Users are advised to seek help in our Countermeasures Extraction Forum. There you can post your HijackThis! log file for me to review.

I cannot beheld responsible for users who fix things on their own and subsequently develop problems afterwards. Be sure you have the specific infection before trying a fix, the wrong fix on the wrong infection can cause a multitude of problems. Symptoms vary from infection to infection, variant to variant.

IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been update, it installs files with semi-random filenames, composed from fragment words: one, ssva, uno, nas, p, k, ek, ad, us

Files could look like: unopus.dll...

Zlob fake codec has been update. It drops the following file:

%SYSTEM%\zfaiqwr.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b0fdc513-46b9-46fc-8e70-d575ee546dae}"="frowardness "

It also installs Toolbar, BHO, VirusHeat Rogue software...

New set of SSH Zlob Trojan Family’s Component sites

Scam Internet Security Page:
Site Name: Safehomesite.com
IP Address: 85.255.116.211

404Errorpage Scam:
Site Name: Dns404rule.com
IP Address: 85.255.118.245

Security Guide Scam Page:
Site Name: Secureprior.com
IP Address: 85.255.118.212

Reference pages:
http://www.secureprior (dot) com/soft/?c=317378
http://www.secureprior (dot) com/test/?c=017370

Ad-Server-Gate Pages:
Site Name: Gateiv.com
IP Address: 85.255.118.213

Site Name: Gateaq.com
IP Address: 85.255.118.212

The Ad-Server-Gate pages redirects to fake Security center site Protectalerts.com which promotes Rogue security applications.

Site Name: Protectalerts.com
IP Address: 85.255.118.214

Also the following site is used in Zlob tool bar to redirect users to malicious domains.

Site Name: Toolbarusage.com
IP Address: 85.255.118.34

Zlob Trojan Distributing sites:

Site Name: Flwplayer.com
IP Address: 85.255.120.110

Site Name: Swfcompressor.com
IP Address: 85.255.118.181

DNS Changer Trojan Distributing sites:

Site Name: Demoticket.net
IP Address: 64.28.184.168

Trojan-Downloader Distributing sites:

Site Name: Onlinevideosoftex.com
IP Address: 78.129.158.225

All the above mentioned sites registrant is ESTDOMAINS, INC. Stay away from these malicious sites

A Symphony of Fake Scanner Pages
Here is a list of recently seen fake scanner pages distributing rogue security applications.

SpywareIsolator

Sites used by this rogue:

Site Name: SpywareIsolator.com
IP Address: 72.233.50.150

Site Name: SpywareIso.com
IP Address: 72.233.63.89

Site Name: SpywareIsolator2008.com
IP Address: 72.233.63.94

The installer is also pushed from the following site:

Site Name: si-download.net
IP Address: 72.233.63.95
Sample: si-download(dot)net/ landing / distrib / installer_abr.exe


VirusIsolator

Sites used by this rogue:

Site Name: VirusIsolator.com
Site Name: Virus-Isolator.org
Site Name: Virus-Isolator.us
Site Name: VirusIsolator.us
IP Address: 217.170.77.150

XP antivirus

Site Name: SecurityScannerSite.com
IP Address: 217.170.77.150

Site Name: Xpprotectionsoftware.com
IP Address: 72.233.81.234

The installer is pushed from the following site:

Site Name: XPdownloadcenter.com
IP Address: 72.233.81.234
Sample: XPdownloadcenter(dot)com/download/xpa_eng.exe

Fileshreddersoftware.com also shares the IP 72.233.81.234 which is again a crapware they are exploiting Lavasoft’s application name “File Shredder”.

AntiVirus 2008

Site Name: AntiVirus-Scanner.com
IP Address: 190.15.73.254

The rogue also uses the following site:

Site Name: AntiVirus2008x.com
IP Address: 64.28.177.250

AntiSpywareDeluxe

Site Name: AntiSpywareDeluxe.com
IP Address: 67.205.75.9

SpywareDestructor

This is a clone of AntiSpywareDeluxe rogue application.

Site Name: SpywareDestructor.com
IP Address: 67.205.75.9

PcSweeperPro

This is clone of Cleanator Rogue security application. The home page of this rogue currently comes up blank.

Site Name: PcSweeperPro.com
IP Address: 72.55.156.207

Imunizator

Site Name: Imunizator.com
IP Address: 67.205.75.10

Imunizator is a clone of MacSweeper Rogue security application, All Mac user be aware of this rogue.

Zlob Trojan Distributing sites

Site Name: Wmadirection.com
IP Address: 85.255.118.178

DNS Changer Trojan Distributing sites:

Site Name: Hqticket.com
IP Address: 64.28.184.169

Site registrant for both the sites is ESTDOMAINS, INC. Stay away from these malicious sites.

IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been update, it installs files with semi-random filenames, composed from fragment words: f, vid, pn, as, op, k, 32, 16, 64

Files could look like: vidk32.dll...

And displays alert messages.

New Zlob has been released again. It installs the following files and registry entries.

C:\Windows\System32\qdsba.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{af73a174-ea1b-4f0b-b0b1-fe1486a6719c} = communa

Tuesday, May 6, 2008
VirusHeat 4.4
A new realease of the rogue VirusHeat has been released. This rogues looks like: VirusProtect, VirusRay, Antivir Gear, VirusProtectPro , SpyDown, SpywareQuake.

Zlob fake codec has been update. It drops the following file:

%SYSTEM%\rtmipr.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e89fa8e9-5c0b-45f6-a70e-f7b177bcd193}"="delayingly"

It also installs Toolbar, BHO, VirusHeat Rogue software

SmitFraud Fix targets these files.

What’s New? Well they have designed a pair on new icons that is usually placed on the desktop of the infected machine and below is the rest of the story.

Zlob Trojan Distributing sites

Site Name: Wmvtool.com
IP Address: 85.255.120.110

Site Name: Avitool.com
IP Address: 85.255.118.178

Scam Internet Security Page:
Site Name: Instantsafepage.com
IP Address: 85.255.116.212

404Errorpage Scam:
Site Name: Iednsallerror.com
IP Address: 85.255.118.242

Also the sites Dnspoles.com and 404dnspage.com shares the same ip and its also a 404Errorpage Scam component site.

Security Guide Scam Page:
Site Name: Safeshortcuts.com
IP Address: 85.255.118.210

Ad-Server-Gate Pages:
Site Name: Gategq.com
IP Address: 85.255.118.37

Site Name: Gatebm.com
IP Address: 85.255.118.38

The Ad-Server-Gate pages redirects to fake Security center site Secureinfotool.com which promotes Rogue security applications.

Site Name: Secureinfotool.com
IP Address: 85.255.118.34

Also the following site is used in Zlob tool bar to redirect users to malicious domains.

Site Name: Toolbarset.com
IP Address: 85.255.118.36

All the above mentioned sites advertise well documented Rogue security applications. Stay away from these sites.

Bharath M N

New Zlob has been released again. It installs the following files and registry entries.

C:\Windows\System32\rtmipr.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} = delayingly

VideoAccessCodec has been updated. The codec installs the following files.

C:\Windows\vbksrofa.dll
C:\Windows\pvnsmfor.dll
C:\Windows\oadkxrts.exe
C:\Windows\mpfanvqg.dll

XP-Shield is bogus/rogue antispyware software recently released by the scammers.

Site Name: XP-Shield.com
IP Address: 88.214.200.140

XP-Shield uses the same standard homepage which is also used by many other scam/rogue/crapware applications.

The site XPshield.com also shares the same IP address and currently just redirects to XP-Shield.com site.

The application just does a fake scan on the system and ask user to purchase the full version to remove the fake threats detected on the system. None of the scanners on Virustotal Flags this file as malicious.

IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been update, it installs the following a file:

%WINDOWS%\iebho.dll

And displays alert messages.

VideoAccessCodec has been update, it installs the following files:

%WINDOWS%\fvowketq???.dll (where ? is a random caracter)
%WINDOWS%\pvnsmfor.dll
%WINDOWS%\mpfanvqg.dll
%WINDOWS%\vbksrofa.dll
%WINDOWS%\oadkxrts.exe
%WINDOWS%\epfg.exe

Details of two new rogues, Advanced XP Defender and XP SecurityCenter.

If you have seen any of the windows above on your computer, it is recommended that you follow these instructions. We have provided removal instructions for anybody unfortunate to have downloaded these applications.

IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been update, it installs files with semi-random filenames, composed from fragment words: ap, od, ik, sa, do, unbe, gy, ps, xu

Files could look like: iksaps.dll, apunbeps.dll, apsagy.dll ...

And displays alert messages.

KvmSecure is a new rogue Anti-Virus application. KvmSecure is a near clone of “XP antivirus” rogue application.

Site Name: KvmSecure.com
Site Name: Kvm-Secure.com
IP Address: 62.176.16.161

The rogue uses Software-payment.com site for payment processing. Beware that this site is also used by many other rogue security applications for payment processing.

Further following two sites share the same IP address with KvmSecure sites

Site Name: Sextubecodec93.com
Site Name: Sexycodecadult.com

Both these sites pushes Trojan MediaTubeCodec.

Continuing the rogue security software series I've just stumbled upon a fake PestPatrol site - pest-patrol.com (85.255.121.181) hosted at the the RBN connected Ukrtelegroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), just like the majority of sites assessed in previous posts.

A new rogue, AdvancedXPFixer, part of the iSecurity group has been released. It is advertised by a trojan.

If you have seen any of the windows above on your computer, it is recommended that you follow these instructions. We have provided removal instructions for anybody unfortunate to have downloaded these applications.

The new version of Video Access Codec infection installs some policies that prevent Command Line execution.

It also displays a message: Virus Alert! in the Windows Clock and removes some Start Menu icons.

IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been update, it still use the same dictionary to compose the filename but it displays a new message box with the registered user name

System Antivirus 2008 is a new rogue from the SSH Zlob Trojan family. The application is a clone of Windows Antivirus 2008 rogue security application.

Site Name: Sav2008.com
IP address: 77.91.225.234

Following are the list of sites that distributes Rogue security application and shares the same IP 77.91.225.234.

Dr-protection-adv.com
Dr-protection.com
Guard-center-adv.com
Guard-center.com
Killspy-adv.com
Killspy.org
Liveantispy-adv.com
Liveantispy.com
Liveprotection-adv.net
Liveprotection.net
Online-guard-adv.net
Online-guard.net
Stopingspy-adv.com
Stopingspy.com
Winantiviruspro.net

Vista Antivirus 2008 is a yet another rogue from the SSH Zlob Trojan family. The application is a clone of Windows Antivirus 2008 rogue security application.

Site Name: Vav2008.com
IP address: 77.91.229.98

VideoAccessCodec has been update, it installs the following files:

%WINDOWS%\nogxfvbl???.dll (where ? is a random caracter)
%WINDOWS%\nmwegbsf.dll
%WINDOWS%\adgpfoxs.dll
%WINDOWS%\erpobmsw.dll
%WINDOWS%\xbqmfsed.exe
%WINDOWS%\e???.exe (where ? is a random caracter)

Malwareprotector2008 is a new rogue security application from WinIFixer family of Rogue security applications. As usual this rogue is pushed by Fake codecs.

Site Name: Malwareprotector2008.com
IP address: 216.240.139.169

IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been update, it installs files with semi-random filenames, composed from fragment words: t, p, b, a, o, u, sant, post, sect, 32, 16a, 8x

Files could look like: tosant32.dll, pasant32.dll ...and displays alert messages:

Ultimate Antivirus 2008 is a yet another rogue from the SSH Zlob Trojan family. The application is a clone of Windows Antivirus 2008 rogue security application.

Site Name: Uav2008.com
IP address: 77.91.229.98

New Zlob has been released again. It installs the following files and registry entries.

C:\Windows\System32\kfcpnd.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f} = campaniform

A new rogue, AntiSpyCheck, has been released. It is advertised by a trojan.