MalwareTeks Blog » Fraudware


 07 Nov 2007 @ 7:57 PM 

Since writing FixIEDef and making it available to the general public (free of charge, of course), I've started to get some feedback from users who were infected by this piece of fraudware.

Comments can be viewed here: http://blog.malwareteks.com/?p=163#comments.

I have also started receiving email feedback.

Rick said:

Dear ShadowPuterDude,

I just wanted to extend a thank-you for taking a stand against those assholes at IE Defender and not only calling them out on the carpet but by writing and providing the FixIEDef utility. I was infected the first time and was able to find the .dll that was causing the problem and delete it. But not two days later a new version that was almost impossible to correct and had me ready to throw my laptop out the window. I am a bit of a tech guy and this virus kicked my ass and had me on my last nerve as my IE was useless because the error message would not go away. I wrote to the IE Defender guys and got an e-mail back saying that they don’t hijack systems they fix them…… I found your script and I had everything fixed in moments. So again thank-you for your time and effort to help guys like me deal with a very nasty problem. You have a new fan and supporter of your site and what you do.

Sincerely, Rick <Last Name Removed>

Email message edited for format and spelling.

So, in your face, IE Defender!

FixIEDef can be downloaded from the following locations:

Primary Download location:
MalwareTeks: http://downloads.malwareteks.com/FixIEDef.exe

Download Mirrors for FixIEDef:
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Security/AntiMalware/Antispyware/FixIEDef

Instructions: See http://www.malwareteks.com/FixIEDef.php

Categories: Uncategorized
Posted By: ShadowPuterDude
Last Edit: 17 Feb 2008 @ 10:48 PM


Today someone posting as iedefender registered at CastleCops® and posted in the thread by the very same name. http://www.castlecops.com/p1017137-iedefender.html#1017137

Hello, we’re developers of IEDefender, our software is clean and is real antispyware. As we can see, people from your site send our exe to different antivirus and antispyware companies, trying to black PR our company. They’ve got answers, that our soft is clean, because IT IS CLEAN! We contacted Kaspersky, they also confirmed, there are no problems with our software, you can check our .exe with any popular antiviruses, there no problems! Stop sending your detractive mails and messages, in other case we would be forced to send all information to our lawyers and meet your representative in the court, where it would be very hard for you to prove, that our software is not real, because IT’S REAL ANTISPYWARE!

Give me a break. This craptacular “Rogue” Anti-Spyware application is fraudware. The IE Defender site is registered through ESTDomains, known as the registrar of record for several other fraudulent applications. Their website is hosted by InHoster, also known for hosting several fraudulent applications and malware.

IE Defender finds its way onto your system via a fake video codec. Now IE Defender would like you to believe that this is because of some “Rogue” affiliate(s). Nice try fellas, that might work on someone else, a bit more naive than the folks you are currently engaging in a dialog.

Your software is detected as Malware, Fraudware, Risktool … etc, by Ad-Aware SE, Avira, Kaspersky, PrevX, Trojan Hunter, VBA32, WebWasher. More Anti-Virus, Anti-Spyware vendors will be detecting your Crapware very soon.

Then iedefender has the balls to take a poke at RogueRemover by MalwareBytes. H’m, that’s interesting, just how many fraudulent security applications do you guys put out that are targeted by the very legit program, RogueRemover? Don’t even bother to answer that question. The answer would just be a lie. Just like all the lies you have told so far.

So, I have taken the liberty to put together a batch script to remove your malware and generally craptacular IE Defender “Rogue” Anti-Spyware application.

Download FixIEDef by ShadowPuterDude to the Desktop.

Directions for using FixIEDef can be found on the FixIEDef Web Page.

Because of the speed at which new variants are released, FixIEDef may not have your particular variant added to the script. In that case, complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

  1. ISeeYouXp log
  2. HijackThis log
  3. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Download Mirrors for FixIEDef:
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Security/AntiMalware/Antispyware/FixIEDef

EDIT: (03 November 2007) Added download mirrors

EDIT: (03 November 2007) Removed
[HKEY_CLASSES_ROOT\AppID\{0EEDB911-C5FA-486F-8334-57288578C627}]
[HKEY_CLASSES_ROOT\CLSID\{0EEDB911-C5FA-486F-8334-57288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0EEDB911-C5FA-486F-8334-57288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EEDB911-C5FA-486F-8334-57288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EEDB911-C5FA-486F-8334-57288578C627}]

Legit software, XunLei, a Chinese P2P application, uses the same CLSID as the infection.
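Because a CLSID alone cannot tell the infection apart from legitimate software, a cleanup step can first look at which DLL the CLSID is registered to. The following read-only PowerShell check is an added example, not part of FixIEDef; it assumes the standard COM layout in which the `InprocServer32` subkey of the CLSID key names the implementing DLL, and it deletes nothing.

```powershell
# Added example (not from FixIEDef): report what the shared CLSID points to.
# Read-only: nothing is deleted. The CLSID is the one listed in the EDIT note above.
$clsid  = '{0EEDB911-C5FA-486F-8334-57288578C627}'
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
$comKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"

function Get-BhoServerInfo {
    param([string]$ClsidKey)

    $inproc = Join-Path $ClsidKey 'InprocServer32'
    if (-not (Test-Path -LiteralPath $inproc)) { return $null }

    # The default value of InprocServer32 is the DLL that implements the COM class.
    $dll = (Get-Item -LiteralPath $inproc).GetValue('')
    if ([string]::IsNullOrWhiteSpace($dll)) { return $null }
    $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')

    $info = [ordered]@{ Dll = $dll; Exists = (Test-Path -LiteralPath $dll) }
    if ($info.Exists) {
        $file = Get-Item -LiteralPath $dll
        $sig  = Get-AuthenticodeSignature -LiteralPath $dll
        $info.Company   = $file.VersionInfo.CompanyName
        $info.Product   = $file.VersionInfo.ProductName
        $info.SigStatus = $sig.Status
        $info.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $info.SHA256    = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    }
    [pscustomobject]$info
}

$registered = Test-Path -LiteralPath $bhoKey
$server     = Get-BhoServerInfo -ClsidKey $comKey

if (-not $registered) {
    "CLSID $clsid is not registered as a Browser Helper Object."
} elseif (-not $server) {
    "BHO entry exists but no InprocServer32 DLL is registered; review manually."
} else {
    $server | Format-List
    "Compare the DLL path, vendor and signer above before deleting any key for $clsid."
}
```

On 64-bit Windows, 32-bit registrations live under `HKLM:\SOFTWARE\WOW6432Node`, so the same check should be repeated with both key paths adjusted accordingly.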

Categories: Uncategorized
Posted By: ShadowPuterDude
Last Edit: 25 Jan 2008 @ 08:25 PM
