

A link to VirusRemover 2009 - how come this still works

Posted on 2009-04-01
Medium Priority
Last Modified: 2013-11-22
Poking around on the web for info on Conficker, I wound up being directed to this site:

xxxx XXXX://promotion-offer.com/vsm/adv/142/?a=csptop-sst&l=371&f=cs_2037721714&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM

*URL disabled by rpggamergirl, ZAPE*

If you go to that site (without the x's), you get the popup that your machine is infected and you need to download virusremover 2009.


Now, on this machine, I have OpenDNS and Trend Micro Internet security with their internet security turned on to medium.

I wouldn't think I am the first to find this link.  Other than that being the reason, any thoughts on why, with those 2 different protections, I can still get to this site (would trend stop the install?  I don't want to take it that far to test it : )

Question by:babaganoosh
LVL 27

Expert Comment

ID: 24041250
I do know that it's malware and not a virus. So the scan engine for Trend Micro may not blacklist it for that reason or simply because they just haven't added it to their protection.
If you install and update Malwarebytes from www.malwarebytes.org and then boot into Safe Mode you should be able to remove it easily enough (if it was installed).
You could also add that URL to your IE's list of Restricted Sites.

Author Comment

ID: 24041604
I'm thinking for my clients - having to add to the restricted sites and / or having to remove the app (I love malwarebytes lots... but superantispyware even more) isn't what I'm looking for.

I'd like to find how to protect them from themselves more transparently.
LVL 27

Expert Comment

ID: 24041783
You could use something like Tea-Timer, packaged with Spybot. That's free.
Even if your clients log on as User vice Administrator, that won't stop many threat installations, so that won't work for you.
No matter which application you choose, though, there will be a learning curve on what they should allow and not. It comes down to the users/clients, I guess. Do they follow the directions you give them? Do they update the antimalware/antivirus suites, etc.?

Expert Comment

ID: 24042622
You could set up a proxy server and have all systems go through that, or blacklist the site in DNS (if you run your own DNS servers).  If you have a way to push files to the client machines, you can also update the hosts file (typically located at C:\Windows\System32\Drivers\Etc) and point that domain to a different IP address ( should work, or point it to something like Google).  Just a couple of suggestions.  The downside to all of this is that you would be responsible for keeping your blacklist updated, whereas something like AVG (and other anti-virus/anti-malware companies) has staff that do this for you.  But, again, the protection is only as good as the blacklist, and the people putting the malware out there are constantly changing things up.
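As an added example (not code from the thread or any of its posters), here is a Python script that maintains the hosts-file blacklist the comment above describes: it parses the existing file, appends sinkhole entries only for names not already mapped, and can be pushed to client machines as-is. It assumes 0.0.0.0 as the sinkhole address and uses a constructed sample hosts file plus the domain from the question as its block list.

```python
# Added example: idempotent hosts-file sinkholing of a rogue-AV domain.
# Assumptions: 0.0.0.0 as the sinkhole address; BLOCKLIST is a sample built
# from the domain in the question; SAMPLE_HOSTS is constructed for offline use.
from pathlib import Path

SINKHOLE_IP = "0.0.0.0"                       # assumption: unroutable, so connects fail fast
HOSTS_PATH = Path(r"C:\Windows\System32\Drivers\Etc\hosts")  # location named in the thread
BLOCKLIST = ["promotion-offer.com", "www.promotion-offer.com"]  # sample, from the question

def parse_hosts(text):
    """Map each active hostname to its IP, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/inline comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip        # hosts lookups are case-insensitive
    return mapping

def sinkhole_entries(text, domains, ip=SINKHOLE_IP):
    """Append sinkhole lines for domains not yet mapped; returns (new_text, added)."""
    current = parse_hosts(text)
    added = [d.lower().strip(".") for d in domains
             if d.lower().strip(".") not in current]  # never override an existing mapping
    if not added:
        return text, added                    # idempotent: nothing to change
    block = "".join(f"{ip} {d}  # sinkholed rogue-AV site\n" for d in added)
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return text + sep + block, added

def is_sinkholed(text, domain, ip=SINKHOLE_IP):
    """True only if the domain resolves to the sinkhole address via this file."""
    return parse_hosts(text).get(domain.lower().strip(".")) == ip

def apply_blocklist(path=HOSTS_PATH, domains=BLOCKLIST):
    """Rewrite the hosts file in place (needs admin rights); returns domains added."""
    text = path.read_text(encoding="utf-8")
    new_text, added = sinkhole_entries(text, domains)
    if added:
        path.write_text(new_text, encoding="utf-8")
    return added

# Constructed sample hosts content so the functions can be exercised offline.
SAMPLE_HOSTS = "# sample hosts file\n127.0.0.1 localhost\n"

if __name__ == "__main__":
    updated, added = sinkhole_entries(SAMPLE_HOSTS, BLOCKLIST)
    print(added, is_sinkholed(updated, "promotion-offer.com"))
```

Hosts entries match exact names only, so every subdomain the rogue site uses has to be listed; a DNS-server blackhole zone, as suggested later in the thread, covers the whole domain at once.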

Author Comment

ID: 24044427
I'm thinking this is a big enough / common enough piece of garbage that the 2 services being used should be enough?  How are home / small business users able to keep up with this?  Job security for us consultants, but depressing that it's such a cat & mouse game.

Expert Comment

ID: 24044510
Unfortunately, the people putting out this garbage buy up domains like there's no tomorrow and get them to rank high in lots of search engines as fast as possible, making it nearly impossible to stop them 100% dead in their tracks, even if you install 100 AV/AM programs.  These people are making a lot of money by tricking the uninformed, allowing them to keep morphing the program and where it's coming from just as fast as they get the older stuff shut down.  Sadly, this is where we've gone with viruses... even to the point where some companies won't fight it because they classify it as something else (like adware vs. spyware vs. virus).  It's all garbage and it needs to be removed.
LVL 47

Accepted Solution

rpggamergirl earned 2000 total points
ID: 24057736
The link is still active; you need to replace http with Xs to disable it.
TrendMicro should've blocked access to the site; sounds inefficient to me.
Avast, which is free, is able to block access to malicious sites, including the one you posted.

I clicked on the link and Avast's Network Shield straightaway alerted me of the malicious site and blocked it; the page did not load after Avast blocked it.
For extra security measures I would install the Winhelp2002 Hosts file:

And SpywareBlaster, which is excellent for blocking ActiveX-based malware, and it doesn't need any resources.
And if you use Firefox, then install the "NoScript" add-on.

Author Comment

ID: 24059290
The hosts file - that got me thinking...  For SBS domains, can you bring it into the DNS server rather than put it on each machine as you would for workgroups?


Expert Comment

ID: 24062319
All you would have to do is create a DNS record on your SBS server to point the domain to and VOILA!  Instant black hole.
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24063475
Funny... when you go looking for viruses, you sometimes find them.  I did the same thing you did, and ran into AntiVirus 2009 as well.  Coincidence...?

I've been investigating this further...
Like me, it seems you've stumbled upon one of the many thousands of sites set up by affiliates of www.trafficconverter.biz, who is currently being looked at for knowledge of or involvement with Conficker, due to the fact that Conficker had a link to trafficconverter deep in the Conficker code... and "Conficker" is derived from the letters in "trafficconverter".  That site has been shut down because they trick people into installing and paying for fake antivirus.  Their affiliates set up these websites that utilize the Zlob exploit to produce a Windows-style popup proclaiming that you are infected.  Then when you click the link, ActiveX installs and redirects your browser to a website where you are encouraged to buy the software.  AntiVirus 2009 is not the Conficker virus; however, I find it to be very non-coincidental that you ran into this by searching for it, given the circumstances.  These TLD domains are notorious for this stuff.

Here is where I hit the same code... different page, same scam.
DO NOT CLICK THIS >> mycheckdiseasepro.cn
That site with a .cn (China) TLD... eventually resolves to a .lv domain... Latvia... which is in Eastern Europe, the same region Conficker's masters are suspected of being located in.

Just my opinion, but I don't think it is coincidence... either someone wants to implicate trafficconverter.biz and make them look guilty, or trafficconverter.biz affiliates are somehow involved.  Conficker was programmed at one point to connect to trafficconverter.biz to download a file after December 1st: http://trafficconverter.biz//loadadv.exe  - That file was not present when global security teams started investigating, and it is unclear at this point if it ever was present...
