PCTotalDefender
July 25, 2008 | Malware, Rogues
PCTotalDefender is a rogue Antispyware application. Stay away from following IP and hosts!
Host: pctotaldefender.com
IP: 84.243.253.220
Whois:
inetnum: 84.243.253.0 - 84.243.253.255
netname: GFX-CUST-WORLDSTREAM
descr: WorldStream ip-block 3
org: ORG-WS14-RIPE
country: NL
admin-c: GFX-RIPE
tech-c: GFX-RIPE
status: ASSIGNED PA
mnt-by: GFX-MNT
source: RIPE # Filteredorganisation: ORG-WS14-RIPE
org-name: WorldStream2
org-type: OTHER
address: Dijkweg 127c
address: 2675 AC Honselersdijk
address: The Netherlands
phone: +31 70 755 1131
abuse-mailbox: abuse@worldstream.nl
mnt-ref: GFX-MNT
mnt-by: GFX-MNT
source: RIPE # Filteredrole: GrafiX NOC
org: ORG-GIB1-RIPE
address: GrafiX Internet B.V.
address: Stationsplein 20
address: 2907 MJ Capelle aan den IJssel
phone: +31 10 2640210
fax-no: +31 10 2640211
abuse-mailbox: abuse@grafix.nl
Other sites on this IP:
1. Anonymbrowser.com
2. Best-payments.net
3. Bestpaymentsolution.net
4. Billingbit.com
5. Billingbridge.com
6. Blablahost.com
7. Direct-billing.com
8. Errordigger.com
9. Errorinspector.com
10. Internetsupernanny.com
11. Passwordinspector.com
12. Sellmosoft.net
13. Softwarepayments.net
14. Statsgod.com
Virus tottal description of the PCTotalDefender :
| File AntiVirusInstallFree_en.exe received on 07.25.2008 15:17:14 (CET) | |||
| Antivirus | Version | Last Update | Result |
| AhnLab-V3 | 2008.7.25.1 | 2008.07.25 | - |
| AntiVir | 7.8.1.12 | 2008.07.25 | TR/Dldr.FraudLoa.CE |
| Authentium | 5.1.0.4 | 2008.07.24 | - |
| Avast | 4.8.1195.0 | 2008.07.25 | Win32:Adware-gen |
| AVG | 8.0.0.130 | 2008.07.25 | Agent.YBI |
| BitDefender | 7.2 | 2008.07.25 | - |
| CAT-QuickHeal | 9.50 | 2008.07.24 | TrojanDownloader.FraudLoad.ce |
| ClamAV | 0.93.1 | 2008.07.25 | - |
| DrWeb | 4.44.0.09170 | 2008.07.25 | - |
| eSafe | 7.0.17.0 | 2008.07.24 | - |
| eTrust-Vet | 31.6.5981 | 2008.07.25 | - |
| Ewido | 4.0 | 2008.07.25 | - |
| F-Prot | 4.4.4.56 | 2008.07.24 | - |
| F-Secure | 7.60.13501.0 | 2008.07.25 | - |
| Fortinet | 3.14.0.0 | 2008.07.25 | PossibleThreat |
| GData | 2.0.7306.1023 | 2008.07.25 | Win32:Adware-gen |
| Ikarus | T3.1.1.34.0 | 2008.07.25 | Trojan-Downloader.FraudLoa.CE |
| Kaspersky | 7.0.0.125 | 2008.07.25 | - |
| McAfee | 5346 | 2008.07.24 | - |
| Microsoft | 1.3704 | 2008.07.24 | - |
| NOD32v2 | 3298 | 2008.07.25 | Win32/Adware.AVSystemCare |
| Norman | 5.80.02 | 2008.07.24 | - |
| Panda | 9.0.0.4 | 2008.07.25 | - |
| PCTools | 4.4.2.0 | 2008.07.25 | RogueAntiSpyware.AVSystemCare |
| Prevx1 | V2 | 2008.07.25 | - |
| Rising | 20.54.42.00 | 2008.07.25 | - |
| Sophos | 4.31.0 | 2008.07.25 | - |
| Sunbelt | 3.1.1536.1 | 2008.07.18 | - |
| TheHacker | 6.2.96.389 | 2008.07.25 | - |
| TrendMicro | 8.700.0.1004 | 2008.07.25 | - |
| VBA32 | 3.12.8.1 | 2008.07.24 | Win32.Adware.AVSystemCare |
| ViRobot | 2008.7.25.1310 | 2008.07.25 | - |
| VirusBuster | 4.5.11.0 | 2008.07.25 | - |
| Webwasher-Gateway | 6.6.2 | 2008.07.25 | Trojan.Dldr.FraudLoa.CE |
| Additional information | |||
| File size: 232768 bytes | |||
| MD5…: d558c4f24c13232e11b43684da18e7b1 | |||
| SHA1..: 6d163a506ef582467fa39eb2fbce6908a3427647 | |||
| SHA256: dfeffbbb73733fc556f7f7f2f22b64527a9761d4018cc2e8cc1e32ddd3828389 | |||
| SHA512: 19d44291613a216409aabf859834f8280be256caae4d9aeb4ed1f65feb3e1088 2370b11a0974f2b84fdc23381c3c2384176989cdc7ab9fddd407419f2b0b4e9f |
|||
| PEiD..: - | |||
| PEInfo: PE Structure information( base data ) entrypointaddress.: 0×4176d6 timedatestamp…..: 0×4836db82 (Fri May 23 14:58:10 2008) machinetype…….: 0×14c (I386) ( 4 sections ) ( 10 imports ) ( 0 exports ) |
|||
| ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=d558c4f24c13232e11b43684da18e7b1 | |||
Screenshot of fake scanning by PCTotalDefender
Screenshot of licence purchase from pctotaldefender.com
Screenshot of licence purchase from secure.software-payment.com
Host: secure.software-payment.com
IP: 216.195.56.160
Whois:
OrgName: APS Telecom
OrgID: APSTE
Address: 8130 SW BEAVERTON-HILLSDALE HWY
City: PORTLAND
StateProv: OR
PostalCode: 97225
Country: USNetRange: 216.195.32.0 - 216.195.63.255
CIDR: 216.195.32.0/19
NetName: APS-EPSI
NetHandle: NET-216-195-32-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment: send abuse issues to abuse@3fn.net , send networkRTechHandle: NSW-ARIN
RTechName: Swen, Nash
RTechPhone: +1-800-539-8209
RTechEmail : noc@apxnoctelecom.com
Additional hosts and IPs of the PCTotalDefender malware:
Host: download.pctotaldefender.com
IP: 85.17.4.101
Whois:
inetnum: 85.17.4.0 - 85.17.4.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to “abuse@leaseweb.com” for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filteredperson: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox: abuse@leaseweb.com
IP: 83.170.121.254
Whois:
inetnum: 83.170.64.0 - 83.170.127.255
netname: UK-UK2NET-20040420
descr: PROVIDER Local Registry
descr: UK2 - Ltd
country: GB
org: ORG-UL5-RIPE
admin-c: BB963-RIPE
tech-c: BB963-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS13213-MNT
mnt-routes: AS13213-MNT
source: RIPE # Filteredorganisation: ORG-UL5-RIPE
org-name: UK2 - Ltd
org-type: LIR
address: One Canada Square
Canary Wharf
address: E14 5DY
address: London
address: United Kingdom
phone: +44 207 9871200
fax-no: +44 207 9870424
e-mail: ripe@uk2.net
Other sites on this IP :
1. Cryptdrive.com
2. Easyfixer.com
3. Internetanonymizer.com
4. Lyonyakosmos.com
5. Mobileantiviruspro.com
6. Pcsupernanny.com
7. Pctotaldefender.com
8. Personalantispy.com
9. Superdiet4u.com
10. Winbugfixer.com
