Not sure if it's new or not, but I found it a pain to figure out how to remove, so I thought I would share my findings.
This infection will create popups to StopGuard, VIPFaires, and WinPopUpGuard.
Link to example log can be found here:
O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE
O4 - HKLM\..\RunOnce: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\TASKS\PLAY.EXE ren
Notice that it is now set to run in Safe Mode as well.
The javaad file seems to be the master exe that stays static through reboots. It constantly monitors its registry keys and will recreate them if they are missing. On exit, or randomly (not sure on this), it calls itself so the process launches again, and also calls the c:\windows\system32\hostx.exe file, which will reinstate its entry as well. If the hostx file does not exist, it will download on reboot and when you kill the process:
When hostx starts, it connects to www.virtumonde.com and does a POST to /. Not exactly sure what it is doing there, but maybe it's for statistics. If you delete the hostx.exe file, it will be recreated by the master .exe.
The play.exe has a random file name and is installed in a random location. I believe when it is first downloaded it will download as bkinst.exe. When it is run with the ren flag, the file will copy itself to a new location and change the RunOnce entry to point to the new file. If it sees that the master exe is missing, it will download a new one.
It will copy regshape.exe to a random name/location and introduce registry entries to start them. Because this file is in the registry with the ren argument, it will change its name/location every time you reboot.
With testing on my PC, I have found the easiest way to remove this infection is to use killbox to kill all four files and then reboot.
Steps to remove are:
- Download and run killbox
- Add the 4 files (2x O4, c:\windows\system32\hostx.exe, BHO) into killbox and set it to delete on reboot. Do not, though, let it reboot until all four files are queued for deletion on reboot.
- When all four files are added, let it reboot and then fix the HJT entries.
This is a self-help guide. Use at your own risk.
BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
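The O4 lines in the post above carry three tell-tale signs that can be checked mechanically: a value name prefixed with `*` (Windows runs such a RunOnce value even in Safe Mode, which is what the "Safe mode as well" remark refers to), an executable living in a directory such as C:\WINDOWS\APPPATCH or C:\WINDOWS\TASKS that normally holds no auto-started programs, and the `ren` / `rerun` switches that the poster describes as the self-copy and re-assert behaviour. The script below is an added example, not code from the post or from HijackThis: it parses O4 lines from a HijackThis log and reports which autostart entries match those signs, plus a cross-entry check for a RunOnce value that duplicates a Run value (the pattern JAVAAD shows). The sample log is constructed from the three lines in the post plus two benign entries; the list of odd directories and the switch names are assumptions taken from the post and can be extended.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the three O4 lines from the post plus two benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE
O4 - HKLM\..\RunOnce: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\TASKS\PLAY.EXE ren
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Split the command line into the executable path (first token ending in .exe,
# optionally quoted) and whatever arguments follow it.
CMD_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)

# Assumption from the post: these directories hold no legitimate autostarts.
ODD_DIRS = {r'c:\windows\apppatch', r'c:\windows\tasks'}
# Assumption from the post: switches used by the dropper to copy/re-assert itself.
SELF_RENAME_ARGS = {'ren', 'rerun'}


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    path: str
    args: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o4(line: str) -> Optional[Autostart]:
    """Return an Autostart for an O4 log line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cm = CMD_RE.match(m['cmd'])
    if cm:
        path, args = cm['path'], cm['args'].strip()
    else:  # no .exe in the command: keep it whole, no arguments
        path, args = m['cmd'], ''
    return Autostart(m['hive'], m['key'], m['name'], path, args)


def assess(entry: Autostart) -> None:
    """Attach a reason for each per-entry sign of the infection."""
    if entry.name.startswith('*'):
        entry.reasons.append('value name starts with * (RunOnce forced to run in Safe Mode too)')
    directory = ntpath.dirname(entry.path).lower()
    if directory in ODD_DIRS:
        entry.reasons.append(f'executable lives in {directory}, which holds no legitimate autostarts')
    if entry.args.lower() in SELF_RENAME_ARGS:
        entry.reasons.append(f'launched with "{entry.args}" switch (self-copy / re-assert behaviour)')


def analyze(log_text: str) -> List[Autostart]:
    """Parse every O4 line, assess each one, and add the Run/RunOnce duplicate check."""
    entries = [e for e in (parse_o4(l) for l in log_text.splitlines()) if e]
    run_paths = {e.path.lower() for e in entries if e.key == 'Run'}
    for e in entries:
        assess(e)
        if e.key == 'RunOnce' and e.path.lower() in run_paths:
            e.reasons.append('RunOnce re-asserts a program that is already in Run')
    return entries


if __name__ == '__main__':
    for e in analyze(SAMPLE_LOG):
        verdict = 'SUSPICIOUS' if e.suspicious else 'ok'
        print(f'{verdict:10} {e.hive}\\..\\{e.key} [{e.name}] {e.path} {e.args}'.rstrip())
        for r in e.reasons:
            print(f'             - {r}')
```

Run it against a real HijackThis log by passing the file contents to `analyze`; the `reasons` list is what you would paste into a removal post so the reader can see why each of the four files is being queued in killbox.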