The manual method won't be updated anymore since this infection now uses semi-random file names.
Explanation:
This one gets installed via a FAKE codec.
Be careful when watching online videos, especially when they ask you to install a certain codec in order to watch the video. By default, your media player should already have the necessary codecs installed to watch online videos. In case you're prompted to install an additional codec while trying to watch a movie online, it may be a false alert, and this so-called codec may install malware.
Example of such FAKE codec:
Once installed, it displays fake alerts in order to download/install the fake program IE Defender or Files Secure.
The alerts claim you are infected with one of the following:
* Trojan.Zlob-X.a
* Trojan.Win32.Agent.akk
* Trojan.Win32.Obfuscated.gx
* Trojan.Win32.LinkReplacer
* Trojan.Win32.StarField
* Trojan.Win32.Startpage.fq
* Trojan.Agent
* Trojan.Win32.Gorshok.a
* Worm.Win32.Sober
* Trojan.Vundo
* Trojan.KillAV
* Trojan.Win32.Patched
* Trojan.Win32.CP4000
* Trojan Win32/Qoologic
* Trojan Win32.Murlo
* unknown trojan
* dangerous trojan
* dangerous virus
Example Alert:
Also read here for a detailed description of this infection.
Removal:
In case you don't have HijackThis...
* Download Trend Micro Hijack This™
Double-click HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
Then, in HijackThis, look whether one of the following entries is present and tick it in HijackThis:
(the CLSIDs {********-****-****-****-************} may be different in your case, but the filename is always the same)
Note: If you only picked up this infection recently, it's better to start at the bottom of the bold entries here, since the new ones are added at the bottom of the list.
O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: System DivX4 - {2FA3B736-1AC7-454D-8E94-8BA8158BF064} - C:\WINDOWS\system32\sysvideo32.dll
O2 - BHO: Video - {15FEB658-AACC-412E-BC13-D54CFD74A8F6} - C:\WINDOWS\stream32a.dll
O2 - BHO: Video - {D0995F82-90C7-4C78-9B4C-C1700FB8B120} - C:\WINDOWS\windivx.dll
O2 - BHO: Video - {80590BC5-F4BA-4AD1-B216-C19EE86E2A77} - C:\WINDOWS\msvideo.dll
O2 - BHO: IE plugin - {6F6D1C90-7BEE-4A15-8DAB-9C37A643FD3A} - C:\WINDOWS\pmspl.dll
O2 - BHO: FireFox Viewer - {8883BBC2-E716-4C98-B12C-BB40B4A415ED} - C:\WINDOWS\corpol.dll
O2 - BHO: Web Search - {B3E45A9B-7756-46A2-AB14-90175CD374F9} - C:\WINDOWS\websrc32.dll
O2 - BHO: IE Config Tools - {E780E148-0BAC-4654-81A4-8A649F4D4A90} - C:\WINDOWS\mscfg32.dll
O2 - BHO: PDS Viewer - {E2278F85-4584-4BEE-928C-600B38C385C1} - C:\Windows\pdswin.dll
O2 - BHO: OGG Viewer - {82FE0677-75EC-49BF-83E9-A815F68F6212} - C:\WINDOWS\oggview.dll
O2 - BHO: pwn plugin - {7E24E909-FB8A-4837-9DF7-05E7587CB26C} - C:\WINDOWS\pwnbho.dll
O2 - BHO: POS plugin - {369A87BB-07DF-4AB6-B23D-B5BF81338572} - C:\WINDOWS\poswin.dll
O2 - BHO: PLAsim plugin - {7753B2C4-8E27-4CEC-87EB-2739480D8A11} - C:\WINDOWS\poswin.dll
O2 - BHO: player addon - {4EBAA7B0-740D-4CFA-9455-5C233BB354E1} - C:\WINDOWS\oggview32.dll
O2 - BHO: Rates - {834B0DD4-3A68-4F58-B265-D9FDB3D8F88B} - C:\WINDOWS\toprates.dll
O2 - BHO: Office toolbar - {472BC14C-6464-4FDF-A12A-A057CDCD9C58} - C:\WINDOWS\sysosa.dll
O2 - BHO: Video decompressor - {A69E182D-F9CA-4B90-80E9-854CBACCD73B} - C:\WINDOWS\pandsf.dll
O2 - BHO: Player - {84885FC9-44B0-4953-98F9-166E048B7052} - C:\WINDOWS\orgnavi.dll
O2 - BHO: Sysem Player - {2AE4C401-AAC4-4F41-9665-1EC88C3BDD7D} - C:\WINDOWS\sysvol32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {445A3D12-EBA3-4054-AB54-587BF3FF40EA} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\System32\AcroIeHelp.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIeHelpU2.dll
O2 - BHO: MS Video Control 1.0 - {853D915E-40FF-4125-996E-89DD934B2060} - C:\WINDOWS\msvidc32.dll
O2 - BHO: Windows Media Player - {7CF52009-F408-49AE-BBCB-6279CB53BB42} - C:\WINDOWS\wmpdxm.dll
O2 - BHO: Media Player Classic - {CE0487CA-8B02-431E-BA63-D38844E020B5} - C:\WINDOWS\ausctv32a.dll
O2 - BHO: Media Player Codec - {3084A75F-5350-4D8B-BC5F-6B378035C133} - C:\WINDOWS\dsaip32b.dll
O2 - BHO: Media Codec - {50B051EE-8EF3-4D58-828D-74F0D1FFE4AA} - C:\WINDOWS\kiasys.dll
O2 - BHO: FLW Viewer - {38E4618F-E3E4-42E9-925F-6B02C798BD94} - C:\WINDOWS\cndr32a.dll
O2 - BHO: Sofos - {B49949CA-3062-4FA3-A24A-E27BAFD7C940} - C:\WINDOWS\sofos16x.dll
O2 - BHO: Sofos - {73776361-F206-4A50-9687-801C6FE9BA31} - C:\WINDOWS\sofos32x.dll
O2 - BHO: WinSurf - {1F91C786-BBA0-41D2-8B3D-B88242677BAC} - C:\WINDOWS\winsurf.dll
O2 - BHO: WinSurf - {53E30863-280F-4CFA-99AB-55CAEB95271C} - C:\WINDOWS\ps16sys.dll
O2 - BHO: PCTools - {C9BB982C-503D-4C0C-BDC7-ECE2A7FADFE9} - C:\WINDOWS\pctools.dll
O2 - BHO: PCTools - {5C8494A5-7525-46B3-94C2-2F734EEBD48B} - C:\WINDOWS\netweb64c.dll
O2 - BHO: PCTools - {5C8494A5-7525-46B3-94C2-2F734EEBD48B} - C:\WINDOWS\sysapi32a.dll
Click the "Fix checked" button below.
Then reboot your computer.
After the reboot, navigate to and delete the following file if it is still present (the one that matches the entry you fixed in HijackThis):
C:\WINDOWS\system32\IR9V0_QCX.dll
C:\Windows\System32\bDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideo.dll
C:\Windows\System32\Video32.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\dx50codec.dll
C:\WINDOWS\system32\a3gpcodec.dll
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\VideoMP3.dll
C:\WINDOWS\system32\PowerVideo.dll
C:\WINDOWS\system32\sysdivx.dll
C:\WINDOWS\system32\sysvideo32.dll
C:\WINDOWS\stream32a.dll
C:\WINDOWS\windivx.dll
C:\WINDOWS\msvideo.dll <== do NOT delete the copy of this file present in your C:\Windows\system32 folder, as that one is legit!
C:\WINDOWS\pmspl.dll <== do NOT delete the copy of this file present in your C:\Windows\system32 folder, as that one is legit!
C:\WINDOWS\corpol.dll <== do NOT delete the copy of this file present in your C:\Windows\system32 folder, as that one is legit!
C:\WINDOWS\websrc32.dll
C:\WINDOWS\mscfg32.dll
C:\WINDOWS\pdswin.dll
C:\WINDOWS\oggview.dll
C:\WINDOWS\pwnbho.dll
C:\WINDOWS\poswin.dll
C:\WINDOWS\oggview32.dll
C:\WINDOWS\toprates.dll
C:\WINDOWS\sysosa.dll
C:\WINDOWS\pandsf.dll
C:\WINDOWS\orgnavi.dll
C:\WINDOWS\sysvol32.dll
C:\WINDOWS\AcroIEHelper.dll <== this file is present in the %Windir% (Windows) folder and is not the legitimate AcroIEHelper.dll present in the Acrobat *\ActiveX folder.
C:\WINDOWS\System32\AcroIeHelp.dll <== this file is present in the %Windir%\System32 folder and is not the legitimate AcroIEHelper.dll present in the Acrobat *\ActiveX folder.
C:\WINDOWS\System32\AcroIeHelpU2.dll
C:\WINDOWS\msvidc32.dll <== do NOT delete the copy of this file present in the System32 folder, because that one is legitimate!
C:\WINDOWS\wmpdxm.dll <== do NOT delete the copy of this file present in the System32 folder, because that one is legitimate!
C:\WINDOWS\ausctv32a.dll
C:\WINDOWS\dsaip32b.dll
C:\WINDOWS\kiasys.dll
C:\WINDOWS\cndr32a.dll
C:\WINDOWS\sofos16x.dll
C:\WINDOWS\sofos32x.dll
C:\WINDOWS\winsurf.dll
C:\WINDOWS\ps16sys.dll
C:\WINDOWS\pctools.dll
C:\WINDOWS\netweb64c.dll
C:\WINDOWS\sysapi32a.dll
Normally, if you fix that entry in HijackThis while Internet Explorer is closed, HijackThis will delete the file as well. So don't worry if you can't find the file afterwards: HijackThis has already deleted it. But it's always a good idea to double-check.
Please make sure you don't delete "similar looking" files, as they may be legitimate.
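Because the CLSIDs differ from machine to machine while the file names do not, the lists above can be checked mechanically. The following is an added example (not part of the original post, and not a HijackThis feature) that parses O2 lines from a HijackThis log, matches on the file name only, and applies the legit-copy exceptions noted above; the sample log lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# File names taken from the O2 entries listed above; CLSIDs change, names do not.
ZLOB_BHO_FILES = set("""
ir9v0_qcx.dll bdivx.dll intelvideodivx.dll intelvideo.dll video32.dll dx50codec.dll xunleibho_now.dll
a3gpcodec.dll adivx.dll mp3avi.dll videomp3.dll powervideo.dll sysdivx.dll sysvideo32.dll
stream32a.dll windivx.dll msvideo.dll pmspl.dll corpol.dll websrc32.dll mscfg32.dll
pdswin.dll oggview.dll pwnbho.dll poswin.dll oggview32.dll toprates.dll sysosa.dll
pandsf.dll orgnavi.dll sysvol32.dll acroiehelper.dll acroiehelp.dll acroiehelpu2.dll msvidc32.dll
wmpdxm.dll ausctv32a.dll dsaip32b.dll kiasys.dll cndr32a.dll sofos16x.dll sofos32x.dll
winsurf.dll ps16sys.dll pctools.dll netweb64c.dll sysapi32a.dll
""".split())
# Per the guide: these names are legitimate in System32 (only the Windows-root copy is the
# BHO), and AcroIEHelper.dll is legitimate under Acrobat's ActiveX folder.
LEGIT_IN_SYSTEM32 = {"msvideo.dll", "pmspl.dll", "corpol.dll", "msvidc32.dll", "wmpdxm.dll"}
LEGIT_UNDER_ACROBAT = {"acroiehelper.dll"}
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")

def classify_o2(line):
    """Verdict for one HijackThis log line; None if it is not an O2 (BHO) entry."""
    m = O2_LINE.match(line.strip())
    if not m:
        return None
    path = PureWindowsPath(m.group("path").strip())
    fname, parent = path.name.lower(), str(path.parent).lower()
    if fname not in ZLOB_BHO_FILES:
        return ("not_listed", fname)
    if fname in LEGIT_IN_SYSTEM32 and parent.endswith("\\system32"):
        return ("legit_keep", fname)
    if fname in LEGIT_UNDER_ACROBAT and parent.endswith("\\activex"):
        return ("legit_keep", fname)
    return ("fix_in_hijackthis", fname)

def triage_log(log_text):
    """Group every O2 entry of a HijackThis log by verdict, in log order."""
    out = {"fix_in_hijackthis": [], "legit_keep": [], "not_listed": []}
    for line in log_text.splitlines():
        r = classify_o2(line)
        if r:
            out[r[0]].append(r[1])
    return out

# Constructed sample log; the CLSIDs are deliberately different from the ones in the guide.
SAMPLE_LOG = """\
O2 - BHO: Video - {11111111-2222-3333-4444-555555555555} - C:\\WINDOWS\\msvideo.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\\WINDOWS\\system32\\msvideo.dll
O2 - BHO: System DivX4 - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\WINDOWS\\system32\\sysvideo32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {FFFFFFFF-1111-2222-3333-444444444444} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
"""
```

Entries in the "fix_in_hijackthis" group are the ones to tick and fix; "legit_keep" entries are the legitimate copies the guide warns you not to delete.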
Extra note: Most people find this thread via a search engine. However, there are many similar threads as well where they offer help to remove this infection. In case you have found one of these threads/sites where they offer SpyHunter in order to remove this pest, please DO NOT install it! Many of these threads/sites are really PUSHING SpyHunter, on the same principle by which this infection exists (pushing a "so-called" spyware remover for you to purchase in order to remove this pest).
As you can see, the instructions above are simple instructions for removing this pest manually, so it won't cost you anything.
In case you're in doubt or it didn't solve your problem, please start a NEW thread in the HijackThis forum with your HijackThis log.
Edited by miekiemoes, 29 April 2008 - 11:09 AM.