A link to VirusRemover 2009 - how come this still works

Poking around on the web for info on Conficker, I wound up being directed to this site:

xxxx XXXX://promotion-offer.com/vsm/adv/142/?a=csptop-sst&l=371&f=cs_2037721714&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM

*URL disabled by rpggamergirl, ZAPE*

If you go to that site (without the x's), you get the popup that your machine is infected and you need to download virusremover 2009.


Now, on this machine, I have OpenDNS and Trend Micro Internet security with their internet security turned on to medium.

I wouldn't think I am the first to find this link.  Other than that being the reason, any thoughts on why, with those 2 different protections, I can still get to this site (would trend stop the install?  I don't want to take it that far to test it : )

rpggamergirl Commented:
The link is still active, you need to replace http with Xs to disable it.
TrendMicro should've blocked access to the site, sounds inefficient to me.
Avast, which is free, is able to block access to malicious sites, including the one you posted.

I clicked on the link and Avast's Network Shield straightaway alerted me to the malicious site and blocked it; the page did not load after Avast blocked it.
For extra security measures I would install the Winhelp2002 Hosts file:

And SpywareBlaster, which is excellent for blocking ActiveX-based malware, and it doesn't need any resources.
And if you use Firefox, then install the "NoScript" add-on.
I do know that it's malware and not a virus. So the scan engine for Trend Micro may not blacklist it for that reason or simply because they just haven't added it to their protection.
If you install and update Malwarebytes from www.malwarebytes.org and then boot into Safe Mode you should be able to remove it easily enough (if it was installed).
You could also add that URL to your IE's list of Restricted Sites.
babaganoosh (Author) Commented:
I'm thinking for my clients - having to add to the restricted sites and / or having to remove the app (I love malwarebytes lots... but superantispyware even more) isn't what I'm looking for.

I'd like to find how to protect them from themselves more transparently.
You could use something like Tea-Timer, packaged with Spybot. That's free.
Even having your clients log on as User vice Administrator won't stop many threat installations, so that won't work for you.
No matter which application you choose, though, there will be a learning curve on what they should allow and not. It comes down to the users/clients I guess. Do they follow the directions you give them? Do they update the antimalware/antivirus suites, etc.?
You could set up a proxy server and have all systems go through that, or blacklist the site in DNS (if you run your own DNS servers).  If you have a way to push files to the client machines, you can also update the hosts file (typically located at C:\Windows\System32\Drivers\Etc) and point that domain to a different IP address ( should work, or point it to something like Google).  Just a couple of suggestions.  The downside to all of this is that you would be responsible for keeping your blacklist updated, whereas something like AVG (and other anti-virus/anti-malware companies) have staffs that do this for you.  But, again, the protection is only as good as the blacklist, and these people putting the malware out there are constantly changing things up.
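The hosts-file approach suggested in the comment above, sketched as an added example that is not part of the original thread: it rebuilds a marked block of sinkhole entries idempotently and rejects malformed names so a pushed list cannot inject other mappings. The sinkhole address, the marker comments and the function names are assumptions; the two domains are the ones mentioned in this thread, and the sample hosts content is constructed.

```python
import re

SINKHOLE = "0.0.0.0"  # assumption: the thread does not name a sinkhole address
BEGIN, END = "# BEGIN managed blocklist", "# END managed blocklist"
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def valid_hostname(name):
    """Return the normalised hostname, or None if it is not a plain FQDN."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return None
    # fullmatch rejects embedded spaces/newlines that could smuggle an extra entry
    return name if all(_LABEL.fullmatch(p) for p in name.split(".")) else None

def merge_blocklist(hosts_text, domains):
    """Replace the managed block in hosts_text with entries for domains."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)          # hand-written entries are preserved
    existing = set()
    for line in kept:                  # names already mapped outside the block
        fields = line.split("#", 1)[0].split()
        existing.update(f.lower() for f in fields[1:])
    clean = sorted({h for h in map(valid_hostname, domains) if h} - existing)
    while kept and not kept[-1].strip():
        kept.pop()                     # avoid growing blank lines on each run
    block = [BEGIN] + [f"{SINKHOLE} {h}" for h in clean] + [END]
    return "\n".join(kept + [""] + block) + "\n"

# Constructed sample input: an existing hosts file and a pushed domain list.
SAMPLE_HOSTS = ("127.0.0.1 localhost\n# BEGIN managed blocklist\n"
                "0.0.0.0 old.example\n# END managed blocklist\n")
SAMPLE_DOMAINS = ["promotion-offer.com", "MyCheckDiseasePro.cn.",
                  "evil.example 10.0.0.5", "promotion-offer.com"]

if __name__ == "__main__":
    print(merge_blocklist(SAMPLE_HOSTS, SAMPLE_DOMAINS), end="")
```

Writing the result back to the hosts file needs administrator rights, and the list is only as current as whoever maintains it, as the comment says.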
babaganoosh (Author) Commented:
I'm thinking this is a big enough / common enough piece of garbage that the 2 services being used should be enough?  How are home / small business users able to keep up with this?  Job security for us consultants, but depressing that it's such a cat & mouse game.
Unfortunately the people putting out this garbage buy up domains like there's no tomorrow and get them to rank high in lots of search engines as fast as possible, making it nearly impossible to stop them 100% dead in their tracks, even if you install 100 AV/AM programs.  These people are making a lot of money by tricking the uninformed, allowing them to keep morphing the program and where it's coming from just as fast as they get the older stuff shut down.  Sadly, this is where we've gone with viruses...even to the point where some companies won't fight it because they classify it as something else (like Ad-ware vs. Spy-ware vs. virus).  It's all garbage and it needs to be removed.
babaganoosh (Author) Commented:
The hosts file - that got me thinking...  For SBS domains, can you bring it into the DNS server rather than put it on each machine as you would for workgroups?

All you would have to do is create a DNS record on your SBS server to point the domain to and VOILA!  Instant black hole.
Ron Malmstead, Information Services Manager, Commented:
Funny...when you go looking for viruses, you sometimes find them.  I did the same thing you did, and ran into antivirus2009 as well.  Coincidence...?

I've been investigating this further...
Like me, it seems you've stumbled upon one of the many thousands of sites set up by affiliates of www.trafficconverter.biz - who's currently being looked at for knowledge or involvement with Conficker due to the fact that Conficker had a link to trafficconverter deep in the Conficker code...and Conficker is derived from the letters in trafficconverter.  That site has been shut down, because they trick people into installing and paying for fake antivirus.  Their affiliates set up these websites that utilize the zlob exploit to produce a Windows-style popup proclaiming that you are infected.  Then when you click the link, an ActiveX installs and redirects your browser to a website where you are encouraged to buy the software.  The AntiVirus 2009 is not the Conficker virus, however, I find it to be very non-coincidental that you ran into this by searching for it, given the circumstances.  These TLD domains are notorious for this stuff.

Here is where I hit the same code...different page same scam.
DO NOT CLICK THIS >> mycheckdiseasepro.cn
That site with a .cn (China)...eventually resolves to a .lv domain...Latvia...which is in Eastern Europe...the same region where Conficker's masters are suspected of being located.

Just my opinion, but I don't think it is coincidence...either someone wants to implicate trafficconvert.biz and make them look guilty..., or trafficconverter.biz affiliates are somehow involved.  Conficker was programmed at one point to connect to trafficconverter.biz to download a file after December 1st,... http://trafficconverter.biz//loadadv.exe  - That file was not present when global security teams started investigating and it is unclear at this point if it ever was present...
Question has a verified solution.
