Posts Tagged ‘VDHOST’

Total Secure 2009 rogue antivirus application

Wednesday, October 22nd, 2008

Total Secure 2009 is a fake (rogue) antivirus. To remove this rogue application, as well as other viruses and spyware, use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

Total Secure 2009

File MediaTubeCodec_ver1.812.0.exe received on 10.22.2008 15:31:16 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.22.0 2008.10.22 -
AntiVir 7.9.0.5 2008.10.22 TR/Dldr.Zlob.aajg
Authentium 5.1.0.4 2008.10.22 -
Avast 4.8.1248.0 2008.10.22 -
AVG 8.0.0.161 2008.10.22 -
BitDefender 7.2 2008.10.22 -
CAT-QuickHeal 9.50 2008.10.22 -
ClamAV 0.93.1 2008.10.22 -
DrWeb 4.44.0.09170 2008.10.22 -
eSafe 7.0.17.0 2008.10.19 -
eTrust-Vet 31.6.6162 2008.10.21 -
Ewido 4.0 2008.10.22 -
F-Prot 4.4.4.56 2008.10.22 -
F-Secure 8.0.14332.0 2008.10.22 -
Fortinet 3.113.0.0 2008.10.22 -
GData 19 2008.10.22 -
Ikarus T3.1.1.44.0 2008.10.22 Trojan-Downloader.Zlob
K7AntiVirus 7.10.501 2008.10.21 -
Kaspersky 7.0.0.125 2008.10.22 -
McAfee 5411 2008.10.22 -
Microsoft 1.4005 2008.10.22 TrojanDownloader:Win32/Zlob.gen!CD
NOD32 3545 2008.10.22 -
Norman 5.80.02 2008.10.22 -
Panda 9.0.0.4 2008.10.22 -
PCTools 4.4.2.0 2008.10.22 -
Prevx1 V2 2008.10.22 -
Rising 20.67.22.00 2008.10.22 -
SecureWeb-Gateway 6.7.6 2008.10.22 Trojan.Dldr.Zlob.aajg
Sophos 4.34.0 2008.10.22 -
Sunbelt 3.1.1742.1 2008.10.21 -
Symantec 10 2008.10.22 -
TheHacker 6.3.1.0.123 2008.10.22 -
TrendMicro 8.700.0.1004 2008.10.22 -
VBA32 3.12.8.8 2008.10.22 suspected of Win32.Trojan-Downloader
ViRobot 2008.10.22.1432 2008.10.22 -
VirusBuster 4.5.11.0 2008.10.22 -
Additional information
File size: 77824 bytes
MD5...: c1202919430900fd93e48dd6fab11cd6
SHA1..: 832d6fc07e7d45c3e89d33d04667f651a472ec5d
SHA256: ae993034e5fcdb5839639746f5c6fd59f285e1a0e6b90a014deb0408901e7c96
SHA512: a387584e9ba4db719800462d525c86b5ca4183eae74c7e0d1353977844372c63
3524dc2caf0c0b5605763de593e89952253fc2bfcfd537857da8731e1f2ce460
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404950
timedatestamp.....: 0x48ff21d6 (Wed Oct 22 12:51:34 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xadd7 0xb000 6.50 9b73cfbb6a4d4489b8ed47db51cb5657
.rdata 0xc000 0x467c 0x5000 4.80 e6135070d7c2a324e6665662dd569327
.data 0x11000 0x183c 0x1000 2.34 80d441cd7bfce31439da51c0d7736c55
.rsrc 0x13000 0xb0 0x1000 3.06 1fc8e43d261086abf4c231ece0e54239

( 1 imports )
> KERNEL32.dll: HeapAlloc, GetProcessHeap, GetProcAddress, LoadLibraryW, SetLastError, GetLastError, FreeLibrary, HeapFree, GetVersionExA, LoadLibraryA, GetCurrentThread, GetCurrentProcess, lstrlenA, RaiseException, RtlUnwind, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, TlsGetValue, TlsSetValue, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, LeaveCriticalSection, EnterCriticalSection, VirtualFree, VirtualAlloc, HeapReAlloc, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSection, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, WideCharToMultiByte, LCMapStringW

( 0 exports )

Host: moviesportal2008xxx.com
IP: 72.232.183.154

Whois:
OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

Other sites distributing rogue antivirus Total Secure 2009:

1. Funnyportal2008p.com
2. Movieportal2008q.com
3. Mp3portal2008p.com
4. Softportal2008p.com
5. Starsportal2008p.com
6. Funnyportal2008xxx.com
7. Funnyportal2008yyy.com
8. Moviesportal2008eee.com
9. Moviesportal2008xxx.com
10. Moviesportal2008yyy.com
11. Moviesportal2008zzz.com
12. Mp3portal2008xxx.com
13. Mp3portal2008yyy.com
14. Softportal2008xxx.com
15. Softportal2008yyy.com
16. Starsportal2008xxx.com
17. Starsportal2008yyy.com

Host: softwaredownload2008hq.com
IP: 78.157.143.250

Whois:

netname: VDHOST
descr: VdHost Ltd.
descr:
country: LV
admin-c: AV2990-RIPE
tech-c: UNHM-RIPE
status: ASSIGNED PA
mnt-by: UN-MNT
source: RIPE # Filtered

role: UltraNet Hostmaster
address: UltraNet SIA
Aizkraukles 23
Riga, LV-1006
Latvia
phone: +371 67543003
fax-no: +371 67594435

Other sites distributing rogue antivirus Total Secure 2009:

1. Softdownload2008nm.com
2. Softdownload2008p.com
3. Softdownoad2008name.com
4. Softload2008cx.com
5. Softwaredownload2008gs.com
6. Softwaredownload2008gt.com
7. Softwaredownload2008hq.com
8. Softwaredownload2008hs.com
9. Softwaredownload2008rs.com
10. Softwaredownload2008sq.com
11. Softwaredownload2008st.com
12. Softwaredownload2008tq.com

Host: total-secure2009.com
IP: 200.63.45.55

Whois:

inetnum: 200.63.45/24
status: reallocated
owner: Ricardo Carreras
ownerid: HN-RICA-LACNIC
responsible: Honduras Web
address: P.O.Box: 1142 La Ceiba, #37 street., 1142, 37
address: 00000 - Tegucigalpa - TE
country: HN
phone: +504 9815-3645 []
owner-c: RIC9
tech-c: RIC9
abuse-c: RIC9
created: 20080630
changed: 20080630
inetnum-up: 200.63.40/21

Other sites distributing rogue antivirus Total Secure 2009:

1. Total-secure2009.com
2. Windefender-2009.com

Host: viacodecright—2.com
IP: 77.91.227.179

Whois:

person: Pavel Malinkovich
address: Tevosyana 40a-89
address: Electrostal, Moscow Region
address: Russia
phone: +7 495 5434485
abuse-mailbox: abuse@netplace.ru
nic-hdl: PM946-RIPE
source: RIPE # Filtered

Other sites distributing rogue antivirus Total Secure 2009:

1. Codecadult23df18.com
2. Hot-sextubedriver2.com
3. Sextubecodec023dfs41.com
4. Viacodecright—2.com

Host: megauplinkbindinstaller.com
IP: 91.203.92.99

Whois:

netname: BASTION-NET
descr: ISP UATelecom
country: EU
org: ORG-TG39-RIPE
admin-c: ML7676-RIPE
tech-c: UNm3-RIPE
status: ASSIGNED PI
mnt-by: UATELECOM-MNT
mnt-lower: UATELECOM-MNT
mnt-routes: UATELECOM-MNT
mnt-domains: UATELECOM-MNT

Other sites distributing rogue antivirus Total Secure 2009:

1. Megauplinkbindinstaller.com
2. Theupdatedownload.com

Host: onsafepro—2008.com
IP: 91.203.92.25

Whois:

netname: BASTION-NET
descr: ISP UATelecom
country: EU
org: ORG-TG39-RIPE
admin-c: ML7676-RIPE
tech-c: UNm3-RIPE
status: ASSIGNED PI
mnt-by: UATELECOM-MNT
mnt-lower: UATELECOM-MNT
mnt-routes: UATELECOM-MNT
mnt-domains: UATELECOM-MNT

Other sites distributing rogue antivirus Total Secure 2009:

1. Directnameservice—2008.com
2. Onsafepro—2008.com
3. S-avirus.com
4. Viruswebprotect—2008.com

Host: secure.intro-pay.com
IP: 216.40.219.141

Whois:

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US

Other sites selling rogue antivirus Total Secure 2009:

1. Ds-pay.com
2. Intro-pay.com
3. Ormondsystems.com

Host: protect.trustedantivirus.com
IP: 93.190.139.221

Whois:

netname: WORLDSTREAM
descr: WorldStream IPv4.4
country: NL
admin-c: WS1670-RIPE
tech-c: WS1670-RIPE
status: ASSIGNED PA
mnt-by: MNT-WORLDSTREAM
mnt-by: KABELFOON-MNT
source: RIPE # Filtered

role: WORLDSTREAM DBM
address: Honderdland 111F
address: 2676LT Maasdijk
phone: +31174712117
fax-no: +31174512310

Other sites:

1. Gomyhit.com
2. Gomyron.com
3. Rdrmngr.com
4. Sadafaha.com
5. Vmaff.com

Host: intervarioclick.com
IP: 76.74.249.30

Whois:

OrgName: Peer 1 Network Inc.
OrgID: PER1
Address: 75 Broad Street
Address: 2nd Floor
City: New York
StateProv: NY
PostalCode: 10004
Country: US

Other sites:

1. Ad2cash.net
2. Ad2profit.com
3. Adcomatoz.com
4. Adgurman.com
5. Adhokuspokus.com
6. Adnetserver.com
7. Adredired.com
8. Adverdaemon.com
9. Adverlounge.com
10. Adzyclon.com
11. Astalaprofit.com
12. B2adz.com
13. Beststatsever.com
14. Bizadsonline.net
15. Bizadverts.com
16. Bizmarketads.com
17. Blessedads.com
18. Brandmarketads.com
19. Clickadnet.net
20. Friedads.com
21. Glorymarkets.com
22. Greatad.net
23. Hostadserve.com
24. Iddqdmarketing.com
25. Intervarioclick.com
26. Invulnerableads.com
27. Luckyadcoin.com
28. Luckyadsols.com
29. Moneycometrue.com
30. Mythmarketing.com
31. Popadprovider.com
32. Prevedmarketing.com
33. Rocktheads.com
34. Sharpadverts.com
35. Shivanetworking.com
36. Statisticsmanager.com
37. Statsreportserver.com
38. Waytotheprofit.com
39. Widestatsnow.com

Antivirus 2009 rogue antivirus application

Wednesday, October 1st, 2008

Antivirus 2009 is a rogue antivirus application. Stay away from it!

To remove viruses and spyware use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

Antivirus 2009

File A9installer_77040508.exe received on 10.01.2008 16:43:10 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.2.0 2008.10.01 -
AntiVir 7.8.1.34 2008.10.01 -
Authentium 5.1.0.4 2008.09.30 -
Avast 4.8.1248.0 2008.10.01 -
AVG 8.0.0.161 2008.10.01 Generic3.TDJ
BitDefender 7.2 2008.10.01 -
CAT-QuickHeal 9.50 2008.10.01 -
ClamAV 0.93.1 2008.10.01 -
DrWeb 4.44.0.09170 2008.10.01 -
eSafe 7.0.17.0 2008.10.01 -
eTrust-Vet 31.6.6119 2008.09.30 -
Ewido 4.0 2008.10.01 -
F-Prot 4.4.4.56 2008.09.30 -
F-Secure 8.0.14332.0 2008.10.01 -
Fortinet 3.113.0.0 2008.10.01 -
GData 19 2008.10.01 -
Ikarus T3.1.1.34.0 2008.10.01 Win32.SuspectCrc
K7AntiVirus 7.10.479 2008.10.01 -
Kaspersky 7.0.0.125 2008.10.01 Trojan-Downloader.Win32.FraudLoad.vcir
McAfee 5395 2008.10.01 -
Microsoft 1.4005 2008.10.01 TrojanDownloader:Win32/Renos.gen!AF
NOD32 3486 2008.10.01 a variant of Win32/Adware.Antivirus2008.AA
Norman 5.80.02 2008.09.30 -
Panda 9.0.0.4 2008.09.30 -
PCTools 4.4.2.0 2008.10.01 -
Prevx1 V2 2008.10.01 Suspicious
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.01 -
Sophos 4.34.0 2008.10.01 -
Sunbelt 3.1.1675.1 2008.09.27 -
Symantec 10 2008.10.01 AntiVirus2009
TheHacker 6.3.0.9.097 2008.10.01 -
TrendMicro 8.700.0.1004 2008.10.01 -
VBA32 3.12.8.6 2008.09.30 -
ViRobot 2008.10.1.1401 2008.10.01 -
VirusBuster 4.5.11.0 2008.10.01 -
Additional information
File size: 153600 bytes
MD5...: 4541299a30dfde1426f4141a302eb5af
SHA1..: 88aa309cd08e6785167a76650bc535d57d98889a
SHA256: 18a96ac0935d26299b87e03fc8a8798e54d35576b90137f22325d076da2648d2
SHA512: 8fe63352519728ffe7bc1f66bf3825e8aea2e0f0e9247ca171787af34d439181
2075a54d0bb65f2d44571f1e8fa767499f79bbf2f2700951cb3da3589906f798
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.5%)
DOS Executable Generic (49.5%)
VXD Driver (0.7%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402298
timedatestamp.....: 0x46080d14 (Mon Mar 26 18:12:36 2007)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x67ed 0x6800 2.34 9296b044810e17dcf209d885965e6e1e
.rdata 0x8000 0x1a69 0x1c00 0.00 21eb7229dde310fab9cd2dbec6208123
.data 0xa000 0x559280 0x16400 5.99 70d393e1774a3f17459f20ad340eaced
.tls 0x564000 0xb1 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x565000 0xa18 0xc00 0.05 6bd9192abeda4f343bdd6156f4ce80ba
.idata 0x566000 0xbbe 0xc00 0.00 d2a70550489de356a2cd6bfc40711204
.reloc 0x567000 0x326 0x400 0.00 0f343b0931126a20f133d67c2b018a3b
.rsrc 0x568000 0x4bff 0x4c00 4.83 2bc210c4bc462b0858a39783a05eae52

( 0 imports )

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AFF23D24008F5A0F58BC029D72AF130001E51B61

Host: win-tech-help.com
IP: 78.157.142.46 and 193.142.244.94

Whois:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.info
country:        LV
role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435

Other sites:

1.  Filescanner-online.com 
2.  Win-system-support.com 
3.  Win-tech-help-center.com 
4.  Win-tech-help.com 
5.  Winsystemsupport.com 
6.  Document-checking.com 
7.  Helpsupportcenter.com 
8.  Img-library.com 
9.  Protection-guide.com 
10.  Protection-wizard.com 

Host: seamastersoft.com
IP: 216.240.134.208

Whois:

ATMLINK, INC. C-COMMUNICATIONS

Host: onlineprivatescan.com
IP: 216.240.134.208

Whois:

ATMLINK, INC. C-COMMUNICATIONS

Host: altawebgl-500.com
IP: 216.240.134.208

Whois:

ATMLINK, INC. C-COMMUNICATIONS

Host: masterspitetds09.com
IP: 216.240.134.208

Whois:

ATMLINK, INC. C-COMMUNICATIONS

Host: securedownloadcenter.com
IP: 89.18.189.44

Whois:

role:           PCextreme BV
address:        Londensekaai 1
address:        4331JG Middelburg
address:        The Netherlands
abuse-mailbox:  abuse@pcextreme.nl

1.  Secureupdatecenter.com 
2.  Webscannertools.com 

Host: trustedpaymenssite.com
IP: 216.240.134.208

Whois:

role:           PCextreme BV
address:        Londensekaai 1
address:        4331JG Middelburg
address:        The Netherlands
abuse-mailbox:  abuse@pcextreme.nl

Host: secure.xp-antivirus.com
IP: 207.226.175.123

Whois:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

VirusRemover2008 another fake antivirus application

Friday, September 26th, 2008

VirusRemover2008 is another fake antivirus application. Stay away from it!

To remove viruses and spyware use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

Virus Remove 2008

File VirusRemover2008_Setup_Free_en.ex received on 09.26.2008 15:15:41 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.26 ADSPY/AdSpy.Gen
Authentium 5.1.0.4 2008.09.26 -
Avast 4.8.1195.0 2008.09.26 Win32:Adware-gen
AVG 8.0.0.161 2008.09.26 Fake_AntiSpyware.ABC
BitDefender 7.2 2008.09.26 Trojan.FakeAlert.AFM
CAT-QuickHeal 9.50 2008.09.26 FraudTool.VirusRemover.h (Not a Virus)
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.26 Trojan.Fakealert.1199
eSafe 7.0.17.0 2008.09.25 Suspicious File
eTrust-Vet 31.6.6110 2008.09.26 Win32/FakeAV.IA
Ewido 4.0 2008.09.26 Not-A-Virus.PUP.VirusRemover.h
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.26 Rogue:W32/VirusRemover2008.B
Fortinet 3.113.0.0 2008.09.26 PossibleThreat
GData 19 2008.09.26 Trojan.FakeAlert.AFM
Ikarus T3.1.1.34.0 2008.09.26 Generic.Win32.Malware.AntiSpywareExpert
K7AntiVirus 7.10.473 2008.09.25 not-a-virus:FraudTool.Win32.VirusRemover.h
Kaspersky 7.0.0.125 2008.09.26 not-a-virus:FraudTool.Win32.VirusRemover.h
McAfee 5392 2008.09.25 Generic.dx
Microsoft 1.3903 2008.09.26 Program:Win32/Winfixer
NOD32 3473 2008.09.26 probably a variant of Win32/Genetik
Norman 5.80.02 2008.09.26 W32/WinFixer.CHE
Panda 9.0.0.4 2008.09.25 Generic Trojan
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.26 Fraudulent Security Program
Rising 20.63.42.00 2008.09.26 -
SecureWeb-Gateway 6.7.6 2008.09.26 Ad-Spyware.AdSpy.Gen
Sophos 4.34.0 2008.09.26 Troj/FakeVir-FX
Sunbelt 3.1.1668.1 2008.09.24 Trojan.FakeAlert
Symantec 10 2008.09.26 VirusRemover2008
TheHacker 6.3.0.9.094 2008.09.25 Aplicacion/VirusRemover.h
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 Signed-Hoax.Win32.AntiA
ViRobot 2008.9.26.1393 2008.09.26 Adware.VirusRemover.R.1019344
VirusBuster 4.5.11.0 2008.09.25 -
Additional information
File size: 1019344 bytes
MD5...: 2009876000166086cfc62d43b1253b0e
SHA1..: 4032493cc63dea450bdc3ded5d9b65ef72fd950d
SHA256: 8b49cad4e15d9f0422f51c2cf74e471f3fc066ddc18606e47534cc679b729664
SHA512: dc171ee4b01ea11735a193f6aec02a8b838c751eb7ddadef4aadc3ff61186bd8
3a131e9b311dc5da0613527d275164a8a28c429d36d1efef93c3dc7ae7fdcf95
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda’s Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6fbc30
timedatestamp.....: 0x48c0fbd2 (Fri Sep 05 09:28:50 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x20c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x20d000 0xf0000 0xef200 7.93 68ccd4a828a8ec203b11a01a8ec7e6ef
.rsrc 0x2fd000 0x9000 0x8200 5.56 3b6787c39acc4ddf7f3877a5f7728e85

( 18 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
> ADVAPI32.dll: RegEnumKeyA
> COMCTL32.dll: -
> comdlg32.dll: GetFileTitleA
> dbghelp.dll: ImageDirectoryEntryToData
> GDI32.dll: Escape
> iphlpapi.dll: GetAdaptersInfo
> MSIMG32.dll: AlphaBlend
> ole32.dll: OleRun
> OLEAUT32.dll: -
> oledlg.dll: -
> RPCRT4.dll: UuidCreate
> SHELL32.dll: ShellExecuteA
> SHLWAPI.dll: StrCmpNIW
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA
> WININET.dll: InternetOpenA
> WINSPOOL.DRV: ClosePrinter

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8E31C9D3D0B543C18D3E0FF23356B0004DBED2AE
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=2009876000166086cfc62d43b1253b0e
packers (F-Prot): UPX
packers (Kaspersky): PE_Patch.UPX, UPX

Host: virusremover2008plus.com
IP: 78.157.142.47 and 92.62.101.67

Whois:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv

Other sites on this IP distributing Virus Remover 2008:

1.  Bestsecureexpertcleaner.com 
2.  Bestvirusremover2008.com 
3.  Energysavecenter.com 
4.  Hypersecurefileshredder.com 
5.  Mysecureexpertcleaner.com 
6.  Pcvirusremover2008.com 
7.  Powerfulvirusremover2008.com 
8.  Prosecureexpertcleaner.com 
9.  Prosecureexpertcleanerpro.com 
10.  Registrydoctor2008-online.com 
11.  Registrydoctor2008-pro.com 
12.  Registrydoctor2008-scan.com 
13.  Registrydoctor2008.com 
14.  Registrydoctorpro2008.com 
15.  Secureexpertcleaner.com 
16.  Securefileshred.com 
17.  Securefileshredder.com 
18.  Securefileshredder2009.com 
19.  Securefilesshred.com 
20.  Securefilesshredder.com 
21.  Strongvirusremover2008.com 
22.  Supersecurefileshredder.com 
23.  Topregistrydoctor2008.com 
24.  Virusremover2008.com 
25.  Virusremover2008flash.com 
26.  Virusremover2008plus.com 
27.  Winsecureexpertcleaner.com 
28.  Xpclean2008.com 
29.  Xpfixer2008.com 
30.  Xpfixer2009.com 
31.  Yoursecureexpertcleaner.com 

Host: secure.bestpaymentsolution.net
IP: 67.225.151.247

Whois of IP 67.225.151.247 selling rogue antivirus Virus Remover 2008:

OrgName:    Liquid Web, Inc.
OrgID:      LQWB
Address:    4210 Creyts Rd.
City:       Lansing
StateProv:  MI
PostalCode: 48917
Country:    US
OrgAbuseHandle: ABUSE551-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-800-580-4985
OrgAbuseEmail:  abuse@liquidweb.com

System Antivirus 2008 rogue antivirus application

Friday, September 26th, 2008

System Antivirus 2008 is a rogue antivirus application. Stay away from it.

To remove viruses and spyware use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

System Antivirus 2008

File MSCodecLite_1_.7.exe received on 09.26.2008 15:00:47 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.26 TR/Dldr.Zlob.ibf
Authentium 5.1.0.4 2008.09.26 -
Avast 4.8.1195.0 2008.09.25 -
AVG 8.0.0.161 2008.09.26 Downloader.Generic7.AUED
BitDefender 7.2 2008.09.26 Trojan.Downloader.JKWP
CAT-QuickHeal 9.50 2008.09.26 -
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.26 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.26 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.26 Trojan-Downloader:W32/Agent.HQU
Fortinet 3.113.0.0 2008.09.26 -
GData 19 2008.09.26 Trojan.Downloader.JKWP
Ikarus T3.1.1.34.0 2008.09.26 -
K7AntiVirus 7.10.473 2008.09.25 -
Kaspersky 7.0.0.125 2008.09.26 -
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.26 -
NOD32 3473 2008.09.26 -
Norman 5.80.02 2008.09.26 W32/DLoader.JTMA
Panda 9.0.0.4 2008.09.25 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.26 Malicious Software
Rising 20.63.42.00 2008.09.26 -
SecureWeb-Gateway 6.7.6 2008.09.26 Trojan.Dldr.Zlob.ibf
Sophos 4.34.0 2008.09.26 Troj/Dwnldr-HIG
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.26 Downloader
TheHacker 6.3.0.9.094 2008.09.25 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 -
ViRobot 2008.9.26.1393 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.25 -
Additional information
File size: 29188 bytes
MD5...: 8546ab756239f39ede7e16619ca3ffa5
SHA1..: c5a971ea4762eb233459816e069705778c5831da
SHA256: dfebee6fd7b2b70d679d8f13fe1cd6370728ce12e7b907ce1184539cae38f50d
SHA512: 52cc57c72d985e34c4701bf5cbbfe8bdf8bdf320ee22bcf85181347b5dc00465
9cfca1a323f3b1231ffea8ba04d24f183f18513e3282a866b9eec68907ab06aa
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4011ae
timedatestamp.....: 0x48758f1d (Thu Jul 10 04:25:01 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x943 0xa00 4.36 e4651cf4a8fd7debe88a0a9528ad860d
.rdata 0x2000 0x13b5 0x1400 5.40 90dd09251d4fc844a3e7c46216697c39
.reloc 0x4000 0x881 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x5000 0xa0b7 0x5000 6.52 ff513c1c3b581c71032d5cbd55cb2a76

( 9 imports )
> GDI32.DLL: DeleteObject, DeleteDC, CloseMetaFile, GetDCOrgEx, SetTextColor, ClearBitmapAttributes, BeginPath, ExtTextOutA, AddFontResourceExW, AddFontResourceW, GetPixel, GetClipBox, GetCurrentPositionEx, AddFontResourceA, AddFontMemResourceEx, ClearBrushAttributes, ExcludeClipRect, RestoreDC
> SHELL32.DLL: SHUpdateImageA, SHUpdateImageW, ExtractIconResInfoW, ExtractIconA, ExtractIconEx, SHDoDragDrop, DragQueryFileW, DragQueryPoint, FindExeDlgProc, SHChangeNotifyDeregister, ExtractIconResInfoA, ShellAboutA, SHDefExtractIconW, RestartDialog, CommandLineToArgvW, DllGetVersion, CheckEscapesW, DragQueryFile, FreeIconList
> COMCTL32.DLL: ImageList_DragMove, ImageList_GetIcon, ImageList_Read, ImageList_Remove, ImageList_LoadImage, ImageList_GetIconSize, ImageList_BeginDrag, ImageList_GetImageCount, ImageList_DrawIndirect, ImageList_DragEnter, ImageList_LoadImageW, ImageList_GetDragImage, ImageList_GetImageRect, ImageList_Merge, ImageList_Draw, ImageList_Create, ImageList_Replace, ImageList_AddMasked, ImageList_DragLeave, ImageList_LoadImageA, ImageList_ReplaceIcon
> KERNEL32.DLL: Sleep, FindAtomA, CreateThread, GetCPInfo, CopyFileA, GetComputerNameA, DeleteFileW, CopyFileW, ExitThread, CopyFileExW, OpenFileMappingA, GetCommandLineA, GetConsoleMode, CopyFileExA, WriteFile, GetLastError, FindFirstFileA
> KERNEL32.DLL: ExitThread, FindAtomA, GetFileTime, GetLastError, CopyFileW, CreateThread, DeleteFileA, FindFirstFileA, CreateDirectoryA, WriteFile, ReadFile, OpenFileMappingA, SetLastError, GetConsoleMode, Sleep, GlobalFree, GetFileSize, CopyFileExA, CopyFileA
> COMCTL32.DLL: InitCommonControls, ImageList_Merge, ImageList_LoadImageW, ImageList_DragMove, ImageList_Create, ImageList_Replace, ImageList_AddMasked, ImageList_DragShowNolock, ImageList_Destroy, ImageList_GetImageRect, ImageList_DrawIndirect, ImageList_DragEnter, ImageList_GetImageInfo, ImageList_ReplaceIcon, ImageList_DragLeave, ImageList_Copy, ImageList_GetDragImage, ImageList_Read, ImageList_DrawEx
> SHELL32.DLL: DragQueryFileAorW, DragQueryPoint, ExtractIconResInfoW, RestartDialog, SHDefExtractIconW, ShellAboutA, SHFindFiles, CommandLineToArgvW, DragAcceptFiles, ExtractIconEx, ExtractIconA, SHChangeNotifyRegister, ExtractIconExA, DllGetVersion, DragQueryFileA, SHUpdateImageA, PathGetShortPath
> KERNEL32.DLL: SetLastError, Sleep, GetCPInfo, DeleteFileW, GetFileTime, GetComputerNameA, WriteFile, ReadFile, CopyFileExW, CreateThread, DeleteFileA, FindAtomA, CopyFileA, GetStdHandle, FindFirstFileA, GetCommandLineA, ReadConsoleA, OpenFile, GetConsoleMode, DeleteAtom, GetFileSize, GetLastError, GlobalFree
> SHELL32.DLL: CheckEscapesA, DragQueryFileAorW, DragQueryFileW, FreeIconList, SHUpdateImageW, DragQueryFileA, CheckEscapesW, SHFindFiles, ExtractIconResInfoW, SHDefExtractIconW, FindExeDlgProc, DragFinish, DllGetVersion, SHChangeNotifyRegister, ExtractIconEx, SHUpdateImageA, ExtractIconA, RestartDialog, ExtractIconExA, SHChangeNotifyDeregister, DragAcceptFiles, DragQueryFile, SHDefExtractIconA, ShellAboutA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=706BB78804A207DA724800BB68F6C400A499D3B3

Host: tube-777.com
IP: 66.232.126.75

Whois:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

Host: air-tube.net
IP: 66.232.126.75

Whois:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

Host: upgrade-your-software.com
IP: 66.232.126.78

Whois:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

Other sites on this IP:

1.  Dowload-best-warez.com 
2.  Best-downloads-arch.com 
3.  Software-download-4free.com 
4.  Upgrade-your-software.com 

Host: download-everything.com
IP: 66.232.126.74

Whois:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

Host: lyox-lib.com
IP: 193.142.244.39

Whois:

inetnum:        193.142.244.0 - 193.142.244.255
netname:        UABSIP-NET
descr:          UAB "SIP"
country:        LT
org:            ORG-SIT1-RIPE
admin-c:        MPLT-RIPE
tech-c:         MPLT-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         MPLT-MNT
mnt-by:         SV-MNT
mnt-routes:     MPLT-MNT
mnt-domains:    MPLT-MNT
source:         RIPE # Filtered

organisation:   ORG-SIT1-RIPE
org-name:       UAB "SIT"
org-type:       OTHER
address:        Birutes g.6 LT-91203 Klaipeda, Lietuva
mnt-ref:        MPLT-MNT
mnt-by:         MPLT-MNT
source:         RIPE # Filtered

person:         Marius Parescius
address:        Birutes g.6
address:        LT-91203 Klaipeda, Lietuva
mnt-by:         MPLT-MNT
abuse-mailbox:  rayan.lind@gmail.com
phone:          +370846365881
nic-hdl:        MPLT-RIPE
source:         RIPE # Filtered

Host: image-big-library.com
IP: 78.157.142.119 and 193.142.244.82

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv

Host: bigimagecatalogue.com
IP: 78.157.142.45

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv

Host: picturesbase.com
IP: 206.70.210.110

OrgName:    Toys R Us
OrgID:      TRU
Address:    461 From Road
City:       Paramus
StateProv:  NJ
PostalCode: 07652
Country:    US

NetRange:   206.70.0.0 - 206.70.255.255
CIDR:       206.70.0.0/16
NetName:    TRU-COM
NetHandle:  NET-206-70-0-0-1
Parent:     NET-206-0-0-0-0
NetType:    Direct Assignment
NameServer: FTP2.TRU.COM
NameServer: DBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: DMTU.MT.NS.ELS-GMS.ATT.NET
Comment:
RegDate:    1995-07-25
Updated:    2002-03-15

RTechHandle: ZT108-ARIN
RTechName:   Toys R Us
RTechPhone:  +1-973-331-2800
RTechEmail:  dns-admin@toysrus.com

Host: pictures-base.com
IP: 23.176.184.238

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   23.0.0.0 - 23.255.255.255
CIDR:       23.0.0.0/8
NetName:    RESERVED-23
NetHandle:  NET-23-0-0-0-1
Parent:    
NetType:    IANA Reserved
Comment:   
RegDate:    1984-04-19
Updated:    2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail: 

Host: www.s-av2008.com
IP: 92.62.101.61

inetnum:        92.62.101.0 - 92.62.101.255
netname:        STARLINE_EE
descr:          Starline Web Services
country:        EE
admin-c:        VN268-RIPE
tech-c:         VN268-RIPE
status:         ASSIGNED PA
mnt-by:         AS39823-MNT
source:         RIPE # Filtered

person:         Viktor Norin
address:        Pae 21
address:        Tallinn
address:        Estonia
nic-hdl:        VN268-RIPE
phone:          +3726370911
abuse-mailbox:  abuse@starline.ee

Other Sites:

1.  S-av2008.com 
2.  Sav2008.com 

Host: secure.esafebill.com
IP: 209.8.25.247

Whois of IP 209.8.25.247 selling fake antivirus System Antivirus 2008:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US
OrgAbuseHandle: PAD13-ARIN
OrgAbuseName:   PCCW AUP Department
OrgAbusePhone:  +1-703-621-1637
OrgAbuseEmail:  probinson@pccwglobal.com

System Antivirus 2008 rogue AV: more hosts

Saturday, September 13th, 2008

System Antivirus 2008 is a rogue antivirus application. Stay away from it!

To remove viruses and spyware use Kaspersky antivirus - http://cleanthe.net/how-to-remove-virus/

Some screenshots of the fake scan pages of System Antivirus 2008:

System Antivirus 2008

File antivirus.v.1.0.212.exe received on 09.13.2008 13:31:20 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 -
Authentium 5.1.0.4 2008.09.12 -
Avast 4.8.1195.0 2008.09.12 -
AVG 8.0.0.161 2008.09.12 Downloader.Zlob_r.CE
BitDefender 7.2 2008.09.13 -
CAT-QuickHeal 9.50 2008.09.13 -
ClamAV 0.93.1 2008.09.13 -
DrWeb 4.44.0.09170 2008.09.13 Trojan.DownLoad.4556
eSafe 7.0.17.0 2008.09.11 Suspicious File
eTrust-Vet 31.6.6087 2008.09.12 -
Ewido 4.0 2008.09.13 -
F-Prot 4.4.4.56 2008.09.12 -
F-Secure 8.0.14332.0 2008.09.13 Suspicious:W32/Puper!Gemini
Fortinet 3.113.0.0 2008.09.13 W32/Agent.GBU!tr.dldr
GData 19 2008.09.13 -
Ikarus T3.1.1.34.0 2008.09.13 -
K7AntiVirus 7.10.453 2008.09.12 -
Kaspersky 7.0.0.125 2008.09.13 Trojan.Win32.Crypt.tn
McAfee 5383 2008.09.12 -
Microsoft 1.3903 2008.09.13 TrojanDownloader:Win32/Zlob
NOD32v2 3439 2008.09.13 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.12 Suspicious file
PCTools 4.4.2.0 2008.09.12 -
Prevx1 V2 2008.09.13 Malicious Software
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.13 -
Sunbelt 3.1.1633.1 2008.09.13 -
Symantec 10 2008.09.13 -
TheHacker 6.3.0.9.080 2008.09.13 -
TrendMicro 8.700.0.1004 2008.09.12 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.12 -
Webwasher-Gateway 6.6.2 2008.09.13 -
Additional information
File size: 75264 bytes
MD5: b647c2b5622a0cea91816222d96f8331
SHA1: 6250f43b6e69894f799e25aa46feb7f744aebab5
SHA256: a9560d600875ca6c2671b61aba7add4fb7012e03f552d55bfef14a83e501a93e
SHA512: 89bfaf4d4a8a9accaa6ec18fe00a3f7535ee3ed6c62ec5cef1333fe529ce57de
50926833a092b5dedd0dcd0bb5b794b24505e8b348179acda39742cb93805be6
PEiD: -
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x411470
timedatestamp: 0x48ca217d (Fri Sep 12 07:59:57 2008)
machinetype: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x123e4 0x11800 7.94 ac6dd1c0df1c5259459428b3a2c99aab
.rdata 0x14000 0x8d6 0xa00 4.96 729428c62b8765a4ed5a9ce6aa3957e8

( 7 imports )
> KERNEL32.dll: CloseHandle, DeviceIoControl, CreateFileA, GetVolumeInformationA, ExitProcess, TerminateProcess, SetProcessPriorityBoost, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetCurrentProcess, GetEnvironmentVariableA, GetShortPathNameA, GetModuleFileNameA, IsBadWritePtr, GetComputerNameA, WriteFile, lstrlenA, lstrcpynA, GetTickCount, lstrcatA, lstrcpyA, GetTempPathA, GetVersionExA, Sleep, CreateProcessA
> USER32.dll: wsprintfA, SendMessageA, FindWindowA
> SHELL32.dll: SHChangeNotify, SHGetSpecialFolderPathA, ShellExecuteExA
> MSVCRT.dll: sprintf, atol, strncpy, atoi, __3@YAXPAX@Z, __2@YAPAXI@Z, strstr, rand, __CxxFrameHandler, strncat, _strdup, _except_handler3
> MSVCP60.dll: __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, __Xlen@std@@YAXXZ, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z
> SHLWAPI.dll: PathGetDriveNumberA
> WININET.dll: InternetReadFile, HttpQueryInfoA, InternetOpenUrlA, InternetOpenA, InternetCloseHandle

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=46DEABAE006B7DC42669014C6C5D9600BDCECB7C
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=b647c2b5622a0cea91816222d96f8331

System Antivirus 2008

Host: online-av-scan.com
IP: 74.50.117.89

Whois Record of IP 74.50.117.89 distributing rogue antivirus application System Antivirus 2008:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US
RAbuseHandle: NAA7-ARIN
RAbuseName:   Noc4Hosts Abuse Admin
RAbusePhone:  +1-877-801-1443
RAbuseEmail:   abise@noc4host.com

Other sites of IP 74.50.117.89 distributing rogue antivirus application System Antivirus 2008:

Host: img-library.com
IP: 78.157.142.46 and 193.142.244.82

Whois:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv

Other sites:

1.  Document-checking.com 
2.  Helpsupportcenter.com 
3.  Img-library.com 
4.  Protection-guide.com 
5.  Protection-list.com 
6.  Protection-wizard.com 

Host: bigimagecatalogue.com
IP: 78.157.142.45

Whois:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv

Host: bestnetwok.net
IP: 67.19.7.117 and 67.19.120.141

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    315 Capitol
Address:    Suite 205
City:       Houston
StateProv:  TX
PostalCode: 77002
Country:    US

Host: www.sav2008.com
IP: 92.62.101.61

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv: 
PostalCode: 1001EB
Country:    NL

Host: secure.esafebill.com
IP: 209.8.25.247

Whois of IP 209.8.25.247 selling fake antivirus System Antivirus 2008:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US
OrgAbuseHandle: PAD13-ARIN
OrgAbuseName:   PCCW AUP Department
OrgAbusePhone:  +1-703-621-1637
OrgAbuseEmail:  probinson@pccwglobal.com

System Antivirus 2008

System Antivirus 2008 rogue antivirus application

Saturday, September 13th, 2008

System Antivirus 2008 is a rogue antivirus application. Stay away from its IPs and hosts!

Use Kaspersky antivirus to remove the virus - http://cleanthe.net/how-to-remove-virus/

System Antivirus 2008

File zcodec.1121.exe received on 09.12.2008 17:09:38 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.13.0 2008.09.12 -
AntiVir 7.8.1.28 2008.09.12 -
Authentium 5.1.0.4 2008.09.12 -
Avast 4.8.1195.0 2008.09.12 -
AVG 8.0.0.161 2008.09.12 Downloader.Zlob_r.CE
BitDefender 7.2 2008.09.12 -
CAT-QuickHeal 9.50 2008.09.12 -
ClamAV 0.93.1 2008.09.12 -
DrWeb 4.44.0.09170 2008.09.12 -
eSafe 7.0.17.0 2008.09.11 Suspicious File
eTrust-Vet 31.6.6086 2008.09.12 -
Ewido 4.0 2008.09.12 -
F-Prot 4.4.4.56 2008.09.12 -
F-Secure 8.0.14332.0 2008.09.12 Suspicious:W32/Puper!Gemini
Fortinet 3.113.0.0 2008.09.12 -
GData 19 2008.09.12 -
Ikarus T3.1.1.34.0 2008.09.12 -
K7AntiVirus 7.10.453 2008.09.12 -
Kaspersky 7.0.0.125 2008.09.12 -
McAfee 5382 2008.09.11 -
Microsoft 1.3903 2008.09.12 -
NOD32v2 3437 2008.09.12 -
Norman 5.80.02 2008.09.12 -
Panda 9.0.0.4 2008.09.12 Suspicious file
PCTools 4.4.2.0 2008.09.12 -
Prevx1 V2 2008.09.12 Suspicious
Rising 20.61.42.00 2008.09.12 -
Sophos 4.33.0 2008.09.12 -
Sunbelt 3.1.1628.1 2008.09.12 -
Symantec 10 2008.09.12 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.12 -
VBA32 3.12.8.5 2008.09.12 -
ViRobot 2008.9.12.1375 2008.09.12 -
VirusBuster 4.5.11.0 2008.09.12 -
Webwasher-Gateway 6.6.2 2008.09.12 -
Additional information
File size: 75264 bytes
MD5: e389cf405ca911bc993f5124e280f7d3
SHA1: 4717059c0bc3f43770d7df04170908853bd81486
SHA256: 073f6f93f2507572be8350c5f9bd4d23b9ac03d9478119bee1d9df9e038cf385
SHA512: db14c1966d748ceb25a821504e40d4c3af3b909f06db14fe902acbdfc0f6420b
f47d0eaf03addfc119bc6b8d049b2fca0dfe31a42537057ac952c9bb1b6f462f
PEiD: -
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x411470
timedatestamp: 0x48ca217d (Fri Sep 12 07:59:57 2008)
machinetype: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x123e4 0x11800 7.94 375b9f2c7ef97ccec07d8e2529b59a5c
.rdata 0x14000 0x8d6 0xa00 4.96 729428c62b8765a4ed5a9ce6aa3957e8

( 7 imports )
> KERNEL32.dll: CloseHandle, DeviceIoControl, CreateFileA, GetVolumeInformationA, ExitProcess, TerminateProcess, SetProcessPriorityBoost, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetCurrentProcess, GetEnvironmentVariableA, GetShortPathNameA, GetModuleFileNameA, IsBadWritePtr, GetComputerNameA, WriteFile, lstrlenA, lstrcpynA, GetTickCount, lstrcatA, lstrcpyA, GetTempPathA, GetVersionExA, Sleep, CreateProcessA
> USER32.dll: wsprintfA, SendMessageA, FindWindowA
> SHELL32.dll: SHChangeNotify, SHGetSpecialFolderPathA, ShellExecuteExA
> MSVCRT.dll: sprintf, atol, strncpy, atoi, __3@YAXPAX@Z, __2@YAPAXI@Z, strstr, rand, __CxxFrameHandler, strncat, _strdup, _except_handler3
> MSVCP60.dll: __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, __Xlen@std@@YAXXZ, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z
> SHLWAPI.dll: PathGetDriveNumberA
> WININET.dll: InternetReadFile, HttpQueryInfoA, InternetOpenUrlA, InternetOpenA, InternetCloseHandle

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7EEDF8660078D09E267D014C6C5D96007CFF0740

System Antivirus 2008

Host: hot-porn-tube-2008.com
IP: 66.232.105.232

Whois Record of IP 66.232.105.232 distributing rogue antivirus application System Antivirus 2008:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

Other sites distributing rogue antivirus application System Antivirus 2008:

Host: img-library.com
IP: 78.157.142.46 and 193.142.244.82

Whois:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv

Other sites distributing rogue antivirus application System Antivirus 2008:

1.  Document-checking.com 
2.  Helpsupportcenter.com 
3.  Img-library.com 
4.  Protection-guide.com 
5.  Protection-list.com 
6.  Protection-wizard.com 

Host: bigimagecatalogue.com
IP: 78.157.142.45


Whois:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone:          +371 67543003
fax-no:         +371 67594435
e-mail:         hostmaster@ultranet.lv

Host: bestnetwok.net
IP: 67.19.7.117 and 67.19.120.141

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    315 Capitol
Address:    Suite 205
City:       Houston
StateProv:  TX
PostalCode: 77002
Country:    US

Host: www.sav2008.com
IP: 92.62.101.61

Whois Record of IP 92.62.101.61 distributing rogue antivirus application System Antivirus 2008:

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv: 
PostalCode: 1001EB
Country:    NL

Host: secure.esafebill.com
IP: 209.8.25.247

Whois of IP 209.8.25.247 selling fake antivirus System Antivirus 2008:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US
OrgAbuseHandle: PAD13-ARIN
OrgAbuseName:   PCCW AUP Department
OrgAbusePhone:  +1-703-621-1637
OrgAbuseEmail:  probinson@pccwglobal.com

System Antivirus 2008

Antivirus PRO XP rogue antivirus application

Wednesday, September 10th, 2008

Antivirus PRO XP is a rogue antivirus application. Stay away from the IPs and domains of Antivirus PRO XP.

Antivirus PRO XP

File setup_1_2_.exe received on 09.10.2008 15:06:45 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.10 -
AntiVir 7.8.1.28 2008.09.10 -
Authentium 5.1.0.4 2008.09.10 -
Avast 4.8.1195.0 2008.09.10 -
AVG 8.0.0.161 2008.09.10 -
BitDefender 7.2 2008.09.10 -
CAT-QuickHeal 9.50 2008.09.10 -
ClamAV 0.93.1 2008.09.10 -
DrWeb 4.44.0.09170 2008.09.10 -
eSafe 7.0.17.0 2008.09.10 -
eTrust-Vet 31.6.6082 2008.09.10 -
Ewido 4.0 2008.09.10 -
F-Prot 4.4.4.56 2008.09.09 -
F-Secure 8.0.14332.0 2008.09.10 -
Fortinet 3.112.0.0 2008.09.10 -
GData 19 2008.09.10 -
Ikarus T3.1.1.34.0 2008.09.10 -
K7AntiVirus 7.10.450 2008.09.10 -
Kaspersky 7.0.0.125 2008.09.10 -
McAfee 5380 2008.09.09 -
Microsoft 1.3903 2008.09.10 -
NOD32v2 3429 2008.09.09 -
Norman 5.80.02 2008.09.10 -
Panda 9.0.0.4 2008.09.09 -
PCTools 4.4.2.0 2008.09.10 -
Prevx1 V2 2008.09.10 -
Rising 20.61.22.00 2008.09.10 -
Sophos 4.33.0 2008.09.10 -
Sunbelt 3.1.1616.1 2008.09.09 -
Symantec 10 2008.09.10 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.10 -
VBA32 3.12.8.5 2008.09.10 -
ViRobot 2008.9.10.1371 2008.09.10 -
VirusBuster 4.5.11.0 2008.09.09 -
Webwasher-Gateway 6.6.2 2008.09.10 -
Additional information
File size: 94208 bytes
MD5: 31dd9005169d5f7dc9c8c68cfb120ceb
SHA1: a9f491a83998e4181ec6b51716a23dda945de10a
SHA256: 6a1fe4bfe17375b2545520a6e1f4fbd43aad525304e61c22623754e343aad581
SHA512: 262e6809c6967717111fcd8d4c41a691f7652099b3d9ff6f24730fa36ed10b35
d5ccfb586727ba054eeabb0b582288ad6d0bd34ec8781e3f3008a96491ed61c8
PEiD: -
TrID: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x401350
timedatestamp: 0x45ab79ea (Mon Jan 15 12:56:10 2007)
machinetype: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5ddb 0x5e00 0.89 2f87fe85d212148e2f2d244c161d9cf1
.data 0x7000 0xe739 0xe800 7.54 2fbe3e5c51f142d1bac5bfa1ee14d7be
.tls 0x16000 0x17fe1a9 0x600 0.00 53e979547d8c2ea86560ac45de08ae25
.rdata 0x1815000 0x1c27 0x1200 0.04 355e7e8cbe6bc97d51bfa8283925f936
.idata 0x1817000 0xa06 0xc00 3.97 9e94c865922ff383e3d1cfac66cd4695

( 3 imports )
> GDI32.DLL: DeleteDC, DeleteObject, CreateCompatibleBitmap, CreateBitmap, SetTextColor, CreateCompatibleDC, GetClipBox, RestoreDC, GetPixel, CreatePenIndirect, CreateDIBSection, GetPixel, CreateHalftonePalette, GetCurrentPositionEx, CreateBrushIndirect, CreateDIBitmap, ExtTextOutA, GetBrushOrgEx, CreatePalette, GetDCOrgEx, CreateSolidBrush, GetBitmapBits, ExcludeClipRect, CreateFontIndirectA
> KERNEL32.DLL: WriteFile, GetStdHandle, GetConsoleMode, DeleteAtom, ReadConsoleA, FindAtomA, SetLastError, DeleteFileA, CreateProcessA, GetLastError, OpenFile, GlobalFree, Sleep, ReadFile, GetFileSize, FindFirstFileA, OpenFileMappingA, DeleteFileW, GetCPInfo, GetComputerNameA, GetCommandLineA, CreateThread, GetFileTime, ExitThread
> COMCTL32.DLL: ImageList_DragEnter, ImageList_Create, CreateStatusWindowW, CreateUpDownControl, ImageList_AddIcon, ImageList_EndDrag, CreateToolbarEx, ImageList_LoadImageW, ImageList_GetIconSize, ImageList_DrawEx, ImageList_Destroy, CreateToolbar, CreateStatusWindow, ImageList_GetIcon, InitCommonControls, ImageList_Copy, DllGetVersion, ImageList_LoadImageA, ImageList_Add, DrawStatusTextW, DrawStatusText, CreateMappedBitmap, MenuHelp, ImageList_Draw

( 0 exports )

Antivirus PRO XP

Host: scan.antispyware-free-scanner.com
IP: 85.255.119.149

Whois of IP 85.255.119.149 distributing fake antivirus Antivirus PRO XP:

netname:        UkrTeleGroup
descr:          UkrTeleGroup Ltd.
admin-c:        UA481-RIPE
tech-c:         UA481-RIPE
country:        UA

Host: files.as-pro-xp-download.com
IP: 78.157.142.79

Whois of IP 78.157.142.79 distributing fake antivirus Antivirus PRO XP:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV

Host: int.azsxdcqwe.com
IP: 193.142.244.194

Whois:

netname:        UABSIP-NET
descr:          UAB “SIP”
country:        LT

Host: int.mjnhbgvf.com
IP: 193.142.244.145

Whois:

netname:        UABSIP-NET
descr:          UAB “SIP”
country:        LT

Host: sales.buy-antispyware-pro-xp.com
IP: 216.195.42.223

Whois:

OrgName:    APS Telecom
OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US
Comment:    send abuse issues to ,abuse@3fn.net

Host: secure.paymentbit.net
IP: 216.195.56.175

Whois of IP 216.195.56.175 (domain secure.paymentbit.net) selling rogue antivirus Antivirus PRO XP:

OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

NetRange:   216.195.32.0 - 216.195.63.255
CIDR:       216.195.32.0/19
NetName:    APS-EPSI
NetHandle:  NET-216-195-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment:    send abuse issues to abuse@3fn.net , send network

RTechHandle: NSW-ARIN
RTechName:   Swen, Nash
RTechPhone:  +1-800-539-8209
RTechEmail : noc@apxnoctelecom.com

Antivirus PRO XP

Virus Remover 2008 fake antivirus application

Wednesday, September 10th, 2008

Virus Remover 2008 is a fake antivirus application. Stay away from it!

Virus Remover 2008

File VirusRemover2008_Setup_Free_en.ex received on 09.10.2008 14:03:26 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.10 -
AntiVir 7.8.1.28 2008.09.10 ADSPY/AdSpy.Gen
Authentium 5.1.0.4 2008.09.10 -
Avast 4.8.1195.0 2008.09.10 -
AVG 8.0.0.161 2008.09.10 Fake_AntiSpyware.ABC
BitDefender 7.2 2008.09.10 -
CAT-QuickHeal 9.50 2008.09.10 -
ClamAV 0.93.1 2008.09.10 -
DrWeb 4.44.0.09170 2008.09.10 Trojan.Fakealert.1199
eSafe 7.0.17.0 2008.09.10 Suspicious File
eTrust-Vet 31.6.6080 2008.09.09 -
Ewido 4.0 2008.09.10 -
F-Prot 4.4.4.56 2008.09.09 W32/FakeAlert.O.gen!Eldorado
F-Secure 8.0.14332.0 2008.09.10 -
Fortinet 3.112.0.0 2008.09.10 PossibleThreat
GData 19 2008.09.10 -
Ikarus T3.1.1.34.0 2008.09.10 Generic.Win32.Malware.AntiSpywareExpert
K7AntiVirus 7.10.450 2008.09.10 -
Kaspersky 7.0.0.125 2008.09.10 -
McAfee 5380 2008.09.09 -
Microsoft 1.3903 2008.09.10 Program:Win32/Winfixer
NOD32v2 3429 2008.09.09 probably a variant of Win32/Genetik
Norman 5.80.02 2008.09.09 W32/WinFixer.CHE
Panda 9.0.0.4 2008.09.09 Suspicious file
PCTools 4.4.2.0 2008.09.09 -
Prevx1 V2 2008.09.10 Fraudulent Security Program
Rising 20.61.22.00 2008.09.10 -
Sophos 4.33.0 2008.09.10 -
Sunbelt 3.1.1616.1 2008.09.09 PCPrivacyCleaner (v)
Symantec 10 2008.09.10 VirusRemover2008
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.10 -
VBA32 3.12.8.5 2008.09.10 Signed-Hoax.Win32.AntiA
ViRobot 2008.9.10.1371 2008.09.10 -
VirusBuster 4.5.11.0 2008.09.09 -
Webwasher-Gateway 6.6.2 2008.09.10 Ad-Spyware.AdSpy.Gen
Additional information
File size: 1019344 bytes
MD5: 2009876000166086cfc62d43b1253b0e
SHA1: 4032493cc63dea450bdc3ded5d9b65ef72fd950d
SHA256: 8b49cad4e15d9f0422f51c2cf74e471f3fc066ddc18606e47534cc679b729664
SHA512: dc171ee4b01ea11735a193f6aec02a8b838c751eb7ddadef4aadc3ff61186bd8
3a131e9b311dc5da0613527d275164a8a28c429d36d1efef93c3dc7ae7fdcf95
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda’s Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x6fbc30
timedatestamp: 0x48c0fbd2 (Fri Sep 05 09:28:50 2008)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x20c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x20d000 0xf0000 0xef200 7.93 68ccd4a828a8ec203b11a01a8ec7e6ef
.rsrc 0x2fd000 0x9000 0x8200 5.56 3b6787c39acc4ddf7f3877a5f7728e85

( 18 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
> ADVAPI32.dll: RegEnumKeyA
> COMCTL32.dll: -
> comdlg32.dll: GetFileTitleA
> dbghelp.dll: ImageDirectoryEntryToData
> GDI32.dll: Escape
> iphlpapi.dll: GetAdaptersInfo
> MSIMG32.dll: AlphaBlend
> ole32.dll: OleRun
> OLEAUT32.dll: -
> oledlg.dll: -
> RPCRT4.dll: UuidCreate
> SHELL32.dll: ShellExecuteA
> SHLWAPI.dll: StrCmpNIW
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA
> WININET.dll: InternetOpenA
> WINSPOOL.DRV: ClosePrinter

( 0 exports )

packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8E31C9D3D0B543C18D3E0FF23356B0004DBED2AE

Virus Remover 2008

Host: virusremover2008.com
IP: 78.157.142.47

Whois of IP 78.157.142.47 distributing rogue antivirus Virus Remover 2008:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV

Other sites of IP 78.157.142.47 distributing rogue antivirus Virus Remover 2008:

Host: download.virusremover2008.com
IP: 67.228.177.143 and 67.228.177.146

Whois of IP 67.228.177.143 distributing rogue antivirus Virus Remover 2008:

OrgName:    SoftLayer Technologies Inc.
OrgID:      SOFTL
Address:    1950 N Stemmons Freeway
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

Host: secure.bestpaymentsolution.net
IP: 67.225.151.247

Whois of IP 67.225.151.247 selling rogue antivirus Virus Remover 2008:

OrgName:    Liquid Web, Inc.
OrgID:      LQWB
Address:    4210 Creyts Rd.
City:       Lansing
StateProv:  MI
PostalCode: 48917
Country:    US
OrgAbuseHandle: ABUSE551-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-800-580-4985
OrgAbuseEmail:  abuse@liquidweb.com

Virus Remover 2008

SpyGuarder rogue antivirus application

Thursday, September 4th, 2008

SpyGuarder is a rogue antivirus application. Stay away from SpyGuarder domains and products!

SpyGuarder

File wmcodec_update.exe received on 09.04.2008 15:48:11 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.4.2 2008.09.04 -
AntiVir 7.8.1.28 2008.09.04 -
Authentium 5.1.0.4 2008.09.03 -
Avast 4.8.1195.0 2008.09.04 -
AVG 8.0.0.161 2008.09.04 -
BitDefender 7.2 2008.09.04 Trojan.Zlob.CQW
CAT-QuickHeal 9.50 2008.09.02 Backdoor.Small.fax
ClamAV 0.93.1 2008.09.04 Trojan.FakeAlert-566
DrWeb 4.44.0.09170 2008.09.04 -
eSafe 7.0.17.0 2008.09.03 -
eTrust-Vet 31.6.6069 2008.09.04 -
Ewido 4.0 2008.09.03 -
F-Prot 4.4.4.56 2008.09.03 -
F-Secure 8.0.14332.0 2008.09.04 -
Fortinet 3.14.0.0 2008.09.03 -
GData 19 2008.09.04 -
Ikarus T3.1.1.34.0 2008.09.04 Virus.Trojan.Win32.BHO.egw
K7AntiVirus 7.10.439 2008.09.03 Trojan-Downloader.Win32.Agent.hec
Kaspersky 7.0.0.125 2008.09.04 -
McAfee 5376 2008.09.03 -
Microsoft 1.3903 2008.09.04 Trojan:Win32/Zlob.AR
NOD32v2 3414 2008.09.04 -
Norman 5.80.02 2008.09.04 Malware.DJFR
Panda 9.0.0.4 2008.09.03 -
PCTools 4.4.2.0 2008.09.03 -
Prevx1 V2 2008.09.04 -
Rising 20.60.31.00 2008.09.04 -
Sophos 4.33.0 2008.09.04 Mal/FakeAV-D
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.04 -
TheHacker 6.3.0.8.072 2008.09.04 Backdoor/Small.foh
TrendMicro 8.700.0.1004 2008.09.04 -
VBA32 3.12.8.4 2008.09.03 -
ViRobot 2008.9.4.1363 2008.09.04 -
VirusBuster 4.5.11.0 2008.09.03 -
Webwasher-Gateway 6.6.2 2008.09.04 -
Additional information
File size: 122390 bytes
MD5: abf543521bf36ce95603ecc4ea4928b9
SHA1: c37d06b8c4f168c2ecfcc0b101ab1a31a5b77667
SHA256: ab2905f65a3579f6ef14ff35c72955c8d1272e9626b5db0c4f1a6261ea0a9d01
SHA512: c291a71026596d9e058d7142c56991083573dcde32ff8ab5c08f497e516e04d9
c1132e613a627893b90adae25032fad883ef480ae729c463e607d9aa88293bd6
PEiD: -
TrID: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x4030ed
timedatestamp: 0x473efc39 (Sat Nov 17 14:35:37 2007)
machinetype: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5b22 0x5c00 6.47 fb692891d6592365eb18f6b3bbfa5d2e
.rdata 0x7000 0x129c 0x1400 5.05 165e3e874dc59c8a96748c6f4d0f4207
.data 0x9000 0x25cb8 0x400 5.12 c5c4701871042863b95b9217c002c503
.ndata 0x2f000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x39000 0x6c8 0x800 2.92 f6366612209bf47196d50e045e245de9

( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )

Google search results are redirected to fake results pushing a fake codec and the rogue antivirus application:

SpyGuarder

File LcodecPlus_1_.v.1.0.exe received on 09.04.2008 16:21:46 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.4.2 2008.09.04 -
AntiVir 7.8.1.28 2008.09.04 TR/Dldr.Agent.afdr
Authentium 5.1.0.4 2008.09.03 -
Avast 4.8.1195.0 2008.09.04 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.09.04 Downloader.Zlob.ABMU
BitDefender 7.2 2008.09.04 -
CAT-QuickHeal 9.50 2008.09.02 -
ClamAV 0.93.1 2008.09.04 -
DrWeb 4.44.0.09170 2008.09.04 -
eSafe 7.0.17.0 2008.09.03 -
eTrust-Vet 31.6.6069 2008.09.04 -
Ewido 4.0 2008.09.03 -
F-Prot 4.4.4.56 2008.09.03 -
F-Secure 8.0.14332.0 2008.09.04 -
Fortinet 3.14.0.0 2008.09.03 -
GData 19 2008.09.04 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.09.04 -
K7AntiVirus 7.10.439 2008.09.03 -
Kaspersky 7.0.0.125 2008.09.04 -
McAfee 5376 2008.09.03 -
Microsoft 1.3903 2008.09.04 TrojanDownloader:Win32/Renos.AY
NOD32v2 3414 2008.09.04 -
Norman 5.80.02 2008.09.04 W32/DLoader.JGND
Panda 9.0.0.4 2008.09.03 -
PCTools 4.4.2.0 2008.09.04 -
Prevx1 V2 2008.09.04 Suspicious
Rising 20.60.31.00 2008.09.04 -
Sophos 4.33.0 2008.09.04 -
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.04 Trojan Horse
TheHacker 6.3.0.8.072 2008.09.04 -
TrendMicro 8.700.0.1004 2008.09.04 Possible_DLDER
VBA32 3.12.8.5 2008.09.04 -
ViRobot 2008.9.4.1363 2008.09.04 -
VirusBuster 4.5.11.0 2008.09.04 -
Webwasher-Gateway 6.6.2 2008.09.04 Trojan.Dldr.Agent.afdr
Additional information
File size: 92676 bytes
MD5: df9d21dd8e0756c2bdcd91206cec62a0
SHA1: ed9751165e51f5091c91dcc7e3da21b2a238db0b
SHA256: a5db751be6f721747f4e6194ff18144cf844103cf25672ad25e00989c0e63736
SHA512: 1db788b58c8f47e2589c8a8cd020b2e7c1d62234c5fef4aa51f9c368f835e360
b5752cf035577bfd266f0a001cf2217331894a878ff2b0f90dd5b6cf295fd9e1
PEiD: Armadillo v1.71
TrID: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x415586
timedatestamp: 0x48be44f1 (Wed Sep 03 08:04:01 2008)
machinetype: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1516c 0x14e00 7.85 1143b0bbcdbdd31c4d006d4322b233e4
.rdata 0x17000 0x168e 0x1800 5.30 14f22af244993f864affac527a596983

( 11 imports )
> WININET.dll: HttpQueryInfoA, InternetQueryDataAvailable, InternetOpenUrlA, HttpOpenRequestA, InternetConnectA, InternetCrackUrlA, InternetCloseHandle, InternetReadFile, HttpSendRequestA, InternetOpenA, InternetSetOptionA
> SHLWAPI.dll: PathFileExistsA, PathGetDriveNumberA
> snmpapi.dll: SnmpUtilOidCpy
> MSVCRT.dll: __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, strncat, sprintf, _except_handler3, strstr, _strdup, _strlwr, wcslen, _CxxThrowException, __1type_info@@UAE@XZ, div, strncpy, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _onexit, __dllonexit, _controlfp, __set_app_type, __p__fmode, __p__commode, memmove, _adjust_fdiv
> KERNEL32.dll: GetCurrentProcess, GetStartupInfoA, InterlockedDecrement, lstrlenA, LocalFree, MultiByteToWideChar, SetFilePointer, ReadFile, GetModuleFileNameA, CreateProcessA, WriteFile, TerminateProcess, DeviceIoControl, WideCharToMultiByte, GetEnvironmentVariableA, GetComputerNameA, GetVersion, CreateFileA, GetModuleHandleA, VirtualAlloc, VirtualFree, CloseHandle, GetTempPathA, SetLastError, GetLastError, GetVolumeInformationA, LoadLibraryA, GetProcAddress, GetTickCount, FreeLibrary
> USER32.dll: CharToOemA
> ADVAPI32.dll: GetUserNameA
> SHELL32.dll: SHGetSpecialFolderPathA, ShellExecuteExA
> ole32.dll: CoInitialize, CLSIDFromString, CoUninitialize, CoCreateInstance, OleRun, CLSIDFromProgID
> OLEAUT32.dll: -, -, -, -
> MSVCP60.dll: __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, __Copy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@ABV10@PBD@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __Xlen@std@@YAXXZ, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@ABV10@0@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@DABV10@@Z, __Split@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXXZ, __Xran@std@@YAXXZ, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, _c_str@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEPBDXZ, __Freeze@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXXZ, _find@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEIPBDII@Z, __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F278B78104B29C326AA6017A3A0E01002B4A660A
File spyguarder_install.exe received on 09.04.2008 16:24:50 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.9.4.2 2008.09.04 -
AntiVir 7.8.1.28 2008.09.04 TR/Dldr.FraudLoa.VZ
Authentium 5.1.0.4 2008.09.03 -
Avast 4.8.1195.0 2008.09.04 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.09.04 I-Worm/Stration.HFA
BitDefender 7.2 2008.09.04 BehavesLike:Trojan.Downloader
CAT-QuickHeal 9.50 2008.09.02 Downloader.FraudLoad.dd (Not a Virus)
ClamAV 0.93.1 2008.09.04 -
DrWeb 4.44.0.09170 2008.09.04 Trojan.DownLoad.3665
eSafe 7.0.17.0 2008.09.03 Suspicious File
eTrust-Vet 31.6.6069 2008.09.04 -
Ewido 4.0 2008.09.03 Not-A-Virus.Downloader.Win32.FraudLoad.dd
F-Prot 4.4.4.56 2008.09.03 -
F-Secure 8.0.14332.0 2008.09.04 Downloader.Win32.FraudLoad.dd
Fortinet 3.14.0.0 2008.09.03 W32/Heuri.E!tr.dldr
GData 19 2008.09.04 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.09.04 BehavesLike.Trojan-Downloader
K7AntiVirus 7.10.439 2008.09.03 not-a-virus:Downloader.Win32.FraudLoad.dd
Kaspersky 7.0.0.125 2008.09.04 not-a-virus:Downloader.Win32.FraudLoad.dd
McAfee 5376 2008.09.03 Downloader.gen.a
Microsoft 1.3903 2008.09.04 -
NOD32v2 3414 2008.09.04 Win32/Adware.WinXDefender
Norman 5.80.02 2008.09.04 -
Panda 9.0.0.4 2008.09.03 Suspicious file
PCTools 4.4.2.0 2008.09.04 RogueAntiSpyware.WinxDefender
Prevx1 V2 2008.09.04 Fraudulent Security Program
Rising 20.60.31.00 2008.09.04 -
Sophos 4.33.0 2008.09.04 Mal/Heuri-E
Sunbelt 3.1.1582.1 2008.09.02 -
Symantec 10 2008.09.04 -
TheHacker 6.3.0.8.072 2008.09.04 Aplicacion/FraudLoad.dd
TrendMicro 8.700.0.1004 2008.09.04 PAK_Generic.001
VBA32 3.12.8.5 2008.09.04 Downloader.Win32.FraudLoad.dd
ViRobot 2008.9.4.1363 2008.09.04 -
VirusBuster 4.5.11.0 2008.09.04 -
Webwasher-Gateway 6.6.2 2008.09.04 Trojan.Dldr.FraudLoa.VZ
 
Additional information
File size: 16896 bytes
MD5...: 6d0301822685e1e9c5db0526ac6c711f
SHA1..: 51e9a7dd0ab1a62f2f30ee27593cf06a744dff6a
SHA256: ab78f8c6dd5be3b0cb4440c834ff71a9182ce02678baaeb07c0f4352177c32e8
SHA512: 232647447d5bca8da4152e2787b040d21adabcc471f14940cd180f8e97dbd9fd
c65de914890c1237a7b656bd9644162be0b3a86c52db3b477ff2b4b97e1d87be
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda’s Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40a050
timedatestamp.....: 0x4863b4a1 (Thu Jun 26 15:24:17 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x7000 0x4000 0x3200 7.86 fe7db2aaaf5168b1619c82fdecb2357a
.rsrc 0xb000 0x1000 0xc00 4.68 2d1625beecedcb81fd289c7036ab531c

( 8 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: InitCommonControlsEx
> GDI32.dll: SetBkColor
> ole32.dll: OleInitialize
> SHELL32.dll: ShellExecuteA
> urlmon.dll: URLDownloadToFileA
> USER32.dll: EndPaint

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=37D888F3002D56BF42D60009F8EF2900BC298D4C
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=6d0301822685e1e9c5db0526ac6c711f
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX

SpyGuarder

Host: favoredmovie.com
IP : 78.157.143.191

Whois of IP 78.157.143.191, which distributes the rogue antivirus SpyGuarder:

netname:        VDHOST
descr:          VdHost Ltd.
descr:          abuse@vdhost.biz
country:        LV
admin-c:        AV2990-RIPE
tech-c:         UNHM-RIPE
status:         ASSIGNED PA
mnt-by:         UN-MNT
source:         RIPE # Filtered

role:           UltraNet Hostmaster
address:        UltraNet SIA
                Aizkraukles 23
                Riga, LV-1006
                Latvia
phone: