Screenshot from my visit to the IE Antivirus Free Scanner Web Page:

Can you spot what’s not right with this picture?  The answer is found in the red-boxed text.

Somehow they managed to identify my Operating System as Windows, when my Browser information says I’m on Linux.

Now keep in mind that your Operating System is part of the information transmitted by your web browser when connecting to a web site.

Things that make you go H’m!

Stay tuned more to follow of this particular scam.

If you been following along, many are familiar with the IE Defender dissuasion at Castle Cops, http://www.castlecops.com/p1017137-iedefender.html#1017137. Previously blogged about, here.

Well, today Andy at Security Cadets, blogged this, Is this the new comedy? IE Defender Related.

Here is what the site looked like yesterday:

Image from Security Cadets.

Today:

The site now displays: IEDefender is coming…
Source: AndyAtHull (securitycadets.com)
Edited: 2007-11-12 12:16 PM EST

Site Live now serving IE Defender:

Whois Information for: xiedefender.com

[whois.estdomains.com]
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.comDomain Name: XIEDEFENDER.COM

Registrant:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Creation Date: 25-Oct-2007
Expiration Date: 25-Oct-2008

Domain servers in listed order:
ns2.xiedefender.com
ns1.xiedefender.com

Administrative Contact:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Technical Contact:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Billing Contact:
N/A
Alexander (iedefender@gmail.com)
Yborevicha street
Kiev
Kiev Oblast,93000
UA
Tel. +380.993363649

Status:ACTIVE

The data in this whois database is provided to you for informationpurposes only, that is, to assist you in obtaining information about or related to a domain name registration record. We make this informationavailable “as is”, and do not guarantee its accuracy. By submitting awhois query, you agree that you will use this data only for lawfulpurposes and that, under no circumstances will you use this data to:( 1) enable high volume, automated, electronic processes that stress orload this whois database system providing you this information; or (2) allow, enable, or otherwise support the transmission of massunsolicited, commercial advertising or solicitations via fascimile,electronic mail, or by telephone. The compilation, repackaging,dissemination or other use of this data is expressly prohibited withoutprior written consent from us. The registrar of record is Critical Internet, Inc.. We reserve the right to modifythese terms at any time. By submitting this query, you agree to abideby these terms.

Same folks, different page.

Since, writing and making FixIEDef available to the general public; free of charge of course; I’m starting to get some feed back from users that were infected by this piece of fraudware.

Comments can be viewed here: http://blog.malwareteks.com/?p=163#comments.

Also started receiving email feed back.

Rick said:

Dear ShadowPuterDude,

I just wanted to extend a thank-you for taking a stand against those assholes at IE Defender and not only calling them out on the carpet but by writing and providing the FixIEDef utility. I was infected the first time and was able to find the .dll that was causing the problem and delete it. But not two days later a new version that was almost impossible to correct and had me ready to throw my laptop out the window. I am a bit of a tech guy and this virus kicked my ass and had me on my last nerve as my IE was useless because the error message would not go away. I wrote to the IE Defender guys and got an e-mail back saying that they don’t hijack systems they fix them…… I found your script and I had everything fixed in moments. So again thank-you for your time and effort to help guys like me deal with a very nasty problem. You have a new fan and supporter of your site and what you do.

Sincerely, Rick <Last Name Removed>

Email message edited for format and spelling.

So, In you face! IE Defender.

FixIEDef can be download from the following locations:

Primary Download location:
MalwareTeks: http://downloads.malwareteks.com/FixIEDef.exe

Download Mirrors for FixIEDef:
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Security/AntiMalware/Antispyware/F ixIEDef

Instructions: See http://www.malwareteks.com/FixIEDef.php

Today someone posting as iedefender registered at CastleCops® and posted in the thread by the very same name. http://www.castlecops.com/p1017137-iedefender.html#1017137

Hello, we’re developers of IEDefender, our software is clean and is real antispyware. As we can see, people from your site send our exe to different antivirus and antispyware companies, trying to black PR our company. They’ve got answers, that our soft is clean, because IT IS CLEAN! We contacted Kaspersky, they also confirmed, there are no problems with our software, you can check our .exe with any popular antiviruses, there no problems! Stop sending your detractive mails and messages, in other case we would be forced to send all information to our lawyers and meet your representative in the court, where it would be very hard for you to prove, that our software is not real, because IT’S REAL ANTISPYWARE!

Give me a break. This craptacular “Rogue” Anti-Spyware application is fraudware. The IE Defender site is registered through ESTDomains, known as the registrar of record for several other fraudulent applications. Their website is hosted by InHoster also known for hosting several fraudulent applications and malware.

IE Defender finds it’s way onto your system via a fake video codec. Now IE Defender would like you to believe that this is because of some “Rogue” affiliate(s). Nice try fellas, that might work on someone else, a bit more naive then the folks you are currently engaging in a dialog.

Your software is detected as Malware, Fraudware, Risktool … etc, by Ad-Aware SE, Avira, Kaspersky, PrevX, Trojan Hunter, VBA32, WebWasher. More Anti-Virus, Anti-Spyware vendors will be detecting your Crapware very soon.

Then iedefender has the balls, to take a poke at RogueRemover by MalwareBytes. H’m, that’s interesting, just how many fraudulent security applications do you guys put out that are targeted by the very legit program, RogueRemover? Don’t even bother to answer that question. The answer would just be a lie. Just like all the lies you have told so far.

So, I have taken the liberty to put together a batch script to remove your malware and generally craptacular IE Defender “Rogue” Anti-Spyware application.

Download FixIEDef by ShadowPuterDude to the Desktop.

Direction for using FixIEDef can be found on the FixIEDef Web Page

Because of the speed at which new variants are released, FixIEDef may not have your particular variant added to the script. In that case, complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. ISeeYouXp log
2. HijackThis log
3. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Download Mirrors for FixIEDef:
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Security/AntiMalware/Antispyware/F ixIEDef

EDIT: (03 November 2007) Added download mirrors

EDIT: (03 November 2007) Removed
[HKEY_CLASSES_ROOT\AppID\{0EEDB911-C5FA-486F-8334-57288578C627}]
 [HKEY_CLASSES_ROOT\CLSID\{0EEDB911-C5FA-486F-8334-57288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{0EEDB911-C5FA-486F-8334-57 288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EEDB911-C5FA-486F-8334-57 288578C627}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer  \Browser Helper Objects\{0EEDB911-C5FA-486F-8334-57288578C627}]

Legit software, XunLei a Chinese P2P application, uses the same CLSID as the infection.

IE Defender is a rogue security program that uses flawed, inadequate detections scheme and the false positives work as goad to purchase. Possibly Ultimate Defender clone.

You read about some starlet on CNN.com, and decided to Google her name. While checking out the pages returned from your search; You encounter a page with a supposed video of her in a compromising situation. You are greeted with something that looks like this:

Shortly afterwards, as in mere seconds, you are present with a download prompt to download and install a file you believe to be a Codec needed to view the Video on the site.

As soon as you install the “Fake Codec” you immediately start recieving pop-ups.

Clicking OK results in IE Defender being installed.

Other signs you have been infected:

HijackThis entries to look for:

O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {5DE176A4-B5FF-4D50-B084-E047526B8E97} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {9A1EF21C-B0D4-4EB0-894F-CBAE2F4D0A82} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video DivX 3.12 - {7A23A1E8-B2AB-4C50-AD12-9E19B747E17C} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video DivX 3.12 - {F02B8C83-C817-4EA2-A499-29257DA0373A} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video On-line - {032706C0-EB72-4DF0-ABF6-B89958D2A6CC} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {323301C5-CB6B-490C-B59F-E7FAD4D69C93} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {66D69CC1-5373-4730-AB8E-24D2AB7FF95F} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {BD907325-42B2-4077-BA63-F636B627C998} - C:\Windows\System32\PowerVideo.dll

On the Desktop:

In the System Tray:

Screenshot of the IE Defender website:

IE Defender WHOIS information: http://whois.domaintools.com/iedefender.com

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: IEDEFENDER.COM

Registrant:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 05-Oct-2007
Expiration Date: 05-Oct-2008

Domain servers in listed order:
ns2.iedefender.com
ns1.iedefender.com

Administrative Contact:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Technical Contact:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Billing Contact:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Status:ACTIVE

There is now an automated removal script for this infection. You can download the fix at http://www.malwareteks.com/FixIEDef.php

MalwareAlarm is a rogue security program that provides minimum or no protection. MalwareAlarm uses aggressive and deceptive advertising and the false positives work as goad to purchase. MalwareAlarm installs without user consent. Same application as BraveSentry, DIARemover, Mr.AntiSpy, PestCapture, PestTrap, PestWiper, SpyDemolisher, SpyMarshal, SpySheriff, SpyTrooper, SpywareNo, & Spyware-Stop. MalwareAlarm is considered a security risk and is recommended to be removed immediately.

Download to your Desktop:
RougeRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Note: process.exe (which is used by SmitFraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : “Registry cleaning - Do you want to clean the registry ?” answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete… under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences… from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. Both rapport.txt logs from SmitFraudFix
2. ISeeYouXp log
3. HijackThis log
4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

VirusProtectPro is a rogue security program that provides minimum or no protection and the false positives work as goad to purchase. It shows Poor scan reports and false Detection. The tool shows fake alerts and highly exaggerate low level threats as critical threats. It wont remove any threats until the copy of trial is purchased. VirusProtectPro is a variant of SpyLocked, SpywareLocked, SpyDawn and VirusBurst. VirusProtectPro is considered a security risk and is recommended to be removed immediately.

Download to your Desktop:
RougeRemover by MalwareBytes
SmitFraudFix by S!Ri

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Note: process.exe ( which is used by SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/processutil/processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : “Registry cleaning - Do you want to clean the registry ?” answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question “Replace infected file ?” by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete… under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences… from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question “Restore Trusted Zone ?” by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Since one infection is often accompanied by other infections it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. Both rapport.txt logs from SmitFraudFix
2. ISeeYouXp log
3. HijackThis log
4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Ultimate Fixer is a rogue security program that uses flawed, inadequate detections scheme and the false positives work as goad to purchase.

Download to your Desktop:
RougeRemover by MalwareBytes
VundoFix by Atribune

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Run VundoFix

• Double-click VundoFix.exe to run it.
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it’s done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES.
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

The Vundo fix log is found at C:\VundoFix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete… under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences… from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Becuase some variants of Vundo can be difficult to remove it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. VundoFix log
2. ISeeYouXp log
3. HijackThis log
4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)

Ultimate Defender is a rogue security program that uses flawed, inadequate detections scheme and the false positives work as goad to purchase. Same application as 1stAntiVirus, KillSpy, SpyDeface, SpyContra, & XSRemover.

Download to your Desktop:
RougeRemover by MalwareBytes
VundoFix by Atribune

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Run VundoFix

• Double-click VundoFix.exe to run it.
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it’s done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES.
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

The Vundo fix log is found at C:\VundoFix.txt
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete… under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences… from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences… from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Becuase some variants of Vundo can be difficult to remove it is advised that you complete the steps in our Malware Cleaning Guide.

Start a new thread in the Malware Removal Forum of this site.

Attach the following logs:

1. VundoFix log
2. ISeeYouXp log
3. HijackThis log
4. Both Online AV scan logs

(You must Register before posting anywhere on this board. Registering is 100% FREE)