Archive for the 'Malware Removal Guide' Category

New XP Police Clone – WinPC Defender

Tuesday, March 17th, 2009

Getting slammed in school, but wanted to post about WinPC Defender.  BleepingComputer has a new guide up for an XP Police Antivirus clone called WinPC Defender.  Here is a quote:

WinPC Defender is a new rogue anti-spyware program discovered by security analyst S!Ri and is a clone of the programs named XP Police Antivirus and IE Security. Like its predecessors, this program is installed and advertised through the use of Trojans that display fake security alerts on your computer. These security alerts state that your computer is infected and that you should click on them in order to download software that will protect you. Once you click on these alerts, the Trojan will automatically download and install the program on your computer.

Their guide is linked below:

How to remove WinPC Defender

Spyware Fighter guide live at BleepingComputer

Thursday, March 12th, 2009

Just stumbled on a Spyware Fighter removal guide over at BleepingComputer, so it appears that Spyware Fighter is now live.  We reported on this rogue in February, but at the time the malware was not live and installable.  If you become infected with Spyware Fighter, be sure to visit BleepingComputer in order to remove this infection.


How to remove the W32.SillyFDC.BAY worm

Wednesday, March 11th, 2009


Description:

W32.SillyFDC.BAY is a removable media worm that spreads through infected flash drives, external hard drives, and other USB storage devices.  Once your computer is infected, it will in turn infect any other removable device that is inserted into it. When infected, the worm will create the C:\Program Files\Common Files\xSafe.exe file and then add the following registry key so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"xSafe" = "%ProgramFiles%\Common Files\xSafe.exe"


Manual Removal Instructions for W32.SillyFDC.BAY:

End these processes if they exist:
Learn how to end processes

xSafe.exe


Delete these files if they exist:

Learn how to remove files

C:\Program Files\Common Files\xSafe.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"xSafe"

How to remove the Troj/Banker-EPN infection and the wmiprevse.exe file

Monday, March 9th, 2009


Description:

Troj/Banker-EPN is a Trojan that attempts to steal accounts, passwords, and other online banking related information.  This infection listens to the traffic that you send to online banking web sites, and when it finds certain information, records it and sends it to a remote location.  This information is then used either to perform identity theft or to sell to those who will.

Once this infection is installed, it will create the C:\Windows\wmiprevse.exe file and then add the following registry key so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"wmiprevse" = "C:\Windows\wmiprevse.exe"

If this infection is found on your computer, it is strongly suggested that you contact all of your banks and have your account information changed immediately.  By explaining the situation, you can also have them monitor your accounts for illicit activity.

Manual Removal Instructions for Troj/Banker-EPN:

End these processes if they exist:
Learn how to end processes

wmiprevse.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\wmiprevse.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"wmiprevse"

Delete QuickTime_.exe and remove the Troj/MalHost-B infection.

Monday, March 9th, 2009


Description:

The Troj/MalHost-B Trojan pretends to be a video, but in reality is malware that changes your Windows HOSTS file so that your web browser is redirected to further malicious sites. While the infection's video is being shown on your desktop, the Trojan modifies your Windows HOSTS file to redirect popular web sites to malicious services under the malware writer's control.  These web sites will instead attempt to infect you with further malware.

When infected, this Trojan will create the C:\Program Files\QuickTime_.exe file and then create the following registry key to start itself automatically when Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Apple Inc." = "C:\Program Files\QuickTime_.exe -atboottime"


Manual Removal Instructions for Troj/MalHost-B

End these processes if they exist:
Learn how to end processes

QuickTime_.exe


Delete these files if they exist:

Learn how to remove files

C:\Program Files\QuickTime_.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Apple Inc."

How to delete updmngr.exe and remove the Troj/Agent-JBX infection.

Monday, March 9th, 2009


Description:

Troj/Agent-JBX is a Trojan that attempts to connect to the Internet in order to transmit and receive information.  This Trojan is typically bundled with other malware.

Once infected, this Trojan will create the C:\Windows\System32\updmngr.exe file and then create the following registry key to start itself automatically:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = "C:\Windows\System32\updmngr.exe"

Manual Removal Instructions for Troj/Agent-JBX

End these processes if they exist:
Learn how to end processes

updmngr.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\System32\updmngr.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = "C:\Windows\System32\updmngr.exe"

How to remove winbows.exe or the W32/Autorun-AAI worm

Saturday, March 7th, 2009


Description:

W32/Autorun-AAI is a worm that targets removable media.  This worm typically spreads to your computer when you insert removable media such as flash drives, external hard drives, etc. that have this infection on them.  Once such a device is inserted, your computer will autoplay its autorun.inf and the worm will run, infecting your computer.  Then, if you insert any clean flash drives into your computer, the worm will infect those as well.

Once infected, the worm will create the file C:\Windows\Winbows.exe.  It will then create one of the following registry keys to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "winbows.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "imege.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "picture.exe"

Manual Removal Instructions for W32/Autorun-AAI

End these processes if they exist:
Learn how to end processes

winbows.exe
picture.exe
imege.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\winbows.exe
C:\Windows\imege.exe
C:\Windows\picture.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows"
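The infection step described above, AutoPlay reading the drive's autorun.inf and running whatever it names, can be checked before a drive is opened by reading that file as plain text. The Python script below is an added example, not code from this blog or from the vendor write-ups it cites: it parses the [autorun] section and lists every directive that would launch a program (open, shellexecute and shell\<verb>\command). The autorun.inf embedded in it is a constructed sample that assumes the worm registers its copy under those directives; the real file's contents are not given in the guide.

```python
"""List the launch directives in an autorun.inf, the file AutoPlay read when the worms on
this page spread from a removable drive. Added example; it only reads the file."""
import os
import re
from typing import Dict, List, Tuple

# [autorun] directives that make Windows run a program; shell\<verb>\command adds a context-menu verb.
LAUNCH_DIRECTIVES = ("open", "shellexecute")
_VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.
    Lines that are not key=value are ignored, as an INI parser would ignore them."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Every (directive, command) pair that would execute a program from the drive."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_DIRECTIVES or _VERB_COMMAND_RE.match(k)]


def scan_root(root: str) -> List[Tuple[str, str]]:
    """Read autorun.inf from a drive root, if present, and return its launch commands."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        return launch_commands(parse_autorun(fh.read()))


# Constructed sample: what an autorun.inf dropped by a worm like W32/Autorun-AAI might contain
# (an assumption for illustration; the real file's contents are not given in the guide).
SAMPLE_AUTORUN = r"""[autorun]
open=winbows.exe
shellexecute=winbows.exe
shell\open\command=winbows.exe
shell\explore\command=winbows.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

if __name__ == "__main__":
    for directive, command in launch_commands(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{directive} -> {command}")
```

On a Windows host, scan_root("E:\\") returns the launch directives for drive E:. Legitimate installer discs also use open=, so the output is a list to review (is the named file a hidden executable sitting in the drive root?) rather than a verdict on its own.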

Malware Defender 2009 Removal Guide

Friday, March 6th, 2009


I am running out, but I just read that BleepingComputer.com is reporting that a new rogue has been released that is advertised by the Vundo Trojan.  The Vundo Trojan is a widespread Trojan that can be quite difficult to remove.  It is also known for causing large-scale installations of various rogues such as Antivirus 360.

BleepingComputer.com’s removal guide uses Malwarebytes’ Anti-malware to remove it.  The guide can be found below:

Learn how to remove Malware Defender 2009 (Removal Guide)

How to delete the WORM_KOOBFACE.AZ Facebook worm

Wednesday, March 4th, 2009


Description:

WORM_KOOBFACE.AZ is a worm that targets social media sites. It does this by monitoring the cookies on your computer that contain login information for various social sites.  When login information is found, it will log in to your account and start sending messages to your friends and contacts on the site.  For example, if you use Facebook, it will log in to your account and send all your friends messages about a video they should see. These messages contain links to the infection, which will in turn infect anyone who visits the link.

The social sites that this infection monitors are:

  • facebook.com
  • hi5.com
  • friendster.com
  • myyearbook.com
  • myspace.com
  • bebo.com
  • tagged.com
  • netlog.com
  • fubar.com
  • livejournal.com

Once infected, the worm will create the file C:\Windows\freddy35.exe.  This file is the main program that sends infected messages to your friends. It will then create the following registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysftray2" = "%WinDir%\freddy35.exe"

Manual Removal Instructions for WORM_KOOBFACE.AZ

End these processes if they exist:
Learn how to end processes

freddy35.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\freddy35.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysftray2"

How to remove olhrwef.exe or the W32/Autorun-AAG worm.

Wednesday, March 4th, 2009


Description:

The W32/Autorun-AAG worm is an infection that spreads through removable media devices such as flash drives, USB drives, and external hard drives.  A user becomes infected when they insert an infected device into the computer.  Once the device is inserted, your computer will autoplay the device and the infection will spread to your computer.

During the infection process a file called olhrwef.exe will be created in your C:\Windows folder. This file will automatically start when you log into Windows. It will also create the C:\Windows\System32\nmdfgds0.dll file and add an autorun.inf file to every removable device on your computer. It will then create the following registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cdoosoft" = "%System%\olhrwef.exe"

Manual Removal Instructions for W32/Autorun-AAG

End these processes if they exist:
Learn how to end processes

olhrwef.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\olhrwef.exe
C:\Windows\System32\nmdfgds0.dll
Autorun.inf from the root of all of your removable media devices

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cdoosoft"
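Every guide on this page removes the same kind of persistence: a string value under the HKLM Run key (or, for Troj/Agent-JBX, the HKCU ...\Windows "load" value) that points at the dropped executable. The following Python script is an added example, not code from this blog or from BleepingComputer or the antivirus vendors whose detection names appear above: it parses the text that "reg export" produces for those two keys, flags any value whose target is one of the executable names listed in the guides, and separately reports a non-empty "load" value, which is normally empty. The .reg dump embedded in it is constructed for illustration; on a real machine you would export the keys and pass the decoded file contents to run_audit().

```python
"""Audit a 'reg export' text dump for the autostart entries named in the guides on this page.
Added example: run 'reg export <key> run.reg' on the suspect machine (the file is UTF-16),
then pass the decoded text to run_audit(). Nothing here modifies the registry."""
import re
from typing import Dict, List, Tuple

# The two autostart locations the guides above use (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows",
}

# Dropped executables named in the removal guides on this page.
BAD_BINARIES = {
    "xsafe.exe", "wmiprevse.exe", "quicktime_.exe", "updmngr.exe",
    "winbows.exe", "imege.exe", "picture.exe", "freddy35.exe", "olhrwef.exe",
}

Finding = Tuple[str, str, str, str]  # (key path, value name, value data, reason)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines; reg export writes backslashes doubled and embedded quotes as \"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for the REG_SZ values in a .reg dump.
    hex:/dword: values (REG_EXPAND_SZ, REG_BINARY, ...) are not string lines and are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _target_exe(data: str) -> str:
    """Best-effort executable name from a Run value: bare name, full path, or path plus arguments."""
    cmd = data.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]                   # quoted path: keep what is inside the quotes
    else:
        cmd = re.split(r"\s+[-/]", cmd, maxsplit=1)[0]   # unquoted: cut at the first ' -arg' or ' /arg'
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag autostart values that launch a listed binary, plus any populated 'load' value."""
    findings: List[Finding] = []
    for key, values in keys.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            exe = _target_exe(data)
            if exe in BAD_BINARIES:
                findings.append((key, name, data, f"autostart value launches known malware binary {exe}"))
            elif name.lower() == "load" and data:
                # HKCU\...\Windows\load is a legacy autostart value that is normally empty.
                findings.append((key, name, data, "the 'load' value is normally empty; review its target"))
    return findings


def run_audit(text: str) -> List[Finding]:
    return audit(parse_reg_export(text))


# Constructed .reg dump for illustration (a clean ctfmon entry plus four entries from the guides).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xSafe"="C:\\Program Files\\Common Files\\xSafe.exe"
"Apple Inc."="C:\\Program Files\\QuickTime_.exe -atboottime"
"windows"="winbows.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Windows\\System32\\updmngr.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in run_audit(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data}\n    -> {reason}")
```

The name-independent match on the target executable matters because the W32/Autorun-AAI guide shows one value name ("windows") used with three different binaries; matching on the file name catches all three. The "load" check is a heuristic, not a detection: it only surfaces the value for a human to look at.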