Archive for the 'Trojan' Category

liser.exe is a trojan

Saturday, June 27th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: liser
Filename: liser.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | kell

Command: c:\program Files\Manson\liser.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O4 - HKCU\..\Run: [kell] c:\program Files\Manson\liser.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kell"=c:\program Files\Manson\liser.exe

Description: trojan that is installed with rogue antivirus/antispyware apps.

How to remove: use Malwarebytes Antimalware

liser.dll is a trojan

Saturday, June 27th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: liser
Filename: liser.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLS

Command: c:\progra~1\Manson\liser.dll
Startup Type: AppInit DLL
HijackThis Category: O20
HijackThis Line:

O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\progra~1\Manson\liser.dll"

Description: trojan agent [Malwarebytes Anti-malware]

How to remove: use Malwarebytes Antimalware

msncache is a trojan component

Saturday, June 27th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: msncache
Startup Type: Service (svchost)
Combofix/RSIT Line:

R2 msncache;msncache; C:\WINDOWS\system32\svchost.exe [2004-08-18 14336]

Description: Unknown trojan component

wingenocx.dll is a trojan BHO

Monday, June 15th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: wingenocx
Filename: wingenocx.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}

Command: C:\WINDOWS\system32\wingenocx.dll
CLSID: {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
Startup Type: BHO
HijackThis Category: O2
HijackThis Line:

O2 - BHO: BhoApp - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\WINDOWS\system32\wingenocx.dll

Description: trojan BHO that is installed with Protection System (rogue antispyware software)

How to remove: use Malwarebytes Antimalware

podmena.sys is a Trojan.Downloader

Friday, June 12th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: podmena
Filename: podmena.sys
Command: c:\program files\podmena\podmena.sys
Startup Type: driver

R1 podmenadrv;podmenadrv;c:\program files\podmena\podmena.sys [6/8/2009 11:31 AM 9472]
R2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [8/10/2004 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
podmena REG_MULTI_SZ podmena

Description: Trojan.Downloader

How to remove: use these podmena.sys removal instructions

poswin.dll is a trojan FakeAlert

Friday, June 12th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: poswin
Filename: poswin.dll
Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F60777DA-D6A6-40F6-B665-6F361C1017B6}

Command: C:\WINDOWS\poswin.dll
CLSID: {F60777DA-D6A6-40F6-B665-6F361C1017B6}
Startup Type: BHO
HijackThis Category: O2
HijackThis Line:

O2 - BHO: PLAsim plugin - {F60777DA-D6A6-40F6-B665-6F361C1017B6} - C:\WINDOWS\poswin.dll

Description: trojan FakeAlert

How to remove: use HijackThis + use Malwarebytes Antimalware

rs32net.exe is a TrojanDropper

Friday, June 12th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: rs32net
Filename: rs32net.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | rs32net

Command: C:\WINDOWS\System32\rs32net.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe

Combofix/RSIT Line:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rs32net"=C:\WINDOWS\System32\rs32net.exe

Description: rs32net.exe is a TrojanDropper, also known as Mal/Pushdo-A [Sophos], Trojan.Pandex [Symantec], FakeAlert-AG.gen.c [McAfee].

How to remove: Use HijackThis

ati3xmxx.sys is a trojan

Friday, June 12th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: ati3xmxx
Filename: ati3xmxx.sys
Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3xmxx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati3xmxx.sys

Startup Type: SafeBoot
Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3xmxx.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati3xmxx.sys]

Description: unknown trojan

brzycg.exe is an autorun.inf trojan

Friday, June 12th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: brzycg
Filename: brzycg.exe
Registry key:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd700ec2-fc05-11dd-b448-001fd00766ec}

CLSID: {fd700ec2-fc05-11dd-b448-001fd00766ec}
Startup Type: autorun.inf
Combofix/RSIT Line:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd700ec2-fc05-11dd-b448-001fd00766ec}]
shell\AutoRun\command - brzycg.exe
shell\explore\command - brzycg.exe
shell\open\command - brzycg.exe

Description: an autorun.inf trojan

How to remove: read the article – How to remove trojans that uses autorun.inf file

MSIVXserv.sys is a trojan

Wednesday, June 10th, 2009

This is a harmful program.

It is a component of malware or spyware; you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the Spyware removal forum.

Name: MSIVXserv
Driver name: MSIVXserv.sys
Command: uses random file name (%windir%\system32\drivers\MSIVXvquesrhnkoyrrnpgwdkuydpqnmoxfqba.sys)
Startup Type: hidden driver
Description: trojan that uses rootkit techniques in order to hide itself.

How to remove: use these MSIVXserv.sys removal instructions.