March 17th, 2009
Malware Removal Guide, Rogue Anti-Spyware
Getting slammed in school, but wanted to post about WinPC Defender. BleepingComputer has a new guide up for an XP Police Antivirus clone called WinPCDefender. Here is a quote:
WinPC Defender is a new rogue anti-spyware program discovered by security analyst S!Ri and is a clone of the programs named XP Police Antivirus and IE Security. Like its predecessors, this program is installed and advertised through the use of Trojans that display fake security alerts on your computer. These security alerts state that your computer is infected and that you should click on them in order to download software that will protect you. Once you click on these alerts, the Trojan will automatically download and install the program on your computer.
Their guide is linked below:
How to remove WinPC Defender
March 12th, 2009
Malware Removal Guide, Rogue Anti-Spyware
Just stumbled on a Spyware Fighter removal guide over at BleepingComputer, so it appears that Spyware Fighter is now live. We reported on this rogue in February, but at the time the malware was not live and installable. If you become infected with Spyware Fighter, be sure to visit BleepingComputer in order to remove this infection.
March 11th, 2009
Malware Removal Guide, Worms
Description:
W32.SillyFDC.BAY is a removable media worm that spreads through infected flash drives, external hard drives, and other USB storage devices. Once your computer is infected, it will in turn infect any other removable devices that are inserted into it. When infected, the worm will create the C:\Program Files\Common Files\xSafe.exe file and then add the following registry key so that it runs automatically when you start Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"xSafe" = "%ProgramFiles%\Common Files\xSafe.exe"
Manual Removal Instructions for W32.SillyFDC.BAY:
End these processes if they exist:
Learn how to end processes
xSafe.exe
Delete these files if they exist:
Learn how to remove files
C:\Program Files\Common Files\xSafe.exe
Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries
Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"xSafe"
March 11th, 2009
Rogue Anti-Spyware, Worms
Description:
W32.SillyFDC.BBA is a worm that spreads through removable media devices such as flash drives, external hard drives, and other USB storage devices. Once your computer is infected, it will in turn infect any other removable devices that are inserted into it. When infected, the worm will create the %SystemDrive%\SYSTEM\[SID]\Perfume.exe file and then add the following registry key so that it runs automatically when you start Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}
Manual Removal Instructions for W32.SillyFDC.BBA:
End these processes if they exist:
Learn how to end processes
Perfume.exe
Delete these files if they exist:
Learn how to remove files
%SystemDrive%\SYSTEM\[SID]\Perfume.exe
Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries
Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}
March 9th, 2009
Malware Removal Guide, Tutorial
Description:
Troj/Banker-EPN is a Trojan that attempts to steal account numbers, passwords, and other online banking related information. This infection listens to the traffic that you send to online banking web sites, and when it finds certain information, it records it and sends it to a remote location. This information is then used either to perform identity theft or to sell to those who will.
Once this infection is installed, it will create the C:\Windows\wmiprevse.exe file and then add the following registry key so that it runs automatically when you start Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"wmiprevse" = "C:\Windows\wmiprevse.exe"
If this infection is found on your computer, it is strongly suggested that you contact all of your banks and have your account information changed immediately. By explaining the situation, you can also have your accounts monitored for illicit activity.
Manual Removal Instructions for Troj/Banker-EPN:
End these processes if they exist:
Learn how to end processes
wmiprevse.exe
Delete these files if they exist:
Learn how to remove files
C:\Windows\wmiprevse.exe
Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries
Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"wmiprevse"
March 9th, 2009
Malware Removal Guide, Trojan
Description:
The Troj/MalHost-B Trojan pretends to be a video but is in fact malware that modifies your Windows HOSTS file so that your web browser is redirected to further malicious sites. While the fake video plays on your desktop, the Trojan rewrites the HOSTS file so that popular web sites resolve to malicious servers under the malware writer's control; those sites then attempt to infect you with further malware.
When infected, this Trojan will create the C:\Program Files\QuickTime_.exe file and then create the following registry key to start itself automatically when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Apple Inc." = "C:\Program Files\QuickTime_.exe -atboottime"
Manual Removal Instructions for Troj/MalHost-B
End these processes if they exist:
Learn how to end processes
QuickTime_.exe
Delete these files if they exist:
Learn how to remove files
C:\Program Files\QuickTime_.exe
Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries
Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Apple Inc."
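A quick way to spot the kind of HOSTS tampering described above is to list every name the file sends somewhere other than loopback or 0.0.0.0 (legitimate entries usually block a name, they do not redirect it). This is an added example, not code from the original post; the HOSTS content it scans is constructed, and the addresses and hostnames in it are placeholders.

```python
import ipaddress
import os

# Constructed sample of a HOSTS file after a MalHost-style modification
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad-blocking entry: benign
203.0.113.45    www.example-bank.com   # constructed redirect to attacker host
203.0.113.45    example-search.com
"""
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a host mapping
        for name in parts[1:]:
            yield ip, name.lower()

def suspicious_entries(text):
    """Return [(ip, hostname)] for names mapped anywhere other than loopback or
    the unspecified address; such entries redirect rather than block."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or ip.is_loopback or ip.is_unspecified:
            continue
        hits.append((str(ip), name))
    return hits

if __name__ == "__main__":
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    if os.path.exists(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS  # no Windows HOSTS file here: scan the sample
    for ip, name in suspicious_entries(text):
        print(f"HOSTS redirects {name} -> {ip}")
```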
March 9th, 2009
Malware Removal Guide, Trojan
Description:
Troj/Agent-JBX is a Trojan that attempts to connect to the Internet in order to transmit and receive information. This Trojan is typically bundled with other malware.
Once infected, this Trojan will create the C:\Windows\System32\updmngr.exe file and then create the following registry key to start itself automatically:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = "C:\Windows\System32\updmngr.exe"
Manual Removal Instructions for Troj/Agent-JBX
End these processes if they exist:
Learn how to end processes
updmngr.exe
Delete these files if they exist:
Learn how to remove files
C:\Windows\System32\updmngr.exe
Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries
Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = "C:\Windows\System32\updmngr.exe"
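The Run key values in the SillyFDC, Banker-EPN and MalHost-B entries above and the "load" value used by Troj/Agent-JBX are all autostart locations an analyst should enumerate rather than check one name at a time. The added example below (not code from the original posts) reads those locations with the standard winreg module and resolves each value to the executable it launches, including the unquoted, argument-carrying and bare-filename forms seen on this page; parse_command itself runs on any platform, the registry reads only on Windows.

```python
import os
import re
try:
    import winreg            # registry access exists only on Windows
except ImportError:
    winreg = None
# Fallbacks so parse_command also works when analysing offline (non-Windows)
ENV_DEFAULTS = {"ProgramFiles": r"C:\Program Files", "WinDir": r"C:\Windows"}

def expand(text):  # expand %VAR% references such as %ProgramFiles%
    return re.sub(r"%([^%]+)%", lambda m: os.environ.get(
        m.group(1), ENV_DEFAULTS.get(m.group(1), m.group(0))), text)

def parse_command(data):
    """Executable launched by autostart value data: quoted paths, trailing
    arguments (QuickTime_.exe -atboottime) and bare names (winbows.exe)."""
    data = expand(data.strip())
    if data.startswith('"'):
        exe = data[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
        exe = m.group(1) if m else data.split()[0]
    if "\\" not in exe and "/" not in exe:      # bare name: Windows dir
        exe = expand("%WinDir%") + "\\" + exe
    return exe

# (hive, subkey, value name or None for all values): the spots the posts name
LOCATIONS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "load"),
]

def audit_autostarts():
    """Yield (key, value name, executable, file exists) for analyst review."""
    if winreg is None:
        return
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, sub, only in LOCATIONS:
        try:
            key = winreg.OpenKey(hives[hive], sub)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # value count
                name, data, _kind = winreg.EnumValue(key, i)
                if only is None or name.lower() == only:
                    exe = parse_command(str(data))
                    yield f"{hive}\\{sub}", name, exe, os.path.exists(exe)

if __name__ == "__main__":
    for key, name, exe, present in audit_autostarts():
        print(f'{key}\\"{name}" -> {exe} ({"present" if present else "missing"})')
```

Value names that imitate system components (wmiprevse, "windows", "Apple Inc.") are exactly why the executable path, not the name, is what to review.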
March 9th, 2009
Rogue Anti-Spyware, Worms
Description:
W32/AutoRun-ZX is a removable media worm that spreads by infecting devices such as flash drives, external hard drives, and other removable media. Once infected media is inserted into a clean machine, that computer will autoplay the media and infect itself.
Once infected, the worm will create the file C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe. It will then create the following registry key to start itself automatically:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}
Manual Removal Instructions for W32/AutoRun-ZX
End these processes if they exist:
Learn how to end processes
Ogard.exe
Delete these files if they exist:
Learn how to remove files
C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe
Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries
Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}
March 7th, 2009
Malware Removal Guide, Worms
Description:
W32/Autorun-AAI is a worm that targets removable media. It typically spreads to your computer when you insert removable media such as flash drives or external hard drives that carry the infection. Once such a device is inserted, your computer autoplays its autorun.inf and the worm runs, infecting your computer. If you then insert any clean flash drives into your computer, the worm will infect those as well.
Once infected, the worm will create the file C:\Windows\Winbows.exe. It will then create the following registry key to start itself automatically:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "winbows.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "imege.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "picture.exe"
Manual Removal Instructions for W32/Autorun-AAI
End these processes if they exist:
Learn how to end processes
winbows.exe
picture.exe
imege.exe
Delete these files if they exist:
Learn how to remove files
C:\Windows\winbows.exe
C:\Windows\imege.exe
C:\Windows\picture.exe
Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries
Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows"
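Both W32/AutoRun-ZX and W32/Autorun-AAI rely on Windows autoplaying an autorun.inf from the inserted drive, so checking that file before trusting a drive is the natural detection step. The following is an added example, not code from the original posts: it parses an autorun.inf and reports every directive that would execute something on insert or double-click; the sample autorun.inf content is constructed, and Winbows.exe is used only as the file name the post above mentions.

```python
import configparser
import os

# Constructed sample of the autorun.inf such worms drop on a removable drive
SAMPLE_AUTORUN = """\
[AutoRun]
open=Winbows.exe
shellexecute=Winbows.exe
shell\\open\\command=Winbows.exe
shell\\explore\\command=Winbows.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Pictures
"""
# Directives that make Windows execute something on insert or double-click
LAUNCH_KEYS = {"open", "shellexecute"}

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if none)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}   # not INI-shaped at all; nothing Windows would honour
    sec = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return {k.lower(): (v or "") for k, v in cp.items(sec)} if sec else {}

def launch_commands(text):
    """Return {directive: command} for every entry that would run code,
    including shell\\<verb>\\command entries for arbitrary context-menu verbs."""
    return {k: v for k, v in parse_autorun(text).items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}

def scan_drive(root):
    """Report launch directives from <root>\\autorun.inf, if the file exists."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8", errors="replace") as f:
        return launch_commands(f.read())

if __name__ == "__main__":
    for directive, command in launch_commands(SAMPLE_AUTORUN).items():
        print(f"{directive:24} -> {command}")
```

A drive whose autorun.inf launches an executable while its label and icon pose as a pictures folder is the pattern behind names like picture.exe and imege.exe in the entry above.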
March 6th, 2009
Malware Removal Guide, Rogue Anti-Spyware, Trojan
I am running out, but I just read that BleepingComputer.com is reporting that a new rogue has been released that is advertised by the Vundo Trojan. The Vundo Trojan is a widespread Trojan that can be quite difficult to remove. It is also known for causing large-scale installations of various rogues such as Antivirus 360.
BleepingComputer.com’s removal guide uses Malwarebytes’ Anti-malware to remove it. The guide can be found below:
Learn how to remove Malware Defender 2009 (Removal Guide)