Defender-Review.com fake website

My son's PC is infected with Defender-Review.com.  A pop-up appears when he tries to use Internet Explorer which warns him that he is infected by Trojan.Zlob.G and redirects him to Defender-Review.com which recommends he purchase Personal Defender 2009.  It has an authentic looking Windows Security Centre logo but I know it's a fake because Windows firewall is not activated (because I use Norton IS 2007). 

Running a full scan does not detect it.  There are numerous hits on Google on how to remove it, from paying for Spy Doctor to "free" Perfect Uninstaller 4.1, and remove-malware.net..... but who can I trust?

 

I am surprised Norton has no apparent solution to this..... does anybody have any experience with this?

 

Thanks.

And there it is....

 

...another day and yet another piece of malware Symantec can't protect us from...

 

My disappointment sinks deeper.

Message Edited by TomiRed on 12-08-2008 10:02 PM

The browser has been hijacked. I would recommend calling Symantec Tech Support for the removal. The technician will remote into your computer and do the fix for you. It will cost - but unless you’re skilled with using tools like fraudfix.exe and the like, it’s well worth the money.

We had the same problem with one of our household computers - the root cause being teenage boy with a computer, no adult supervision, and way too much time on his hands. One can well imagine where his journeys took him, and it turned out he got scammed into clicking on something to download a codec in order to view a video (rhymes with wornography). I figure this is where it loaded into the system. The trojan is a nasty little bugger - and was above my confidence in trying to resolve it, hence I called for tech support.

Kelly

.......oooor, you could maybe use Malwarebytes AntiMalware, which is FREE..,

 

and follow removal instructions here, which are also - FREE.

After cleaning up the infection please try and refrain from using Internet Explorer and switch to Firefox which has been proven safer and faster.

 

http://en-us.www.mozilla.com/en-US/products/firefox/

Vineeth wrote:
Check the document Trojan.Zlob.G from Symantec Security response for the removal instructions.

He is almost surely not infected with that, it is a fake alert. It is what these programs do: they try to extort money using scare tactics and fake alerts.

This is why Firefox is so much safer than IE. It can block fake ads and other various things. AntiVirus 2008, 2009 attacks IE but is very easily blocked by Firefox.

Thanks... so how much did it cost, and how long did it take?  Was this specifically for Defender-Review.com?

How much did what cost? How long did what take?

Hi

 

I would try a Full scan by Malwarebytes and SuperAntispyware free updated then run in Safe Mode

 

A webpage on it 

http://www.bleepingcomputer.com/malware-removal/remove-personal-defender-2009

 

If you want to send me a PM with your Hijackthis log that's OK too, should show the start up entry(ies).

 

Quads 

Snug,

 

My session with Symantec cost about $70.  Once I got a technician on the phone it took about 10-15 minutes for him to remote into the computer and resolve the issue.  He ran several tools on my computer.  If you decide to go this route, make sure you write down the case number - in case your phone gets disconnected, or should you have to call back if you continue to have problems.

 

I realize there are a lot of free tools out there.  Your post doesn't mention your level of expertise or confidence.  I consider myself a modest user; I'm capable of doing a lot of self-help but there's a limit to my comfort zone.

 

Whichever route you decide to take, good luck.

 

Kelly

and yes, it was specifically for the defender hijack issue.

Thanks ‘Quads’, I will try this over the weekend, when I have the time.  My son can still use the internet by logging on (to Windows) using another id on his PC.

Hi Kelly, I am an old mainframe developer, where all this sort of thing is handled by a Systems Programmer, leaving us developers to get on with creating applications for customers... so my level of confidence is low to moderate, depending on the time I have and the repercussions of failure!

Steve

snug wrote:
Thanks 'Quads', I will try this over the weekend, when I have the time.  My son can still use the internet by logging on (to Windows) using another id on his PC.
I am on here most days, between other work.
 
Quads 

 

Please answer this question: Did you ever run a full system scan from the point when it was obvious that you were infected; you noticed the issues as listed?

 

And I will look into it; or in other words execute it.


Here is the original VirusTotal report: http://www.virustotal.com/analisis/eefd5d6dd0694b238d4d1d259821392f
There is no excuse that yet another sample managed to "fly under our radar" again...
Here is the updated VirusTotal Report, hours after the first report: http://www.virustotal.com/analisis/0ac1c6c4e5b20c98d5393c1b267a3d59
F-Secure added the definition

Looking at the program downloaded from the website, it seems to be legit. Seems like the company has some malicious practices though and some AVs consider it to be malware. 
Message Edited by Tech0utsider on 12-08-2008 06:33 PM

Has anyone noticed that he has a Norton 2007 product?

 

You can upgrade for free to the 2009 version of your product.

 

First, uninstall 2007 using the Norton Removal Tool.

 

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007080716240739?Open&docid=2005033108162039&nsf=tsgeninfo.nsf&view=docid

 

Reboot as prompted. When you login, you should be prompted to download the latest version of Norton. If not, download IS09 through here: http://shop.symantecstore.com/store/symnahho/en_US/ContentTheme/ThemeID.106300/pbPage.Trialware_en_US

 


And as for Perfect Defender, it seems to be legit, just by the looks. No advertisements or pop-ups or suspicious activity yet. It even has a functional firewall ....

 

The only suspicious thing is that it does not register itself in the Windows Security Center.

 

I will leave my VPC on to see what Perfect Defender does when it thinks it is idle ^.-

Message Edited by Tech0utsider on 12-08-2008 07:26 PM

I think the phenomenon Snug is talking about is a browser hijack that directs the user to a spoofed website, informs the user it has a Trojan, and keeps looping back to the fraud site.  It solicits credit card info and, in essence, takes the credit card info and runs (there isn’t any software delivery, and the hijack doesn’t go away).  There’s been one instance of it in my household.  Media forensics is what I do (kind of like autopsies on computers), so I’ve also seen it several times on seized computers during media examination/exploitation.

 Kelly

Finally I can say: well done!

 

I submitted the installer of this rogue 'antivirus' critter manually, through NIS 2009 manual quarantine and removal on Monday, little less than 48 hours ago.

 

Today it is detected and removed immediately after download. Now that is an acceptable response time.

 

And it seems it was added to detections then and there.