SafetyDefender MalWare


xlurker

SafetyDefender MalWare is still on my computer. I notice it added an
"antivirus test" entry to my favorites list and often shows a MSIE tool
bar. MS anti spy shows me detection of it as the 2 threats spyaxe and
zlob trojan downloader. Norton internet security has never shown me any
sign that Norton is detecting it. MS anti spy offered me an opportunity
to remove the viruses and reset my home page, but I ran that
opportunity to no avail. It is inconvenient that MS anti spy does not
show on the XP task lists, because one has to minimize or close all
other applications to notice what MS anti spy has accomplished and take
advantage of its offered cures.

Why must the MSIE lose contact with the cache whenever a new window or
application opens? Do AV SW vendors cooperate to share awareness of new
threats and defenses to them?


From: (e-mail address removed)
Date: Sat, Apr 22 2006 6:09 pm
Email: (e-mail address removed)
Groups: microsoft.public.security.virus, alt.comp.virus,
alt.comp.anti-virus, alt.privacy.spyware,
symantec.customerservice.general

This SafetyDefender MalWare is still on my computer. Why has
Norton/Symantec not removed it? Why has no one done sufficient harm to
safetydefender.com to make safetydefender crawl and stay back in its
hole?

My AV SW showed me an alert box when SafetyDefender attacked me,
offering me the choice of blocking a change to my browser home page. I
clicked to block, but SafetyDefender seized my home page anyway.

SafetyDefender spawns pop up ad browser windows which is a very serious
inconvenience since MSIE loses its back button function whenever a new
window or application opens. Why does MSIE have to do that?

I found the information in the thread which included message number
BEc2g.66$BO2.14@trnddc02 interesting, useful and disturbing. Thanks to
Gabriele Neukam for that reference. It looks like our AV vendors still
have too much to learn... BTW, when one AV vendor writes a solution to
a threat, do the other AV vendors usually buy a license to distribute it
or must the customers of the other vendors suffer until each one writes
a separate solution?
 

David H. Lipman

From: (e-mail address removed)

| SafetyDefender MalWare is still on my computer. I notice it added an
| "antivirus test" entry to my favorites list and often shows a MSIE tool
| bar. MS anti spy shows me detection of it as the 2 threats spyaxe and
| zlob trojan downloader. Norton internet security has never shown me any
| sign that Norton is detecting it. MS anti spy offered me an opportunity
| to remove the viruses and reset my home page, but I ran that
| opportunity to no avail. It is inconvenient that MS anti spy does not
| show on the XP task lists, because one has to minimize or close all
| other applications to notice what MS anti spy has accomplished and take
| advantage of its offered cures.

| Why must the MSIE lose contact with the cache whenever a new window or
| application opens? Do AV SW vendors cooperate to share awareness of new
| threats and defenses to them?


| From: (e-mail address removed)
| Date: Sat, Apr 22 2006 6:09 pm
| Email: (e-mail address removed)
| Groups: microsoft.public.security.virus, alt.comp.virus,
| alt.comp.anti-virus, alt.privacy.spyware,
| symantec.customerservice.general

| This SafetyDefender MalWare is still on my computer. Why has
| Norton/Symantec not removed it? Why has no one done sufficient harm to
| safetydefender.com to make safetydefender crawl and stay back in its
| hole?

| My AV SW showed me an alert box when SafetyDefender attacked me,
| offering me the choice of blocking a change to my browser home page. I
| clicked to block, but SafetyDefender seized my home page anyway.

| SafetyDefender spawns pop up ad browser windows which is a very serious
| inconvenience since MSIE loses its back button function whenever a new
| window or application opens. Why does MSIE have to do that?

| I found the information in the thread which included message number
| BEc2g.66$BO2.14@trnddc02 interesting, useful and disturbing. Thanks to
| Gabriele Neukam for that reference. It looks like our AV vendors still
| have too much to learn... BTW, when one AV vendor writes a solution to
| a threat, do the other AV vendors usually buy a license to distribute it
| or must the customers of the other vendors suffer until each one writes
| a separate solution?


I don't see that Virus Total report on the "mediacodec-v4.288.exe" file that was
requested.
 

tim

> SafetyDefender MalWare is still on my computer. I notice it added an
> "antivirus test" entry to my favorites list and often shows a MSIE tool
> bar. MS anti spy shows me detection of it as the 2 threats spyaxe and
> zlob trojan downloader. Norton internet security has never shown me any
> sign that Norton is detecting it. MS anti spy offered me an opportunity
> to remove the viruses and reset my home page, but I ran that
> opportunity to no avail. It is inconvenient that MS anti spy does not
> show on the XP task lists, because one has to minimize or close all
> other applications to notice what MS anti spy has accomplished and take
> advantage of its offered cures.
>
> Why must the MSIE lose contact with the cache whenever a new window or
> application opens? Do AV SW vendors cooperate to share awareness of new
> threats and defenses to them?

I'm thinking that the best solution for you may be a format and clean
install. Followed by a trip to your local goodwill store to make a donation
of your hardware. You seem to be having trouble following David Lipman's
instructions, as easy as they are to understand.
By and large, people in this group are willing to help. You have to be
willing to get your hands dirty and help yourself as well. This isn't a one
way street out here.
 

Gary Tayman

> SafetyDefender MalWare is still on my computer. I notice it added an
> "antivirus test" entry to my favorites list and often shows a MSIE tool

Gee, I've been away from this nonsense for a few days, as business goes on
and is very heavy. However this evening I took a break, and signed on here
to see if anyone had any progress to offer.

To summarize MY story:

I got hijacked, and IE was stuck on an about:blank address. It had a
toolbar with colored shields, inviting me to install anti-virus software. I
also had popup windows galore, and McAfee continually gave me messages that
it kept trying to delete a puper.dll trojan.

The computer dealer got me cleaned up, for the most part, but I still had an
occasional popup, the shields were still around, IE still had the toolbar,
and puper was still there, though not as often. I DL'ed Spysweeper, ran it,
and it got rid of ALL the popups. Someone here linked me to an antipuper
program, which appears to have removed the puper trojan -- a week later
there have been no more problems. The toolbar, those shield programs, I've
gotten most of them out manually. The only "clue" of something still
lurking is the yellow shield at the bottom right corner of the desktop,
inviting me to install updates.

Now -- Dave Lipman told me your problem and mine are different. Maybe,
maybe not, but they seem so close that I can't ignore it. After reading
your message again, I noticed you have an addition to your programs list.
SO -- I checked my own, and guess what? I've got it too! It says
"Antivirus Test Online", and it has a link to http://youronlinesecurity.com.

First off, I recommend anyone reading this DON'T CLICK ON IT until/unless
someone is able to investigate it, as it could well be a hijack. However I
posted it so Dave, or anyone else wanting to investigate this problem, can
learn more about it. Now: is your program line the same or different?
Just moving the cursor over the line, without clicking, should give you the
link.

For Dave or anyone else: I'm not clicking on this, or deleting it, or
touching it, until I hear from you. If you have an idea that may give you
more details, I'll do what I can. Dave, I haven't run your method again,
mainly because of the constraints of time. But I still have this, and will
run it again when I have the chance.


--
Gary E. Tayman/Tayman Electrical
Sound Solutions For Classic Cars
http://www.taymanelectrical.com

PS -- for what it's worth, for the time being you may reply to either
gate.net or to mindspring.com. However as of next week I'm migrating to
Verizon -- for reasons not associated with this malware.
 

Phil Weldon

'Gary Tayman' wrote, in part:
| I got hijacked, and IE was stuck on an about:blank address. It had a
| toolbar with colored shields, inviting me to install anti-virus software. I
| also had popup windows galore, and McAfee continually gave me messages that
| it kept trying to delete a puper.dll trojan.
| .
| .
| Now -- Dave Lipman told me your problem and mine are different. Maybe,
| maybe not, but they seem so close that I can't ignore it. After reading
| your message again, I noticed you have an addition to your programs list.
| SO -- I checked my own, and guess what? I've got it too! It says
| "Antivirus Test Online", and it has a link to
| ** edited for security {your online security}
_____

The URL you posted is hosted in Athens, Greece. It is a source of malware
(one thing that should clue you in is that the 'Search' function does
nothing, and there are no other pages to the site reached through the URL.)
All of the links to installable programs are to other websites.

Evidently you followed the diagnostic tree right to where they wanted you.
And then you installed 'Brave Sentry'. spywarewarrior.com has this to say
about 'Brave Sentry':
"aggressive advertising, desktop hijacking (1, 2); false positives work as
goad to purchase; inadequate scan reporting; same app as PestTrap,
PestWiper, SpyDemolisher, SpySheriff, SpyTrooper, SpywareNo, & Spyware-Stop
[A: 3-9-06 / U: 3-9-06]"

The entry about 'Brave Sentry' also links to screen shots of the
infestation.
The URL for the list of rogue anti-spyware is
http://spywarewarrior.com/rogue_anti-spyware.htm#products .

* Expect your replies in the newsgroup, not email. Newsgroups don't work
that way.

* It is not a good idea to post malware URLs, especially if you have no
idea what it is.

* Don't needlessly crosspost. Some of the newsgroups you posted to are not
appropriate for your question because of the nature of the newsgroup.

* Keep your replies in one thread. Just because the original poster did it
is no reason to do it yourself.

* SUCCINCT post describing your problem, the symptoms, and what you have
done yourself to solve the problem will get you a lot more help than a
rambling post or a post with too little information.

Phil Weldon

 

David H. Lipman

From: "Gary Tayman" (e-mail address removed)


|
| Gee, I've been away from this nonsense for a few days, as business goes on
| and is very heavy. However this evening I took a break, and signed on here
| to see if anyone had any progress to offer.
|
| To summarize MY story:
|
| I got hijacked, and IE was stuck on an about:blank address. It had a
| toolbar with colored shields, inviting me to install anti-virus software. I
| also had popup windows galore, and McAfee continually gave me messages that
| it kept trying to delete a puper.dll trojan.
|
| The computer dealer got me cleaned up, for the most part, but I still had an
| occasional popup, the shields were still around, IE still had the toolbar,
| and puper was still there, though not as often. I DL'ed Spysweeper, ran it,
| and it got rid of ALL the popups. Someone here linked me to an antipuper
| program, which appears to have removed the puper trojan -- a week later
| there have been no more problems. The toolbar, those shield programs, I've
| gotten most of them out manually. The only "clue" of something still
| lurking is the yellow shield at the bottom right corner of the desktop,
| inviting me to install updates.
|
| Now -- Dave Lipman told me your problem and mine are different. Maybe,
| maybe not, but they seem so close that I can't ignore it. After reading
| your message again, I noticed you have an addition to your programs list.
| SO -- I checked my own, and guess what? I've got it too! It says
| "Antivirus Test Online", and it has a link to hxxp://youronlinesecurity.com.
|
| First off, I recommend anyone reading this DON'T CLICK ON IT until/unless
| someone is able to investigate it, as it could well be a hijack. However I
| posted it so Dave, or anyone else wanting to investigate this problem, can
| learn more about it. Now: is your program line the same or different?
| Just moving the cursor over the line, without clicking, should give you the
| link.
|
| For Dave or anyone else: I'm not clicking on this, or deleting it, or
| touching it, until I hear from you. If you have an idea that may give you
| more details, I'll do what I can. Dave, I haven't run your method again,
| mainly because of the constraints of time. But I still have this, and will
| run it again when I have the chance.
|

If you are not sure about a URL -- delete it!

If you are going to post a site that is or is possibly malicious, obfuscate the URL such
as...
hxxp://youronlinesecurity.com

That site wants you to download Rogue anti malware software. As Phil indicated, always
check with Spyware Warrior for possible Rogue applications. Since the URL does point to
Rogue anti malware applications, malware, the URL can/should be deleted.

If you have downloaded any utilities, remove them and download the latest versions (make
sure you clear your Browser cache first) so the utilities are up-to-date.




Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.


Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ris's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix.zip


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
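
The two habits recommended in this thread, reading a Favorites entry's target without clicking it and quoting it only in hxxp form, shown as an added Python example that is not part of any post above. The function names and the sample file contents are constructed for illustration, and bracketing the dots in the host goes one step beyond the hxxp form the thread shows.

```python
import configparser
import re
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample: the text of two Favorites (.url) files. The first title and
# host are the ones quoted in the thread; the second entry is made up.
SAMPLE_FAVORITES = {
    "Antivirus Test Online.url": "[InternetShortcut]\nURL=http://youronlinesecurity.com\n",
    "Group FAQ.url": "[InternetShortcut]\nURL=https://example.org/faq?id=1\nIconIndex=0\n",
}

_URL_RE = re.compile(r"\b(https?)://([^\s/<>\"']+)", re.IGNORECASE)

def defang(text):
    """Make every http(s) URL in text non-clickable: hxxp scheme (the thread's
    convention) plus bracketed dots in the host (an extra step added here)."""
    def _sub(match):
        host = match.group(2)
        core = host.rstrip(".,;:)!?")  # keep sentence punctuation outside the host
        scheme = "hxxps" if match.group(1).lower() == "https" else "hxxp"
        return scheme + "://" + core.replace(".", "[.]") + host[len(core):]
    return _URL_RE.sub(_sub, text)

def shortcut_target(url_file_text):
    """Return the URL= value of an Internet Shortcut file, or None if absent/unparseable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(url_file_text)
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)

def load_favorites(folder):
    """Read every *.url file under folder as text; nothing is opened in a browser."""
    return {p.name: p.read_text(errors="replace") for p in Path(folder).rglob("*.url")}

def report(favorites, known_hosts=()):
    """List (file name, defanged target) for shortcuts whose host is not in known_hosts."""
    rows = []
    for name, text in sorted(favorites.items()):
        target = shortcut_target(text)
        if target is None:
            continue
        if (urlsplit(target).hostname or "") in known_hosts:
            continue
        rows.append((name, defang(target)))
    return rows

if __name__ == "__main__":
    for name, target in report(SAMPLE_FAVORITES, known_hosts={"example.org"}):
        print(f"{name}: {target}")
```

On a real machine, pass the output of `load_favorites()` for the user's Favorites folder to `report()` and paste the resulting lines into a post instead of the live link.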
 
