Swatkat's rants


Wednesday, 31 December 2008

Zlob fake codec rootkit removal procedure

Posted on 09:28 by Unknown
Lately there has been a rise in rootkit-based Zlob fake codecs and video players. The rootkit belongs to the TDSServ family and is difficult to remove with standard anti-malware tools. This post walks through removing these rootkit-based Zlob variants. The procedure applies to Zlob installers that drop a kernel-mode rootkit, such as BrakePlayer, Moon-Player, TurboPlayer and Light-Track.

The removal process consists of three steps:
  1. Removing rootkit driver file and its Registry entry
  2. Removing other malware files dropped by Zlob installer
  3. Removing stray "shell open command" entry (a.k.a malicious autorun.inf file)

Download the following tools and install them (do not run them as of now):
  1. GMER
  2. Malwarebytes' Anti-Malware (MBAM)

Removing rootkit driver file and its Registry entry:
  1. Launch GMER.exe. As soon as GMER starts, it performs a preliminary system scan. If it finds any traces of rootkit, it will ask you to run a full PC scan. Click "No" for this prompt.
  2. Now, click on the "Rootkit/Malware" tab and select only the "Services" checkbox (deselect all other scan options). Click the "Scan" button to start the scan. An example is shown in the screenshot below.


  3. GMER should show the rootkit service after the scan. Right-click on that entry and click "Delete Service". Click "Yes" for the prompts that pop up. An example screenshot is shown below.


  4. Reboot the PC.
  5. Run GMER again and repeat steps 1 to 4 (GMER will detect the same rootkit service a second time).

Note: If GMER does not detect any rootkit in its preliminary system scan (Step 1 above), then you may not have the kernel-mode rootkit variant of Zlob (or GMER is not detecting it ;)). Proceed to the next section.

Update: Zlob rootkit driver can also be removed using SysProt AntiRootkit. More information can be found here.


Removing other malware files dropped by Zlob installer:
  1. Run Malwarebytes' Anti-Malware (MBAM), click "Update" tab and then click "Check for updates" button to download latest malware database.
  2. Once the update completes, click "Scanner" tab and select the "Perform full scan" option. Select all the hard disk partitions (C:\, D:\ etc) and then click "OK" to start scan.
  3. Once the scan completes, remove all the malware that MBAM may report. An example screenshot is shown below.


  4. Reboot the PC.

Removing stray "shell open command" (a.k.a malicious autorun.inf file):
  1. Go to Start Menu > Search to open the Windows Search tool. Configure Search to look in system and hidden folders and files. Finally, search for files named autorun.inf. An example screenshot is shown below.


  2. These autorun.inf files contain a few commands that instruct Windows Explorer to run a Zlob malware file (generally %rootdrive%\resycled\boot.com) whenever a user double-clicks a drive icon. Delete all the autorun.inf files found in the roots of the hard disk partitions (for example C:\, D:\ etc.); if the file they reference (for example C:\resycled\boot.com) is still present, delete it as well.
  3. Reboot the PC.
Finally, run an online scan at F-Secure or TrendMicro to make sure that the PC is clean. Hopefully, the Zlob rootkit will be gone for good by this time!
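Step 2 of the last section describes what the malicious autorun.inf does. Here is an added Python example (mine, not part of the original post) that parses an autorun.inf of the kind described, lists every command Explorer would run from it ("open", "shellexecute" and each shell\<verb>\command) and resolves them to the files that must be deleted along with the .inf. The sample file embedded in it is constructed from the post's description (resycled\boot.com); scan_drive_roots is an assumed convenience for running the same check against C:\, D:\ and so on on a live machine. One caveat the post does not cover: Windows also caches autorun.inf commands under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, so after deleting the files it is worth checking that key for a leftover Shell\AutoRun\command pointing at boot.com.

```python
import ntpath
import os
import re
from typing import Dict, List

# Constructed sample modelled on the autorun.inf the post describes: every
# launch key points at <drive>\resycled\boot.com, so double-clicking the drive
# icon (or choosing Open/Explore) runs the malware instead of opening the drive.
# The junk line stands in for the filler these files often carry.
SAMPLE_AUTORUN_INF = """\
[autorun]
;a8sdf7 junk the parser must tolerate
open=resycled\\boot.com
shell\\open=Open
shell\\open\\command=resycled\\boot.com
shell\\explore=Explore
shell\\explore\\command=resycled\\boot.com
shellexecute=resycled\\boot.com
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

_LAUNCH_KEYS = ("open", "shellexecute")
_VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser: these files are often padded with
    junk lines and odd casing that a strict INI parser rejects."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> Dict[str, str]:
    """Every command Explorer may run from this file: 'open', 'shellexecute'
    and each shell\\<verb>\\command (icon, label and action are display-only)."""
    return {k: v for k, v in entries.items()
            if k in _LAUNCH_KEYS or _VERB_COMMAND.match(k)}


def _command_path(command: str) -> str:
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def resolve_targets(targets: Dict[str, str], drive_root: str) -> List[str]:
    """Absolute paths of the files those commands execute. Relative paths in
    autorun.inf are relative to the root of the drive the file sits on."""
    paths = set()
    for command in targets.values():
        path = _command_path(command)
        if path and not ntpath.isabs(path) and not path.startswith("%"):
            path = ntpath.join(drive_root, path)
        if path:
            paths.add(path)
    return sorted(paths)


def triage_autorun_text(text: str, drive_root: str) -> List[str]:
    """Files to delete alongside autorun.inf. A fixed-disk root has no
    legitimate reason to autorun anything, so every launch target is reported."""
    return resolve_targets(launch_targets(parse_autorun(text)), drive_root)


def scan_drive_roots(roots: List[str]) -> Dict[str, List[str]]:
    """On a live system, read <root>\\autorun.inf for each root given
    (e.g. ["C:\\\\", "D:\\\\"]) and return the launch targets found per root."""
    found: Dict[str, List[str]] = {}
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if os.path.isfile(inf):
            with open(inf, "r", encoding="latin-1", errors="replace") as fh:
                found[root] = triage_autorun_text(fh.read(), root)
    return found


if __name__ == "__main__":
    for key, cmd in launch_targets(parse_autorun(SAMPLE_AUTORUN_INF)).items():
        print(f"{key:24} -> {cmd}")
    print("delete:", triage_autorun_text(SAMPLE_AUTORUN_INF, "C:\\"))
```

The shell\open\command and shell\explore\command keys are the reason a double-click (and the right-click Open/Explore verbs) run boot.com: they override the default verbs for the drive, which is why the post calls this the stray "shell open command" entry.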
Labels: TDSServ rootkit removal, Zlob rootkit

Tuesday, 30 December 2008

Rogue security software video tutorials

Posted on 10:15 by Unknown
This is really hilarious. It seems that the rogue software gang decided to improve the out-of-box experience (OOBE) of their software! They now have video tutorials on YouTube that show how to run an online malware scan and how to remove malware using their software, for FREE! Check out these screenshots of the video:


Here are the links to some videos:
http://www.youtube.com/watch?v=jykJ1erupZ4
http://www.youtube.com/watch?v=FSQ0WpoyZJo

Video uploaders' profiles:
http://www.youtube.com/user/AntiVirusSpywareMalw
http://www.youtube.com/user/OkThisJustAnti

The website mentioned in those tutorials, www.antiviruson.com (89.111.176.21), redirects to another website that hosts the System Security rogue application. Do NOT follow the steps shown in those tutorials ;)

Sunday, 28 December 2008

Zlob updates

Posted on 09:35 by Unknown
The Zlob gang does not seem to be in a holiday mood: they are churning out more domains to spread their badware. Here are some of the new domains and IP addresses:

94.247.3.232
216.240.151.112
78.159.99.52
www.newdllsolution.com (92.241.163.90)
http://brakeplayer.net (94.247.2.183)


One of the sites mentioned above, http://brakeplayer.net (94.247.2.183), hosts a fake media player installer called BrakePlayer. This installer actually installs a nasty kernel-mode rootkit. The following screenshot shows the kernel-mode hooks installed by the rootkit driver:


The backdoor component of this rootkit establishes a connection with the remote rogue server 85.255.112.188 (whois). Note that this server sits in the same 85.255.112.x range as the rogue name servers added by the Moon-Player variant. VirusTotal scan results for the installer and rootkit driver files can be found here and here respectively.

Update: BrakePlayer removal procedure has been posted here. Hope that helps :)

Friday, 26 December 2008

New rogue: System Security

Posted on 08:18 by Unknown
System Security is a new rogue security application. The installer is hosted at http://webnetworksecurity.com (91.211.64.31). Here's a screenshot of System Security:


VirusTotal scan results for the installer can be found here. BleepingComputer has a removal guide here.

Monday, 22 December 2008

Zlob updates

Posted on 09:20 by Unknown
Here are some of the new Zlob trojan spreading domains:

http://vidzwares.com (92.241.163.90)
http://light-player.net (94.247.2.183)
http://fire-player.net (93.190.140.48)
http://downloadallsoft-now.com (94.247.3.228)
http://myprivatetubes09.net (91.208.0.221)


One Zlob variant (named wmpcdcs.exe, hosted at http://myprivatetubes09.net) uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to communicate with rogue servers and transfer data. Since BITS is a trusted Windows component, personal firewalls generally do not block it, which makes it easy for malware to download files from remote servers (info here and here). BITS jobs also survive reboots and are easy to overlook; on a suspect machine, bitsadmin /list /allusers /verbose lists every job together with its remote URL, so unfamiliar jobs stand out. An automated analysis of this malware is available at ThreatExpert here.

Sunday, 21 December 2008

Antivirus 360 featured in top PC magazines and antivirus certification labs!

Posted on 03:54 by Unknown
No, we are not talking about Norton 360, which is genuine security software. This is about Antivirus 360, one of the latest rogue security applications (info here).

Now the gang responsible for Antivirus 360 has gone one step further! Their new site, http://anti-viruspcscanner.com (78.46.216.238), claims that Antivirus 360 has been rated as a top antivirus solution by reputable publications such as Computer Shopper, LAPTOP Magazine, PC Magazine, Computer Active, PC Advisor and CNET.



Apart from this, they also blatantly display Virus Bulletin, West Coast Labs Checkmark and ICSA Labs certifications, which are obviously fake!


All these fake recommendations and a deceptive name may lead an unsuspecting PC user to download Antivirus 360 onto their PC.


As per the site http://anti-viruspcscanner.com (78.46.216.238), the company responsible for Antivirus 360 is:
BOLZAR LIMITED Arch. Makariou III. 69. TLAIS TOWER. P.C. 1070. Nicosia, Cyprus.
Contact email: company@Antivirus360pro.com


And it seems that BOLZAR LIMITED (http://bolzar.biz (216.195.62.169)) develops a few other fake security products as well:
Antivirus Security - http://antivirussecurity-solution.com/ (89.149.255.191)
Antispyware32 - http://antispyware32.com/ (84.16.231.194)

VirusTotal scan result of Antivirus 360 is available here. An automated analysis of Antivirus 360 is available at ThreatExpert. Stay away from these rogues :)

Saturday, 22 November 2008

eCard worm: The new batch!

Posted on 08:52 by Unknown
After a brief period of inactivity, eCard-themed spam mails seem to be back in action. As usual, these mails carry links to malware masquerading as e-greeting cards. Here are some examples of eCard mails (note that the From header is spoofed):




This eCard malware is an mIRC-based backdoor, and most AVs detect it. The dropper is actually a self-extracting (SFX) archive; the following screenshot shows the files bundled in it:



When run, the dropper installs an mIRC client and also installs a WH_KEYBOARD hook (via SetWindowsHookEx) to log keystrokes. The mIRC client tries to establish connections with the remote servers 89.46.165.197 (whois) and 210.51.167.75 (whois). An automated analysis of this malware is available at ThreatExpert.

Wednesday, 19 November 2008

Zlob and Vundo team up!

Posted on 19:51 by Unknown
Recently I noticed a few rogue websites pushing both the Zlob fake codec and the Vundo trojan. Usually Vundo spreads in the form of keygens or cracks; now the gang behind Vundo seems to be collaborating with the Zlob gang to spread malware as fake codecs!

Here's one such website, aaibberlinoschlosschn.com.cn (69.61.96.245), hosting both Vundo and Zlob. A Zlob installer is offered for download when the "Continue" button is clicked, and a Vundo dropper is delivered when the "Download free player" link is clicked.



VirusTotal scan results for Zlob and Vundo droppers are available here and here respectively.

Friday, 7 November 2008

Moon-Player

Posted on 09:16 by Unknown
Moon-Player is one of the latest fake video codecs/players from the Zlob/DNSChanger gang! The Moon-Player installer is delivered by the standard Zlob fake-codec trick. An example of a dropper website and the installer is shown here:




The Moon-Player installer is hosted at http://moon-player.com (203.169.164.18) (whois info). This particular Zlob variant is highly dangerous, as it drops rootkit-based spyware and also adds malicious DNS servers. The following HijackThis entry shows the rogue name servers written to the interface's NameServer value:

O17 - HKLM\System\CCS\Services\Tcpip\..\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: NameServer = 85.255.112.143;85.255.112.94

These name servers are located in Ukraine; whois information can be found here and here. Because every DNS lookup on the PC then goes through attacker-controlled resolvers, any site the user visits can be silently redirected, so removing the malware files without restoring the NameServer value leaves the redirection in place.

The rootkit component is a user-mode rootkit that hides files by hooking ntdll.dll APIs. The following screenshots show the hidden file and the hooked APIs:



The rootkit also injects a DLL into a few standard Windows processes (alg.exe and spoolsv.exe), as shown in the screenshot below.


The injected DLL C:\Windows\System32\Dll.dll does not actually exist; the file really injected is C:\Windows\Temp\tempX.tmp (where X is a random number). This can be seen from the DLL information shown by IceSword. It seems that the injected module overwrites its own name in the loader module list kept in the process PEB with a dummy, non-existent path, so any tool that enumerates modules through the PEB reports the fake name.


VirusTotal scan result of the installer can be found here. An automated analysis of the installer can be found at this ThreatExpert page.

Update: A Zlob (Moon-Player and other fake video players) rootkit removal tutorial has been posted here.

Monday, 3 November 2008

SysProt AntiRootkit v1.0.0.7 released!

Posted on 08:07 by Unknown
Here's a quick update on SysProt AntiRootkit. Various improvements were made to SSDT hook detection and the hidden-files scanning feature, and the result is the latest release - SysProt AntiRootkit v1.0.0.7.

Download SysProt AntiRootkit v1.0.0.7 from MajorGeeks. Your feedback is welcome :)

Supported operating systems: Windows 2000/XP/2003 32 bit.

Sunday, 2 November 2008

SysProt AntiRootkit v1.0.0.6 released!

Posted on 10:11 by Unknown
Here comes the latest version of SysProt AntiRootkit, with various improvements over the previous version. The following list summarizes the improvements in SysProt AntiRootkit v1.0.0.6:
  • Improved hidden drivers and services detection
  • Improved driver/service disabling feature
  • Improved process killing mechanisms
  • Added DLLs view for processes (double-click on a process to see loaded DLLs)
  • Brand new hidden and locked files/folder scanning
  • Color coded display (hidden items are displayed in red color)
  • Ability to filter the display to show only hidden items
  • Various optimizations in driver for better performance and stability

Here are some screenshots which show SysProt AntiRootkit v1.0.0.6 in action:
Processes view:


DLLs of a process:


Hidden drivers:


Hidden and locked files:


SSDT hooks:

Download SysProt AntiRootkit v1.0.0.6 from MajorGeeks. Feedback is welcome :)

MSoftCodec

Posted on 01:47 by Unknown
MSoftCodec is yet another fake codec belonging to the Zlob trojan family. The dropper, MSoftCodec.exe, is hosted at 1st-download-software-base.net (206.51.225.218) (whois info). As of now, detection is poor, as this VirusTotal scan demonstrates.

Sunday, 26 October 2008

Fake DivX codec

Posted on 01:36 by Unknown
Here's a new Zlob fake codec variant, which touts itself as a DivX codec. The dropper is named DivXCodecPKG.7.exe and is hosted at http://softawe-download-forpc.com (66.232.126.78). Whois information for this domain can be found here.



As of now, AV detection is poor. The VirusTotal scan result can be found here.

Tuesday, 21 October 2008

Chandrayaan-1 launched successfully

Posted on 19:20 by Unknown
Quick update! The Chandrayaan-1 has been successfully launched and placed in its orbit. Get more info here.

Chandrayaan-1 – The countdown begins!

Posted on 08:02 by Unknown
Chandrayaan-1 is an unmanned lunar exploration mission by the Indian Space Research Organisation (ISRO), and is India's first Moon mission.



Chandrayaan-1 is carrying 11 payloads - 5 Indian and 6 from other international space agencies - for conducting various experiments. More information about Chandrayaan-1 is available here:

Chandrayaan-1 Mission brochure
Chandrayaan-1 photos
Payloads and experiments
PSLV Launch Vehicle

And we are all set for launch! The launch is scheduled for 22 October 2008 at 0550 hrs IST. Catch the live webcast at the ISRO website.

Wednesday, 1 October 2008

Spyware Guard 2008

Posted on 08:42 by Unknown
Spyware Guard 2008 is a new rogue application. Does that name sound familiar? Well, yes, there is a legitimate application named SpywareGuard (note that there is no space between Spyware and Guard, and no 2008) from Javacool Software. Please do not confuse the two!

Spyware Guard 2008 is hosted at www.spywareguard2008.com (67.19.176.187), registered by ESTDomains (whois lookup). Here's a screenshot of the website:



The same IP address, 67.19.176.187, also hosts a fake online video page at http://porn-movies-online.net, which pushes yet another Zlob fake codec variant hosted at http://pyroscanner.com (67.19.176.188).



By the way, the Spyware Guard 2008 installer is named SpywareGuard2008.exe, and here's how the rogue application looks:



VirusTotal scan results of the installer can be found here. Stay away from this rogue!

Update: SpywareGuard2008 removal guide can be found here.

Sunday, 21 September 2008

Zlob fake codec updates

Posted on 22:59 by Unknown
Here are some more Zlob domains:

soft-download-channel.com (66.232.126.193)
liveupdateservice.cn (91.203.92.47)


And, here's one more domain that offers fake MP3 files for download. The MP3 files are actually Zlob fake codecs hosted at mediamswares.com (info here):

mp3lized.com (78.157.143.200)

Zlob fake codec updates

Posted on 02:08 by Unknown
New Zlob fake codec domains:

theprivatetube.com (78.157.143.191)
softload2008jq.com (78.157.143.250)
91.203.93.26

Saturday, 20 September 2008

Zlob fake codec updates

Posted on 04:39 by Unknown
More fake codec distributing domains:

http://xh-codec.net (78.157.142.111)
http://mediamswares.com (77.91.231.183)
http://movsdlls.com (77.91.231.201)

Saturday, 13 September 2008

Total Secure 2009 and Google search poisoning

Posted on 00:21 by Unknown
Total Secure 2009 is one of the new batch of rogue security applications. Its installer generally masquerades as a fake codec (Zlob!) and registers a Browser Helper Object (BHO) in Internet Explorer. Here's the HijackThis entry for one such BHO:

O2 - BHO: Apaps - {EC748705-E0FD-4671-9AFF-890579E57450} - C:\WINDOWS\system32\gaspt.dll

Running inside the browser, this BHO rewrites Google search results so that the first few results always lead to Total Secure 2009 download links. Here's an example of the search result poisoning by the Total Secure 2009 dropper:



You can follow the steps given here to get rid of this malware.

Friday, 12 September 2008

Zlob fake codec updates

Posted on 23:52 by Unknown
These are some new Zlob pushing domains:

free-download-basez.com (74.50.117.68)
wmmsupdate.com (77.91.231.201)
metavideotube.com (78.157.143.191)
codecdownload.trustedsoftportal07.net (74.50.117.89)
softload2008mx.com (78.157.143.250)
downloadtorun.com (91.203.93.25)


Stay away from them ;)

Wednesday, 10 September 2008

More fake MP3 download sites

Posted on 12:47 by Unknown
A few months ago I blogged about fake MP3 download sites that were pushing Zlob and other malware. Here are some more domains using the same trick:

mp3lisious.com (78.108.177.112)
Name servers:
ns1.mp3lisious.com (78.108.177.112)
ns2.mp3lisious.com (78.108.177.118)
Registrar: RegTime.net Limited
Creation date: 2008-09-10
Expiration date: 2009-09-10
Registrant: Alex Bearns
Email: alex.bearns.domain.reg@gmail.com
Organization: Private person
Address: PO Box 92
City: Prague
State: CZ
ZIP: 4729
Country: CZ
Phone: 420.221700111


highratedmp3.com (78.108.177.113)
Registration Service Provided By: ESTDOMAINS INC
Website: http://www.estdomains.com
Domain Name: HIGHRATEDMP3.COM
Registrant: Evgenij Dobrolubov clip@neverseenclips.com
ul Sovetskaja 89
Toljati
Not Applicable 445000
RU
Tel. 7.8482485109
Creation Date: 30-Jun-2008
Expiration Date: 30-Jun-2009
Domain servers in listed order:
ns2.highratedmp3.com
ns1.highratedmp3.com
Status: ACTIVE




The MP3s offered for download are actually Zlob fake codecs hosted at wplayerware.com.

Zlob fake codec updates

Posted on 12:25 by Unknown
Here are some of the latest Zlob distributing domains:

favoritetube.net
trustedware.com
wplayerware.com
codecdownload.trustedsoftportal2009.net

Tuesday, 9 September 2008

Zlob fake codec updates

Posted on 09:17 by Unknown
Here are some more new Zlob pushing websites:

http://gothotvidtosee.com
http://imagesaccess.com
http://myveryprivatevid.com
http://watchmovie2009.com
http://softload2009.com
http://www.pwrware.com
http://yebanulisohuenno.com
http://u-software-online.com


VirusTotal scan results for the malware pushed by the above-mentioned sites can be found here, here and here.

Monday, 8 September 2008

AntiVirus 2009 updates

Posted on 14:14 by Unknown
Here's one more site pushing AntiVirus 2009 rogue security software:

http://googlescanners-360.com/



AntiVirus 2009 replaces the actual Windows Security Center applet in Control Panel with a fake version, which contains links to dubious websites. The fake Control Panel applet is named scui.cpl, whereas the genuine Windows Security Center applet is %SystemRoot%\system32\wscui.cpl; any Control Panel item claiming to be Security Center but pointing at a differently named .cpl should be treated as suspect. See if you can spot the fake in the screenshots below ;)




Antispyware Pro XP

Posted on 13:56 by Unknown
One more rogue application, called Antispyware Pro XP, is out in the wild. The fake online scanner at http://scan.antispyware-free-scanner.com/ looks like this:



It pushes an installer that is hosted at http://files.as-pro-xp-download.com/. This installer downloads the actual rogue application executable.



And, finally the rogue application looks like this!



Detection of the installer and the rogue executable is poor at the moment. VirusTotal scan results for the installer and the rogue application executable can be found here and here respectively.

Sunday, 7 September 2008

Zlob fake codec updates

Posted on 12:19 by Unknown
Here are some new Zlob peddling sites:
http://soft-upgrade-network.com
http://tube-911.com


The fake codec is named LcodecPlus and detection is poor at this point in time; the engines flagging it are:

File LcodecPlus.v.1.0.exe
Avast - Win32:Agent-ABHP
GData - Win32:Agent-ABHP
Microsoft - TrojanDownloader:Win32/Renos.Y


Complete VirusTotal scan report can be found here.

PrivateContent and fake Google Toolbar BHO

Posted on 04:27 by Unknown
The gang behind rogue security software has taken a new approach to peddling malware. Instead of fake codecs, they are now offering an "Access Code Generator" called PrivateContent, which supposedly grants access to online videos. Obviously, the access code generator is fake!



PrivateContent.exe is hosted at http://teens.niche-planet.com and is not well detected as of now. The engines flagging it at VirusTotal are (complete scan results can be found here):

File PrivateContent.exe
AntiVir 7.8.1.28 - TR/Drop.Agent.vsu
Prevx1 V2 - Malicious Software
Webwasher-Gateway - Trojan.Drop.Agent.vsu


PrivateContent.exe drops a DLL named googletoolbar1.dll in the %ProgramFiles%\Google directory and registers it as an Internet Explorer BHO under the same CLSID and display name as the genuine Google Toolbar Helper, so the HijackThis entry looks exactly like a legitimate Google Toolbar install:

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4D91-8333-CF10577473F7} - C:\Program Files\Google\googletoolbar1.dll

Surprisingly, this fake googletoolbar1.dll is not detected by any of the AVs at VirusTotal (scan results can be found here).

The fake googletoolbar1.dll generates pop-ups and ads and tries to install rogue security software. The screenshots below show it in action:
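The O2 line above, the gaspt.dll BHO in the Total Secure 2009 post and the O17 NameServer line in the Moon-Player post are all one-line HijackThis entries, and a small parser can triage them. The Python below is an added example, not part of the original posts: it pulls O2 and O17 lines out of a log, flags resolvers that fall in the 85.255.112.x range the posts report (a prefix I assume from those IPs, not a published blocklist) or that are not the expected ones, and checks each BHO's CLSID and path against an allowlist. The log excerpt is constructed from the lines on this page plus one made-up benign BHO and one private resolver; the allowlists are assumptions. Its point is also the limit of such checks: the fake googletoolbar1.dll registers under the genuine Google Toolbar Helper CLSID in the genuine directory, so it passes the path check and is reported only as "verify file hash/signature" - which is exactly why VirusTotal was needed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed log excerpt. The O17 line is the one from the Moon-Player post and
# the Google/Apaps O2 lines are from the PrivateContent and Total Secure 2009
# posts; the "Example Vendor" BHO and the 192.168.1.1 resolver are made-up filler.
SAMPLE_HJT_LOG = """\
O2 - BHO: Example Vendor Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example Vendor\\helper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4D91-8333-CF10577473F7} - C:\\Program Files\\Google\\googletoolbar1.dll
O2 - BHO: Apaps - {EC748705-E0FD-4671-9AFF-890579E57450} - C:\\WINDOWS\\system32\\gaspt.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: NameServer = 85.255.112.143;85.255.112.94
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{9D4C2A1B-0000-4000-8000-000000000002}: NameServer = 192.168.1.1
"""

# Assumed allowlist: CLSID -> directory the genuine DLL is installed under.
KNOWN_BHO_DIRS: Dict[str, str] = {
    "AA58ED58-01DD-4D91-8333-CF10577473F7": "c:\\program files\\google\\",
    "11111111-2222-3333-4444-555555555555": "c:\\program files\\example vendor\\",
}
# Prefix assumed from the 85.255.112.x resolvers the posts report; the
# allowlist is whatever DHCP/the ISP legitimately hands out on this network.
ROGUE_DNS_PREFIXES = [ipaddress.ip_network("85.255.112.0/24")]
ALLOWED_DNS = {"192.168.1.1"}

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)\s*$")
_O17 = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.;, ]+?)\s*$")


def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Pull O2 (BHO) and O17 (NameServer) entries out of a HijackThis log."""
    entries: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = _O2.match(line)
        if m:
            entries.append({"type": "O2", **m.groupdict()})
            continue
        m = _O17.match(line)
        if m:
            entries.append({"type": "O17", **m.groupdict()})
    return entries


def triage_bhos(entries, known=KNOWN_BHO_DIRS) -> List[Tuple[str, str]]:
    """(path, verdict) per BHO. A matching CLSID and directory proves nothing
    on its own: the fake googletoolbar1.dll passes this check, so such files
    still need their hash or digital signature verified."""
    out = []
    for e in entries:
        if e["type"] != "O2":
            continue
        clsid, path = e["clsid"].upper(), e["path"]
        if clsid not in known:
            out.append((path, "unknown BHO: review"))
        elif path.lower().startswith(known[clsid]):
            out.append((path, "known CLSID, expected directory: verify file hash/signature"))
        else:
            out.append((path, "known CLSID but unexpected path: suspicious"))
    return out


def triage_nameservers(entries, allowed=ALLOWED_DNS, rogue=ROGUE_DNS_PREFIXES):
    """(interface key, server, verdict) per configured resolver."""
    out = []
    for e in entries:
        if e["type"] != "O17":
            continue
        for raw in re.split(r"[;, ]+", e["servers"]):
            if not raw:
                continue
            ip = ipaddress.ip_address(raw)
            if raw in allowed:
                verdict = "allowed"
            elif any(ip in net for net in rogue):
                verdict = "matches known rogue resolver prefix"
            elif ip.is_private:
                verdict = "private resolver not in allowlist: review"
            else:
                verdict = "public resolver not in allowlist: suspicious"
            out.append((e["key"], raw, verdict))
    return out


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_HJT_LOG)
    for row in triage_bhos(ents) + triage_nameservers(ents):
        print(" | ".join(row))
```

The resolver check is the more reliable of the two: a public name server that neither the ISP nor the administrator configured is wrong regardless of what else is on the machine, and fixing it means restoring the NameServer value, not just deleting files.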




Saturday, 6 September 2008

Fake Windows Media Player!

Posted on 01:40 by Unknown
Here's a rogue website that fakes Windows Media Player. This time the gang behind these websites has paid a good amount of attention to detail. The fake player first pretends to "search" update.microsoft.com for codecs and then offers a (fake, obviously!) codec for download. Here are some screenshots of the fake player:







The codec is named Megazcodec and is hosted at http://megazcodec.com. Megazcodec is yet another Zlob/DNSChanger variant; however, it is not well detected as of now. The engines flagging it at VirusTotal are:

File megazcodec.v3.104.exe
AntiVir 7.8.1.28 - TR/Dropper.Gen
BitDefender - Trojan.DNSChanger.VD
Ikarus - Win32.SuspectCrc
Sunbelt 3.1.1610.1 - Media Code, Inc (v)
Webwasher-Gateway - Trojan.Dropper.Gen


Complete VirusTotal scan result can be found here.

Zlob fake codec updates

Posted on 01:18 by Unknown
Here are some of the new Zlob pushing websites:
http://getqtysoftware.com
http://softwareportal2008.com
http://www.favoredmovie.com
http://megazcodec.com
http://www.plupdate.com

Stay away from these sites...

Wednesday, 3 September 2008

Windows Filtering Platform (WFP) user mode examples

Posted on 12:13 by Unknown
So far, in Windows 2000/XP/2003 the packet filtering APIs (the PfXxx APIs) were used to implement TCP/IP packet filtering applications and firewalls. These PfXxx APIs are discontinued in Windows Vista/2008. Instead, Vista contains a completely new filtering engine called the Windows Filtering Platform (WFP), which exposes APIs through which packet filtering can be achieved. I thought of writing a simple class that encapsulates these APIs; it might help if you are planning to use the WFP APIs. The article can be found here. That article is just a starting point, and you can do much more with WFP. These pages give more information about WFP:
WFP Management API Reference
WFP structures Reference
Windows SDK 2008
Visual Studio 2008

Sunday, 24 August 2008

Windows Automatic Update fails to install updates!

Posted on 01:12 by Unknown
Sometimes Automatic Update in Windows behaves in a weird manner: it downloads all the updates but fails to install them. The installation fails with error code 0x8007F0EA. An example screenshot is shown below:



This issue can be fixed by reinstalling the Windows Update Agent, by following the steps mentioned below:

  • Download wuredist.cab file from here.

  • Open wuredist.cab with any archive tool and extract the wuredist.xml file it contains.

  • Open wuredist.xml in a text editor. The contents of the file will be something like this:
    <?xml version="1.0" ?>
    <WURedist>
    <StandaloneRedist Version="30">
    <architecture name="x86" clientVersion="7.0.6000.381" downloadUrl="http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.0.6000.381/WindowsUpdateAgent30-x86.exe"/>
    <architecture name="x64" clientVersion="7.0.6000.381" downloadUrl="http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.0.6000.381/WindowsUpdateAgent30-x64.exe"/>
    <architecture name="ia64" clientVersion="7.0.6000.381" downloadUrl="http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.0.6000.381/WindowsUpdateAgent30-ia64.exe"/>
    <MUAuthCab RevisionId="6" DownloadURL="http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/MUAuth.cab"/>
    </StandaloneRedist>
    </WURedist>

  • As you might have guessed, this XML file contains download links to the Windows Update Agent installer for the different architectures: x86 (32-bit PCs), x64 (64-bit) and ia64 (Intel Itanium). Copy the download link matching your system architecture and download the installer. For example, on a 32-bit PC the corresponding installer is WindowsUpdateAgent30-x86.exe. Only use a link whose host is download.windowsupdate.com, and before running the downloaded file check that it carries a valid Microsoft digital signature (right-click > Properties > Digital Signatures).

  • Open Command Prompt and navigate (using "cd" command) to the folder where Windows Update Agent installer is present. Finally, run the following command to reinstall the Windows Update Agent:
    WindowsUpdateAgent30-x86.exe /wuforce


Reboot the PC and try running Automatic Updates again.
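The architecture selection in the steps above can be scripted. The Python below is an added example (not from the original post): it parses the wuredist.xml shown above, picks the installer entry for the running machine, refuses any download link whose host is not download.windowsupdate.com (the cab is fetched over plain HTTP, so checking the host is the least one should do before running what it points to; TRUSTED_HOSTS and the machine-name mapping are my assumptions) and produces the /wuforce command line from the last step.

```python
import platform
import xml.etree.ElementTree as ET
from typing import Tuple
from urllib.parse import urlparse

# The wuredist.xml from the post, embedded so the example runs offline.
WUREDIST_XML = """<?xml version="1.0" ?>
<WURedist>
<StandaloneRedist Version="30">
<architecture name="x86" clientVersion="7.0.6000.381" downloadUrl="http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.0.6000.381/WindowsUpdateAgent30-x86.exe"/>
<architecture name="x64" clientVersion="7.0.6000.381" downloadUrl="http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.0.6000.381/WindowsUpdateAgent30-x64.exe"/>
<architecture name="ia64" clientVersion="7.0.6000.381" downloadUrl="http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.0.6000.381/WindowsUpdateAgent30-ia64.exe"/>
<MUAuthCab RevisionId="6" DownloadURL="http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/MUAuth.cab"/>
</StandaloneRedist>
</WURedist>
"""

# Hosts the installer may legitimately come from (an assumption for this check).
TRUSTED_HOSTS = {"download.windowsupdate.com"}

# platform.machine() spellings mapped onto the names used in wuredist.xml.
_ARCH_BY_MACHINE = {
    "x86": "x86", "i386": "x86", "i686": "x86",
    "amd64": "x64", "x86_64": "x64",
    "ia64": "ia64",
}


def arch_for_machine(machine: str) -> str:
    """Translate platform.machine() output into an <architecture name=...>."""
    try:
        return _ARCH_BY_MACHINE[machine.lower()]
    except KeyError:
        raise ValueError(f"unsupported architecture: {machine!r}") from None


def installer_for(xml_text: str, arch: str) -> Tuple[str, str]:
    """Return (clientVersion, downloadUrl) for the given architecture."""
    root = ET.fromstring(xml_text)
    for node in root.iter("architecture"):
        if node.get("name") == arch:
            return node.get("clientVersion"), node.get("downloadUrl")
    raise LookupError(f"no installer listed for {arch}")


def is_trusted_url(url: str) -> bool:
    """Refuse anything not served from a Microsoft update host: a tampered
    wuredist.cab could point the reader at any executable."""
    return urlparse(url).hostname in TRUSTED_HOSTS


def choose_installer(xml_text: str, machine: str) -> Tuple[str, str, str]:
    """(version, url, reinstall command) for this machine, or ValueError
    if the XML points somewhere other than a trusted host."""
    version, url = installer_for(xml_text, arch_for_machine(machine))
    if not is_trusted_url(url):
        raise ValueError(f"refusing installer from untrusted host: {url}")
    filename = url.rsplit("/", 1)[-1]
    return version, url, f"{filename} /wuforce"


if __name__ == "__main__":
    version, url, command = choose_installer(WUREDIST_XML, platform.machine())
    print(f"Windows Update Agent {version}\n  download: {url}\n  then run: {command}")
```

The host check only guards the link; the downloaded executable still needs its Microsoft digital signature verified before it is run.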

Saturday, 23 August 2008

Zlob fake codec updates

Posted on 05:53 by Unknown
Here are some websites that are pushing new, not-so-well detected Zlob fake codecs. Most of these variants drop junk like fake security programs, security toolbars etc.
http://codecdownload.bigfreesoftarchive.net (VirusTotal scan result)
http://aviupdate.com (VirusTotal scan result)
http://mydownloadbackup.com (VirusTotal scan result)
http://www.swfapplication.com (VirusTotal scan result)

Wednesday, 18 June 2008

Canadian Pharmacy spammers target Microsoft - Part 2!!

Posted on 12:14 by Unknown
Now, Canadian Pharmacy spammers are directly targeting MSN! Spam mails now contain the following text:

About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052


However, as usual all the links lead to dubious healthcare websites. Check out the screenshots below:


Sunday, 8 June 2008

Canadian Pharmacy spammers target Microsoft!

Posted on 06:28 by Unknown
Almost everyone knows about Canadian Pharmacy (info here) spam mails, which promote various medicines; we generally get thousands of them. Here, however, is one such spam mail that gives the impression that it was sent by (or is affiliated with) Microsoft. Check out the screenshot below:



However, all the links mentioned in the above screenshot point to these dubious websites, which sell aphrodisiac drugs:



Some of the sites are (do NOT visit any of these sites):
www.stavenic.com
www.satoenn.com
www.manatero.com
www.traiplexi.com


On a side note, back in 2005 Microsoft and Pfizer joined forces to fight these kinds of pharmacy spam rings (info here). We need more such action by genuine drug manufacturers to curb these spam rings.