This page is a copy of part of the help file for Special Agent PC Secure.

Special Instructions for Spyware Removal

The Fix-It tool can be started by right-clicking the PC Secure icon in the system tray and selecting "Start Fix_It Agent".

Your files were placed in the following files in the My Documents folder: Demo.als and EncryptedFiles.als. The password for the EncryptedFiles.als file is: mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. The password for the Demo.als file is: kw9fjwfielaifuw1u3fw3brue2180w3hfse2

You will need to select a new Screen Saver for your desktop. This Trojan replaced the screen saver entry in the Registry. Right click your desktop and select Properties.

You will need to run a virus scanner to fix all infected files.

This malware is a virus. You may need to manually replace the files Windows\System32\Kernel32.dll and Wininet.dll by copying the files Windows\System32\oldkrn.tmp to Kernel32.dll and oldwin.tmp to Wininet.dll, using the Recovery Console or MSDOS. PC Secure will make an attempt to replace them, but Kernel32.dll will need to be replaced manually. These tmp files are copies of the original files.

This worm is known to delete backups of the Windows Registry. It deletes the file in your Windows Repair folder on Windows XP and 2000. If you have a hard drive or System State backup, you should restore these files.

This worm overwrites the file c:\Autoexec.bat with a batch script that deletes the entire directory tree of drives f, g, h, and i.

Blackmal may have altered some keys at HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses; it is recommended that you restore the Registry from a backup. It may also have deleted your antivirus software; you will need to reinstall it.

Dupator! is memory resident. You will need to run a virus scanner to fix all infected files.

Dagonit: For Windows XP, 2000, and 2003, use the Fix-It tool to replace the file %Windir%\System32\Winspool.exe. The following services have been set to start automatically: TelNet, Terminal Services, RPCSS, and Server.
The following Registry key has been modified: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
The settings that have been altered are:

Replace the files

  • %Windir%\System32\dllcache\winlogon.exe & %Windir%\System32\winlogon.exe
  • %Windir%\System32\dllcache\termsrv.dll & %Windir%\System32\termsrv.dll
  • %Windir%\System32\dllcache\mstscax.dll & %Windir%\System32\mstscax.dll

  • For Windows 98 and ME replace the file %Windir%\System\Winspool.exe.
    Delete the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    Replace the files if they exist:

  • %Windir%\System\winlogon.exe
  • %Windir%\System\termsrv.dll
  • %Windir%\System\mstscax.dll
  • Danrit:
    This Trojan has added several tasks to the Task Scheduler. Remove all tasks you have not set yourself.

    Feebs may have created %System%\MS[RANDOM].exe, %System%\MS[RANDOM], and %System%\MS[RANDOM]32.DLL, and added an entry "MS[RANDOM CHARACTERS]" = "%System%\MS[RANDOM CHARACTERS]32.dll" to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

    You need to open the Network settings applet in the Control Panel. Reset your adapter. Clear or change the DNS servers. This Trojan has set them to and

    After removing the file from the LSP list, be sure to delete the value "PackedCatalogItem" = "%System%\abcedg21.dll" from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000[TWO RANDOM DIGITS]

    See the list of files that may have been renamed at the end of this page. To make repairs, simply rename any of the files in the list back to the original file name.

    This virus attempts to infect every .exe file on the computer. You will need to run a virus scanner to kill the virus. You should also replace all .exe files on your computer.

    On Windows XP, 2000, and 2003, the file %system%\Lsass.exe should be replaced. This malware has modified this file.

    You will need to open RegEdit and go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder. In the right pane, right-click the entry "List", select Modify, and delete the entry MSNetSvc.

    ProBot Activity Monitor:
    Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the value you want to delete is [8 random characters] = %system Folder%\[8 random characters].exe. Then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices; the value you want to delete is [8 random characters] = %system Folder%\[8 random characters].exe. Also go to SYSTEM\CurrentControlSet\Services\[8 random characters]; the ImagePath value will point to %System Folder%\drivers\[8 random characters].sys

    Upon execution, this malware searches the Registry key HKEY_CLASSES_ROOT\CLSID for the following files: shell32.dll, ole32.dll, oleaut32.dll, fm20.dll, thumbvw.dll, mshtml.dll, sdocvw.dll, browseui.dll
    If there are entries in the CLSID key related to the above 8 dll files, the worm creates the same number of dll files in the Windows system folder and replaces all the values in the registry.
    It creates the file %System%\[RANDOM].dll and replaces registry entries under HKEY_CLASSES_ROOT\CLSID with the name of the dll file. A backup Registry should be installed.

    Redirect Trojan-kdzbf:
    This file is started with the bootup of Windows. If Windows starts this file before PC Secure can be started it will not be deleted. You will need to use the Recovery Console or MSDOS to manually delete it. It is located in your System32 folder. For Windows ME/9x it is in your System folder.

    The file %Windir%\notepad.exe has been replaced by this Trojan. Use the Fix-It utility to replace it.

    This Trojan may have deleted some of your system files and registry settings. You may need to reinstall Windows or replace the deleted files and registry settings from a backup.
    If the current system date is the 2nd, 4th, 17th, 24th, or 31st of the month:

    The file Userinit.exe has been changed. This Trojan has copied itself to the file %windir%\System32\Userinit.exe in Windows XP, 2000, and 2003 or %windir%\System\Userinit.exe in Windows 98 and ME. You need to replace this file, as PC Secure has deleted it. You may find the original file in %windir%\System\Userinit.exe in Windows XP, 2000, and 2003 or %windir%\System32\Userinit.exe in Windows 98 and ME.
    It may have also modified the original %System%\sfc_os.dll or sfc.dll file and its backup in %Windir%\dllcache in order to disable System File Protection.

    Open RegEdit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    right-click the LEGACY_SCAGENT subkey, choose ‘Permissions...’ / ‘Allow’ / ‘Everyone’ / ‘Full access’.
    Then click OK and delete LEGACY_SCAGENT.

    You will need to delete the Registry value: [RANDOM NAME] = "rundll32 "[Windir]\Downloaded Program Files\[RANDOM NAME].dll""
    at the Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Also delete the file that this value points to. This folder is protected by Windows; to delete this file, use PC Secure's Fix-It Agent. You will need to type %Windir%\Downloaded Program Files in the "Open" window in order to see the files in this folder.

    Shop At Home:
    You may need to use the LSPFixIt tool to restore your network connections. If the file LSP.dll is in the window, select it to be removed.

    On XP, 2000 and 2003, the file TCPIP.sys may have been altered by the worm. It is located in %system%\Drivers and %system%\Dllcache.
    Note: The worm is able to patch different versions of the TCPIP.SYS file (build 2180, 2505, 2631, 2685) by modifying the checksum of the file and changing the number of allowed half-open connections (a security fix introduced by Microsoft Security Bulletin MS05-019). This change alters the normal functioning of the TCP/IP protocol and may cause network problems.

    You can view and edit trusted sites using the Remover Agents interface.

    Web Event Logger - Troj/Padodor:
    When this Trojan was installed, it reset your system date to the date of your Windows files to make it hard to detect. It may not have changed it back.

    This worm has changed your Registered User name and the name of your computer. Reset the value "RegisteredOwner" at the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion. Reset the value "ComputerName" at the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName and then reboot.

    On Windows XP, 2000, and 2003, the file Hal.dll is located in your System32 folder. If you get the message "Genes don't contain any record of humain history, you'll NEVER catch me!(Agent Hacker - Bazzi)" you will need to replace hal.dll.

    This is a virus that will infect any exe, dll, scr file it finds. You should use a virus scanner to disinfect or replace the files it finds.

    You will need to replace Scanregw.exe, Internet.exe, Taskmon.exe and Rundll32.exe before rebooting. These files may have been deleted because they contained the Trojan and cannot be cleaned. You can review the Spy Cleaner log to see what files were deleted.


    Files renamed by Imav.A:

  • ashAvast.exe is renamed to 1ashAvast.exe
  • ashDisp.exe is renamed to 1ashDisp.exe
  • ashEnhcd.exe is renamed to 1ashEnhcd.exe
  • ashPopWz.exe is renamed to 1ashPopWz.exe
  • ashShA64.dll is renamed to 1ashShA64.dll
  • ashSimpl.exe is renamed to 1ashSimpl.exe
  • ashSkPck.exe is renamed to 1ashSkPck.exe
  • ashWebSv.exe is renamed to 1ashWebSv.exe
  • AUPDATE.EXE is renamed to 1AUPDATE.EXE
  • Avconsol.exe is renamed to 1Avconsol.exe
  • avgcc.exe is renamed to 1avgcc.exe
  • AVGCMSG.DLL is renamed to 1AVGCMSG.DLL
  • avgemc.exe is renamed to 1avgemc.exe
  • AVGNT.EXE is renamed to 1AVGNT.EXE
  • AVSCHED32.DLL is renamed to 1AVSCHED32.DLL
  • AVSCHED32.EXE is renamed to 1AVSCHED32.EXE
  • Avsynmgr.exe is renamed to 1Avsynmgr.exe
  • AVWUPD32.EXE is renamed to 1AVWUPD32.EXE
  • BCGCB59.dll is renamed to 1BCGCB59.dll
  • bdmcon.exe is renamed to 1bdmcon.exe
  • bdnews.exe is renamed to 1bdnews.exe
  • bdsubmit.exe is renamed to 1bdsubmit.exe
  • bdswitch.exe is renamed to 1bdswitch.exe
  • cafix.exe is renamed to 1cafix.exe
  • ccApp.exe is renamed to 1ccApp.exe
  • CCEVTMGR.EXE is renamed to 1CCEVTMGR.EXE
  • ccl30.dll is renamed to 1ccl30.dll
  • CCSETMGR.EXE is renamed to 1CCSETMGR.EXE
  • ccvrtrst.dll is renamed to 1ccvrtrst.dll
  • ClamTray.exe is renamed to 1ClamTray.exe
  • ClamWin.exe is renamed to 1ClamWin.exe
  • CMGrdian.exe is renamed to 1CMGrdian.exe
  • D2htls32.dll is renamed to 1D2htls32.dll
  • drwadins.exe is renamed to 1drwadins.exe
  • drweb32w.exe is renamed to 1drweb32w.exe
  • drwebscd.exe is renamed to 1drwebscd.exe
  • drwebupw.exe is renamed to 1drwebupw.exe
  • FFJMPWEB.DLL is renamed to 1FFJMPWEB.DLL
  • freshclam.exe is renamed to 1freshclam.exe
  • GUARDEVT.DLL is renamed to 1GUARDEVT.DLL
  • GUARDGUI.EXE is renamed to 1GUARDGUI.EXE
  • GUARDMSG.DLL is renamed to 1GUARDMSG.DLL
  • GuardNT.exe is renamed to 1GuardNT.exe
  • IksysT32.dll is renamed to 1IksysT32.dll
  • INETUPD.EXE is renamed to 1INETUPD.EXE
  • InocIT.exe is renamed to 1InocIT.exe
  • InoOEM.dll is renamed to 1InoOEM.dll
  • InoOption.dll is renamed to 1InoOption.dll
  • InoUpTNG.exe is renamed to 1InoUpTNG.exe
  • isafe.exe is renamed to 1isafe.exe
  • KAV.exe is renamed to 1KAV.exe
  • kavmm.exe is renamed to 1kavmm.exe
  • KAVPF.exe is renamed to 1KAVPF.exe
  • LUALL.EXE is renamed to 1LUALL.EXE
  • LUINSDLL.DLL is renamed to 1LUINSDLL.DLL
  • Luupdate.exe is renamed to 1Luupdate.exe
  • Mcshield.exe is renamed to 1Mcshield.exe
  • NAVAPSVC.EXE is renamed to 1NAVAPSVC.EXE
  • nod32.exe is renamed to 1nod32.exe
  • nod32api.dll is renamed to 1nod32api.dll
  • nod32kui.exe is renamed to 1nod32kui.exe
  • NPFMNTOR.EXE is renamed to 1NPFMNTOR.EXE
  • npfmsg.exe is renamed to 1npfmsg.exe
  • Nvccf0D.dll is renamed to 1Nvccf0D.dll
  • Nvcevlog.dll is renamed to 1Nvcevlog.dll
  • Nvcod.exe is renamed to 1Nvcod.exe
  • Nvcte.exe is renamed to 1Nvcte.exe
  • Nvcut.exe is renamed to 1Nvcut.exe
  • OCONNDLG.DLL is renamed to 1OCONNDLG.DLL
  • OCOOKDLG.DLL is renamed to 1OCOOKDLG.DLL
  • outpost.exe is renamed to 1outpost.exe
  • pccguide.exe is renamed to 1pccguide.exe
  • PcCtlCom.exe is renamed to 1PcCtlCom.exe
  • python23.dll is renamed to 1python23.dll
  • QHPF.EXE is renamed to 1QHPF.EXE
  • Realmon.exe is renamed to 1Realmon.exe
  • RuLaunch.exe is renamed to 1RuLaunch.exe
  • schface.dll is renamed to 1schface.dll
  • SNDSrvc.exe is renamed to S1NDSrvc.exe
  • SPBBCSvc.exe is renamed to S1PBBCSvc.exe
  • spiderml.exe is renamed to s1piderml.exe
  • symlcsvc.exe is renamed to s1ymlcsvc.exe
  • T2w32.dll is renamed to T12w32.dll
  • Tmntsrv.exe is renamed to T1mntsrv.exe
  • TmPfw.exe is renamed to Tm1Pfw.exe
  • tmproxy.exe is renamed to tm1proxy.exe
  • Up2Date.exe is renamed to U1p2Date.exe
  • upgrepl.exe is renamed to u1pgrepl.exe
  • Vba32ifs.exe is renamed to V1ba32ECM.exe
  • vba32ldr.exe is renamed to V1ba32ifs.exe
  • Vba32PP3.exe is renamed to v1ba32ldr.exe
  • vbaifps.dll is renamed to V1ba32PP3.exe
  • vetredir.dll is renamed to vb1aifps.dll
  • Vshwin32.exe is renamed to v1etredir.dll
  • VsStat.exe is renamed to Vs1hwin32.exe
  • vsvault.dll is renamed to Vs1Stat.exe
  • XT1922.dll is renamed to vs1vault.dll
  • Vba32ECM.exe is renamed to XT11922.dll
  • zatutor.exe is renamed to za1tutor.exe
  • zlavscan.dll is renamed to zla1vscan.dll
  • zlclient.exe is renamed to zl1client.exe
  • zonealarm.exe is renamed to zo1nealarm.exe
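
The rename repair described for this list can be scripted. The following is an added example, not part of the PC Secure help file or product: every renamed name in the list is an original name with one extra "1" within its first four characters, so the script strips a single "1" and accepts the result only if it matches a known original. The function names are hypothetical and `KNOWN_ORIGINALS` is a constructed subset of the list.

```python
import os
import sys

# Subset of the original names from the list above (constructed sample, not the full list).
KNOWN_ORIGINALS = {n.lower(): n for n in (
    "ashAvast.exe", "ccApp.exe", "SNDSrvc.exe", "T2w32.dll", "TmPfw.exe",
    "Vba32ECM.exe", "XT1922.dll", "zlavscan.dll", "zonealarm.exe",
)}

def original_name(filename):
    """Return the listed original name if filename is that name with one
    extra '1' within its first four characters, else None."""
    for i, ch in enumerate(filename[:4]):
        if ch == "1":
            candidate = filename[:i] + filename[i + 1:]
            if candidate.lower() in KNOWN_ORIGINALS:
                return KNOWN_ORIGINALS[candidate.lower()]
    return None

def plan_restores(root):
    """Walk root and return (renamed_path, restore_path, conflict) tuples.
    conflict is True when a file with the original name already exists."""
    plan = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in sorted(files):
            orig = original_name(name)
            if orig is not None:
                plan.append((os.path.join(dirpath, name),
                             os.path.join(dirpath, orig),
                             orig.lower() in present))
    return plan

def apply_plan(plan):
    """Rename non-conflicting entries; never overwrite an existing file."""
    restored = []
    for src, dst, conflict in plan:
        if conflict or os.path.exists(dst):
            continue
        os.rename(src, dst)
        restored.append(dst)
    return restored

if __name__ == "__main__" and len(sys.argv) > 1:
    # Dry run: print the plan only; call apply_plan() after reviewing it.
    for src, dst, conflict in plan_restores(sys.argv[1]):
        print(("SKIP (target exists) " if conflict else "RESTORE ") + src + " -> " + dst)
```

Run it with a folder path to get a dry-run plan; entries marked as conflicts are left for manual review because a file with the original name is already present.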