MalwareTeks Blog

Today someone posting as iedefender registered at CastleCops® and posted in the thread by the very same name. http://www.castlecops.com/p1017137-iedefender.html#1017137

Hello, we’re developers of IEDefender, our software is clean and is real antispyware. As we can see, people from your site send our exe to different antivirus and antispyware companies, trying to black PR our company. They’ve got answers, that our soft is clean, because IT IS CLEAN! We contacted Kaspersky, they also confirmed, there are no problems with our software, you can check our .exe with any popular antiviruses, there no problems! Stop sending your detractive mails and messages, in other case we would be forced to send all information to our lawyers and meet your representative in the court, where it would be very hard for you to prove, that our software is not real, because IT’S REAL ANTISPYWARE!

Give me a break. This craptacular “Rogue” Anti-Spyware application is fraudware. The IE Defender site is registered through ESTDomains, known as the registrar of record for several other fraudulent applications. Their website is hosted by InHoster also known for hosting several fraudulent applications and malware.

IE Defender finds it’s way onto your system via a fake video codec. Now IE Defender would like you to believe that this is because of some “Rogue” affiliate(s). Nice try fellas, that might work on someone else, a bit more naive then the folks you are currently engaging in a dialog.

Your software is detected as Malware, Fraudware, Risktool … etc, by Ad-Aware SE, Avira, Kaspersky, PrevX, Trojan Hunter, VBA32, WebWasher. More Anti-Virus, Anti-Spyware vendors will be detecting your Crapware very soon.

Then iedefender has the balls, to take a poke at RogueRemover by MalwareBytes. H’m, that’s interesting, just how many fraudulent security applications do you guys put out that are targeted by the very legit program, RogueRemover? Don’t even bother to answer that question. The answer would just be a lie. Just like all the lies you have told so far.

So, I have taken the liberty to put together a batch script to remove your malware and generally craptacular IE Defender “Rogue” Anti-Spyware application.

Download FixIEDef by ShadowPuterDude to the Desktop.

Direction for using FixIEDef can be found on the FixIEDef Web Page

Because of the speed at which new variants are released, FixIEDef may not have your particular variant added to the script. In that case, complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. ISeeYouXp log
2. HijackThis log
3. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Download Mirrors for FixIEDef:
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Security/AntiMalware/Antispyware/F ixIEDef

EDIT: (03 November 2007) Added download mirrors

EDIT: (03 November 2007) Removed
[HKEY_CLASSES_ROOT\AppID\{0EEDB911-C5FA-486F-8334-57288578C627}]
 [HKEY_CLASSES_ROOT\CLSID\{0EEDB911-C5FA-486F-8334-57288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0EEDB911-C5FA-486F-8334-57 288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EEDB911-C5FA-486F-8334-57 288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer  \Browser Helper Objects\{0EEDB911-C5FA-486F-8334-57288578C627}]

Legit software, XunLei a Chinese P2P application, uses the same CLSID as the infection.