Solved

A link to VirusRemover 2009 - how come this still works

Posted on 2009-04-01
Last Modified: 2013-11-22
Poking around on the web for info on Conficker, I wound up being directed to this site:

xxxx XXXX://promotion-offer.com/vsm/adv/142/?a=csptop-sst&l=371&f=cs_2037721714&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM

*URL disabled by rpggamergirl, ZAPE*

If you go to that site (without the x's), you get the popup that your machine is infected and you need to download VirusRemover 2009.

YOU NEED TO RUN TASK MANAGER AND END THE IE TASK to get out of it...

Now, on this machine, I have OpenDNS and Trend Micro Internet security with their internet security turned on to medium.

I wouldn't think I am the first to find this link. Other than that being the reason, any thoughts on why, with those 2 different protections, I can still get to this site (would Trend stop the install? I don't want to take it that far to test it : )

Thanks!
Question by:babaganoosh
11 Comments
 
LVL 27

Expert Comment

by:David-Howard
ID: 24041250
I do know that it's malware and not a virus. So the scan engine for Trend Micro may not blacklist it for that reason or simply because they just haven't added it to their protection.
If you install and update Malwarebytes from www.malwarebytes.org and then boot into Safe Mode, you should be able to remove it easily enough (if it was installed).
You could also add that URL to your IE's list of Restricted Sites.
0
 

Author Comment

by:babaganoosh
ID: 24041604
I'm thinking for my clients - having to add to the restricted sites and / or having to remove the app (I love malwarebytes lots... but superantispyware even more) isn't what I'm looking for.

I'd like to find how to protect them from themselves more transparently.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 24041783
You could use something like Tea-Timer, packaged with Spybot. That's free.
Even having your clients log on as User vice Administrator won't stop many threat installations, so that won't work for you.
No matter which application you choose, though, there will be a learning curve on what they should allow and not. It comes down to the users/clients I guess. Do they follow the directions you give them? Do they update the antimalware/antivirus suites, etc.?
0
 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 24042622
You could set up a proxy server and have all systems go through that, or blacklist the site in DNS (if you run your own DNS servers). If you have a way to push files to the client machines, you can also update the hosts file (typically located at C:\Windows\System32\Drivers\Etc) and point that domain to a different IP address (127.0.0.1 should work, or point it to something like Google). Just a couple of suggestions. The downside to all of this is that you would be responsible for keeping your blacklist updated, whereas something like AVG (and other anti-virus/anti-malware companies) has staff that do this for you. But, again, the protection is only as good as the blacklist, and these people putting the malware out there are constantly changing things up.
0
 

Author Comment

by:babaganoosh
ID: 24044427
I'm thinking this is a big enough / common enough piece of garbage that the 2 services being used should be enough? How are home / small business users able to keep up with this? Job security for us consultants, but depressing that it's such a cat & mouse game.
0
 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 24044510
Unfortunately the people putting out this garbage buy up domains like there's no tomorrow and get them to rank high in lots of search engines as fast as possible, making it nearly impossible to stop them 100% dead in their tracks, even if you install 100 AV/AM programs. These people are making a lot of money by tricking the uninformed, allowing them to keep morphing the program and where it's coming from just as fast as they get the older stuff shut down. Sadly, this is where we've gone with viruses... even to the point where some companies won't fight it because they classify it as something else (like adware vs. spyware vs. virus). It's all garbage and it needs to be removed.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 24057736
The link is still active; you need to replace http with Xs to disable it.
TrendMicro should've blocked access to the site, sounds inefficient to me.
Avast, which is free, is able to block access to malicious sites including that one you posted.

I clicked on the link and Avast's Network Shield straightaway alerted me of the malicious site and blocked it; the page did not load after Avast blocked it.
For extra security measures I would install the Winhelp2002 hosts file:
http://www.mvps.org/winhelp2002/hosts.htm

And SpywareBlaster, which is excellent for blocking ActiveX-based malware, and it doesn't need any resources.
http://www.javacoolsoftware.com/spywareblaster.html
And if you use Firefox, then install the "NoScript" add-on.
0
 

Author Comment

by:babaganoosh
ID: 24059290
The hosts file - that got me thinking... For SBS domains, can you bring it into the DNS server rather than put it on each machine as you would for workgroups?

0
 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 24062319
All you would have to do is create a DNS record on your SBS server to point the domain to 127.0.0.1 and VOILÀ! Instant black hole.
0
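The two network-side suggestions above, ThinkSmartInc's pushed-out hosts file and the DNS record on the SBS server, block the same kind of name in different ways, and the difference matters for the "constantly changing things up" problem. The Python script below is an added example, not code from this thread or from any product mentioned in it. It simulates how a client resolves a name against both mechanisms: it parses a constructed hosts file in the Winhelp2002 style, looks names up against a constructed sinkhole zone the way a DNS server that is authoritative for the blocked domain would, and reports which names a machine away from the network (hosts file only) would still reach. All domain names in it are placeholders.

```python
"""
Simulated client-side name resolution for the two blocking approaches in the
thread: a per-machine hosts file (exact hostname match only) and a sinkhole
zone on the network's own DNS server (covers a domain and every name under it).

Every domain and blocklist entry here is constructed for the example; none is
taken from the thread or from any real blocklist.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text ('IP hostname [alias ...]', '#' starts a comment).

    Returns a hostname -> IP map with names lower-cased, mirroring the resolver's
    case-insensitive exact match. Malformed lines are skipped rather than raising,
    so one bad line in a pushed-out blocklist does not break resolution.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for name in parts[1:]:
            table[name.lower().rstrip(".")] = parts[0]
    return table


def hosts_lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """A hosts file has no wildcards: only the exact name is matched."""
    return table.get(name.lower().rstrip("."))


def sinkhole_lookup(zones: Dict[str, str], name: str) -> Optional[str]:
    """A sinkhole zone 'bad.example' on the DNS server answers for bad.example
    and for every label under it (www.bad.example, x.y.bad.example).
    Walk from the full name toward the root and stop at the first zone hit."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return None


def resolve(name: str, hosts_table: Dict[str, str],
            zones: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Order used by a Windows client: hosts file first, then the configured
    DNS server. Returns (answer, source); answer is None when the query would
    leave the network for the real authoritative servers."""
    ip = hosts_lookup(hosts_table, name)
    if ip is not None:
        return ip, "hosts"
    ip = sinkhole_lookup(zones, name)
    if ip is not None:
        return ip, "dns-sinkhole"
    return None, "upstream"


def hosts_only_gaps(names: List[str], hosts_table: Dict[str, str],
                    zones: Dict[str, str]) -> List[str]:
    """Names the DNS sinkhole would stop but a client that is off the network
    (laptop at home, so only its hosts file applies) would still reach."""
    return [n for n in names
            if hosts_lookup(hosts_table, n) is None
            and sinkhole_lookup(zones, n) is not None]


# Constructed sample hosts file in the Winhelp2002 style (0.0.0.0 sink address).
SAMPLE_HOSTS = """
127.0.0.1 localhost
# constructed blocklist entries: exact names only
0.0.0.0 rogue-av-promo.example
0.0.0.0 www.rogue-av-promo.example   # second exact name
this-is-not-an-ip rogue-av-promo.example
"""

# Constructed sinkhole zone, as the "DNS record on your SBS server" would create.
SAMPLE_ZONES = {"rogue-av-promo.example": "127.0.0.1"}

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for n in ["rogue-av-promo.example", "WWW.Rogue-AV-Promo.example",
              "cdn7.rogue-av-promo.example", "unrelated.example"]:
        print(n, resolve(n, table, SAMPLE_ZONES))
    print("reachable with the hosts file alone:",
          hosts_only_gaps(["cdn7.rogue-av-promo.example"], table, SAMPLE_ZONES))
```

The hosts file matches only the exact names it lists, so a new host name under the same domain gets through until the list is updated, which is the maintenance burden the comment describes. A sinkhole zone on the DNS server catches everything under the domain, but only for clients that use that server: a laptop off the network falls back to whatever its own hosts file says. Neither helps when a page is reached by IP address or the browser is pointed at a different resolver.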
 
LVL 25

Expert Comment

by:Ron M
ID: 24063475
Funny... when you go looking for viruses, you sometimes find them. I did the same thing you did, and ran into AntiVirus 2009 as well. Coincidence...?

I've been investigating this further...
Like me, it seems you've stumbled upon one of the many thousands of sites set up by affiliates of www.trafficconverter.biz, which is currently being looked at for knowledge of or involvement with Conficker, due to the fact that Conficker had a link to trafficconverter deep in the Conficker code... and "conficker" is derived from the letters in "trafficconverter". That site has been shut down, because they trick people into installing and paying for fake antivirus. Their affiliates set up these websites that utilize the Zlob exploit to produce a Windows-style popup proclaiming that you are infected. Then, when you click the link, ActiveX installs and redirects your browser to a website where you are encouraged to buy the software. AntiVirus 2009 is not the Conficker virus; however, I find it to be very non-coincidental that you ran into this by searching for it, given the circumstances. These TLD domains are notorious for this stuff.

Here is where I hit the same code... different page, same scam.
DO NOT CLICK THIS >> mycheckdiseasepro.cn
That site, with a .cn (China) domain, eventually resolves to a .lv domain... Latvia... which is in Eastern Europe, the same region Conficker's masters are suspected of being located in.

Just my opinion, but I don't think it is coincidence... either someone wants to implicate trafficconverter.biz and make them look guilty, or trafficconverter.biz affiliates are somehow involved. Conficker was programmed at one point to connect to trafficconverter.biz to download a file after December 1st: http://trafficconverter.biz//loadadv.exe - That file was not present when global security teams started investigating, and it is unclear at this point if it ever was present...
0
