October 31st, 2007 by AndyAtHull
Once again, another fraudware application reaches the public, this time going by the name “IE Defender”.
The infection behind this is a “Browser Helper Object” which is installed in your Internet Explorer. This one hijacks your searches. The results of your searches in the engines state that you are infected with x, y and z when in fact you probably are not, other than the hijack itself. IE Defender then introduces itself as an application that informs you it will help with all your problems, when in fact those warnings are fake. Do not purchase anything!
Multimedia Decoder is associated with this.
IE Defender looks like this:

Over the years we have reported about rogues, but they have been getting out of hand. More rogues and hijacks appear out of the woodwork and more and more of you are victims of fraud. This is why we are here, so we can warn you ahead of any fraud being committed. Whilst there is other malware to report on and to try to shut down, this type of fraud is still at large. Hence why we blog about it. If you do wish to complain, then you can do so at MalwareComplaints. Tell your friend, neighbour and your boss!
So what are the details for IE Defender? Well, as with most of them, these are a part of Estdomains Inc and Inhoster, known organisations behind this fraudware. Inhoster are also blacklisted, or at least their IP is.
And its website is:
www(dot)iedefender(dot)com
If you manage to have this and need help, then make sure you visit our Malware Removal support forum. If English isn’t your first language then visit other ASAP sites with support sites for different languages.
Click here for an Automated Removal guide (IE Defender removal instructions).
Have you been a victim of this? Want to express your opinion? Then tell us!
Filed under
Rogue Programs, Security Related |
20 Comments »
October 25th, 2007 by AndyAtHull
“Shut down” in every sense that hopefully will happen.

Taken from their website, you can clearly see the words. Words that hopefully mean something. I have major doubts this is the last we will see from the people behind Direct Revenue, but then I could be surprised.
Our fellow friend and security researcher, Chris Boyd, shares a few stories about his experiences with this company over at Vitalsecurity.Org. Some good reads.
Do you think this is a good thing for computer users? Chat about it here.
Filed under
General, Security Related |
No Comments »
October 23rd, 2007 by AndyAtHull
You know I could go into detail about this and give you guys a never-ending-rant, but I won’t. Alex from SunBelt pretty much sums it up well.
“Our research leads us to believe that one major reason may be as a way for Zango to get an imprimatur of credibility. SmartShopper is in the TRUSTe Trusted Download Program, a fact that the SmartShopper folks are quite proud of, showcasing it prominently on their website. (Incidentally, and of some concern — SmartShopper is not listed on TRUSTe’s main list of trusted applications, but is, in fact, in the Trusted Download program. This is the second occurrence we’ve observed of “quiet” listings in TRUSTe.)”
It’s fun and interesting to read. So check it out and discuss here. Your view counts.
Filed under
General |
No Comments »
October 23rd, 2007 by AndyAtHull
We and several experts have discovered a new rogue in the wild, this one going by the name of VirusRay.
Site:
www(dot)virusray(dot)com
This one appears to self-install like previous rogues and looks very much like AntiVirGear, VirusProtectPro and, as far back as, VirusBursters, plus the rogues in between.
Just have a look:

Then click on the hyperlinks above to see what we mean. Brother and sister rogues. And, although the whois isn’t a weapon in this area, it does show signs of being hosted and run by the same organisation as previous rogues:
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: hxxp://www.estdomains.com
Domain Name: VIRUSRAY.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Creation Date: 17-Oct-2007
Expiration Date: 17-Oct-2008
Domain servers in listed order:
ns4.sigmacode.biz
ns3.sigmacode.biz
ns2.sigmacode.biz
ns1.sigmacode.biz
Its IP (85.255.119.126), which is the IP for Inhoster Hosting Company, is blacklisted.
Make sure you get 1st response help in our forums if you have been affected by this. We will help you remove this along with everything else that comes with it. Just navigate to our HijackThis Logs and Malware Removal forum for free assistance. Or follow the Automated VirusRay Removal Guide.
Additionally you can chat about this rogue in our forum. Let us know what you think of this. This post will be updated when we know more.
Filed under
Rogue Programs, Security Related |
No Comments »
October 17th, 2007 by AndyAtHull
It’s not often I post site news on our home page. Mainly because we are going about our business nicely in a good manner and I never feel the need to do so. However, let’s make an exception!
I very much consider this support site a community-based one rather than an Englishman running the show. Yes, I pay the bills, but we have a wide variety of people working at this site. Especially our support forums.
Basically we have some pretty big things coming up and before those come up we need your input! As you will notice, you should be able to see a poll structure to your right. Well, I explain everything here. Let’s work together and make a difference!
Filed under
Site News |
No Comments »
October 12th, 2007 by AndyAtHull
Lately I have been monitoring the search engines very closely for several reasons. I’ve been monitoring them so closely, I think I’m getting scared and obsessive!
The mass of rogue programs we get these days is pretty scary. You’d think rogues would die down like normal malware and disappear. Unfortunately this isn’t the case, as they prove to be a popular source of revenue. More and more rogues are being made to scam computer users. Some come with a zlob install, some are just fake, and others get spammed on forums in the hope of getting computer users to use the rogue and then end up being charged for removing something that isn’t there. Plus many other tactics.
But this isn’t my beef in this post. Not for today.
A few days after, when a new rogue has come to light, I tend to look into Google and see how far my articles and free removal guides rank compared to others. And frankly I am appalled at some of the tactics being used.
Not so much by free support forums like this, but at some companies who have programs I certainly don’t recommend regardless if they are free or not. And legit or not.
Because of this, one avenue to look into is the affiliate sections being used by these companies. Either they register a lot of domains and pretend to be an affiliate customer, or they spam on social networks like Digg.com and the like, thus pushing themselves higher in search engines. Some affiliate sites also tend to cross-link as well.
This is simply pushing free support forums further and further away from helping those in need. And more tactics like this are being used just to make money at the computer user’s expense, when in fact they may already have spent the $40 or so on the rogue itself! Never mind the removal tool they will purchase to remove the rogue. This is why free support forums like ours and those at ASAP and many other free forums are the best of the best. We simply don’t charge anyone for help.
If I had a magic wand, I’d make sure affiliate sites and companies that charge you for malware removal are gone from the internet. But we all know that won’t happen. Some drastically need to address their practices in order to provide the correct manner of assistance.
My tip: get help on free forums, which simply offer advice and step-by-step guidance and reassure you better than anyone.
Disclaimer - This is not directed at any major security vendor that offers free trials of its product.
Update - Due to the crash of an image program, no images will be added until tomorrow. Hopefully!
Filed under
General, Security Related |
No Comments »
October 10th, 2007 by AndyAtHull
Another one in the wild, Web Spy Shield. One starting to be picked out by guys like us. And to no surprise “Estdomains Inc” are involved!
Site :
www(dot)webspyshield(dot)com
HijackThis Entries (maybe not relevant to the normal user, but to us they are) :
- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
- O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
- O3 - Toolbar: WebSpyShield - {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} - C:\Program Files\WebSpyShield\WebSpyShield.dll
- O4 - HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe
Found by several researchers, Patrick Jordan tells us that:
“It installs a toolbar and an exe in a webspyshield folder however, it is a fake web based scam. You have to be connected for it to run and I would hate to think what anyone may pay for to register it as it is no real software but only a new form of their online scanner scams.”
So one to avoid then? For sure. Alternatively if you didn’t manage to avoid this, seek help in our forums. Help is free as always! Or discuss this matter in more detail here!
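The HijackThis entries listed above can be checked for mechanically. The Python below is an added example, not part of the original post or of HijackThis: it parses log lines and flags those matching the CLSIDs, install folder and start-page domain given in the entries. The sample log and the names check_entry and scan are constructed for illustration.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse
# Indicators copied from the HijackThis entries listed in the post.
ROGUE_CLSIDS = {
    "{DC87418B-0B2C-424E-900D-54F2ECE15B6B}",  # O2 BHO
    "{E4988DE7-C5DB-4173-96F9-AAC426AF7BCE}",  # O3 toolbar
}
ROGUE_DIR = "c:\\program files\\webspyshield\\"  # trailing backslash: that folder only
ROGUE_DOMAIN = "webspyshield.com"
ENTRY_RE = re.compile(r"^\s*(?:-\s+)?([A-Z]\d{1,2})\s+-\s+(.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
Finding = namedtuple("Finding", "section reasons line")

def check_entry(line):
    """Return a Finding if one log line matches an indicator, else None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2).strip()
    reasons = []
    if any(c.upper() in ROGUE_CLSIDS for c in CLSID_RE.findall(body)):
        reasons.append("clsid")
    if ROGUE_DIR in body.lower():
        reasons.append("path")
    if section in ("R0", "R1") and " = " in body:
        # Accept the defanged "(dot)" form used in write-ups as well as a live URL.
        url = body.split(" = ", 1)[1].strip().replace("(dot)", ".")
        host = (urlparse(url).hostname or "").lower()
        if host == ROGUE_DOMAIN or host.endswith("." + ROGUE_DOMAIN):
            reasons.append("start-page")
    return Finding(section, tuple(reasons), line.strip()) if reasons else None

def scan(log_text):
    return [f for f in map(check_entry, log_text.splitlines()) if f]

# Constructed sample log: the four entries from the post plus benign look-alikes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webspyshield(dot)com/scan.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: WebSpyShieldToolBarShower - {DC87418B-0B2C-424E-900D-54F2ECE15B6B} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O3 - Toolbar: WebSpyShield - {E4988DE7-C5DB-4173-96F9-AAC426AF7BCE} - C:\Program Files\WebSpyShield\WebSpyShield.dll
O4 - HKCU\..\Run: [WebSpyShield] C:\Program Files\WebSpyShield\WebSpyShield.exe
O4 - HKLM\..\Run: [Cleaner] C:\Program Files\WebSpyShieldRemover\tool.exe
"""
if __name__ == "__main__":
    print("\n".join(f"{f.section} [{','.join(f.reasons)}] {f.line}" for f in scan(SAMPLE_LOG)))
```

The O2 and O3 lines match on both CLSID and path, so the match survives if only one of the two is changed; the similarly named WebSpyShieldRemover folder is not flagged.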
Filed under
Rogue Programs, Security Related |
4 Comments »
October 9th, 2007 by AndyAtHull
… The one about Messenger Discovery Live and general add-ons for Windows Messenger?
Well, I’m not the only one with an opinion about this. Chris Boyd, aka PaperGhost, also highlights the dangers and very bad practice of the one I highlighted! What do you think? Tell us!
Update - I am watching the official support forum for this add-on daily. And all I can say is, “education” is required for the support staff of that forum. Let alone its users.