WinPC Defender is a new rogue anti-spyware program discovered by security analyst S!Ri and is a clone of the programs named XP Police Antivirus and IE Security. Like its predecessors, this program is installed and advertised through the use of Trojans that display fake security alerts on your computer. These security alerts state that your computer is infected and that you should click on them in order to download software that will protect you. Once you click on these alerts, the Trojan will automatically download and install the program on your computer.

There guide is linked to below:

How to remove WinPC Defender

Description:

W32.SillyFDC.BAY is a removable media worm that spreads through infected flash drives, external hard drives, and other USB storage devices.  Once infected, your computer will then infect any other removable devices that become inserted into your computer. When infected, the worm will create the C:\Program Files\Common Files\xSafe.exe file and then add the following registry key so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”xSafe” = “%ProgramFiles%\Common Files\xSafe.exe”

Manual Removal Instructions for W32.SillyFDC.BAY:

End these processes if they exist:
Learn how to end processes

xSafe.exe

Delete these files if they exist:
Lean how to remove files

C:\Program Files\Common Files\xSafe.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”xSafe”

Description:

W32.SillyFDC.BBA is a worm that spreads through removable media devices such as flash drives, external hard drives, and other USB storage devices.  Once infected, your computer will then infect any other removable devices that become inserted into your computer. When infected, the worm will create the SystemDrive%\SYSTEM\[SID]\Perfume.exe file and then add the following registry key so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}

Manual Removal Instructions for W32.SillyFDC.BBA:

End these processes if they exist:
Learn how to end processes

Perfume.exe

Delete these files if they exist:
Lean how to remove files

%SystemDrive%\SYSTEM\[SID]\Perfume.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}

Description:

Troj/Banker-EPN is a Trojan that attempts to steal accounts, passwords, and other online banking related information.  This infection listens to the traffic that you send to online banking web sites, and when it finds certain information, records it and sends it to a remote location.  This information is then used to either perform identify theft or to sell it to those who will.

Once this infection is installed, it will create the C:\Windows\wmiprevse.exe file and then add the following registry key so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”wmiprevse” = “C:\Windows\wmiprevse.exe”

If this infection is found on your computer, it is strongly suggested that you contact all of your banks and have your account information changed immediately.  Also by explaining the situation they can have your accounts monitored for illicit activity.

Manual Removal Instructions for Troj/Banker-EPN:

End these processes if they exist:
Learn how to end processes

wmiprevse.exe

Delete these files if they exist:
Lean how to remove files

C:\Windows\wmiprevse.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”wmiprevse”

Description:

The Troj/MalHost-Trojan pretends to be a video, but in reality is malware that changes your Windows HOSTS file that will redirect your web browser to further malicious sites. While the infection’s video is being shown on your desktop, the Trojan modifies your Windows HOSTs files to redirect popular web sites to malicious services under the malware writer’s control.  These web sites will instead attempt to infect you with further malware.

When infected, this Trojan will create the C:\Program Files\QuickTime_.exe file and then create the following registry key to start itself automatically when Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”Apple Inc.” = “C:\Program Files\QuickTime_.exe -atboottime”

Manual Removal Instructions for Troj/MalHost-B

End these processes if they exist:
Learn how to end processes

QuickTime_.exe

Delete these files if they exist:
Lean how to remove files

C:\Program Files\QuickTime_.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”Apple Inc.”

Description:

Troj/Agent-JBX is a Trojan that attempts to connect to the Internet in order to transmit and receive information.  This Trojan is typically bundled with other malware.

Once infected, this Trojan will create the C:\Windows\System32\updmngr.exe file and then create the following registry key to start itself automatically:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows “load” = “C:\Windows\System32\updmngr.exe”

Manual Removal Instructions for Troj/Agent-JBX

End these processes if they exist:
Learn how to end processes

updmngr.exe

Delete these files if they exist:
Lean how to remove files

C:\Windows\System32\updmngr.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows “load” = “C:\Windows\System32\updmngr.exe”

Description:

W32/AutoRun-ZX is a removable media worm that spreads by infecting devices such as flash drives, external hard drives, and other removable media.  Once an infected media is inserted into a clean machine, the clean computer will autplay the media and infect itself.

Once infected, the worm will create the file C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe.  It will then create the follow registry key to start itself automatically:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}

Manual Removal Instructions for W32/AutoRun-ZX

End these processes if they exist:
Learn how to end processes

Ogard.exe

Delete these files if they exist:
Lean how to remove files

C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}

Description:

W32/Autorun-AAI is a worm that targets removable media.  This worm typically spreads to your computer when you insert removable media such as flash drives, external hard drives, etc that have this infection on them.  Once these devices are inserted, your computer will autoplay the autorun.inf and the worm will run, infecting your computer.  Then if you insert any clean flash drives into your computer, the worm will infect those as well.

Once infected, the worm will create the file C:\Windows\Winbows.exe.  It will then create the follow registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”windows” = “winbows.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”windows” = “imege.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”windows” = “picture.exe”

Manual Removal Instructions for W32/Autorun-AAI

End these processes if they exist:
Learn how to end processes

winbows.exe
picture.exe
imege.exe

Delete these files if they exist:
Lean how to remove files

C:\Windows\winbows.exe
C:\Windows\imege.exe
C:\Windows\picture.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”windows”

I am running out, but I just read that BleepingComputer.com is reporting that a new rogue has been released that is advertised by the Vundo Trojan.  The Vundo Trojan is a wide spread Trojan that can be quite difficult to remove.  It is also know for causing large-scale installations of various rogues such as Antivirus 360.

BleepingComputer.com’s removal guide uses Malwarebytes’ Anti-malware to remove it.  The guide can be found below:

Learn how to remove Malware Defender 2009 (Removal Guide)