October 31st, 2007 by
AndyAtHull
Once again another fraudware application reaches the public. This time going by the name “IE Defender”.
The infection behind this is a “Browser Helper Object” which is installed in your Internet Explorer. This one hijacks your searches. The results of your searches in the engines state that you are infected with x, y and z when in fact you probably are not, other than the hijack itself. IE Defender then introduces itself as an application that will help with all your problems, when in fact those warnings are fake. Do not purchase anything!
Multimedia Decoder is associated with this.
IE Defender looks like this:

Over the years we have reported about rogues, but they have been getting out of hand. More rogues and hijacks appear out of the woodwork and more and more of you are a victim of fraud. This is why we are here, so we can warn you ahead of any fraud being committed. Whilst there are other malware to report about and to try and shutdown, this type of fraud is still at large. Hence why we blog about it. If you do wish to complain, then you can do so at MalwareComplaints. Tell your friend, neighbour and your boss!
So what are the details for IE Defender? Well, as with most of them, these are a part of Estdomains Inc and Inhoster, known organisations behind this fraudware. Inhoster are also blacklisted, or at least their IP is.
And its website is:
www(dot)iedefender(dot)com
If you manage to have this and need help, then make sure you visit our Malware Removal support forum. If English isn’t your first language then visit other ASAP sites with support sites for different languages.
Click here for an Automated Removal guide (IE Defender removal instructions).
Have you been a victim of this? Want to express your opinion? Then tell us!
Filed under: Rogue Programs, Security Related
October 25th, 2007 by
AndyAtHull
“Shut down” in every sense that hopefully will happen.

Taken from their website, you can clearly see the words. Words that hopefully mean something. I have major doubts this is the last we will see from the people behind Direct Revenue, but then I could be surprised.
Our fellow friend and security researcher, Chris Boyd, shares a few stories about his experiences with this company over at Vitalsecurity.Org. Some good reads.
Do you think this is a good thing for computer users? Chat about it here.
Filed under: General, Security Related
October 23rd, 2007 by
AndyAtHull
You know I could go into detail about this and give you guys a never-ending-rant, but I won’t. Alex from SunBelt pretty much sums it up well.
“Our research leads us to believe that one major reason may be as a way for Zango to get an imprimatur of credibility. SmartShopper is in the TRUSTe Trusted Download Program, a fact that the SmartShopper folks are quite proud of, showcasing it prominently on their website. (Incidentally, and of some concern — SmartShopper is not listed on TRUSTe’s main list of trusted applications, but is, in fact, in the Trusted Download program. This is the second occurrence we’ve observed of “quiet” listings in TRUSTe.)”
It’s fun and interesting to read. So check it out and discuss here. Your view counts.
Filed under: General
October 23rd, 2007 by
AndyAtHull
We and several experts have discovered a new rogue in the wild. This one going by the name of VirusRay.
Site:
www(dot)virusray(dot)com
This one appears to self install like previous rogues and looks very much like AntiVirGear, VirusProtectPro and as far back as VirusBursters. Plus rogues in between.
Just have a look:

Then click on the hyperlinks above to see what we mean. Brother and sister rogues. And, although the whois isn’t a weapon in this area, it does show signs of being hosted and run by the same organisation as previous rogues:
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: hxxp://www.estdomains.com
Domain Name: VIRUSRAY.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Creation Date: 17-Oct-2007
Expiration Date: 17-Oct-2008
Domain servers in listed order:
ns4.sigmacode.biz
ns3.sigmacode.biz
ns2.sigmacode.biz
ns1.sigmacode.biz
Its IP (85.255.119.126), which is the IP for Inhoster Hosting Company, is blacklisted.
Make sure you get 1st response help in our forums if you have been affected by this. We will help you remove this along with everything else that comes with it. Just navigate to our HijackThis Logs and Malware Removal forum for free assistance. Or follow the Automated VirusRay Removal Guide.
Additionally you can chat about this rogue in our forum. Let us know what you think of this. This post will be updated when we know more.
Filed under: Rogue Programs, Security Related
October 17th, 2007 by
AndyAtHull
It’s not often I post sites news on our home page. Mainly because we are going about our business nicely in a good manner and I never feel the need to do so. However, let’s make an exception!
I very much consider this support site a community based one rather than an Englishman running the show. Yes I pay the bills, but we have a wide variety of people working at this site. Especially our support forums.
Basically we have some pretty big things coming up and before those come up we need your input! As you will notice, you should be able to see a poll structure to your right. Well, I explain everything here. Let’s work together and make a difference!
Filed under: Site News
October 12th, 2007 by
AndyAtHull
Lately I have been monitoring the search engines very closely for several reasons. I’ve been monitoring them so close, I think I’m getting scared and obsessive!
The mass line of rogue programs we get these days is pretty scary. You’d think rogues would die down like normal malware and disappear. Unfortunately this isn’t the case as it proves to be a popular source for revenue. More and more rogues are being made to scam computer users. Some come with a zlob install, some are just fake and others get spammed on forums in the hope of getting computer users to use the rogue and then end up being charged for removing something that isn’t there. Plus many other tactics.
But this isn’t my beef in this post. Not for today.
A few days after, when a new rogue has come to light, I tend to look into Google and see how far my articles and free removal guides rank compared to others. And frankly I am appalled at some of the tactics being used.
Not so much by free support forums like this, but at some companies who have programs I certainly don’t recommend regardless if they are free or not. And legit or not.
Because of this, one avenue to look into is the affiliate section being used by these companies. Either they register a lot of domains and pretend to be an affiliate customer or spam on social networks like Digg.com and the like. Thus prompting them to be higher in search engines. Some affiliate sites also tend to cross link as well.
This is simply pushing free support forums away from helping those in need more and more. And more tactics like this are being used just to gain money at the computer user’s expense while in fact they may have shed the $40 or so for the rogue itself! Never mind the removal tool they will purchase to remove the rogue. This is why free support forums like ours and those at ASAP and many other free forums are the best of the best. We simply don’t charge anyone for help.
If I had a magic wand, I’d make sure affiliate sites and companies that charge you for malware removal are gone from the internet. But we all know that won’t happen. Some drastically need to address their practices in order to provide the correct manner of assistance.
My tip; Get help on free forums which simply offer advice, step by step guidance and reassures you better than anyone.
Disclaimer – This is not directed at any major security vendor of which offer free trials of their product.
Update - Due to the crash of an image program, no images will be added until tomorrow. Hopefully!
Filed under: General, Security Related
October 10th, 2007 by
AndyAtHull
Another one in the wild, Web Spy Shield. One starting to be picked out by guys like us. And to no surprise “Estdomains Inc” are involved!
Site :
www(dot)webspyshield(dot)com
HijackThis Entries (maybe not relevant to the normal user, but to us they are) :
- R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
- O2 – BHO: WebSpyShieldToolBarShower – {DC87418B-0B2C-424E-900D-54F2ECE15B6B} – C:\Program Files\WebSpyShield\WebSpyShield.dll
- O3 – Toolbar: WebSpyShield – {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} – C:\Program Files\WebSpyShield\WebSpyShield.dll
- O4 – HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe
Screenshot:

Found by several researchers, Patrick Jordan tells us that:
“It installs a toolbar and an exe in a webspyshield folder however, it is a fake web based scam. You have to be connected for it to run and I would hate to think what anyone may pay for to register it as it is no real software but only a new form of their online scanner scams.”
So one to avoid then? For sure. Alternatively if you didn’t manage to avoid this, seek help in our forums. Help is free as always! Or discuss this matter in more detail here!
Filed under: Rogue Programs, Security Related
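An added example, not part of the original post: a small checker that parses HijackThis-style log lines, labels the R0/O2/O3/O4 sections used in the Web Spy Shield entries above, and flags lines matching the CLSIDs and folder name listed there. The function names (`parse_line`, `flag_entries`) and the sample log are constructed for illustration; the log uses the plain hyphen that HijackThis itself writes, and the parser also accepts the en dash shown in the post.

```python
import re

# Indicators copied from the HijackThis entries listed in the post.
PAGE_CLSIDS = {"{DC87418B-0B2C-424E-900D-54F2ECE15B6B}",   # O2 BHO
               "{E4988DE7-C5DB-4173-96F9-AAC426AF7BCE}"}   # O3 toolbar
PAGE_NAME = "webspyshield"
SECTIONS = {"R0": "IE start page value", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart entry"}

# "<code> - <rest>", with an optional list bullet and hyphen or en dash.
LINE_RE = re.compile(r"^\s*(?:-\s+)?([A-Z]\d{1,2})\s+[-\u2013]\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_line(line):
    """Return a dict for a HijackThis entry, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, rest = m.groups()
    return {"code": code, "kind": SECTIONS.get(code, "other"),
            "clsids": [c.upper() for c in CLSID_RE.findall(rest)],
            "detail": rest}

def flag_entries(log_text):
    """Return (code, kind, reason) for entries matching the indicators."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if PAGE_CLSIDS.intersection(entry["clsids"]):
            hits.append((entry["code"], entry["kind"], "CLSID match"))
        elif PAGE_NAME in entry["detail"].lower():
            hits.append((entry["code"], entry["kind"], "name/path match"))
    return hits

# Constructed sample log: two unrelated entries plus the four from the post.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
O2 - BHO: ExampleHelper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O3 - Toolbar: WebSpyShield - {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe
"""

if __name__ == "__main__":
    for hit in flag_entries(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

CLSID matches are checked first because the GUID survives a renamed folder or file, while the name match catches the start page and Run key entries that carry no CLSID.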
October 9th, 2007 by
AndyAtHull
… The one about Messenger Discovery Live and general add-ons for windows messenger?
Well I’m not the only one with an opinion about this. Chris Boyd, aka PaperGhost also highlights the dangers and very bad practice of the one I highlighted! What do you think? Tell us!
Update – I am watching the official support forum for this add-on daily. And all I can say is, “education” is required for the support staff of that forum. Let alone its users.
Filed under: General, Security Related
October 5th, 2007 by
AndyAtHull
All this week and last week we have asked our members to come up with a brand new slogan for Security Cadets. At present it stands at the following:
“Free Security Assistance, News and Information”
…. and in the forum it stands at:
“Free Malware Removal & Help Site Since 2006”
The first one is the slogan in our logo. That will change to the new one which gets decided by you and our members.
We’ve set up a dedicated topic in our forum for this so all you need to do is register and put your slogan forward.
At present the winner will get a link on our links page and also a possibility of a separate prize. It will close this coming Saturday and after the closing date we will put polls forward for you to vote on!
So visit the topic in the Comments & Suggestion Box and get involved with Security Cadets!
Filed under: Off Topic, Site News
October 5th, 2007 by
Corrine
After reading Sandi’s blog post yesterday — posted while she is on Holiday — I kept refreshing the IE Team Blog watching for the announcement of the re-release of IE7 for Windows XP. The announcement was finally made this morning {bold added in the quote}:
“Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we’re updating the IE7 installation experience to make it available as broadly as possible to all Windows users. With today’s “Installation and Availability Update,” Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users. If you are not already running IE7, you can get it now from the Internet Explorer home page on Microsoft.com, get a customized version from a third-party site, or, if you haven’t already received it via Automatic Updates, this version will be delivered to you as we described previously. If you are already running IE7, you will not be offered IE7 again by Automatic Updates.
Additionally, we’ve made minor changes to IE7 for Windows XP based on customer feedback:
- The menu bar is now visible by default.
- The Internet Explorer 7 online tour has updated how-to’s. Also, the “first-run” experience includes a new overview.
- We’ve included a new MSI installer that simplifies deployment for IT administrators in enterprises. Learn more about it here.
Thanks,
Steve Reynolds
Program Manager”
Actually, I think this bears repeating: “Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users.” With this change, even if you do not have WGA installed, there is no excuse now for Windows XP users not to upgrade to IE7. Do it today to take advantage not only of the additional security features, but the other major improvements to Internet Explorer.
Before installing IE7, please see the instructions for Preparing for and Installing IE7. If you have any questions or concerns before installing IE7, post your questions/concerns in the Microsoft Windows ® (98 – ME – 2K – XP – Vista) Forum.

Remember – “A day without laughter is a day wasted.”
May the wind sing to you and the sun rise in your heart…
Filed under: Microsoft