miekiemoes
Posted October 28, 2007

UPDATE! For the latest removal instructions, see the second post below!!!! The manual method won't be updated anymore since this infection uses semi-random files now.

Explanation:

This one is getting installed via a FAKE codec. Be careful when watching online videos, especially when they ask you to install a certain codec in order to watch the video. By default, your media player should already have the necessary codecs installed to watch online videos. In case you're prompted to install an additional codec while trying to watch a movie online, it may be a false alert and this so-called codec may install malware.

Example of such a FAKE codec:

Once installed, it displays fake alerts in order to download/install the fake program IE Defender or Files Secure. The alerts display that you are infected with one of the following:

 * Trojan.Zlob-X.a
 * Trojan.Win32.Agent.akk
 * Trojan.Win32.Obfuscated.gx
 * Trojan.Win32.LinkReplacer
 * Trojan.Win32.StarField
 * Trojan.Win32.Startpage.fq
 * Trojan.Agent
 * Trojan.Win32.Gorshok.a
 * Worm.Win32.Sober
 * Trojan.Vundo
 * Trojan.KillAV
 * Trojan.Win32.Patched
 * Trojan.Win32.CP4000
 * Trojan Win32/Qoologic
 * Trojan Win32.Murlo
 * unknown trojan
 * dangerous trojan
 * dangerous virus

Example Alert:

Also read here for a detailed description of this infection.

Removal:

In case you don't have HijackThis...
 * Download Trend Micro HijackThis™
Double-click the HJTInstall.exe to start it. By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut. HijackThis will open after install. Press the Scan button below.

Then in HijackThis, look if one of the following is present and check it in HijackThis (the CLSIDs {********-****-****-****-************} may be different in your case, but the filename is always the same).

Note: If you have only recently been dealing with this infection, it's better to start at the bottom of the bold entries here, since the new ones are added at the bottom of the list.

O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: System DivX4 - {2FA3B736-1AC7-454D-8E94-8BA8158BF064} - C:\WINDOWS\system32\sysvideo32.dll
O2 - BHO: Video - {15FEB658-AACC-412E-BC13-D54CFD74A8F6} - C:\WINDOWS\stream32a.dll
O2 - BHO: Video - {D0995F82-90C7-4C78-9B4C-C1700FB8B120} - C:\WINDOWS\windivx.dll
O2 - BHO: Video - {80590BC5-F4BA-4AD1-B216-C19EE86E2A77} - C:\WINDOWS\msvideo.dll
O2 - BHO: IE plugin - {6F6D1C90-7BEE-4A15-8DAB-9C37A643FD3A} - C:\WINDOWS\pmspl.dll
O2 - BHO: FireFox Viewer - {8883BBC2-E716-4C98-B12C-BB40B4A415ED} - C:\WINDOWS\corpol.dll
O2 - BHO: Web Search - {B3E45A9B-7756-46A2-AB14-90175CD374F9} - C:\WINDOWS\websrc32.dll
O2 - BHO: IE Config Tools - {E780E148-0BAC-4654-81A4-8A649F4D4A90} - C:\WINDOWS\mscfg32.dll
O2 - BHO: PDS Viewer - {E2278F85-4584-4BEE-928C-600B38C385C1} - C:\Windows\pdswin.dll
O2 - BHO: OGG Viewer - {82FE0677-75EC-49BF-83E9-A815F68F6212} - C:\WINDOWS\oggview.dll
O2 - BHO: pwn plugin - {7E24E909-FB8A-4837-9DF7-05E7587CB26C} - C:\WINDOWS\pwnbho.dll
O2 - BHO: POS plugin - {369A87BB-07DF-4AB6-B23D-B5BF81338572} - C:\WINDOWS\poswin.dll
O2 - BHO: PLAsim plugin - {7753B2C4-8E27-4CEC-87EB-2739480D8A11} - C:\WINDOWS\poswin.dll
O2 - BHO: player addon - {4EBAA7B0-740D-4CFA-9455-5C233BB354E1} - C:\WINDOWS\oggview32.dll
O2 - BHO: Rates - {834B0DD4-3A68-4F58-B265-D9FDB3D8F88B} - C:\WINDOWS\toprates.dll
O2 - BHO: Office toolbar - {472BC14C-6464-4FDF-A12A-A057CDCD9C58} - C:\WINDOWS\sysosa.dll
O2 - BHO: Video decompressor - {A69E182D-F9CA-4B90-80E9-854CBACCD73B} - C:\WINDOWS\pandsf.dll
O2 - BHO: Player - {84885FC9-44B0-4953-98F9-166E048B7052} - C:\WINDOWS\orgnavi.dll
O2 - BHO: Sysem Player - {2AE4C401-AAC4-4F41-9665-1EC88C3BDD7D} - C:\WINDOWS\sysvol32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {445A3D12-EBA3-4054-AB54-587BF3FF40EA} - C:\WINDOWS\AcroIEHelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\System32\AcroIeHelp.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIeHelpU2.dll
O2 - BHO: MS Video Control 1.0 - {853D915E-40FF-4125-996E-89DD934B2060} - C:\WINDOWS\msvidc32.dll
O2 - BHO: Windows Media Player - {7CF52009-F408-49AE-BBCB-6279CB53BB42} - C:\WINDOWS\wmpdxm.dll
O2 - BHO: Media Player Classic - {CE0487CA-8B02-431E-BA63-D38844E020B5} - C:\WINDOWS\ausctv32a.dll
O2 - BHO: Media Player Codec - {3084A75F-5350-4D8B-BC5F-6B378035C133} - C:\WINDOWS\dsaip32b.dll
O2 - BHO: Media Codec - {50B051EE-8EF3-4D58-828D-74F0D1FFE4AA} - C:\WINDOWS\kiasys.dll
O2 - BHO: FLW Viewer - {38E4618F-E3E4-42E9-925F-6B02C798BD94} - C:\WINDOWS\cndr32a.dll
O2 - BHO: Sofos - {B49949CA-3062-4FA3-A24A-E27BAFD7C940} - C:\WINDOWS\sofos16x.dll
O2 - BHO: Sofos - {73776361-F206-4A50-9687-801C6FE9BA31} - C:\WINDOWS\sofos32x.dll
O2 - BHO: WinSurf - {1F91C786-BBA0-41D2-8B3D-B88242677BAC} - C:\WINDOWS\winsurf.dll
O2 - BHO: WinSurf - {53E30863-280F-4CFA-99AB-55CAEB95271C} - C:\WINDOWS\ps16sys.dll
O2 - BHO: PCTools - {C9BB982C-503D-4C0C-BDC7-ECE2A7FADFE9} - C:\WINDOWS\pctools.dll
O2 - BHO: PCTools - {5C8494A5-7525-46B3-94C2-2F734EEBD48B} - C:\WINDOWS\netweb64c.dll
O2 - BHO: PCTools - {5C8494A5-7525-46B3-94C2-2F734EEBD48B} - C:\WINDOWS\sysapi32a.dll

Click the "Fix checked" button below. Then reboot your computer.

After reboot, navigate to and delete one of the following files if still present (matches the entry you fixed in HijackThis):

C:\WINDOWS\system32\IR9V0_QCX.dll
C:\Windows\System32\bDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideo.dll
C:\Windows\System32\Video32.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\dx50codec.dll
C:\WINDOWS\system32\a3gpcodec.dll
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\VideoMP3.dll
C:\WINDOWS\system32\PowerVideo.dll
C:\WINDOWS\system32\sysdivx.dll
C:\WINDOWS\system32\sysvideo32.dll
C:\WINDOWS\stream32a.dll
C:\WINDOWS\windivx.dll
C:\WINDOWS\msvideo.dll <== do NOT delete this file present in your C:\Windows\system32 folder as this one is legit!
C:\WINDOWS\pmspl.dll <== do NOT delete this file present in your C:\Windows\system32 folder as this one is legit!
C:\WINDOWS\corpol.dll <== do NOT delete this file present in your C:\Windows\system32 folder as this one is legit!
C:\WINDOWS\websrc32.dll
C:\WINDOWS\mscfg32.dll
C:\WINDOWS\pdswin.dll
C:\WINDOWS\oggview.dll
C:\WINDOWS\pwnbho.dll
C:\WINDOWS\poswin.dll
C:\WINDOWS\oggview32.dll
C:\WINDOWS\toprates.dll
C:\WINDOWS\sysosa.dll
C:\WINDOWS\pandsf.dll
C:\WINDOWS\orgnavi.dll
C:\WINDOWS\sysvol32.dll
C:\WINDOWS\AcroIEHelper.dll <== this file is present in the %Windir% (Windows) folder and is not the legitimate AcroIEHelper.dll present in the Acrobat *\ActiveX folder.
C:\WINDOWS\System32\AcroIeHelp.dll <== this file is present in the %Windir%\System32 folder and is not the legitimate AcroIEHelper.dll present in the Acrobat *\ActiveX folder.
C:\WINDOWS\System32\AcroIeHelpU2.dll
C:\WINDOWS\msvidc32.dll <== do NOT delete this file present in the System32 folder because that one is legitimate!
C:\WINDOWS\wmpdxm.dll <== do NOT delete this file present in the System32 folder because that one is legitimate!
C:\WINDOWS\ausctv32a.dll
C:\WINDOWS\dsaip32b.dll
C:\WINDOWS\kiasys.dll
C:\WINDOWS\cndr32a.dll
C:\WINDOWS\sofos16x.dll
C:\WINDOWS\sofos32x.dll
C:\WINDOWS\winsurf.dll
C:\WINDOWS\ps16sys.dll
C:\WINDOWS\pctools.dll
C:\WINDOWS\netweb64c.dll
C:\WINDOWS\sysapi32a.dll

Normally, by default, if you fix that entry in HijackThis and your Internet Explorer is closed while fixing in HijackThis, HijackThis will already delete that file as well. So don't worry if you can't find the file afterwards anymore - HijackThis already deleted it. But it's always a good idea to double-check. Please make sure you don't delete "similar looking" files as they may be legitimate.

Extra note: Most people find this thread via a search engine. However, there are many similar threads as well where they offer help to remove this infection. In case you have found one of these threads/sites where they offer SpyHunter in order to remove this pest, please DO NOT install it! Many of these threads/sites are really PUSHING SpyHunter, the same principle as how this infection exists (pushing a "so-called" Spyware Remover to purchase to remove this pest). As you see, the above instructions are simple instructions on how to remove this pest manually - so it won't cost you anything.

In case you're in doubt or it didn't solve your problem, please start a NEW thread in the HijackThis forum with your HijackThis log.

Edited April 29, 2008 by miekiemoes
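The post makes two points that are easy to get wrong when working through a HijackThis log by hand: the CLSID varies from victim to victim so only the file path counts, and several of the listed names (msvideo.dll, pmspl.dll, corpol.dll, msvidc32.dll, wmpdxm.dll, AcroIEHelper.dll) are malicious only in the folder given, with a legitimate file of the same name living elsewhere. The script below is an added example, not code from the post, from HijackThis or from FixIEDef. It parses "O2 - BHO" lines in the format shown above, matches the path (drive letter and case ignored) against the post's file list, and separates exact hits from same-name files in other folders so those are verified rather than deleted. The sample log lines are constructed, and the CLSID on the Adobe line is a placeholder, not Adobe's.

```python
"""Triage HijackThis "O2 - BHO" lines against the file list in the post above.

Added example (not code from the post, HijackThis, or FixIEDef). The sample
log lines below are constructed; the Adobe CLSID in them is a placeholder.
"""
import re
from typing import NamedTuple

# File names the post lists for this infection, grouped by folder. The folder
# is part of the indicator: msvideo.dll, pmspl.dll, corpol.dll, msvidc32.dll and
# wmpdxm.dll are malicious in %WINDIR% but legitimate in %WINDIR%\System32.
_SYSTEM32_NAMES = """
IR9V0_QCX.dll bDivX.dll IntelVideoDivX.dll IntelVideo.dll Video32.dll
XunLeiBHO_Now.dll dx50codec.dll a3gpcodec.dll aDivX.dll mp3avi.dll VideoMP3.dll
PowerVideo.dll sysdivx.dll sysvideo32.dll AcroIeHelp.dll AcroIeHelpU2.dll
""".split()
_WINDIR_NAMES = """
stream32a.dll windivx.dll msvideo.dll pmspl.dll corpol.dll websrc32.dll
mscfg32.dll pdswin.dll oggview.dll pwnbho.dll poswin.dll oggview32.dll
toprates.dll sysosa.dll pandsf.dll orgnavi.dll sysvol32.dll AcroIEHelper.dll
msvidc32.dll wmpdxm.dll ausctv32a.dll dsaip32b.dll kiasys.dll cndr32a.dll
sofos16x.dll sofos32x.dll winsurf.dll ps16sys.dll pctools.dll netweb64c.dll
sysapi32a.dll
""".split()

# Drive letter stripped and lower-cased, so "C:\Windows\System32\bDivX.dll"
# and "c:\WINDOWS\system32\bdivx.dll" compare equal.
MALICIOUS_PATHS = (
    {"\\windows\\system32\\" + n.lower() for n in _SYSTEM32_NAMES}
    | {"\\windows\\" + n.lower() for n in _WINDIR_NAMES}
)

# "O2 - BHO: <name> - {CLSID} - <path>". The CLSID differs per victim, so the
# verdict is based on the path alone, as the post says.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)


class Finding(NamedTuple):
    name: str
    clsid: str
    path: str
    verdict: str  # "malicious", "lookalike" or "unknown"


def normalize_path(path: str) -> str:
    """Lower-case, backslash-only, drive letter removed."""
    p = path.strip().lower().replace("/", "\\")
    return re.sub(r"^[a-z]:", "", p)


def classify_path(path: str) -> str:
    """Verdict for one file path.

    "malicious"  exact folder + file name from the post's list
    "lookalike"  a listed file name in some other folder (e.g. the legitimate
                 System32 copy, or Acrobat's own AcroIEHelper.dll): verify it,
                 do not delete on the name alone
    "unknown"    not on the list at all
    """
    p = normalize_path(path)
    if p in MALICIOUS_PATHS:
        return "malicious"
    name = p.rsplit("\\", 1)[-1]
    if any(m.rsplit("\\", 1)[-1] == name for m in MALICIOUS_PATHS):
        return "lookalike"
    return "unknown"


def triage(log_text: str) -> list:
    """Return one Finding per O2 line; other HijackThis sections are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            findings.append(Finding(m["name"], m["clsid"], m["path"],
                                    classify_path(m["path"])))
    return findings


# Constructed sample log. The Adobe line's CLSID is a placeholder, not Adobe's.
SAMPLE_LOG = r"""
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: Video - {80590BC5-F4BA-4AD1-B216-C19EE86E2A77} - C:\WINDOWS\msvideo.dll
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:10} {f.path}  ({f.name})")
```

Run against the sample, the two entries whose folder and name both match come back "malicious", while the Acrobat AcroIEHelper.dll is only a "lookalike" because the post's malicious copy sits directly in C:\WINDOWS; that is the case the post's "do NOT delete" notes warn about, and the script makes it a separate verdict instead of a filename hit.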
miekiemoes
Posted April 17, 2008

IEDefender Removal Instructions:

ShadowPuterDude has authored an automated tool for removal of IEDefender. You can find the download and instructions here.

NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry, as FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.

 * Download FixIEDef.exe by ShadowPuterDude to the Desktop.
   Note: FixIEDef now supports non-English language systems.
 * Double-click FixIEDef.exe. That will open the About FixIEDef screen. Click OK to continue.
 * Next, press the Scan! button.
 * FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue.
 * Wait for the scan to finish. It shouldn't take very long.
 * After the !!! All Finished !!! message is displayed, click Exit.

That's it! You're done, and the infection should be removed.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. See: http://www.beyondlogic.org/consulting/proc...processutil.htm

Mirrors: Alternate official download locations for FixIEDef.exe
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef

Credits go to Blair (GeekstoGo)