We’ve been watching a long list of domains that serve up whatever filename you give them, but they provide nothing but a good old fashioned Rogueware downloader, which sometimes goes by the family name Trojan-Downloader.Renos, or Trojan.Fakealert. It’s one of the downloaders that fetches and runs the AV2009 and other phony AV software, bombarding a user with shocking popups. Most often, users are redirected to these sites, expecting to download a codec. The filename may look like “tubeplayer.ver.6.exe”. DO NOT DOWNLOAD AND RUN WHAT MAY LOOK LIKE CODEC INSTALLERS FROM THESE SITES:
hxxp://2009download-best-soft.com
hxxp://best-ps-download-4pc.com
hxxp://downloabsecurehere1.com
hxxp://downloabsecurehere2.com
hxxp://downloabsecurehere3.com
hxxp://downloabsecurehere4.com
hxxp://download-all4free.com
hxxp://download-allsoftnow.com
hxxp://download-files-bak.net
hxxp://download-fls.com
hxxp://download-softarch.com
hxxp://download-top-software.com
hxxp://download-top-software.net
hxxp://downloadall-soft-now.com
hxxp://downloadallsoft-now.com
hxxp://downloadallsoftnow.com
hxxp://dwnld-files.com
hxxp://fast-download-base-free.com
hxxp://files-upload-21.com
hxxp://get-files-4free.net
hxxp://get-frsh-files.com
hxxp://go-downloadz-pc-soft.com
hxxp://load-software-dowload.net
hxxp://pure-download-new.net
hxxp://soft-4-you-download.net
hxxp://top-best-software-area.net
hxxp://2009download-best-soft.com
hxxp://best-ps-download-4pc.com
hxxp://downloabsecurehere1.com
hxxp://downloabsecurehere2.com
hxxp://downloabsecurehere3.com
hxxp://downloabsecurehere4.com
hxxp://download-all4free.com
hxxp://download-allsoftnow.com
hxxp://download-fls.com
hxxp://download-softarch.com
hxxp://download-top-software.com
hxxp://download-top-software.net
hxxp://download-top-software.net
hxxp://downloadall-soft-now.com
hxxp://downloadallsoft-now.com
hxxp://downloadallsoftnow.com
hxxp://dwnld-files.com
hxxp://fast-download-base-free.com
hxxp://files-upload-21.com
hxxp://get-frsh-files.com
hxxp://go-downloadz-pc-soft.com
hxxp://load-software-dowload.net
hxxp://pure-download-new.net
hxxp://soft-4-you-download.net
hxxp://top-best-software-area.net
How did you get the tubeplayer.ver.6 trojan horse out of your computer? I think I already did, but I’m not sure and want to try everything I can to make sure.
Thanks.
-cp
Was this from youtube?
Or a movie/video site? I have been going to both and was trying to figure where I got it so I won’t go there again. And how to be sure it is no longer in my computer!
Thanks for the note Rao. ThreatFire so far was not built to be a cleanup tool, but it is effective against the installs from current tubeplayer.ver.6 infections. In the lab on an infected system, we see that the user is prompted to kill four of the components and cleans them up properly. Some non-functional items are left behind by ThreatFire (they won’t run or perform any malicious task): some system tasks that attempt to run files that have been deleted (you can find the “Tasks” applet in your control panel), and a tmp file in the temp directory.
We’ll explore its cleanup further. Thanks!
There is a tubeplayer icon on my desktop but it appears to be a non existent file… The file size says 0 (Zero) and I can’t find anything with any of the latest tools such as windows defender…
Would tubeplayer normally appear after a scan?
How do I know that It’s been removed?
David J-
If you ran the downloader discussed in this post from one of the listed domains, you most likely would be seeing all sorts of popups and problems already.
You can find help to evaluate your system on the “Spyware, Adware and Malware Discussion” board at PC Tools’ community forums:
http://www.pctools.com/forum/index.php
You may want to install Spyware Doctor and give it a run, if you don’t already have ThreatFire installed.