SafetyDefender MalWare

[xlurker]

This SafetyDefender MalWare is still on my computer. Why has
Norton/Symantec not removed it? Why has no one done sufficient harm to
safetydefender.com to make safetydefender crawl and stay back in its
hole?

My AV SW showed me an alert box when SafetyDefender attacked me,
offering me the choice of blocking a change to my browser home page. I
clicked to block, but SafetyDefender seized my home page anyway.

SafetyDefender spawns pop up ad browser windows which is a very serious
inconvenience since MSIE loses its back button function whenever a new
window or application opens. Why does MSIE have to do that?

I found the information in the thread which included message number
BEc2g.66$BO2.14@trnddc02 interesting, useful and disturbing. Thanks to
Gabriele Neukam for that reference. It looks like our AV vendors still
have too much to learn.

The cleansing procedure suggested by David H. Lipman is too complicated
and risky for all the unskilled users who would need to use such a
procedure. When such complicated programming sets are necessary, they
need to be automated, preferably into the AV SW distributed by AV
vendor. BTW, when one AV vendor writes a solution to a threat, do the
other AV vendors usually buy a license to distribute it or must the
customers of the other vendors suffer until each one writes a separate
solution?



From: (e-mail address removed)
Date: Sat, Apr 22 2006 12:43 am
Email: (e-mail address removed)
Groups: microsoft.public.security.virus, alt.comp.virus,
alt.comp.anti-virus, alt.privacy.spyware,
symantec.customerservice.general

SafetyDefender malWare has infected my Win NT computer. SafetyDefender
malWare makes itself my MSIE home page and prevents me from changing
that. It repeatedly shows me red- and yellow-color alert boxes which
advise me to cleanse an infection in my computer. I do not yet know of

any other harm it wreaks.

SafetyDefender malWare apparently reached me in the file
mediacodec-v4.288.exe. That file had been offered to me from a page
which distributed video clips as a means to augment and update the
available codecs for my media player(s). I had run a Norton/Symantec
'internet security 2005' virus scan on that mediacodec-v4.288.exe file
before I ran it; the scan results were clean.


We need Symantec/Norton and MS AntiSpy to block this virus. I need
Symantec/Norton and/or MS AntiSpy to get this virus off my computer.

 

[David H. Lipman]

From: <[email protected]>

| This SafetyDefender MalWare is still on my computer. Why has
| Norton/Symantec not removed it? Why has no one done sufficient harm to
| safetydefender.com to make safetydefender crawl and stay back in its
| hole?
|
| My AV SW showed me an alert box when SafetyDefender attacked me,
| offering me the choice of blocking a change to my browser home page. I
| clicked to block, but SafetyDefender seized my home page anyway.
|
| SafetyDefender spawns pop up ad browser windows which is a very serious
| inconvenience since MSIE loses its back button function whenever a new
| window or application opens. Why does MSIE have to do that?
|
| I found the information in the thread which included message number
| BEc2g.66$BO2.14@trnddc02 interesting, useful and disturbing. Thanks to
| Gabriele Neukam for that reference. It looks like our AV vendors still
| have too much to learn.
|
| The cleansing procedure suggested by David H. Lipman is too complicated
| and risky for all the unskilled users who would need to use such a
| procedure. When such complicated programming sets are necessary, they
| need to be automated, preferably into the AV SW distributed by AV
| vendor. BTW, when one AV vendor writes a solution to a threat, do the
| other AV vendors usually buy a license to distribute it or must the
| customers of the other vendors suffer until each one writes a separate
| solution?
|
| From: (e-mail address removed)
| Date: Sat, Apr 22 2006 12:43 am
| Email: (e-mail address removed)
| Groups: microsoft.public.security.virus, alt.comp.virus,
| alt.comp.anti-virus, alt.privacy.spyware,
| symantec.customerservice.general
|
| SafetyDefender malWare has infected my Win NT computer. SafetyDefender
| malWare makes itself my MSIE home page and prevents me from changing
| that. It repeatedly shows me red- and yellow-color alert boxes which
| advise me to cleanse an infection in my computer. I do not yet know of
|
| any other harm it wreaks.
|
| SafetyDefender malWare apparently reached me in the file
| mediacodec-v4.288.exe. That file had been offered to me from a page
| which distributed video clips as a means to augment and update the
| available codecs for my media player(s). I had run a Norton/Symantec
| 'internet security 2005' virus scan on that mediacodec-v4.288.exe file
| before I ran it; the scan results were clean.
|
| We need Symantec/Norton and MS AntiSpy to block this virus. I need
| Symantec/Norton and/or MS AntiSpy to get this virus off my computer.

Prevention is better than cure. This is NOT the first time you have been infected. If you
can't use your PC in a way that you won't get infected and you can't handle the cure, then
maybe you need to give up on computers. You also had a hard time dealing with that
infection.

Like I said before, mediacodec-v4.288.exe is most likely a ZLob Trojan variant. There is a
web site that is creating new variants of the ZLob on a regular and perioic basis.

Read the thread;
Newsgroups: alt.comp.anti-virus
Subject: Different packing = different scan results (remember Zlob posts?)

Please learn about Safe Hex.
http://www.claymania.com/safe-hex.html

If this is too complicated too..


Please submit a sample of "mediacodec-v4.288.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

 

[Phil Weldon]

'xlurker' wrote, in part:
| This SafetyDefender MalWare is still on my computer. Why has
| Norton/Symantec not removed it? Why has no one done sufficient harm to
| safetydefender.com to make safetydefender crawl and stay back in its
| hole?
_____

I think the methods suggested by David Lipman (and others who post regularly
on the microsoft.public.security.virus newsgroup) provide or suggest for
removing malware are a LOT of hard work, and require a LOT of time.

I would do almost anything to avoid doing that much work.

That is one reason I am VERY careful in protecting my computer systems from
infections and other attacks.

You might have trouble understanding the steps, but even if you know EXACTLY
what is involved, removing malware once it has lodged on your system, is a
lot of tedious work. AND you may have still lost data and have your credit
identity stolen by the time you restore your system.

So, if removing malware is too much work for you (it is too much work,
unless paid, for anyone)
So, if you
#1. you connect to the Internet
#2. connect to other computers
#3. share computers
#4. have a floppy and/or a CD/DVD drive, or removable Flash memory
#5. don't keep your system locked in a safe

you need to prevent infection, AND prepare to BE infected.

If it is too much work for you, then get professional help, and be prepared
to pay for it.

Phil Weldon

| This SafetyDefender MalWare is still on my computer. Why has
| Norton/Symantec not removed it? Why has no one done sufficient harm to
| safetydefender.com to make safetydefender crawl and stay back in its
| hole?
|
| My AV SW showed me an alert box when SafetyDefender attacked me,
| offering me the choice of blocking a change to my browser home page. I
| clicked to block, but SafetyDefender seized my home page anyway.
|
| SafetyDefender spawns pop up ad browser windows which is a very serious
| inconvenience since MSIE loses its back button function whenever a new
| window or application opens. Why does MSIE have to do that?
|
| I found the information in the thread which included message number
| BEc2g.66$BO2.14@trnddc02 interesting, useful and disturbing. Thanks to
| Gabriele Neukam for that reference. It looks like our AV vendors still
| have too much to learn.
|
| The cleansing procedure suggested by David H. Lipman is too complicated
| and risky for all the unskilled users who would need to use such a
| procedure. When such complicated programming sets are necessary, they
| need to be automated, preferably into the AV SW distributed by AV
| vendor. BTW, when one AV vendor writes a solution to a threat, do the
| other AV vendors usually buy a license to distribute it or must the
| customers of the other vendors suffer until each one writes a separate
| solution?
|
|
|
| From: (e-mail address removed)
| Date: Sat, Apr 22 2006 12:43 am
| Email: (e-mail address removed)
| Groups: microsoft.public.security.virus, alt.comp.virus,
| alt.comp.anti-virus, alt.privacy.spyware,
| symantec.customerservice.general
|
| SafetyDefender malWare has infected my Win NT computer. SafetyDefender
| malWare makes itself my MSIE home page and prevents me from changing
| that. It repeatedly shows me red- and yellow-color alert boxes which
| advise me to cleanse an infection in my computer. I do not yet know of
|
| any other harm it wreaks.
|
| SafetyDefender malWare apparently reached me in the file
| mediacodec-v4.288.exe. That file had been offered to me from a page
| which distributed video clips as a means to augment and update the
| available codecs for my media player(s). I had run a Norton/Symantec
| 'internet security 2005' virus scan on that mediacodec-v4.288.exe file
| before I ran it; the scan results were clean.
|
|
| We need Symantec/Norton and MS AntiSpy to block this virus. I need
| Symantec/Norton and/or MS AntiSpy to get this virus off my computer.
|

 

[Gary Tayman]

This sounds like what I've got! There were red, green, and yellow shields
posted all over the place, telling me I had to click on them to fix the
virus. The Internet Explorer was pretty well hijacked. The other notable
thing was that I kept getting comtinual messages from McAfee that the
"PUPER.DLL" trojan had been deleted (but keeps coming back!).

I DID send my computer to a professional, and I DID pay through the nose for
having it fixed, and when I got it back IT WAS STILL THERE! The good news
was that, after paying to have it fixed, the Internet Explorer became
usable. So I DL'ed Spysweeper. If you can't get there with Internet
Explorer, try Mozilla/Firefox if you have it. BTW, Spysweeper invites you
to do a scan for free; don't bother. It will run for awhile, find your
trojans, then tell you to buy the @&&*&* thing before you can fix it. Once
you've bought it, you have to start over. Just buy it; you know you're
infected.

Spysweeper made a drastic improvement! It cut out all of those popup
windows and nasty messages; however, like I said I still get a yellow shield
in my bottom right corner. I've manually scanned through Windows folders,
and found a few files with those same shields as icons -- and deleted them.
That improved things further. Overall I'm doing fine, as long as I don't
click on that shield. But I know there's something still in there, and
frustrated that nobody else seems to know or care about it.

As I said in a previous thread, I tried David's method. It took the entire
day, and did nothing.

I suppose this means I'm not worthy of having a computer; I use it for my
personal business, so I should give up and get a job picking tomatoes. Then
again, since everyone seems to be ignoring this, soon we ALL will be
infected, and we ALL will be picking tomatoes for a living, which means the
illegal aliens will have to go back home. So maybe this virus will fix
something after all!

 

[Gary Tayman]

I might add that -- please, if anyone is trying to contact me directly,
don't use the mindspring address shown. Use gate dot net.

 

[Peter Seiler]

Gary Tayman - 24.04.2006 01:37 :

I might add that -- please, if anyone is trying to contact me directly,
don't use the mindspring address shown. Use gate dot net.

as usual (not only) by you: unnecessary sig-fullquoting (~170 lines!)
again only to post 2 lines and further wild crossposting to 5 NGs and
further without any fup2 :-(

Recommendation:

1. learn to (re-)post, learn to quote (google is your friend)

2. OE-QuoteFix is a great piece of software enhancement for OE
since it actually has an option for bottom-posting. In addition it
color-quotes conversations and corrects the breaking up of lines. If
Quotefix had been incorporated into OE from the beginning it would
prevent a majority of gripes non-OE users have.

THX in advance for your kind understanding, willing to learn and a
better quoting- and usenet behavior in the future.

 

[Gary Tayman]

Gary Tayman - 24.04.2006 01:37 :



as usual (not only) by you: unnecessary sig-fullquoting (~170 lines!)
again only to post 2 lines and further wild crossposting to 5 NGs and
further without any fup2 :-(

SHEEEEEESH!!!

I can't win for trying!

In another group I was chastised for NOT quoting the rest of the message!
This gets a bit frustrating to say the least!

Maybe next time I'll include the virus . . .

Better yet, if I can actually get RID of this virus, I can go away entirely.

 

[YoKenny]

'xlurker' wrote, in part:

I think the methods suggested by David Lipman (and others who post
regularly on the microsoft.public.security.virus newsgroup) provide
or suggest for removing malware are a LOT of hard work, and require a
LOT of time.

I would do almost anything to avoid doing that much work.

Boot a DOS diskette or the WinXP CD then load the FORMAT command then FORMAT
the hard drive.

Find the cartons that the PC and its peripherals (Monitor, mouse, keyboard
and printer) and repackage them carefully and return them to the store where
you purchased them and demand your money back using the excuse that you are
not smart enough to use such a complicated thing as a computer.

Or better yet, donate the system and its components to a worthwhile charity
or church and get a tax reduction recept.

 

[edgewalker]

I DID send my computer to a professional, and I DID pay through the nose for
having it fixed, and when I got it back IT WAS STILL THERE!

Can I assume you paid for a fix and not for an almost fix? Stop payment
or have the professional actually fix it. If the professional is willing to take
your money, he should be willing to give you a satisfactory repair. If he is
unwilling, he should return your money.

 

[Phil Weldon]

'YoKenny' wrote, in part:
| Boot a DOS diskette or the WinXP CD then load the FORMAT command then
FORMAT
| the hard drive.
_____

And your reply is directed to what post? And what makes you think that
backing up all data (from an infected system), formatting the hard drive,
then reinstalling the operating system, every program, and all patches is
easier than the procedures recommended by David Lipman and others?

Phil Weldon

| <Phil Weldon> typed:
| > 'xlurker' wrote, in part:
| >> This SafetyDefender MalWare is still on my computer. Why has
| >> Norton/Symantec not removed it? Why has no one done sufficient harm
| >> to safetydefender.com to make safetydefender crawl and stay back in
| >> its hole?
| >
| > I think the methods suggested by David Lipman (and others who post
| > regularly on the microsoft.public.security.virus newsgroup) provide
| > or suggest for removing malware are a LOT of hard work, and require a
| > LOT of time.
| >
| > I would do almost anything to avoid doing that much work.
|
| Boot a DOS diskette or the WinXP CD then load the FORMAT command then
FORMAT
| the hard drive.
|
| Find the cartons that the PC and its peripherals (Monitor, mouse, keyboard
| and printer) and repackage them carefully and return them to the store
where
| you purchased them and demand your money back using the excuse that you
are
| not smart enough to use such a complicated thing as a computer.
|
| Or better yet, donate the system and its components to a worthwhile
charity
| or church and get a tax reduction recept.
|
| > That is one reason I am VERY careful in protecting my computer
| > systems from infections and other attacks.
| >
| > You might have trouble understanding the steps, but even if you know
| > EXACTLY what is involved, removing malware once it has lodged on your
| > system, is a lot of tedious work. AND you may have still lost data
| > and have your credit identity stolen by the time you restore your
| > system.
| >
| > So, if removing malware is too much work for you (it is too much work,
| > unless paid, for anyone)
| > So, if you
| > #1. you connect to the Internet
| > #2. connect to other computers
| > #3. share computers
| > #4. have a floppy and/or a CD/DVD drive, or removable Flash memory
| > #5. don't keep your system locked in a safe
| >
| > you need to prevent infection, AND prepare to BE infected.
| >
| > If it is too much work for you, then get professional help, and be
| > prepared to pay for it.
| >
| > Phil Weldon
| > | >> This SafetyDefender MalWare is still on my computer. Why has
| >> Norton/Symantec not removed it? Why has no one done sufficient harm
| >> to safetydefender.com to make safetydefender crawl and stay back in
| >> its hole?
| >>
| >> My AV SW showed me an alert box when SafetyDefender attacked me,
| >> offering me the choice of blocking a change to my browser home page.
| >> I clicked to block, but SafetyDefender seized my home page anyway.
| >>
| >> SafetyDefender spawns pop up ad browser windows which is a very
| >> serious inconvenience since MSIE loses its back button function
| >> whenever a new window or application opens. Why does MSIE have to do
| >> that?
| >>
| >> I found the information in the thread which included message number
| >> BEc2g.66$BO2.14@trnddc02 interesting, useful and disturbing. Thanks
| >> to Gabriele Neukam for that reference. It looks like our AV vendors
| >> still have too much to learn.
| >>
| >> The cleansing procedure suggested by David H. Lipman is too
| >> complicated and risky for all the unskilled users who would need to
| >> use such a procedure. When such complicated programming sets are
| >> necessary, they need to be automated, preferably into the AV SW
| >> distributed by AV vendor. BTW, when one AV vendor writes a solution
| >> to a threat, do the other AV vendors usually buy a license to
| >> distribute it or must the customers of the other vendors suffer
| >> until each one writes a separate solution?
| >> From: (e-mail address removed)
| >> Date: Sat, Apr 22 2006 12:43 am
| >> Email: (e-mail address removed)
| >> Groups: microsoft.public.security.virus, alt.comp.virus,
| >> alt.comp.anti-virus, alt.privacy.spyware,
| >> symantec.customerservice.general
| >> SafetyDefender malWare has infected my Win NT computer.
| >> SafetyDefender malWare makes itself my MSIE home page and prevents
| >> me from changing that. It repeatedly shows me red- and yellow-color
| >> alert boxes which advise me to cleanse an infection in my computer.
| >> I do not yet know of any other harm it wreaks.
| >>
| >> SafetyDefender malWare apparently reached me in the file
| >> mediacodec-v4.288.exe. That file had been offered to me from a page
| >> which distributed video clips as a means to augment and update the
| >> available codecs for my media player(s). I had run a Norton/Symantec
| >> 'internet security 2005' virus scan on that mediacodec-v4.288.exe
| >> file before I ran it; the scan results were clean.
| >>
| >> We need Symantec/Norton and MS AntiSpy to block this virus. I need
| >> Symantec/Norton and/or MS AntiSpy to get this virus off my computer.
| --
| YoKenny
| See CoU at least weekly:
| http://www.dozleng.com/updates/index.php?&act=calendar
| I support the right to arm bears
|

 

[YoKenny]

'YoKenny' wrote, in part:
_____

And your reply is directed to what post? And what makes you think
that backing up all data (from an infected system), formatting the
hard drive, then reinstalling the operating system, every program,
and all patches is easier than the procedures recommended by David
Lipman and others?

Phil Weldon

It was ment for (e-mail address removed)

You have a good point about backing up possible infected files.

(e-mail address removed) if you read this then turn off System Restore then run the
Kaspersky On-line Scanner:
http://www.kaspersky.com/downloads/kws/kavwebscan.html