HT Logs. Tips, FAQs, Analyze.

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: sfc
Filename: sfc.sys
Registry key:

KEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SFC

Command: C:\WINDOWS\system32\drivers\sfc.sys
Startup Type: Driver
Combofix/RSIT Line:

S4 sfc;sfc; C:\WINDOWS\system32\drivers\sfc.sys

Description: trojan Win32.Agent

How to remove: try Malwarebytes` Anti-malware or ask for help at Spyware removal forum.

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: kj32
Filename: kj32.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6458C00E-EF7F-4f06-9E06-49EA923386FD}

Command: C:\WINDOWS\System32\kj32.dll
CLSID: {6458C00E-EF7F-4f06-9E06-49EA923386FD}
Startup Type: BHO
HijackThis Category: O2
HijackThis Line:

O2 – BHO: pl – {6458C00E-EF7F-4f06-9E06-49EA923386FD} – C:\WINDOWS\System32\kj32.dll

Description: trojan bho

How to remove: use HijackThis + use Malwarebytes` Anti-malware

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: _ex-68
Filename: _ex-68.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PromoReg

Command: C:\WINDOWS\Temp\_ex-68.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-68.exe

Description: unknown trojan component, that installed with rogue antispyware programs

How to remove: use HijackThis + use Malwarebytes Antimalware

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: rncsys32
Filename: rncsys32.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:

O4 – Startup: rncsys32.exe

Description: trojan [Downloader-BRM]. Read more here.

How to remove: use HijackThis

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: Cleanup
Filename: Cleanup.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:

O4 – Global Startup: Cleanup.exe

Description: trojan component [Trojan.Win32.Zapchast]

How to remove: use HijackThis + use Malwarebytes Antimalware

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: twext
Filename: twext.exe
Command: C:\WINDOWS\system32\twext.exe
Startup Type: system.ini
HijackThis Category: F2
HijackThis Line:

F2 – REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,

Description: trojan Infostealer.Banker, also known as Zbot, PWS-Zbot.gen.c, Mal/EncPk-CZ

How to remove: Malwarebytes Antimalware

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: oembios
Filename: oembios.exe
Command: C:\WINDOWS\system32\oembios.exe
Startup Type: HKUS->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\oembios.exe (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\oembios.exe (User ‘Default user’)

Description: trojan Zbot, also known as Infostealer.Banker, PWS-Zbot.gen.c, Mal/EncPk-CZ

How to remove: use Malwarebytes Antimalware

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: paumrt32
Filename: paumrt32.exe
Registry key:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ho29RhH5e

CLSID: startupreg
Startup Type:
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ho29RhH5e]
paumrt32.exe

Description: Unknown trojan

These ip addresses that uses DNSChanger trojan.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

HijackThis Category: O17
HijackThis Line:

O17 – HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.117,85.255.112.121

Description: 85.255.112.117 and 85.255.112.121 are ip addresses that uses trojan DNSChanger

How to remove: use these trojan DNSChanger removal instructions

This is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: net
Filename: net.net
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | net

Command: C:\WINDOWS\system32\net.net
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [net] “C:\WINDOWS\system32\net.net”

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“net”=C:\WINDOWS\system32\net.net

Description: unknown trojan, usually installed with rogue antispyware software

How to remove: use HijackThis