PCBugSquad

Trace Sweeper is a rogue privacy software that when run on your computer displays fake an exaggerated results that cannot be removed unless you first purchase the software. The program is also set to run automatically when your computer starts, which will cause your computer to operate slower and create pop-ups about how you should register the software.

Trace Sweeper screen shot

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

tracesweeper.exe

Delete these files:
Lean how to remove files

c:\Program Files\Trace Sweeper
c:\Program Files\Trace Sweeper\tracesweeper.exe
c:\Program Files\Trace Sweeper\tracesweeper.url
c:\Program Files\Trace Sweeper\unins000.dat
c:\Program Files\Trace Sweeper\unins000.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Trace Sweeper on the Web.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Trace Sweeper.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Uninstall Trace Sweeper.lnk

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing. Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”tracesweeper”
=”C:\Program Files\Trace Sweeper\tracesweeper.exe”

The WORM_KOOBFACE.D worm is malware that spreads itself through the online social site called Facebook.  When a user becomes infected with this worm, it will install a copy of itself as C:\Windows\fbtre6.exe and then further download the following files:

• C:\5465465465463.BAT
• C:\Windows\fmark2.dat

When fbtre6.exe is run it will display the following message in Windows:

Error installing Codec. Please contact support.

It is important to note that this infection will delete itself if it detects that you have not used Facebook.com on the infected computer.  If Facebook cookies are found, though, it will add a link to a location where it can be downloaded in the infected user’s Facebook profile.  It is through these links in infected user’s profiles that the infection spreads.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

fbtre6.exe

Delete these files:
Lean how to remove files

C:\Windows\fbtre6.exe
C:\5465465465463.BAT
C:\Windows\fmark2.dat

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sysftray = “C:\Windows\fbtre6.exe”

The WORM_SOHANAD.DR worm is once that propogates as an attachment to email messages that are spammed by other malware or users.  It is also possible, that this worm can be installed via other malware that download and install it on your computer.  When infected the following files will be created on your computer:

• C:\Windows\dc.exe
• C:\Windows\SVIQ.EXE
• C:\Windows\System\Fun.exe

Once running, the worm will read your Outlook address book and spam all of the addresses in your address book with emails containing the attachments:

• dc.exe
• Fun.exe

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

dc.exe
sviq.exe
fun.exe

Delete these files:
Lean how to remove files

C:\Windows\dc.exe
C:\Windows\SVIQ.EXE
C:\Windows\System\Fun.exe

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
dc = “C:\Windows\dc.exe”
dc2k5 = “C:\Windows\SVIQ.EXE”
Fun = “C:\Windows\System\Fun.exe”

The TROJ_POPHOT.O Trojan is installed form other malware downloaded off of the Internet.  When run, this Trojan will install the following files on your computer:

• C:\Windows\System32\inf\scsys16_080725.dll
• C:\Windows\System32\inf\sppdcrs080725.scr
• C:\Windows\System32\inf\svchosd.exe
• C:\Windows\dcbdcatys32_080725a.dll
• C:\Windows\system\sgcxcxxaspf080725.exe
• C:\Windows\tawisys.ini
• C:\Windows\wftadfi16_080725a.dll

The Trojan will also add a registry entry to start itself every time you restart this computer. This registry entry will start C:\Windows\System32\inf\svchosd.exe, which is actually a renamed rundll32.exe, which will be used to load the code found in the wftadfi16_080725a.dll DLL file.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

svchosd.exe

Delete these files:
Lean how to remove files

C:\Windows\System32\inf\scsys16_080725.dll
C:\Windows\System32\inf\sppdcrs080725.scr
C:\Windows\System32\inf\svchosd.exe
C:\Windows\dcbdcatys32_080725a.dll
C:\Windows\system\sgcxcxxaspf080725.exe
C:\Windows\tawisys.ini
C:\Windows\wftadfi16_080725a.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\policies\Explorer\run
initnyuser = “%System%\inf\svchosd.exe %WINDOWS%\wftadfi16_080725a.dll tanlt88″

The Proscks Trojan modifies files on the compromised computer and connects to a remote server. Once infected you will be shown pop-up advertisements on your computer.

When infected the Trojan.Proscks.C malware will create the following files:

• %Temp%\RarSFX0\IPHOST.DLL
• %Temp%\RarSFX0\iphy.dll
• %Temp%\RarSFX0\xExe.dll
• %Temp%\RarSFX0\loaderSvc.exe
• %System%\IPHOST.DLL
• %System%\_proxy.dll
• %System%\iphy.dll
• %System%\fhpatch.dll
• %System%\fiplock.dll
• %System%\IpSvchostF.dll

Next, the Trojan copies the file %System%\svchost.exe to the following location:

%System%\[EIGHT RANDOM CHARACTERS]

It then modifies %System%\svchost.exe so that the following file is executed every time Windows starts:

%System%\IPHOST.DLL

The Trojan then downloads a .dll file from a remote location and saves it as %System%\IPHACTION.dll.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

loaderSvc.exe

Delete these files:

Lean how to remove files

%Temp%\RarSFX0\IPHOST.DLL
%Temp%\RarSFX0\iphy.dll
%Temp%\RarSFX0\xExe.dll
%Temp%\RarSFX0\loaderSvc.exe
%System%\IPHOST.DLL
%System%\_proxy.dll
%System%\iphy.dll
%System%\fhpatch.dll
%System%\fiplock.dll
%System%\IpSvchostF.dll

Secure Expert Cleaner is a program that states it can make your computer secure by cleaning it of security risks.  Unfortunately, this program does not live up to its name.  Secure Expert Cleaner will scan your computer and list legitimate programs as risks and state that they are dangerous.  Then, in order to remove them, you need to first purchase the software.

This software is a scam and should be avoided as you will only be wasting your money and not actually cleaning your computer.

Secure Expert Cleaner

Automatic Removal Method

We recommend that you install Spyware Doctor from PCTools in order to remove Secure Expert Cleaner from your computer. Spyware Doctor has an incredible track record for removing and detecting the latest malware.

Download Spyware Doctor to scan your computer for free

Manual Removal Instructions

End these processes:

Learn how to end processes

SEC.exe

Delete these files:
Lean how to remove files

c:\Documents and Settings\All Users\Application Data\SEC
c:\Documents and Settings\All Users\Start Menu\Programs\SecureExpertCleaner
<userprofile>\Local Settings\Temp\is-ROV72.tmp
c:\Program Files\SecureExpertCleaner
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT
c:\Documents and Settings\All Users\Desktop\Launch SecureExpertCleaner.lnk
c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db
c:\Documents and Settings\All Users\Start Menu\Programs\SecureExpertCleaner\Launch SecureExpertCleaner.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecureExpertCleaner\Uninstall SecureExpertCleaner.lnk
<userprofile>\Application Data\Microsoft\Internet Explorer\Quick Launch\SecureExpertCleaner.lnk
c:\Program Files\SecureExpertCleaner\mfc80.dll
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.MFC.manifest
c:\Program Files\SecureExpertCleaner\Reminder.exe
c:\Program Files\SecureExpertCleaner\SEC.exe
c:\Program Files\SecureExpertCleaner\SEC.ico
c:\Program Files\SecureExpertCleaner\SEC.xml
c:\Program Files\SecureExpertCleaner\unins.ico
c:\Program Files\SecureExpertCleaner\unins000.dat
c:\Program Files\SecureExpertCleaner\unins000.exe
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT\msvcp80.dll
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT\msvcr80.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\SEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3P_USEC_is1
HKEY_LOCAL_MACHINE\SOFTWARE\SEC

The W32.Azero.A infection is virus that infects .exe files so that when they are run they further infect other .exe files. When a .exe file is run the virus will create the following files:

• %System%\Windows 3d.scr
• %System%\commandprompt.sysm
• %System%\desktop.sysm
• %UserProfile%\application data\Microsoft\[4 RANDOM LETTERS].exe

It will then create the following folders:

It also creates the following folders:

• %UserProfile%\applications data\excel
• %UserProfile%\applications data\media player
• %UserProfile%\applications data\Microsoft
• %UserProfile%\applications data\office
• %UserProfile%\applications data\Windows
• %UserProfile%\applications data\word

It then creates the following Windows Registry entry so that it starts automatically when the computer boots up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”VisualStyle” = “%System%\desktop.sysm”

When a computer is infected with this virus they will find that their computer runs slower than normal and tends to crash.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

desktop.sysm

Delete these files:
Lean how to remove files

• %System%\Windows 3d.scr
• %System%\commandprompt.sysm
• %System%\desktop.sysm
• %UserProfile%\application data\Microsoft\[4 RANDOM LETTERS].exe

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”VisualStyle” = “%System%\desktop.sysm”

A new variant of the Troj_Renos.ACO infection was discovered that installs a file called lphc3pgj0e3ct.exe into your C:WindowsSystem32folder. This infection is installed on your computer by one of the following three methods:

• This Trojan may be downloaded from remote site(s) by other malware.
• It may be dropped by other malware.
• It may be downloaded unknowingly by a user when visiting malicious Web site(s).

When started, the infection will connect to a remote web site to download and run another file that is also detected as Troj_Renos.ACO.  It then copies itself to C:WindowsSystem32lphc3pgj0e3ct.exe and adds a entry into the Windows Registry to start the file everytime you boot your computer.

This infection will also change your Windows desktop wallpaper to look like:

Trojan Renos Wallpaper

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

lphc3pgj0e3ct.exe

Delete these files:
Lean how to remove files

C:WindowsSystem32lphc3pgj0e3ct.exe
C:WindowsSystem32phc3pgj0e3ct.bmp
C:WindowsSystem32blphc3pgj0e3ct.scr

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINESOFTWAREMicrosoft
WindowsCurrentVersionRun
lphc3pgj0e3ct = “%System%lphc3pgj0e3ct.exe”

XLGuarder, or XLG Security Center, is a rogue anti-spyware program that displays deliberate false information about infections found on your computer.  This malware is typical for its type:

• Shows false results
• Won’t let you remove any supposed infections unless you first purchase the software.
• Hijacks the Internet Explorer Start page.
• Makes your computer slower.
• Provides no way of contacting the developers of the software.

Overall, this software is a scam and should be avoided at all cost.  Please use the automated or manual removal instructions below to remove this infection.

XLGuarder or XLG Security Center image

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. It is know to be able to remove this malware and XLG Security Center is included in its current virus definitions.  A big thumbs up for Symantec adding this to removal definitions so quickly!

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

sysutil.exe

Delete these files:
Lean how to remove files

<userprofile>Start MenuProgramsProtection
c:windowssysutils
c:windowssysutilswarning
c:windowssysutilssounds
c:windowssysutilssettings.ini
c:windowssysutilssysutil.exe
c:windowssysutilssysutil_s.exe
c:windowssysutilsuninstall.exe
c:windowssysutilswinsystip.exe
c:windowssysutilssounds�1.wav
c:windowssysutilssounds�2.wav
c:windowssysutilssounds�3.wav
c:windowssysutilswarningalertpage.jpg
c:windowssysutilswarningspacer.gif
c:windowssysutilswarningwarningpage.html
<userprofile>Start MenuProgramsProtectionUninstall XLG.lnk
c:windowsiebho.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CLASSES_ROOTCLSID{D032570A-5F63-4812-A094-87D007C23012}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{D032570A-5F63-4812-A094-87D007C23012}
HKEY_CURRENT_USERSoftwaresysutils
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallsysutils

THe USS.exe Trojan is an executable that gets installed on your computer along with other malware.  This infection will also install a service called wasfsd that uses the filename C:\Windows\System32\drivers\System32. When running, this Trojan will display fake alerts that state your computer is being attacked or is infected with particular infections.  It will then ask if you would like to block or fix these infections, and if you specify yes, will open up an Internet Explorer window where it prompts you to buy Trusted Antivirus.

Fake alerts from USS.exe

Automatic Removal Method

We recommend that you install Spyware Doctor from PCTools in order to remove USS.exe Trojan from your computer. Spyware Doctor has an incredible track record for removing and detecting the latest malware.

Download Spyware Doctor to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

USS.exe

Delete these files:
Lean how to remove files

c:\END
c:\Program Files\USS
c:\Program Files\USS\unins000.dat
c:\Program Files\USS\unins000.exe
c:\Program Files\USS\USS.exe
c:\Program Files\USS\#agents
c:\Program Files\USS\#agents\53
c:\Program Files\USS\#agents\53\#startup
c:\Program Files\USS\#monitors
c:\Program Files\USS\#monitors\DirMonitor
c:\Program Files\USS\#monitors\FileMonitor
c:\Program Files\USS\#monitors\RegMonitor
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.dll
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.xml
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\kernel.dll
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.dat
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.exe
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.xml
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.xml
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcp71.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcr71.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.dat
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.exe
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\GSCRPlugin.dll
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.dat
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.exe
c:\WINDOWS\system32\drivers\wasfsd.sys

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\USLst
HKEY_CURRENT_USER\Software\USS
HKEY_CLASSES_ROOT\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22}
HKEY_CLASSES_ROOT\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422}
HKEY_CLASSES_ROOT\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42622}
HKEY_CLASSES_ROOT\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422}
HKEY_CLASSES_ROOT\wasfsd.CreationNotifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{D1957FF4-EA22-4b4a-81A1-C62068479DED}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{EC572088-91C7-4293-93F9-93D40B0E0B36}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_is1
HKEY_LOCAL_MACHINE\SOFTWARE\USS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wasfsd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wasfsd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run => USS