ValueClick turns to the Dark Side
Following up on my previous post, I found a post that better describes the damage that Trojan.Zlob.N does. Sometimes the (boring) technical descriptions do not quite convey what really occurs.
I recently had a worm/virus attack that took control of IE6 and inserted a
tool bar called 'Security Toolbar' that takes you to the above www site. I
cannot remove this toolbar.
Other names that appeared in dialogue boxes, callout boxes, and file names
found when I could eventually scan my pc are: Zlob.JQC, Zlob.JQA,
W32.Myzor.FK@yf, Trojan TJ/BZ, www.asecuritynote(dot)com/vc/07-38929322/,
www.protectionclicks(dot)com (URLs disabled)
This worm/virus disabled my AVG virus protection, deleted my temporary
internet files and cookies, removed Windows installer, and a yellow shaped
triangular icon appeared in the tray with an '!' in its centre. It would not
allow me to access www sites such as Symantec to access its knowledge base to
try and find out about this infection. The green progress bar at the bottom
of IE6 stopped at about the 80% mark. It also removed all of my Windows
So browsing to guardtoolbar(dot)com ... we discover several redirects and then another "adfarm.mediaplex.com" ...
As you can see, the endpoint is trustedprotection(dot)com, which is yet another Rogue program. So I downloaded the offered program and checked it out. Turns out this is actually an AV program from avsystemcare(dot).com, yet another Rogue/Suspect program. This is the completely bogus message you see when visiting there ...
Oh, it doesn't stop there ... I submitted the file to the SunBelt Sandbox (see results here), where it clearly states (along with some other nasties) in the Network Activity section:
which redirects to:
Note: 18.104.22.168 = MediaPlex ... also mentioned inside the download (install_en.exe) is "gn.web-fastserve.com", now who is that? Well browsing there we see ... you guessed it "Welcome to MediaPlex". So now they are no longer just serving as a content provider, ValueClick is directly involved with several more Rogue programs.
Seems I was not the only one to discover this: Spyware Detector - Fake Anti Spyware.AVSystem Care
Remember in the quote above ... (www.protectionclicks(dot)com)
This is the same exact image Symantec supplied in their Trojan.Zlob.N description. In the above image it states "Antivirus software was not found on this computer" ... well, now we know why! According to the user's description above, the Trojan wiped out their AV program, then offers to supply them with a bogus product.
Way to go ValueClick! ... enjoy the Dark Side and your ill-gotten gains (for now)
Knock-knock ... who's there? (hopefully) The FTC