus Suite, How to remove AV Antivirus Suite

Tuesday, June 29th, 2010

AV Antivirus Suite is a rogue antispyware program.

remove It is a fake security program (rogu antispyware) from the same family of malware as Av Security Suite, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Command: %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe
Startup Type: O4
HijackThis Category: R1, O4
HijackThis Line:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [{RANDOM}] %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe
O4 – HKCU\..\Run: [{RANDOM}] %UserProfile%\Local Settings\Application Data\{RANDOM}\{RANDOM}.exe

Description: rogue antispyware program

How to remove: use the AV Antivirus Suite removal guide or the steps below.

1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!! If you can`t download HijackThis, then: a) boot your PC in Safe mode with networking and try once again; b) reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1
O4 – HKLM\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe
O4 – HKCU\..\Run: [{random}] C:\Documents and Settings\user\Local Settings\Application Data\{random}\{random}.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is QNB2EB90WX, How to remove QNB2EB90WX

Monday, June 28th, 2010

QNB2EB90WX is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {random:3}.exe, example: Ufr.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | QNB2EB90WX

Command: %Temp%\{random:3}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [QNB2EB90WX] C:\DOCUME~1\username\LOCALS~1\Temp\Ufr.exe

DDS Line:

uRun: [QNB2EB90WX] C:\DOCUME~1\username\LOCALS~1\Temp\Ufr.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“QNB2EB90WX”=C:\DOCUME~1\username\LOCALS~1\Temp\Ufr.exe

Description: trojan FakeAlert, also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“QNB2EB90WX”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install and perform a scan.

What is AVSuite.exe, How to remove AVSuite.exe

Monday, June 28th, 2010

AVSuite.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: AVSuite
Filename: AVSuite.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | AVSuite

Command: C:\Program Files\AV Security Suite Basic\AVSuite.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [AVSuite] C:\Program Files\AV Security Suite Basic\AVSuite.exe /tray

DDS Line:

uRun: [AVSuite] C:\Program Files\AV Security Suite Basic\AVSuite.exe /tray

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“AVSuite”=C:\Program Files\AV Security Suite Basic\AVSuite.exe /tray

Description: component of rogue antispyware program called AV Security Suite Basic

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is dsoqq.exe, How to remove dsoqq.exe

Thursday, June 24th, 2010

dsoqq.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: dsoqq
Filename: dsoqq.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | dso32

Command: %Temp%\dsoqq.exe
Startup Type: HKCU->Run
HijackThis Category: O4

O4 – HKCU\..\Run: [dso32] %Temp%\dsoqq.exe

DDS Line:

uRun: [dso32] %Temp%\dsoqq.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“dso32″=%Temp%\dsoqq.exe

Description: autorun.inf trojan, a component of Infostealer.Gampass [Symantec], Worm.Win32.AutoRun.bijz [Kaspersky Lab], Win-Trojan/Onlinegamehack.114688.L [AhnLab]

How to remove: use these autorun.inf trojans removal instructions