12 Posts

32203

October 24th, 2007 19:00

IE Defender?

I have a Dell Inspiron 9400 with windows xp.  Lately whenever I get on the internet a box pops up that says my computer is infected and not running correctly and it asks me if I want to download IE defender for free.  Is this legit or do I have some sort of virus or spyware on my computer?  My McAfee security center isn't picking anything up.

3 Apprentice

 • 

15.6K Posts

October 24th, 2007 19:00

i haven't heard of that particular one, but it sure "feels" like a SmitFraud variant.
 
i'm going to suggest a diagnostic tool, which will hopefully reveal what's happening:
 
Download the latest version of Trend Micro's HiJackThis (HJT) [version 2.0.2] installer from
 
Save it to your Desktop.
 
Double-click on the HJTInstall.exe file you just downloaded, and click on the Install button, to install HJT in the suggested/default folder,
C:\Program Files\Trend Micro\HijackThis
 
(As part of the installation, a shortcut to the HJT program will be placed on your Desktop, and another shortcut in your START menu [for easy access to using HJT in the future --- you only need to run the program again, but not the installer].)
 
After installation, HJT will automatically open and start running.  
[If this is your   first time  running HJT, please read and accept the EULA (End-User License Agreement)]
 
 
Click on  Do a System Scan and Save a LogFile

 

This will automatically open NotePad

 

Copy the entire file from NotePad:  EDIT/SelectAll, EDIT/Copy

 

Then go to the forum dedicated for HiJack This logs (**NOT** back here), and  PASTE the results there:

 

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

 

Be sure to include a detailed description of any problems/errors/warnings you are encountering.  

Also, please indicate the steps you've already taken, if any, in terms of running anti-malware scanners or malware removal tools.

 

When you submit your HJT log, please make sure the box under your text which shows "Automatically convert carriage returns to HTML line breaks" is checked, or your log may not format correctly... it should consist of separate/readable lines, not one large "jumble".
 

Hopefully, one of the HJT experts will get to it as quickly as possible.

 

WARNING:  HiJack This is a VERY POWERFUL tool.  While it's  completely safe  for you to download, generate, and post your log (as described above), you should *NOT* attempt to do anything else (in particular, do NOT use it to delete/fix any entries) until you are advised to do so by a forum expert!!   Improper use of this tool can severely damage your system.

2 Intern

 • 

5.8K Posts

October 24th, 2007 21:00

"IE Defender" seems to have just surfaced today:
 
 
I agree with ky331's advice.

16 Posts

October 25th, 2007 00:00

I have the same problem and posted in the hijack this section.

3 Apprentice

 • 

15.6K Posts

October 25th, 2007 13:00

Here is the only definitive information I have located on this new problem: 
 
IEDefender is a variant of "Ultimate Defender"
[which is a known rogue anti-spyware program -- another Smitfraud variant]
 
it is produced by a BetaDivX BHO (Browser Helper Object):
named bDivX.dll, having ClassID D99BACC6-6289-4D4F-8BAF-4192016AF547, or
named IR9V0_QCX.dll, having ClassID 48BF2BC0-2945-11D8-8CAC-00080FC65465
 
it is detected by Kaspersky antivirus as Trojan-Downloader.Win32.Delf.cqs
 
 
===========================================
 
For the two people who have posted HJT logs, please wait patiently until someone arrives there to personally assist you with an appropriate fix.

For anyone else having the same symptom and seeing this, be sure to start a new/separate HiJackThis thread of your own ---- do NOT enter someone else's thread to post your log there.


Message Edited by ky331 on 10-26-2007 08:36 AM

October 26th, 2007 23:00

check here : http://www.AdwareAway.net/iedefender.htm

3 Apprentice

 • 

15.6K Posts

October 27th, 2007 11:00

salmon:
 
are you personally experienced with the AdwareAway program in the link you cited? ---- or did you just "google" the IEDefender problem, and "stumble" on that link??
 
let me commence by stating that I have no first-hand knowledge of that program.   So it  might in fact be legitimate --- but until we know that for sure, we need to be careful in making suggestions/recommendations here.
 
EDIT:  It in fact turns out to be an untrustworthy/rogue program:   See Joe53's comments in message 11 on page 2 of this thread.   (Thanks for the assist, Joe :smileyhappy: )
 
for starters, by their own admission, AVG anti-virus is targeting AdwareAway as a PUP --- a Potentially Unwanted Program.  of course, AdwareAway asserts this to be a "ridiculous" false-positive on the part of AVG (because AVG will target  any file that's placed/located within the AdwareAway folder).    Personally, until proven otherwise, I would have more confidence in AVG's claim than in AdwareAway's.
 
next:   as best as I can tell, the (free) downloadable version of AdwareAway is a TRIAL version.   So that immediately raises the questions:
1) how long is the trial good for?
2) does the trial version offer just a scanner, but then make you pay for the full version in order to remove the problems found?  [or does the free/trial version also remove the problems??]
Note:  if you need to buy the full version in order to execute the removal, it will cost about $30.
3a) does AdwareAway in fact really target IEDefender in its database?  ---  I'm wondering because this threat is brand new, and I know of no other reputable malware remover that has already updated its database to include this new threat?
3b) assuming IEDefender to be in AdwareAway's database and that it can detect/locate the threat, is it really effective in completely removing it?   or will the problem just recur over and over again?
 
I'm asking these questions for the following reason:   HiJackThis, and any additional tools that may be used by the experts in the HJT forum, are all completely free... and by virtue of obtaining successful results, have proven themselves to do the job here.   As such, I still strongly recommend that each person encountering this problem post a new HiJackThis log of their own (start a separate thread) in the HJT forum and wait for an expert to reply to you there.   Please do NOT simply "read" other threads and attempt things on your own, as the advice offered --- while often similar --- is in fact customized for each person's log.


Message Edited by ky331 on 10-27-2007 09:17 PM

3 Apprentice

 • 

15.6K Posts

October 27th, 2007 12:00

We now have a third confirmed BHO generating IEDefender:
 
In addition to the two cited above in message 5,
IEDefender can be produced by an IntelVideoCodec BHO (Browser Helper Object):
named IntelVideoDivX.dll, having ClassID 33A12BEB-3219-4CA8-99B4-733192704C62
 


Message Edited by ky331 on 10-30-2007 09:37 AM

1 Message

October 27th, 2007 18:00

Rec'd intelvideodivx.dll yesterday afternoon.  Norton didn't pick up on scans.  What do we do now??

3 Apprentice

 • 

20.5K Posts

October 27th, 2007 19:00

We can remove it manually if you post on the HijackThis Board.

Please download HJT Installer from Here to your desktop.
If not available use this alternate link: Here

Click the Download button.
When the Trend Micro HJT install box appears, double click on the HJTInstall.exe.
Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis
A shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder.
The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Close all open windows except HijackThis.
Click on "Do a system scan and save logfile". When the log pops up in Notepad, copy and paste that file as a NEW MESSAGE on the HijackThis Board.

Before closing HJT, please click on the Analyze This button. "Analyze This" is for Trendmicro use, and does not mean "Analyze My Log". You must post on the forum in order to receive an analysis of your log.

Close the web page that appears and then close the program HJT.

Posting Your Log:

1. Just click the New Message button in the HijackThis forum here: http://www.dellcommunity.com/supportforums/board?board.id=si_hijack
to start your own thread requesting assistance.
2. In the Message Body window that opens, simply Right-Click and select Paste.
3. Please add text to describe your symptoms.
4. Include in the message subject line a description of your problem. For example, "Popups warning of infection".
5. Make certain you post the entire log by clicking the Preview Post link at the bottom of the window and comparing it to the log from your scan before you click Submit Post

** Note: The box next to "Automatically convert carriage returns to HTML line breaks" should be checked if that appears at the bottom of your Message Body when composing your post.


* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or required.

3 Apprentice

 • 

20.5K Posts

October 27th, 2007 23:00

Thanks, Joe. That's interesting. Did you run RogueRemover to see if it would remove Adware Away? I'm just curious.

2 Intern

 • 

5.8K Posts

October 27th, 2007 23:00

Just to add to what ky331 said regarding salmon_coho's post:
 
I'm always skeptical of first-time posters linking to paid products.
 
So I downloaded and ran Adware Away, after taking due precautions.
 
The trial version of Adware Away detected 7 false positives- to remove I would have to purchase the program. For me, this is enough to label it not only a PUP, but also a rogue program.
 
So I'm not surprised to now discover that RogueRemover has also targeted Adware Away. To quote RR:
"Adware Away is a rogue antispyware utility that uses false positives to lure the user into buying the product."
 
 

3 Apprentice

 • 

15.6K Posts

October 28th, 2007 00:00

I'd also like to thank Joe for his excellent research and feedback here.

2 Intern

 • 

5.8K Posts

October 28th, 2007 00:00

Bugbatter:
 
RogueRemover detected 20 Adware Away files. It completely uninstalled Adware Away, but left a dead entry in Add or Remove Programs.
 
So I re-installed Adware Away, uninstalled via Add/Remove, and RogueRemover now only detected one file:
C:\WINDOWS\adway.lic
 
This file RR also successfully removed.
 

3 Apprentice

 • 

15.6K Posts

October 29th, 2007 20:00

Note:  I am reporting the following "as is" --- AdAware now claims to target IEDefender.   I don't have any first-hand (nor definitive) knowledge as to whether or not it is actually effective in removing this particular threat.
 
0030.00 is now available, new definition file for Ad-Aware 2007.
SE1R200 29.10.2007 is now available, new definition file for Ad-Aware SE.

New definitions:
====================
IEDefender +2
Win32.TrojanDownloader. IEDefender +3

Updated definitions:
====================
Win32.TrojanProxy.Bobax
Win32.Worm.Rontokbro
VirusRay

MD5 checksum is for core.aawdef:8cddf703cfd3e68e5445dd05bc95e69a
MD5 checksum is for defs.ref: ae058fd913aea8310291d7088073d76a

3 Apprentice

 • 

15.6K Posts

October 30th, 2007 12:00

We now have a fourth confirmed BHO generating IEDefender:
 
In addition to the three cited previously in this thread,
IEDefender can be produced by an IntelVideoCodec BHO (Browser Helper Object):
named IntelVideo.dll, having ClassID 04F7FAC5-F506-4F29-9094-9CB9144B192C
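
An added example, not part of the thread or any poster's code: a read-only check of a saved HijackThis log against the four BHO ClassIDs and DLL names reported in the posts above. The sample log lines, their paths and the helper name `flag_bhos` are constructed for illustration, and the code assumes the usual HijackThis `O2 - BHO: name - {CLSID} - path` line layout.

```python
import re

# ClassIDs and DLL names reported in this thread as BHOs generating IEDefender.
THREAD_BHOS = {
    "D99BACC6-6289-4D4F-8BAF-4192016AF547": "bDivX.dll",
    "48BF2BC0-2945-11D8-8CAC-00080FC65465": "IR9V0_QCX.dll",
    "33A12BEB-3219-4CA8-99B4-733192704C62": "IntelVideoDivX.dll",
    "04F7FAC5-F506-4F29-9094-9CB9144B192C": "IntelVideo.dll",
}
DLL_NAMES = {name.lower() for name in THREAD_BHOS.values()}

# Assumed O2 layout: "O2 - BHO: <name> - {CLSID} - <path to DLL>"
O2_LINE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r"\s+-\s+(?P<path>.+?)\s*$"
)

# Constructed sample log; names, paths and the non-thread ClassIDs are made up.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Example Reader Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\reader.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\EXAMPLE\bDivX.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\EXAMPLE\intelvideodivx.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

def flag_bhos(log_text):
    """Return (clsid, dll, reasons) for O2 entries matching the thread's list."""
    findings = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if not m:
            continue  # not a BHO entry
        clsid = m.group("clsid").upper()
        # Drop the "(file missing)" annotation, then keep only the file name.
        path = re.sub(r"\s*\(file missing\)$", "", m.group("path"))
        dll = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if clsid in THREAD_BHOS:
            reasons.append("clsid")
        if dll in DLL_NAMES:  # catches a listed DLL under a different ClassID
            reasons.append("filename")
        if reasons:
            findings.append((clsid, dll, reasons))
    return findings

if __name__ == "__main__":
    for clsid, dll, reasons in flag_bhos(SAMPLE_LOG):
        print(f"{{{clsid}}} {dll}: matched on {', '.join(reasons)}")
```

The check only reports matches; it changes nothing on the system, in keeping with the thread's advice to post the log and wait for a helper before fixing entries.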
 
