miekiemoes

Remove IE Defender, Files Secure, Malware Bell, IE Antivirus


UPDATE! For the latest removal instructions, see the second post below!

The manual method won't be updated anymore since this infection now uses semi-random files.

 

Explanation:

 

This one is getting installed via a FAKE codec.

Be careful when watching online videos, especially when they ask you to install a certain codec in order to watch the video. By default, your media player should already have the necessary codecs installed to watch online videos. In case you're prompted to install an additional codec while trying to watch a movie online, it may be a false alert, and this so-called codec may install malware.

 

Example of such FAKE codec:

 

(screenshot: codecinstaller.gif)

 

Once installed, it displays fake alerts in order to download/install the fake program IE Defender or Files Secure.

The alerts display that you are infected with one of the following:

 

* Trojan.Zlob-X.a
* Trojan.Win32.Agent.akk
* Trojan.Win32.Obfuscated.gx
* Trojan.Win32.LinkReplacer
* Trojan.Win32.StarField
* Trojan.Win32.Startpage.fq
* Trojan.Agent
* Trojan.Win32.Gorshok.a
* Worm.Win32.Sober
* Trojan.Vundo
* Trojan.KillAV
* Trojan.Win32.Patched
* Trojan.Win32.CP4000
* Trojan Win32/Qoologic
* Trojan Win32.Murlo
* unknown trojan
* dangerous trojan
* dangerous virus

 

Example Alert:

 

(screenshot: akk.gif)

 

Also read here for a detailed description of this infection.

 

 

Removal:

 

In case you don't have HijackThis...

 

* Download Trend Micro HijackThis™

Double-click the HJTInstall.exe to start it.

By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.

HijackThis will open after install. Press the Scan button below.

 

Then in HijackThis, look whether any of the following entries are present and check them in HijackThis:

(the CLSIDs {********-****-****-****-************} may be different in your case, but the filename is always the same)

 

Note: If you have only recently been dealing with this infection, it's better to start at the bottom of the entries listed here, since the new ones are added at the bottom of the list.

 

O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: System DivX4 - {2FA3B736-1AC7-454D-8E94-8BA8158BF064} - C:\WINDOWS\system32\sysvideo32.dll
O2 - BHO: Video - {15FEB658-AACC-412E-BC13-D54CFD74A8F6} - C:\WINDOWS\stream32a.dll
O2 - BHO: Video - {D0995F82-90C7-4C78-9B4C-C1700FB8B120} - C:\WINDOWS\windivx.dll
O2 - BHO: Video - {80590BC5-F4BA-4AD1-B216-C19EE86E2A77} - C:\WINDOWS\msvideo.dll
O2 - BHO: IE plugin - {6F6D1C90-7BEE-4A15-8DAB-9C37A643FD3A} - C:\WINDOWS\pmspl.dll
O2 - BHO: FireFox Viewer - {8883BBC2-E716-4C98-B12C-BB40B4A415ED} - C:\WINDOWS\corpol.dll
O2 - BHO: Web Search - {B3E45A9B-7756-46A2-AB14-90175CD374F9} - C:\WINDOWS\websrc32.dll
O2 - BHO: IE Config Tools - {E780E148-0BAC-4654-81A4-8A649F4D4A90} - C:\WINDOWS\mscfg32.dll
O2 - BHO: PDS Viewer - {E2278F85-4584-4BEE-928C-600B38C385C1} - C:\Windows\pdswin.dll
O2 - BHO: OGG Viewer - {82FE0677-75EC-49BF-83E9-A815F68F6212} - C:\WINDOWS\oggview.dll
O2 - BHO: pwn plugin - {7E24E909-FB8A-4837-9DF7-05E7587CB26C} - C:\WINDOWS\pwnbho.dll
O2 - BHO: POS plugin - {369A87BB-07DF-4AB6-B23D-B5BF81338572} - C:\WINDOWS\poswin.dll
O2 - BHO: PLAsim plugin - {7753B2C4-8E27-4CEC-87EB-2739480D8A11} - C:\WINDOWS\poswin.dll
O2 - BHO: player addon - {4EBAA7B0-740D-4CFA-9455-5C233BB354E1} - C:\WINDOWS\oggview32.dll
O2 - BHO: Rates - {834B0DD4-3A68-4F58-B265-D9FDB3D8F88B} - C:\WINDOWS\toprates.dll
O2 - BHO: Office toolbar - {472BC14C-6464-4FDF-A12A-A057CDCD9C58} - C:\WINDOWS\sysosa.dll
O2 - BHO: Video decompressor - {A69E182D-F9CA-4B90-80E9-854CBACCD73B} - C:\WINDOWS\pandsf.dll
O2 - BHO: Player - {84885FC9-44B0-4953-98F9-166E048B7052} - C:\WINDOWS\orgnavi.dll
O2 - BHO: Sysem Player - {2AE4C401-AAC4-4F41-9665-1EC88C3BDD7D} - C:\WINDOWS\sysvol32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {445A3D12-EBA3-4054-AB54-587BF3FF40EA} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\System32\AcroIeHelp.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIeHelpU2.dll
O2 - BHO: MS Video Control 1.0 - {853D915E-40FF-4125-996E-89DD934B2060} - C:\WINDOWS\msvidc32.dll
O2 - BHO: Windows Media Player - {7CF52009-F408-49AE-BBCB-6279CB53BB42} - C:\WINDOWS\wmpdxm.dll
O2 - BHO: Media Player Classic - {CE0487CA-8B02-431E-BA63-D38844E020B5} - C:\WINDOWS\ausctv32a.dll
O2 - BHO: Media Player Codec - {3084A75F-5350-4D8B-BC5F-6B378035C133} - C:\WINDOWS\dsaip32b.dll
O2 - BHO: Media Codec - {50B051EE-8EF3-4D58-828D-74F0D1FFE4AA} - C:\WINDOWS\kiasys.dll
O2 - BHO: FLW Viewer - {38E4618F-E3E4-42E9-925F-6B02C798BD94} - C:\WINDOWS\cndr32a.dll
O2 - BHO: Sofos - {B49949CA-3062-4FA3-A24A-E27BAFD7C940} - C:\WINDOWS\sofos16x.dll
O2 - BHO: Sofos - {73776361-F206-4A50-9687-801C6FE9BA31} - C:\WINDOWS\sofos32x.dll
O2 - BHO: WinSurf - {1F91C786-BBA0-41D2-8B3D-B88242677BAC} - C:\WINDOWS\winsurf.dll
O2 - BHO: WinSurf - {53E30863-280F-4CFA-99AB-55CAEB95271C} - C:\WINDOWS\ps16sys.dll
O2 - BHO: PCTools - {C9BB982C-503D-4C0C-BDC7-ECE2A7FADFE9} - C:\WINDOWS\pctools.dll
O2 - BHO: PCTools - {5C8494A5-7525-46B3-94C2-2F734EEBD48B} - C:\WINDOWS\netweb64c.dll
O2 - BHO: PCTools - {5C8494A5-7525-46B3-94C2-2F734EEBD48B} - C:\WINDOWS\sysapi32a.dll

 

Click the "Fix checked" button below.

Then reboot your computer.

After reboot, navigate to and delete whichever of the following files is still present (the one matching the entry you fixed in HijackThis):

 

C:\WINDOWS\system32\IR9V0_QCX.dll
C:\Windows\System32\bDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideo.dll
C:\Windows\System32\Video32.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\dx50codec.dll
C:\WINDOWS\system32\a3gpcodec.dll
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\VideoMP3.dll
C:\WINDOWS\system32\PowerVideo.dll
C:\WINDOWS\system32\sysdivx.dll
C:\WINDOWS\system32\sysvideo32.dll
C:\WINDOWS\stream32a.dll
C:\WINDOWS\windivx.dll
C:\WINDOWS\msvideo.dll <== do NOT delete the file of the same name present in your C:\Windows\system32 folder, as that one is legit!
C:\WINDOWS\pmspl.dll <== do NOT delete the file of the same name present in your C:\Windows\system32 folder, as that one is legit!
C:\WINDOWS\corpol.dll <== do NOT delete the file of the same name present in your C:\Windows\system32 folder, as that one is legit!
C:\WINDOWS\websrc32.dll
C:\WINDOWS\mscfg32.dll
C:\WINDOWS\pdswin.dll
C:\WINDOWS\oggview.dll
C:\WINDOWS\pwnbho.dll
C:\WINDOWS\poswin.dll
C:\WINDOWS\oggview32.dll
C:\WINDOWS\toprates.dll
C:\WINDOWS\sysosa.dll
C:\WINDOWS\pandsf.dll
C:\WINDOWS\orgnavi.dll
C:\WINDOWS\sysvol32.dll
C:\WINDOWS\AcroIEHelper.dll <== this file is present in the %Windir% (Windows) folder and is not the legitimate AcroIEHelper.dll present in the Acrobat *\ActiveX folder.
C:\WINDOWS\System32\AcroIeHelp.dll <== this file is present in the %Windir%\System32 folder and is not the legitimate AcroIEHelper.dll present in the Acrobat *\ActiveX folder.
C:\WINDOWS\System32\AcroIeHelpU2.dll
C:\WINDOWS\msvidc32.dll <== do NOT delete the file of the same name present in the System32 folder, because that one is legitimate!
C:\WINDOWS\wmpdxm.dll <== do NOT delete the file of the same name present in the System32 folder, because that one is legitimate!
C:\WINDOWS\ausctv32a.dll
C:\WINDOWS\dsaip32b.dll
C:\WINDOWS\kiasys.dll
C:\WINDOWS\cndr32a.dll
C:\WINDOWS\sofos16x.dll
C:\WINDOWS\sofos32x.dll
C:\WINDOWS\winsurf.dll
C:\WINDOWS\ps16sys.dll
C:\WINDOWS\pctools.dll
C:\WINDOWS\netweb64c.dll
C:\WINDOWS\sysapi32a.dll

 

Normally, by default, if you fix that entry in HijackThis and your Internet Explorer is closed while fixing in HijackThis, HijackThis will already delete that file as well. So don't worry if you can't find the file afterwards anymore; HijackThis already deleted it. But it's always a good idea to double-check.

Please make sure you don't delete "similar looking" files as they may be legitimate.

 

 

Extra note: Most people find this thread via a search engine. However, there are many similar threads as well where they offer help to remove this infection. In case you have found one of these threads/sites where they offer SpyHunter in order to remove this pest, please DO NOT install it! Many of these threads/sites are really PUSHING SpyHunter, the same principle as how this infection exists (pushing a "so-called" Spyware Remover to purchase to remove this pest).

As you see, the above instructions are simple instructions on how to remove this pest manually, so it won't cost you anything.

 

In case you're in doubt or it didn't solve your problem, please start a NEW thread in the HijackThis forum with your HijackThis log.

Edited by miekiemoes

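The post above relies on two things a reader has to check by hand: whether a BHO entry's DLL filename is on the fake-codec list (the CLSID varies, so it is no use), and whether the file sits in the location where that name is legitimate (system32 for msvideo.dll and friends, the Acrobat ActiveX folder for AcroIEHelper.dll). This added Python example, not part of the original post, applies those same rules to HijackThis "O2 - BHO" lines so the legit-versus-fake caveats cannot be overlooked; the sample log and its CLSIDs are constructed.

```python
import re
from pathlib import PureWindowsPath

# Fake-codec BHO DLL filenames, taken from the list in the post above (lower-cased).
FAKE_CODEC_DLLS = {
    "ir9v0_qcx.dll", "bdivx.dll", "intelvideodivx.dll", "intelvideo.dll", "video32.dll", "dx50codec.dll",
    "xunleibho_now.dll", "a3gpcodec.dll", "adivx.dll", "mp3avi.dll", "videomp3.dll", "powervideo.dll",
    "sysdivx.dll", "sysvideo32.dll", "stream32a.dll", "windivx.dll", "msvideo.dll", "pmspl.dll", "corpol.dll",
    "websrc32.dll", "mscfg32.dll", "pdswin.dll", "oggview.dll", "pwnbho.dll", "poswin.dll", "oggview32.dll",
    "toprates.dll", "sysosa.dll", "pandsf.dll", "orgnavi.dll", "sysvol32.dll", "acroiehelper.dll", "acroiehelp.dll",
    "acroiehelpu2.dll", "msvidc32.dll", "wmpdxm.dll", "ausctv32a.dll", "dsaip32b.dll", "kiasys.dll", "cndr32a.dll",
    "sofos16x.dll", "sofos32x.dll", "winsurf.dll", "ps16sys.dll", "pctools.dll", "netweb64c.dll", "sysapi32a.dll",
}
# Caveats from the post: these names are legitimate in system32; only the copy directly under %Windir% is fake.
LEGIT_IN_SYSTEM32 = {"msvideo.dll", "pmspl.dll", "corpol.dll", "msvidc32.dll", "wmpdxm.dll"}
LEGIT_IN_ACROBAT_ACTIVEX = {"acroiehelper.dll"}  # legitimate only in the Acrobat *\ActiveX folder
# CLSIDs differ per machine (see the post), so the DLL path is the only field acted on.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)\s*$")

def classify(line):
    """Verdict for one HijackThis line: 'fix', 'legit', 'unlisted', or None if it is not an O2 entry."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    path = PureWindowsPath(m.group("path"))
    fname = path.name.lower()
    if fname not in FAKE_CODEC_DLLS:
        return "unlisted"
    if fname in LEGIT_IN_SYSTEM32 and path.parent.name.lower() == "system32":
        return "legit"
    if fname in LEGIT_IN_ACROBAT_ACTIVEX and "activex" in (p.lower() for p in path.parts):
        return "legit"
    return "fix"

def triage(log_text):
    """Map each O2 entry's DLL path to its verdict; other log lines are ignored."""
    verdicts = {}
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            verdicts[O2_RE.match(line.strip()).group("path")] = verdict
    return verdicts

# Constructed sample log; the CLSIDs are placeholders, not values from any real machine.
SAMPLE_LOG = r"""
O2 - BHO: IntelVideoCodec - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: Video - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\msvideo.dll
O2 - BHO: Video - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\system32\msvideo.dll
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000004} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000005} - C:\WINDOWS\AcroIEHelper.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000006} - (no file)
"""
```

Calling triage(SAMPLE_LOG) marks the two msvideo.dll entries differently (the %Windir% copy as "fix", the system32 copy as "legit") and leaves the real Adobe helper under its ActiveX folder alone, which is exactly the distinction the warnings in the file list above ask the reader to make.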

IEDefender Removal Instructions:

ShadowPuterDude has authored an automated tool for removal of IEDefender. You can find the download and instructions here.


NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry, as FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.

1. Download FixIEDef.exe by ShadowPuterDude to the Desktop.
   Note: FixIEDef now supports non-English language systems.
2. Double-click FixIEDef.exe: (screenshot: fixiedef_zip.png)
3. That will open the About FixIEDef screen. Click OK to continue: (screenshot: about_fixiedef.png)
4. Next, press the Scan! button: (screenshot: press_scan.png)
5. FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue: (screenshot: fixiedef_alert.png)
6. Wait for the scan to finish. It shouldn't take very long: (screenshot: fixiedef_scanning.png)
7. After the !!! All Finished !!! message is displayed, click Exit.
8. That's it! You're done, and the infection should be removed.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. See: http://www.beyondlogic.org/consulting/proc...processutil.htm

Mirrors: Alternate official download locations for FixIEDef.exe

 

http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe

http://hosts-file.net/download/fixiedef/fixiedef.exe

http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef

 

Credits go to Blair (GeekstoGo)
