Archive for the 'Trojan' Category

Delete QuickTime_.exe and remove the Troj/MalHost-B infection.

Monday, March 9th, 2009


Description:

The Troj/MalHost-B Trojan pretends to be a video, but in reality it is malware that changes your Windows HOSTS file so that your web browser is redirected to further malicious sites. While the infection's video is being shown on your desktop, the Trojan modifies your Windows HOSTS file to redirect popular web sites to malicious servers under the malware writer's control. These web sites will in turn attempt to infect you with further malware.

When infected, this Trojan will create the C:\Program Files\QuickTime_.exe file and then create the following registry key to start itself automatically when Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Apple Inc." = "C:\Program Files\QuickTime_.exe -atboottime"
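A HOSTS-file audit of the kind a defender would run after a MalHost-style infection, added here as an example (not code from the original post). The sample HOSTS content and the 203.0.113.5 address are constructed; the check flags any name mapped to a routable address, which a clean Windows HOSTS file never contains.

```python
import ipaddress
import re

# Constructed sample HOSTS file (not taken from the post): the first entries are
# the stock loopback lines, the rest mimic a MalHost-style redirect of popular
# sites to an attacker-controlled address (203.0.113.5 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.google.com
203.0.113.5     www.bing.com  # trailing comment, still an entry
203.0.113.5     update.microsoft.com
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = re.split(r"\s+", line)
        for name in names:
            yield address, name.lower()


def suspicious_entries(text):
    """Return (address, hostname, reason) for entries a clean HOSTS file never has.

    A stock Windows HOSTS file only maps localhost to loopback.  Mapping a name
    to 0.0.0.0 or loopback merely blocks it (common in ad-block lists), but
    mapping a name to a routable address silently redirects the browser, which
    is exactly what the MalHost Trojan does.
    """
    flagged = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((address, name, "redirected to routable address"))
    return flagged


if __name__ == "__main__":
    for address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:24} -> {address:15} {reason}")
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into the function instead of SAMPLE_HOSTS.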


Manual Removal Instructions for Troj/MalHost-B

End these processes if they exist:
Learn how to end processes

QuickTime_.exe


Delete these files if they exist:

Learn how to remove files

C:\Program Files\QuickTime_.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Apple Inc."

How to delete updmngr.exe and remove the Troj/Agent-JBX infection.

Monday, March 9th, 2009


Description:

Troj/Agent-JBX is a Trojan that attempts to connect to the Internet in order to transmit and receive information.  This Trojan is typically bundled with other malware.

Once infected, this Trojan will create the C:\Windows\System32\updmngr.exe file and then create the following registry key to start itself automatically:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = "C:\Windows\System32\updmngr.exe"

Manual Removal Instructions for Troj/Agent-JBX

End these processes if they exist:
Learn how to end processes

updmngr.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\System32\updmngr.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = "C:\Windows\System32\updmngr.exe"

Malware Defender 2009 Removal Guide

Friday, March 6th, 2009


I am running out, but I just read that BleepingComputer.com is reporting that a new rogue has been released that is advertised by the Vundo Trojan.  The Vundo Trojan is a widespread Trojan that can be quite difficult to remove.  It is also known for causing large-scale installations of various rogues such as Antivirus 360.

BleepingComputer.com’s removal guide uses Malwarebytes’ Anti-malware to remove it.  The guide can be found below:

Learn how to remove Malware Defender 2009 (Removal Guide)

How to remove the WORM_KOOBFACE.D Facebook worm.

Tuesday, August 19th, 2008

The WORM_KOOBFACE.D worm is malware that spreads itself through the online social site called Facebook.  When a user becomes infected with this worm, it will install a copy of itself as C:\Windows\fbtre6.exe and then further download the following files:

  • C:\5465465465463.BAT
  • C:\Windows\fmark2.dat

When fbtre6.exe is run it will display the following message in Windows:

Error installing Codec. Please contact support.

It is important to note that this infection will delete itself if it detects that you have not used Facebook.com on the infected computer.  If Facebook cookies are found, though, it will add a link to a location where it can be downloaded to the infected user's Facebook profile.  It is through these links in infected users' profiles that the infection spreads.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is known to be able to remove this malware, which is included in its current virus definitions.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

fbtre6.exe


Delete these files:

Learn how to remove files

C:\Windows\fbtre6.exe
C:\5465465465463.BAT
C:\Windows\fmark2.dat

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sysftray = "C:\Windows\fbtre6.exe"

How to remove TROJ_POPHOT.O and the svchosd.exe infection.

Wednesday, July 30th, 2008

The TROJ_POPHOT.O Trojan is installed by other malware downloaded from the Internet.  When run, this Trojan will install the following files on your computer:

  • C:\Windows\System32\inf\scsys16_080725.dll
  • C:\Windows\System32\inf\sppdcrs080725.scr
  • C:\Windows\System32\inf\svchosd.exe
  • C:\Windows\dcbdcatys32_080725a.dll
  • C:\Windows\system\sgcxcxxaspf080725.exe
  • C:\Windows\tawisys.ini
  • C:\Windows\wftadfi16_080725a.dll

The Trojan also adds a registry entry so that it starts every time the computer is restarted. This entry runs C:\Windows\System32\inf\svchosd.exe, which is actually a renamed copy of rundll32.exe, and uses it to load the code in the wftadfi16_080725a.dll DLL file.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is known to be able to remove this malware, which is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

svchosd.exe


Delete these files:

Learn how to remove files

C:\Windows\System32\inf\scsys16_080725.dll
C:\Windows\System32\inf\sppdcrs080725.scr
C:\Windows\System32\inf\svchosd.exe
C:\Windows\dcbdcatys32_080725a.dll
C:\Windows\system\sgcxcxxaspf080725.exe
C:\Windows\tawisys.ini
C:\Windows\wftadfi16_080725a.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
initnyuser = "%System%\inf\svchosd.exe %WINDOWS%\wftadfi16_080725a.dll tanlt88"
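An audit of the three autorun locations used by the Trojans above (the Run key used by Troj/MalHost-B, the Winlogon "load" value used by Troj/Agent-JBX, and the policies\Explorer\run key used by TROJ_POPHOT.O), added here as an example and not code from the original posts. It reads a constructed .reg export rather than the live registry so it runs anywhere; the benign Notepad entry is made up for contrast, and the DLL check is a heuristic for POPHOT's renamed-rundll32 trick.

```python
import re
from collections import defaultdict

# Constructed .reg export (not from the page) modelled on the three autorun entries above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple Inc."="C:\\Program Files\\QuickTime_.exe -atboottime"
"Notepad"="C:\\Windows\\notepad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Windows\\System32\\updmngr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"initnyuser"="%System%\\inf\\svchosd.exe %WINDOWS%\\wftadfi16_080725a.dll tanlt88"
"""
# Executable names the removal guides on this page tell you to look for.
KNOWN_BAD = {"quicktime_.exe", "updmngr.exe", "svchosd.exe", "fbtre6.exe", "lphc3pgj0e3ct.exe"}
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\policies\explorer\run", r"\currentversion\windows")


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ values only)."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and (m := re.match(r'"(.*?)"="(.*)"$', line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def split_command(cmd):
    """Return (executable basename, argument list); paths may contain spaces."""
    m = re.match(r'\s*"?(.*?\.exe)"?(?:\s+(.*))?$', cmd, re.IGNORECASE)
    path, rest = (m.group(1), m.group(2) or "") if m else ((cmd.split() or [""])[0], "")
    return path.rsplit("\\", 1)[-1].lower(), rest.split()


def audit_autoruns(text):
    """Return (key, value_name, command, reasons) for suspicious autorun entries."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, cmd in values.items():
            exe, args = split_command(cmd)
            reasons = []
            if exe in KNOWN_BAD:
                reasons.append("file named in a removal guide")
            if args and args[0].lower().endswith(".dll") and exe != "rundll32.exe":
                reasons.append("non-rundll32 host loading a DLL")  # POPHOT's renamed rundll32
            if name.lower() == "load":
                reasons.append("Winlogon 'load' value is normally empty")
            if reasons:
                findings.append((key, name, cmd, reasons))
    return findings
```

Export the three keys with reg.exe (e.g. `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`) and pass the file contents to audit_autoruns.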

How to remove the Trojan.Proscks.C Malware

Tuesday, July 29th, 2008

The Proscks Trojan modifies files on the compromised computer and connects to a remote server. Once infected you will be shown pop-up advertisements on your computer.

When infected the Trojan.Proscks.C malware will create the following files:

  • %Temp%\RarSFX0\IPHOST.DLL
  • %Temp%\RarSFX0\iphy.dll
  • %Temp%\RarSFX0\xExe.dll
  • %Temp%\RarSFX0\loaderSvc.exe
  • %System%\IPHOST.DLL
  • %System%\_proxy.dll
  • %System%\iphy.dll
  • %System%\fhpatch.dll
  • %System%\fiplock.dll
  • %System%\IpSvchostF.dll

Next, the Trojan copies the file %System%\svchost.exe to the following location:

%System%\[EIGHT RANDOM CHARACTERS]

It then modifies %System%\svchost.exe so that the following file is executed every time Windows starts:

%System%\IPHOST.DLL

The Trojan then downloads a .dll file from a remote location and saves it as %System%\IPHACTION.dll.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contain methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

loaderSvc.exe

Delete these files:


Learn how to remove files

%Temp%\RarSFX0\IPHOST.DLL
%Temp%\RarSFX0\iphy.dll
%Temp%\RarSFX0\xExe.dll
%Temp%\RarSFX0\loaderSvc.exe
%System%\IPHOST.DLL
%System%\_proxy.dll
%System%\iphy.dll
%System%\fhpatch.dll
%System%\fiplock.dll
%System%\IpSvchostF.dll

How to remove the Troj_Renos.ACO or lphc3pgj0e3ct.exe infection.

Thursday, July 24th, 2008

A new variant of the Troj_Renos.ACO infection was discovered that installs a file called lphc3pgj0e3ct.exe into your C:\Windows\System32 folder. This infection is installed on your computer by one of the following three methods:

  • This Trojan may be downloaded from remote site(s) by other malware.
  • It may be dropped by other malware.
  • It may be downloaded unknowingly by a user when visiting malicious Web site(s).

When started, the infection will connect to a remote web site to download and run another file that is also detected as Troj_Renos.ACO.  It then copies itself to C:\Windows\System32\lphc3pgj0e3ct.exe and adds an entry to the Windows Registry to start the file every time you boot your computer.

This infection will also change your Windows desktop wallpaper to look like:

[Image: Trojan Renos Wallpaper]

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is known to be able to remove this malware, which is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

lphc3pgj0e3ct.exe


Delete these files:

Learn how to remove files

C:\Windows\System32\lphc3pgj0e3ct.exe
C:\Windows\System32\phc3pgj0e3ct.bmp
C:\Windows\System32\blphc3pgj0e3ct.scr

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lphc3pgj0e3ct = "%System%\lphc3pgj0e3ct.exe"

How to remove the USS.exe Trojan

Thursday, July 17th, 2008

The USS.exe Trojan is an executable that gets installed on your computer along with other malware.  This infection will also install a service called wasfsd that uses the filename C:\Windows\System32\drivers\System32. When running, this Trojan will display fake alerts that state your computer is being attacked or is infected with particular infections.  It will then ask if you would like to block or fix these infections, and if you answer yes, it opens an Internet Explorer window where it prompts you to buy Trusted Antivirus.

[Images: Fake alerts from USS.exe]

Automatic Removal Method

We recommend that you install Spyware Doctor from PCTools in order to remove USS.exe Trojan from your computer. Spyware Doctor has an incredible track record for removing and detecting the latest malware.

Download Spyware Doctor to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

USS.exe


Delete these files:

Learn how to remove files

c:\END
c:\Program Files\USS
c:\Program Files\USS\unins000.dat
c:\Program Files\USS\unins000.exe
c:\Program Files\USS\USS.exe
c:\Program Files\USS\#agents
c:\Program Files\USS\#agents\53
c:\Program Files\USS\#agents\53\#startup
c:\Program Files\USS\#monitors
c:\Program Files\USS\#monitors\DirMonitor
c:\Program Files\USS\#monitors\FileMonitor
c:\Program Files\USS\#monitors\RegMonitor
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.dll
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.xml
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\kernel.dll
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.dat
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.exe
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.xml
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.xml
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcp71.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcr71.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.dat
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.exe
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\GSCRPlugin.dll
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.dat
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.exe
c:\WINDOWS\system32\drivers\wasfsd.sys

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\USLst
HKEY_CURRENT_USER\Software\USS
HKEY_CLASSES_ROOT\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22}
HKEY_CLASSES_ROOT\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422}
HKEY_CLASSES_ROOT\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42622}
HKEY_CLASSES_ROOT\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422}
HKEY_CLASSES_ROOT\wasfsd.CreationNotifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{D1957FF4-EA22-4b4a-81A1-C62068479DED}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{EC572088-91C7-4293-93F9-93D40B0E0B36}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_is1
HKEY_LOCAL_MACHINE\SOFTWARE\USS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wasfsd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wasfsd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run => USS