Solved

A link to VirusRemover 2009 - how come this still works

Posted on 2009-04-01
367 Views
Last Modified: 2013-11-22
Poking around on the web for info on Conficker, I wound up being directed to this site:

xxxx XXXX://promotion-offer.com/vsm/adv/142/?a=csptop-sst&l=371&f=cs_2037721714&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM

*URL disabled by rpggamergirl, ZAPE*

If you go to that site (without the x's), you get the popup that your machine is infected and you need to download virusremover 2009.

YOU NEED TO RUN TASK MANAGER AND END THE IE TASK to get out of it...

Now, on this machine, I have OpenDNS and Trend Micro Internet security with their internet security turned on to medium.

I wouldn't think I am the first to find this link.  Other than that being the reason, any thoughts on why, with those 2 different protections, I can still get to this site? (Would Trend stop the install?  I don't want to take it that far to test it : )

Thanks!
Question by:babaganoosh
11 Comments
 
LVL 27

Expert Comment

by:David-Howard
ID: 24041250
I do know that it's malware and not a virus. So the scan engine for Trend Micro may not blacklist it for that reason or simply because they just haven't added it to their protection.
If you install and update malwarebytes from www.malwarebytes.org 
and then boot into Safe Mode you should be able to remove it easily enough (if it was installed).
You could also add that URL to your IE's list of Restricted Sites.
 

Author Comment

by:babaganoosh
ID: 24041604
I'm thinking for my clients - having to add to the restricted sites and / or having to remove the app (I love malwarebytes lots... but superantispyware even more) isn't what I'm looking for.

I'd like to find how to protect them from themselves more transparently.
 
LVL 27

Expert Comment

by:David-Howard
ID: 24041783
You could use something like Tea-Timer, packaged with Spybot. That's free.
Even having your clients log on as User vice Administrator won't stop many threat installations, so that won't work for you.
No matter which application you choose though there will be a learning curve on what they should allow and not. It comes down to the users/clients I guess. Do they follow the directions you give them. Do they update the antimalware/antivirus suites, etc.?
 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 24042622
You could set up a proxy server and have all systems go through that, or blacklist the site in DNS (if you run your own DNS servers).  If you have a way to push files to the client machines, you can also update the hosts file (typically located at C:\Windows\System32\Drivers\Etc) and point that domain to a different IP address (127.0.0.1 should work, or point it to something like Google).  Just a couple of suggestions.  The downside to all of this is that you would be responsible for keeping your blacklist updated, whereas something like AVG (and other anti-virus/anti-malware companies) have staffs that do this for you.  But, again, the protection is only as good as the blacklist, and these people putting the malware out there are constantly changing things up.
 

Author Comment

by:babaganoosh
ID: 24044427
I'm thinking this is a big enough / common enough piece of garbage that the 2 services being used should be enough?  How are home / small business users able to keep up with this?  Job security for us consultants, but depressing that it's such a cat & mouse game.
 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 24044510
Unfortunately the people putting out this garbage buy up domains like there's no tomorrow and get them to rank high in lots of search engines as fast as possible making it nearly impossible to stop them 100% dead in their tracks, even if you install 100 AV/AM programs.  These people are making a lot of money by tricking the uninformed allowing them to keep morphing the program and where it's coming from just as fast as they get the older stuff shutdown.  Sadly, this is where we've gone with viruses...even to the point where some companies won't fight it because they classify it as something else (like Ad-ware vs. Spy-ware vs. virus).  It's all garbage and it needs to be removed.
 
LVL 47

Accepted Solution

by:rpggamergirl (earned 500 total points)
ID: 24057736
The link is still active; you need to replace http with Xs to disable it.
Trend Micro should've blocked access to the site; sounds inefficient to me.
Avast, which is free, is able to block access to malicious sites, including the one you posted.

I clicked on the link and Avast's Network Shield straightaway alerted me to the malicious site and blocked it; the page did not load after Avast blocked it.
For extra security measures I would install the Winhelp2002 hosts file:
http://www.mvps.org/winhelp2002/hosts.htm 

And SpywareBlaster, which is excellent for blocking ActiveX-based malware, and it doesn't need any resources.
http://www.javacoolsoftware.com/spywareblaster.html
And if you use Firefox, then install the "NoScript" add-on.
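Two comments in this thread (ThinkSmartInc's suggestion of pushing a hosts file to each client, and the MVPS hosts file recommended above) rely on the same mechanism, so here is one added example of doing it safely. This is illustrative code written for this page, not code from the thread, from MVPS or from any product. It assumes the hosts path named in the thread, uses 0.0.0.0 as the sink instead of 127.0.0.1 (a comment in the code says why), and the sample hosts text and blocklist entries are constructed for the demonstration; the two domain names in them are the ones that appear in this thread.

```python
"""Merge a domain blackhole list into a Windows hosts file.

Added example; not from the thread, from MVPS or from any product.
"""
import re
from pathlib import Path
from urllib.parse import urlsplit

# Path named in the thread. The file is writable only by Administrators,
# so apply_blocklist() must run from an elevated prompt.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Sink address (assumption: a dead sink is wanted). 0.0.0.0 makes the
# connection fail at once; 127.0.0.1 hands the request to whatever happens
# to be listening locally. Pointing at a third party such as Google is not a
# block at all: it sends the user's request, cookies and all, to that party.
SINK_ADDR = "0.0.0.0"

# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(entry):
    """Return a validated, lowercase hostname from a bare name or a URL, or None."""
    s = entry.strip()
    if "://" in s:  # accept a pasted URL such as the defanged one in the question
        s = urlsplit(s).hostname or ""
    s = s.lower().rstrip(".")
    labels = s.split(".")
    if len(s) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    return s


def parse_hosts(text):
    """Yield (address, [names]) for each active line; comments and blanks are skipped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], [n.lower() for n in fields[1:]]


def merge_blocklist(hosts_text, entries, sink=SINK_ADDR, with_www=True):
    """Append one sink line per new domain; return (new_text, added_names).

    Names already present at any address are left alone, so existing entries
    are never duplicated or rewritten and the merge is idempotent. Because the
    hosts file matches exact names only, the www. variant is added as well.
    """
    present = {n for _, names in parse_hosts(hosts_text) for n in names}
    added = []
    for entry in entries:
        domain = normalize_domain(entry)
        if domain is None:
            continue  # junk or unparseable entry: never write it to the file
        candidates = [domain]
        if with_www and not domain.startswith("www."):
            candidates.append("www." + domain)
        for name in candidates:
            if name not in present:
                present.add(name)
                added.append(name)
    if not added:
        return hosts_text, added
    block = "\n".join(f"{sink}\t{name}\t# blackhole" for name in added)
    sep = "" if (not hosts_text or hosts_text.endswith("\n")) else "\n"
    return hosts_text + sep + block + "\n", added


def apply_blocklist(entries, path=HOSTS_PATH):
    """Rewrite the hosts file in place (run elevated); return the names added."""
    text = path.read_text(encoding="utf-8", errors="replace")  # hosts is plain ASCII
    new_text, added = merge_blocklist(text, entries)
    if added:
        path.write_text(new_text, encoding="utf-8")
    return added


# Constructed sample input: a stock hosts file plus one name that is already blocked.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "127.0.0.1       www.example.test   # already blocked\n"
)

# Constructed entries: the question's URL (defanged scheme kept), the .cn site
# from a later comment, a junk line, and a name the file already has.
SAMPLE_ENTRIES = [
    "XXXX://promotion-offer.com/vsm/adv/142/?a=csptop-sst&l=371",
    "MyCheckDiseasePro.cn.",
    "not a domain!",
    "www.example.test",
]

if __name__ == "__main__":
    text, added = merge_blocklist(SAMPLE_HOSTS, SAMPLE_ENTRIES)
    print(text)
    print("added:", added)
```

Running it on the constructed input adds four lines (the apex and www. name for each of the two domains), skips the junk entry, leaves the existing www.example.test line untouched, and a second run adds nothing. The same limitation the thread hints at still applies: a hosts file cannot block a domain you have not listed, so it only helps against sites you already know about.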
 

Author Comment

by:babaganoosh
ID: 24059290
The hosts file - that got me thinking...  For SBS domains, can you bring it into the DNS server rather than put it on each machine as you would for workgroups?

 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 24062319
All you would have to do is create a DNS record on your SBS server to point the domain to 127.0.0.1 and voilà!  Instant black hole.
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 24063475
Funny...when you go looking for viruses, you sometimes find them.  I did the same thing you did, and ran into antivirus2009 as well.  Coincidence...?

I've been investigating this further...
Like me, it seems you've stumbled upon one of the many thousands of sites set up by affiliates of www.trafficconverter.biz, who's currently being looked at for knowledge of or involvement with Conficker, due to the fact that Conficker had a link to trafficconverter deep in the Conficker code, and "Conficker" is derived from the letters in "trafficconverter".  That site has been shut down, because they trick people into installing and paying for fake antivirus.  Their affiliates set up these websites that utilize the Zlob exploit to produce a Windows-style popup proclaiming that you are infected.  Then, when you click the link, ActiveX installs and redirects your browser to a website where you are encouraged to buy the software.  AntiVirus 2009 is not the Conficker virus; however, I find it to be very non-coincidental that you ran into this by searching for it, given the circumstances.  These TLD domains are notorious for this stuff.

Here is where I hit the same code...different page same scam.
DO NOT CLICK THIS >> mycheckdiseasepro.cn
That site with a .cn (China) domain eventually resolves to a .lv domain (Latvia), which is in Eastern Europe, the same region Conficker's masters are suspected of being located in.

Just my opinion, but I don't think it is coincidence: either someone wants to implicate trafficconverter.biz and make them look guilty, or trafficconverter.biz affiliates are somehow involved.  Conficker was programmed at one point to connect to trafficconverter.biz to download a file after December 1st: http://trafficconverter.biz//loadadv.exe  - That file was not present when global security teams started investigating, and it is unclear at this point if it ever was present...