Archive for the ‘Rogues’ Category

System security fake antivirus application

Wednesday, December 31st, 2008

System Security is a rogue antivirus application. To remove this rogue application, together with other viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

System Security

 

File exclusivemovie.exe received on 12.31.2008 13:33:56 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.31 Trojan-Downloader.Win32.Renos!IK
AhnLab-V3 2008.12.31.0 2008.12.31 -
AntiVir 7.9.0.45 2008.12.31 -
Authentium 5.1.0.4 2008.12.30 -
Avast 4.8.1281.0 2008.12.30 -
AVG 8.0.0.199 2008.12.31 -
BitDefender 7.2 2008.12.31 -
CAT-QuickHeal 10.00 2008.12.31 -
ClamAV 0.94.1 2008.12.31 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2008.12.31 Trojan.DownLoader.origin
eSafe 7.0.17.0 2008.12.30 -
eTrust-Vet 31.6.6284 2008.12.31 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2008.12.31 -
Fortinet 3.117.0.0 2008.12.31 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2008.12.31 Trojan-Downloader.Win32.Renos
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2008.12.31 -
McAfee 5479 2008.12.30 -
McAfee+Artemis 5479 2008.12.30 -
Microsoft 1.4205 2008.12.31 TrojanDownloader:Win32/Renos.FU
NOD32 3725 2008.12.31 -
Norman 5.80.02 2008.12.30 -
Panda 9.0.0.4 2008.12.31 -
PCTools 4.4.2.0 2008.12.31 -
Prevx1 V2 2008.12.31 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2008.12.31 -
Sophos 4.37.0 2008.12.31 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.202 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.31 Possible_DLDER
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2008.12.30 -
 
Additional information
File size: 44032 bytes
MD5: f975529e11396a52984cecef1c89f9af
SHA1: f380faab50b864fd865d75a7cf8a3897a0f892e1
SHA256: c0c37870ea22171e78e025551f18f9fd5f3351bb79616c6aa72e7a39c687174d
SHA512: baf69c259cab1fea5403b1e9c2b13382066d00f38e3eb3de5ba64f2e0326a0b292e503abbc975548d50f736c46132051143243068c5546ca6ee7b7ace2bcbae7
ssdeep: 768:dFrGBBBkWsBHDOccg5xdqNk+nBALaBCQjqP0K6j6foKTAzdsG:OBBB0KoxdqNHn2LaBV86mfpTAzF
PEiD: -
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x402010
timedatestamp: 0x495add17 (Wed Dec 31 02:46:47 2008)
machinetype: 0x14c (I386)

CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=f975529e11396a52984cecef1c89f9af

System Security

File install.exe received on 12.31.2008 13:37:22 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2008.12.31 -
AntiVir 7.9.0.45 2008.12.31 TR/Dldr.FraudLoad.vfgb
Authentium 5.1.0.4 2008.12.30 -
Avast 4.8.1281.0 2008.12.30 -
AVG 8.0.0.199 2008.12.31 Downloader.Generic8.KXU
BitDefender 7.2 2008.12.31 -
CAT-QuickHeal 10.00 2008.12.31 -
ClamAV 0.94.1 2008.12.31 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2008.12.31 Trojan.DownLoad.26371
eTrust-Vet 31.6.6284 2008.12.31 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2008.12.31 -
Fortinet 3.117.0.0 2008.12.31 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2008.12.31 -
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2008.12.31 -
McAfee 5479 2008.12.30 -
McAfee+Artemis 5479 2008.12.30 -
Microsoft 1.4205 2008.12.31 Program:Win32/Winwebsec
NOD32 3725 2008.12.31 -
Norman 5.80.02 2008.12.30 -
Panda 9.0.0.4 2008.12.31 Suspicious file
PCTools 4.4.2.0 2008.12.31 -
Prevx1 V2 2008.12.31 Malicious Software
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2008.12.31 Trojan.Dldr.FraudLoad.vfgb
Sophos 4.37.0 2008.12.31 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 Downloader.MisleadApp
TheHacker 6.3.1.4.202 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.31 PAK_Generic.001
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2008.12.30 -
 
Additional information
File size: 63019 bytes
MD5: b31c01ac8f06d9ef19fa5b1acac67ee0
SHA1: 8411e84ac747d040cfca5b19490628169160307a
SHA256: 377008f44c8b75b29e9e8d954da9b490eb76f18f86011fa2d44cde2fda111d68
SHA512: ec7397449a46779d37a82846784bf59c6d123bc7dff864c55f17216b66755360de4ae8d2cf2cc0035daeb901c15078e55aa2d844b2b926f85d1b9d9e99d66745
ssdeep: 1536:X3qCkvQhnmlq+/jJ1bifU9nMDbZnouy83EY5qnXK:X3qsP+dl0out3LInXK
PEiD: -
TrID: File type identification
UPX compressed Win32 Executable (38.5%)
Win32 EXE Yoda’s Crypter (33.4%)
Win32 Executable Generic (10.7%)
Win32 Dynamic Link Library (generic) (9.5%)
Win16/32 Executable Delphi generic (2.6%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x427740
timedatestamp: 0x4959e731 (Tue Dec 30 09:17:37 2008)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1a000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1b000 0xe000 0xd400 7.97 c23f87651a1f2e4de78e7937b77608e2
.rsrc 0x29000 0x2000 0x1e00 5.04 e8ca867ba12246a3769573f068ad48b3

( 7 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> advapi32.dll: RegCloseKey
> comctl32.dll: ImageList_Draw
> gdi32.dll: SaveDC
> oleaut32.dll: SysFreeString
> user32.dll: GetDC
> wininet.dll: InternetOpenW

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=9FFF036C2B257BD9F6140086DCCFB80089A90EDC
packers (Kaspersky): UPX
packers (F-Prot): UPX_LZMA

System Security

Host: 2009happytubes.com
IP: 74.50.117.70

Whois:

OrgName: NOC4Hosts Inc.
OrgID: NOC4H
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US

Other sites:

1. All-celebs4you-here.com
2. All-porn-tubes-here.com
3. Scanner-av-here.com
4. Xmassextube.com
5. Xmasssporntube.com

Host: freedownload2009.com
IP: 94.247.3.232

Whois:

role: DATORU EXPRESS SERVISS HostMaster
address: 18. novembra street 319C
address: Daugavpils, LV-5413
address: Latvia
phone: +371 26631339
fax-no: +371 65420725
remarks: Information: http://www.pcexpress.lv

Other sites:


Host: netsecurityonline.com
IP: 91.211.64.31

Whois:

org-name: Ural Industrial Company
org-type: OTHER
address: Russia, 620240 Ekaterinburg, Sofia Kovalevsaja st.
admin-c: AP10609-RIPE
mnt-ref: URALCOMP-MNT
mnt-by: URALCOMP-MNT
source: RIPE # Filtered

role: UralNet IP Master
address: Ukraine, 69078 Kiev, Luteranskaya 28 st.
phone: +38 050 577 65 61

Other sites:

1. Hitstransfer.com
2. Trafficrelocation.com
3. Webnetworksecurity.com

Host: www.securedigitalpayments.com
IP: 209.8.45.153

Whois:

OrgName: Beyond The Network America, Inc.
OrgID: BNA-42
Address: 450 Springpark PL
Address: Suite 100
City: Herdon
StateProv: VA
PostalCode: 20170
Country: US

Whois of securedigitalpayments.com :

Registrant:
Piter Walter
Email: walterplovett@gmail.com
Organization: Private person
Address: 1308 Roosevelt Street
City: Oakland
State: CA
ZIP: 94612
Country: US
Phone: +1.4154495540
Administrative Contact:
Piter Walter
Email: walterplovett@gmail.com
Organization: Private person
Address: 1308 Roosevelt Street
City: Oakland
State: CA
ZIP: 94612
Country: US
Phone: +1.4154495540
Technical Contact:
Piter Walter
Email: walterplovett@gmail.com
Organization: Private person
Address: 1308 Roosevelt Street
City: Oakland
State: CA
ZIP: 94612
Country: US
Phone: +1.4154495540

System Security

Spyware Guard 2008 rogue antivirus application

Tuesday, December 30th, 2008

Spyware Guard 2008 is a rogue antivirus application. To remove this rogue application, together with other viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Spyware Guard 2008


File SpywareGuard2008.exe received on 12.30.2008 14:33:18 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 Rootkit.Win32.TDSS!IK
AhnLab-V3 2008.12.30.2 2008.12.30 -
AntiVir 7.9.0.45 2008.12.30 BDS/Hupigon.Gen
Authentium 5.1.0.4 2008.12.30 -
Avast 4.8.1281.0 2008.12.29 -
AVG 8.0.0.199 2008.12.29 -
BitDefender 7.2 2008.12.30 -
CAT-QuickHeal 10.00 2008.12.30 (Suspicious) - DNAScan
ClamAV 0.94.1 2008.12.30 -
Comodo 837 2008.12.29 -
DrWeb 4.44.0.09170 2008.12.30 -
eSafe 7.0.17.0 2008.12.28 Suspicious File
eTrust-Vet 31.6.6281 2008.12.29 -
Ewido 4.0 2008.12.30 -
F-Prot 4.4.4.56 2008.12.29 -
F-Secure 8.0.14470.0 2008.12.30 Suspicious:W32/Malware!Gemini
Fortinet 3.117.0.0 2008.12.30 -
GData 19 2008.12.30 -
Ikarus T3.1.1.45.0 2008.12.30 Rootkit.Win32.TDSS
K7AntiVirus 7.10.569 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.30 -
McAfee 5478 2008.12.29 -
McAfee+Artemis 5478 2008.12.29 -
Microsoft 1.4205 2008.12.30 -
NOD32 3723 2008.12.30 a variant of Win32/Kryptik.DR
Norman 5.80.02 2008.12.29 -
Panda 9.0.0.4 2008.12.29 -
PCTools 4.4.2.0 2008.12.30 -
Prevx1 V2 2008.12.30 -
Rising 21.10.12.00 2008.12.30 -
SecureWeb-Gateway 6.7.6 2008.12.30 Trojan.Backdoor.Hupigon.Gen
Sophos 4.37.0 2008.12.30 Mal/FakeVirPk-A
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.30 -
TheHacker 6.3.1.4.202 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.30 -
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.29 -
 
Additional information
File size: 68101 bytes
MD5: 1e8c81071f8c89bdf1e6e6fa7ac8b74a
SHA1: b339246475ab885c4a456a38a83b9d049a2a571d
SHA256: 0031f10e24bed59fb737626417ba4fa58234d4a9915ad46db3c6c4cce5968102
SHA512: 30c456ab3d85bc8e6fc4d8c6ffe485b43a597ab470cbb33d772008da30ab6baad3b337ba4d89f4f42228159574653b1c52372e18cde6dc71302a7527f8a2d013
ssdeep: 1536:5RvDhDtWl1wwM2yI9p2YGvkTutt6Ug8m+IvJET:vDhxWl1wwDy2kYGkTutt6vEIhU
PEiD: -
TrID: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x401536
timedatestamp: 0x49587329 (Mon Dec 29 06:50:17 2008)
machinetype: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
text 0x1000 0x17000 0x1200 5.11 a9f98ffe3fd6f661fba0022ff1a26fd2
rdata 0x18000 0xd000 0xb400 8.00 715c8df0b1f73273a6dec98baef64a74
idata 0x25000 0x198 0x600 1.67 c45622a20d4dd078d2faa86dd3fc8dc2
.rsrc 0x26000 0x4000 0x3a00 4.96 249c00c607c8babb4a8d1fa73a816e1a

( 1 imports )
> kernel32.dll: GetConsoleCommandHistoryLengthA, SetCommBreak, SetVDMCurrentDirectories, IsDBCSLeadByteEx, WriteConsoleA, CreateTimerQueueTimer, IsDBCSLeadByte, TerminateJobObject, GetCommandLineA, ExitProcess, GetStartupInfoA

( 0 exports )

Spyware Guard 2008

Whois: sgviralscan.com
IP: 94.247.2.31

Whois:

netname:        ZLKON
descr:          ZlKon
country:        LV
admin-c:        ZK508-RIPE
tech-c:         DES31-RIPE
status:         ASSIGNED PA
mnt-by:         PCEXPRESS-MNT
mnt-lower:      ZLKON-MNT
mnt-routes:     ZLKON-MNT
source:         RIPE # Filtered

role:           ZlKon HostMaster
address:        Lilijas iela 4-74
address:        Riga, LV-1055
address:        Latvija
phone:          +371 26330593

Other sites:


Whois: sgproduct.com
IP: 78.26.179.253

Whois:

netname:        RENOME-SERVICE
descr:          Renome-Service: Joint Multimedia Cable Network
country:        UA
admin-c:        RSM-RIPE
tech-c:         RSM-RIPE
status:         ASSIGNED PA
mnt-by:         RENOME-MNT
mnt-lower:      RENOME-MNT
mnt-routes:     RENOME-MNT
source:         RIPE # Filtered

role:           Renome Service Tech Staff
address:        Kosvennaya str., 78, Odessa, Ukraine, 65000
org:            ORG-RA159-RIPE
phone:          +380487597596
fax-no:         +380487597596
mnt-by:         RENOME-MNT

 

Whois of sgproduct.com:

Registrant:
    Maksi Jelacic
    Email: MaksiJelacic77az@yahoo.com
    Organization: Private person
    Address: Turjaska 51
    City: Lasko
    State: Lasko
    ZIP: Sl1357
    Country: SI
    Phone: +386.49764122
Administrative Contact:
    Maksi Jelacic
    Email: MaksiJelacic77az@yahoo.com
    Organization: Private person
    Address: Turjaska 51
    City: Lasko
    State: Lasko
    ZIP: Sl1357
    Country: SI
    Phone: +386.49764122
Technical Contact:
    Maksi Jelacic
    Email: MaksiJelacic77az@yahoo.com
    Organization: Private person
    Address: Turjaska 51
    City: Lasko
    State: Lasko
    ZIP: Sl1357
    Country: SI
    Phone: +386.49764122
Billing Contact:
    Maksi Jelacic
    Email: MaksiJelacic77az@yahoo.com
    Organization: Private person
    Address: Turjaska 51
    City: Lasko
    State: Lasko
    ZIP: Sl1357
    Country: SI
    Phone: +386.49764122

Spyware Guard 2008


Antivirus 2009 rogue antivirus application

Tuesday, December 30th, 2008

Antivirus 2009 is a rogue antivirus application. To remove this rogue application, together with other viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Antivirus 2009

File Install.exe received on 12.30.2008 14:12:58 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 Virus.Win32.Ups!IK
AhnLab-V3 2008.12.30.2 2008.12.30 -
AntiVir 7.9.0.45 2008.12.30 TR/Crypt.CFI.Gen
Authentium 5.1.0.4 2008.12.30 -
Avast 4.8.1281.0 2008.12.29 Win32:Ups
AVG 8.0.0.199 2008.12.29 -
BitDefender 7.2 2008.12.30 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 837 2008.12.29 -
DrWeb 4.44.0.09170 2008.12.30 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6281 2008.12.29 -
Ewido 4.0 2008.12.30 -
F-Prot 4.4.4.56 2008.12.29 -
F-Secure 8.0.14470.0 2008.12.30 -
Fortinet 3.117.0.0 2008.12.30 -
GData 19 2008.12.30 Win32:Ups
Ikarus T3.1.1.45.0 2008.12.30 Virus.Win32.Ups
K7AntiVirus 7.10.569 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.30 Trojan-Downloader.Win32.FraudLoad.vffa
McAfee 5478 2008.12.29 -
McAfee+Artemis 5478 2008.12.29 -
Microsoft 1.4205 2008.12.30 Trojan:Win32/FakeXPA
NOD32 3723 2008.12.30 -
Norman 5.80.02 2008.12.29 -
Panda 9.0.0.4 2008.12.29 -
PCTools 4.4.2.0 2008.12.30 -
Prevx1 V2 2008.12.30 Fraudulent Security Program
Rising 21.10.12.00 2008.12.30 -
SecureWeb-Gateway 6.7.6 2008.12.30 Trojan.Crypt.CFI.Gen
Sophos 4.37.0 2008.12.30 Mal/FakeAV-I
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.30 AntiVirus2009
TheHacker 6.3.1.4.202 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.30 TROJ_RENOS.ARM
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.29 -
 
Additional information
File size: 122880 bytes
MD5: fdf71fb76f20c333c814b42bbe78e770
SHA1: 4bde41ab62a907176c2a7127a300d322d53b0ebf
SHA256: 0a33393cb255aaaaebd9bd7485e3e572ffe359372d96c75d8a2378bb012d7255
SHA512: b7a188d39f053691477f3ed425d33d477b2e959460aa16fb2e7aa44e49a52c81a8e099ba1287d63e074d355c9f8236a21f5b4ed9ed5c8d0acac932feb4ebe4c2
ssdeep: 1536:2mo51WDrfKXKNaJXjiea/062TVOlBSVil0tHgCGxROrAE3q7VoagHh:2n51W/Sa4jieYXPwilgHvQONa7Voa
PEiD: -
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x401285
timedatestamp: 0x461c692a (Wed Apr 11 04:50:50 2007)
machinetype: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x13ce 0x2000 1.93 e90a4da96bdf4c691cb20a4ea9bdb0a1
.data 0x3000 0x235f11 0x12000 6.73 46aac447ceb18e336e13476735580da0
.tls 0x239000 0xc3 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rdata 0x23a000 0x18 0x1000 0.04 0212d08b7b3688039954d004bebd2823
.idata 0x23b000 0xb21 0x1000 3.97 b97fd674f0952dac0ec7f97289d26f6f
.reloc 0x23c000 0x2bd 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x23d000 0x4ff3 0x5000 4.62 48b7bf282b25a6161ca23b82c52e2753

( 6 imports )
> COMCTL32.DLL: ImageList_ReplaceIcon, ImageList_DrawIndirect, ImageList_GetImageInfo, ImageList_Merge, ImageList_AddMasked, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_BeginDrag, ImageList_DragEnter, ImageList_AddIcon, ImageList_LoadImageW, ImageList_DrawEx, ImageList_LoadImage, ImageList_GetImageCount, ImageList_LoadImageA, ImageList_Create
> USER32.DLL: BlockInput, CalcMenuBar, DialogBoxParamA, AppendMenuW, GetFocus, IsWindow, GetWindowTextLengthA, IsMenu, DrawIconEx, CloseWindow, CopyIcon, DialogBoxParamW, CopyRect, GetMenu, GetDlgItem, EndDialog
> USER32.DLL: LoadCursorA, GetWindowTextA, LoadMenuA, GetDC, AppendMenuW, CreateIcon, IsMenu, CalcMenuBar, GetFocus, InsertMenuA, CopyIcon, DialogBoxParamA, DrawTextA, DrawIcon, DialogBoxParamW, GetWindowTextLengthA, IsWindow, DrawIconEx, CloseWindow, GetMenu, AlignRects
> GDI32.DLL: CloseFigure, DeleteDC, DeleteObject, ClearBrushAttributes, AddFontMemResourceEx, GetBrushOrgEx, CancelDC, GetClipBox, CreateSolidBrush, BeginPath, GetCurrentPositionEx, CopyMetaFileA, RestoreDC, AddFontResourceTracking, AddFontResourceW, GetPixel, AbortPath
> USER32.DLL: CopyIcon, GetDC, CopyRect, DrawTextW, CloseWindow, GetWindowTextA, EndDialog, DrawIcon, DrawIconEx, DialogBoxParamW, GetCursor, AppendMenuW, AppendMenuA, LoadCursorA, CopyImage, GetFocus, LoadMenuA, BlockInput, IsMenu, AlignRects, GetMenu, GetDlgItem, IsWindow
> USER32.DLL: IsMenu, GetDC, DialogBoxParamW, GetWindowTextLengthA, CopyRect, GetCursor, DrawTextA, GetMenu, GetWindowTextA, InsertMenuA, GetDlgItem, DrawIconEx, CloseWindow, CreateIcon, GetFocus, BlockInput, DrawTextW, AppendMenuW, CalcMenuBar, DialogBoxParamA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FA1F4A450036D329E00A012DDDE82A0007534F54
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=fdf71fb76f20c333c814b42bbe78e770

Antivirus 2009

Host: securedwwwclicks.com
IP: 91.211.64.68

Whois:

netname:        Ural-NET
descr:          Ural Industrial Limited Company
country:        RU
org:            ORG-UICL2-RIPE
admin-c:        UIM1-RIPE
tech-c:         UIM1-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         URALCOMP-MNT
mnt-routes:     URALCOMP-MNT
mnt-domains:    URALCOMP-MNT
source:         RIPE # Filtered

organisation:   ORG-UICL2-RIPE
org-name:       Ural Industrial Company
org-type:       OTHER
address:        Russia, 620240 Ekaterinburg, Sofia Kovalevsaja st.
admin-c:        AP10609-RIPE
mnt-ref:        URALCOMP-MNT
mnt-by:         URALCOMP-MNT
source:         RIPE # Filtered

role:           UralNet IP Master
address:        Ukraine, 69078 Kiev, Luteranskaya 28 st.
phone:          +38 050 577 65 61

Host: antivirusprofessionalscan.com
IP: 91.211.64.68

Whois: identical to the record for 91.211.64.68 shown under securedwwwclicks.com above (Ural-NET, Ural Industrial Company).

Host: systemprotectionupdates.com
IP: 212.95.37.241

Whois:

netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822

Host: updatedeliverysystems.com
IP: 91.211.64.68

Whois: identical to the record for 91.211.64.68 shown under securedwwwclicks.com above (Ural-NET, Ural Industrial Company).

Host: systemprotectiondownloads.com
IP: 78.159.119.52

Whois: identical to the netdirekt e.K. (NETDIRECT-NET) record shown under systemprotectionupdates.com above.

Host: protectedonlinepayments.com
IP: 91.211.64.68

Whois: identical to the record for 91.211.64.68 shown under securedwwwclicks.com above (Ural-NET, Ural Industrial Company).

Whois of protectedonlinepayments.com:

Registrant Contact:
   Privat person
   Igor Popov stats2damains@lycos.com
   +33491858954 fax: +33491858954
   Rue la produit 642
   Marseille Marseille 13002
   fr

Administrative Contact:
   Igor Popov stats2damains@lycos.com
   +33491858954 fax: +33491858954
   Rue la produit 642
   Marseille Marseille 13002
   fr

Technical Contact:
   Igor Popov stats2damains@lycos.com
   +33491858954 fax: +33491858954
   Rue la produit 642
   Marseille Marseille 13002
   fr

Billing Contact:
   Igor Popov stats2damains@lycos.com
   +33491858954 fax: +33491858954
   Rue la produit 642
   Marseille Marseille 13002
   fr

Antivirus 2009


Antivirus 2009 rogue antivirus application

Tuesday, December 9th, 2008

Antivirus 2009 is a rogue antivirus application. To remove this rogue application, together with other viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Antivirus 2009

 

File exclusivemovie.1212.exe received on 12.09.2008 17:22:30 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 TR/Dldr.Zlob.imk
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.09 -
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 Suspicious File
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.08 -
F-Secure 8.0.14332.0 2008.12.09 Trojan-Downloader.Win32.Agent.atlu
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 Trojan-Downloader.Win32.Agent.atlu
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 -
NOD32 3676 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 Malware Dropper
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 Trojan.Dldr.Zlob.imk
Sophos 4.36.0 2008.12.09 Troj/DwnLdr-HLR
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 Possible_DLDER
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 Dropper.Agent.66560.D
VirusBuster 4.5.11.0 2008.12.09 -
 
Additional information
File size: 66560 bytes
MD5: e24b67c9e5f7bb2c9d1e15eafee9f329
SHA1: 0b3c238fc6bdf8cd469bc377b4f5bfa3e23a705f
SHA256: 1df0e73f40d49e9497e39bb1931dab84606ba0e309b3a10b03e858ba029d194b
SHA512: 7ab32711fa2ab4a614248eb1e2e2d9a2887b3efddef261f85dea2caf9c0f063f001231816f8d59687827d35163dc832e5df6d1d5e7c57b00fcb13636fd3eab60
ssdeep: 1536:b9/+qo7X7Q1N4PpQ2iHzNb3vSkdaZcPvQRcCefymztRe:blJ0EIRQ2iJ5daiPvQR6qmhR
PEiD: -
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
 
 
 
 

Antivirus 2009


File InstallAVv_77100106.exe received on 12.09.2008 17:22:36 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 -
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.09 Win32/Heur
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 Suspicious File
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.08 -
F-Secure 8.0.14332.0 2008.12.09 -
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 Trojan:Win32/FakeXPA
NOD32 3676 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 -
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 -
Sophos 4.36.0 2008.12.09 Sus/Behav-297
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 PAK_Generic.001
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 -
VirusBuster 4.5.11.0 2008.12.09 -
 
Additional information
File size: 90112 bytes
MD5: c5135fdf2bd0cf512b034607cdaf3bde
SHA1: 303bd94d484830cd729fb58bd7979152d13ab788
SHA256: bb22d1f01e882196c820cb6d528ecabde3fc23f6bbfe2b93477893022956402e
SHA512: a8d0cc17a38f9fb5e6fbfd0bce6df2780a6e6c154d4997455cf842c5fb93caaffa8d22902e6e3c8f89d39ce2418f98dd557ac927040f83977b9a22f4818082bb
ssdeep: 1536:M3q7VoagHfSTDFHVs9aur8It+Ah83mOxHIRp21OaBreBbMzXH8MV:Ma7VoaN/FHVQao88+wpT8MID
PEiD: -
TrID: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

Antivirus 2009

Host: allcooltubeshere.com
IP: 89.149.228.200

Whois:

netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de
nic-hdl:      WW200-RIPE
mnt-by:       NETDIRECT-MNT
source:       RIPE # Filtered

Other sites:

1) 69-tube-69.com
2) Megasexytube.com
3) Super-av-scanner.com

Host: codecdownload.allcleanfileshere.com
IP: 91.203.93.81

Whois: identical to the netdirekt e.K. (NETDIRECT-NET) record shown under allcooltubeshere.com above.

Other sites:

1)  3d-softportal.com
2) 3d-softportal.net
3) Allfilesherefordownload.com

Host: advancedproscan.com
IP: 69.10.44.207

Whois:
 
Interserver, Inc INTERSERVER

 
Host: protectedpaymentsite.com
IP: 209.8.45.117

Whois:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

 
Host: microsoft.protectionsoftwaredownload.com
IP: 89.149.241.106

Whois:

inetnum:        89.149.241.0 - 89.149.244.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
 
Host: softwareservicebilling.com
IP: 63.219.177.214

Whois: identical to the Beyond The Network America, Inc. (BNA-42) record shown under protectedpaymentsite.com above.

Antivirus 2009


WinDefender 2009 rogue antivirus application

Monday, December 8th, 2008

WinDefender 2009 is a rogue antivirus application. To remove this rogue application, together with other viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Windefender 2009


File c-setup.exe received on 12.08.2008 17:57:01 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.06 -
AntiVir 7.9.0.42 2008.12.08 TR/Dldr.JLBO.1
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2008.12.07 SHeur2.FIQ
BitDefender 7.2 2008.12.07 Trojan.Downloader.JLBO
CAT-QuickHeal 10.00 2008.12.08 -
ClamAV 0.94.1 2008.12.07 -
Comodo 708 2008.12.08 -
DrWeb 4.44.0.09170 2008.12.07 -
eSafe 7.0.17.0 2008.12.08 Suspicious File
eTrust-Vet 31.6.6246 2008.12.05 -
Ewido 4.0 2008.12.07 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.08 Trojan-Downloader.Win32.Agent.atgo
Fortinet 3.117.0.0 2008.12.07 -
GData 19 2008.12.07 Trojan.Downloader.JLBO
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.548 2008.12.08 -
Kaspersky 7.0.0.125 2008.12.07 -
McAfee 5456 2008.12.06 -
McAfee+Artemis 5456 2008.12.06 -
Microsoft 1.4205 2008.12.08 TrojanDownloader:Win32/Renos.FS
NOD32 3670 2008.12.08 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.07 -
PCTools 4.4.2.0 2008.12.08 -
Prevx1 V2 2008.12.08 -
Rising 21.07.02.00 2008.12.08 -
SecureWeb-Gateway 6.7.6 2008.12.08 Trojan.Dldr.JLBO.1
Sophos 4.36.0 2008.12.07 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.07 Trojan.Dropper
TheHacker 6.3.1.2.179 2008.12.06 -
TrendMicro 8.700.0.1004 2008.12.08 PAK_Generic.001
VBA32 3.12.8.10 2008.12.07 -
ViRobot 2008.12.6.1504 2008.12.06 -
VirusBuster 4.5.11.0 2008.12.08 -
 
Additional information
File size: 63495 bytes
MD5...: 06772f1d4e28d4538a55be97d2ed4d5c
SHA1..: e7cd8823c0aaa03d179b62118d7f01bcddc39258
SHA256: 5593d8490c53d0dfd2d61b5228cd568aa279b1e8c40ee6eee04ce09756392bbf
SHA512: 1e86cf6ac3a729ed074bbaaf4ee13f10c01dcee84f642a6bc68a254869acbc099c2e204f8c671cc06c6cd3f2b4b9637a6ba09004642b1ac33f562efee4de57d3
ssdeep: 1536:/fjQtATi+FDfXsKA2p2v97RybohyjWgX5PtXhSMImX8/nld:/fkaFTjMtRyDjR5PtVXGL
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda’s Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x42e850
timedatestamp.....: 0x493a487d (Sat Dec 06 09:40:13 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1f000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x20000 0xf000 0xea00 7.91 fd0b077a24c66653d04940314339e1f9
.rsrc 0x2f000 0x1000 0xa00 3.23 1463387eba52b777fed496dfedf57a60

( 4 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> SHELL32.dll: ShellExecuteA
> USER32.dll: RegisterClassA

( 0 exports )

packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX

Windefender 2009

File WinDefender2009.exe received on 12.08.2008 17:59:01 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.6.0 2008.12.06 -
AntiVir 7.9.0.42 2008.12.08 -
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.07 -
BitDefender 7.2 2008.12.07 -
CAT-QuickHeal 10.00 2008.12.08 -
ClamAV 0.94.1 2008.12.07 -
Comodo 708 2008.12.08 -
DrWeb 4.44.0.09170 2008.12.07 -
eSafe 7.0.17.0 2008.12.08 Suspicious File
eTrust-Vet 31.6.6246 2008.12.05 -
Ewido 4.0 2008.12.07 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.08 -
Fortinet 3.117.0.0 2008.12.07 -
GData 19 2008.12.07 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.548 2008.12.08 -
Kaspersky 7.0.0.125 2008.12.07 -
McAfee 5456 2008.12.06 -
McAfee+Artemis 5456 2008.12.06 -
Microsoft 1.4205 2008.12.08 Trojan:Win32/Delflob.I
NOD32 3670 2008.12.08 -
Norman 5.80.02 2008.12.05 -
Panda 9.0.0.4 2008.12.07 -
PCTools 4.4.2.0 2008.12.08 -
Prevx1 V2 2008.12.08 Malicious Software
Rising 21.07.02.00 2008.12.08 -
SecureWeb-Gateway 6.7.6 2008.12.08 -
Sophos 4.36.0 2008.12.07 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.07 -
TheHacker 6.3.1.2.179 2008.12.06 -
TrendMicro 8.700.0.1004 2008.12.08 -
VBA32 3.12.8.10 2008.12.07 -
ViRobot 2008.12.6.1504 2008.12.06 -
VirusBuster 4.5.11.0 2008.12.08 -
 
Additional information
File size: 4230473 bytes
MD5...: 54c9b9d46c347e8fb8bec5219e2c86d3
SHA1..: 5e8861adb6e895a8b1d6f8305d264e49600fb666
SHA256: 971c63bb70a3e205c39ee4182eeaf4df51e29ec61e046587e5c519a70708ca56
SHA512: eb849356568b4b1d20068e29f81b9f2bc73c9b918c8e5f808cd0bef75f47e4272374645b722adfa8cc8b4f36d5c37cbccc05a601b92d76b31c9d65ed1a719af6
ssdeep: 98304:7QnfsjcEWUHTIByH9KUWR6+wM/0o7z1i/q2Fe:7TBWUkMH9ew7szvOe
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda’s Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7c71f0
timedatestamp.....: 0x4878f222 (Sat Jul 12 18:04:18 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x3c1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x3c2000 0x6000 0x5400 7.60 81bcef94706f2b072e72e8ff8ac248bc
.rsrc 0x3c8000 0x1a000 0x19800 7.50 3d4fd873ad9988df0d5b81c8a7da0aa2

( 8 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegEnumKeyA
> COMCTL32.dll: -
> GDI32.dll: SetBkMode
> ole32.dll: CoTaskMemFree
> SHELL32.dll: ShellExecuteA
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4F9577C849C502658DBC40F2671E0B00DF87BB08
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch
packers (F-Prot): UPX

Windefender 2009

Host: videopreviewshow.com
IP: 91.203.93.25

Whois:

inetnum:        91.203.93.1 - 91.203.93.128
netname:        ZHITOMIR-NET
descr:          pool for co-location customers
country:        UA
admin-c:        ML7676-RIPE
tech-c:         ML7676-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
source:         RIPE # Filtered

person:         Mark Liberman
address:        Kiev, Ukraine
e-mail:         m.liberman@uatelecom.com.ua
phone:          +380963801326
nic-hdl:        ML7676-RIPE
source:         RIPE # Filtered

Other sites on this IP:

1.  Archiveviewsoftware.com 
2.  Gensoftdownload.com 
3.  Softwareformyvideo.com 
4.  Videopreviewshow.com 

Host: lookfornewsoftware.com
IP: 91.203.92.99

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT

 

Other sites on this IP:

1.  Lookfornewsoftware.com 
2.  Megauplinkbindinstaller.com 
3.  Systemerroronline.com 
4.  Theupdatedownload.com 

Host: megauplinkbindinstaller.com
IP: 91.203.92.99

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT

Host: win-defender-2009.com
IP: 91.203.92.100

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        * abuse@uatelecom.com.ua                        *
remarks:        *************************************************

Other sites on this IP:

1.  Thesystemcheck.com 
2.  Win-defender-2009.com 

Windefender 2009

Antivirus 2009 rogue antivirus application

Wednesday, November 19th, 2008

Antivirus 2009 is a rogue antivirus application. To remove that rogue application, viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Antivirus 2009

File v-codec.123.exe received on 11.19.2008 16:23:57 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.19 -
AntiVir 7.9.0.34 2008.11.19 -
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.18 -
AVG 8.0.0.199 2008.11.19 -
BitDefender 7.2 2008.11.19 -
CAT-QuickHeal 10.00 2008.11.19 -
ClamAV 0.94.1 2008.11.19 -
DrWeb 4.44.0.09170 2008.11.19 -
eSafe 7.0.17.0 2008.11.18 Suspicious File
eTrust-Vet 31.6.6216 2008.11.19 -
Ewido 4.0 2008.11.19 -
F-Prot 4.4.4.56 2008.11.18 -
F-Secure 8.0.14332.0 2008.11.19 -
Fortinet 3.117.0.0 2008.11.19 -
GData 19 2008.11.19 -
Ikarus T3.1.1.45.0 2008.11.19 Trojan-Downloader.Win32.CodecPack
K7AntiVirus 7.10.527 2008.11.18 -
Kaspersky 7.0.0.125 2008.11.19 -
McAfee 5438 2008.11.18 -
Microsoft 1.4104 2008.11.19 TrojanDownloader:Win32/Renos.BAH
NOD32 3624 2008.11.19 Win32/TrojanDownloader.Zlob.CVG
Norman 5.80.02 2008.11.19 -
Panda 9.0.0.4 2008.11.19 -
PCTools 4.4.2.0 2008.11.19 -
Prevx1 V2 2008.11.19 Malware Dropper
Rising 21.04.22.00 2008.11.19 -
SecureWeb-Gateway 6.7.6 2008.11.19 -
Sophos 4.35.0 2008.11.19 Troj/Dloadr-CAG
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.19 Downloader
TheHacker 6.3.1.1.158 2008.11.19 -
TrendMicro 8.700.0.1004 2008.11.19 Possible_DLDER
VBA32 3.12.8.9 2008.11.19 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.18 -
 
Additional information
File size: 50176 bytes
MD5...: eec2d22e39d75355539f7eb7ff384fc2
SHA1..: 0ba883d406a51f5194c1ea5df2f8d78f02a30342
SHA256: b396ab2fc5128eb3643b0e483bcefe146c2fc855e3658eba7ab2b83df1b81860
SHA512: a3f42f426d7df0688984b57c89953cafab9432fc91793328c0385bbb2b471e3a4897f4fc4efa6045e9181df30d74f40d34bcbf23d6e7a4ca0e4ca01aa2386270
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=45B34567006772C7C4750054B66A1E00137572E3

Antivirus 2009

File A9installertest_77100102.exe received on 11.19.2008 16:24:06 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.19 -
AntiVir 7.9.0.34 2008.11.19 -
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.18 -
AVG 8.0.0.199 2008.11.19 -
BitDefender 7.2 2008.11.19 -
CAT-QuickHeal 10.00 2008.11.19 -
ClamAV 0.94.1 2008.11.19 -
DrWeb 4.44.0.09170 2008.11.19 -
eSafe 7.0.17.0 2008.11.18 -
eTrust-Vet 31.6.6216 2008.11.19 -
Ewido 4.0 2008.11.19 -
F-Prot 4.4.4.56 2008.11.18 -
F-Secure 8.0.14332.0 2008.11.19 -
Fortinet 3.117.0.0 2008.11.19 -
GData 19 2008.11.19 -
Ikarus T3.1.1.45.0 2008.11.19 -
K7AntiVirus 7.10.527 2008.11.18 -
Kaspersky 7.0.0.125 2008.11.19 -
McAfee 5438 2008.11.18 -
Microsoft 1.4104 2008.11.19 Trojan:Win32/FakeXPA
NOD32 3624 2008.11.19 -
Norman 5.80.02 2008.11.19 -
Panda 9.0.0.4 2008.11.19 -
PCTools 4.4.2.0 2008.11.19 -
Prevx1 V2 2008.11.19 -
Rising 21.04.22.00 2008.11.19 -
SecureWeb-Gateway 6.7.6 2008.11.19 -
Sophos 4.35.0 2008.11.19 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.19 -
TheHacker 6.3.1.1.158 2008.11.19 -
TrendMicro 8.700.0.1004 2008.11.19 -
VBA32 3.12.8.9 2008.11.19 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.18 -
 
Additional information
File size: 163840 bytes
MD5...: b58b7c0fca632601b7b6f22faf0c73ac
SHA1..: ea50267f8ccdb033d3b1a2c060cc238f084e23fa
SHA256: a67e4fe36e60fbe3db906591fbede08bae239c1afb55ebc715879e57d621debf
SHA512: e4f4a17190f92e9371ce6aa2e74bf4dc016c30071e4a061ff6dbac116a41e15dbd64b95d9b4545b4b85ff07259a77158df2970c67d595db304cf368b0bfedc55
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

Host: imp-porntube.net
IP: 64.27.28.224

Whois:

OrgName:    Hollywood Interactive, Inc.
OrgID:      HLWD
Address:    600 W. 7th Street, Ste. 360
City:       Los Angeles
StateProv:  CA
PostalCode: 90017
Country:    US

NetRange:   64.27.0.0 - 64.27.31.255
CIDR:       64.27.0.0/19
NetName:    HOLLYWOOD-INTERACTIVE
NetHandle:  NET-64-27-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.CALPOP.COM
NameServer: NS2.CALPOP.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-01-10
Updated:    2004-09-13

RNOCHandle: CNO4-ARIN
RNOCName:   CalPOP Network Operations
RNOCPhone:  +1-213-627-1937
RNOCEmail:   noc@calpop.com

Other sites:

1.  Celebs4you-online2008.com 
2.  I-av-sscan2009.com 
3.  Imp-porntube.net 

Host: antivirusdefense.com
IP: 69.10.44.207

Whois:

OrgName:    Interserver, Inc
OrgID:      INTER-83
Address:    110 Meadowlands Pkwy
Address:    1st Floor
City:       Secaucus
StateProv:  NJ
PostalCode: 07094
Country:    US

Host: www.win-security-scanner.org
IP: 115.126.5.92

Whois:

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

Other sites:

1.  Spy-protector.org 
2.  Win-security-scanner.org 
3.  Spy-protector.biz 

Host: powerfulvirusremover2008.com
IP: 77.245.61.80

Whois:

descr:          Webair Internet Development company, Inc
country:        NL
org:            ORG-RII1-RIPE
admin-c:        RIIS1-RIPE
tech-c:         RIIS1-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      GLOBALAXS-MNT
mnt-lower:      WEBAIRINC-MTL
mnt-domains:    MNT-RECURRING
mnt-routes:     MNT-RECURRING
source:         RIPE # Filtered

organisation:   ORG-RII1-RIPE
org-name:       Webair Internet Development company, Inc
org-type:       LIR
address:        Recurring International Inc
                Sagi Brody
                REDBUS INTERHOUSE (NETHERLANDS) B V GYROSCOOPWEG 2E
                AB 1042 AMSTERDAM
                Netherlands
phone:          +31 20 4804400
fax-no:         +15169385100

Other sites:

1.  Mysecureexpertcleaner.com 
2.  Pcvirusremover2008.com 
3.  Powerfulvirusremover2008.com 
4.  Prosecureexpertcleaner.com 
5.  Prosecureexpertcleanerpro.com 
6.  Registrydoctor2008-online.com 
7.  Registrydoctor2008-pro.com 
8.  Registrydoctor2008-scan.com 
9.  Registrydoctor2008.com 
10.  Registrydoctorpro2008.com 
11.  Secureexpertcleaner.com 
12.  Securefileshred.com 
13.  Securefileshredder.com 
14.  Securefileshredder2009.com 
15.  Securefilesshred.com 
16.  Securefilesshredder.com 
17.  Strongvirusremover2008.com 
18.  Supersecurefileshredder.com 
19.  Topregistrydoctor2008.com 
20.  Virusremover2008flash.com 
21.  Virusremover2008plus.com 
22.  Winsecureexpertcleaner.com 
23.  Yoursecureexpertcleaner.com 

Host: official-antivirus2009.com
IP: 84.243.196.136

Whois:

org-name:       PortNAP Internet Services
org-type:       OTHER
address:        Beverwaardseweg 232
address:        3077GD Rotterdam
address:        The Netherlands
phone:          +31.612928606
mnt-ref:        GFX-MNT
mnt-by:         GFX-MNT
source:         RIPE # Filtered

role:           GrafiX NOC
org:            ORG-GIB1-RIPE
address:        GrafiX Internet B.V.
address:        Stationsplein 20
address:        2907 MJ  Capelle aan den IJssel
phone:          +31 10 2640210
fax-no:         +31 10 2640211

Host: softwarebillingservice.com
IP: 63.219.177.214

Whois of softwarebillingservice.com

Registration Service Provided By: ERDOMAIN.COM
Contact: +49.3036741521
Website: http://www.erdomain.com

Domain Name: SOFTWAREBILLINGSERVICE.COM

Registrant:
    N/A
    Viktor Temchenko        (temchenkoviktor@googlemail.com)
    Pr. Geroev Tryda
    Kharkov
    Kharkiv Oblast,01001
    UA
    Tel. +380.936328480

Creation Date: 03-Nov-2008
Expiration Date: 03-Nov-2009

Whois of 63.219.177.214

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

Antivirus 2009

Antivirus 2009 from Pandora software

Antivirus 2009

Windefender 2009 rogue antivirus application

Tuesday, November 18th, 2008

Windefender 2009 is a rogue antivirus application. To remove that rogue application, viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Windefender 2009

File c-setup.exe received on 11.18.2008 18:08:03 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.18 -
AntiVir 7.9.0.31 2008.11.18 TR/BHO.Gen
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.18 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2008.11.18 Downloader.Zlob_r.DQ
BitDefender 7.2 2008.11.18 Trojan.BHO.Agent.AL
CAT-QuickHeal 10.00 2008.11.18 -
ClamAV 0.94.1 2008.11.18 -
DrWeb 4.44.0.09170 2008.11.18 Trojan.MulDrop.23099
eSafe 7.0.17.0 2008.11.18 Suspicious File
eTrust-Vet 31.6.6210 2008.11.14 -
Ewido 4.0 2008.11.18 -
F-Prot 4.4.4.56 2008.11.18 -
F-Secure 8.0.14332.0 2008.11.18 Trojan-Dropper.Win32.Agent.zsl
Fortinet 3.117.0.0 2008.11.18 -
GData 19 2008.11.18 Trojan.BHO.Agent.AL
Ikarus T3.1.1.45.0 2008.11.18 -
K7AntiVirus 7.10.527 2008.11.18 -
Kaspersky 7.0.0.125 2008.11.18 Trojan-Dropper.Win32.Agent.zsl
McAfee 5437 2008.11.17 -
Microsoft 1.4104 2008.11.17 TrojanDownloader:Win32/Renos.DU
NOD32 3622 2008.11.18 a variant of Win32/Adware.IeDefender.NHN
Norman 5.80.02 2008.11.18 W32/DLoader.KWIR
Panda 9.0.0.4 2008.11.17 Suspicious file
PCTools 4.4.2.0 2008.11.18 -
Prevx1 V2 2008.11.18 -
Rising 21.04.12.00 2008.11.18 -
SecureWeb-Gateway 6.7.6 2008.11.18 Trojan.BHO.Gen
Sophos 4.35.0 2008.11.18 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.18 Downloader
TheHacker 6.3.1.1.157 2008.11.18 -
TrendMicro 8.700.0.1004 2008.11.18 PAK_Generic.001
VBA32 3.12.8.9 2008.11.18 -
ViRobot 2008.11.18.1474 2008.11.18 Dropper.Agent.57351
VirusBuster 4.5.11.0 2008.11.18 Trojan.Renos.Gen.16
 
Additional information
File size: 57351 bytes
MD5...: 1a9583d617ff88abc9545a3900236157
SHA1..: 4094537a779cf871c5093cc56db6cfc026ea72f6
SHA256: 9f98c152410921131b66771f600b719b4719d4b715d09668f85ea60ac77f133d
SHA512: da13cd6ed92b20e0d448f93267a40a12b7f663ade1e2be7f3cdc188058a0d58c36e34f0243a7213ee6ce347e3e4753d36a2fcdaefad4e5706a9cf2c050beeb5f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda’s Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x429360
timedatestamp.....: 0x491fe9c9 (Sun Nov 16 09:37:13 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1d000 0xd000 0xc600 7.86 296d10f178fd443321b930fe12aedbdd
.rsrc 0x2a000 0x2000 0x1600 3.31 251ab64ce46cbb40a0ae5643b8a4fd11

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> SHELL32.dll: ShellExecuteA

( 0 exports )

packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX

Windefender 2009

File WinDefender2009.exe received on 11.18.2008 18:11:48 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.18 -
AntiVir 7.9.0.31 2008.11.18 DR/Fraud.WinDefender.2009
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.18 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2008.11.18 Generic3.ADNC
BitDefender 7.2 2008.11.18 Trojan.Generic.1133460
CAT-QuickHeal 10.00 2008.11.18 -
ClamAV 0.94.1 2008.11.18 -
DrWeb 4.44.0.09170 2008.11.18 Trojan.Fakealert.2116
eSafe 7.0.17.0 2008.11.18 -
eTrust-Vet 31.6.6209 2008.11.14 -
Ewido 4.0 2008.11.18 -
F-Prot 4.4.4.56 2008.11.18 -
F-Secure 8.0.14332.0 2008.11.18 FraudTool.Win32.WinDefender.2009
Fortinet 3.117.0.0 2008.11.18 -
GData 19 2008.11.18 Trojan.Generic.1133460
Ikarus T3.1.1.45.0 2008.11.18 Trojan.Win32.Delflob.I
K7AntiVirus 7.10.527 2008.11.18 -
Kaspersky 7.0.0.125 2008.11.18 not-a-virus:FraudTool.Win32.WinDefender.2009
McAfee 5437 2008.11.17 -
Microsoft 1.4104 2008.11.17 Trojan:Win32/Delflob.I
NOD32 3622 2008.11.18 probably a variant of Win32/Adware.IeDefender.NHA
Norman 5.80.02 2008.11.18 -
Panda 9.0.0.4 2008.11.17 Adware/WinDefender2009
PCTools 4.4.2.0 2008.11.18 -
Prevx1 V2 2008.11.18 -
Rising 21.04.12.00 2008.11.18 -
SecureWeb-Gateway 6.7.6 2008.11.18 Trojan.Dropper.Fraud.WinDefender.2009
Sophos 4.35.0 2008.11.18 IE Defender
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.18 WinDefender
TheHacker 6.3.1.1.157 2008.11.18 -
TrendMicro 8.700.0.1004 2008.11.18 -
VBA32 3.12.8.9 2008.11.18 Hoax.Win32.WinDefender2009
ViRobot 2008.11.18.1474 2008.11.18 Adware.WinDefender.R.1726125
VirusBuster 4.5.11.0 2008.11.18 -
 
Additional information
File size: 1726125 bytes
MD5...: 9f74ce5fb169ae4a78d1d3fca0c4768e
SHA1..: 31f7ef93e02394baa92f3f4aee84f907755580f8
SHA256: 1c53eb545a96cd85f68a0bd2b7b08d6b44e7f05a465f97a40bb2932e6b2da1a0
SHA512: 1542a404860a9b10248cd6bcf53b9e98eae73abd86c8983d23811da322ef3454362053944c853930f667c3868d71311c693e7d893080364a41ddd7ba8340e727
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=9f74ce5fb169ae4a78d1d3fca0c4768e

Windefender 2009

Host: mymostprivatevideo.com
IP: 78.157.141.6

Whois:

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv
admin-c:        AS28817-RIPE
admin-c:        MS16883-RIPE
tech-c:         AS28817-RIPE
nic-hdl:        UNHM-RIPE
mnt-by:         UN-MNT
source:         RIPE # Filtered

Host: windefender-2009.com
IP: 200.63.45.55

Whois:

status:      reallocated
owner:       Ricardo Carreras
ownerid:     HN-RICA-LACNIC
responsible: Honduras Web
address:     P.O.Box: 1142 La Ceiba, #37 street., 1142, 37
address:     00000 - Tegucigalpa - TE
country:     HN
phone:       +504  9815-3645 []
owner-c:     RIC9
tech-c:      RIC9
abuse-c:     RIC9
created:     20080630
changed:     20080630
inetnum-up:  200.63.40/21

nic-hdl:     RIC9
person:      Ricardo Carreras
e-mail:      hn-rica@ONLINEABUSECENTER.COM

Host: windefender2009.com
IP:  200.63.45.132

Whois:

status:      reallocated
owner:       Ricardo Carreras
ownerid:     HN-RICA-LACNIC
responsible: Honduras Web
address:     P.O.Box: 1142 La Ceiba, #37 street., 1142, 37
address:     00000 - Tegucigalpa - TE
country:     HN
phone:       +504  9815-3645 []
owner-c:     RIC9
tech-c:      RIC9
abuse-c:     RIC9
created:     20080630
changed:     20080630
inetnum-up:  200.63.40/21

nic-hdl:     RIC9
person:      Ricardo Carreras
e-mail:      hn-rica@ONLINEABUSECENTER.COM

Windefender 2009

PRO Antispyware 2009 rogue antispyware application

Tuesday, November 18th, 2008

PRO Antispyware 2009 is a rogue antispyware application. To remove that rogue application, viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Pro Antispyware 2009

File setup_225_7777_.exe received on 11.18.2008 12:09:21 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.18 -
AntiVir 7.9.0.31 2008.11.18 -
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.17 -
AVG 8.0.0.199 2008.11.17 -
BitDefender 7.2 2008.11.18 -
CAT-QuickHeal 10.00 2008.11.18 -
ClamAV 0.94.1 2008.11.18 -
DrWeb 4.44.0.09170 2008.11.18 -
eSafe 7.0.17.0 2008.11.17 -
eTrust-Vet 31.6.6210 2008.11.14 -
Ewido 4.0 2008.11.17 -
F-Prot 4.4.4.56 2008.11.17 W32/SuspPack.H.gen!Eldorado
F-Secure 8.0.14332.0 2008.11.18 -
Fortinet 3.117.0.0 2008.11.18 -
GData 19 2008.11.18 -
Ikarus T3.1.1.45.0 2008.11.18 -
K7AntiVirus 7.10.526 2008.11.15 -
Kaspersky 7.0.0.125 2008.11.18 -
McAfee 5437 2008.11.17 -
Microsoft 1.4104 2008.11.17 Program:Win32/WinSpywareProtect
NOD32 3621 2008.11.18 -
Norman 5.80.02 2008.11.17 -
Panda 9.0.0.4 2008.11.17 Suspicious file
PCTools 4.4.2.0 2008.11.17 -
Prevx1 V2 2008.11.18 -
Rising 21.04.12.00 2008.11.18 -
SecureWeb-Gateway 6.7.6 2008.11.18 -
Sophos 4.35.0 2008.11.18 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.18 -
TheHacker 6.3.1.1.157 2008.11.18 -
TrendMicro 8.700.0.1004 2008.11.18 -
VBA32 3.12.8.9 2008.11.17 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.17 -
 
Additional information
File size: 114688 bytes
MD5...: 5113da8324f92352294aee4f47a532b2
SHA1..: fc2bd52925959ee5061e412d12754ccc120d7925
SHA256: 9506866e9b3cda9e1867c34e091dc1c662032395e1dcf857627fa31547c76bd3
SHA512: ddb22cefe217431451134787847b8fc7b697bb154778cb41b63bc0d2caa70aa66d544bb2cf0b89c06d47ba7c56345b0408ac08354e44eddd0e20e17ca74a822e
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

Pro Antispyware 2009

Host: scan.scannerantispyware.com
IP: 78.26.179.233

Whois:

role:           Renome Service Tech Staff
address:        Kosvennaya str., 78, Odessa, Ukraine, 65000
org:            ORG-RA159-RIPE
phone:          +380487597596
fax-no:         +380487597596
mnt-by:         RENOME-MNT
abuse-mailbox:  abuse@odessa.tv
admin-c:        WU-RIPE
admin-c:        GA-RIPE
tech-c:         WU-RIPE
nic-hdl:        RSM-RIPE
source:         RIPE # Filtered

 

Host: files.download-antispyware.com
IP: 78.157.142.81

Whois:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.info
country:        LV
admin-c:        AV2990-RIPE
tech-c:         AV2990-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

person:         Arturs Vavilovs
address:        Riga
phone:          +371 29653077
e-mail:         admin@vdhost.info
nic-hdl:        AV2990-RIPE
mnt-by:         UN-MNT
source:         RIPE # Filtered

Host: sales.proantispyware-2009-buy.com
IP: 216.195.42.226

Whois:

OrgName:    APS Telecom
OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

Host: secure.websecurebilling.com
IP: 209.8.45.146

Whois of websecurebilling.com:

  Domain Name: WEBSECUREBILLING.COM
   Registrar: REGTIME LTD.
   Whois Server: whois.regtime.net
   Referral URL: http://www.webnames.ru
   Name Server: NS1.WEBSECUREBILLING.COM
   Name Server: NS2.WEBSECUREBILLING.COM
   Status: ok
   Updated Date: 11-nov-2008
   Creation Date: 07-nov-2008
   Expiration Date: 07-nov-2009
  
Whois 209.8.45.146:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

Pro Antispyware 2009

PRO Antispyware 2009 from Pandora software

Pro Antispyware 2009

Antispyware PRO XP rogue antispyware application

Monday, November 17th, 2008

Antispyware PRO XP is a rogue antispyware application. To remove that rogue application, viruses and spyware, use Cesam Anti-Malware - http://cleanthe.net/how-to-remove-virus/

Antispyware PRO XP

File setup_100525_3_.exe received on 11.17.2008 18:37:56 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.0 2008.11.17 -
AntiVir 7.9.0.31 2008.11.17 -
Authentium 5.1.0.4 2008.11.17 -
Avast 4.8.1281.0 2008.11.16 -
AVG 8.0.0.199 2008.11.17 -
BitDefender 7.2 2008.11.17 -
CAT-QuickHeal 10.00 2008.11.15 -
ClamAV 0.94.1 2008.11.17 -
DrWeb 4.44.0.09170 2008.11.17 -
eSafe 7.0.17.0 2008.11.17 -
eTrust-Vet 31.6.6210 2008.11.14 -
Ewido 4.0 2008.11.17 -
F-Prot 4.4.4.56 2008.11.17 W32/SuspPack.H.gen!Eldorado
F-Secure 8.0.14332.0 2008.11.17 -
Fortinet 3.117.0.0 2008.11.15 -
GData 19 2008.11.17 -
Ikarus T3.1.1.45.0 2008.11.17 -
K7AntiVirus 7.10.526 2008.11.15 -
Kaspersky 7.0.0.125 2008.11.17 -
McAfee 5436 2008.11.16 -
Microsoft 1.4104 2008.11.17 Program:Win32/WinSpywareProtect
NOD32 3618 2008.11.17 -
Norman 5.80.02 2008.11.14 -
Panda 9.0.0.4 2008.11.16 Suspicious file
PCTools 4.4.2.0 2008.11.17 -
Prevx1 V2 2008.11.17 -
Rising 21.04.02.00 2008.11.17 -
SecureWeb-Gateway 6.7.6 2008.11.17 -
Sophos 4.35.0 2008.11.17 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.17 -
TheHacker 6.3.1.1.155 2008.11.15 -
TrendMicro 8.700.0.1004 2008.11.17 -
VBA32 3.12.8.9 2008.11.17 -
ViRobot 2008.11.17.1472 2008.11.17 -
VirusBuster 4.5.11.0 2008.11.17 -
 
Additional information
File size: 122880 bytes
MD5...: cbcaa0f14b3ad25036a0e8042fe0e9d5
SHA1..: ecea91c245222dc67eb5818d6986169a6d7725f1
SHA256: 1af2c9791b8fe7698871249cf9ee6838ee9997e846b2f901a2d1d1bb0c2ea74c
SHA512: 06d550cbee18719b4d34a5bade7b0001da93fb680e4191caac796e711fb356859ef5136e0070e91893cd40d78c1bf7800ae71a3f30754ae160ec0facaa02fc43
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

Antispyware PRO XP

Host: scan.antispyware-free-scanner.com
IP: 78.26.179.230

Whois:

organisation:   ORG-RA159-RIPE
org-name:       Renome-Service
org-type:       LIR
descr:          Renome-Service: Joint Multimedia Cable Network
address:        Renome Service
                Andrew Gaidulyan
                Kosvennaya str., 78
                65000 Odessa
                UKRAINE
phone:          +3 80487597596
fax-no:         +3 80487597596
abuse-mailbox:  abuse@odessa.tv
admin-c:        GA-RIPE
admin-c:        WU-RIPE
admin-c:        WU-RIPE
mnt-ref:        RENOME-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

 

Host: files.pc-security-downloads.com
IP: 78.157.142.80

Whois:

inetnum:        78.157.142.0 - 78.157.142.255
netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.info
country:        LV
admin-c:        AV2990-RIPE
tech-c:         AV2990-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

person:         Arturs Vavilovs
address:        Riga
phone:          +371 29653077
e-mail:         admin@vdhost.info
nic-hdl:        AV2990-RIPE
mnt-by:         UN-MNT
source:         RIPE # Filtered

 

Host: sales.buy-antispyware-pro-xp.com
IP: 216.195.42.223

Whois:

OrgName:    APS Telecom
OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

Host: secure.paymentbit.net
IP: 216.195.56.175

Whois of paymentbit.net

Registrant:
         Joana Termon  (4epmck6ysxu@privateregistration.srsplus.com)
        Billing Group, Corp
        ATTN: paymentbit.net
        c/o SRSPlus Private Registration
        P.O. Box 447
        Herndon, VA 20172-0447
        570-708-8760

Domain Name: paymentbit.net

 

Whois of IP 216.195.56.175:

OrgName:    APS Telecom
OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

NetRange:   216.195.32.0 - 216.195.63.255
CIDR:       216.195.32.0/19
NetName:    APS-EPSI
NetHandle:  NET-216-195-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment:    send abuse issues to abuse@3fn.net, send network
Comment:    issue to noc@3fn.net
RegDate:    2003-11-05
Updated:    2004-09-17

RTechHandle: NSW-ARIN
RTechName:   Swen, Nash
RTechPhone:  +1-800-539-8209
RTechEmail:  noc@apxtelecom.com

OrgTechHandle: NSW-ARIN
OrgTechName:   Swen, Nash
OrgTechPhone:  +1-800-539-8209
OrgTechEmail:  noc@apxtelecom.com

Other sites:

1.  1softwarespot.com 
2.  Adult-billing.com 
3.  Bestsoftclub.com 
4.  Billhlp.com 
5.  Billingcenteronline.com 
6.  Billinghost.net 
7.  Billingintegrator.com 
8.  Billingmill.com 
9.  Billingserviceonline.com 
10.  Billingsquad.net 
11.  Billinternet.com 
12.  Billsvc.com 
13.  Customerhlp.com 
14.  Dopaymentsonline.com 
15.  Ebillingcenter.com 
16.  Fantazybill.com 
17.  Interbills.com 
18.  Justnetbilling.net 
19.  Legalbillingsystems.com 
20.  Mainbillingcenter.com 
21.  Megafixer.com 
22.  Orderhlp.com 
23.  Paymentbit.com 
24.  Paymentbit.net 
25.  Paymentforge.com 
26.  Safepaymentsonline.com 
27.  Softwbill.com 
28.  Spankyhosting.com 
29.  Support-wizard.com 
30.  Truebillingservices.com 

Antispyware PRO XP

DNS changer virus and commercial banner exchanger

Monday, November 17th, 2008

DNS changer virus: the trojan rewrites the infected host's DNS server settings so that lookups are answered by attacker-controlled resolvers. Stay away from the following IPs and domains!

To remove the DNS changer virus, use Cesam Anti-Malware http://cleanthe.net/how-to-remove-virus/

DNS Changer

File FlashPlayer.v..exe received on 11.17.2008 15:40:33 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.14.3 2008.11.17 -
AntiVir 7.9.0.31 2008.11.17 TR/DNSChanger.hkx
Authentium 5.1.0.4 2008.11.17 -
Avast 4.8.1281.0 2008.11.16 -
AVG 8.0.0.199 2008.11.17 -
BitDefender 7.2 2008.11.17 -
CAT-QuickHeal 10.00 2008.11.15 -
ClamAV 0.94.1 2008.11.17 -
DrWeb 4.44.0.09170 2008.11.17 -
eSafe 7.0.17.0 2008.11.16 -
eTrust-Vet 31.6.6210 2008.11.14 -
Ewido 4.0 2008.11.17 -
F-Prot 4.4.4.56 2008.11.17 -
F-Secure 8.0.14332.0 2008.11.17 -
Fortinet 3.117.0.0 2008.11.15 -
GData 19 2008.11.17 -
Ikarus T3.1.1.45.0 2008.11.17 -
K7AntiVirus 7.10.526 2008.11.15 -
Kaspersky 7.0.0.125 2008.11.17 -
McAfee 5436 2008.11.16 -
Microsoft 1.4104 2008.11.17 -
NOD32 3617 2008.11.17 a variant of Win32/Kryptik.BT
Norman 5.80.02 2008.11.14 -
Panda 9.0.0.4 2008.11.16 -
PCTools 4.4.2.0 2008.11.17 -
Rising 21.04.02.00 2008.11.17 -
SecureWeb-Gateway 6.7.6 2008.11.17 -
Sophos 4.35.0 2008.11.17 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.17 -
TheHacker 6.3.1.1.155 2008.11.15 -
TrendMicro 8.700.0.1004 2008.11.17 -
ViRobot 2008.11.17.1472 2008.11.17 -
VirusBuster 4.5.11.0 2008.11.16 -

Additional information
File size: 111051 bytes
MD5…: 7228ad946222e4323220402169b52755
SHA1..: 9e4c8906373344a12edf98d46aa2ace3eadc9068
SHA256: b1dd1c69c8f29e52cdf69e305569cc8872bc4403a84ab0b4c355fb1b50f32602
SHA512: cf8aa210256dad94abb1eacda2b1befc5e6670e59ed0c58200045a4f1583bcd0
7ded4742bcdfc94e43b395aa1623019fbfb9380d4e456ced15c8299ef2584528
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

DNS Changer

Host: porntube08.com
IP: 99.198.96.54

Whois:

OrgName:    SingleHop, Inc.
OrgID:      SINGL-8
Address:    223 West Jackson Street
Address:    Suite 1014
City:       Chicago
StateProv:  IL
PostalCode: 60606
Country:    US

NetRange:   99.198.96.0 - 99.198.127.255
CIDR:       99.198.96.0/19
OriginAS:   AS32475
NetName:    SINGLEHOP
NetHandle:  NET-99-198-96-0-1
Parent:     NET-99-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.SINGLEHOP.COM
NameServer: NS2.SINGLEHOP.COM
Comment:   
RegDate:    2008-08-14
Updated:    2008-08-14

RAbuseHandle: NETWO1546-ARIN
RAbuseName:   Network Operations
RAbusePhone:  +1-866-817-2811

Other sites:

1.  Porn-toube.com 
2.  Porntube08.com 
3.  Porntube09.com 
4.  Sex-toube.com 
5.  Sextoubi.com 

Host: pillsexpert.com
IP: 66.230.181.160

Rogue DNS 85.255.112.12 and 85.255.112.132

org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine
phone:          +380487311011
fax-no:         +380487502499
mnt-ref:        UKRTELE-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered
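A host-side check for the rogue resolvers named above, added here as an example (it is not code from the original post). It parses Windows `ipconfig /all` output or a resolv.conf file and flags any configured resolver that falls inside the listed rogue addresses, 85.255.112.12 and 85.255.112.132. The sample outputs are constructed, and the output-format parsing rules are assumptions; the page itself gives only the two addresses.

```python
"""Flag DNS resolvers that point at the rogue servers listed in the post.

Added example, not code from the original page. The ipconfig / resolv.conf
parsing rules and the sample inputs below are assumptions, not page content.
"""
import ipaddress
import platform
import re
import subprocess

# The two rogue resolvers listed in the post (UkrTeleGroup space), kept as
# networks so an operator can list a whole block instead of single hosts.
ROGUE_RESOLVERS = [
    ipaddress.ip_network("85.255.112.12/32"),
    ipaddress.ip_network("85.255.112.132/32"),
]

_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# "   DNS Servers . . . . . . . . . . . : 85.255.112.12"
_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(.*)$", re.I)
# "nameserver 85.255.112.132"
_NAMESERVER = re.compile(r"^\s*nameserver\s+(" + _IPV4_RE.pattern + r")", re.I)


def parse_ipconfig(text):
    """Return the DNS server addresses from `ipconfig /all` output (Windows).

    The first address sits on the 'DNS Servers' line; further addresses follow
    on indented continuation lines that carry no ' . . . :' field label.
    """
    servers = []
    in_dns = False
    for line in text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            in_dns = True
            servers.extend(_IPV4_RE.findall(m.group(1)))
            continue
        if in_dns and line[:1].isspace() and line.strip() and " . " not in line:
            servers.extend(_IPV4_RE.findall(line))  # continuation line
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return servers


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        m = _NAMESERVER.match(line)
        if m:
            servers.append(m.group(1))
    return servers


def find_rogue(servers, rogue=ROGUE_RESOLVERS):
    """Return the configured resolvers that fall inside a listed rogue network."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # not an address; ignore junk the parser let through
        if any(addr in net for net in rogue):
            hits.append(s)
    return hits


def check_host():
    """Read this machine's live resolver configuration and report rogue hits."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        servers = parse_ipconfig(out)
    else:
        with open("/etc/resolv.conf") as f:
            servers = parse_resolv_conf(f.read())
    return servers, find_rogue(servers)


# Constructed sample (not captured from a real infection): XP-style
# `ipconfig /all` output after the trojan has rewritten the DNS servers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.12
                                       85.255.112.132
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample resolv.conf with one legitimate and one rogue entry.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.168.1.1
nameserver 85.255.112.132
"""

if __name__ == "__main__":
    for name, servers in (("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG)),
                          ("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF))):
        print(name, servers, "rogue:", find_rogue(servers))
```

Run it as a script to check the constructed samples, or call `check_host()` on a suspect machine. A clean host configuration is not proof of a clean network: some DNS changer variants altered the DNS settings handed out by home routers over DHCP instead of the host's own, so the router's WAN DNS settings deserve the same comparison against the listed addresses.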

DNS Changer
