Saturday, July 07, 2007

NewMediaCodec, Privacy Protector and Udefender

This time we have one more fake codec, NewMediaCodec, and a pair of rogue applications, Privacy Protector and Udefender. Trouble starts as soon as this "codec" is installed! It hijacks the Desktop background and the Internet Explorer start page and places URL shortcuts to fake security applications on the Desktop. After the hijack, the Desktop looks like this:

Periodically we get pop-ups, message boxes and system tray balloon tips warning about a malware infection and urging the user to download some "recommended" anti-spyware applications:

When we click on an empty area of the Desktop (it's actually a webpage) or on the URL shortcuts on the Desktop, IE opens dubious sites like Winantispyware(dot)com, Onlinestability(dot)com, Aboutyourprivacy(dot)com, Udefender(dot)com, Softwareferrel(dot)com etc. and downloads fake anti-spyware applications. Two of the fake anti-spyware applications offered for download are Privacy Protector and Udefender. The installers of both these rogue applications are poorly detected by AVs. The following screenshots show the Virus.org Malware Scanner results for the Udefender and Privacy Protector installers:

Here's a screenshot of Privacy Protector displaying its exaggerated scan results:

The HijackThis screenshot below shows the entries added by the "NewMediaCodec" malware (tick-marked entries):

As we can see from the above screenshot, two DLLs are loaded using the SSODL (ShellServiceObjectDelayLoad) method. Explorer.exe loads every DLL registered there when Windows starts, so the malware survives reboots without any entry in the usual Run keys.
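As an added example (not code from the original post), here is a Python script that takes a `reg export` of the ShellServiceObjectDelayLoad key (under HKLM\Software\Microsoft\Windows\CurrentVersion) together with the CLSID subkeys, resolves each SSODL value to the DLL Explorer.exe will load, and reports the entries that are absent from a known-clean baseline export; the embedded exports, GUIDs and DLL names are constructed placeholders.

```python
import re
# Constructed .reg exports: the GUIDs and DLL names are placeholders, not
# indicators from the infection described in the post.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CleanEntry"="{AAAAAAAA-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\clean.dll"
"""
# Same machine after infection: one extra SSODL value pointing at a dropped DLL.
SUSPECT_REG = BASELINE_REG + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PlaceholderEntry"="{BBBBBBBB-0000-0000-0000-000000000003}"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\WINDOWS\\system32\\dropped.dll"
"""
SSODL_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # "name"="string" or @="string"

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and quote with a backslash

def parse_reg(text):
    """Parse a .reg export into {key (lower-cased): {value name: string}}.
    Only string values are kept; a key's default value is stored under ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def ssodl_entries(reg):
    """Resolve each SSODL value -> CLSID -> InprocServer32 DLL (None if unresolved)."""
    out = []
    for name, clsid in reg.get(SSODL_KEY, {}).items():
        srv = reg.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        out.append((name, clsid.upper(), srv.get("")))
    return out

def unexpected_entries(suspect_text, baseline_text):
    """SSODL entries in the suspect export whose CLSID is absent from a known-clean baseline."""
    known = {clsid for _, clsid, _ in ssodl_entries(parse_reg(baseline_text))}
    return [e for e in ssodl_entries(parse_reg(suspect_text)) if e[1] not in known]
```

On a real machine, produce the inputs with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ssodl.reg` and `reg export HKCR\CLSID clsid.reg`, then concatenate the two files. `reg export` writes UTF-16, so read the files with `encoding="utf-16"` before passing them in.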

AVG AntiSpyware was able to detect and remove most of the files related to NewMediaCodec, but it did not detect the SSODL DLLs, the Desktop/IE hijack page and some other files dropped by the malware. HijackThis, run in Windows Safe Mode, can be used to remove the Desktop/IE hijacks and the SSODL DLLs. However, it is advisable to follow up with a complete system scan using an online antivirus such as TrendMicro HouseCall or Kaspersky WebScanner. If you are not sure which entries to remove in HijackThis, post the HijackThis log at one of the PC security forums, such as CastleCops.


2 Comments:

Blogger StarGGundam2 said...

This same crap happened to me today, and I was royally pissed. Everything you explained in this document is exactly what was happening. I tried fixing it myself but only managed to figure out how to delete the background image. Luckily I looked it up and found Smitfraudfix. It saved my life. http://siri.geekstogo.com/SmitfraudFix.php

7:02 AM  
Anonymous Anonymous said...

I have had the problem with all of the symptoms. Udefender's support team were totally uninterested in THEIR problem. I fired off several rather tetchy e-mails and in the end they told me that a third party company sold udefender on their behalf. Their last e-mail asked me to run some of their software so that they could investigate, some hope of me running their dodgy software! The solution of SmitfraudFix worked with no problem, thank you to whoever wrote this software. Be advised: the company that writes UDefender is NOT TO BE TRUSTED AT ALL. DO NOT BUY THEIR SOFTWARE. THEIR SOFTWARE IS NO BETTER THAN BEING CALLED SPYWARE AND MALWARE ALL IN ONE.
Jonathon Hardy
jonathonhardy@berrychone.com

10:30 PM  
