Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

> How to remove "IE Defender" (Outdated/redundant), By: miekiemoes
miekiemoes
post Oct 28 2007, 05:53 PM
Post #1


NOTE!! Redundant thread. That's why this thread won't be updated anymore since you can find the instructions for Specific alerts in this listing:
http://forums.whatthetech.com/Self_Help_Fi...alware_f97.html

Hello and welcome to the WhatTheTech Forums.

Use at your own risk: WhatTheTech Forums does not take responsibility for any outcome of following these directions. Every computer is different, so we cannot guarantee the outcome. If you are apprehensive, please post a log from HijackThis in the designated forum and let us take a look and guide you to a clean system.

This is a "self help" to remove the infection on Windows 2000, all XP and Vista.

Keep in mind this infection can be accompanied by other infections as well. We strongly suggest you register after running this fix and post a HijackThis log for one of the pros to check over.


Please do not delete anything unless instructed to.

Explanation:

This one is getting installed via a FAKE codec.
Be careful when watching online videos, especially when they ask you to install a certain codec in order to watch the video. By default, your media player should already have the necessary codecs installed to watch online videos. In case you're prompted to install an additional codec while trying to watch a movie online, it may be a false alert and this so-called codec may install malware.

Example of such FAKE codec:



Once installed, it displays fake alerts in order to download/install the fake program IE Defender.
The Alerts display you are infected with one of the following:

* Trojan.Zlob-X.a
* Trojan.Win32.Agent.akk
* Trojan.Win32.Obfuscated.gx
* Trojan.Win32.LinkReplacer


Example Alert:



Removal:

In case you don't have HijackThis...

* Download Trend Micro HijackThis™
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.

Then in HijackThis, look if one of the following is present and check it in HijackThis:
(the CLSIDs {********-****-****-****-************} may be different in your case, but the filename is always the same)

O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: System DivX4 - {2FA3B736-1AC7-454D-8E94-8BA8158BF064} - C:\WINDOWS\system32\sysvideo32.dll
O2 - BHO: Video - {15FEB658-AACC-412E-BC13-D54CFD74A8F6} - C:\WINDOWS\stream32a.dll
O2 - BHO: Video - {D0995F82-90C7-4C78-9B4C-C1700FB8B120} - C:\WINDOWS\windivx.dll
O2 - BHO: Video - {80590BC5-F4BA-4AD1-B216-C19EE86E2A77} - C:\WINDOWS\msvideo.dll


Click the "Fix checked" button below.
Then reboot your computer.
After reboot, navigate to and delete one of the following files if still present (related to the entry you fixed in HijackThis):

C:\WINDOWS\system32\IR9V0_QCX.dll
C:\Windows\System32\bDivX.dll
C:\WINDOWS\system32\IntelVideoDivX.dll
C:\WINDOWS\system32\IntelVideo.dll
C:\Windows\System32\Video32.dll
C:\WINDOWS\system32\XunLeiBHO_Now.dll
C:\WINDOWS\system32\dx50codec.dll
C:\WINDOWS\system32\a3gpcodec.dll
C:\WINDOWS\system32\aDivX.dll
C:\WINDOWS\system32\mp3avi.dll
C:\WINDOWS\system32\VideoMP3.dll
C:\WINDOWS\system32\PowerVideo.dll
C:\WINDOWS\system32\sysdivx.dll
C:\WINDOWS\system32\sysvideo32.dll
C:\WINDOWS\stream32a.dll
C:\WINDOWS\windivx.dll
C:\WINDOWS\msvideo.dll

Also look if the following files are present and delete them:

C:\Windows\System32\bDivX.dll.bak
C:\WINDOWS\system32\IR9V0_QCX.dll.bak
C:\WINDOWS\system32\IntelVideo.dll.bak
C:\WINDOWS\system32\IntelVideoDivX.dll.bak
C:\Windows\System32\Video32.dll.bak
C:\WINDOWS\system32\XunLeiBHO_Now.dll.bak
C:\WINDOWS\system32\dx50codec.dll.bak
C:\WINDOWS\system32\a3gpcodec.dll.bak
C:\WINDOWS\system32\aDivX.dll.bak
C:\WINDOWS\system32\mp3avi.dll.bak
C:\WINDOWS\system32\sysdivx.dll.bak
C:\WINDOWS\system32\VideoMP3.dll.bak
C:\WINDOWS\system32\PowerVideo.dll.bak
C:\WINDOWS\system32\sysvideo32.dll.bak
C:\WINDOWS\stream32a.dll.bak
C:\WINDOWS\windivx.dll.bak
C:\WINDOWS\msvideo.dll.bak

Normally, by default, if you fix that entry in HijackThis and your Internet Explorer is closed while fixing in HijackThis, HijackThis will already delete that file as well. So don't worry if you can't find the file afterwards anymore - HijackThis already deleted it. But it's always a good idea to double-check.
Please make sure you don't delete "similar looking" files as they may be legitimate.

In case you're in doubt or it didn't solve your problem, please start a NEW thread in the HijackThis forum with your HijackThis log.
+Quote Post
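The check described in post #1 (match on the DLL's file name and location rather than the CLSID, and leave similar-looking files alone), as an added example that is not part of the original thread. The function and variable names are hypothetical, the sample log is constructed, and the Windows directory is assumed to be C:\WINDOWS as in the post's paths.

```python
import ntpath
import re

# DLL names from the post's list, grouped by the folder the post gives for them.
SYSTEM32 = ("IR9V0_QCX.dll bDivX.dll IntelVideoDivX.dll IntelVideo.dll Video32.dll "
            "XunLeiBHO_Now.dll dx50codec.dll a3gpcodec.dll aDivX.dll mp3avi.dll "
            "VideoMP3.dll PowerVideo.dll sysdivx.dll sysvideo32.dll").split()
WINDIR = "stream32a.dll windivx.dll msvideo.dll".split()

# Full paths, lower-cased, because Windows paths are case-insensitive.
LISTED = ({ntpath.join(r"C:\WINDOWS\system32", n).lower() for n in SYSTEM32}
          | {ntpath.join(r"C:\WINDOWS", n).lower() for n in WINDIR})

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

def flag_bho_entries(log_text):
    """Return (name, clsid, path) for O2 entries whose DLL path is on the list.

    The CLSID is reported but never used for matching, since it can differ
    from machine to machine while the file name stays the same.
    """
    hits = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not a BHO entry (O4, O23, headers, ...)
        path = ntpath.normpath(m.group("path").strip())
        if path.lower() in LISTED:
            hits.append((m.group("name"), m.group("clsid"), path))
    return hits

# Constructed sample log: CLSIDs differ from the post, case differs,
# and two entries only look similar (other folder / other file name).
SAMPLE_LOG = r"""
O2 - BHO: Video - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\msvideo.dll
O2 - BHO: IntelVideoCodec - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - c:\windows\SYSTEM32\intelvideo.dll
O2 - BHO: Example Helper - {99999999-8888-7777-6666-555555555555} - C:\Program Files\Example\msvideo.dll
O2 - BHO: Example Toolbar - {12345678-1234-1234-1234-123456789ABC} - C:\WINDOWS\system32\msvideo32.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for name, clsid, path in flag_bho_entries(SAMPLE_LOG):
        print(f"check in HijackThis: {name} {clsid} {path}")
```

Only the first two sample entries are reported; the entry with the same file name in another folder and the one with a near-identical name are left alone.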
LDTate
post Nov 1 2007, 03:03 PM
Post #2


If you want us to look at your HijackThis log to see if anything else needs fixed, please register and post a HijackThis log.
Post your HijackThis log here:

Please create a new Topic
Blair
post Nov 14 2007, 10:41 AM
Post #3


ShadowPuterDude has authored an automated tool for removal of IEDefender. You can find the download and instructions here.

IEDefender Removal Instructions:
ShadowPuterDude has authored an automated tool for removal of Trojan.Win32.LinkReplacer. You can find the download and instructions here.
    NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry, as FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.

  1. Download FixIEDef.exe by ShadowPuterDude to the Desktop.
    Note: FixIEDef now supports Non-English Language Systems

  2. Double-click FixIEDef.exe:


  3. That will open the About FixIEDef screen. Click OK to continue:


  4. Next, press the Scan! button:


  5. FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue:


  6. Wait for the scan to finish. It shouldn't take very long:


  7. After the !!! All Finished !!! message is displayed, click Exit:


  8. That's it! You're done, and the infection should be removed.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. See: http://www.beyondlogic.org/consulting/proc...processutil.htm

    Mirrors: Alternate official download locations for FixIEDef.exe

    http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
    http://hosts-file.net/download/fixiedef/fixiedef.exe
    http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
    http://archives.mysteryfcm.co.uk/?f=Securi...pyware/FixIEDef