Archive for the 'Winlogon\Shell' Category

What is palladium.exe, How to remove palladium.exe

Tuesday, January 4th, 2011

palladium.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: palladium
Filename: palladium.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = “%AppData%\palladium.exe”

Command: %AppData%\palladium.exe
Startup Type: HKCU->Winlogon->Shell
Description: core component of Palladium Pro. Palladium Pro is a fake security program (rogue antispyware).

How to remove: use the fake Palladium Pro removal instructions.

What is hotfix.exe, How to remove hotfix.exe

Wednesday, September 22nd, 2010

hotfix.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: hotfix
Filename: hotfix.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | “Shell” = “%UserProfile%\Application Data\hotfix.exe”

Command: %AppData%\hotfix.exe
Startup Type: HKCU->Winlogon->Shell
Description: core component of Microsoft Security Essentials FakeAlert trojan

How to remove: use the fake Microsoft Security Essentials Alert removal instructions.

What is ntload.exe, How to remove ntload.exe

Friday, August 27th, 2010

ntload.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ntload
Filename: ntload.exe
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | rundll32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: %Windir%\system32\ntload.exe
Startup Type: Winlogon->Shell, HKLM->Run
HijackThis Category: F2, O4
HijackThis Line:

F2 – REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\ntload.exe
O4 – HKLM\..\Run: [rundll32] C:\WINDOWS\system32\ntload.exe

Description: component of Advanced Security Tool 2010 (rogue antispyware)

How to remove: use the Advanced Security Tool 2010 removal guide or or the steps below.

1. Download HijackThis from here and save it to your desktop. Most important, in the Save dialog, rename HijackThis.exe to iexplore.exe !!!
2. Run HijackThis. Main menu opens. Click to “Do a system scan only” button. After HijackThis completes the system scan, check the box to the left of the following items:

F2 – REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\ntload.exe
O4 – HKLM\..\Run: [rundll32] C:\WINDOWS\system32\ntload.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.
3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is AVDefender 2011, How to remove AVDefender 2011

Thursday, August 26th, 2010

AVDefender 2011 is a malicious program.

remove It is a malware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM}.exe
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = “%AppData%\{RANDOM}\{RANDOM}.exe”

Command: %AppData%\{RANDOM}\{RANDOM}.exe
Startup Type: Winlogon->Shell
Description: rogue antivirus program

How to remove: use the AVDefender 2011 removal instructions

What is antispy.exe, How to remove antispy.exe

Thursday, August 26th, 2010

antispy.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: antispy
Filename: antispy.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shel”

Command: %UserProfile%\Application Data\antispy.exe
Startup Type: HKCU->Winlogon->Shell
Description: core component of one of Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard (rogue antivirus programs). It is installed by Microsoft Security Essentials Alert trojan.

How to remove: use the Microsoft Security Essentials Alert trojan removal instructions

What is srnh.lto, How to remove srnh.lto

Wednesday, May 19th, 2010

srnh.lto is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: srnh
Filename: srnh.lto
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe rundll32.exe srnh.lto iqfnr
CLSID: clsid
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: Shell=Explorer.exe rundll32.exe srnh.lto iqfnr

Description: component of Win32/Oficla trojan

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is hspe.uvo, How to remove hspe.uvo

Wednesday, April 21st, 2010

hspe.uvo is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: hspe
Filename: hspe.uvo
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe, rundll32.exe hspe.uvo bnjpid
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: Shell=Explorer.exe, rundll32.exe hspe.uvo bnjpid

Description: component of a trojan that also known as Backdoor.Bredolab [PCTools], Mal/EncPk-NS, Mal/FakeAV-BW, Mal/FakeAV-DF, Mal/FakeAV-BW [Sophos], packed with: PE_Patch.UPX [Kaspersky Lab]

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is awxm.vho, How to remove awxm.vho

Monday, April 19th, 2010

awxm.vho is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: awxm
Filename: awxm.vho
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe rundll32.exe awxm.vho rlvgf
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: Shell=Explorer.exe rundll32.exe awxm.vho rlvgf

Description: component of a trojan that also known as Backdoor.Bredolab [PCTools], Mal/EncPk-NS, Mal/FakeAV-BW, Mal/FakeAV-DF, Mal/FakeAV-BW [Sophos], packed with: PE_Patch.UPX [Kaspersky Lab]

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is ngts.vao, How to remove ngts.vao

Friday, April 16th, 2010

ngts.vao is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ngts
Filename: ngts.vao
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe rundll32.exe ngts.vao uvibls
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: Shell=Explorer.exe rundll32.exe ngts.vao uvibls

Description: component of a trojan that also known as Backdoor.Bredolab [PCTools], Mal/EncPk-NS, Mal/FakeAV-BW, Mal/FakeAV-DF, Mal/FakeAV-BW [Sophos], packed with: PE_Patch.UPX [Kaspersky Lab]

How to remove: use HijackThis + Malwarebytes` Anti-malware

What is rihd.pno, How to remove rihd.pno

Tuesday, April 13th, 2010

rihd.pno is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: rihd
Filename: rihd.pno
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell

Command: Explorer.exe, rundll32.exe rihd.pno eaoydsi
Startup Type: Winlogon->Shell
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: Shell=Explorer.exe, rundll32.exe rihd.pno eaoydsi

Description: component of Bredolab trojan

How to remove: use HijackThis + Malwarebytes` Anti-malware