

This page is a copy of part of the help file for Special Agent PC Secure.
Special Instructions for Spyware Removal
The Fix-It tool can be started by right-clicking the PC Secure icon in the system tray and selecting "Start Fix_It Agent".
Archiveus:
Your files were placed in the following files in the My
Documents folder: Demo.als and EncryptedFiles.als. The password
for the EncryptedFiles.als file is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
The password for the Demo.als file is: kw9fjwfielaifuw1u3fw3brue2180w3hfse2
Antiman.E:
You will need to select a new Screen Saver for your
desktop. This Trojan replaced the screen saver entry in the
Registry. Right click your desktop and select Properties.
Bacalid:
You will need to run a virus scanner to fix all infected files.
Bankpatch:
This malware is a virus. You may need to manually replace the
files Windows\System32\Kernel32.dll and Wininet.dll by copying the
files Windows\System32\oldkrn.tmp to Kernel32.dll and oldwin.tmp
to Wininet.dll, using the Recovery Console or MSDOS. PC Secure
will attempt to replace them, but Kernel32 will need
to be replaced manually. These tmp files are copies of the
original files.
Banish.A:
This worm is known to delete backups of the Windows Registry. It
deletes the file in your Windows Repair folder on Windows XP and
2000. If you have a hard drive or System State backup you should
restore these files.
Besam:
This worm overwrites the file c:\Autoexec.bat with a batch script
that deletes the entire directory tree of drives f, g, h, and i.
Blackmal.E:
Blackmal may have altered some keys at
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses. It is recommended
that you restore the Registry from a backup. It may also have
deleted your antivirus software; you will need to reinstall it.
Dupator:
Dupator is memory resident. You will need to run a virus scanner to fix all infected files.
Dagonit:
For Windows XP, 2000, and 2003 use the Fix-It tool to replace the
file %Windir%\System32\Winspool.exe. The following services have
been set to automatically start: TelNet, Terminal Services, RPCSS,
and Server.
The following Registry Key has been modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
The settings that have been altered are:
Replace the files
For Windows 98 and ME replace the file
%Windir%\System\Winspool.exe.
Delete the Registry Key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Replace the files if they exist:
Danrit:
This Trojan has added several tasks to the Task Scheduler. Remove
all tasks you have not set yourself.
Feebs:
Feebs may have created %System%\MS[RANDOM].exe,
%System%\MS[RANDOM], and %System%\MS[RANDOM]32.DLL, and added an
entry "MS[RANDOM CHARACTERS]" = "%System%\MS[RANDOM CHARACTERS]32.dll"
to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Flush.E:
You need to open the Network settings applet in the Control Panel.
Reset your adapter. Clear or change the DNS servers. This Trojan
has set them to 195.95.218.4 and 85.255.112.9.
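The DNS check for Flush.E can also be scripted. The following is an added example, not part of the PC Secure help file: it parses English `ipconfig /all` output and reports adapters whose DNS servers include either address listed above. The sample text is constructed and the function names are illustrative.

```python
import re

# DNS servers this page says Flush.E writes into the adapter settings.
ROGUE_DNS = {"195.95.218.4", "85.255.112.9"}

# Constructed sample of English `ipconfig /all` output (not from a real host).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 195.95.218.4
                                       85.255.112.9

Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.11
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def dns_by_adapter(text):
    """Map section name -> DNS servers, following continuation lines."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():
            # An unindented line starts a new section (adapter header).
            adapter = line.rstrip(":").strip()
            result[adapter] = []
            in_dns = False
        elif adapter and "DNS Servers" in line and ":" in line:
            value = line.split(":", 1)[1].strip()
            in_dns = True
            if IPV4.match(value):
                result[adapter].append(value)
        elif in_dns and IPV4.match(line.strip()):
            # Second and later servers appear alone on indented lines.
            result[adapter].append(line.strip())
        else:
            in_dns = False
    return result

def rogue_adapters(text):
    """Return only the adapters that use a Flush.E DNS server."""
    return {name: sorted(set(servers) & ROGUE_DNS)
            for name, servers in dns_by_adapter(text).items()
            if set(servers) & ROGUE_DNS}

if __name__ == "__main__":
    print(rogue_adapters(SAMPLE))
```

Feed it the saved output of `ipconfig /all` from the affected machine; any adapter it reports needs its DNS servers cleared or changed as described above.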
Homutex:
After removing the file from the LSP list, be sure to delete the
value "PackedCatalogItem" = "%System%\abcedg21.dll" from
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000[TWO RANDOM DIGITS]
Imav.A:
Click here to view the list of files that may have been renamed.
To make repairs simply rename any of the files in the list back to
the original file name.
Kiner:
This virus attempts to infect every .exe file on the computer.
You will need to run a virus scanner to kill the virus. You
should also replace all .exe files on your computer.
Lassrv.B:
On Windows XP, 2000, and 2003, the file
%system%\Lsass.exe should be replaced. This malware has modified
this file.
Maroot:
You will need to open RegEdit and go to the Key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder.
In the right pane right-click the entry "List", select
Modify and delete the entry MSNetSvc.
ProBot Activity Monitor:
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
The value you want to delete is
[8 random characters] = %system Folder%\[8 random characters].exe.
Then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
The value you want to delete is
[8 random characters] = %system Folder%\[8 random characters].exe.
Also go to SYSTEM\CurrentControlSet\Services\[8 random characters];
the ImagePath value will point to
%System Folder%\drivers\[8 random characters].sys
Rahack.H:
Upon execution, this malware searches the Registry Key
HKEY_CLASSES_ROOT\CLSID for the following files: shell32.dll,
ole32.dll, oleaut32.dll, fm20.dll, thumbvw.dll, mshtml.dll,
sdocvw.dll, browseui.dll.
If there are a number of entries in the CLSID Key related to the
above 8 dll files, the worm creates the same number of dll files in
the Windows system folder and replaces all the values in the
registry.
It creates the file %System%\[RANDOM].dll and replaces registry
entries under HKEY_CLASSES_ROOT\CLSID with the name of the dll
file. A backup Registry should be installed.
Redirect Trojan-kdzbf:
This file is started with the bootup of Windows. If Windows
starts this file before PC Secure can be started it will not be
deleted. You will need to use the Recovery Console or MSDOS to
manually delete it. It is located in your System32 folder. For
Windows ME/9x it is in your System folder.
RedPlut:
The file %Windir%\notepad.exe has been replaced by this
Trojan. Use the Fix-It utility to replace it.
Rudelen:
This Trojan may have deleted some of your system files and
registry settings. You may need to reinstall Windows or replace
the deleted files and registry from a backup. If the
current system date is the 2nd, 4th, 17th, 24th, or 31st of the
month:
Satiloler:
The file Userinit.exe has been changed. This Trojan has copied
itself to the file %windir%\System32\Userinit.exe in Windows XP,
2000, and 2003 or %windir%\System\Userinit.exe in Windows 98 and ME.
You need to replace this file as PC Secure has deleted it. You
may find the original file in %windir%\System\Userinit.exe in
Windows XP, 2000, and 2003 or %windir%\System32\Userinit.exe in
Windows 98 and ME. It may also have modified the original
%System%\sfc_os.dll or sfc.dll file and its backup in
%Windir%\dllcache in order to disable System File Protection.
SCAgent:
Open RegEdit and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root,
right-click the LEGACY_SCAGENT subkey, and choose
Permissions... / Allow / Everyone / Full access.
Then click OK and delete LEGACY_SCAGENT.
SearchNet:
You will need to delete the Registry value:
[RANDOM NAME] = "rundll32 "[Windir]\Downloaded Program Files\[RANDOM NAME].dll""
at the Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Also delete the file that this value points to. This folder is
protected by Windows, so use PC Secure's Fix-It Agent to delete
the file. You will need to type %Windir%\Downloaded Program Files
in the "Open" window in order to see the files in this folder.
Shop At Home:
You may need to use the LSPFixIt tool to restore your network
connections. If the file LSP.dll is in the window, select it to
be removed.
Sober.S:
On XP, 2000 and 2003, the file TCPIP.sys may have been altered by
the worm. It is located in %system%\Drivers and %system%\Dllcache.
Note: The worm is able to patch different versions of the
TCPIP.SYS file (build 2180, 2505, 2631, 2685) by modifying the
checksum of the file and changing the number of allowed half-open
connections (a security fix introduced by Microsoft
Security Bulletin MS05-019). This change alters the normal
functioning of the TCP/IP protocol and may cause network problems.
Trojan.Regger.A:
You can view and edit trusted sites using the Remover
Agents interface.
Web Event Logger - Troj/Padodor:
When this Trojan was installed, it reset your system date to the date
of your Windows files to make it hard to detect. It may not have
changed it back.
W32.Elitper:
This worm has changed your Registered User name and the name of
your computer. Reset the value "RegisteredOwner" at the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion.
Reset the value "ComputerName" at the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
and then reboot.
W32.Envid:
On Windows XP, 2000, 2003 the file Hal.dll is located in your
System32 folder. If you get the message "Genes don't
contain any record of humain history, you'll NEVER catch
me!(Agent Hacker - Bazzi)" you will need to replace
hal.dll.
Wisfc:
This is a virus that will infect any exe, dll, scr file it finds.
You should use a virus scanner to disinfect or replace the files
it finds.
WinNuke.Trojan:
You will need to replace Scanregw.exe, Internet.exe, Taskmon.exe
and Rundll32.exe before rebooting. These files may have been
deleted because they contained the Trojan and cannot be cleaned.
You can review the Spy Cleaner log to see what files were
deleted.