Periodically we get pop-ups, message boxes; system tray balloon tool tips about malware infection and urges the user to download some "recommended" anti-spyware applications:
When we click on empty area of Desktop (it's actually a webpage) or the URL shortcuts on Desktop, IE opens up dubious sites like Winantispyware(dot)com, Onlinestability(dot)com, Aboutyourprivacy(dot)com, Udefender(dot)com, Softwareferrel(dot)com etc and downloads fake anti-spyware applications. Some of the fake anti-spyware applications available for download are Privacy Protector and Udefender. The installers of both these rogue software are poorly detected by AVs. Following screenshots show Virus.org Malware Scanner results of Udefender and Privacy Protector installers:
Here's a screenshot of Privacy Protector displaying its exaggerated scan results:
Below screenshot of HijackThis shows the entries added by "NewMediaCodec" malware (tick-marked entries):
As we can see from the above screenshot, two DLLs are loaded using the SSODL (ShellServiceObjectDelayLoad) method. Explorer.exe loads these DLLs when Windows starts.
AVG AntiSpyware was able to detect and remove most of the files related to NewMediaCodec. But, it did not detect SSODL DLLs, Desktop/IE hijack page and some other files dropped by the malware. HijackThis, in Windows Safe Mode, can be used to remove the Desktop/IE hijacks, SSODL DLLs. However, it's advised to run a complete system scan using an online AntiVirus, like TrendMicro HouseCall or Kaspersky WebScanner. If you are not too sure about entries to be removed in HijackThis, post the HijackThis log at any of PC security forums, like CastleCops.
0 comments:
Post a Comment