Posts Tagged ‘Total Secure 2009’

Total Secure 2009 rogue antivirus application

Friday, October 24th, 2008

Total Secure 2009 is a rogue antivirus application. To remove this rogue application, and other viruses and spyware, use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

 

Total Secure 2009

File c-setup.exe received on 10.24.2008 16:31:46 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.24.3 2008.10.24 -
AntiVir 7.9.0.7 2008.10.24 TR/Drop.Agent.yic
Authentium 5.1.0.4 2008.10.24 -
Avast 4.8.1248.0 2008.10.24 -
AVG 8.0.0.161 2008.10.24 SHeur.CQEW
BitDefender 7.2 2008.10.24 -
CAT-QuickHeal 9.50 2008.10.24 TrojanDropper.Agent.yic
ClamAV 0.93.1 2008.10.24 -
DrWeb 4.44.0.09170 2008.10.24 -
eSafe 7.0.17.0 2008.10.23 Suspicious File
eTrust-Vet 31.6.6167 2008.10.24 -
Ewido 4.0 2008.10.24 -
F-Prot 4.4.4.56 2008.10.24 -
F-Secure 8.0.14332.0 2008.10.24 Trojan-Dropper.Win32.Agent.yic
Fortinet 3.113.0.0 2008.10.24 -
GData 19 2008.10.24 -
Ikarus T3.1.1.44.0 2008.10.24 -
K7AntiVirus 7.10.506 2008.10.24 -
Kaspersky 7.0.0.125 2008.10.24 Trojan-Dropper.Win32.Agent.yic
McAfee 5414 2008.10.24 -
Microsoft 1.4005 2008.10.24 TrojanDownloader:Win32/Renos.DU
NOD32 3552 2008.10.24 Win32/Adware.IeDefender.NHO
Norman 5.80.02 2008.10.23 W32/Agent.IZVC
Panda 9.0.0.4 2008.10.24 Suspicious file
PCTools 4.4.2.0 2008.10.24 -
Prevx1 V2 2008.10.24 -
Rising 21.00.42.00 2008.10.24 -
SecureWeb-Gateway 6.7.6 2008.10.24 Trojan.Drop.Agent.yic
Sophos 4.34.0 2008.10.24 -
Sunbelt 3.1.1749.1 2008.10.23 -
Symantec 10 2008.10.24 -
TheHacker 6.3.1.0.126 2008.10.23 -
TrendMicro 8.700.0.1004 2008.10.24 PAK_Generic.001
VBA32 3.12.8.8 2008.10.22 -
ViRobot 2008.10.24.1436 2008.10.24 -
VirusBuster 4.5.11.0 2008.10.23 -
 
Additional information
File size: 48135 bytes
MD5...: 39f14093b64189e252c24d1c17658f30
SHA1..: 30573ec06fe14035b2d9da0299188fea49ef883a
SHA256: 5dcde2ed59d7db60fa1aa5eca9df583a744e5d094e7de2c7fc28d21f55bd7338
SHA512: 1a2f735208b3528c21de41f86ccbb29be85bec771cf8187aa4f7d67b8484f393cab506192516a78d3dc187c1738b24143ce8905bfe2654c34b7c48646b10d95e
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x427150
timedatestamp.....: 0x48ff95ff (Wed Oct 22 21:07:11 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name  viradd  virsiz  rawdsiz ntrpy md5
UPX0  0x1000  0x1b000 0x0     0.00  d41d8cd98f00b204e9800998ecf8427e
UPX1  0x1c000 0xc000  0xb400  7.87  ab363fb92010fd6a38beeef47cfdc293
.rsrc 0x28000 0x1000  0x400   2.62  96a887e72bc0e48e22add259d7316cec

( 3 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> SHELL32.dll: ShellExecuteA

( 0 exports )

packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): embedded, UPX

Total Secure 2009

File TotalSecure2009.exe received on 10.24.2008 16:32:12 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.24.3 2008.10.24 -
AntiVir 7.9.0.7 2008.10.24 DR/Fraud.TotalSecure2009.AC
Authentium 5.1.0.4 2008.10.24 -
Avast 4.8.1248.0 2008.10.24 -
AVG 8.0.0.161 2008.10.24 Generic3.YXE
BitDefender 7.2 2008.10.24 Trojan.FakeAlert.AKC
CAT-QuickHeal 9.50 2008.10.24 -
ClamAV 0.93.1 2008.10.24 -
DrWeb 4.44.0.09170 2008.10.24 Trojan.Fakealert.origin
eSafe 7.0.17.0 2008.10.23 -
eTrust-Vet 31.6.6167 2008.10.24 -
Ewido 4.0 2008.10.24 -
F-Prot 4.4.4.56 2008.10.24 -
F-Secure 8.0.14332.0 2008.10.24 FraudTool.Win32.TotalSecure2009.ac
Fortinet 3.113.0.0 2008.10.24 -
GData 19 2008.10.24 Trojan.FakeAlert.AKC
Ikarus T3.1.1.44.0 2008.10.24 Trojan.Win32.Delflob.I
K7AntiVirus 7.10.506 2008.10.24 -
Kaspersky 7.0.0.125 2008.10.24 not-a-virus:FraudTool.Win32.TotalSecure2009.ac
McAfee 5414 2008.10.24 -
Microsoft 1.4005 2008.10.24 Trojan:Win32/Delflob.I
NOD32 3552 2008.10.24 probably a variant of Win32/Adware.IeDefender.NHA
Norman 5.80.02 2008.10.23 -
Panda 9.0.0.4 2008.10.24 -
PCTools 4.4.2.0 2008.10.24 -
Prevx1 V2 2008.10.24 Fraudulent Security Program
Rising 21.00.42.00 2008.10.24 -
SecureWeb-Gateway 6.7.6 2008.10.24 Trojan.Dropper.Fraud.TotalSecure2009.AC
Sophos 4.34.0 2008.10.24 IE Defender
Sunbelt 3.1.1749.1 2008.10.23 Total Secure 2009
Symantec 10 2008.10.24 TotalSecure2009
TheHacker 6.3.1.0.126 2008.10.23 -
TrendMicro 8.700.0.1004 2008.10.24 -
VBA32 3.12.8.8 2008.10.22 -
ViRobot 2008.10.24.1436 2008.10.24 -
VirusBuster 4.5.11.0 2008.10.23 -
 
Additional information
File size: 1672740 bytes
MD5...: 09bfa3c3fdf5d18552ad7930a552ff1c
SHA1..: f1ed3fecceb665e17a353177098437ed9aee9036
SHA256: 41c2296f3d20eeb7154f5df5d0c1e3efba461d9527e63dbaf178be8d20d419cb
SHA512: 309908af0a4e835bfb40b22c1e680e7795eedd43d1d96c072d760393ec3ae420c7cc232a97e038dcbf2ee520e95c9f5678b8473ecbadc938e1c78ea191c3a50b
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4030b4
timedatestamp.....: 0x4878f227 (Sat Jul 12 18:04:23 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name   viradd  virsiz  rawdsiz ntrpy md5
.text  0x1000  0x57ec  0x5800  6.48  a06acff3c3236138ef0c89710413f34c
.rdata 0x7000  0x1190  0x1200  5.18  0f7b157b78f399340e80aa07581634eb
.data  0x9000  0x1af58 0x400   4.59  17047dc18ec7b67a9dd51dc161e64f03
.ndata 0x24000 0x9000  0x0     0.00  d41d8cd98f00b204e9800998ecf8427e
.rsrc  0x2d000 0x67b8  0x6800  5.56  e1d3fb8a988fd65e26b7af9e40097eaf

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=5829EF4D24000463867C1925256D5F00FEF16BFF

Total Secure 2009

Host: videofreeforonline.com
IP: 91.203.92.97

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT

Other sites distributing the rogue antivirus Total Secure 2009:

1. Mybestmp3portal.com
2. Videofreeforonline.com

Host: gensoftdownload.com
IP: 91.203.93.25

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT

Host: megauplinkbindinstaller.com
IP: 91.203.92.99

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT

Other sites distributing the rogue antivirus Total Secure 2009:

1. Megauplinkbindinstaller.com
2. Theupdatedownload.com

Host: easynetsearch.com
IP: 205.252.166.169

Whois:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

Host: theupdatedownload.com
IP: 91.203.92.99

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT

Other sites:

1. Megauplinkbindinstaller.com
2. Theupdatedownload.com

Host: total-secure2009.com
IP: 200.63.45.55

Whois:

status:      reallocated
owner:       Ricardo Carreras
ownerid:     HN-RICA-LACNIC
responsible: Honduras Web
address:     P.O.Box: 1142 La Ceiba, #37 street., 1142, 37
address:     00000 - Tegucigalpa - TE
country:     HN
phone:       +504  9815-3645 []
owner-c:     RIC9
tech-c:      RIC9
abuse-c:     RIC9
created:     20080630
changed:     20080630
inetnum-up:  200.63.40/21

Other sites:

1. Total-secure2009.com
2. Windefender-2009.com

Host: secure.intro-pay.com
IP: 216.40.219.141

Whois:

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    315 Capitol
Address:    Suite 205
City:       Houston
StateProv:  TX
PostalCode: 77002
Country:    US

Other sites selling the rogue antivirus Total Secure 2009:

1. Ds-pay.com
2. Intro-pay.com
3. Ormondsystems.com

 


Total Secure 2009 rogue antivirus application

Wednesday, October 22nd, 2008

Total Secure 2009 is a fake, rogue antivirus. To remove this rogue application, and other viruses and spyware, use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

Total Secure 2009

File MediaTubeCodec_ver1.812.0.exe received on 10.22.2008 15:31:16 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.22.0 2008.10.22 -
AntiVir 7.9.0.5 2008.10.22 TR/Dldr.Zlob.aajg
Authentium 5.1.0.4 2008.10.22 -
Avast 4.8.1248.0 2008.10.22 -
AVG 8.0.0.161 2008.10.22 -
BitDefender 7.2 2008.10.22 -
CAT-QuickHeal 9.50 2008.10.22 -
ClamAV 0.93.1 2008.10.22 -
DrWeb 4.44.0.09170 2008.10.22 -
eSafe 7.0.17.0 2008.10.19 -
eTrust-Vet 31.6.6162 2008.10.21 -
Ewido 4.0 2008.10.22 -
F-Prot 4.4.4.56 2008.10.22 -
F-Secure 8.0.14332.0 2008.10.22 -
Fortinet 3.113.0.0 2008.10.22 -
GData 19 2008.10.22 -
Ikarus T3.1.1.44.0 2008.10.22 Trojan-Downloader.Zlob
K7AntiVirus 7.10.501 2008.10.21 -
Kaspersky 7.0.0.125 2008.10.22 -
McAfee 5411 2008.10.22 -
Microsoft 1.4005 2008.10.22 TrojanDownloader:Win32/Zlob.gen!CD
NOD32 3545 2008.10.22 -
Norman 5.80.02 2008.10.22 -
Panda 9.0.0.4 2008.10.22 -
PCTools 4.4.2.0 2008.10.22 -
Prevx1 V2 2008.10.22 -
Rising 20.67.22.00 2008.10.22 -
SecureWeb-Gateway 6.7.6 2008.10.22 Trojan.Dldr.Zlob.aajg
Sophos 4.34.0 2008.10.22 -
Sunbelt 3.1.1742.1 2008.10.21 -
Symantec 10 2008.10.22 -
TheHacker 6.3.1.0.123 2008.10.22 -
TrendMicro 8.700.0.1004 2008.10.22 -
VBA32 3.12.8.8 2008.10.22 suspected of Win32.Trojan-Downloader
ViRobot 2008.10.22.1432 2008.10.22 -
VirusBuster 4.5.11.0 2008.10.22 -
Additional information
File size: 77824 bytes
MD5...: c1202919430900fd93e48dd6fab11cd6
SHA1..: 832d6fc07e7d45c3e89d33d04667f651a472ec5d
SHA256: ae993034e5fcdb5839639746f5c6fd59f285e1a0e6b90a014deb0408901e7c96
SHA512: a387584e9ba4db719800462d525c86b5ca4183eae74c7e0d1353977844372c633524dc2caf0c0b5605763de593e89952253fc2bfcfd537857da8731e1f2ce460
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404950
timedatestamp.....: 0x48ff21d6 (Wed Oct 22 12:51:34 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name   viradd  virsiz rawdsiz ntrpy md5
.text  0x1000  0xadd7 0xb000  6.50  9b73cfbb6a4d4489b8ed47db51cb5657
.rdata 0xc000  0x467c 0x5000  4.80  e6135070d7c2a324e6665662dd569327
.data  0x11000 0x183c 0x1000  2.34  80d441cd7bfce31439da51c0d7736c55
.rsrc  0x13000 0xb0   0x1000  3.06  1fc8e43d261086abf4c231ece0e54239

( 1 imports )
> KERNEL32.dll: HeapAlloc, GetProcessHeap, GetProcAddress, LoadLibraryW, SetLastError, GetLastError, FreeLibrary, HeapFree, GetVersionExA, LoadLibraryA, GetCurrentThread, GetCurrentProcess, lstrlenA, RaiseException, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, TlsGetValue, TlsSetValue, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, LeaveCriticalSection, EnterCriticalSection, VirtualFree, VirtualAlloc, HeapReAlloc, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSection, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, WideCharToMultiByte, LCMapStringW

( 0 exports )

Total Secure 2009


Host: moviesportal2008xxx.com
IP: 72.232.183.154

Whois:
OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

Other sites distributing the rogue antivirus Total Secure 2009:


Host: softwaredownload2008hq.com
IP: 78.157.143.250

Whois:

netname: VDHOST
descr: VdHost Ltd.
descr:
country: LV
admin-c: AV2990-RIPE
tech-c: UNHM-RIPE
status: ASSIGNED PA
mnt-by: UN-MNT
source: RIPE # Filtered

role: UltraNet Hostmaster
address: UltraNet SIA
Aizkraukles 23
Riga, LV-1006
Latvia
phone: +371 67543003
fax-no: +371 67594435

Other sites distributing the rogue antivirus Total Secure 2009:


Host: total-secure2009.com
IP: 200.63.45.55

Whois:

inetnum: 200.63.45/24
status: reallocated
owner: Ricardo Carreras
ownerid: HN-RICA-LACNIC
responsible: Honduras Web
address: P.O.Box: 1142 La Ceiba, #37 street., 1142, 37
address: 00000 - Tegucigalpa - TE
country: HN
phone: +504 9815-3645 []
owner-c: RIC9
tech-c: RIC9
abuse-c: RIC9
created: 20080630
changed: 20080630
inetnum-up: 200.63.40/21

Other sites distributing the rogue antivirus Total Secure 2009:

1. Total-secure2009.com
2. Windefender-2009.com


Host: viacodecright—2.com
IP: 77.91.227.179

Whois:

person: Pavel Malinkovich
address: Tevosyana 40a-89
address: Electrostal, Moscow Region
address: Russia
phone: +7 495 5434485
abuse-mailbox: abuse@netplace.ru
nic-hdl: PM946-RIPE
source: RIPE # Filtered

Other sites distributing the rogue antivirus Total Secure 2009:

1. Codecadult23df18.com
2. Hot-sextubedriver2.com
3. Sextubecodec023dfs41.com
4. Viacodecright—2.com


Host: megauplinkbindinstaller.com
IP: 91.203.92.99

Whois:

netname: BASTION-NET
descr: ISP UATelecom
country: EU
org: ORG-TG39-RIPE
admin-c: ML7676-RIPE
tech-c: UNm3-RIPE
status: ASSIGNED PI
mnt-by: UATELECOM-MNT
mnt-lower: UATELECOM-MNT
mnt-routes: UATELECOM-MNT
mnt-domains: UATELECOM-MNT

Other sites distributing the rogue antivirus Total Secure 2009:

1. Megauplinkbindinstaller.com
2. Theupdatedownload.com

Host: onsafepro—2008.com
IP: 91.203.92.25

Whois:

netname: BASTION-NET
descr: ISP UATelecom
country: EU
org: ORG-TG39-RIPE
admin-c: ML7676-RIPE
tech-c: UNm3-RIPE
status: ASSIGNED PI
mnt-by: UATELECOM-MNT
mnt-lower: UATELECOM-MNT
mnt-routes: UATELECOM-MNT
mnt-domains: UATELECOM-MNT

Other sites distributing the rogue antivirus Total Secure 2009:

1. Directnameservice—2008.com
2. Onsafepro—2008.com
3. S-avirus.com
4. Viruswebprotect—2008.com


Host: secure.intro-pay.com
IP: 216.40.219.141

Whois:

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US

Other sites selling the rogue antivirus Total Secure 2009:

1. Ds-pay.com
2. Intro-pay.com
3. Ormondsystems.com

Host: protect.trustedantivirus.com
IP: 93.190.139.221

Whois:

netname: WORLDSTREAM
descr: WorldStream IPv4.4
country: NL
admin-c: WS1670-RIPE
tech-c: WS1670-RIPE
status: ASSIGNED PA
mnt-by: MNT-WORLDSTREAM
mnt-by: KABELFOON-MNT
source: RIPE # Filtered

role: WORLDSTREAM DBM
address: Honderdland 111F
address: 2676LT Maasdijk
phone: +31174712117
fax-no: +31174512310

Other sites:

1. Gomyhit.com
2. Gomyron.com
3. Rdrmngr.com
4. Sadafaha.com
5. Vmaff.com

Host: intervarioclick.com
IP: 76.74.249.30

Whois:

OrgName: Peer 1 Network Inc.
OrgID: PER1
Address: 75 Broad Street
Address: 2nd Floor
City: New York
StateProv: NY
PostalCode: 10004
Country: US

Other sites:


Total Secure 2009 rogue antivirus application

Monday, September 22nd, 2008

Total Secure 2009 is a rogue antivirus application. Stay away from its IPs and hosts!

Use Kaspersky antivirus to remove the virus - http://cleanthe.net/how-to-remove-virus/

Total Secure 2009

File c-setup.exe received on 09.22.2008 17:13:36 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.19.2 2008.09.22 -
AntiVir 7.8.1.34 2008.09.22 -
Authentium 5.1.0.4 2008.09.22 -
Avast 4.8.1195.0 2008.09.22 -
AVG 8.0.0.161 2008.09.22 -
BitDefender 7.2 2008.09.22 -
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.22 -
DrWeb 4.44.0.09170 2008.09.22 -
eSafe 7.0.17.0 2008.09.22 -
eTrust-Vet 31.6.6099 2008.09.22 -
Ewido 4.0 2008.09.22 -
F-Prot 4.4.4.56 2008.09.21 -
F-Secure 8.0.14332.0 2008.09.22 -
Fortinet 3.113.0.0 2008.09.22 -
GData 19 2008.09.22 -
Ikarus T3.1.1.34.0 2008.09.22 -
K7AntiVirus 7.10.467 2008.09.22 -
Kaspersky 7.0.0.125 2008.09.22 -
McAfee 5388 2008.09.19 -
Microsoft 1.3903 2008.09.22 TrojanDownloader:Win32/Renos.DU
NOD32v2 3460 2008.09.22 probably a variant of Win32/Adware.IeDefender.NGU
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.22 Suspicious file
PCTools 4.4.2.0 2008.09.22 -
Prevx1 V2 2008.09.22 Cloaked Malware
Rising 20.63.02.00 2008.09.22 -
Sophos 4.33.0 2008.09.22 Troj/Agent-HRZ
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.22 -
TheHacker 6.3.0.9.090 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.22 -
VBA32 3.12.8.5 2008.09.22 -
ViRobot 2008.9.22.1387 2008.09.22 -
VirusBuster 4.5.11.0 2008.09.22 -
Webwasher-Gateway 6.6.2 2008.09.22 -
 
Additional information
File size: 151559 bytes
MD5...: 162684237b34eeea62f9f8de736f2e53
SHA1..: 0195397f8e0652a0c00f84890770ad5fb6cc9ada
SHA256: b235e2983dabd96cddadc8f80ac44882deafacb25618d5292f801535e95e4ef6
SHA512: 3223d206c1f246cf5dfd3b599cd118fb423bb680bfd781d1f293edd5df7c5fe7bdfa175c44285ad7c17bd88bf30de1ee697aca10412d89d77f40d73f4ef11e85
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4021a9
timedatestamp.....: 0x48d77f94 (Mon Sep 22 11:20:52 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name   viradd virsiz  rawdsiz ntrpy md5
.text  0x1000 0x3bde  0x4000  6.35  145487ab1008509208af63ca99390e16
.rdata 0x5000 0xafc   0x1000  4.27  6db462107aa0edecc59e9bc57027f025
.data  0x6000 0xa1c   0x1000  0.96  66be5f4d8c6ab578df33b98851dcffd2
.rsrc  0x7000 0x1d7f8 0x1e000 4.87  3aebbab7e0a11f73172e59e0c2187ada

( 3 imports )
> KERNEL32.dll: FreeResource, LockResource, LoadResource, FindResourceA, ReadFile, SetFilePointer, SizeofResource, GetSystemDirectoryA, GetModuleFileNameA, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, DeleteFileA, CreateFileA, WriteFile, CloseHandle, GetFileSize, GetLocalTime, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, GetProcAddress, LoadLibraryA, GetStringTypeW
> SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, ShellExecuteA
> ADVAPI32.dll: RegQueryValueExA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=DEE2D48D07A9928550390296B096A000C29242E1
packers (F-Prot): embedded

File TotalSecure2009.exe received on 09.22.2008 17:15:52 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.19.2 2008.09.22 -
AntiVir 7.8.1.34 2008.09.22 -
Authentium 5.1.0.4 2008.09.22 -
Avast 4.8.1195.0 2008.09.22 -
AVG 8.0.0.161 2008.09.22 -
BitDefender 7.2 2008.09.22 -
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.22 -
DrWeb 4.44.0.09170 2008.09.22 -
eSafe 7.0.17.0 2008.09.22 -
eTrust-Vet 31.6.6099 2008.09.22 -
Ewido 4.0 2008.09.22 -
F-Prot 4.4.4.56 2008.09.21 -
F-Secure 8.0.14332.0 2008.09.22 -
Fortinet 3.113.0.0 2008.09.22 -
GData 19 2008.09.22 -
Ikarus T3.1.1.34.0 2008.09.22 -
K7AntiVirus 7.10.467 2008.09.22 -
Kaspersky 7.0.0.125 2008.09.22 -
McAfee 5388 2008.09.19 -
Microsoft 1.3903 2008.09.22 -
NOD32v2 3460 2008.09.22 -
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.22 -
PCTools 4.4.2.0 2008.09.22 -
Prevx1 V2 2008.09.22 -
Rising 20.63.02.00 2008.09.22 -
Sophos 4.33.0 2008.09.22 IE Defender
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.22 -
TheHacker 6.3.0.9.090 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.22 -
VBA32 3.12.8.5 2008.09.22 -
ViRobot 2008.9.22.1387 2008.09.22 -
VirusBuster 4.5.11.0 2008.09.22 -
Webwasher-Gateway 6.6.2 2008.09.22 -
 
Additional information
File size: 1949638 bytes
MD5...: eac3c2b05fed56183fa2da884b7913ee
SHA1..: a7a82bbeec9939cdd56c724f6bb8738445eada8c
SHA256: a0fed9a6433eca8b2d05a501f1a10e2e33f46823bf2862e54cd90646cf5808d9
SHA512: 4c2f462f6a58b57ec9de4f9afaec0e7dc62be836ce6240cf32b0b5fb8a8a1da734c5368556b637e6664588f774e364d46d5703d2dfe96114a639224377341d5d
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4030b4
timedatestamp.....: 0x4878f227 (Sat Jul 12 18:04:23 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name   viradd  virsiz  rawdsiz ntrpy md5
.text  0x1000  0x57ec  0x5800  6.48  a06acff3c3236138ef0c89710413f34c
.rdata 0x7000  0x1190  0x1200  5.18  0f7b157b78f399340e80aa07581634eb
.data  0x9000  0x1af58 0x400   4.59  17047dc18ec7b67a9dd51dc161e64f03
.ndata 0x24000 0x9000  0x0     0.00  d41d8cd98f00b204e9800998ecf8427e
.rsrc  0x2d000 0x42c0  0x4400  5.83  2d51bf4ac683af918d43b3e1f3df9401

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )

 

Host: videofreeforonline.com
IP: 91.203.92.97

Whois:

inetnum:        91.203.92.0 - 91.203.95.255
netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        * abuse@uatelecom.com.ua                        *

Host: www.mp3sale.ru
IP: 78.140.145.6

Whois:

org-name:       WebaZilla B.V.
org-type:       LIR
address:        WebaZilla B.V.
                Postbus 19115
                3501DC Utrecht
                Netherlands
phone:          +31612253464
fax-no:         +31303100299
e-mail:         ripe@webazilla.com

 

Host: goldvipclub.com
IP: 66.11.154.210

Whois:

OrgName:    Canadawebhosting
OrgID:      CANAD-9
Address:    9 - 3151 Lakeshore Road
Address:    Suite 409
City:       Kelowna
StateProv:  BC
PostalCode: V1W-3S9
Country:    CA

OrgAbuseHandle: CWHAE-ARIN
OrgAbuseName:   Canada Web Hosting AUP Enforcement
OrgAbusePhone:  +1-877-587-2771
OrgAbuseEmail:  abuse@canadawebhosting.com

 

Host: total-secure2009.com
IP: 200.63.45.55

status:      reallocated
owner:       Ricardo Carreras
ownerid:     HN-RICA-LACNIC
responsible: Honduras Web
address:     P.O.Box: 1142 La Ceiba, #37 street., 1142, 37
address:     000000 - Tegucigalpa - TE
country:     HN
phone:       +504  9815-3645 []
created:     20080630
changed:     20080630

Total Secure 2009


Total Secure 2009 rogue antivirus application

Monday, September 8th, 2008

Total Secure 2009 is a rogue antivirus application. Stay away from Total Secure 2009 domains and products!

Total Secure 2009

File TotalSecure2009.exe received on 09.08.2008 18:52:19 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.08 -
AntiVir 7.8.1.28 2008.09.08 -
Authentium 5.1.0.4 2008.09.07 -
Avast 4.8.1195.0 2008.09.08 -
AVG 8.0.0.161 2008.09.08 -
BitDefender 7.2 2008.09.08 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.08 -
DrWeb 4.44.0.09170 2008.09.08 -
eSafe 7.0.17.0 2008.09.07 -
eTrust-Vet 31.6.6077 2008.09.08 -
Ewido 4.0 2008.09.08 -
F-Prot 4.4.4.56 2008.09.07 -
F-Secure 8.0.14332.0 2008.09.08 -
Fortinet 3.112.0.0 2008.09.08 -
GData 19 2008.09.08 -
Ikarus T3.1.1.34.0 2008.09.08 -
K7AntiVirus 7.10.446 2008.09.08 -
Kaspersky 7.0.0.125 2008.09.08 -
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.08 Trojan:Win32/Delflob.I
NOD32v2 3426 2008.09.08 -
Norman 5.80.02 2008.09.08 -
Panda 9.0.0.4 2008.09.07 -
PCTools 4.4.2.0 2008.09.08 -
Prevx1 V2 2008.09.08 -
Rising 20.61.02.00 2008.09.08 -
Sophos 4.33.0 2008.09.08 IE Defender
Sunbelt 3.1.1616.1 2008.09.07 -
Symantec 10 2008.09.08 -
TheHacker 6.3.0.8.075 2008.09.06 -
TrendMicro 8.700.0.1004 2008.09.08 -
VBA32 3.12.8.5 2008.09.08 -
ViRobot 2008.9.8.1367 2008.09.08 -
VirusBuster 4.5.11.0 2008.09.08 -
Webwasher-Gateway 6.6.2 2008.09.08 -
 
Additional information
File size: 1542743 bytes
MD5…: 254366961b24e840e48431ea3071847d
SHA1..: faf8af28cc71b0c8bd95e7517d6fe39c269ece15
SHA256: fed3d171795d622e18b7cd6fe3b70017e5bbd13afba5e23147bacc91147bd850
SHA512: 2c04a6f287ee3e868ab5f45a276d2d8dfd7989aa591b1e41534177ecfcdffe2c
df3edae4ab3ac82ed5985492ebcfc8d45bbfce082eaeec779d5e1650f9dff7a0
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4030b4
timedatestamp.....: 0x4878f227 (Sat Jul 12 18:04:23 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57ec 0x5800 6.48 a06acff3c3236138ef0c89710413f34c
.rdata 0x7000 0x1190 0x1200 5.18 0f7b157b78f399340e80aa07581634eb
.data 0x9000 0x1af58 0x400 4.59 17047dc18ec7b67a9dd51dc161e64f03
.ndata 0x24000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2d000 0x27950 0x27a00 7.70 1eb6e976cee1a96726741a0ef32e832c

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )

Host: gothotvidtosee.com
IP: 91.203.92.97


Whois of IP 91.203.92.97 distributing rogue antivirus Total Secure 2009:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        * abuse@uatelecom.com.ua        

Other sites on IP 91.203.92.97 distributing rogue antivirus Total Secure 2009:

1.  Mysoftwarefreezone.com 
2.  Myveryprivatevid.com 
3.  Secure-order-box.com 
4.  Thefreemusicmp3.com 
5.  Cometoseemyshow.com 

Host: getqtysoftware.com
IP: 91.203.93.25

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *                     

Host: thevid11.com
IP: 91.203.92.99

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *                     

1.  Thevid11.com 
2.  Thevid22.com 

Host: checksystem-online.com
IP: 91.203.92.100

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *                     

Host: totsec2009.com
IP: 91.203.92.98

Whois of IP 91.203.92.98 distributing rogue antivirus Total Secure 2009:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *                     

Host: totalsecuredownload.com
IP: 89.187.48.178

Whois of IP 89.187.48.178 distributing rogue antivirus Total Secure 2009:

inetnum:        89.187.48.0 - 89.187.49.255
netname:        WHS-48
descr:          Web Hosting Service
country:        MD
admin-c:        VK1556-RIPE
tech-c:         VK1556-RIPE
status:         ASSIGNED PA
mnt-by:         MONITORING-MNT
source:         RIPE # Filtered

person:         Vadim Karai
address:        Moldova
e-mail:        
phone:          +37377765741
nic-hdl:        VK1556-RIPE
source:         RIPE # Filtered

Host: secure2.segpay.com
IP: 72.32.60.179

Whois:

OrgName:    Rackspace.com, Ltd.
OrgID:      RSPC
Address:    9725 Datapoint Drive
Address:    Suite 100
City:       San Antonio
StateProv:  TX
PostalCode: 78229
Country:    US
OrgAbuseHandle: ABUSE45-ARIN
OrgAbuseName:   Abuse Desk
OrgAbusePhone:  +1-210-892-4000
OrgAbuseEmail: 

Other sites on this IP:

DNS Changer and WinSpyProtect, Virus Remover 2008, Total Secure 2009

Monday, September 1st, 2008

WinSpyProtect, Virus Remover 2008 and Total Secure 2009 are rogue antivirus applications. Stay away from the following IPs and domains!

DNS Changer uses the following IPs for DNS: 85.255.116.87 and 85.255.112.234

Whois:

netname:        UkrTeleGroup
descr:          UkrTeleGroup Ltd.
person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  abuse@urktelegroup.com.ua

File codecpack.exe received on 09.01.2008 17:08:51 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.09.01 -
AntiVir 7.8.1.23 2008.09.01 -
Authentium 5.1.0.4 2008.09.01 -
Avast 4.8.1195.0 2008.09.01 -
AVG 8.0.0.161 2008.09.01 -
BitDefender 7.2 2008.09.01 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 -
eSafe 7.0.17.0 2008.08.31 Suspicious File
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 -
F-Secure 7.60.13501.0 2008.09.01 Suspicious:W32/Puper!Gemini
Fortinet 3.14.0.0 2008.09.01 -
GData 19 2008.09.01 -
Ikarus T3.1.1.34.0 2008.09.01 Trojan-Downloader.Win32.Zlob.ams
K7AntiVirus 7.10.435 2008.09.01 -
Kaspersky 7.0.0.125 2008.09.01 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/Zlob.AMS
NOD32v2 3404 2008.09.01 -
Norman 5.80.02 2008.09.01 -
Panda 9.0.0.4 2008.08.31 -
PCTools 4.4.2.0 2008.09.01 -
Prevx1 V2 2008.09.01 Malware Dropper
Rising 20.60.01.00 2008.09.01 -
Sophos 4.33.0 2008.09.01 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.01 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.01 -
VBA32 3.12.8.4 2008.08.31 -
ViRobot 2008.9.1.1359 2008.09.01 -
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.01 -
 
Additional information
File size: 80896 bytes
MD5...: 85c92c4df6e6bb7ff2998f63e88fd0b1
SHA1..: ed2a018614361143e8d9f76618f964ed8e6dccfb
SHA256: 369ff1d590c9a16187e8431f3412d390da28f4eb3b1ed855788cd9faa7df23ab
SHA512: 043ffafe64d654b86a8bbeff1c5cc888a7f2b834fce2893dfd75891ad6c5da70
7d7af48ed746e3ba23370c7ec2e412e1070bece664dd04f452462f853f13d75e
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x412990
timedatestamp.....: 0x48bad79f (Sun Aug 31 17:40:47 2008)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x138ec 0x12e00 7.95 3e64a6af30ccf7b2eceb72ef9f7ccda5
.rdata 0x15000 0x8fa 0xa00 5.05 529afbde6d7f55003c5e2761537108e1

( 7 imports )
> KERNEL32.dll: ExitProcess, TerminateProcess, SetProcessPriorityBoost, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetCurrentProcess, GetEnvironmentVariableA, GetShortPathNameA, GetModuleFileNameA, IsBadWritePtr, GetComputerNameA, GetVolumeInformationA, lstrlenA, GetLastError, OpenProcess, GetTickCount, GetVersionExA, Sleep, GetTempPathA, lstrcatA, lstrcpyA, CreateProcessA, CloseHandle, CreateFileA, DeviceIoControl, WriteFile
> USER32.dll: FindWindowA, SendMessageA, wsprintfA
> SHELL32.dll: ShellExecuteExA, SHChangeNotify, SHGetSpecialFolderPathA
> MSVCRT.dll: sprintf, strncpy, _except_handler3, atoi, rand, __3@YAXPAX@Z, __2@YAPAXI@Z, strstr, __CxxFrameHandler, strncat, _strdup, atol
> MSVCP60.dll: _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, __Xlen@std@@YAXXZ, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ
> SHLWAPI.dll: PathGetDriveNumberA
> WININET.dll: HttpQueryInfoA, InternetOpenUrlA, InternetOpenA, InternetReadFile, InternetCloseHandle

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=040154EE0090B91A3CDD016DC015DA0007BC08EB

File soft.exe received on 09.01.2008 17:19:35 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.09.01 -
AntiVir 7.8.1.23 2008.09.01 ADSPY/AdSpy.Gen
Authentium 5.1.0.4 2008.09.01 -
Avast 4.8.1195.0 2008.09.01 -
BitDefender 7.2 2008.09.01 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 -
eSafe 7.0.17.0 2008.08.31 -
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 -
Fortinet 3.14.0.0 2008.09.01 -
GData 19 2008.09.01 -
Ikarus T3.1.1.34.0 2008.09.01 -
K7AntiVirus 7.10.435 2008.09.01 -
Kaspersky 7.0.0.125 2008.09.01 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 Trojan:Win32/Delflob.I
NOD32v2 3404 2008.09.01 a variant of Win32/Adware.IeDefender.NGU
Norman 5.80.02 2008.09.01 -
Panda 9.0.0.4 2008.08.31 -
Prevx1 V2 2008.09.01 -
Rising 20.60.01.00 2008.09.01 -
Sophos 4.33.0 2008.09.01 IE Defender
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.01 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.01 PAK_Generic.001
VBA32 3.12.8.4 2008.08.31 -
ViRobot 2008.9.1.1359 2008.09.01 -
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.01 Ad-Spyware.AdSpy.Gen
 
Additional information
File size: 1002102 bytes
MD5...: 6cf8f7f985e018b9179dfe825dfdf9f6
SHA1..: 17d801b04fb9cbbb3ac5f33169c63bdcd99ef3f0
SHA256: 012498ec0d5bcf177bfd9f891eadbc7a5a636e032f493de5f9984195b7349d99
SHA512: 25b4a5ea30594316d8d2e51fb4b5bcb8b75641184969eee26639dd0e9c4df87e
ab932dd2212a3b5615f8a315198e045b6d1d1ddeb49c8d5e89d5f9383ea89ee4
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4030b4
timedatestamp.....: 0x4878f227 (Sat Jul 12 18:04:23 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57ec 0x5800 6.48 a06acff3c3236138ef0c89710413f34c
.rdata 0x7000 0x1190 0x1200 5.18 0f7b157b78f399340e80aa07581634eb
.data 0x9000 0x1af58 0x400 4.59 17047dc18ec7b67a9dd51dc161e64f03
.ndata 0x24000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2d000 0x4a18 0x4c00 5.80 7eb604fe23314a0c7701ead06a1ad62f

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )

packers (Kaspersky): PE_Patch.UPX, UPX

File VRM_Free.exe received on 08.31.2008 02:37:47 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.30 ADSPY/AdSpy.Gen
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.30 -
AVG 8.0.0.161 2008.08.30 WinFixer.AWF
BitDefender 7.2 2008.08.31 Adware.VirusRemover.B
CAT-QuickHeal 9.50 2008.08.29 Trojan.DelfInject.gen
ClamAV 0.93.1 2008.08.30 -
DrWeb 4.44.0.09170 2008.08.30 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.30 -
F-Prot 4.4.4.56 2008.08.30 -
F-Secure 7.60.13501.0 2008.08.31 -
Fortinet 3.14.0.0 2008.08.30 W32/FakeAlert.MNH!tr
GData 19 2008.08.31 -
Ikarus T3.1.1.34.0 2008.08.31 Generic.Win32.Malware.AntiSpywareExpert
K7AntiVirus 7.10.433 2008.08.30 -
Kaspersky 7.0.0.125 2008.08.31 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 VirTool:Win32/DelfInject.gen!AF
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 W32/WinFixer.CET
Panda 9.0.0.4 2008.08.30 -
PCTools 4.4.2.0 2008.08.30 -
Prevx1 V2 2008.08.31 Malicious Software
Rising 20.59.51.00 2008.08.30 -
Sophos 4.33.0 2008.08.30 -
Sunbelt 3.1.1592.1 2008.08.30 VirusRescue
Symantec 10 2008.08.31 VirusRemover2008
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 TROJ_FAKEAV.IN
VBA32 3.12.8.4 2008.08.30 Signed-Hoax.Win32.AntiA
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.30 Packed/newStub
Webwasher-Gateway 6.6.2 2008.08.30 Ad-Spyware.AdSpy.Gen
 
Additional information
File size: 828880 bytes
MD5...: 3c1be08c6566695fd279b79d4d75a1d1
SHA1..: f6ec3c97645861e71a0d704f7eea72304d7f9e38
SHA256: 154b35f56ed26a30303554350d6d7f6a344d46044e61d64bd88e172710ead415
SHA512: e14fbe41a5a525b2a626e5a6b2971dd453a185591a6ace636e1cbf00f24e7db3
beba8a861dad6fb193f0a101edffa3fba6ecf5aec00688541f94a9cc0100be77
PEiD..: BobSoft Mini Delphi -> BoB / BobSoft
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x13445158
timedatestamp.....: 0x45038fa8 (Sun Sep 10 04:08:08 2006)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x41e0 0x4200 6.50 2c3dc0aac6416e0a4b030b52c5127c49
DATA 0x6000 0x120 0x200 3.15 ba5e357828807cc905cdd530f8e103bb
BSS 0x7000 0x701 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x8000 0x3f0 0x400 4.32 d6267a2fa60209ba5be0d9e650d41437
.tls 0x9000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xa000 0x18 0x200 0.27 e4fa44608fa987bdf9f4f71d21ac1732
.reloc 0xb000 0x4c0 0x600 5.79 b95c537b005e0a29677333125b44c9b5
.rsrc 0xc000 0xc3bb4 0xc3c00 7.99 fcb7f65aa62a871764222fe2d5ca0e74

( 6 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, MessageBoxA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> kernel32.dll: SetErrorMode, LoadLibraryA, GetProcAddress, GetModuleFileNameA, GetFileType
> winmm.dll: PlaySoundA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4C325446D0D73C77A51C0C68C1B5DD00E37515FF
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=3c1be08c6566695fd279b79d4d75a1d1

File soft.exe received on 09.01.2008 17:27:06 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.2.0 2008.09.01 -
AntiVir 7.8.1.23 2008.09.01 TR/Fakealert.Gen.1.203
Authentium 5.1.0.4 2008.09.01 -
Avast 4.8.1195.0 2008.09.01 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.09.01 Downloader.FraudLoad.L
BitDefender 7.2 2008.09.01 Trojan.FakeAlert.Gen.1
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 -
eSafe 7.0.17.0 2008.08.31 -
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 -
F-Secure 7.60.13501.0 2008.09.01 Trojan-Downloader.Win32.FraudLoad.vbfc
Fortinet 3.14.0.0 2008.09.01 W32/FraudLoad.VBFC!tr.dldr
GData 19 2008.09.01 Trojan-Downloader.Win32.FraudLoad.vbfc
Ikarus T3.1.1.34.0 2008.09.01 -
K7AntiVirus 7.10.435 2008.09.01 Trojan-Downloader.Win32.FraudLoad.vbfc
Kaspersky 7.0.0.125 2008.09.01 Trojan-Downloader.Win32.FraudLoad.vbfc
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 Program:Win32/XPAntiVirus
NOD32v2 3404 2008.09.01 -
Norman 5.80.02 2008.09.01 W32/DLoader.JDNI
Panda 9.0.0.4 2008.08.31 -
PCTools 4.4.2.0 2008.09.01 Trojan-Downloader.MisleadApp!sd6
Prevx1 V2 2008.09.01 Fraudulent Security Program
Rising 20.60.01.00 2008.09.01 -
Sophos 4.33.0 2008.09.01 Troj/FakeAV-CH
Sunbelt 3.1.1592.1 2008.08.30 Trojan-Downloader.Win32.FraudLoad.vbfc
Symantec 10 2008.09.01 Downloader.MisleadApp
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.01 -
VBA32 3.12.8.4 2008.08.31 -
ViRobot 2008.9.1.1359 2008.09.01 Trojan.Win32.Downloader.94720.K
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.01 Trojan.Fakealert.Gen.1.203
 
Additional information
File size: 94720 bytes
MD5...: 852eaacfb096afe7b72fe04cebe3612d
SHA1..: ab0691a0ea4ab7b312370a0fdb6b1f7bf54a8c9c
SHA256: 9b114e340c52da0e9c173c125d696a4d04ee9d28a189f28978d7dfaace5961ff
SHA512: d187317786866607450ee09b552fdeb118750227b268607f1c34115216c9d6ae
a5e20f7446d0a62302da11e5a5a460910ae13e382a56fc85abb58a05324f904f
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40138a
timedatestamp.....: 0x45d624d2 (Fri Feb 16 21:40:34 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5e65 0x6000 0.93 13396a8f58c2a987070b574b9bbc4fc9
.data 0x7000 0xea0d 0xec00 7.71 74e7d257ac610d9db8a25df386693b49
.tls 0x16000 0x14e9303 0x600 0.00 53e979547d8c2ea86560ac45de08ae25
.rdata 0x1500000 0x1ed3 0x1200 0.04 c76870371ceb07787cbc5ab184d301a9
.idata 0x1502000 0x7cf 0x800 5.11 4e2e076f9008932c8d45fc8ed9d48d09

( 3 imports )
> GDI32.DLL: GetCurrentPositionEx, RestoreDC, CreateSolidBrush, ExtTextOutA, ExcludeClipRect, CreateDIBitmap, CreateBitmap, CreateCompatibleBitmap, DeleteDC, GetClipBox, CreateCompatibleDC, GetDCOrgEx, CreateBrushIndirect, SetTextColor, CreateDIBSection, CreateFontIndirectA, GetBitmapBits, DeleteObject, CreatePalette, CreateHalftonePalette, GetPixel, CreatePenIndirect, GetBrushOrgEx, GetPixel
> KERNEL32.DLL: GetCommandLineA, GetFileSize, ReadConsoleA, GetConsoleMode, OpenFileMappingA, GetFileTime, OpenFile, DeleteAtom, Sleep, GetLastError, WriteFile, FindFirstFileA, SetLastError, CreateThread, GetComputerNameA, ReadFile, GetStdHandle, GetCPInfo, FindAtomA, CreateProcessA, GlobalFree, DeleteFileW, ExitThread, DeleteFileA
> COMCTL32.DLL: ImageList_Add, CreateMappedBitmap, ImageList_GetIconSize, ImageList_Copy, ImageList_Draw, CreateStatusWindow, ImageList_AddIcon, ImageList_DrawEx, ImageList_Create, CreateStatusWindowW, DrawStatusText, CreateToolbar, CreateUpDownControl, MenuHelp, ImageList_EndDrag, InitCommonControls, ImageList_DragEnter, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Destroy, CreateToolbarEx, ImageList_LoadImageA, DrawStatusTextW, DllGetVersion

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3D1AF82E00E7D936721A01B5998AB700CE74AEDF
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=852eaacfb096afe7b72fe04cebe3612d

Host: 1st-tube.com
IP: 74.50.117.89

Whois:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US
RAbuseHandle: NAA7-ARIN
RAbuseName:   Noc4Hosts Abuse Admin
RAbusePhone:  +1-877-801-1443
RAbuseEmail:   abuse@noc4hosts.com

Other sites:
Host: wotcodec.com
IP: 64.28.182.56

OrgName:    Cernel, Inc
OrgID:      CERNE-3
Address:    23404 W. Lyons Ave #223
City:       Santa Clarita
StateProv:  CA
PostalCode: 91321
Country:    US
RAbuseHandle: ABUSE1052-ARIN
RAbuseName:   Abuse department
RAbusePhone:  +1-661-347-0577
RAbuseEmail:   abuse@cernel.com

 
Host: img-library.com
IP: 85.255.117.252 and 193.142.244.82

Whois:

org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine
phone:          +380487311011
fax-no:         +380487502499
mnt-ref:        UKRTELE-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  abuse@ukrtelegroup.com.ua

Other sites:

1.  Document-checking.com 
2.  Helpsupportcenter.com 
3.  Img-library.com 
4.  Protection-wizard.com 

Host: any-pictures.com
IP: 85.255.117.12

Host: bigimagecatalogue.com
IP: 85.255.117.13

Whois:

org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine
phone:          +380487311011
fax-no:         +380487502499
mnt-ref:        UKRTELE-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  abuse@ukrtelegroup.com.ua

Host: thefreescanner.com
IP: 91.203.92.98

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *                     abuse@uatelecom.com.ua

Host: totalsecure2009.com
IP: 91.203.93.25

Whois:

netname:        BASTION-NET
descr:          ISP UATelecom
country:        EU
org:            ORG-TG39-RIPE
admin-c:        ML7676-RIPE
tech-c:         UNm3-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
mnt-lower:      UATELECOM-MNT
mnt-routes:     UATELECOM-MNT
mnt-domains:    UATELECOM-MNT
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *                     abuse@uatelecom.com.ua

Host: scan.secure-online-antivirus.com
IP: 69.50.186.15

OrgName:    InterCage, Inc.
OrgID:      INTER-359
Address:    810 Oak Grove Road #86
City:       Concord
StateProv:  CA
PostalCode: 94518
Country:    US
OrgAbuseHandle: ABUSE735-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-925-550-3947
OrgAbuseEmail:  abuse@intercage.org

Host: secure-order-box.com
IP: 77.244.220.141

Whois:

person:         Network Admins  RZT-SERVICE
address:        191011 Saint-Petersburg, Russia
address:        Lomonosova sq. 1
phone:          +78123142643
e-mail:         rztncc@sysadmins.spb.ru
nic-hdl:        RZT1-RIPE
mnt-by:         RZT-MNT
source:         RIPE # Filtered

Other sites:

1.  Checksystem-online.com 
2.  Myveryprivatevid.com 
3.  Secure-order-box.com 
4.  Thevid11.com 
5.  Thevid22.com 
6.  Thevidfuck.com 
7.  Totalsecure2009.com 

Host: virusremover2008.com
IP: 89.149.227.50

descr:          netdirect Frankfurt, DE
origin:         AS28753
org:            ORG-nA8-RIPE
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

organisation:   ORG-nA8-RIPE
org-name:       netdirect
org-type:       LIR
address:        netdirekt e. K.
                Kleyer Strasse 79 / Tor 14
                60326 Frankfurt
                Germany
phone:          +49 69 90556880
fax-no:         +49 69 905568822
e-mail:         ripe@netdirekt.de

Other sites:

Host: scan.winspywarescanner.com
IP: 71.6.202.216

OrgID:      CALI
Address:    8929A COMPLEX DRIVE
City:       SAN DIEGO
StateProv:  CA
PostalCode: 92123
Country:    US

ReferralServer: rwhois://rwhois.cari.net:4321

NetRange:   71.6.128.0 - 71.6.255.255
CIDR:       71.6.128.0/17
NetName:    CARI-5
NetHandle:  NET-71-6-128-0-1
Parent:     NET-71-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.ASPADMIN.COM
NameServer: NS2.ASPADMIN.COM
Comment:   
RegDate:    2006-02-01
Updated:    2006-09-19

RTechHandle: IC63-ARIN
RTechName:   System Administration
RTechPhone:  +1-858-974-5080
RTechEmail:   sysadmins@cari.net


Host: secure.bestpaymentsolution.net
IP: 84.243.253.220

Whois of IP 84.243.253.220, selling rogue antispyware PcPrivacyCleaner:

inetnum:        84.243.253.0 - 84.243.253.255
netname:        GFX-CUST-WORLDSTREAM
descr:          WorldStream ip-block 3
org:            ORG-WS14-RIPE
country:        NL
admin-c:        GFX-RIPE
tech-c:         GFX-RIPE
status:         ASSIGNED PA
mnt-by:         GFX-MNT
source:         RIPE # Filtered

organisation:   ORG-WS14-RIPE
org-name:       WorldStream2
org-type:       OTHER
address:        Dijkweg 127c
address:        2675 AC  Honselersdijk
address:        The Netherlands
phone:          +31 70 755 1131
abuse-mailbox:  abuse@worldstream.nl

Other sites on this IP 84.243.253.220 selling rogue antispyware:

1.  Anonymbrowser.com
2.  Best-payments.net
3.  Bestpaymentsolution.net
4.  Billingbit.com
5.  Billingbridge.com
6.  Blablahost.com
7.  Direct-billing.com
8.  Errordigger.com
9.  Errorinspector.com
10. Internetsupernanny.com
11. Passwordinspector.com
12. Pctotaldefender.com
13. Sellmosoft.net
14. Softwarepayments.net
15. Statsgod.com
23.  Pcadvancedprivacysuite.com
24.  Pcprivacycleaner.com
25.  Pcprivacycleanerpro.com
26.  Personalpccleaner.com
27.  Swiftpcprivacycleaner.com
28.  Yourpcprivacycleaner.com

Host: secure.paymentbit.net
IP: 216.195.56.175

Whois of IP 216.195.56.175 domain secure.paymentbit.net selling rogue antivirus Virus Remover 2008:

OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

NetRange:   216.195.32.0 - 216.195.63.255
CIDR:       216.195.32.0/19
NetName:    APS-EPSI
NetHandle:  NET-216-195-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment:    send abuse issues to abuse@3fn.net , send network

RTechHandle: NSW-ARIN
RTechName:   Swen, Nash
RTechPhone:  +1-800-539-8209
RTechEmail:  noc@apxnoctelecom.com

DNS Changer and WinSpyProtect, Virus Remover 2008, Total Secure 2009

Total Secure 2009 fake antivirus application

Saturday, August 30th, 2008

Total Secure 2009 is a fake antivirus application. Stay away from the following domains.

 Total Secure 2009


File TotalSecure2009.exe received on 08.30.2008 14:28:23 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 ADSPY/AdSpy.Gen
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.30 -
AVG 8.0.0.161 2008.08.29 Agent.AAOP
BitDefender 7.2 2008.08.30 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.08.30 -
DrWeb 4.44.0.09170 2008.08.30 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.30 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.30 -
Fortinet 3.14.0.0 2008.08.30 -
GData 19 2008.08.30 -
Ikarus T3.1.1.34.0 2008.08.30 -
K7AntiVirus 7.10.432 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.30 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 Trojan:Win32/Delflob.I
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 -
Panda 9.0.0.4 2008.08.30 -
PCTools 4.4.2.0 2008.08.29 -
Prevx1 V2 2008.08.30 -
Rising 20.59.51.00 2008.08.30 -
Sophos 4.33.0 2008.08.30 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.08.30 -
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.30 -
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.29 -
Webwasher-Gateway 6.6.2 2008.08.29 Ad-Spyware.AdSpy.Gen
 
Additional information
File size: 3824510 bytes
MD5...: 02a18d7e8dc15a53b8830bdcd68e7fe4
SHA1..: db1bacb07ec0efc09fb92f7754c9d710cff8b81f
SHA256: 3c695062c752bff7cebe138d24d8e52ba2dda6c3e85629da899931abbec06095
SHA512: fd33f9beec3fd70e02d144904f59fb2a91b54b995caea31fe105f696462cb800163d3f784a5caffa8e860396f5712f2186505f0ee73a789b1f9740bff79f4b21
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information( base data )
entrypointaddress.: 0x4030b4
timedatestamp.....: 0x4878f227 (Sat Jul 12 18:04:23 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57ec 0x5800 6.48 a06acff3c3236138ef0c89710413f34c
.rdata 0x7000 0x1190 0x1200 5.18 0f7b157b78f399340e80aa07581634eb
.data 0x9000 0x1af58 0x400 4.59 17047dc18ec7b67a9dd51dc161e64f03
.ndata 0x24000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2d000 0x4c50 0x4e00 5.76 72cb416871c201559b851222549a2c7f

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=02a18d7e8dc15a53b8830bdcd68e7fe4

Total Secure 2009

Host: totalsecure2009.com
IP: 77.244.220.141

Whois of IP 77.244.220.141 distributing rogue antivirus Total Secure 2009:

netname:        PRIMENET1
descr:          Allocation for our customer PrimeNet
country:        RU
person:         Network Admins  RZT-SERVICE
address:        191011 Saint-Petersburg, Russia
address:        Lomonosova sq. 1
phone:          +78123142643
e-mail:         rztncc@sysadmins.spb.ru

Other sites on IP 77.244.220.141 distributing rogue antivirus Total Secure 2009:

1.  Checksystem-online.com 
2.  Thevidfuck.com 
3.  Thefreescanner.com
4.  Checksystem-online.com
5.  Secure-order-box.com
