> How to remove "IE Defender" (Outdated/redundant), By: miekiemoes
miekiemoes
post Oct 28 2007, 05:53 PM
NOTE!! Redundant thread. That's why this thread won't be updated anymore since you can find the instructions for Specific alerts in this listing:
http://forums.whatthetech.com/Self_Help_Fi...alware_f97.html

Hello and welcome to the WhatTheTech Forums.

Use at your own risk: WhatTheTech Forums does not take responsibility for any outcome of following these directions. Every computer is different, so we cannot guarantee the outcome. If you are apprehensive, please post a log from HijackThis in the designated forum and let us take a look and guide you to a clean system.

This is a "self help" to remove the infection on Windows 2000, all XP and Vista.

Keep in mind this infection can be accompanied by other infections as well. We strongly suggest you register after running this fix and post a HijackThis log for one of the pros to check over.


Please do not delete anything unless instructed to.

Explanation:

This one is getting installed via a FAKE codec.
Be careful when watching online videos, especially when they ask you to install a certain codec in order to watch the video. By default, your media player should already have the necessary codecs installed to watch online videos. In case you're prompted to install an additional codec while trying to watch a movie online, it may be a false alert and this so-called codec may install malware.

Example of such FAKE codec:



Once installed, it displays fake alerts in order to download/install the fake program IE Defender.
The alerts state that you are infected with one of the following:

* Trojan.Zlob-X.a
* Trojan.Win32.Agent.akk
* Trojan.Win32.Obfuscated.gx
* Trojan.Win32.LinkReplacer


Example Alert:



Removal:

In case you don't have HijackThis...

* Download Trend Micro Hijack This™
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.

Then in HijackThis, look if one of the following is present and check it in HijackThis:
(the CLSIDs {********-****-****-****-************} may be different in your case, but the filename is always the same)

O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: System DivX4 - {2FA3B736-1AC7-454D-8E94-8BA8158BF064} - C:\WINDOWS\system32\sysvideo32.dll
O2 - BHO: Video - {15FEB658-AACC-412E-BC13-D54CFD74A8F6} - C:\WINDOWS\stream32a.dll
O2 - BHO: Video - {D0995F82-90C7-4C78-9B4C-C1700FB8B120} - C:\WINDOWS\windivx.dll
O2 - BHO: Video - {80590BC5-F4BA-4AD1-B216-C19EE86E2A77} - C:\WINDOWS\msvideo.dll


Click the "Fix checked" button below.
Then reboot your computer.
After reboot, navigate to and delete whichever of the following files is still present (the one related to the entry you fixed in HijackThis):

C:\WINDOWS\system32\IR9V0_QCX.dll
C:\Windows\System32\bDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideo.dll
C:\Windows\System32\Video32.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\dx50codec.dll
C:\WINDOWS\system32\a3gpcodec.dll
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\VideoMP3.dll
C:\WINDOWS\system32\PowerVideo.dll
C:\WINDOWS\system32\sysdivx.dll
C:\WINDOWS\system32\sysvideo32.dll
C:\WINDOWS\stream32a.dll
C:\WINDOWS\windivx.dll
C:\WINDOWS\msvideo.dll

Also look if the following files are present and delete them:

C:\Windows\System32\bDivX.dll.bak
C:\WINDOWS\system32\IR9V0_QCX.dll.bak
C:\WINDOWS\system32\IntelVideo.dll.bak
C:\WINDOWS\system32\IntelVideoDivX.dll.bak
C:\Windows\System32\Video32.dll.bak
C:\WINDOWS\system32\XunLeiBHO_Now.dll.bak
C:\WINDOWS\system32\dx50codec.dll.bak
C:\WINDOWS\system32\a3gpcodec.dll.bak
C:\WINDOWS\system32\aDivX.dll.bak
C:\WINDOWS\system32\mp3avi.dll.bak
C:\WINDOWS\system32\sysdivx.dll.bak
C:\WINDOWS\system32\VideoMP3.dll.bak
C:\WINDOWS\system32\PowerVideo.dll.bak
C:\WINDOWS\system32\sysvideo32.dll.bak
C:\WINDOWS\stream32a.dll.bak
C:\WINDOWS\windivx.dll.bak
C:\WINDOWS\msvideo.dll.bak

Normally, by default, if you fix that entry in HijackThis and your Internet Explorer is closed while fixing in HijackThis, HijackThis will already delete that file as well. So don't worry if you can't find the file afterwards anymore - HijackThis already deleted it. But it's always a good idea to double-check.
Please make sure you don't delete "similar looking" files as they may be legitimate.

If you're in doubt or it didn't solve your problem, please start a NEW thread in the HijackThis forum with your HijackThis log.



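Added example, not part of the original post and not HijackThis's own code: a small Python check that applies the post's rule of matching O2 entries by filename rather than CLSID. The log lines and CLSIDs in `SAMPLE_LOG` are constructed, and requiring the folder to match as well is an assumption made here to avoid flagging "similar looking" files.

```python
import ntpath
import re

# Filenames from the listing in this thread, lower-cased and grouped by folder.
SYSTEM32 = {"ir9v0_qcx.dll", "bdivx.dll", "intelvideodivx.dll", "intelvideo.dll",
            "video32.dll", "dx50codec.dll", "xunleibho_now.dll", "a3gpcodec.dll",
            "adivx.dll", "mp3avi.dll", "videomp3.dll", "powervideo.dll",
            "sysdivx.dll", "sysvideo32.dll"}
WINDIR = {"stream32a.dll", "windivx.dll", "msvideo.dll"}
KNOWN = {**{n: r"c:\windows\system32" for n in SYSTEM32},
         **{n: r"c:\windows" for n in WINDIR}}

# "O2 - BHO: <name> - {CLSID} - <path>" as shown in the thread's listing.
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

# Constructed sample log: CLSIDs are made up, paths mix listed and unlisted files.
SAMPLE_LOG = r"""
O2 - BHO: Video - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\msvideo.dll
O2 - BHO: BetaDivX - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Windows\System32\bDivX.dll (file missing)
O2 - BHO: Example Helper - {99999999-8888-7777-6666-555555555555} - C:\Program Files\Example\msvideo.dll
O2 - BHO: Example Helper - {12345678-1234-1234-1234-123456789ABC} - C:\WINDOWS\system32\Video32x.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

def flag_bho_entries(log_text):
    """Return (clsid, path) for O2 lines whose file is on the thread's list.

    The CLSID is ignored for matching, as the post advises; the filename must
    match exactly and (assumption) sit in the folder given in the listing.
    """
    hits = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if not m:
            continue  # not an O2 BHO entry
        # HijackThis may append this note when the DLL is already gone.
        path = m.group("path").removesuffix(" (file missing)")
        folder, filename = ntpath.split(path.lower())
        if KNOWN.get(filename) == folder:
            hits.append((m.group("clsid"), path))
    return hits

if __name__ == "__main__":
    for clsid, path in flag_bho_entries(SAMPLE_LOG):
        print(f"check in HijackThis: {clsid} -> {path}")
```

Entries it reports still need to be reviewed and fixed in HijackThis as described in the post; the script only narrows down which lines to look at.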