Trace Sweeper screen shot

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

tracesweeper.exe

Delete these files:
Lean how to remove files

c:\Program Files\Trace Sweeper
c:\Program Files\Trace Sweeper\tracesweeper.exe
c:\Program Files\Trace Sweeper\tracesweeper.url
c:\Program Files\Trace Sweeper\unins000.dat
c:\Program Files\Trace Sweeper\unins000.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Trace Sweeper on the Web.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Trace Sweeper.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Uninstall Trace Sweeper.lnk

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing. Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”tracesweeper”
=”C:\Program Files\Trace Sweeper\tracesweeper.exe”

• C:\5465465465463.BAT
• C:\Windows\fmark2.dat

When fbtre6.exe is run it will display the following message in Windows:

Error installing Codec. Please contact support.

It is important to note that this infection will delete itself if it detects that you have not used Facebook.com on the infected computer.  If Facebook cookies are found, though, it will add a link to a location where it can be downloaded in the infected user’s Facebook profile.  It is through these links in infected user’s profiles that the infection spreads.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

fbtre6.exe

Delete these files:
Lean how to remove files

C:\Windows\fbtre6.exe
C:\5465465465463.BAT
C:\Windows\fmark2.dat

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sysftray = “C:\Windows\fbtre6.exe”

• C:\Windows\dc.exe
• C:\Windows\SVIQ.EXE
• C:\Windows\System\Fun.exe

Once running, the worm will read your Outlook address book and spam all of the addresses in your address book with emails containing the attachments:

• dc.exe
• Fun.exe

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

dc.exe
sviq.exe
fun.exe

Delete these files:
Lean how to remove files

C:\Windows\dc.exe
C:\Windows\SVIQ.EXE
C:\Windows\System\Fun.exe

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
dc = “C:\Windows\dc.exe”
dc2k5 = “C:\Windows\SVIQ.EXE”
Fun = “C:\Windows\System\Fun.exe”

• C:\Windows\System32\inf\scsys16_080725.dll
• C:\Windows\System32\inf\sppdcrs080725.scr
• C:\Windows\System32\inf\svchosd.exe
• C:\Windows\dcbdcatys32_080725a.dll
• C:\Windows\system\sgcxcxxaspf080725.exe
• C:\Windows\tawisys.ini
• C:\Windows\wftadfi16_080725a.dll

The Trojan will also add a registry entry to start itself every time you restart this computer. This registry entry will start C:\Windows\System32\inf\svchosd.exe, which is actually a renamed rundll32.exe, which will be used to load the code found in the wftadfi16_080725a.dll DLL file.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

svchosd.exe

Delete these files:
Lean how to remove files

C:\Windows\System32\inf\scsys16_080725.dll
C:\Windows\System32\inf\sppdcrs080725.scr
C:\Windows\System32\inf\svchosd.exe
C:\Windows\dcbdcatys32_080725a.dll
C:\Windows\system\sgcxcxxaspf080725.exe
C:\Windows\tawisys.ini
C:\Windows\wftadfi16_080725a.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\policies\Explorer\run
initnyuser = “%System%\inf\svchosd.exe %WINDOWS%\wftadfi16_080725a.dll tanlt88″

When infected the Trojan.Proscks.C malware will create the following files:

• %Temp%\RarSFX0\IPHOST.DLL
• %Temp%\RarSFX0\iphy.dll
• %Temp%\RarSFX0\xExe.dll
• %Temp%\RarSFX0\loaderSvc.exe
• %System%\IPHOST.DLL
• %System%\_proxy.dll
• %System%\iphy.dll
• %System%\fhpatch.dll
• %System%\fiplock.dll
• %System%\IpSvchostF.dll

Next, the Trojan copies the file %System%\svchost.exe to the following location:

%System%\[EIGHT RANDOM CHARACTERS]

It then modifies %System%\svchost.exe so that the following file is executed every time Windows starts:

%System%\IPHOST.DLL

The Trojan then downloads a .dll file from a remote location and saves it as %System%\IPHACTION.dll.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

loaderSvc.exe

Delete these files:

Lean how to remove files

%Temp%\RarSFX0\IPHOST.DLL
%Temp%\RarSFX0\iphy.dll
%Temp%\RarSFX0\xExe.dll
%Temp%\RarSFX0\loaderSvc.exe
%System%\IPHOST.DLL
%System%\_proxy.dll
%System%\iphy.dll
%System%\fhpatch.dll
%System%\fiplock.dll
%System%\IpSvchostF.dll

This software is a scam and should be avoided as you will only be wasting your money and not actually cleaning your computer.

Secure Expert Cleaner

Automatic Removal Method

We recommend that you install Spyware Doctor from PCTools in order to remove Secure Expert Cleaner from your computer. Spyware Doctor has an incredible track record for removing and detecting the latest malware.

Download Spyware Doctor to scan your computer for free

Manual Removal Instructions

End these processes:

Learn how to end processes

SEC.exe

Delete these files:
Lean how to remove files

c:\Documents and Settings\All Users\Application Data\SEC
c:\Documents and Settings\All Users\Start Menu\Programs\SecureExpertCleaner
<userprofile>\Local Settings\Temp\is-ROV72.tmp
c:\Program Files\SecureExpertCleaner
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT
c:\Documents and Settings\All Users\Desktop\Launch SecureExpertCleaner.lnk
c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db
c:\Documents and Settings\All Users\Start Menu\Programs\SecureExpertCleaner\Launch SecureExpertCleaner.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\SecureExpertCleaner\Uninstall SecureExpertCleaner.lnk
<userprofile>\Application Data\Microsoft\Internet Explorer\Quick Launch\SecureExpertCleaner.lnk
c:\Program Files\SecureExpertCleaner\mfc80.dll
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.MFC.manifest
c:\Program Files\SecureExpertCleaner\Reminder.exe
c:\Program Files\SecureExpertCleaner\SEC.exe
c:\Program Files\SecureExpertCleaner\SEC.ico
c:\Program Files\SecureExpertCleaner\SEC.xml
c:\Program Files\SecureExpertCleaner\unins.ico
c:\Program Files\SecureExpertCleaner\unins000.dat
c:\Program Files\SecureExpertCleaner\unins000.exe
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT\msvcp80.dll
c:\Program Files\SecureExpertCleaner\Microsoft.VC80.CRT\msvcr80.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\SEC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3P_USEC_is1
HKEY_LOCAL_MACHINE\SOFTWARE\SEC

• %System%\Windows 3d.scr
• %System%\commandprompt.sysm
• %System%\desktop.sysm
• %UserProfile%\application data\Microsoft\[4 RANDOM LETTERS].exe

It will then create the following folders:

It also creates the following folders:

• %UserProfile%\applications data\excel
• %UserProfile%\applications data\media player
• %UserProfile%\applications data\Microsoft
• %UserProfile%\applications data\office
• %UserProfile%\applications data\Windows
• %UserProfile%\applications data\word

It then creates the following Windows Registry entry so that it starts automatically when the computer boots up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”VisualStyle” = “%System%\desktop.sysm”

When a computer is infected with this virus they will find that their computer runs slower than normal and tends to crash.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

desktop.sysm

Delete these files:
Lean how to remove files

• %System%\Windows 3d.scr
• %System%\commandprompt.sysm
• %System%\desktop.sysm
• %UserProfile%\application data\Microsoft\[4 RANDOM LETTERS].exe

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”VisualStyle” = “%System%\desktop.sysm”

• This Trojan may be downloaded from remote site(s) by other malware.
• It may be dropped by other malware.
• It may be downloaded unknowingly by a user when visiting malicious Web site(s).

When started, the infection will connect to a remote web site to download and run another file that is also detected as Troj_Renos.ACO.  It then copies itself to C:WindowsSystem32lphc3pgj0e3ct.exe and adds a entry into the Windows Registry to start the file everytime you boot your computer.

This infection will also change your Windows desktop wallpaper to look like:

Trojan Renos Wallpaper

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

lphc3pgj0e3ct.exe

Delete these files:
Lean how to remove files

C:WindowsSystem32lphc3pgj0e3ct.exe
C:WindowsSystem32phc3pgj0e3ct.bmp
C:WindowsSystem32blphc3pgj0e3ct.scr

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINESOFTWAREMicrosoft
WindowsCurrentVersionRun
lphc3pgj0e3ct = “%System%lphc3pgj0e3ct.exe”

• Shows false results
• Won’t let you remove any supposed infections unless you first purchase the software.
• Hijacks the Internet Explorer Start page.
• Makes your computer slower.
• Provides no way of contacting the developers of the software.

Overall, this software is a scam and should be avoided at all cost.  Please use the automated or manual removal instructions below to remove this infection.

XLGuarder or XLG Security Center image

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. It is know to be able to remove this malware and XLG Security Center is included in its current virus definitions.  A big thumbs up for Symantec adding this to removal definitions so quickly!

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

sysutil.exe

Delete these files:
Lean how to remove files

<userprofile>Start MenuProgramsProtection
c:windowssysutils
c:windowssysutilswarning
c:windowssysutilssounds
c:windowssysutilssettings.ini
c:windowssysutilssysutil.exe
c:windowssysutilssysutil_s.exe
c:windowssysutilsuninstall.exe
c:windowssysutilswinsystip.exe
c:windowssysutilssounds�1.wav
c:windowssysutilssounds�2.wav
c:windowssysutilssounds�3.wav
c:windowssysutilswarningalertpage.jpg
c:windowssysutilswarningspacer.gif
c:windowssysutilswarningwarningpage.html
<userprofile>Start MenuProgramsProtectionUninstall XLG.lnk
c:windowsiebho.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CLASSES_ROOTCLSID{D032570A-5F63-4812-A094-87D007C23012}
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{D032570A-5F63-4812-A094-87D007C23012}
HKEY_CURRENT_USERSoftwaresysutils
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallsysutils

As part of this announcement, Dan asked that no other security researchers publicly speculate as to the vulnerability in order to not give any black hats, or hackers, the ability to figure the flaw out and use it.  He asked this in order to provide all of the ISPs and companies in the world to update their DNS servers to versions that do not have this flaw.  It turns out, though that another researcher named Halvar Flake may have figured it out.

I wont try to explain it, but you may want to read the blog post i linked above.