Archive for the 'Threats' Category

What is IronDefender, How to remove IronDefender

Monday, September 13th, 2010

This is a harmful program.

remove It is a malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Files:

c:\Documents and Settings\All Users\Start Menu\Programs\IronDefender.lnk
%UserProfile%\Desktop\IronDefender.lnk
c:\Program Files\{RANDOM}
c:\Program Files\{RANDOM}\{RANDOM}.exe
c:\Program Files\{RANDOM}\Uninstall.exe
c:\WINDOWS\{RANDOM}.exe
c:\WINDOWS\{RANDOM}.bin
c:\WINDOWS\{RANDOM}.dll
c:\WINDOWS\{RANDOM}.cpl
c:\WINDOWS\system32\{RANDOM}.exe
c:\WINDOWS\system32\{RANDOM}.bin
c:\WINDOWS\system32\{RANDOM}.dll
c:\WINDOWS\system32\{RANDOM}.cpl

Registry keys/values:

HKEY_CURRENT_USER\Software\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\IronDefender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IronDefender
HKEY_CURRENT_USER\Software | Install_Dir = “C:\Program Files\{RANDOM}”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe

Startup Type: HKLM->Run, HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [{RANDOM}.exe] “C:\Program Files\{RANDOM}\{RANDOM}.exe” -min
O4 – HKCU\..\Run: [{RANDOM}.exe] C:\WINDOWS\system32\{RANDOM}.exe

Description: rogue antispyware program

How to remove: use the IronDefender removal instructions.

What is mmduch.dll, How to remove mmduch.dll

Sunday, September 12th, 2010

mmduch.dll is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: mmduch
Filename: mmduch.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9429BB93-2DC8-4C12-83A6-91BF6B374D85}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | bipro

Command: %WinDir%\$NtUninstallMTF1011$\mmduch.dll
CLSID: {9429BB93-2DC8-4C12-83A6-91BF6B374D85}
Startup Type: BHO, HKLM->Run
HijackThis Category: O2, O4
HijackThis Line:

O2 – BHO: Sky-Banners Browser Enhancer mmduch – {9429BB93-2DC8-4C12-83A6-91BF6B374D85} – C:\Windows\$NtUninstallMTF1011$\mmduch.dll
O4 – HKLM\..\Run: [bipro] rundll32 “C:\Windows\$NtUninstallMTF1011$\mmduch.dll”,,Run

DDS Line:

BHO: Sky-Banners Browser Enhancer mmduch: {9429BB93-2DC8-4C12-83A6-91BF6B374D85} – C:\Windows\$NtUninstallMTF1011$\mmduch.dll
mRun: [bipro] “C:\Windows\$NtUninstallMTF1011$\mmduch.dll”,,Run

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9429BB93-2DC8-4C12-83A6-91BF6B374D85}]
Sky-Banners Browser Enhancer mmduch – C:\Windows\$NtUninstallMTF1011$\mmduch.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“bipro”=”C:\Windows\$NtUninstallMTF1011$\mmduch.dll”,,Run

Description: component of Sky-Banners Browser Enhancer malware

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9429BB93-2DC8-4C12-83A6-91BF6B374D85}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“bipro”=-

:files
%WinDir%\$NtUninstallMTF1011$\mmduch.dll

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antivirpwr.com, How to remove antivirpwr.com

Sunday, September 12th, 2010

Antivirpwr.com is a malicious website

remove The site was created to spread Security Suite. If your browser is redirected to antivirpwr.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.205
Site addess: antivirpwr.com
Description: antivirpwr.com is not related with legit security company and can be seen on infected computers. The site used to promote the rogue antispyware program called Security Suite.

How to remove: use these antivirpwr removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antivircat.com, How to remove antivircat.com

Friday, September 10th, 2010

Antivircat.com is a malicious website

remove The site was created to spread Security Suite. If your browser is redirected to antivircat.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.205
Site addess: antivircat.com
Description: antivircat.com is not related with legitimate security company and can be seen on infected computers. The site used to promote the rogue antispyware program called Security Suite.

How to remove: use these antivircat removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Malware Destructor 2011, How to remove Malware Destructor 2011

Friday, September 10th, 2010

Malware Destructor 2011 is a harmful program.

remove It is a rogue antispyware program that uses misleading tactics to trick you into purchasing its full version. You should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Command: %AppData%\{RANDOM}\KB5625711.exe
Description: rogue antispyware

How to remove: use the Malware Destructor 2011 removal instructions.

What is antivirhand.com, How to remove antivirhand.com

Tuesday, September 7th, 2010

Antivirhand.com is a malicious website

remove The site was created to spread Security Suite. If your browser is redirected to antivirhand.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.205
Site addess: antivirhand.com
Description: antivirhand.com is not related with legit security company and can be seen on infected computers. The site used to promote the rogue antispyware program called Security Suite.

How to remove: use these antivirhand removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antispyfond.com, How to remove antispyfond.com

Saturday, September 4th, 2010

Antispyfond.com is a malicious website

remove The site was created to spread Security Suite. If your browser is redirected to antispyfond.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.205
Site addess: antispyfond.com
Description: antispyfond.com is not related with legit security company and can be seen on infected computers. The site used to promote the rogue antispyware program called Security Suite.

How to remove: use these antispyfond removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is Win7 AV.exe, How to remove Win7 AV .exe

Saturday, September 4th, 2010

Win7 AV.exe is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: Win7 AV
Filename: Win7 AV.exe
Command: %ProgramFiles%\Win7 AV\Win7 AV.exe
Description: core component of Win7 AV (rogue antispyware)

How to remove: use the Win7 AV removal instructions.

What is XBV6RD5SZF, How to remove XBV6RD5SZF

Friday, September 3rd, 2010

XBV6RD5SZF is a harmful program.

remove It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Filename: {RANDOM:3}.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | XBV6RD5SZF

Command: %Temp%\{RANDOM:3}.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [XBV6RD5SZF] C:\DOCUME~1\username\LOCALS~1\Temp\Ude.exe

DDS Line:

uRun: [XBV6RD5SZF] C:\DOCUME~1\username\LOCALS~1\Temp\Ude.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“XBV6RD5SZF”=C:\DOCUME~1\username\LOCALS~1\Temp\Ude.exe

Description: new variant of trojan FakeAlert that also known as Mal/FakeAV-CX [Sophos], TrojanDownloader:Win32/Renos.KF [Microsoft], Win-Trojan/Variant.183296.B [AhnLab]

How to remove: use HijackThis + Malwarebytes` Anti-malware or the steps below.

1. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“XBV6RD5SZF”=-

:Commands
[emptytemp]
[Reboot]

Click the red Moveit! button. If you are asked to reboot the machine choose Yes. When the tool is finished, it will produce a report for you.

2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

What is antispyjob.com, How to remove antispyjob.com

Friday, September 3rd, 2010

Antispyjob.com is a malicious website

remove The site was created to spread Security Suite. If your browser is redirected to antispyjob.com, then you should immediately check your PC using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

IP Address: 79.135.152.205
Site addess: antispyjob.com
Description: antispyjob.com is not related with legit security company and can be seen on infected computers. The site used to promote the rogue antispyware program called Security Suite.

How to remove: use these antispyjob removal instructions or the steps below in order to remove this infection.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).