Trojan Vundo/Virtumonde turns a good file into a Trojan-Dropper
VirusList has posted about a new variant of Trojan Vundo/Virtumonde. The Vundo authors have moved to file infection: Virtumonde checks which files run at Windows startup and tries to infect them. Effectively, this turns the original host file into a Trojan-Dropper.
Dropper code is prepended to the original host file, and a copy of Virtumonde is appended to the same file. When the infected file is launched, it drops the original host file to %temp% and the Virtumonde file to the system directory.
Although Virtumonde uses an infection marker to avoid re-infecting the same file over and over, this doesn't always work: there are samples of already infected files being re-infected, after which the host file no longer runs. Re-infection does not, however, stop Virtumonde itself from running.
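The layout described above (a PE followed by extra data that carries one or more further PE images) is something you can check for generically. The following is an added example, not code from VirusList or Kaspersky: it parses the section table to find where a PE image really ends, measures the overlay after it, and looks for whole PE images inside that overlay. It knows nothing about Virtumonde's actual infection marker; build_pe() only constructs minimal, non-runnable PE layouts so the checks can be exercised offline.

```python
"""Overlay and embedded-PE heuristic for the prepend/append infection pattern."""
import struct

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)


def pe_image_end(data: bytes, base: int = 0):
    """Offset just past the last section's raw data for the PE image whose
    MZ header sits at `base`; None if there is no parseable PE header there."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]      # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    end = table + nsections * SECTION_HDR            # never shorter than the headers
    for i in range(nsections):
        hdr = table + i * SECTION_HDR
        if hdr + SECTION_HDR > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            end = max(end, base + raw_ptr + raw_size)   # raw pointers are relative to `base`
    return end


def find_embedded_pes(data: bytes, start: int):
    """Offsets of every parseable PE image in data[start:]; once an image is
    found the scan resumes after it, so an MZ inside it is not counted again."""
    found, off = [], data.find(b"MZ", start)
    while off != -1:
        end = pe_image_end(data, off)
        if end is not None:
            found.append(off)
            off = data.find(b"MZ", end)
        else:
            off = data.find(b"MZ", off + 1)
    return found


def inspect(data: bytes) -> dict:
    """Summarise overlay size and any second PE carried in the overlay."""
    end = pe_image_end(data)
    if end is None:
        return {"pe": False}
    overlay = max(len(data) - end, 0)
    return {
        "pe": True,
        "image_end": end,
        "overlay_bytes": overlay,
        "embedded_pe_at": find_embedded_pes(data, end) if overlay else [],
    }


def build_pe(payload: bytes, opt_size: int = 0xE0) -> bytes:
    """Constructed test data: a minimal, non-runnable 32-bit PE layout with one
    section whose raw data is `payload`. Exists only to exercise the checks."""
    e_lfanew, nsections = 0x40, 1
    headers = e_lfanew + 24 + opt_size + nsections * SECTION_HDR
    raw_ptr = (headers + 0x1FF) & ~0x1FF                    # 512-byte file alignment
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, opt_size, 0x102)
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
               + bytes(16))
    image = bytes(dos) + coff + bytes(opt_size) + section
    return image + bytes(raw_ptr - len(image)) + payload


def demo_samples():
    """A clean host and an 'infected' one: dropper stub prepended, host carried
    as overlay, a second payload image appended after it."""
    host = build_pe(b"original host program" * 8)
    infected = build_pe(b"dropper stub") + host + build_pe(b"virtumonde body")
    return host, infected


if __name__ == "__main__":
    host, infected = demo_samples()
    print("clean:   ", inspect(host))
    print("infected:", inspect(infected))
```

Packers and installers also leave overlays, so a non-zero overlay on its own is only a lead; an overlay that contains complete PE images, on a file that is referenced from a startup location, is the combination worth pulling for analysis.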
Read more: Virtumonde/Vundo goes file infector
December 9, 2007 on 7:10 am | In Trojan | No Comments |Submit to: Digg | SlashDot | Del.icio.us
Found some new fake codecs
The Sunbelt blog has reported some new fake codec sites:
codechq - codechq(dot)net
Pushes both the Windows and the Mac version of Trojan DNSChanger. Sample binaries: Mac: codechq(dot)net/download/codechq(dot)dmg; Windows: codechq(dot)net/download/codechq(dot)exe.
vplprocedure - vplprocedure(dot)com
Sample binary: vplprocedure(dot)com/download.php?id=10581
codectime - codectime(dot)com
Pushes both the Windows and the Mac version of Trojan DNSChanger. Sample binaries: Mac: codectime(dot)com/download/codectime(dot)dmg; Windows: codectime(dot)com/download/codectime(dot)exe
If you cannot remove a fake codec, follow the steps in the topic Spyware removal - Read Before Posting.
December 3, 2007 on 6:42 am | In Trojan, spyware | No Comments
VundoFix - freeware removal tool for Trojan.Vundo
VundoFix is a freeware removal tool for many of the known variants of Trojan.Vundo, Trojan.Conhook and similar infections.
Usually, when infected with Vundo, the user is bombarded with popups for WinFixer, Amaena, WinAntiVirus, ErrorSafe, SystemDoctor and DriveCleaner. Downloading and running these fraudware applications results in a fake scan that tells you that you are infected with malware and that you need to buy the program to remove what it "found". DO NOT BUY THESE PROGRAMS. They are scams; they remove nothing and may well make your infection worse.
A slowdown in PC performance may also be noticed while Vundo is running, as well as random BSODs.
Usage for Removal:
Download VundoFix to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In that case VundoFix will attempt to run again at reboot; when it appears, simply follow the instructions above starting from "click the Scan for Vundo button".
If you encounter a variant of Vundo that VundoFix does not detect or cannot remove follow the steps outlined in the topic linked below:
Spyware removal - Read Before Posting
Vundofix homepage, Download VundoFix.
November 18, 2007 on 3:52 am | In Free Software, Trojan | 3 Comments
Some new fake codecs
A fake codec is actually a Trojan downloader/installer. It changes your home page to a scam site and produces unwanted popups selling rogue security software.
These sites host the fake codecs:
gneprogram(dot)com
ndcperformance(dot)com
mzdsoftware(dot)com
pkbsolution(dot)com
zerocodec(dot)com
Also zangcodec and playcodec; these push both the Windows and the Mac version of Trojan DNSChanger.
Block them now, using any hosts file manager.
Read more at Sunbeltblog - New fake codec: playcodec, New fake codec site: zangcodec, Some more fake codec sites
November 16, 2007 on 9:57 pm | In Trojan | No Comments
The binaries are hidden, and getting them depends on where the developer hides them. With certain sites, you can often get a sample through /download/(sitename).exe (there are always more binaries in the same directory as well, each numbered for affiliates). For other codec sites, /download.php?id=4082 will get a binary (that number is just an affiliate ID; other numbers work as well). If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please, don't touch these binaries unless you know what you're doing: they are live Trojans.
SDFix free trojan remover tool
The fix tool removes a large number of Trojan variants. The entries below are listed as they appear in a Trend Micro HijackThis log:
Backdoor (IRCBot) Trojans:
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\accwiz.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\astra32.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\Avsynmgr.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\BTStack.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\BTTray.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\czsrv.exe
…
Trojan Ranky/Ranck:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\etc\services.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\NT\nrcs.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\1.tmp
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\mbti.exe
…
Misc’ - Downloader/Dropper, Proxy, Backdoor, PWStealer Trojans:
F2 - REG:system.ini: Shell=explorer.exe %Temp%\cryptfg.exe
F2 - REG:system.ini: Shell=Explorer.exe boot
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\alg32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\MSACCESS.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system\lsass.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\explorer..exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
…
HackerDefender:
O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINDOWS\system32\msdndr.pif
O23 - Service: MSDV Driver (msdvdr) - Unknown owner - C:\WINDOWS\system32\msdvdr.pif
O23 - Service: ro0 Service (ro0Srv) - Unknown owner - C:\WINDOWS\system32\ro0\ro0.exe
O23 - Service: Time Service (TIME) - Unknown owner - C:\WINDOWS\system32\(RandomName).exe
Trojan/Rootkit Components:
__oddysee.sys
asc355.sys
asc355O.sys
asc3550a.sys
asc3550o.sys
asc3550p.sys
asc3550u.sys
asc3550v.sys
backsys.sys
core.sys
…
Notes:
If this error message is displayed when running SDFix:
The command prompt has been disabled by your administrator. Press any key to continue . . .
go to Start Menu > Run, then copy and paste the following line and press OK: %systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Then run SDFix again.
If the Command Prompt window flashes on and then off again on XP or Windows 2000, go to Start Menu > Run, then copy and paste the following line: %systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.
If SDFix still doesn't run, check the %comspec% variable: go to Start Menu > right-click My Computer > Properties > Advanced > Environment Variables and check that the ComSpec variable points to %SystemRoot%\system32\cmd.exe
SDFix uses ERUNT to create a registry backup in this location: %SystemRoot%\ERUNT\SDFix\
November 9, 2007 on 4:16 am | In Free Software, Trojan | 17 Comments
How to remove trojan dns/changer
Trojan DNSChanger (there are both Windows and Mac versions) hijacks your DNS settings and then redirects you to malicious websites (and, if you believe some of the press coverage, steals personal identities, kills your dog and even crank-calls your grandmother with naughty messages).
Read more: A little bit of de-fudding on the DNS changing Trojan
HijackThis shows the Trojan DNSChanger entry like this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157
To remove the infection, follow these instructions step by step:
Please download FixWareout.
Save it to your desktop and run it. Click Next, then Install, then make sure “Run fixit” is checked and click Finish. The fix will begin, follow the prompts.
You will be asked to reboot your computer, please do so. Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
Open C:\fixwareout\report.txt. If FixWareout found the infection, you will see lines like these:
…
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.86 85.255.112.157" value cleared.
…
That is fine; it means the hijacked name servers were removed.
This Trojan can also download other malware. To check your PC and remove any rogue software, download and run SmitfraudFix.
Your computer should now be free of the infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below Spyware removal - Read Before Posting.
The fake codecs story continues: some new fake codecs found
A fake codec is actually a Trojan downloader/installer. It changes your home page to a scam site and produces unwanted popups selling rogue security software.
The codecs also install one of the anti-spyware rogues, currently AntiVirGen. These produce false positives and alert bubbles to scare users into buying the software. The same people own the online billing sites, so you would be handing your credit card number to the people who infected you.
These sites host the fake codecs:
zsvcompany.com
bcnproduction.com
mojtechnology.com
vaulimited.com
Block them now, using any hosts file manager.
Read more at Sunbeltblog - Some new fake codecs
To remove fake codecs from your PC, try SmitfraudFix.
November 4, 2007 on 12:00 am | In Trojan | No Comments
Found: fake Microsoft update popup
Many individuals have reported a very realistic fake update popup to the MySpace abuse team.
The thing is quite convincing, and if you click "Download" you get an offer to install a nasty little Trojan.
The Trojan, "updateKB890830.exe", downloads from a site whose URL looks like a Microsoft one, so it all looks quite realistic to the user.
To protect your PC, check twice before installing any update.
Also add liveupdatesnet.com and pcsecuritylab.com to your blocklist.
Read more: Seen on MySpace — very realistic fake update popup
November 1, 2007 on 5:35 am | In Trojan | No Comments
Found trojan that attempts to steal money by selling a fake iPhone
The Sunbelt team has reported a new Trojan that attempts to steal money by selling a fake iPhone. The malware produces a popup, triggered by visiting yahoo.com or google.com. There are multiple variants of the popup, including one saying "supported by Google" and one saying "supported by Yahoo".
Normally, when you go to iPhone.com, you are redirected to Apple's site, http://www.apple.com/iphone/. On an infected system you are directed to a custom "iphone.com" instead, which is a fake site. The Trojan pulls the page content from a file it has created on the local disk, %system%\confg.xml, and installs a BHO (Browser Helper Object):
BHO: {AA7F2000-EA05-489d-900C-3C7C0A5497A3} - C:\WINDOWS\system32\rwera21s1.dll
The BHO is used to inject code into Internet Explorer so that it appears you are on a website owned by Apple. The same technique is used by malware that targets banking websites.
Read more: iPhone madness: This hot phone now sold through malware
July 3, 2007 on 4:57 am | In Trojan | No Comments
Automatic removal of the HaxDoor Trojan
This Trojan allows others to access the computer, drops more malware and installs itself in the registry.
To check your PC, download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Now run HijackThis and click "Do a system scan only". If you find any entry similar to
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
then you have a HaxDoor Trojan infection!
To remove this serious infection, follow these instructions step by step.
Download haxfix.exe. Save it to your desktop.
Double click on haxfix.exe to install HaxFix (the standard installation path is C:\Program Files\haxfix).
Checkmark “Create a desktop icon”.
Click “Next”.
When the installation is completed, make sure that "Launch HaxFix" is ticked.
Click “Finish”.
A red "DOS window" (DOS box) will open.
Select option 2, Run auto fix, by typing 2 and then pressing Enter.
If an infection is found, you’ll get a message to close all other open windows.
Close them, except the red DOS window from HaxFix, and then press Enter.
The computer will reboot.
HaxDoor can drop more malware, so if you are still having problems with your PC, please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting
June 24, 2007 on 6:27 pm | In Spyware protection and removal, Trojan, Tutorials - "How to" | No Comments
Trojan Zlob spreading on MySpace
F-Secure labs have found something new spreading on MySpace. It modifies existing profiles, overlaying the content with a message like this:

If you follow the link, you end up with a download. This is a Zlob variant.
Zlob is a Trojan. It silently attempts to download and run other files from remote web sites and shows fake error messages. Zlob copies itself to the Windows folder and changes the start and search pages of Internet Explorer.
Read more: New MySpace Nasty
March 2, 2007 on 8:29 am | In Malware, Trojan | No Comments
Putin’s death can kill your computer
Viruslist has reported a new spam message:
Subject: ATTENTION !!! President of Russia has dead.
Attention!!! Vladimir Putin has dead. Visit immediately to http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/********.stm
BBC, BBC World and their respective logos are trade marks of the British Broadcasting Corporation, Logos © 1996
The link in this ‘sensational’ message appears to lead to the BBC site - an organization with a worldwide reputation. But if the user clicks on the link, s/he will be sent to a Russian site which has nothing at all to do with the BBC. This is made possible by the use of HTML in the message - although the user sees one link, there’s another, invisible link underneath, which leads to a totally different site.
And what’s the point? After all, the message isn’t selling anything. Well, according to our virus analysts, when you visit this site, Exploit.JS.ADODB.Stream.o is used to download a Trojan-Downloader (Trojan-Downloader.Win32.Agent.uj) onto your machine. And once a Trojan-Downloader is on your machine, it will probably start downloading other malicious programs…
In other words, curiosity can kill your computer. And put your personal data at risk.
October 26, 2006 on 8:07 am | In Trojan | No Comments
SpamThru Trojan - malware that detects and removes other malware
Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address. In the past, we’ve also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.
SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
Read more about SpamThru Trojan : SpamThru Trojan Analysis
SMS text messages used to spread malware/keylogger
CA has received reports of Win32/Bambo.CF being distributed via SMS text messages sent to mobile phones, enticing people to visit a malicious website. The messages may contain the following:
Thanks for subscribing to *****.com dating service. If you don’t unsubscribe you will be charged $2 per day.
The text message then directs the recipient to visit a website in order to unsubscribe from the service and avoid being charged. This website contains a fake dating service page, which entices users to enter their phone number, at which point it attempts to load an executable file called "unregister.exe". The web page instructs users to click the "Run" button on each warning page that Windows displays, to allow the program to execute. If the program is run, it installs the Win32/Bambo.CF trojan.
Please see below for examples of fake dating service pages displayed by the malicious website.

Anyone loading the webpage and following the instructions in the message will pick up the trojan, which CA has named Win32/Bambo.CF. The keylogger looks for passwords and other information which it sends via emails and perhaps through other means.
June 27, 2006 on 4:50 am | In Malware, Trojan | No Comments
More fake codecs - nvidcodec, media-codec
The Sunbelt blog has reported a new fake codec, nvidcodec. Some AV vendors detect it as Trojan.Downloader.Zlob.
The codec's homepage, nvidcodec[dot]com, has no link to the terms of use (EULA). To read them, I downloaded and ran the nvidcodec installer. The install manager opened a window with the terms of use, and here is what I found:
SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to PORNMAGPASS or its affiliates during this process. Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.
Read EULA from my previous post: Pornmagpass - free pass to get popups, rogue antispyware, toolbar.
I also found a link to their main site, media-codec[dot]com, which has similar terms of use:
… Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager….
After that, I checked the whois information for media-codec[dot]com, nvidcodec[dot]com and pornmagpass[dot]com.
whois media-codec[dot]com:
Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: MEDIA-CODEC.COM
Registrant:
n/a
Lemos Adamantios (lemos@securitywarnings.net)
aktis 119, vouliagmeni
athens
n/a
GR
Tel. +030.2108960081
Creation Date: 08-Apr-2006
Expiration Date: 08-Apr-2007
Domain servers in listed order:
ns2.media-codec.com
ns1.media-codec.com
Administrative Contact:
n/a
Lemos Adamantios (lemos@securitywarnings.net)
aktis 119, vouliagmeni
athens
n/a
GR
Tel. +030.2108960081
whois nvidcodec[dot]com:
Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: NVIDCODEC.COM
Registrant:
na
Zuska Karel (zuska@needupdate.com)
Trebanska 764, Revnice
Praha
11776
CZ
Tel. +420.257720734
Creation Date: 25-Apr-2006
Expiration Date: 25-Apr-2007
Domain servers in listed order:
ns2.nvidcodec.com
ns1.nvidcodec.com
Administrative Contact:
na
Zuska Karel (zuska@needupdate.com)
Trebanska 764, Revnice
Praha
11776
CZ
Tel. +420.257720734
whois pornmagpass[dot]com:
Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: PORNMAGPASS.COM
Registrant:
-
Mario Maxime (nt@chmails.com)
88 r Duhesme
Paris
75018
FR
Tel. +7.9219745516
Creation Date: 27-Mar-2006
Expiration Date: 27-Mar-2007
Domain servers in listed order:
ns2.pornmagpass.com
ns1.pornmagpass.com
Administrative Contact:
-
Mario Maxime (nt@chmails.com)
88 r Duhesme
Paris
75018
FR
Tel. +7.9219745516
As you can see, all three domains were registered through the same registrar (ESTDOMAINS) within a few weeks of each other, each with its own throwaway contact details (note the Russian +7 phone number attached to a Paris address). The registrant names differ, but the domains are clearly run by the same people.
In the whois information I also found one more domain, needupdate[dot]com. Some months ago I posted about it: Needupdate hijacker.
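Pivoting like this is easier when the records are parsed rather than eyeballed. The following is an added example, not part of the original post: it reads abridged copies of the three whois records quoted above (constructed here with only the fields needed for pivoting), groups the domains by registrar and creation month, collects the contact e-mail domains as new leads (this is how needupdate.com surfaced), and flags registrant phone numbers whose country code does not match the stated country. The DIAL table covers only the countries that appear in these records.

```python
"""Pivot across whois records: shared registrar, creation window, e-mail domains, contact inconsistencies."""
import re
from collections import defaultdict

# Constructed abridgements of the records quoted in this post (pivot fields only).
RECORDS = {
    "media-codec.com": """Registration Service Provided By: ESTDOMAINS
Registrant:
Lemos Adamantios (lemos@securitywarnings.net)
GR
Tel. +030.2108960081
Creation Date: 08-Apr-2006""",
    "nvidcodec.com": """Registration Service Provided By: ESTDOMAINS
Registrant:
Zuska Karel (zuska@needupdate.com)
CZ
Tel. +420.257720734
Creation Date: 25-Apr-2006""",
    "pornmagpass.com": """Registration Service Provided By: ESTDOMAINS
Registrant:
Mario Maxime (nt@chmails.com)
FR
Tel. +7.9219745516
Creation Date: 27-Mar-2006""",
}

# International calling codes for the countries that occur above (enough for this check).
DIAL = {"GR": "30", "CZ": "420", "FR": "33", "RU": "7"}


def parse_record(text: str) -> dict:
    """Pull registrar, creation date, phone country code, country and contact
    e-mail domain out of one record in the registrar's key/value layout."""
    rec = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Registration Service Provided By:"):
            rec["registrar"] = line.split(":", 1)[1].strip()
        elif line.startswith("Creation Date:"):
            rec["created"] = line.split(":", 1)[1].strip()
        elif line.startswith("Tel."):
            # "+030.2108960081" -> "30": drop the dot-separated subscriber part and leading zeros
            rec["phone_cc"] = line.split("+", 1)[1].split(".", 1)[0].lstrip("0")
        elif re.fullmatch(r"[A-Z]{2}", line):
            rec["country"] = line
        elif (m := re.search(r"\(([^()\s]+@([^()\s]+))\)", line)):
            rec["email_domain"] = m.group(2).lower()
    return rec


def pivot(records: dict) -> dict:
    """Group domains by registrar and creation month, collect e-mail domains as
    new leads, and list domains whose phone code contradicts the country."""
    by_registrar, by_month = defaultdict(list), defaultdict(list)
    leads, mismatches = set(), []
    for domain, text in records.items():
        r = parse_record(text)
        by_registrar[r.get("registrar")].append(domain)
        by_month["-".join(r["created"].split("-")[1:])].append(domain)   # "08-Apr-2006" -> "Apr-2006"
        if r.get("email_domain") and r["email_domain"] != domain:
            leads.add(r["email_domain"])
        if r.get("phone_cc") and DIAL.get(r.get("country")) != r["phone_cc"]:
            mismatches.append(domain)
    return {"by_registrar": dict(by_registrar), "by_month": dict(by_month),
            "leads": leads, "mismatches": mismatches}


if __name__ == "__main__":
    for key, value in pivot(RECORDS).items():
        print(f"{key}: {value}")
```

The e-mail domains are the most useful output: each one is a fresh pivot to run the same whois lookup against.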
To protect your PC, add all these domains to your blocklist.
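Several posts on this page end with the same advice, "block them now, use any hosts file manager", and the SpamThru post above shows the same file used against you, with AV update sites pointed at localhost. The following is an added example, not from Sunbelt or SecureWorks, that does both jobs against hosts-file text: it adds block entries idempotently (accepting the (dot)/[dot] notation used in these posts) and reports any protected update hostname that the file overrides at all. The sample hosts text and the PROTECTED list are constructed; it never writes to the real file (%SystemRoot%\System32\drivers\etc\hosts on Windows), so wire that up yourself.

```python
"""Hosts-file blocklist helper plus an audit for malware-added update-site entries."""

# Assumption: list the update hosts your AV and OS actually use.
PROTECTED = ("windowsupdate.com", "microsoft.com", "symantec.com", "kaspersky.com", "sophos.com")

# Constructed sample: a hosts file after SpamThru-style tampering.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n127.0.0.1\tupdate.symantec.com\t# added by malware\n"


def parse_hosts(text: str):
    """[(ip, [names lowercased], raw_line)] for every non-comment hosts line."""
    entries = []
    for raw in text.splitlines():
        body = raw.partition("#")[0].split()
        if body:
            entries.append((body[0], [n.lower() for n in body[1:]], raw))
    return entries


def defang_to_domain(d: str) -> str:
    """Turn the (dot)/[dot] notation used in these posts back into a host name."""
    return d.lower().replace("(dot)", ".").replace("[dot]", ".").strip(". ")


def add_block_entries(text: str, domains, sink: str = "127.0.0.1", tag: str = "blocked: fake codec site"):
    """Return (new_text, added_names) with each domain and its www. form pointed
    at `sink`. Idempotent: names already present in the file are left alone."""
    present = {n for _, names, _ in parse_hosts(text) for n in names}
    lines = text.rstrip("\n").split("\n") if text.strip() else []
    added = []
    for d in map(defang_to_domain, domains):
        for name in (d, "www." + d):
            if name not in present:
                lines.append(f"{sink}\t{name}\t# {tag}")
                present.add(name)
                added.append(name)
    return "\n".join(lines) + "\n", added


def find_hijacked_update_hosts(text: str, protected=PROTECTED):
    """[(name, ip, raw_line)] for protected hosts (or their subdomains) that
    the hosts file maps anywhere; a clean file has no business doing so."""
    hits = []
    for ip, names, raw in parse_hosts(text):
        for n in names:
            if any(n == p or n.endswith("." + p) for p in protected):
                hits.append((n, ip, raw))
    return hits


if __name__ == "__main__":
    new_text, added = add_block_entries(SAMPLE_HOSTS, ["codechq(dot)net", "zerocodec.com"])
    print(new_text)
    print("added:", added)
    print("hijacked update hosts:", find_hijacked_update_hosts(SAMPLE_HOSTS))
```

Keep the limits in mind: a hosts entry only stops name resolution for that exact name, and anything running with administrator rights can rewrite the file, which is exactly what SpamThru does. Treat the file as one layer, and audit it as part of clean-up rather than trusting it.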
June 6, 2006 on 9:22 pm | In Spyware protection and removal, Trojan | No Comments
Pornmagpass - a free pass to popups, rogue antispyware and a toolbar
The Sunbelt blog has reported new adware, pornmagpass. It is detected by some AV engines as a Trojan:
AVG - Downloader.Zlob.AOI
ClamAV - Trojan.Downloader.Zlob-471
EtrustVet - Win32/Beovens.FT
Fortinet - suspicious
Ikarus - Trojan-Downloader.Win32.Zlob.ni
The EULA says:
SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to PORNMAGPASS or its affiliates during this process. Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.
After running, this Trojan installs the rogue antispyware SpywareQuake and adds a new IE toolbar called "Safety Bar".
As a final note, the pornmagpass malware site is hosted by Intercage, the Best Friend Ever of malware authors.
Read more: PornMagPass — your pass to hell
June 6, 2006 on 7:31 pm | In Trojan | No Comments
Spam emails and fake Microsoft patch
The Internet Storm Center has received samples of an e-mail that is being actively spammed at the moment. The e-mail purports to be from Microsoft and notifies the recipient of "a new vulnerability [that] has been discovered in the Microsoft WinLogon Service". It further states that the vulnerability can give an attacker access to the unpatched system.
Of course, the user is advised to install the patch which can be downloaded from the included link.
As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user is really sent; the actual target is:
http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe
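Both this message and the "Putin's death" spam above rely on the same HTML trick: the anchor text shows one URL while the href goes elsewhere. The following is an added example, not ISC's or Kaspersky's code, that pulls every link out of an HTML message with Python's html.parser and reports those whose visible text is itself a URL or host name pointing to a different site than the href. The two sample messages are constructed after the ones described on this page, and attacker.invalid is a placeholder for the real destination.

```python
"""Find links whose displayed URL and real href disagree (HTML e-mail link spoofing)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that looks like a URL or bare host name (has a dot-separated host).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text: str) -> str:
    """Lower-cased host name of a URL or bare host; empty if there is none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower().rstrip(".")


def same_site(shown: str, actual: str) -> bool:
    """Accept only exact match or a parent/sub-domain relationship (www.x.com vs x.com)."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def deceptive_links(html: str):
    """[(shown_host, actual_host, href)] for links whose displayed text is a
    URL/host that does not match where the href really goes."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    out = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue                       # ordinary anchor text: nothing to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not same_site(shown, actual):
            out.append((shown, actual, href))
    return out


# Constructed samples modelled on the two spam messages discussed on this page.
BBC_SPAM = ('Vladimir Putin has dead. Visit immediately to '
            '<a href="http://attacker.invalid/news/">'
            'http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/</a>')
PATCH_SPAM = ('Download the patch: '
              '<a href="http://attacker.invalid/winlogon_patchV1.12.exe">'
              'http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe</a>'
              ' or see <a href="http://www.microsoft.com/security/">www.microsoft.com</a>'
              ' and <a href="http://www.microsoft.com/">Microsoft</a>.')

if __name__ == "__main__":
    for name, message in (("bbc", BBC_SPAM), ("patch", PATCH_SPAM)):
        print(name, deceptive_links(message))
```

Mail gateways apply the same comparison; the check is cheap because it needs no network access, only the message body. Plain-word anchor text ("click here") is out of scope for it, which is why an executable attachment or a link to an .exe still deserves a separate rule.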
AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products on VirusTotal detected it:
Engine / Version / Signature date / Detection
AntiVir 6.34.1.34 05.29.2006 Heuristic/Crypted.Modified
BitDefender 7.2 05.30.2006 Trojan.BeastPWS.C
Kaspersky 4.0.2.24 05.30.2006 Trojan-Spy.Win32.Delf.jq
NOD32v2 1.1566 05.30.2006 Win32/Spy.Delf.NBR
Panda 9.0.0.4 05.29.2006 Suspicious file
Sophos 4.05.0 05.30.2006 Troj/BeastPWS-C
Symantec 8.0 05.30.2006 Infostealer
Update:
Kaspersky Lab has also reported a fake Microsoft patch. They released an urgent update for Trojan-PSW.Win32.Sinowal.u. Sinowal is a family of password-stealing Trojans that steal usernames and passwords entered into forms in a web browser. It particularly targets certain banking domains and can also steal other locally stored passwords.
Sinowal has a special trick: when an infected user visits certain banking domains Sinowal inserts some of its own HTML code into the page. This is done to create a customized pop up which asks the user for personal info.
Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.
Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.
The email looks like this:
From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com]
Subject: Achtung! Wichtige Nachrichten von Microsoft Windows Update! (Attention! Important news from Microsoft Windows Update!)
Body, translated from the German original:
Dear Microsoft Windows XP users!
Yesterday unknown hackers deployed a new worm virus. Once it gets into the system, it sends itself to your mail address list, and all your contacts become infected. After infection the system starts to run unstably, and the computer "hangs" exactly one minute after the next boot.
To protect users of the Microsoft Windows XP system, our security specialists have developed an update for the system. You should open the file attached to the e-mail so that the system is updated and fully protected against the new worm.
Kind regards,
Windows Update
As you hopefully know, Microsoft never sends executables with its e-mails, so social engineering attempts like this can be spotted easily, at least in theory.
And don’t forget, if you got infected with Sinowal, even if you have cleaned your system you still have to change your passwords.
May 29, 2006 on 8:49 pm | In Trojan | No Comments
Found new fake codec - emcodec
Emcodec is a Trojan horse that drops and executes a copy of Trojan.Zlob-J, a backdoor Trojan that allows a remote attacker to perform various malicious actions on the compromised computer.
The Trojan is an installer for "eMediaCodec", supposedly a codec for Windows Media Player.
If you can't uninstall or remove it, post about your problem in the spyware removal forum.
April 7, 2006 on 11:16 pm | In Trojan | No Comments
How to remove Trojan Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A)
Last week Vundo was in second place in Sunbelt's top 10 spyware list:
Name / Detections / Share
DesktopScam 1,646 3%
Virtumonde 1,194 2%
Vcodec 915 2%
Hotbar 872 2%
SpyAxe 833 2%
WhenU.SaveNow 832 2%
Looking-For.Home Search Assist… 810 2%
EliteMedia 749 1%
NewDotNet 746 1%
CmdService 728 1%
Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A) is an adware program that downloads and displays popup advertisements. It also offers to install other potentially unwanted software.
Standard symptoms:
the computer runs slowly
popups from Adult Friend Finder
rogue anti-spyware has appeared on the system
If you have found Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A) on your computer, follow these steps. If you have problems with your computer and don't know why, read also
You can also use CounterSpy to remove Vundo automatically.
Download VundoFix and save the file to your desktop.
Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer. Click OK.
Turn your computer back on.
Now run HijackThis and click "Do a system scan only". Place a check next to the following entries (if they are still there):
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\system32\*****.dll
O20 - Winlogon Notify: ***** - C:\WINDOWS\system32\*****.dll
where ***** is a random name, but the same name in both entries.
Now close all browser and other windows except HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting
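The HijackThis entries quoted across these posts share a few mechanical patterns: a system.ini Shell= line that runs something besides Explorer.exe (the SDFix list), an O17 NameServer pointing at the DNSChanger servers, an O23 service with no known owner whose binary is not even an .exe (HackerDefender's .pif services), and Vundo's signature of an O20 Winlogon Notify DLL with the same random name as an O2 BHO. The following is an added example, not part of HijackThis or of any of the fix tools, that applies those checks to a log. The sample log is constructed from entries on this page plus a few benign ones; "ddcbyvw" stands in for Vundo's random DLL name, and TRUSTED_DNS is a placeholder for your own resolvers.

```python
"""Triage a HijackThis log for the entry patterns discussed in these posts."""
import re

RE_ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.*)$")
RE_O2 = re.compile(r"^BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RE_O17 = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")
RE_O20 = re.compile(r"^Winlogon Notify: \S+ - (?P<path>.*)$")
RE_O23 = re.compile(r"^Service: .*? \([^)]*\) - (?P<owner>.*?) - (?P<path>.*)$")

TRUSTED_DNS = {"192.168.1.1"}                          # assumption: your ISP/router resolvers
KNOWN_BAD_DNS = {"85.255.116.86", "85.255.112.157"}     # the two servers quoted in the DNSChanger post

# Constructed sample log; "ddcbyvw" is a made-up stand-in for Vundo's random name.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\pdfhelper.dll
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\system32\ddcbyvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157
O20 - Winlogon Notify: ddcbyvw - C:\WINDOWS\system32\ddcbyvw.dll
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINDOWS\system32\msdndr.pif
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
"""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str):
    """Return [(entry code, reason, offending line)] for suspicious entries."""
    findings, bho, notify = [], {}, {}
    for line in log_text.splitlines():
        m = RE_ENTRY.match(line.strip())
        if not m:
            continue
        code, rest = m["code"], m["rest"]
        if code == "F2" and "Shell=" in rest:
            tokens = rest.split("Shell=", 1)[1].split()
            # A clean entry is exactly "Shell=Explorer.exe"; anything more is a second program.
            if len(tokens) != 1 or tokens[0].lower() != "explorer.exe":
                findings.append((code, "system.ini Shell= runs something besides Explorer.exe", line))
        elif code == "O17" and (m17 := RE_O17.search(rest)):
            for ip in re.split(r"[,\s]+", m17["servers"].strip()):
                if ip in KNOWN_BAD_DNS:
                    findings.append((code, f"known DNSChanger name server {ip}", line))
                elif ip not in TRUSTED_DNS:
                    findings.append((code, f"unexpected name server {ip}", line))
        elif code == "O2" and (m2 := RE_O2.match(rest)):
            bho[basename(m2["path"])] = line
        elif code == "O20" and (m20 := RE_O20.match(rest)):
            notify[basename(m20["path"])] = line
        elif code == "O23" and (m23 := RE_O23.match(rest)):
            if m23["owner"] == "Unknown owner":
                why = "service with unknown owner"
                if not m23["path"].lower().endswith(".exe"):
                    why += " and a non-.exe binary"
                findings.append((code, why, line))
    # Vundo: the same random DLL registered as a BHO and as a Winlogon Notify handler.
    for dll in bho.keys() & notify.keys():
        findings.append(("O2/O20", f"{dll} registered as both BHO and Winlogon Notify (Vundo pattern)", notify[dll]))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

These are string-pattern checks on a text log, not detection of the malware itself: a HaxDoor O20 entry on its own, or a HackerDefender service that happens to use an .exe, passes through, which is why every O20 and "Unknown owner" O23 entry still deserves a manual look.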
April 2, 2006 on 8:45 am | In Trojan, Tutorials - "How to" | No Comments
Trojan horse keylogger steals end-user information for popular online games
Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code’s filename is main_n80.scr and was discovered on a site, which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.
The main_80.scr file is an SFX self-extracting executable that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When main_80.scr is executed, it uses download.exe to copy the extracted files to the system32 directory and runs its own version of rundll32.exe. That rundll32.exe displays error.jpg; once the user closes the .jpg, rundll32.exe executes the rest of the extracted .exe files.
These extracted .exe files modify the registry, as detailed below, to ensure they start on reboot, and check for the presence of the game Lineage.
* Modifies or creates files and stores in system32 directory
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.