d2jsp
d2jsp Forums > Off-Topic > General Chat > User Blogs > Malware Analyzing And Removing
Member
Posts: 6,192
Joined: Dec 13 2010
Gold: 6,669.99
Feb 24 2012 10:46am
Malware name: Trojan Banload
Newest version detection rate: 2/43
Detected by Malwarebytes: No
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]


Introduction:

Trojan Banload is malware that downloads various other malware and is used to steal passwords, usually for Facebook.
It also creates a fake browser resembling Internet Explorer, which then connects to a fake Facebook site.
Because the browser is fake, it says that the URL is www.facebook.com and has the exact same login screen as the real site, but if you enter your information in the login, it will be sent to the hacker.


Symptoms:

Opens a fake browser to facebook.com
Presence of the files/folders below.

Files created:

(Creates the folder C:\winsys if it doesn't exist already.)
C:\winsys\libeay32.dll
C:\winsys\secman.dll
C:\winsys\ssleay32.dll
C:\winsys\wmi.dll
C:\winsys\BROWN.exe
C:\winsys\facee.exe
C:\winsys\faces.exe
C:\winsys\hots.exe
C:\winsys\wmita.exe
C:\winsys\wmsan.exe
C:\winsys\wne.exe
C:\winsys\wsan.exe
C:\winsys\Msn.exe
C:\winsys\wb.exe
C:\winsys\iff.txt
C:\winsys\atualiza.txt


Running Processes:

C:\winsys\wmita.exe
C:\winsys\wmsan.exe
C:\winsys\Msn.exe
C:\winsys\facee.exe


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wmita.exe
{c:\winsys\wmita.exe}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\facee.exe
{c:\winsys\facee.exe}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msn.exe
{c:\winsys\msn.exe}


Removal:

Removal is quite simple.
For manual removal, press Ctrl+Alt+Delete and open the Task Manager.
Go to the Processes tab and end task on the processes mentioned above.
Note: if you have MSN installed, make sure you end task on the right one, or just end task on both to make sure.
If wmita keeps popping up with wmsan after you end task on it, right-click wmita.exe in the process list and click on End Process Tree.

After this, we will need to delete all the files created by this malware.
Open My computer and navigate to c:\winsys\
Delete every file in that folder and delete the folder itself.
Remember to empty the recycle bin after.

Then we will need to delete the registry keys.
Click on start - run and type regedit then press enter.
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Find the keys on the right called wmita.exe, facee.exe and msn.exe (make sure they all point into the winsys folder; you can check by double-clicking the keys).
Delete those keys by right-clicking them and selecting Delete.

It's always good to do a full anti-virus and anti-malware scan to make sure nothing else malicious has been installed on your computer.


Additional information:

When you type www.facebook.com in your normal browser (real IE, Firefox, Chrome, etc.), it will close the browser and open the fake one at the same time.
The fake browser also executes when that word is in a folder, file, website or pretty much anything containing the word facebook.
Mar 2 2012 10:11am
Malware name: Worm.Esfury-G
Newest version detection rate: 30/43
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]



Introduction:

This worm copies itself to removable drives and creates an autorun.inf on that drive.
It will also hide your files on your USB and make a shortcut to the malware on the USB with the same file name as those hidden.
In addition, this worm can send messages to your contact list on MSN (if you have it installed) with links to download a music player (which is actually the worm itself).
It also connects to multiple servers to download and execute arbitrary files.


Symptoms:

Unable to open files, getting the error "Another program is currently using this file".
Processes closing right after you've opened them.
Having more than one winlogon.exe in your Processes tab.
Internet not working properly.
Homepage/start page/etc. changed to malicious links.
Firewall, System Restore and Automatic Updates get disabled.
Command prompt, Task Manager, Registry Editor and many more programs disabled.
Modified hosts file.


Files created:

C:\Documents and Settings\Administrator\"random"\winlogon.exe
C:\Documents and Settings\Administrator\"random"\"random".exe
C:\Documents and Settings\Administrator\"random"\"random".exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\winlogon.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\winlogon.exe
C:\Documents and Settings\Administrator\Start Menu\winlogon.exe
C:\Documents and Settings\NetworkService\Winlogon.exe

(USB Drive):\Autorun.inf
(USB Drive):\"random"\"random".exe
(USB Drive):\"random"\Desktop.ini (makes it redirect to your Recycle Bin so you can't see the executable)
(USB Drive):\"file".lnk (shortcut to (USB Drive):\"random"\"random".exe)
Where "file" is any legitimate file that you placed on your USB.
Note that it will not delete anything on your USB; it only hides the files.
It also chooses a random icon for the file.lnk.

Creates multiple folders in %temp%\"random" and places many copies of the worm in them, they are usually named "


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"random"
{C:\Documents and Settings\Administrator\"random"\winlogon.exe}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"random"
{C:\Documents and Settings\Administrator\"random"\winlogon.exe}


Removal:

I was unable to find a way to remove this worm manually since it's so defensive, so we will need to download a few programs to remove it fully.
First, download gmer.exe here:
http://www.gmer.net/
Scroll down a bit and click on Download EXE.
Save the program on your desktop and open it.
(Note: if your browser keeps closing when visiting the web page, you'll probably need to download it on another computer, then use a USB drive to place it on the infected computer. If you do this, make sure you clean the USB drive afterwards by following the rest of the guide.)
You can also try downloading it from another link, like on downloads.com:
http://download.cnet.com/GMER/3000-8022_4-11921203.html

After you've executed GMER, click on the > > > tab, then on the Processes tab.
Find C:\Documents and Settings\Administrator\"random"\winlogon.exe (there should be 2 of them), click on each once, then click Kill Process.
Then click on the Files tab and find C:\Documents and Settings\Administrator\"random"\. Delete everything in that folder by clicking the files and clicking Delete.

After this, close GMER and open My Computer. Delete winlogon.exe in the following 4 places:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\winlogon.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\winlogon.exe
C:\Documents and Settings\Administrator\Start Menu\winlogon.exe
C:\Documents and Settings\NetworkService\Winlogon.exe

To remove the rest of the components and to enable everything that this malware disabled, do a quickscan with Malwarebytes Anti-Malware:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
When the scan is complete, click on Remove selected then restart your computer.

Now to clean your USB or removable devices, simply right-click the drive in My Computer and scan it with Malwarebytes or your anti-virus.
You can also delete the files manually, but first you'll need to do the following:
Click on Start - Control Panel - Folder Options - View tab - Show hidden files and folders, and uncheck Hide protected operating system files.
Then go to your removable device and delete the files mentioned above, including the .lnk files.


Additional information:

It can also detect what you've typed in search engines/the URL bar, and if it matches a list that the virus made, it will close the browser/application process.
For example, I tried to type Avast in Google and it closed my Firefox immediately.

I've tried many times to kill the process/delete the files manually, but it was near impossible.
Task Manager and regedit were disabled, and taskkill said the process couldn't be killed because it is a critical system process (because of its name, even if I tried to kill by PID).
It kept closing all the Properties windows, so I couldn't change the properties of the folders or enable regedit/Task Manager in gpedit.msc.
It also removed Folder Options from Control Panel and prevents access to it.
The worm also runs in Safe Mode, so you can't do anything in there either.
Mar 9 2012 02:42pm
Malware name: Windows Personal Doctor (rogue anti-virus)
Newest version detection rate: 10/43
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]


Introduction:

This rogue anti-virus, or fake anti-virus, like most rogue anti-virus programs, will force you to buy their product by displaying multiple error messages and fake detections of malware, and will block some programs, saying they've been infected.


Symptoms:

Unable to use your browser and some programs.
Constant error messages.
Cannot open, file has been infected by "xxx" errors.
Registry editor and task manager not working properly.


Files created:

C:\Documents and settings\Administrator\Application Data\Protector-ibg.exe


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector
{C:\Documents and Settings\Administrator\Application Data\Protector-ibg.exe}

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit
{0}

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"program"
Closes the task of that program and opens the rogue anti-virus instead.
There are about 700 keys hijacked; most of them are for anti-virus and anti-malware programs.


Removal:

The removal of this rogue anti-virus is very simple because of a big flaw in its design.
First, press ctrl+alt+delete and select task manager.
It will not open the default windows task manager, but a fake task manager from the fake anti-virus.
Here is a screenshot of what it should look like:



Scroll to the bottom and you'll see a process named Protector-ibg.exe. It will also give you the location of the file; take note of it.
Since the normal Task Manager has been hijacked, we will need to use the taskkill command in the command prompt.
1. Open the command prompt (Start - Run - type "cmd" without the quotes and press Enter).
2. Type in "Taskkill /F /IM Protector-ibg.exe" without the quotes and press Enter.

After ending the task, go to where the Protector-ibg.exe file was located; in my case it was C:\Documents and settings\Administrator\Application Data\Protector-ibg.exe
To view this folder, you'll need to go to Control Panel - Folder Options - View tab - Show hidden files and folders.
Right-click the file and delete it (make sure to empty the Recycle Bin afterwards).
Now the application won't block your browser, and you'll be able to download Malwarebytes Anti-Malware to fix the rest of the registry keys and remove the rest of the files. Download it here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Install and update it, then click on Quick scan.
The scan should take a few minutes and it should detect around 700 threats, but don't be alarmed, most of them are infected registry keys.
Click on Fix selected items and it should take a few minutes to fix all the infected registry items, then simply restart your computer once it asks you to.


Tips:

You should never buy a registration code or activate their product with your credit card. That program is designed to scam you out of your money and to potentially steal your credit card information.
Even if you bought a registration code, the program will still stay on your computer and block your browser/applications, and the scanner will detect nothing.
Mar 24 2012 08:35am
Malware name: Trojan Virut
Newest version detection rate: 22/43
Detected by Malwarebytes: No
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]



Introduction:

This virus is a botnet that's extremely hard to remove since it hides itself extremely well from anti-viruses with rootkit and polymorphism techniques.
It also infects all .exe and .scr files, including the ones in your Windows, System32 and dllcache folders.
It hooks multiple functions in ntdll.dll, which transfers control to the virus every time any of those functions is called.
The functions include NtCreateFile, NtCreateProcess, NtCreateProcessEx, NtOpenFile and NtQueryInformationProcess. (ty Avast for this information)
Some variants can download other malware or infect your USB devices by placing an autorun.inf and a hidden executable.
There are some malfunctioning versions of this virus which can corrupt your files while infecting them, which can make your computer unable to boot. (You'll need to reformat in this case.)


Symptoms:

Many programs give error code 0x00000005 when opened (in the first few minutes after the virus executed).
Multiple other error codes when first executing the virus; this is caused by the buggy injection code.
BSOD when trying to start in Safe Mode, with error 0x0000007B.
Unable to visit anti-virus sites and many other security sites.
Anti-viruses and anti-malware programs not working properly.


Files created:

%temp%\"random".exe (deleted immediately after executing)
C:\windows\"random"\"random" (used to keep track of/delete the original executable) (it does not create a folder; it simply creates the file in any folder in the Windows directory)
C:\windows\System32\drivers\"random".sys

Some variant:
USBdevice:\autorun.inf
USBdevice:\"computer name"\"computer name"\"computer name".exe
USBdevice:\"computer name"\"computer name"\desktop.ini (used to hide the folder and show it as a Recycle Bin; it redirects to the Recycle Bin if you try to enter the folder)


Registry key created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"random" (this key is deleted after the first reboot)
{%temp%\cetrdedva.exe}

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\"random"
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\"random"


Services created:

"random" (runs "random".sys)
Mine was hsclvua (runs jnoaate.sys in the C:\windows\System32\drivers folder)


Removal:

As previously said, this virus is extremely hard to remove with normal anti-virus or anti-malware programs.
This virus can usually corrupt all your .exe files and make them incurable because of some faulty coding, so even specialized removal programs can't remove it or cure the files.

Kaspersky created a removal tool for this virus called VirutKiller.
Download VirutKiller here:
http://support.kaspersky.com/viruses/solutions?qid=208280756
Note: this trojan will block access to the Kaspersky website, so you will need to download it on another computer and use a USB key to transfer it to the infected computer.
While it scans, do not open any programs and wait for it to finish then restart your computer.

If it does not remove it, you may also try the following programs:
Dr.Web CureIt! can help remove this virus:
http://www.freedrweb.com/cureit/?lng=en
Open the program and run the scan.
It should tell you that XXXXX.exe is infected with Virut and will ask you to cure it; click on Yes to all.
Let the scan finish then restart your computer.

If that doesn't detect anything, try the following other programs:
AVG's Virut remover:
http://free.avg.com/ca-en/virus-removal
Once again, you might need to download it on another computer, then put it on a USB key and transfer it to the infected computer.
It should be the first program on that page.
Run the scan and reboot your computer once it's finished.

Next, try Symantec's Virut removal tool here:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-022016-4444-99
Click on Download removal tool.
You'll need to run this program in Safe Mode; to do this, restart your computer and press F8 before Windows boots, then use the arrow keys to select Safe Mode.
Run the scan, let it finish, then restart your computer.

For me, none of the programs above removed it completely; Avast still detected all of my .exe files as infected but couldn't cure them.
If this is the case, it would probably be best to backup all of your files (excluding your executable .exe and .scr files) and do a complete reformat of your computer.


Tips:

To stop it from blocking some websites, you'll need to delete the malicious services.
To do this, you'll need to search the Registry Editor (Start - cmd - type regedit) for the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\"random"
With the following subkeys:
Code
"ImagePath"=hex(2):System32\drivers\"random".sys
"Start"=dword:00000000
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"jljjt"="\\??\\C:\\WINDOWS\\"random\\"random""
"hcbi"="C:\\WINDOWS"
"gawuvm"=dword:00006aca
"Group"="System Reserved"


Another way of finding this service is to download TDSSKiller by Kaspersky (download it on another computer and transfer it to the infected computer).
Open the program, click on Change parameters, check all of the boxes, then click on Start scan.
It should detect one unsigned file; it has the same name as the key in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.
Once you find the key, it should show which driver it uses on the right side; you can find it in C:\windows\system32\drivers.
Delete the driver and delete the registry key by right-clicking it and clicking Delete.
Or you can click on Cure after the scan with TDSSKiller and restart your computer.


If you get a Blue Screen of Death every time you try to boot in Safe Mode, it's caused by a missing/deleted registry key (SafeBoot).
To fix this do the following:
Download Sality_RegKeys.zip on this page (scroll down a bit)
http://support.kaspersky.com/faq/?qid=208279889
There should be 5 registry files (.reg); choose the one corresponding to your operating system, double-click it, then press OK on the warning message.


Since this is a botnet, it usually steals passwords and credit card information; make sure to change them on a non-infected computer.
Also, if you successfully remove the virus, make sure to do a full scan with an anti-virus and anti-malware program to make sure it didn't download anything else malicious.
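As an added example (not code from the post above), a Python script that reads a .reg export of the Services key in the format shown under Tips and flags keys shaped like the Virut driver service: a boot-start kernel driver (Type 1, Start 0) loaded from System32\drivers whose key also carries value names no ordinary service has. The export text is constructed with the hsclvua/jnoaate.sys names from the post; the allowlist of normal value names and the C:\WINDOWS\Help path are assumptions.

```python
"""Added example, not code from the original post: parse a .reg export of the
Services key and flag keys shaped like the Virut driver service described above.
The export text below is constructed; on a real machine it would come from
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
"""
import re

# Value names a normal service key carries (assumed allowlist); anything else in a
# driver's key is worth a look: the post's key carried "jljjt", "hcbi" and "gawuvm".
KNOWN_VALUE_NAMES = {
    "imagepath", "start", "type", "errorcontrol", "group", "tag", "displayname",
    "description", "dependonservice", "dependongroup", "objectname", "wow64",
    "failureactions", "servicesidtype", "requiredprivileges", "delayedautostart",
}
SERVICE_KERNEL_DRIVER = 0x1   # "Type" value of a kernel driver
SERVICE_BOOT_START = 0x0      # "Start" value of a boot-start driver


def _decode_value(raw: str):
    """Turn the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"'):                                   # REG_SZ, backslash-escaped
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                              # REG_DWORD, hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)             # hex, hex(2), hex(7), ...
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):                          # REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for a 'Windows Registry Editor
    Version 5.00' export. Long hex values wrap onto lines ending in a backslash."""
    text = re.sub(r"\\\r?\n\s*", "", text)                    # rejoin wrapped lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):       # new key
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) else m.group(2)
        keys[current][name] = _decode_value(m.group(3))
    return keys


def suspicious_drivers(keys: dict, services_root: str) -> list:
    """Keys directly under services_root that are boot-start kernel drivers
    from System32\\drivers and carry value names outside the allowlist."""
    prefix = services_root.rstrip("\\").lower() + "\\"
    findings = []
    for path, values in keys.items():
        rest = path[len(prefix):]
        if not path.lower().startswith(prefix) or "\\" in rest:
            continue                                          # skip sub-keys (Parameters, Enum)
        image = str(values.get("ImagePath", ""))
        unknown = sorted(n for n in values if n.lower() not in KNOWN_VALUE_NAMES)
        if (values.get("Type") == SERVICE_KERNEL_DRIVER
                and values.get("Start") == SERVICE_BOOT_START
                and "system32\\drivers\\" in image.lower()
                and unknown):
            findings.append({"service": rest, "image": image, "unknown_values": unknown})
    return findings


def _hex2(s: str) -> str:
    """Encode a string as regedit writes REG_EXPAND_SZ: hex(2):xx,xx,... wrapped."""
    pairs = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    chunks = [",".join(pairs[i:i + 20]) for i in range(0, len(pairs), 20)]
    return "hex(2):" + ",\\\n  ".join(chunks)


SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Constructed export: one ordinary driver plus the Virut-style key from the post
# (service hsclvua, driver jnoaate.sys; the Help folder path is made up).
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{SERVICES}\\Beep]",
    '"ImagePath"=' + _hex2(r"system32\drivers\beep.sys"),
    '"Type"=dword:00000001',
    '"Start"=dword:00000001',
    '"DisplayName"="Beep"',
    "",
    f"[{SERVICES}\\hsclvua]",
    '"ImagePath"=' + _hex2(r"System32\drivers\jnoaate.sys"),
    '"Start"=dword:00000000',
    '"Type"=dword:00000001',
    '"ErrorControl"=dword:00000001',
    r'"jljjt"="\\??\\C:\\WINDOWS\\Help\\jnoaate"',
    r'"hcbi"="C:\\WINDOWS"',
    '"gawuvm"=dword:00006aca',
    '"Group"="System Reserved"',
    "",
])
```

Running `suspicious_drivers(parse_reg(SAMPLE_REG), SERVICES)` reports only hsclvua, with jljjt, hcbi and gawuvm as the odd value names.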
Apr 4 2012 01:44pm
Malware name: Worm Dorkbot
Newest version detection rate: 14/43
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]


Introduction:

This worm spreads using USB devices connected to the infected computer.
It can also send itself to your contacts on instant messengers like MSN, mIRC, etc.
It creates a backdoor to an IRC server from which the hacker can execute a list of commands.
These commands may include modifying system files, stealing passwords, infecting remote FTP websites with iframes, downloading other malware and a lot more.


Symptoms:

Recycle bin folder on your USB
Unable to connect to some websites (mostly anti-virus sites)


Files created:

C:\Documents and Settings\Administrator\Application Data\"random".exe (Hidden rootkit)

"Drive":\Recycler\470a1245.exe "hidden"
"Drive":\Recycler\desktop.ini (to show the folder as the Recycle Bin and to redirect you there if you open it)
"Drive":\Recycler.lnk (shortcut with a command line that opens the .exe on the USB and opens the Recycle Bin to disguise it)
Where "Drive" is the location of your usb device.


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"random" (Hidden rootkit)
{C:\Documents and Settings\Administrator\Application Data\"random".exe}

All the "random" are the same name, including the file. Mine was Yagygw.


Removal:

This worm hides most of its files and registry keys with hook functions, so we will need programs to remove them.

Method #1
First, download gmer.exe here:
http://www.gmer.net/
Click on Download EXE, then open the program; it should do a quick scan automatically. Wait till it's finished, then click on the > > > tab.
Then click on the Files tab and double-click on C:\Documents and Settings\"user"\Application Data\, where "user" is your username.
There should be a red file; click it, then click on Delete in the top right corner of GMER.

After this, restart your computer. (The worm will still be in memory if you don't restart, and you won't be able to see the registry key.)
Click on Start - Run and type "regedit" without the quotes.
Double-click on HKEY_CURRENT_USER, then Software\Microsoft\Windows\CurrentVersion\Run.
On the right side, there should be a key with the same name as the file that you deleted with GMER. Right-click the key and select Delete.

To clean your USB if you had one connected, simply go to Start - Control Panel - Folder Options - View - Show hidden files and folders.
Then open your USB and delete both the Recycler folder and the Recycler shortcut.


Method #2 (quicker but it might not remove everything)
You can also download Malwarebytes to remove this worm.
You'll need to download it here, since the main Malwarebytes site will be blocked by the worm:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Make sure to run a full scan so it also deletes the malicious files on your USB device.

It's recommended to do a full anti-virus scan after this infection since it may download other malware on your computer.


Extra information:

When the worm is active on your computer, it will hide every file or registry key from windows explorer/regedit with the same name as itself.
For example, the name of the executable when I tested it was Yagygw.exe; if I make a legitimate file with the same name on my desktop, it would be hidden from Windows Explorer and most programs.

After executing, it injects itself into most processes, so even after deleting the file, it will still hide the registry key, block the sites, etc.
You'll need to restart your computer after deleting the file to fix this.

To view the content of the Recycler folder on the USB (not recommended), you can open the command prompt and type "del "USBDrive":\recycler\desktop.ini" without the quotes, then press Enter.
The desktop.ini is the same as the one in your C:\recycler folder.
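As an added example (not from the posts), a Python check for the USB hiding pattern that both the Esfury and Dorkbot posts describe: an autorun.inf, a folder disguised as the Recycle Bin through desktop.ini, hidden executables, and visible .lnk decoys named after the files that were hidden. The listing, its attribute flags and the E:\xk2q names are constructed for the example; the Recycle Bin CLSID is the real shell value.

```python
"""Added example, not code from the original posts: flag the USB-drive hiding
pattern the Esfury and Dorkbot posts describe, given a listing of the drive.
The listing is constructed; on a real drive it would come from os.scandir()
and each entry's FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM bits.
"""
from dataclasses import dataclass
from typing import Optional

# CLSID the Windows shell uses for the Recycle Bin: a desktop.ini naming it makes
# Explorer draw an ordinary folder as the Recycle Bin, which is how both worms hide theirs.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".vbs")


@dataclass
class Entry:
    path: str                    # full path on the removable drive
    hidden: bool                 # FILE_ATTRIBUTE_HIDDEN set
    system: bool                 # FILE_ATTRIBUTE_SYSTEM set
    text: Optional[str] = None   # file contents, only read for autorun.inf / desktop.ini


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _parent(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def find_usb_hiding(listing) -> dict:
    """Return the indicators found on the drive: autorun.inf files, folders
    disguised as the Recycle Bin, hidden executables, and visible .lnk decoys
    named after files that were hidden."""
    # names of hidden files, so each .lnk can be matched against them
    hidden = {_name(e.path): e.path for e in listing
              if e.hidden and _name(e.path) != "desktop.ini"}
    report = {"autorun": [], "fake_recycle_bins": [], "hidden_executables": [], "decoy_links": []}
    for e in listing:
        name = _name(e.path)
        if name == "autorun.inf":
            report["autorun"].append(e.path)
        elif name == "desktop.ini" and e.text and RECYCLE_BIN_CLSID.lower() in e.text.lower():
            report["fake_recycle_bins"].append(_parent(e.path))
        elif e.hidden and name.endswith(EXEC_EXT):
            report["hidden_executables"].append(e.path)
        elif name.endswith(".lnk") and not e.hidden:
            stem = name[:-4]                       # "holiday.jpg.lnk" -> "holiday.jpg"
            # the worm names the shortcut after the hidden file, with or without its
            # original extension, so accept either spelling
            for cand, path in hidden.items():
                if cand == stem or cand.rsplit(".", 1)[0] == stem:
                    report["decoy_links"].append((e.path, path))
                    break
    return report


# Constructed listing of an infected drive E: (the xk2q names stand in for the
# random names both posts mention).
SAMPLE_LISTING = [
    Entry("E:\\autorun.inf", True, True, "[autorun]\r\n"),
    Entry("E:\\xk2q\\xk2q.exe", True, True),
    Entry("E:\\xk2q\\desktop.ini", True, True,
          "[.ShellClassInfo]\r\nCLSID=" + RECYCLE_BIN_CLSID + "\r\n"),
    Entry("E:\\holiday.jpg", True, False),        # the user's file, now hidden
    Entry("E:\\holiday.lnk", False, False),       # decoy the worm left in its place
    Entry("E:\\thesis.docx", True, False),
    Entry("E:\\thesis.docx.lnk", False, False),
    Entry("E:\\readme.txt", False, False),        # untouched file
    Entry("E:\\notes.lnk", False, False),         # ordinary shortcut with no hidden twin
]

if __name__ == "__main__":
    for kind, items in find_usb_hiding(SAMPLE_LISTING).items():
        print(kind, items)
```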
Apr 15 2012 01:35pm
Malware name: Backdoor:Win32/Fynloski.A / Backdoor.Bancodor
Newest version detection rate: 36/43
Detected by Malwarebytes: Yes
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]


Introduction:

This malware is a backdoor that connects to a remote host, from which the hacker can perform many functions on your computer.
The most common functions include downloading and executing files, recording keystrokes and stealing passwords from common applications or games.


Symptoms:

Having 2 explorer.exe processes open.
Mouse or keyboard being controlled by someone else.
Different background on desktop.


Files created:

C:\Windupdt\winupdate.exe


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winupdater
{C:\Windupdt\winupdate.exe}


Registry key modified:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Original: {userinit.exe,}
Modified: {userinit.exe,C:\Windupdt\winupdate.exe}


Process created:

C:\windows\Explorer.exe (used for the backdoor)


Removal:

The removal is quite simple.
Click on start - control panel - folder options - view tab - show hidden files and folders.
Open My Computer and locate C:\Windupdt\winupdate.exe. Right-click and delete the file.
You may also delete the folder (Windupdt) if nothing else is in it.

Then we will need to delete the registry key.
Click on start - run - type "regedit" without the quotes and press enter.
Double-click on HKEY_CURRENT_USER, then on Software, Microsoft, Windows, CurrentVersion, Run; then on the right side, search for winupdater.
Right-click and delete this registry key.

Then we will edit the modified registry key.
Again in the Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
On the right side, double-click on Userinit and delete the text "C:\Windupdt\winupdate.exe" (leave "userinit.exe,").
Then press OK.

Now we will need to end task on the process (the backdoor explorer.exe).
Simply press Ctrl+Alt+Delete and open Task Manager.
Go to the Processes tab and end task on explorer.exe (usually the malicious one is the one with less memory usage).
You can end task on both just to make sure, then click on File - New Task (Run...) and type explorer.exe.


Additional information:

This backdoor can download other malware on your computer so it's always good to do a full scan with an anti-virus and anti-malware program.
May 6 2012 08:31am
Malware name: Backdoor.Win32.Ceckno.cmz
Newest version detection rate: 6/42
Detected by Malwarebytes: No
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]



Introduction:

This malware is a rootkit designed to download other malware.
It usually gets installed by a trojan program that can also place adware and spyware on your computer.


Symptoms:

Computer staying at the blue Welcome screen after reboot


Files created:

C:\Windows\System32\svch0st.exe
C:\Windows\System32\Drivers\BFDDOS.Sys
C:\Documents and settings\Administrator\Application Data\Y.exe (backdoor dropper)


Registry key created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Run\(Default)
{%SystemRoot%\svch0st.exe}


Removal:

The removal is quite simple.
First, open My Computer, go to C:\Windows\System32 and delete the file named svch0st.exe (make sure it's a zero).
Then go to C:\Windows\System32\Drivers, locate BFDDOS.SYS and delete it as well (it may also be named gthook.sys).

Next, click on start - run and type "regedit" without the quotes then press enter.
Double-click on HKEY_LOCAL_MACHINE, then Software\Microsoft\Windows\CurrentVersion\Policies\Run.
Now on the right side, there should be a key named (Default); double-click it, delete the text in the value data, then press OK.

You might also need to do a scan with an anti-virus and anti-malware program since this is a trojan downloader.


Tips:

If your computer is staying at the blue Welcome screen, you can boot into Safe Mode by pressing the F8 key before Windows boots up and using the arrow keys to select Safe Mode.
Then try the removal guide above.
May 14 2012 02:31pm
Malware name: Trojan.Win32.Jorik.IRCbot.kqc
Newest version detection rate: 9/43
Detected by Malwarebytes: No
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]


Introduction:

This malware connects to an IRC server, from which the hacker can execute a list of commands on your computer, like downloading other malware or stealing your passwords.
IRC bots, like this one, are usually installed on your computer by exploits or trojan downloaders.


Symptoms:

None


Files created:

%temp%\t7f17ib.exe (trojan dropper)
C:\Windows\Rundll32.exe
C:\Documents and Settings\LocalService\Application Data\Microsoft\1


Registry key created:

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Host Process

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Windows Host Process

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Host Process


Services created:

Windows Host Process (stopped)


Removal:

Few anti-virus and anti-malware programs can actually detect this malware at this time. This is why I'll only post the manual removal.

First, we need to kill the process. Press Ctrl+Alt+Delete and open Task Manager.
Go to the Processes tab and end task on rundll32.exe.
If there is more than one rundll32.exe and you want to make sure you end task on the correct one, you can download Process Explorer here:
http://technet.microsoft.com/en-us/sysinternals/bb896653
It's the same thing as Task Manager. To find the malicious rundll32.exe, hover your mouse over them and it should say that the path is C:\Windows\rundll32.exe. Right-click it and select Kill Process.

Then, we will need to delete the files.
Click on Start - Control Panel - Folder Options - View tab - check Show hidden files and folders.
Then open My Computer, go to C:\Windows and find the file called rundll32.exe (make sure it's in C:\Windows and not the System32 folder), then delete it.
Next, go to C:\Documents and Settings\LocalService\Application Data\Microsoft\ and find the file named 1 (the file shouldn't have an extension) and delete it.
Again in My Computer, type %temp% in the location bar and delete the file named t7f17ib.exe (the name can vary).

Next, we will need to delete the service.
Click on start - run - type "regedit" without the quotes and press enter.
Double-click on HKEY_LOCAL_MACHINE, then System\ControlSet001\Services, and delete the key called "Windows Host Process" by right-clicking it and selecting Delete.
The other 2 registry keys will delete themselves automatically after doing this.

It's recommended to do a full scan with an anti-virus and anti-malware program in case it downloaded other malware on your computer.


Additional information:

C:\Documents and Settings\LocalService\Application Data\Microsoft\1 is only a backup for rundll32.exe. The service copies the file to C:\Windows if it's deleted/modified when starting your computer.

The service (Windows Host Process) says that it's stopped, but it will still do its job properly; this is why you need to remove it.
That service will make sure rundll32.exe runs every time you restart your computer and will replace the file if it ever gets deleted/modified.
Jun 7 2012 08:18am
Malware name: Bagle worm \ Worm:Win32/Bagle.Gen!C (microsoft)
Newest version detection rate: 33/42
Detected by Malwarebytes: yes
Difficulty of removal once installed: [bar graphic, value not recoverable from the page]


Introduction:

This malware has evolved into a botnet that will also download and install multiple other malware on your computer and will mail the worm to your email contact list.
It will execute one of the programs in the shared folder that it created in Application Data. That program is a rootkit that will hide all of the files/registry keys/services of this worm.
It also compares strings in all programs against a list. If a program that you opened contains a string from that list, it will either close the program, crash it or give errors which result in the program not being able to start.
Most of the words in the list are anti-virus and anti-malware programs or sites.
Because of this, it will also disable most anti-virus programs.
This makes the removal of this malware pretty hard.


Symptoms:

Slow internet connection
Lag spikes
Applications (usually anti-viruses) closing or can't start.
A weird program opening and saying "Error: CPU has encountered an illegal instruction"
Computer randomly restarting
Disabled anti-viruses and services
BSOD when accessing safemode.


Files created:

All the files below are hidden by the rootkit.
C:\Documents and settings\Administrator\Application data\M\flec006.exe - trojan downloader
C:\Documents and settings\Administrator\Application data\M\list.oct
C:\Documents and settings\Administrator\Application data\M\data.oct
C:\Documents and settings\Administrator\Application data\M\hldrrr.exe
C:\Documents and settings\Administrator\Application data\M\srvlist.oct
C:\Documents and settings\Administrator\Application data\shared - Contains multiple malicious files (187 Mb) downloaded from flec006.exe
C:\Documents and settings\Administrator\Application data\drivers\downld\ - contains around 100 randomly named executables.
C:\Documents and settings\Administrator\Application data\drivers\winupgro.exe
C:\windows\System32\wfsintwq.sys
C:\windows\System32\srosa2.sys


Process created:

Winupgro.exe (Hidden rootkit)


Registry key created:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\srosaJ (Hidden rootkit)
HKEY_LOCAL_MACHINE\System\Controlset003\Enum\Root\SystemJ (Hidden rootkit)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run\flec006 (Hidden rootkit)
{C:\Documents and settings\Administrator\Application data\M\flec006.exe}


Services created:

srosa (Hidden rootkit)


Removal:

There are only a few anti-malware programs that won't get terminated by this worm. The one that I found that worked the best is combofix.

To remove this worm with combofix, download the program here:
http://download.cnet.com/Combofix/3000-8022_4-75221073.html
Before opening the program, you must rename it to something random or else it will give you an error saying that it's not a valid win32 application.
You also need to disable all anti-viruses and close any other program on your computer like your browser.
The scan should take 10-20 minutes and it should restart your computer.
Once it's done, it should have created a log file of everything that it deleted. You can compare with the files/registry keys above to see if it removed it all.
You can also do a scan with your anti-virus/anti-malware once combofix has completed because it will remove the malicious process that prevented you from opening your programs.
A good free anti-malware is Malwarebytes Anti-malware that you can download here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
The quick scan will remove all the remaining files if there are any.


Additional information:

Even if you rename, let's say, Malwarebytes Anti-malware to another name like 123.exe, the Bagle worm will still terminate the process when you open the program. I still haven't found a way to get around this; it's probably not possible.
Jul 1 2012 08:27am
Malware name: Live Security Platinum (Rogue anti-virus)
Newest version detection rate: 4/42
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll


Introduction:

This malware is a fake anti-virus which displays numerous fake error messages saying that your computer is infected with malware.
The main function of this malware is to force or scare the user into buying a registration code for the fake anti-virus with their credit card.
This fake anti-virus is usually installed by the Blackhole exploit kit. To avoid getting it, make sure your browser/add-ons and anti-virus program are up to date.


Symptoms:

Unable to open any program.
Anti-virus or anti-malware not working properly.
Message saying all sites are harmful to your computer when browsing on internet explorer.
Constant pop-up warning that your computer is infected by malware like these ones:



Files created:

C:\Documents and settings\All User\Administrator\"random"\"random".exe
C:\Documents and settings\All User\Administrator\"random"\"random" (no file extension)
C:\Documents and settings\Administrator\Desktop\Live Security Platinum.lnk (Shortcut file)


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"random"
{C:\Documents and settings\All User\Administrator\"random"\"random".exe}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum
(yes, it has an uninstall feature in add/remove programs, but if you try to uninstall it in the add/remove program, it will just start the fake anti-virus and not uninstall it)


Removal:

Since this fake anti-virus doesn't block processes named Explorer.exe or Iexplorer.exe, the removal is quite simple.
First, open My Computer and go in C:\Windows\System32\ and locate the file named Taskmgr.exe
Make a copy of it on your desktop and rename it Iexplore.exe then open it.
Click on the process tab and end task to the weird process name (mine was 529C53F6512C2CDD5FD646952830AC72.exe)

Next, with the process ended, you may either download Malwarebytes anti-malware with your browser here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
And do the quickscan which will remove all the infected files and registry keys.

Or, remove the files/registry keys manually by doing the following:
Open My Computer and go to C:\Documents and settings\All User\Administrator\"random"\ and delete all the malicious files mentioned above and the folder itself.
You may also delete the shortcut created on your desktop, simply rightclick it and select delete.
Next, click on start - run - type "regedit" without the quotes and press enter.
Double-click on HKEY_CURRENT_USER then Software\Microsoft\Windows\CurrentVersion\RunOnce\
Right-click and delete the key with the random numbers/letters
Do the same for HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum


Extra information:

It's also possible to enter an activation code to disable the error messages but this isn't enough to remove this rogue, it may still block applications.

Buying a registration code may result in your credit card being stolen and used by criminals.
If you have done this, contact your credit card company as soon as possible.
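The Bagle and Live Security Platinum posts above both boil down to a handful of indicators a defender can check for: fixed file paths, a Run value and a service name for Bagle, and a Run/RunOnce entry whose target has a 32-hex-character "random" name (the post's sample is 529C53F6512C2CDD5FD646952830AC72.exe) for the rogue anti-virus. The script below is an added example, not code from the poster or from any tool he mentions. It turns those two posts into checks that run over an exported autorun list, a file listing and a service list; the sample entries embedded in it are constructed for illustration, and on a real machine you would feed it the output of a registry export or an Autoruns CSV instead. The "documents and settings" profile check and the hex-name length are assumptions drawn only from the paths shown in the posts.

```python
import re
from dataclasses import dataclass

# Indicators copied from the Bagle worm post above (normalised to lower case).
BAGLE_FILES = {
    r"c:\documents and settings\administrator\application data\m\flec006.exe",
    r"c:\documents and settings\administrator\application data\m\hldrrr.exe",
    r"c:\documents and settings\administrator\application data\drivers\winupgro.exe",
    r"c:\windows\system32\wfsintwq.sys",
    r"c:\windows\system32\srosa2.sys",
}
BAGLE_RUN_NAMES = {"flec006"}
BAGLE_SERVICES = {"srosa"}

# The rogue anti-virus post names its files "random"; the one concrete sample on the
# page is 529C53F6512C2CDD5FD646952830AC72.exe, i.e. 32 hex characters (assumption:
# we treat any 32-hex-char .exe under a user profile as that pattern).
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.exe$", re.IGNORECASE)
ASEP_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass
class AutorunEntry:
    key: str   # registry key, e.g. HKEY_CURRENT_USER\...\RunOnce
    name: str  # value name
    data: str  # value data (command line / path)


def normalise(path: str) -> str:
    """Lower-case, strip quotes and unify slashes so comparisons are exact."""
    return path.strip().strip('"').replace("/", "\\").lower()


def basename(path: str) -> str:
    return normalise(path).rsplit("\\", 1)[-1]


def check_autorun(entry: AutorunEntry) -> list:
    """Return the reasons (if any) an autorun entry matches one of the two posts."""
    reasons = []
    target = normalise(entry.data)
    key = entry.key.lower()
    if entry.name.lower() in BAGLE_RUN_NAMES or target in BAGLE_FILES:
        reasons.append("matches a Bagle indicator from the post")
    if (key.endswith(ASEP_KEYS) and HEX_NAME.match(basename(target))
            and "\\documents and settings\\" in target):
        reasons.append("Run/RunOnce target with a 32-hex-character name under a user "
                       "profile (Live Security Platinum pattern)")
    return reasons


def check_files(paths) -> list:
    """Paths from a directory listing that match the Bagle file indicators."""
    return [p for p in paths if normalise(p) in BAGLE_FILES]


def check_services(names) -> list:
    """Service names that match the Bagle service indicator."""
    return [s for s in names if s.lower() in BAGLE_SERVICES]


# Constructed sample data: one Bagle entry, one rogue-AV entry, one benign entry.
SAMPLE_AUTORUNS = [
    AutorunEntry(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                 "flec006",
                 r"C:\Documents and settings\Administrator\Application data\M\flec006.exe"),
    AutorunEntry(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                 "529C53F6512C2CDD5FD646952830AC72",
                 r"C:\Documents and settings\All User\Administrator"
                 r"\529C53F6512C2CDD5FD646952830AC72\529C53F6512C2CDD5FD646952830AC72.exe"),
    AutorunEntry(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
                 "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\srosa2.sys",
    r"C:\WINDOWS\System32\ntoskrnl.exe",
]
SAMPLE_SERVICES = ["Dhcp", "srosa", "Spooler"]


def report(autoruns=SAMPLE_AUTORUNS, files=SAMPLE_FILES, services=SAMPLE_SERVICES) -> list:
    """Collect every finding as (what, reason) tuples, suitable for printing or a SIEM."""
    findings = []
    for e in autoruns:
        for why in check_autorun(e):
            findings.append((f"{e.key}\\{e.name} -> {e.data}", why))
    findings += [(f, "matches a Bagle file indicator") for f in check_files(files)]
    findings += [(s, "matches a Bagle service indicator") for s in check_services(services)]
    return findings


if __name__ == "__main__":
    for what, why in report():
        print(f"[!] {why}\n    {what}")
```

The exact-match sets are only as good as the paths in the posts, so they will miss a variant that moves its files; the hex-name heuristic is the more durable of the two checks, because the rogue's file and folder names change per install while their shape does not.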