Tuesday, December 23, 2008

IEDef family

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
dh, f, eg, of, oz, az, r, a

Possible filenames:
dhegozr.dll, dhegoza.dll, dhegazr.dll, dhegaza.dll, dhofozr.dll, dhofoza.dll, dhofazr.dll, dhofaza.dll, fegozr.dll, fegoza.dll, fegazr.dll, fegaza.dll, fofozr.dll, fofoza.dll, fofazr.dll, fofaza.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.
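
The filename list above follows from the dictionary by taking one token from each consecutive pair, in order. As an added example (not SmitfraudFix code and not part of the original post), this Python code rebuilds the candidate names and matches them against a file listing; it also handles the 16 September 2008 dictionary, which groups its tokens in threes. The function names and the sample listing are constructed for illustration.

```python
from itertools import product
from pathlib import PureWindowsPath

# Dictionaries exactly as listed in the 23 December and 16 September 2008 posts.
DEC_23 = ["dh", "f", "eg", "of", "oz", "az", "r", "a"]
SEP_16 = ["ajk", "gj", "pik", "tbl", "avn", "i"]


def slots(tokens, width=2):
    """Split the flat dictionary into consecutive slots of `width` alternatives."""
    if width < 1 or len(tokens) % width:
        raise ValueError("dictionary does not divide into slots of that width")
    return [tokens[i:i + width] for i in range(0, len(tokens), width)]


def candidate_names(tokens, width=2, ext=".dll"):
    """One token from each slot, concatenated in slot order, plus the extension."""
    return ["".join(parts) + ext for parts in product(*slots(tokens, width))]


def find_matches(paths, names):
    """Return the paths whose file name is a candidate.

    Windows file names are case-insensitive, so both sides are lower-cased.
    Only the final path component is compared, so 'x.dll.bak' does not match.
    """
    wanted = {n.lower() for n in names}
    return [p for p in paths if PureWindowsPath(p).name.lower() in wanted]


# Constructed listing for the demonstration; not taken from an infected machine.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\DHOFAZA.DLL",
    r"C:\WINDOWS\system32\fegozr.dll.bak",
    r"C:\Documents and Settings\user\fofazr.dll",
]

if __name__ == "__main__":
    names = candidate_names(DEC_23)
    print(len(names), "candidates:", ", ".join(names))
    for hit in find_matches(SAMPLE_LISTING, names):
        print("review:", hit)
    print("16 September:", ", ".join(candidate_names(SEP_16, width=3)))
```

A match is a lead to confirm before removal: the shorter dictionaries on this page produce three-letter names such as rgf.dll.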

Sunday, December 21, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\ijofmsu.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2ecca339-c274-40e3-a582-ef4c0e917639}"="bussebuschke"

It also installs Toolbar, BHO, Antivirus Trigger software...

SmitfraudFix removes the infection.
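
Each Zlob update on this page uses a new CLSID and a new value string, so a list of known CLSIDs ages quickly. As an added example (not SmitfraudFix code and not part of the original post), this Python code parses regedit export text and sorts the SharedTaskScheduler values into those reported here, those present in a baseline taken from a known-clean machine, and the rest for review. The baseline CLSID, the unknown entry and the function names are constructed for illustration.

```python
import re

KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
       r"\Explorer\SharedTaskScheduler")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Two of the CLSIDs this page reports for Zlob (21 and 10 December 2008 posts).
REPORTED = {
    "{2ecca339-c274-40e3-a582-ef4c0e917639}",
    "{50e9d039-fb50-4020-a841-1d226ae52b22}",
}

# Constructed placeholder; a real baseline is exported from a known-clean machine.
BASELINE = {"{00000000-0000-0000-0000-000000000001}"}


def normalise_key(name):
    """Expand the HKLM abbreviation used on this page and lower-case the path."""
    name = name.strip()
    if name.upper().startswith("HKLM\\"):
        name = "HKEY_LOCAL_MACHINE" + name[4:]
    return name.lower()


def scheduler_values(reg_text):
    """Return {clsid: data} for string values under the SharedTaskScheduler key.

    `reg_text` is already-decoded text (regedit 5.00 exports are UTF-16 on disk).
    """
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = normalise_key(line[1:-1]) == KEY.lower()
            continue
        match = VALUE_RE.match(line)
        if in_key and match:
            values[match.group(1).lower()] = match.group(2)
    return values


def classify(values, baseline=BASELINE):
    """Label each value 'reported', 'baseline' or 'review'."""
    known_good = {c.lower() for c in baseline}
    report = {}
    for clsid, data in values.items():
        if clsid in REPORTED:
            verdict = "reported"
        elif clsid in known_good:
            verdict = "baseline"
        else:
            verdict = "review"
        report[clsid] = (verdict, data)
    return report


# Constructed export text; only the second value is taken from this page.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{00000000-0000-0000-0000-000000000001}"="constructed baseline entry"
"{2ECCA339-C274-40E3-A582-EF4C0E917639}"="bussebuschke"
"{00000000-0000-0000-0000-0000000000ff}"="constructed unknown entry"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{50e9d039-fb50-4020-a841-1d226ae52b22}"="outside the key, ignored"
'''

if __name__ == "__main__":
    for clsid, (verdict, data) in classify(scheduler_values(SAMPLE_EXPORT)).items():
        print(f"{verdict:9} {clsid} = {data}")
```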

Thursday, December 18, 2008

IEDef family

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
fk, ul, im, in, jz, uv, g, e

Possible filenames:
fkimjzg.dll, fkimjze.dll, fkimuvg.dll, fkimuve.dll, fkinjzg.dll, fkinjze.dll, fkinuvg.dll, fkinuve.dll, ulimjzg.dll, ulimjze.dll, ulimuvg.dll, ulimuve.dll, ulinjzg.dll, ulinjze.dll, ulinuvg.dll, ulinuve.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Friday, December 12, 2008

Antivirus 360

Antivirus360 is fake security software (a rogue) from the same family as Antivirus Sentry, PC Protection Center 2008, Antivirus 2010, eAntivirusPro, AntiMalware 2009, Micro Antivirus 2009, Vista Antivirus 2008, Antispyware 2008 XP, System Antivirus 2008, Internet Antivirus, Smart Antivirus 2009, MS Antivirus, Advanced Antivirus, Power Antivirus, XPert Antivirus.



SmitfraudFix removes the infection.

Thursday, December 11, 2008

IEDef family

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
k, l, m, n, z, u, g, e

Possible filenames are:
kmzg.dll, kmze.dll, kmug.dll, kmue.dll, knzg.dll, knze.dll, knug.dll, knue.dll, lmzg.dll, lmze.dll, lmug.dll, lmue.dll, lnzg.dll, lnze.dll, lnug.dll, lnue.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Wednesday, December 10, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\pgfshvp.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{50e9d039-fb50-4020-a841-1d226ae52b22}"="defroster"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Monday, December 8, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\elmnplw.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{341bd909-3367-4307-b37d-fb1cc56387ad}"="cacara"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
rt, tah, cip, enaz, ot, er

Possible filenames are:
rtcipot.dll, rtciper.dll, rtenazot.dll, rtenazer.dll, tahcipot.dll, tahciper.dll, tahenazot.dll, tahenazer.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Saturday, December 6, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
g, h, c, z, o, e

Possible filenames are:
gco.dll, gce.dll, gzo.dll, gze.dll, hco.dll, hce.dll, hzo.dll, hze.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Wednesday, December 3, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\gtckad.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{61d70260-527c-44e8-bb23-2243e93808d3}"="achromatic"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
dj, ugs, ifv, ak, ot, er

Possible filenames are:
djifvot.dll, djifver.dll, djakot.dll, djaker.dll, ugsifvot.dll, ugsifver.dll, ugsakot.dll, ugsaker.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Tuesday, December 2, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\pbhha.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{51e7273d-911a-445a-bf46-bd4b86b0e87b}"="fddi"

It also installs Toolbar, BHO, AntivirusTrigger software...

SmitfraudFix removes the infection.

Sunday, November 30, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\cwegus.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4d5b7736-a3bc-4e5b-9fa2-1bcc3e587abb}"="evacuative"

It also installs Toolbar, BHO, AntivirusTrigger software...

SmitfraudFix removes the infection.

Saturday, November 29, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
a, ax, v, vi, t, tu

Possible filenames are:
avt.dll, avtu.dll, avit.dll, avitu.dll, axvt.dll, axvtu.dll, axvit.dll, axvitu.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Friday, November 28, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\ftfea.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{22ef8ba1-a18c-4ad3-ad84-01b95b581c5c}"="fractabling"

It also installs Toolbar, BHO, AntivirusTrigger software...

SmitfraudFix removes the infection.

Thursday, November 27, 2008

Hosts file corrupted

A fake codec (stream_video_player.exe) is redirecting Google's pages by corrupting the hosts file.



The file is a batch script compiled with Quick Batch File Compiler:
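
To check a machine for the hosts-file redirection described in this post, the following added example (not the malware's batch code and not part of the original post) parses hosts-file text and lists every entry that pins a watched domain to an address. The watched suffixes, the function names and the sample file with its 203.0.113.10 address are constructed for illustration.

```python
import ipaddress

# Constructed hosts file; 203.0.113.10 is a documentation-range address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # constructed entry
203.0.113.10\tWWW.Google.fr
203.0.113.10    notgoogle.com
not-an-ip       example.test
"""

# Assumption: the domains a responder cares about; extend as needed.
WATCHED = ("google.com", "google.fr")


def parse_hosts(text):
    """Return (line_number, address, hostname) for every valid mapping.

    Handles comments, tabs, several hostnames on one line and malformed lines.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for host in fields[1:]:
            entries.append((lineno, str(addr), host.lower().rstrip(".")))
    return entries


def redirected(entries, watched=WATCHED):
    """Entries whose hostname is a watched domain or one of its subdomains.

    Any hosts-file entry for such a domain overrides DNS, so every hit is
    reported, whatever address it points to.
    """
    hits = []
    for lineno, addr, host in entries:
        if any(host == s or host.endswith("." + s) for s in watched):
            hits.append((lineno, addr, host))
    return hits


if __name__ == "__main__":
    for lineno, addr, host in redirected(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {host} -> {addr}")
```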

Monday, November 24, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\eebpj.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{854b8525-c907-4258-bc2e-7b118037419c}"="disaffiliation"

It also installs Toolbar, BHO, VirusTrigger software...

SmitfraudFix removes the infection.

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
da, sd, zs, she, ax, ol

Possible filenames are:
dazsax.dll, dazsol.dll, dasheax.dll, dasheol.dll, sdzsax.dll, sdzsol.dll, sdsheax.dll, sdsheol.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Once installed, it connects to a server and downloads a configuration file that contains various error messages to display and the URLs of malware to download and install.

Use SmitfraudFix to remove the infection.

Thursday, November 20, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\tiltmeo.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e0feeb92-908e-46d2-8a66-88c5295f2629}"="crimsonness"

It also installs Toolbar, BHO, VirusTrigger software...

SmitfraudFix removes the infection.

Sunday, November 16, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\gowqug.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1f3dd9bf-1472-4a8b-b295-b596a597149b}"="behaves"

It also installs Toolbar, BHO, VirusTrigger software...

SmitfraudFix removes the infection.

Thursday, November 13, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\wakjs.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{257f6f44-2c64-46bb-acb4-55f9b9e0ae08}"="flaxen"

It also installs Toolbar, BHO, VirusTrigger software...

SmitfraudFix removes the infection.

Wednesday, November 12, 2008

VirusTrigger

A new rogue, VirusTrigger, has been released. This rogue is a new version of Virus Response Lab 2009. It is automatically installed by a Zlob trojan.



Use SmitfraudFix to remove the infection.

Tuesday, November 11, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
ps, dz, g, h, uax, oil

Possible filenames are:
psguax.dll, psgoil.dll, pshuax.dll, pshoil.dll, dzguax.dll, dzgoil.dll, dzhuax.dll, dzhoil.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Once installed, it connects to a server and downloads a configuration file that contains various error messages to display and the URLs of malware to download and install.

Use SmitfraudFix to remove the infection.

Saturday, November 8, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
qip, vxf, auz, ecg, ax, kco

Possible filenames are:
qipauzax.dll, qipauzkco.dll, qipecgax.dll, qipecgkco.dll, vxfauzax.dll, vxfauzkco.dll, vxfecgax.dll, vxfecgkco.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Once installed, it connects to a server and downloads a configuration file that contains various error messages to display and the URLs of malware to download and install.

Use SmitfraudFix to remove the infection.

Friday, November 7, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\ebmkdz.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6b9a461b-893f-45ee-8c59-06d3a2223b24}"="cypselomorphae"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Thursday, November 6, 2008

SpywareGuard 2008

The fake AntiSpyware tool SpywareGuard 2008 detects infections on a clean system.



Use SmitfraudFix to remove the infection.
Thanks to MAD

VideoAccessCodec (VAC)

VideoAccessCodec has been updated. It installs the following files:

%WINDOWS%\xdsfqroe???.dll (where ? is a random character)
%WINDOWS%\mstoanrd.dll
%WINDOWS%\mqxvbdwk.dll
%WINDOWS%\fweqsvxo.dll
%WINDOWS%\nefstqdr.exe
%WINDOWS%\e???.exe (where ? is a random character)

Use SmitfraudFix to remove the infection.

Tuesday, November 4, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\qfrmwmq.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{d54f12f7-4d76-4c39-a096-e51ef5d33f2b}"="displume"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
hh, jo, ahg, fc, xda, sd

Possible filenames are:
hhahgxda.dll, hhahgsd.dll, hhfcxda.dll, hhfcsd.dll, joahgxda.dll, joahgsd.dll, jofcxda.dll, jofcsd.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Once installed, it connects to a server and downloads a configuration file that contains various error messages to display and the URLs of malware to download and install.

Use SmitfraudFix to remove the infection.

Monday, November 3, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
dip, lo, yn, if, xx2, sa

Possible filenames are:
dipynxx2.dll, dipynsa.dll, dipifxx2.dll, dipifsa.dll, loynxx2.dll, loynsa.dll, loifxx2.dll, loifsa.dll

It displays alert messages with popups that download WinDefender 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url, SMS Trap.url and VIP Casino.url.

Once installed, it connects to a server and downloads a configuration file that contains various error messages to display and the URLs of malware to download and install.

Use SmitfraudFix to remove the infection.

Friday, October 31, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\duzakwq.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7ca07c92-0ab2-4346-b119-a076695d46ed}"="hemielytron"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Personal Defender 2009

The fake AntiSpyware tool Personal Defender 2009 detects infections on a clean system.



SmitfraudFix removes the malware.

Thursday, October 30, 2008

WinDefender 2009

New rogue released: WinDefender 2009. It uses the same GUI as Total Secure 2009.



SmitfraudFix removes the infection.
Thanks to Bharath

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\vimhx.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{d04bbe06-7ce7-405e-8730-cd56d9531cbb}"="bismuthiferous"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Wednesday, October 29, 2008

Autorun Plasma

Yesterday, I received 2 new PCs from my supplier: 2 computers with Windows and the latest updates. Nothing more, nothing less. Before delivering them to my customer, I checked that everything was okay.

One of them was infected by VBS.Solow.b, an infection that spreads from USB keys and modifies the IE title.
A brand new PC, already infected!



I decided to code a quick and dirty program, AutorunPlasma, to place in the root of USB keys with its autorun.inf file. If the message is displayed when the key is inserted, it is virus free...

Tuesday, October 28, 2008

Antivirus Sentry

Antivirus Sentry is fake security software (a rogue) from the same family as PC Protection Center 2008, Antivirus 2010, eAntivirusPro, AntiMalware 2009, Micro Antivirus 2009, Vista Antivirus 2008, Antispyware 2008 XP, System Antivirus 2008, Internet Antivirus, Smart Antivirus 2009, MS Antivirus, Advanced Antivirus, Power Antivirus, XPert Antivirus.



SmitfraudFix removes the infection.
Thanks to MAD

Monday, October 27, 2008

VideoAccessCodec (VAC)

VideoAccessCodec has been updated. It installs the following files:

%WINDOWS%\rsdgbtkq???.dll (where ? is a random character)
%WINDOWS%\wvfsrqab.dll
%WINDOWS%\wfexqnrp.dll
%WINDOWS%\wvbegpqs.dll
%WINDOWS%\emnvoqgx.exe
%WINDOWS%\e???.exe (where ? is a random character)

Use SmitfraudFix to remove the infection.

Sunday, October 26, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\gcqltg.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ba934431-76af-4c99-93c2-c3d21944a72e}"="gey"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Friday, October 24, 2008

Internet Antivirus Pro

InternetAntivirusPro is a new rogue (fake security software). It belongs to the same family as Anti-Virus Number-1, Antivirus Sentry, Antivirus 2010, Micro Antivirus 2009, MS Antivirus, Smart Antivirus 2009, System Antivirus 2008, Antivirus 2009, Internet-antivirus.



This rogue detects infections on a clean system. It displays alerts and messages to sell a license to remove those fake infections.

Thursday, October 23, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\bcxjqr.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e3623691-f85d-48d8-8e4d-abe79077f841}"="awash"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Wednesday, October 22, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

A new IEDef dropper has been released. It uses the same dictionary and the same alert messages as before.

Something new: it replaces the original %SYSTEM%\userinit.exe with an infected file. Do not delete it, or the system will not reboot! A similar filename is used by Windows.

Each time Windows runs userinit.exe, the infected one is called and executes a backup of the original Microsoft file. If the infection is deleted/removed, the chain is broken and Windows will not boot.

This infection has been seen with another fake codec. It is new for IEDef.

You can use SmitfraudFix to remove the infection and restore the original Microsoft file.

Tuesday, October 21, 2008

VideoAccessCodec (VAC) + Total Secure 2009 (IEDef)

VideoAccessCodec has been updated. It installs the following files:

%WINDOWS%\aetlsrkn???.dll (where ? is a random character)
%WINDOWS%\bkqxdons.dll
%WINDOWS%\qnflkotm.dll
%WINDOWS%\vwnskbot.dll
%WINDOWS%\woprdagt.exe
%WINDOWS%\e???.exe (where ? is a random character)



This infection installs Total Secure 2009 Rogue, which drops an IEDef infection:
%WINDOWS%\sysbase32.dll



Sunday, October 19, 2008

Spy Protector

The fake AntiSpyware tool Spy Protector detects infections on a clean system.



SmitfraudFix removes the malware.

Thanks snemelk.

Saturday, October 18, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\teoga.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2f199d0e-f3e7-41a7-a060-816c24cceea0}"="emaa"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

PC Protection Center 2008

PC Protection Center 2008 is fake security software (a rogue) from the same family as Antivirus 2010, eAntivirusPro, AntiMalware 2009, Micro Antivirus 2009, Vista Antivirus 2008, Antispyware 2008 XP, System Antivirus 2008, Internet Antivirus, Smart Antivirus 2009, MS Antivirus, Advanced Antivirus, Power Antivirus, XPert Antivirus.



SmitfraudFix removes the infection.

Friday, October 17, 2008

XLG Security Center

The fake AntiSpyware tool XLG Security Center detects infections on a clean system.



SmitfraudFix removes the malware.

Thanks to Malekal_morte.

Thursday, October 16, 2008

Virus Remover 2008

Virus Remover 2008 is fake security software (a rogue) installed with VAC infections.



Use SmitfraudFix to remove the infection.

Wednesday, October 15, 2008

Malwarebytes' Anti-Malware (MBAM)

I have joined Malwarebytes' team as a Malware Researcher.
Malwarebytes' Anti-Malware is a new easy-to-use, simple, powerful cleaning application against malware.

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
ifs, go, n, p, du, fa

Possible filenames are:
ifsndu.dll, ifsnfa.dll, ifspdu.dll, ifspfa.dll, gondu.dll, gonfa.dll, gopdu.dll, gopfa.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Tuesday, October 14, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
mi, mo, pin, pon, u, a

Possible filenames are:
mipinu.dll, mipina.dll, miponu.dll, mipona.dll, mopinu.dll, mopina.dll, moponu.dll, mopona.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Monday, October 13, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\eivrbsi.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{da75fab1-136e-4ead-834d-0e04fbd6edc1}"="euphuize"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Friday, October 10, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\obicx.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{fb357e54-83f1-4a3c-80a2-319201ed6c17}"="bisque"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Wednesday, October 8, 2008

SearchAndDestroy

Search And Destroy rogue can (should?) do better and be more aggressive to sell.

Antivirus 2010

eAntivirusPro is fake security software (a rogue) from the same family as eAntivirusPro, AntiMalware 2009, Micro Antivirus 2009, Vista Antivirus 2008, Antispyware 2008 XP, System Antivirus 2008, Internet Antivirus, Smart Antivirus 2009, MS Antivirus, Advanced Antivirus, Power Antivirus, XPert Antivirus.



A component of the rogue displays an image of a BSOD followed by a Windows XP reboot animation.





SmitfraudFix removes the infection.

Tuesday, October 7, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
msys, lsyst, amd, ipl, 32, 64

Possible filenames are:
msysamd32.dll, msysamd64.dll, msysipl32.dll, msysipl64.dll, lsystamd32.dll, lsystamd64.dll, lsystipl32.dll, lsystipl64.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Search Online.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Sunday, October 5, 2008

Zlob

Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\oanlvs.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0ba3e00d-b660-46e6-a2db-2672ee82dc98}"="impetuousities"

It also installs Toolbar, BHO, Virus Response Lab 2009 software...

SmitfraudFix removes the infection.

Friday, October 3, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
r, f, g, h, f, l

Possible filenames are:
rgf.dll, rgl.dll, rhf.dll, rhl.dll, fgf.dll, fgl.dll, fhf.dll, fhl.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Free Porn.url, Free MP3 Search.url, Search Online.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Wednesday, October 1, 2008

VideoAccessCodec (VAC), Desktop Hijack

The new version of the Video Access Codec infection installs a new wallpaper on the desktop.

VideoAccessCodec (VAC)

VideoAccessCodec has been updated. It installs the following files:

%WINDOWS%\nkefbltd???.dll (where ? is a random character)
%WINDOWS%\dkwqgnbe.dll
%WINDOWS%\neksolda.dll
%WINDOWS%\xgpsarbm.dll
%WINDOWS%\fkebanrw.exe
%WINDOWS%\e???.exe (where ? is a random character)

Use SmitfraudFix to remove the infection.

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
sd, gj, et, op, cs, li

Possible filenames are:
sdetcs.dll, sdetli.dll, sdopcs.dll, sdopli.dll, gjetcs.dll, gjetli.dll, gjopcs.dll, gjopli.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Free Porn.url, Free MP3 Search.url, Search Online.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Monday, September 29, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
gp, hj, at, ax, bs, vok

Possible filenames are:
gpatbs.dll, gpatvok.dll, gpaxbs.dll, gpaxvok.dll, hjatbs.dll, hjatvok.dll, hjaxbs.dll, hjaxvok.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Free Porn.url, Free MP3 Search.url, Search Online.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Wednesday, September 24, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
v, x, add, app, es, it

Possible filenames are:
vaddes.dll, vaddit.dll, vappes.dll, vappit.dll, xaddes.dll, xaddit.dll, xappes.dll, xappit.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops a new Internet Shortcut, Free Porn.url, on the desktop, in Favorites and in the Start Menu, along with Free MP3 Search.url and VIP Casino.url.

Use SmitfraudFix to remove the infection.

Tuesday, September 23, 2008

VideoAccessCodec (VAC)

VideoAccessCodec has been updated. It installs the following files:

%WINDOWS%\dfmlxbpk???.dll (where ? is a random character)
%WINDOWS%\peltodgx.dll
%WINDOWS%\rwlfsdmk.dll
%WINDOWS%\onfwbsak.dll
%WINDOWS%\fbxrqtwn.exe
%WINDOWS%\e???.exe (where ? is a random character)

Use SmitfraudFix to remove the infection.

Monday, September 22, 2008

eAntivirusPro

eAntivirusPro is fake security software (a rogue) from the AntiMalware 2009, Micro Antivirus 2009, Vista Antivirus 2008, Antispyware 2008 XP, System Antivirus 2008, Internet Antivirus, Smart Antivirus 2009, MS Antivirus, Advanced Antivirus, Power Antivirus, XPert Antivirus family... It detects infections on a clean system.

AntiMalware 2009

AntiMalware 2009 is fake security software (a rogue) from the Micro Antivirus 2009, Vista Antivirus 2008, Antispyware 2008 XP, System Antivirus 2008, Internet Antivirus, Smart Antivirus 2009, MS Antivirus, Advanced Antivirus, Power Antivirus, XPert Antivirus family... It detects infections on a clean system.

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
p, f, h, g, a, i

Possible filenames are:
pha.dll, phi.dll, pga.dll, pgi.dll, fha.dll, fhi.dll, fga.dll, fgi.dll

It displays alert messages with popups that download Total Secure 2009:


It also drops a new Internet Shortcut on the desktop, Free MP3 Search.url, along with VIP Casino.url.

Use SmitfraudFix to remove the infection.

Saturday, September 20, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
ha, p, re, gy, 32, ss

Possible filenames are:
hare32.dll, haress.dll, hagy32.dll, hagyss.dll, pre32.dll, press.dll, pgy32.dll, pgyss.dll

It displays alert messages with popups that download Total Secure 2009:


At this time, this version no longer includes the extra dropper (users64.dat), but things could change quickly.

Use SmitfraudFix to remove the infection.

Tuesday, September 16, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
ajk, gj, pik, tbl, avn, i

Possible filenames are:
ajktbl.dll, ajkavn.dll, ajki.dll, gjtbl.dll, gjavn.dll, gji.dll, piktbl.dll, pikavn.dll, piki.dll

It displays alert messages with popups that download Total Secure 2009:


This infection runs a file from its resources that modifies the Avira Antivirus .ini file. This prevents the antivirus from scanning some infected files on the system. Easy, and powerful.

This new malware drops users64.dat in the %SYSTEM% folder. This library is executed by infected (patched) binaries in the HKLM..Run or HKCU..Run keys.

Use SmitfraudFix to remove the infection.

Monday, September 15, 2008

Virus Response Lab 2009

A new rogue, Virus Response Lab 2009, has been released. This rogue is a new version of Antivirus Lab 2009. It is automatically installed by a Zlob trojan.



Use SmitfraudFix to remove the infection.