Select Page

2GCash and Windows System Optimizator rogue from one fake codec scam

Today we came across this fake codec scam that delivered two pieces of malware for those unfortunate enough to stumble across it. The malicious site offers Megan Fox and Carmen Electra sex  videos (among other things.)

(Click on graphic to enlarge)

After installing a fake video viewer, it throws up fake Microsoft Security Essentials alerts and installs the Windows System Optimizator rogue.

(Click on graphic to enlarge)

(Click on graphic to enlarge)

# 1. 2GCash (VIPRE detection: VirTool.Win32.Obfuscator.hg!b1)

The 2GCash malware has been one of the major downloaders. It’s been used by thousands of affiliate sites since 2008. Its main purpose is to generate profits through click fraud transmissions from infected computers and search engine result hijackings.

VIPRE detects the 2GCash malware as VirTool.Win32.Obfuscator.hg!b1 (v). Kaspersky detects it as *.codecpack, Sophos as FakeAV-CX and Microsoft as Renos.

It uses online scanner scams, third party bundled downloads, fake codec scam sites  and fake crack serial sites.

The file video_part_##.exe is detected as Trojan.Win32.Generic.pak!cobra

# 2. Windows System Optimizator rogue

Windows System Optimizator  is a rogue what uses a fake Microsoft Security Essentials alert.  VIPRE detects it as Trojan.Win32.Generic.pak!cobra.

It’s a rebranding of the Windows Optimization Center rogue.


2GCash is the name we gave the detection when the group behind it began an affiliate program with a site named in December of 2008.

The page for affiliates was titled “Go Go Cash.”

(Click on graphic to enlarge)

Thanks to Patrick Jordan for the analysis.

Tom Kelchner

Fatal error: Uncaught wfWAFStorageFileException: Unable to save temporary file for atomic writing. in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php:34 Stack trace: #0 /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php(658): wfWAFStorageFile::atomicFilePutContents('/home/eckelberr...', '<?php exit('Acc...') #1 [internal function]: wfWAFStorageFile->saveConfig('livewaf') #2 {main} thrown in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php on line 34