Posts Tagged ‘netdirect’

Antivirus 2009 rogue antivirus application

Tuesday, December 9th, 2008

Antivirus 2009 is a rogue antivirus application. To remove this rogue application, as well as other viruses and spyware, use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

File exclusivemovie.1212.exe received on 12.09.2008 17:22:30 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 TR/Dldr.Zlob.imk
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.09 -
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 Suspicious File
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.08 -
F-Secure 8.0.14332.0 2008.12.09 Trojan-Downloader.Win32.Agent.atlu
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 Trojan-Downloader.Win32.Agent.atlu
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 -
NOD32 3676 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 Malware Dropper
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 Trojan.Dldr.Zlob.imk
Sophos 4.36.0 2008.12.09 Troj/DwnLdr-HLR
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 Possible_DLDER
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 Dropper.Agent.66560.D
VirusBuster 4.5.11.0 2008.12.09 -
 
Additional information
File size: 66560 bytes
MD5...: e24b67c9e5f7bb2c9d1e15eafee9f329
SHA1..: 0b3c238fc6bdf8cd469bc377b4f5bfa3e23a705f
SHA256: 1df0e73f40d49e9497e39bb1931dab84606ba0e309b3a10b03e858ba029d194b
SHA512: 7ab32711fa2ab4a614248eb1e2e2d9a2887b3efddef261f85dea2caf9c0f063f001231816f8d59687827d35163dc832e5df6d1d5e7c57b00fcb13636fd3eab60
ssdeep: 1536:b9/+qo7X7Q1N4PpQ2iHzNb3vSkdaZcPvQRcCefymztRe:blJ0EIRQ2iJ5daiPvQR6qmhR
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

File InstallAVv_77100106.exe received on 12.09.2008 17:22:36 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 -
Authentium 5.1.0.4 2008.12.08 -
Avast 4.8.1281.0 2008.12.08 -
AVG 8.0.0.199 2008.12.09 Win32/Heur
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 Suspicious File
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.08 -
F-Secure 8.0.14332.0 2008.12.09 -
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 Trojan:Win32/FakeXPA
NOD32 3676 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 -
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 -
Sophos 4.36.0 2008.12.09 Sus/Behav-297
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 PAK_Generic.001
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 -
VirusBuster 4.5.11.0 2008.12.09 -
 
Additional information
File size: 90112 bytes
MD5...: c5135fdf2bd0cf512b034607cdaf3bde
SHA1..: 303bd94d484830cd729fb58bd7979152d13ab788
SHA256: bb22d1f01e882196c820cb6d528ecabde3fc23f6bbfe2b93477893022956402e
SHA512: a8d0cc17a38f9fb5e6fbfd0bce6df2780a6e6c154d4997455cf842c5fb93caaffa8d22902e6e3c8f89d39ce2418f98dd557ac927040f83977b9a22f4818082bb
ssdeep: 1536:M3q7VoagHfSTDFHVs9aur8It+Ah83mOxHIRp21OaBreBbMzXH8MV:Ma7VoaN/FHVQao88+wpT8MID
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

Host: allcooltubeshere.com
IP: 89.149.228.200

Whois:

netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de
nic-hdl:      WW200-RIPE
mnt-by:       NETDIRECT-MNT
source:       RIPE # Filtered

Other sites:

1) 69-tube-69.com
2) Megasexytube.com
3) Super-av-scanner.com

Host: codecdownload.allcleanfileshere.com
IP: 91.203.93.81

Whois:

netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de
nic-hdl:      WW200-RIPE
mnt-by:       NETDIRECT-MNT
source:       RIPE # Filtered

Other sites:

1)  3d-softportal.com
2) 3d-softportal.net
3) Allfilesherefordownload.com

Host: advancedproscan.com
IP: 69.10.44.207

Whois:
 
Interserver, Inc INTERSERVER

 
Host: protectedpaymentsite.com
IP: 209.8.45.117

Whois:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

 
Host: microsoft.protectionsoftwaredownload.com
IP: 89.149.241.106

Whois:

inetnum:        89.149.241.0 - 89.149.244.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
 
Host: softwareservicebilling.com
IP: 63.219.177.214

Whois:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

Antivirus 2009 rogue antivirus application

Thursday, December 4th, 2008

Antivirus 2009 is a rogue antivirus application. To remove this rogue application, as well as other viruses and spyware, use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

File moviecodec.0.exe received on 12.04.2008 18:16:47 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.5.0 2008.12.04 -
AntiVir 7.9.0.36 2008.12.04 -
Authentium 5.1.0.4 2008.12.04 -
Avast 4.8.1281.0 2008.12.03 -
AVG 8.0.0.199 2008.12.04 -
BitDefender 7.2 2008.12.04 -
CAT-QuickHeal 10.00 2008.12.04 -
ClamAV 0.94.1 2008.12.04 -
DrWeb 4.44.0.09170 2008.12.04 -
eSafe 7.0.17.0 2008.12.04 Suspicious File
eTrust-Vet 31.6.6243 2008.12.04 -
Ewido 4.0 2008.12.04 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.04 -
Fortinet 3.117.0.0 2008.12.04 -
GData 19 2008.12.04 -
Ikarus T3.1.1.45.0 2008.12.04 -
K7AntiVirus 7.10.543 2008.12.04 -
Kaspersky 7.0.0.125 2008.12.04 -
McAfee 5453 2008.12.03 -
McAfee+Artemis 5453 2008.12.03 -
Microsoft 1.4205 2008.12.04 -
NOD32 3664 2008.12.04 -
Norman 5.80.02 2008.12.04 -
Panda 9.0.0.4 2008.12.04 -
PCTools 4.4.2.0 2008.12.04 -
Prevx1 V2 2008.12.04 Cloaked Malware
Rising 21.06.32.00 2008.12.04 -
SecureWeb-Gateway 6.7.6 2008.12.04 Win32.LooksLike.NewMalware
Sophos 4.36.0 2008.12.04 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.04 -
TheHacker 6.3.1.2.174 2008.12.04 -
TrendMicro 8.700.0.1004 2008.12.04 Possible_DLDER
VBA32 3.12.8.10 2008.12.03 -
ViRobot 2008.12.4.1500 2008.12.04 -
VirusBuster 4.5.11.0 2008.12.04 -
 
Additional information
File size: 46592 bytes
MD5...: 08bd3afc04279b3b7b1ebf82e1977bc8
SHA1..: 48088f9c906799d1480ec7a6ab30b2e3cee9d23b
SHA256: 40b66f5a76cac3fd00cd8851fa2d16bcd72d7f994f2c89b66446653f8da5734e
SHA512: e09422a42a23f4104ce8ddb6398604db8026e7b59f7300612385a477e4a567d0f27da7cad813c47eae9cf4237d109dc2684ecffd590a7b2f823157673db9528e
ssdeep: 768:nQ1YAFwAMymshqm6KbPm16ywH1b+xYangrN5HyPvReTicTXQ:QHwa7ZBrHH1bDiHRKTX
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A5E2B670000F3CA3B690009DB57617009E862E4C
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=08bd3afc04279b3b7b1ebf82e1977bc8

File InstallAVv_77100102.exe received on 12.04.2008 18:16:58 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.5.0 2008.12.04 -
AntiVir 7.9.0.36 2008.12.04 -
Authentium 5.1.0.4 2008.12.04 -
Avast 4.8.1281.0 2008.12.03 -
AVG 8.0.0.199 2008.12.04 FakeAlert.DC
BitDefender 7.2 2008.12.04 -
CAT-QuickHeal 10.00 2008.12.04 -
ClamAV 0.94.1 2008.12.04 -
DrWeb 4.44.0.09170 2008.12.04 -
eSafe 7.0.17.0 2008.12.04 Suspicious File
eTrust-Vet 31.6.6243 2008.12.04 -
Ewido 4.0 2008.12.04 -
F-Prot 4.4.4.56 2008.12.04 -
F-Secure 8.0.14332.0 2008.12.04 -
Fortinet 3.117.0.0 2008.12.04 -
GData 19 2008.12.04 -
Ikarus T3.1.1.45.0 2008.12.04 -
K7AntiVirus 7.10.543 2008.12.04 -
Kaspersky 7.0.0.125 2008.12.04 -
McAfee 5453 2008.12.03 -
McAfee+Artemis 5453 2008.12.03 -
Microsoft 1.4205 2008.12.04 Trojan:Win32/FakeXPA
NOD32 3664 2008.12.04 -
Norman 5.80.02 2008.12.04 -
Panda 9.0.0.4 2008.12.04 -
PCTools 4.4.2.0 2008.12.04 -
Prevx1 V2 2008.12.04 -
Rising 21.06.32.00 2008.12.04 -
SecureWeb-Gateway 6.7.6 2008.12.04 -
Sophos 4.36.0 2008.12.04 Mal/FakeAV-I
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.04 -
TheHacker 6.3.1.2.174 2008.12.04 -
TrendMicro 8.700.0.1004 2008.12.04 -
VBA32 3.12.8.10 2008.12.03 -
ViRobot 2008.12.4.1500 2008.12.04 -
VirusBuster 4.5.11.0 2008.12.04 -
 
Additional information
File size: 92160 bytes
MD5...: fee0e37423003b91f88e7de59315227e
SHA1..: 4cbd05efbe9d15623f2b158c05401094df870514
SHA256: b8d3d3cba90b31c116110299572e1a2c40e762cd0a77228d0807e0e73ccfac59
SHA512: 27da0d7c08f9a96f9306300cb5e08d71175829dbc07e7d944fba449ca52b4e7f404022f0b6cd43d565e6517d8eb1cf6ae3e1926bc9532a0d74c04eb7c7282cc8
ssdeep: 1536:0JDgM6NUzcNmsV96njEknHzzSiAUtuevce7SeovDLkWxOEY3q7VoagHf:0JMXazsmsVIjxaMvce7Se4kW4Xa7Voa
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)

Host: cool-porntube.com
IP: 74.50.117.68

Whois:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

Other sites on this IP:


Host: codecdownload.allfilesherefordownload.com
IP: 91.203.93.81

Whois:

netname:        ZHITOMIR-NET
descr:          pool for co-location customers
country:        UA
admin-c:        ML7676-RIPE
tech-c:         ML7676-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT

Host: antivirus-bestscanner.com
IP: 64.20.38.90

Whois:

OrgName:    Interserver, Inc
OrgID:      INTER-83
Address:    110 Meadowlands Pkwy
Address:    1st Floor
City:       Secaucus
StateProv:  NJ
PostalCode: 07094
Country:    US

 

Host: secured-download.com
IP: 89.149.195.60

Whois:

netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822

Host: digipayments-soft.com
IP: 69.10.44.207

Whois:

OrgName:    Interserver, Inc
OrgID:      INTER-83
Address:    110 Meadowlands Pkwy
Address:    1st Floor
City:       Secaucus
StateProv:  NJ
PostalCode: 07094
Country:    US

ReferralServer: rwhois://rwhois.trouble-free.net:4321

NetRange:   69.10.32.0 - 69.10.63.255
CIDR:       69.10.32.0/19
NetName:    INTERSERVER
NetHandle:  NET-69-10-32-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS.TROUBLE-FREE.NET
NameServer: DNS2.TROUBLE-FREE.NET
Comment:    Please use  for all abuse reports
RegDate:    2007-04-11
Updated:    2008-03-19

 
Host: protectionpaymentsite.com
IP: 207.226.175.117

Whois for protectionpaymentsite.com

Domain Name: PROTECTIONPAYMENTSITE.COM

Registrant:
    N/A
    Viktor Temchenko        (temchenkoviktor@googlemail.com)
    Pr. Geroev Tryda
    Kharkov
    Kharkiv Oblast,01001
    UA
    Tel. +380.936328480

Creation Date: 03-Nov-2008
Expiration Date: 03-Nov-2009

Domain servers in listed order:
    erdomain.mars.orderbox-dns.com
    erdomain.earth.orderbox-dns.com
    erdomain.venus.orderbox-dns.com
    erdomain.mercury.orderbox-dns.com
Administrative Contact:
    N/A
    Viktor Temchenko        (temchenkoviktor@googlemail.com)
    Pr. Geroev Tryda
    Kharkov
    Kharkiv Oblast,01001
    UA
    Tel. +380.936328480

Technical Contact:
    N/A
    Viktor Temchenko        (temchenkoviktor@googlemail.com)
    Pr. Geroev Tryda
    Kharkov
    Kharkiv Oblast,01001
    UA
    Tel. +380.936328480

Billing Contact:
    N/A
    Viktor Temchenko        (temchenkoviktor@googlemail.com)
    Pr. Geroev Tryda
    Kharkov
    Kharkiv Oblast,01001
    UA
    Tel. +380.936328480

 
Whois for IP 207.226.175.117 :

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

NetRange:   207.226.0.0 - 207.226.255.255
CIDR:       207.226.0.0/16
NetName:    BTN-CIDR3
NetHandle:  NET-207-226-0-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.CAIS.COM
NameServer: NS2.CAIS.COM
Comment:    Rwhois information on assignments from this block available from
Comment:    rwhois.cais.net 4321
RegDate:    1996-10-16
Updated:    2004-11-12

 

Fake Codec - changing your Google sponsored links

Saturday, September 13th, 2008

Fake Codec - changes your Google sponsored links. Stay away from the following sites and use Kaspersky to remove this malware: http://cleanthe.net/how-to-remove-virus/

File Setup_v.2.123.exe received on 09.12.2008 17:09:20 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 -
Authentium 5.1.0.4 2008.09.12 -
Avast 4.8.1195.0 2008.09.12 -
AVG 8.0.0.161 2008.09.12 -
BitDefender 7.2 2008.09.12 -
CAT-QuickHeal 9.50 2008.09.12 -
ClamAV 0.93.1 2008.09.12 -
DrWeb 4.44.0.09170 2008.09.12 -
eSafe 7.0.17.0 2008.09.11 -
eTrust-Vet 31.6.6086 2008.09.12 -
Ewido 4.0 2008.09.12 -
F-Prot 4.4.4.56 2008.09.12 -
F-Secure 8.0.14332.0 2008.09.12 -
Fortinet 3.113.0.0 2008.09.12 -
GData 19 2008.09.12 -
Ikarus T3.1.1.34.0 2008.09.12 Trojan-Dropper.Win32.Cefyns.A
K7AntiVirus 7.10.453 2008.09.12 -
Kaspersky 7.0.0.125 2008.09.12 -
McAfee 5382 2008.09.11 -
Microsoft 1.3903 2008.09.12 TrojanDropper:Win32/Cefyns.A
NOD32v2 3437 2008.09.12 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.12 Suspicious file
PCTools 4.4.2.0 2008.09.12 -
Prevx1 V2 2008.09.12 -
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.12 -
Sunbelt 3.1.1628.1 2008.09.12 -
Symantec 10 2008.09.12 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.12 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.12 -
Webwasher-Gateway 6.6.2 2008.09.12 -
 
Additional information
File size: 208896 bytes
MD5...: ca884dd69ed8b9f48d89445ee35bda42
SHA1..: a5ff24086df04c6db79acf7a69eebe23c1be099a
SHA256: 574f8810e4b808426029df7b862fb0973aac91b6e01470b940daeed042b470b9
SHA512: 1bd59818b3dac1b37f53672b17891316709e45e31f842f890d978206f8e5c45ea9bfeb2f5713e4cbd845303272c43570c3a4d30502d4013c4eea3c3eb492a81a
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4034d0
timedatestamp.....: 0x48a44c8a (Thu Aug 14 15:17:30 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x265c 0x3000 5.37 9becb55336a9a57df422ed84a868273e
.rdata 0x4000 0x606 0x1000 2.34 f40126a0a2f1aa7c5eedb23943f61c2a
.data 0x5000 0x2d660 0x2e000 7.88 44be5e43e6fd9de2d6001754dbd4013e

( 5 imports )
> KERNEL32.dll: CreateFileA, lstrlenA, GetTempPathA, FindAtomA, GetCurrentThread, GetConsoleTitleA, DeleteFileA, lstrcatA, ExitProcess, CreateProcessA, WriteFile, GetLocalTime, GetTempFileNameA, lstrcpyA, GetShortPathNameA, GetModuleFileNameA, MoveFileExA, MoveFileA, GetModuleHandleA, GetSystemDirectoryA, FreeLibrary, GetProcAddress, LoadLibraryA, CreateDirectoryA, SystemTimeToFileTime, CloseHandle, GetTickCount, SetFileTime, lstrcpynA, GetStartupInfoA
> ADVAPI32.dll: RegSetValueExA, GetUserNameA, RegCreateKeyA, RegCloseKey
> USER32.dll: GetCursor, GetDC, GetClassLongA, IsWindowVisible
> SHELL32.dll: SHGetSpecialFolderPathA
> MSVCRT.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, memset, __2@YAPAXI@Z, strlen, exit, _exit, _XcptFilter, _acmdln, __getmainargs, _initterm, __setusermatherr

( 0 exports )

Host: yourlizsite.com
IP: 89.149.220.184

Whois:

netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirect.de

Other sites in this IP:


Host: xmlsucker.com
IP: 69.31.129.122

Whois

OrgName:    nLayer Communications, Inc.
OrgID:      NLAYE
Address:    209 W. Jackson Blvd
Address:    Suite 700
City:       Chicago
StateProv:  IL
PostalCode: 60606-6936
Country:    US

OrgAbuseHandle: NAD4-ARIN
OrgAbuseName:   nLayer Abuse Department
OrgAbusePhone:  +1-312-698-4800
OrgAbuseEmail:  abuse@nlayer.net

 

Other sites in this IP:

1.  Vsvs.biz 
2.  Vsvs.org 
3.  Xmlsucker.com 

Host: gremit.com
IP: 66.232.97.19

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US
RAbuseHandle: NAA7-ARIN
RAbuseName:   Noc4Hosts Abuse Admin
RAbusePhone:  +1-877-801-1443
RAbuseEmail:   abise@noc4host.com

 

Other sites in this IP:

1.  Gremit.com 
2.  Ini7.com 
3.  Prolnx.info 
4.  Rtlinkx.com 
5.  Updatersys.com 

Antivirus 2009 rogue antivirus application

Monday, September 8th, 2008

Antivirus 2009 is a rogue antivirus application. Stay away from Antivirus 2009 domains and products!

File AV2009Install_880649.exe received on 09.08.2008 18:45:39 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.08 -
AntiVir 7.8.1.28 2008.09.08 -
Authentium 5.1.0.4 2008.09.07 -
Avast 4.8.1195.0 2008.09.08 -
AVG 8.0.0.161 2008.09.08 -
BitDefender 7.2 2008.09.08 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.08 -
DrWeb 4.44.0.09170 2008.09.08 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6077 2008.09.08 -
Ewido 4.0 2008.09.08 -
F-Prot 4.4.4.56 2008.09.07 -
F-Secure 8.0.14332.0 2008.09.08 -
Fortinet 3.112.0.0 2008.09.08 -
GData 19 2008.09.08 -
Ikarus T3.1.1.34.0 2008.09.08 -
K7AntiVirus 7.10.446 2008.09.08 -
Kaspersky 7.0.0.125 2008.09.08 -
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.08 -
NOD32v2 3426 2008.09.08 -
Norman 5.80.02 2008.09.08 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.08 -
Prevx1 V2 2008.09.08 Fraudulent Security Program
Rising 20.61.02.00 2008.09.08 -
Sophos 4.33.0 2008.09.08 -
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.08 AntiVirus2009
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.08 Cryp_FakeAV
VBA32 3.12.8.5 2008.09.08 -
ViRobot 2008.9.8.1367 2008.09.08 -
VirusBuster 4.5.11.0 2008.09.08 -
Webwasher-Gateway 6.6.2 2008.09.08 -
 
Additional information
File size: 137728 bytes
MD5...: b19cfc63fdcf283dc6e5f26f6726fa96
SHA1..: 44bb199f182e705800031c260442ef35e1d198cb
SHA256: 761c6f0a360787fc35c82fe1c1dbfd39026b13df3bf67cd34387edfd66b7fb78
SHA512: 0cf1139157a81ccb31f02911f45e3b5ad9f31c04b7a7d716c4711f9a73936827f8f18c0dc6f53227520c5831118492eb1efa00fba48fdb9408c039955e4e3ad1
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4013a8
timedatestamp.....: 0x45b1e5ac (Sat Jan 20 09:49:32 2007)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8544 0x8600 0.76 c8ffc38a92209561fcbbdc27762392ab
.data 0xa000 0x208544f 0x12600 6.43 41e5046c031bbc6314372b49563a394d
.tls 0x2090000 0x98 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x2091000 0x818 0xa00 0.06 18861ad1353611b05ac3d34f4d040790
.idata 0x2092000 0x88a 0xa00 2.92 4595dacaa944dc978a1109fc16d64cd7
.reloc 0x2093000 0x6c7 0x800 0.00 c99a74c555371a433d121f551d6c6398
.rsrc 0x2094000 0x4983 0x4a00 4.87 6018c49da28d8a40d60c05e6fa332977

( 3 imports )
> KERNEL32.DLL: GlobalFree, Sleep, GetLastError, SetLastError, OpenFile, WriteFile, DeleteAtom, GetFileTime, CreateProcessA, DeleteFileW, GetCommandLineA, GetComputerNameA, GetConsoleMode, ExitThread, GetCPInfo, OpenFileMappingA, FindFirstFileA, ReadFile, CreateThread, ReadConsoleA, DeleteFileA, GetFileSize, GetStdHandle, FindAtomA
> USER32.DLL: EndDialog, CopyRect, IsWindow, DrawTextA, LoadMenuA, IsMenu, DialogBoxParamA, CloseWindow
> COMCTL32.DLL: ImageList_AddIcon, ImageList_Create, DrawStatusText, InitCommonControls, CreateStatusWindow, ImageList_Copy, CreateStatusWindowW

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=D7629DD7002CD5541AA0028FCE8DB500CA8954E0

Host: megatradetds0.com
IP: 89.18.166.210

Whois of IP 89.18.166.210 distributing rogue antivirus Antivirus 2009:

route:          89.18.160.0/19
descr:          Reasonnet Route Object
origin:         AS25525
mnt-by:         MNT-REASONNET
source:         RIPE # Filtered

Host: freeonlinescanner9.com
IP: 89.149.209.251

Whois:

org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

 
Host: altawebgl-500.com
IP: 89.149.209.251

Whois:

org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: masterspitetds09.com
IP: 89.149.209.251

Whois:

org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: winupdates-server.com
IP: 89.18.189.44

Whois:

netname:        PCEXTREME
descr:          PCextreme BVV
country:        NL
admin-c:        PB8076-RIPE
tech-c:         PB8076-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PCEXTREME
mnt-by:         MNT-REASONNET
mnt-routes:     MNT-REASONNET
source:         RIPE # Filtered

role:           PCextreme BV
address:        Londensekaai 1
address:        4331JG Middelburg
address:        The Netherlands
abuse-mailbox:  abuse@pcextreme.nl

Host: trustedpaymenssite.com
IP: 89.149.209.251

Whois:

org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: secure.innovagest2000sl.com
IP: 207.226.175.126

Whois of IP 207.226.175.126 selling rogue antivirus Antivirus 2009:

OrgName: Beyond The Network America, Inc.
OrgID: BNA-42
Address: 450 Springpark PL
Address: Suite 100
City: Herdon
StateProv: VA
PostalCode: 20170
Country: US

Antivirus XP 2008 rogue antivirus software

Saturday, August 30th, 2008

Antivirus XP 2008 is rogue antivirus software. Stay away from Antivirus XP 2008 domains and products!

File HDVideoCodec_ver1.5000.0.exe received on 08.30.2008 14:57:09 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 TR/Dldr.Zlob.Gen
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.30 -
AVG 8.0.0.161 2008.08.29 -
BitDefender 7.2 2008.08.30 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.08.30 -
DrWeb 4.44.0.09170 2008.08.30 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.30 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.30 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.08.30 -
GData 19 2008.08.30 -
Ikarus T3.1.1.34.0 2008.08.30 -
K7AntiVirus 7.10.432 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.30 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 -
Panda 9.0.0.4 2008.08.30 -
PCTools 4.4.2.0 2008.08.30 -
Prevx1 V2 2008.08.30 -
Rising 20.59.51.00 2008.08.30 -
Sophos 4.33.0 2008.08.30 -
Sunbelt 3.1.1592.1 2008.08.29 -
Symantec 10 2008.08.30 -
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.30 -
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.29 -
Webwasher-Gateway 6.6.2 2008.08.29 Trojan.Dldr.Zlob.Gen
 
Additional information
File size: 73744 bytes
MD5...: b80faf46733fbfbe1d159da5d8f42ced
SHA1..: e9233af85800bedd8f5cbdae7cb46d5389455f39
SHA256: 6700703bb1348b4a938d22db9e355e8383e116739172389b811dd71b74b41e7c
SHA512: 5157cabad81628b8f532600141a85ee1cdbc95931503625794008773a22765c45071d3b8c3417219519c12fe321a5026759d5aead52a4b5a645cfc318c9afbd5
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403ce0
timedatestamp.....: 0x48b935aa (Sat Aug 30 11:57:30 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9c1e 0xa000 6.55 426a8a8c28538887181747a80f185d44
.rdata 0xb000 0x40a4 0x5000 4.60 0df3cca6910ced4c5d481372ce4177cf
.data 0x10000 0x1858 0x1000 2.36 4a0eaf8806525a0b8f7014f49641c452
.rsrc 0x12000 0xb0 0x1000 3.06 3d3a7a1efbcbff194582c5f5e1ecfd75

( 2 imports )
> KERNEL32.dll: HeapAlloc, GetProcessHeap, LoadLibraryA, GetProcAddress, SetLastError, FreeLibrary, GetVersionExA, HeapFree, GetLastError, GetCurrentProcess, lstrlenA, lstrcatA, GetCurrentThread, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetModuleHandleA, TlsGetValue, TlsSetValue, GetCurrentThreadId, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, LeaveCriticalSection, EnterCriticalSection, ExitProcess, Sleep, GetLocaleInfoA, InitializeCriticalSection, WriteFile, GetStdHandle, GetModuleFileNameA, VirtualFree, VirtualAlloc, HeapReAlloc, RtlUnwind, RaiseException
> USER32.dll: wsprintfA

( 0 exports )

File scan.exe received on 08.30.2008 14:59:04 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 -
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.30 -
AVG 8.0.0.161 2008.08.29 -
BitDefender 7.2 2008.08.30 -
CAT-QuickHeal 9.50 2008.08.29 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.30 -
DrWeb 4.44.0.09170 2008.08.30 -
eSafe 7.0.17.0 2008.08.28 Suspicious File
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.30 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.30 -
Fortinet 3.14.0.0 2008.08.30 -
GData 19 2008.08.30 -
Ikarus T3.1.1.34.0 2008.08.30 -
K7AntiVirus 7.10.432 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.30 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 W32/Tibs.gen226
Panda 9.0.0.4 2008.08.30 -
PCTools 4.4.2.0 2008.08.30 -
Prevx1 V2 2008.08.30 -
Rising 20.59.51.00 2008.08.30 -
Sophos 4.33.0 2008.08.30 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.08.30 -
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.30 -
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.29 -
Webwasher-Gateway 6.6.2 2008.08.29 -
 
Additional information
File size: 50688 bytes
MD5...: 6b32a74fbc1f2b9bd5a9c86bb52427c5
SHA1..: 2803dc43b49ce31c3de54041b1b0cc42adef359c
SHA256: 4251140a5fd688fcd5cb395a93a7ee6efc2c01c346f3f97d53415643a88901ac
SHA512: c6843d1cb69d7be1bfa7508035b5df0ba9076945caaabceaba8f25ff0977a68f23ddfbc1e50e4c25984f403266f66222c8b061b6331c318de60ac239ea0b2fc4
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402258
timedatestamp.....: 0x48a5bf02 (Fri Aug 15 17:38:10 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xae44 0x7800 7.99 4e6ad154cd9fc2335c847ee81b7f2bbe
.rdata 0xc000 0x3200 0x1800 7.96 a1f8cd5bfc1d48e52b4f7b3cb6b9a519
.data 0x10000 0xbea 0x200 7.57 2e1f36802fe10ad3a411ab12b550cfb3
.rsrc 0x11000 0xf000 0x3000 6.62 aaae96e43c99de829c0a0e495f4dc23c

( 4 imports )
> gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable
> wsock32.dll: bind, WSAStartup, listen
> kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect
> shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA

( 0 exports )

Antivirus XP 2008

Host: directcubeone.net
IP: 78.157.143.217

Other sites on IP 78.157.143.217 distributing the rogue antivirus Antivirus XP 2008:

1.  Hqsextube08.com 
2.  Hqvideoporn.com 
3.  Myadultcube.com 
4.  Mydirectcube.com 
5.  Mydirecttube.com 
6.  Pornotube8.net 
7.  Tube28.net 
8.  Adultvideotubes.net 
9.  Dasongs.net 
10.  Directcubeone.net 
11.  Directcubetwo.net 
12.  Pornotube30.net 
13.  Tube40.net 

Host: www.avxp-2008.net
IP:  78.159.99.79

Whois of IP 78.159.99.79 distributing the rogue antivirus Antivirus XP 2008:

org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: secure.innovagest2000sl.com
IP: 207.226.175.126

Whois of IP 207.226.175.126 selling the rogue antivirus Antivirus XP 2008:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

Antivirus XP 2008

 

Antivirus XP 2008 rogue antivirus application

Saturday, August 30th, 2008

Antivirus XP 2008 is a rogue antivirus application. Stay away from it and from the following IPs and hosts.

Antivirus XP 2008

File scan.exe received on 08.30.2008 13:06:52 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 -
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.29 -
AVG 8.0.0.161 2008.08.29 -
BitDefender 7.2 2008.08.30 -
CAT-QuickHeal 9.50 2008.08.29 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.30 -
DrWeb 4.44.0.09170 2008.08.29 -
eSafe 7.0.17.0 2008.08.28 Suspicious File
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.30 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.30 -
Fortinet 3.14.0.0 2008.08.30 -
GData 19 2008.08.30 -
Ikarus T3.1.1.34.0 2008.08.30 -
K7AntiVirus 7.10.432 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.30 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 W32/Tibs.gen226
Panda 9.0.0.4 2008.08.30 -
PCTools 4.4.2.0 2008.08.29 -
Prevx1 V2 2008.08.30 -
Rising 20.59.51.00 2008.08.30 -
Sophos 4.33.0 2008.08.30 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.08.30 -
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.29 -
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.29 -
Webwasher-Gateway 6.6.2 2008.08.29 -
 
Additional information
File size: 50688 bytes
MD5..: 41442666798fc30da033359d7b475f05
SHA1..: f90a719b602e458bf14e24784daa6fd436e775d0
SHA256: 184051c2fd18c6f0103671636e7a5004342b00d603da999cce25fea67ebba545
SHA512: 1228785b2b6e1876f6951e1c0e671a9cfd21a62624ef6c5fc05a1869676b934c0167f62212e14d9719a1f42c355f1b2017e47d7304bfcbd1811675dd39751e80
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402171
timedatestamp.....: 0x48a5bf02 (Fri Aug 15 17:38:10 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xaf88 0x7800 7.99 f8e711fcb67ea390b2a9b7289be108b2
.rdata 0xc000 0x3736 0x1800 7.97 ce8c17d698c01066abff96217b5541f6
.data 0x10000 0xe2c 0x200 7.58 2b86b9c461a62aed54d73f43b4f491f3
.rsrc 0x11000 0xf000 0x3000 6.62 d440a5c0c81f823115e0ada3b96fa6cb

( 4 imports )
> gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable
> wsock32.dll: bind, WSAStartup, listen
> kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect
> shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA

( 0 exports )
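The two scan.exe reports above (received 14:59 and 13:06 on 08.30.2008) share a PE timestamp and an identical section layout but differ in every section hash and in their entry points, and each has near-maximal entropy in its code section. The following script, an added example and not part of the original post, parses the section tables and a detection-table excerpt copied from those two reports and turns these observations into checks: packing indicators, timestamp decoding, a "same build, repacked" comparison and a detection count. The data strings are copied from the reports; the function names and thresholds are mine.

```python
"""Static triage of the two scan.exe reports: section-table heuristics,
PE timestamp decoding and detection counting. Added example; the data
strings are copied from the page, the helper names are mine."""
from datetime import datetime, timezone

# Section tables copied from the two reports: name, virtual address,
# virtual size, raw size, entropy, MD5.
SECTIONS_A = """\
.text 0x1000 0xae44 0x7800 7.99 4e6ad154cd9fc2335c847ee81b7f2bbe
.rdata 0xc000 0x3200 0x1800 7.96 a1f8cd5bfc1d48e52b4f7b3cb6b9a519
.data 0x10000 0xbea 0x200 7.57 2e1f36802fe10ad3a411ab12b550cfb3
.rsrc 0x11000 0xf000 0x3000 6.62 aaae96e43c99de829c0a0e495f4dc23c"""
SECTIONS_B = """\
.text 0x1000 0xaf88 0x7800 7.99 f8e711fcb67ea390b2a9b7289be108b2
.rdata 0xc000 0x3736 0x1800 7.97 ce8c17d698c01066abff96217b5541f6
.data 0x10000 0xe2c 0x200 7.58 2b86b9c461a62aed54d73f43b4f491f3
.rsrc 0x11000 0xf000 0x3000 6.62 d440a5c0c81f823115e0ada3b96fa6cb"""
TIMESTAMP = 0x48a5bf02  # identical in both reports

# Excerpt (6 of the 36 engines) of the first report's detection table.
VT_EXCERPT = """\
AhnLab-V3 2008.8.29.0 2008.08.29 -
CAT-QuickHeal 9.50 2008.08.29 (Suspicious) - DNAScan
eSafe 7.0.17.0 2008.08.28 Suspicious File
Kaspersky 7.0.0.125 2008.08.30 -
Norman 5.80.02 2008.08.29 W32/Tibs.gen226
Symantec 10 2008.08.30 -"""


def parse_sections(table):
    """One dict per section; hex fields are converted to int."""
    rows = []
    for line in table.splitlines():
        name, va, vsize, rawsize, entropy, md5 = line.split()
        rows.append({"name": name, "va": int(va, 16), "vsize": int(vsize, 16),
                     "rawsize": int(rawsize, 16), "entropy": float(entropy),
                     "md5": md5})
    return rows


def packing_indicators(sections, threshold=7.0):
    """Heuristics, not proof: a code section near 8 bits/byte of entropy holds
    compressed or encrypted data, and a section whose virtual size exceeds its
    raw size is filled in at run time, which is what an unpacking stub does
    (compare the VirtualProtect import in both reports)."""
    high_entropy = [s["name"] for s in sections if s["entropy"] >= threshold]
    grows = [s["name"] for s in sections if s["vsize"] > s["rawsize"]]
    return {"high_entropy": high_entropy, "grows_in_memory": grows}


def pe_timestamp(raw):
    """The PE header timestamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(raw, tz=timezone.utc)


def same_build_repacked(a, b):
    """True when section names, virtual addresses and raw sizes match but the
    section contents differ: the pattern left by pushing one build through a
    polymorphic packer twice."""
    if [s["name"] for s in a] != [s["name"] for s in b]:
        return False
    layout_same = all(x["va"] == y["va"] and x["rawsize"] == y["rawsize"]
                      for x, y in zip(a, b))
    contents_differ = any(x["md5"] != y["md5"] for x, y in zip(a, b))
    return layout_same and contents_differ


def detections(table):
    """Engines whose result column is anything but '-'. The result may itself
    contain spaces and a lone '-' (e.g. '(Suspicious) - DNAScan'), so split on
    at most three whitespace runs and compare the remainder as a whole."""
    hits = {}
    for line in table.splitlines():
        engine, _version, _update, result = line.split(None, 3)
        if result.strip() != "-":
            hits[engine] = result
    return hits


if __name__ == "__main__":
    a, b = parse_sections(SECTIONS_A), parse_sections(SECTIONS_B)
    print("packing indicators:", packing_indicators(a))
    print("built:", pe_timestamp(TIMESTAMP).strftime("%Y-%m-%d %H:%M:%S UTC"))
    print("repacked variant of the same build:", same_build_repacked(a, b))
    hits = detections(VT_EXCERPT)
    print(f"{len(hits)} of {len(VT_EXCERPT.splitlines())} engines flagged it:", hits)
```

On the full 36-engine table above, three engines (CAT-QuickHeal, eSafe, Norman) report anything at all for this sample, which is why hash-based blocking alone is weak against a repacked rogue; the section-layout comparison is what links the two scan.exe variants.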

Antivirus XP 2008

Host: www.avxp-2008.net
IP: 78.159.96.16

Whois of IP 78.159.96.16 distributing the rogue antivirus Antivirus XP 2008:

org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: stat.avxp-2008.net
IP: 78.159.96.16

Whois of IP 78.159.96.16 distributing the rogue antivirus Antivirus XP 2008:

org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: secure.innovagest2000sl.com
IP: 207.226.175.126

Whois of IP 207.226.175.126 selling the rogue antivirus Antivirus XP 2008:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

Antivirus XP 2008


 

Antivirus 2009 rogue antivirus application

Tuesday, August 26th, 2008

Antivirus 2009 is a rogue antivirus application. Here are some fake scanning pages of Antivirus 2009.

Antivirus 2009

File AV2009Install_12345.exe received on 08.26.2008 17:13:42 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.26 -
AntiVir 7.8.1.23 2008.08.26 -
Authentium 5.1.0.4 2008.08.26 -
Avast 4.8.1195.0 2008.08.26 -
AVG 8.0.0.161 2008.08.26 -
BitDefender 7.2 2008.08.26 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.26 -
DrWeb 4.44.0.09170 2008.08.26 -
eSafe 7.0.17.0 2008.08.26 -
eTrust-Vet 31.6.6049 2008.08.26 -
Ewido 4.0 2008.08.26 -
F-Prot 4.4.4.56 2008.08.26 -
Fortinet 3.14.0.0 2008.08.26 -
GData 19 2008.08.26 -
Ikarus T3.1.1.34.0 2008.08.26 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.26 -
McAfee 5369 2008.08.25 FakeAlert-AB.dldr.gen
Microsoft 1.3807 2008.08.25 -
NOD32v2 3389 2008.08.26 -
Norman 5.80.02 2008.08.26 -
Panda 9.0.0.4 2008.08.25 -
PCTools 4.4.2.0 2008.08.26 -
Prevx1 V2 2008.08.26 Malicious Software
Rising 20.59.11.00 2008.08.26 -
Sophos 4.32.0 2008.08.26 -
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.26 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.26 -
VBA32 3.12.8.4 2008.08.25 -
ViRobot 2008.8.26.1350 2008.08.26 -
VirusBuster 4.5.11.0 2008.08.26 -
Webwasher-Gateway 6.6.2 2008.08.26 -
 
Additional information
File size: 133120 bytes
MD5..: 0c0b43584f3522e6a2023833a5af1a9a
SHA1..: 310eee277788abc1cc2b50e6a678ff0b9ea6ab76
SHA256: 1006ce988a192b3a32fb09e1d1c7ed86e2468f8c75cfe3b0303a8b9e0bd89673
SHA512: e5d415f97688c482700be200e92f2a0dd56a0a7bb4e9b939ea1804599e65ef02b536863bb3e43142019d2c59a010c2c8c991a376f424c4bf8580d077afa02a09
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4013a6
timedatestamp.....: 0x4583dcbc (Sat Dec 16 11:47:08 2006)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6536 0x6600 0.96 ad80882966d6133320105996886e5b23
.data 0x8000 0x101945c 0x12600 6.42 9badb4aca48c35245bfcaad314a2788f
.tls 0x1022000 0x66 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x1023000 0x218 0x400 0.16 611d2fdd742169c02e37e972b55b3bc5
.idata 0x1024000 0x727 0x800 3.74 9d536a158c847a1065dccc01ffaff143
.rsrc 0x1025000 0x969f 0x6800 5.80 84711226c12bd68ac896666a56a31690

( 4 imports )
> KERNEL32.DLL: DeleteFileW, DeleteAtom, GetCPInfo, FindFirstFileA, GetCommandLineA, CreateProcessA, GetFileSize, ReadFile, WriteFile, CreateThread, ReadConsoleA, GetLastError, DeleteFileA, Sleep, SetLastError, GlobalFree, GetComputerNameA, OpenFile, FindAtomA, OpenFileMappingA, GetStdHandle, GetConsoleMode, ExitThread
> USER32.DLL: DrawIconEx, EndDialog, DialogBoxParamA, CloseWindow, DrawTextA, GetDC
> ADVAPI32.DLL: RegSetValueW, RegDeleteValueW, RegDeleteValueA, RegEnumKeyA, RegQueryValueA, RegDeleteKeyW, RegCreateKeyW, RegOpenKeyExA
> COMCTL32.DLL: ImageList_AddIcon, CreateToolbarEx, ImageList_Copy, ImageList_DragEnter, ImageList_DrawEx, ImageList_GetIconSize, ImageList_Add

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E219F4C400D3CB0B08E802F70B8A5100788DA69E
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=0c0b43584f3522e6a2023833a5af1a9a

Antivirus 2009

Host: greatvideo3.com
IP: 84.16.252.73

Whois of IP 84.16.252.73 distributing the fake antivirus Antivirus 2009:

descr:        netdirect Frankfurt, DE
origin:       AS28753
org:          ORG-nA8-RIPE
mnt-lower:    NETDIRECT-MNT
mnt-routes:   NETDIRECT-MNT
mnt-by:       NETDIRECT-MNT
source:       RIPE # Filtered

organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: internet-defense2009.com
IP:  84.16.252.73

Whois of IP 84.16.252.73 distributing the fake antivirus Antivirus 2009:

descr:        netdirect Frankfurt, DE
origin:       AS28753
org:          ORG-nA8-RIPE
mnt-lower:    NETDIRECT-MNT
mnt-routes:   NETDIRECT-MNT
mnt-by:       NETDIRECT-MNT
source:       RIPE # Filtered

organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Host: antivirus-2009pro.com
IP: 208.88.53.114

Whois of IP 208.88.53.114 distributing the fake antivirus Antivirus 2009:

org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine
phone:          +380487311011
fax-no:         +380487502499
mnt-ref:        UKRTELE-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  abuse@ukrtelegroup.com.ua
phone:          +380631508855
nic-hdl:        UA481-RIPE
source:         RIPE # Filtered

Other sites on this IP:

1.  Antivirus2009-scanner.com 
2.  Antivirus2009professional.com 

Antivirus 2009

Host: secure.extrabilling.com
IP: 216.195.56.148

Whois of IP 216.195.56.148 selling the fake antivirus Antivirus 2009:

OrgName:    APS Telecom
OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

NetRange:   216.195.32.0 - 216.195.63.255
CIDR:       216.195.32.0/19
NetName:    APS-EPSI
NetHandle:  NET-216-195-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment:    send abuse issues to abuse@3fn.net, send network
Comment:    issue to noc@3fn.bet
RegDate:    2003-11-05
Updated:    2004-09-17

Other sites on IP 216.195.56.148 selling the fake antivirus Antivirus 2009:

1.  Adult-billing.com
2.  Billhlp.com
3.  Billingcenteronline.com
4.  Billinghost.net
5.  Billingintegrator.com
6.  Billingmill.com
7.  Billingserviceonline.com
8.  Billingsquad.net
9.  Billingsvc.com
10.  Billinternet.com
11.  Billsvc.com
12.  Ccbillhelp.com
13.  Ccbillservice.com
14.  Ccbillsvc.com
15.  Customerhlp.com
16.  Ebillingcenter.com
17.  Extrabilling.com
18.  Fantazybill.com
19.  Legalbillingsystems.com
20.  Mainbillingcenter.com
21.  Orderhlp.com
22.  Paymentbit.com
23.  Paymentbit.net
24.  Paymentforge.com
25.  Quickdownloadpro.com
26.  Safepaymentsonline.com
27.  Software-payment.com
28.  Spankyhosting.com
29.  Support-wizard.com
30.  Supporthlp.com
31.  Truebillingservices.com
32.  Ultimatepayment.com
33.  Eglobalbilling.com

Antivirus 2009

XP Antivirus 2008

Monday, August 4th, 2008

XP Antivirus 2008 is a rogue Antispyware application.

Here are some fake scanning pages. DO NOT download any software from this domain(s).

XP Antivirus 2008

 

File XPAinstall_881234.exe received on 08.04.2008 16:01:28 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.04 -
AntiVir 7.8.1.15 2008.08.04 TR/Crypt.CFI.Gen
Authentium 5.1.0.4 2008.08.03 -
Avast 4.8.1195.0 2008.08.04 -
AVG 8.0.0.156 2008.08.03 -
BitDefender 7.2 2008.08.04 Trojan.FakeAlert.XL
CAT-QuickHeal 9.50 2008.08.02 -
ClamAV 0.93.1 2008.08.04 -
DrWeb 4.44.0.09170 2008.08.04 -
eSafe 7.0.17.0 2008.08.03 -
eTrust-Vet 31.6.6007 2008.08.04 -
Ewido 4.0 2008.08.04 -
F-Prot 4.4.4.56 2008.08.03 -
F-Secure 7.60.13501.0 2008.08.04 -
Fortinet 3.14.0.0 2008.08.04 -
GData 2.0.7306.1023 2008.08.04 -
Ikarus T3.1.1.34.0 2008.08.04 -
K7AntiVirus 7.10.402 2008.08.02 -
Kaspersky 7.0.0.125 2008.08.04 -
McAfee 5352 2008.08.01 -
Microsoft 1.3807 2008.08.04 Program:Win32/Antivirus2008
NOD32v2 3324 2008.08.04 -
Norman 5.80.02 2008.08.04 -
Panda 9.0.0.4 2008.08.03 -
PCTools 4.4.2.0 2008.08.04 -
Prevx1 V2 2008.08.04 -
Rising 20.56.02.00 2008.08.04 -
Sophos 4.31.0 2008.08.04 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.04 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.04 -
VBA32 3.12.8.2 2008.08.04 Trojan-Downloader.Win32.FraudLoad.vate
ViRobot 2008.8.4.1322 2008.08.04 -
VirusBuster 4.5.11.0 2008.08.03 -
Webwasher-Gateway 6.6.2 2008.08.04 Trojan.Crypt.CFI.Gen
 
Additional information
File size: 113152 bytes
MD5..: 529739c631258911be7eb9e0e3224f7b
SHA1..: e5887adb870197d2e4b513841ebaf30ae5d13bda
SHA256: b661b3c00d23100fd9abb943066b9a81af63a8629d591445eaa4ea9d224332cc
SHA512: 77f01909d2ef983661006b5bff8be43416f1383ba70ef12ad4a2ee939f0fed6ecf26612c95732207786d8c92d614032b4d7438f89bb74cccb146baaba1e9fbb5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401163
timedatestamp.....: 0x458ffdbc (Mon Dec 25 16:35:08 2006)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3735 0x3800 1.24 53ac9810eba70da5b963725e7f597d49
.data 0x5000 0x10856 0x10a00 7.53 99acef6c346c6ae39822152a9cd6b055
.tls 0x16000 0xb 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x17000 0xb87 0x200 0.23 16ac84e24467a5da7bcbf69f342ce17d
.idata 0x18000 0x69f 0x800 2.05 2bfd00031972539e81fabade08038f5c
.rsrc 0x19000 0x14499 0x6600 5.76 cff851500989f6cbb93c4ae18e41f37b

( 2 imports )
> COMCTL32.DLL: ImageList_Create, CreateMappedBitmap, MenuHelp, CreateStatusWindowW, ImageList_GetIconSize, CreateToolbar, InitCommonControls, ImageList_DrawEx, ImageList_GetIcon, ImageList_EndDrag
> ADVAPI32.DLL: RegSetValueW, RegQueryValueA, RegEnumKeyExW, RegCreateKeyA, RegDeleteValueW, RegOpenKeyA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExW

( 0 exports )

 

XP Antivirus 2008

Host: global-advers.com
IP: 89.149.226.24

descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Host : windows-scannernv.com
IP: 89.149.226.24

descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Host: protectionxp2009.com
IP: 89.149.197.240

descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Other sites on IP 89.149.197.240 hosting the rogue antivirus XP Antivirus 2008:

1.  Protectionxp2009.com 
2.  Securedstats.com 
3.  Virus-webscanner.com 
4.  Virus9-webscanner.com 

Host: updatesantivirus.com
IP: 84.16.252.73

descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Host: fastupdateserver.com
IP: 58.65.238.106

netname:      HOSTFRESH
descr:        HostFresh
descr:        Internet Service Provider
country:      HK
admin-c:      PL466-AP
tech-c:       PL466-AP
status:       ALLOCATED PORTABLE
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-HOSTFRESH
mnt-routes:   MAINT-HK-HOSTFRESH
remarks:      Please send Spam & Abuse report to
remarks:      abuse@hostfresh.com

Other sites on IP 58.65.238.106 hosting the rogue antivirus XP Antivirus 2008:

1.  Antispyguard-scanner.com 
2.  Fastupdateserver.com 
3.  Fastwebway.com 
4.  Impressiontracker.com 
5.  Mcprivate.biz 
6.  Online-xpcleaner.com 
7.  Streamhotvideo.com 
8.  Xpantivirussecurity.com 
9.  Xpcleanerpro.com 

Host: secure.xp-antivirus.com
IP: 207.226.175.123

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US
OrgAbuseHandle: PAD13-ARIN
OrgAbuseName:   PCCW AUP Department
OrgAbusePhone:  +1-703-621-1637
OrgAbuseEmail:  probinson@pccwglobal.com

XP Antivirus 2008


 

Rogue Antispyware - XPAntivirus

Thursday, July 10th, 2008

Win32/Adware.XPAntivirus is a rogue antispyware/adware application. It tries to get itself installed through a fake warning screen served from the following resources.

Stay away from the following IPs and hosts!

First, a fake scan page on teledisons.com:

Host: teledisons.com
IP: 89.149.197.240

Whois:

inetnum:        89.149.192.0 - 89.149.255.255
org:            ORG-nA8-RIPE
netname:        DE-NETDIRECT-20060223
descr:          netdirect
country:        DE
organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirect.de

Other sites on this IP:

1.  Securedstats.com 
2.  Virus-webscanner.com 
3.  Virus9-webscanner.com 

The fake antivirus installer is then downloaded from

http://spywareadvancedscanner.com/2008/trial/XPAinstall_880532.exe

Host: spywareadvancedscanner.com
IP: 89.149.226.24

Whois:

inetnum:        89.149.226.0 - 89.149.227.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirect.de

Other sites on this IP:

1.  Drivemedirect.com 
2.  Globalreds.com 

Additional binaries are then downloaded silently from
http://antispyguard-scanner.com/download/xpa_2008.exe

Host: antispyguard-scanner.com
IP: 58.65.238.106

Whois:

inetnum:      58.65.232.0 - 58.65.239.255
netname:      HOSTFRESH
descr:        HostFresh
descr:        Internet Service Provider
country:      HK
admin-c:      PL466-AP
tech-c:       PL466-AP
status:       ALLOCATED PORTABLE
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-HOSTFRESH
mnt-routes:   MAINT-HK-HOSTFRESH
remarks:      Please send Spam & Abuse report to
remarks:      abuse@hostfresh.com

Other sites on this IP:

1.  Antispyguard-scanner.com 
2.  Browserprotectioncenter.com 
3.  Fastupdateservice.com 
4.  Fastwebway.com 
5.  Mcprivate.biz 
6.  Megacodec.biz 
7.  Online-xpcleaner.com 
8.  Securityscannersite.com 
9.  Streamhotvideo.com 
10. Xpantivirussecurity.com 
11. Xpcleanerpro.com 

Additional hosts found while tracing

Host: teledisons.com
IP: 209.67.214.194

Whois:

 
OrgName:    Savvis
OrgID:      SAVVI-3
Address:    3300 Regency Parkway
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US
OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-877-393-7878
OrgAbuseEmail:  abuse@savvis.net

Other sites on this IP:

1.  Caduta-capello.info 
2.  Dolce-nera.info 
3.  Frasi-amicizia.info 
4.  Fuso-orario.info 
5.  Liveresponsesite.com 
6.  Onlinexpsecurity.com 
7.  Piante-grasse.info 
8.  Sfondi-amore.info 
9.  Sfondi-vari.info 
10. Turismo-di-pisa.info 
11. Updatesantivirus.com 
12. Xp-registration.com 
13. Xpprotectionsoftware.com 
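Across the posts on this page the same addresses and the same hosting organisations keep coming back: 84.16.252.73 serves both an Antivirus 2009 landing page and updatesantivirus.com from the XP Antivirus 2008 post, the 89.149.x and 58.65.238.106 hosts appear in two separate XP Antivirus posts, and netdirekt in Frankfurt turns up under every campaign. The script below, an added example and not part of the original posts, pivots the Host:/IP: pairs and the whois ranges recorded on the page to surface that shared infrastructure. The observations and address ranges are copied from the page; the campaign labels, the single-address attributions (taken from the page's whois excerpts that give no range) and the function names are mine.

```python
"""Pivot Host/IP observations and whois ranges from the page to find hosting
shared between rogue antivirus campaigns. Added example; data copied from
the posts, labels and helpers are mine."""
from collections import defaultdict
from ipaddress import ip_address

# (post, hostname, ip) copied from the Host:/IP: lines of each post.
OBSERVATIONS = [
    ("Antivirus XP 2008", "directcubeone.net", "78.157.143.217"),
    ("Antivirus XP 2008", "www.avxp-2008.net", "78.159.99.79"),
    ("Antivirus XP 2008", "www.avxp-2008.net", "78.159.96.16"),
    ("Antivirus XP 2008", "stat.avxp-2008.net", "78.159.96.16"),
    ("Antivirus XP 2008", "secure.innovagest2000sl.com", "207.226.175.126"),
    ("Antivirus 2009", "greatvideo3.com", "84.16.252.73"),
    ("Antivirus 2009", "internet-defense2009.com", "84.16.252.73"),
    ("Antivirus 2009", "antivirus-2009pro.com", "208.88.53.114"),
    ("Antivirus 2009", "secure.extrabilling.com", "216.195.56.148"),
    ("XP Antivirus 2008", "global-advers.com", "89.149.226.24"),
    ("XP Antivirus 2008", "windows-scannernv.com", "89.149.226.24"),
    ("XP Antivirus 2008", "protectionxp2009.com", "89.149.197.240"),
    ("XP Antivirus 2008", "updatesantivirus.com", "84.16.252.73"),
    ("XP Antivirus 2008", "fastupdateserver.com", "58.65.238.106"),
    ("XP Antivirus 2008", "secure.xp-antivirus.com", "207.226.175.123"),
    ("XPAntivirus", "teledisons.com", "89.149.197.240"),
    ("XPAntivirus", "spywareadvancedscanner.com", "89.149.226.24"),
    ("XPAntivirus", "antispyguard-scanner.com", "58.65.238.106"),
    ("XPAntivirus", "teledisons.com", "209.67.214.194"),
]

# Address blocks the whois excerpts on the page actually give (inetnum / CIDR).
RANGES = [
    ("netdirect", "89.149.192.0", "89.149.255.255"),
    ("netdirect", "89.149.226.0", "89.149.227.255"),
    ("HostFresh", "58.65.232.0", "58.65.239.255"),
    ("APS Telecom", "216.195.32.0", "216.195.63.255"),
]
# Addresses the page attributes to an organisation without giving a range.
SINGLE = {
    "78.159.99.79": "netdirect",
    "78.159.96.16": "netdirect",
    "84.16.252.73": "netdirect",
    "207.226.175.126": "Beyond The Network America",
    "207.226.175.123": "Beyond The Network America",
    "208.88.53.114": "UkrTeleGroup",
    "209.67.214.194": "Savvis",
}


def org_for(ip):
    """Most specific matching range first, then exact-address attributions."""
    addr = ip_address(ip)
    by_size = sorted(RANGES, key=lambda r: int(ip_address(r[2])) - int(ip_address(r[1])))
    for org, low, high in by_size:
        if ip_address(low) <= addr <= ip_address(high):
            return org
    return SINGLE.get(ip, "unknown")


def hosts_by_ip():
    """Every hostname observed on each address."""
    table = defaultdict(set)
    for _post, host, ip in OBSERVATIONS:
        table[ip].add(host)
    return dict(table)


def shared_ips():
    """Addresses that served more than one campaign: the strongest pivot,
    because a new domain on such an address inherits the suspicion."""
    table = defaultdict(set)
    for post, _host, ip in OBSERVATIONS:
        table[ip].add(post)
    return {ip: posts for ip, posts in table.items() if len(posts) > 1}


def orgs_by_campaign():
    """Hosting organisations behind each campaign, via the whois attributions."""
    table = defaultdict(set)
    for post, _host, ip in OBSERVATIONS:
        table[post].add(org_for(ip))
    return dict(table)


def blocklist():
    """Deduplicated hostnames for a DNS or proxy blocklist."""
    return sorted({host for _post, host, _ip in OBSERVATIONS})


if __name__ == "__main__":
    for ip, posts in shared_ips().items():
        print(ip, org_for(ip), sorted(posts), sorted(hosts_by_ip()[ip]))
    for post, orgs in orgs_by_campaign().items():
        print(post, "->", sorted(orgs))
    print(len(blocklist()), "hosts to block")
```

The "Other sites on this IP" lists on the page can be appended to OBSERVATIONS in the same shape to widen the pivot; the address 78.157.143.217 has no whois excerpt on the page and therefore resolves to "unknown" rather than a guessed organisation.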

 

File xpa_2008.exe received on 07.16.2008 14:26:05 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.16.0 2008.07.16 -
AntiVir 7.8.0.68 2008.07.16 TR/Dldr.FraudLoad.997888
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.15 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.07.16 Downloader.Generic7.XAI
BitDefender 7.2 2008.07.16 Trojan.Generic.355770
CAT-QuickHeal 9.50 2008.07.15 Trojan.PolyCrypt.m
ClamAV 0.93.1 2008.07.16 -
DrWeb 4.44.0.09170 2008.07.16 Trojan.Fakealert.992
eSafe 7.0.17.0 2008.07.15 -
eTrust-Vet 31.6.5959 2008.07.16 -
Ewido 4.0 2008.07.16 -
F-Prot 4.4.4.56 2008.07.15 -
F-Secure 7.60.13501.0 2008.07.16 Packed.Win32.PolyCrypt.m
Fortinet 3.14.0.0 2008.07.16 PossibleThreat
GData 2.0.7306.1023 2008.07.16 Packed.Win32.PolyCrypt.m
Ikarus T3.1.1.26.0 2008.07.16 Trojan-Downloader.Win32.FraudLoad
Kaspersky 7.0.0.125 2008.07.16 Packed.Win32.PolyCrypt.m
McAfee 5339 2008.07.15 FakeAlert-AB.gen
Microsoft 1.3704 2008.07.16 Trojan:Win32/Renos.C
NOD32v2 3271 2008.07.16 Win32/Adware.XPAntivirus
Norman 5.80.02 2008.07.16 W32/DLoader.IAXZ
Panda 9.0.0.4 2008.07.15 Adware/Lop
Prevx1 V2 2008.07.16 Fraudulent Security Program
Rising 20.53.22.00 2008.07.16 -
Sophos 4.31.0 2008.07.16 Mal/EncPk-CZ
Sunbelt 3.1.1536.1 2008.07.15 -
Symantec 10 2008.07.16 XPAntivirus
TheHacker 6.2.96.381 2008.07.16 Trojan/PolyCrypt.m
TrendMicro 8.700.0.1004 2008.07.16 -
VBA32 3.12.8.0 2008.07.16 Trojan-Downloader.Win32.FraudLoad.gen
VirusBuster 4.5.11.0 2008.07.15 -
Webwasher-Gateway 6.6.2 2008.07.16 Trojan.Dldr.FraudLoad.997888
 
Additional information
File size: 997888 bytes
MD5..: 21e57eecbbf76af19a173ff9c5740676
SHA1..: 2757202618da03fb9807c8e753031cb9d0d29877
SHA256: 1318bef28f7a524da044f9ec8c03da409d80bf74dec4dc1af979b56552016c80
SHA512: 3d9ab73dee25c3c19091800ffcf02dbab51f3ed8d3726fb454cf22df480895315f9fb1724d63e0f4f5845687411679f7d10b714d61219ea568100711e5a07094
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4011d4
timedatestamp.....: 0x45eb422a (Sun Mar 04 22:03:22 2007)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x339f 0x3400 1.27 89eac0324378b39be2819fff44347cd1
.data 0x5000 0xe5eac 0xe6000 7.82 e8abbb1beb51e8576e92f47121eb76ed
.tls 0xeb000 0x3e 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0xec000 0x18 0x200 0.23 da167ac6851b35a197aa5946bcfbe084
.idata 0xed000 0x32a 0x400 4.07 05ef438e6b047c0a28551acf319f9601
.rsrc 0xee000 0x1f16bd 0x9800 5.07 e9072fdf66d568914d6823fe4e9f48b3

( 3 imports )
> COMCTL32.DLL: ImageList_Create, DrawStatusText, ImageList_DragEnter, ImageList_GetIconSize, ImageList_LoadImageA, InitCommonControls, ImageList_EndDrag, CreateToolbarEx, ImageList_LoadImageW
> ADVAPI32.DLL: RegDeleteKeyA, RegEnumKeyW, RegSetValueW, RegEnumValueW, RegQueryValueExA, RegEnumValueA
> GDI32.DLL: SetTextColor, ExcludeClipRect, GetCurrentPositionEx, CreateBitmap, CreateDIBSection, CreateDIBitmap, GetDCOrgEx, CreateCompatibleDC, GetPixel, CreateCompatibleBitmap

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=70D571A2007510C33A640F404A0EB800C094FC52