Friday, November 30, 2007

VirusProtect 3.8





The registrar of Virprotect.com is ESTDOMAINS, a registrar well known for fake-product domains.

If VirusProtect lands on your system through a Zlob infection, it displays fake warnings in the system tray that do not go away even after you uninstall the product; the warnings keep insisting that you purchase it.

The product also does not uninstall completely.


Screenshots: the Virprotect.com website and the VirusProtect 3.8 application.

Note that the VirusProtectPro variants are no longer active.


Virustotal results: 6/32 (18.75%)

The detection rate is very poor; make sure you stay away from both this website and the application.

Avast ---> Win32:Spycrush-B
BitDefender ---> Adware.SpyLocked.C
NOD32v2 ---> Win32/Adware.VirusProtectPro
Prevx1 ---> VirusProtectPro:Spyware-All Variants
Sophos ---> Virus ProtectPro Installer
VBA32 ---> Application.Win32.Adware.VirusProtectPro

File size: 3318554 bytes
MD5: baac3692b436b982193bb7895d7405c3
SHA1: ff0de2bed0bd903de9c003e05f3767ee9e35f8f8
packers: Armadillo
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=D81609571AEEC833A360320269C934002DEEC94B

Domain Name: virprotect.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com/
Expiration Date: 2008-10-23
Creation Date: 2007-10-23
Last Update Date: 2007-11-12
Name Servers:
ns1.sigmacode.biz
ns2.sigmacode.biz
ns3.sigmacode.biz
ns4.sigmacode.biz


IP Address: 85.255.119.126
Website Status: active
Server Type: nginx/0.4.13
Cache Date: 2007-11-30 06:33:49 MST
Compare Archived Data: 2007-11-13


Many users end up infected with this application, so the question is: how do you get rid of it?

Here is the answer.

Follow the steps at the following link to remove the application using SmitfraudFix:

http://siri.urz.free.fr/Fix/SmitfraudFix.php

The versions that preceded VirusProtect 3.8 were the PRO versions.

Screenshots of the previous versions are provided below, in case they help:

VirusProtect PRO 3.3

VirusProtect PRO 3.4

VirusProtect PRO 3.5

VirusProtect PRO 3.6

VirusProtect PRO 3.7





Thursday, November 29, 2007

Online-Guard.net




Online-Guard 2.1


Online-Guard 2.1 is a clone of the well-known rogue application SpySheriff.

The registrar of Online-Guard.net is ESTDOMAINS, well known for producing useless websites. Do NOT install this application, and avoid this website.


Screenshots: the Online-Guard.net website and the Online-Guard 2.1 application.


Virustotal results: 6/32 (18.75%)

AhnLab-V3 ---> Win-Trojan/Spyshield.51200
CAT-QuickHeal ---> FraudTool.SpySheriff.f (Not a Virus)
Ikarus ---> not-a-virus:.FraudTool.Win32.SpySheriff.f
Kaspersky ---> not-a-virus:FraudTool.Win32.SpySheriff.f
Symantec ---> OnlineGuard
VirusBuster ---> Adware.SpySherif.Gen.2

File size: 24064 bytes
MD5: 658474189f62b7a8472473357210be85
SHA1: 6beb36171279b363e88e1de21dbc74a827e7065

Additional information:

Domain Name: online-guard.net
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Expiration Date: 2008-10-25
Creation Date: 2007-10-25
Last Update Date: 2007-11-16
Name Servers: ns1.online-guard.net ns2.online-guard.ne

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-11-29 09:58:02 MST
Compare Archived Data: 2007-11-27






Guard-Center.com



Guard-Center 2.1

Guard-Center 2.1 is a clone of the well-known rogue application SpySheriff.

The registrar of Guard-Center.com is ESTDOMAINS, well known for producing useless websites.

Do NOT install this application, and avoid this website.

Screenshots: the Guard-Center.com website and the Guard-Center 2.1 application.


Virustotal results: 4/32 (12.5%)

AhnLab-V3 ---> Win-Trojan/Spyshield.51200
Ikarus ---> not-a-virus:.FraudTool.Win32.SpySheriff.f
Kaspersky ---> not-a-virus:FraudTool.Win32.SpySheriff.f
VirusBuster ---> Adware.SpySherif.Gen.2

File size: 60928 bytes
MD5: 3be4a29f1d5ec78c84b2d35690e7065e
SHA1: dbc320911b4460f6efcd72c0cc48a104360ac1d4


Additional information:

Domain Name: guard-center.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-10-25
Creation Date: 2007-10-25
Last Update Date: 2007-11-19

Name Servers: ns1.guard-center.com , ns2.guard-center.com





Dr-Protection.com


Dr-Protection 2.1


Dr-Protection is a clone of the well-known rogue application SpySheriff.

The registrar of Dr-Protection.com is ESTDOMAINS, well known for producing useless websites.

Do NOT install this application, and avoid this website.



Screenshots: the Dr-Protection.com website and the Dr-Protection 2.1 application.




Virustotal results: 6/32 (18.75%)

AhnLab-V3 ---> Win-Trojan/Spyshield.51200
CAT-QuickHeal ---> FraudTool.SpySheriff.f (Not a Virus)
Ikarus ---> not-a-virus:.FraudTool.Win32.SpySheriff.f
Kaspersky ---> not-a-virus:FraudTool.Win32.SpySheriff.f
Symantec ---> Downloader.MisleadApp
VirusBuster ---> Adware.SpySherif.Gen.2

Additional information:

Domain Name: dr-protection.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com/
Expiration Date: 2008-11-15
Creation Date: 2007-11-15
Last Update Date: 2007-11-19
Name Servers: ns1.dr-protection.com ns2.dr-protection.com


IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-11-29 08:49:47 MST
Compare Archived Data: 2007-11-27

This Website is BAD





liveantispy.com

Liveantispy 2.1

Liveantispy is a clone of the well-known rogue application SpySheriff.

The registrar of liveantispy.com is ESTDOMAINS, well known for producing useless websites.

Do NOT install this application, and avoid this website.



Screenshots: the liveantispy.com website and the Liveantispy 2.1 application.

Website info:
Domain Name: liveantispy.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com
Expiration Date: 2008-11-19
Creation Date: 2007-11-19
Last Update Date: 2007-11-19
Name Servers: ns1.liveantispy.com ns2.liveantispy.com


Virustotal results: 4/32 (12.5%)
------------------------------------
AhnLab-V3 ---> Win-Trojan/Spyshield.51200
Ikarus ---> not-a-virus:.FraudTool.Win32.SpySheriff.f
Kaspersky ---> not-a-virus:FraudTool.Win32.SpySheriff.f
VirusBuster ---> Adware.SpySherif.Gen.2

File size: 60928 bytes
MD5: 9ae70301cd5cb35e03db73a8a1de38d3
SHA1: 75342157a0c53d2f29fb35097f476f7436c4687a

As you can see, the Virustotal detection rate is very low; make sure to stay away from this application.





Wednesday, November 28, 2007

Codechq.net


Another fake codec site registered through ESTDOMAINS.

Do NOT download any program from this website.

Note that this program is a DNSChanger. It pretends to be a browser add-on needed to view porn but is actually a Trojan horse. It can install a rootkit on your computer and changes your DNS server settings so that your Internet searches are routed through the attackers' servers, which makes money for them.
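A DNSChanger leaves one footprint you can always check for: the resolver addresses configured on the victim machine. The following Python script is an added example, not code from the original post. It parses the output of `ipconfig /all` (the Windows XP-era layout, including the unlabeled continuation lines Windows uses for a second DNS server) and flags every resolver that is neither in a LAN range nor on a trusted list you supply. The SAMPLE_IPCONFIG text is constructed, and the addresses 203.0.113.53 and 198.51.100.7 are documentation-range placeholders standing in for attacker-controlled resolvers, not real indicators.

```python
"""Audit a Windows host's DNS resolvers for DNSChanger-style tampering.

Added example, not from the original post. Parses `ipconfig /all` output and
flags resolvers that are neither private-range nor explicitly trusted.
"""
import ipaddress
import re
import subprocess
import sys

# Unindented "Ethernet adapter Local Area Connection:" section headers.
ADAPTER_RE = re.compile(r"^(?!\s)(.+?):\s*$")
# Indented "   DNS Servers . . . . : 1.2.3.4" field lines. The label must be
# followed by whitespace before the colon, so an IPv6 continuation line such
# as "   fec0:0:0:ffff::1%1" is not mistaken for a field.
FIELD_RE = re.compile(r"^\s+([A-Za-z][^:]*?)\s[\s.]*:\s*(.*)$")

# Resolvers in these ranges are normal on a LAN (router / DHCP-assigned).
# Listed explicitly instead of using ip.is_private, which also treats the
# documentation ranges used in the constructed sample as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def parse_ipconfig(text):
    """Return {adapter: [dns_server, ...]} from `ipconfig /all` output.

    Windows prints extra DNS servers on unlabeled continuation lines, so bare
    lines are appended while the parser is inside the "DNS Servers" field.
    """
    result, adapter, in_dns = {}, None, False
    for raw in text.splitlines():
        if not raw.strip():
            in_dns = False
            continue
        m = ADAPTER_RE.match(raw)
        if m:
            adapter, in_dns = m.group(1).strip(), False
            result.setdefault(adapter, [])
            continue
        m = FIELD_RE.match(raw)
        if m:
            in_dns = m.group(1).strip(" .").lower() == "dns servers"
            if in_dns and adapter and m.group(2).strip():
                result[adapter].append(m.group(2).strip())
            continue
        if in_dns and adapter:
            result[adapter].append(raw.strip())
    return result


def classify(servers, trusted=frozenset()):
    """Split resolvers into (expected, suspicious).

    Expected: on the trusted list (your ISP or corporate resolvers) or in a
    LAN range. Suspicious: any other public address, which is exactly the
    footprint a DNSChanger leaves, since it hard-codes public resolvers the
    owner never configured. Values that are not IPs are reported as well.
    """
    expected, suspicious = [], []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            suspicious.append(s)
            continue
        if s in trusted or any(ip in net for net in LAN_NETS):
            expected.append(s)
        else:
            suspicious.append(s)
    return expected, suspicious


def audit(text, trusted=frozenset()):
    """Return {adapter: [suspicious resolvers]} for adapters needing review."""
    findings = {}
    for adapter, servers in parse_ipconfig(text).items():
        _, suspicious = classify(servers, trusted)
        if suspicious:
            findings[adapter] = suspicious
    return findings


def live_audit(trusted=frozenset()):
    """Run `ipconfig /all` on this host (Windows only) and audit the output."""
    out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                         text=True, check=True).stdout
    return audit(out, trusted)


# Constructed sample: a DHCP client whose DNS servers have been replaced by
# two public placeholder addresses, plus a disconnected second adapter.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WORKSTATION
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-0C-29-12-34-56
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            198.51.100.7

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

if __name__ == "__main__":
    findings = live_audit() if sys.platform == "win32" else audit(SAMPLE_IPCONFIG)
    for adapter, servers in findings.items():
        print(f"{adapter}: unexpected DNS servers {', '.join(servers)}")
```

On a live Windows host `live_audit()` runs `ipconfig /all` itself; the same static setting lives in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>\NameServer, so a value there on an adapter that is supposed to get DNS from DHCP deserves the same scrutiny. The `trusted` set is where you put your ISP's or company's resolvers so they are not reported.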

Screenshots: the Codechq.net website, and the DNS server settings the program modifies.


Domain Name: codechq.net
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com/
Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-11-26
Name Servers: ns1.codechq.net ns2.codechq.net

Extended info
IP Address: 64.28.184.183
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-11-28 05:10:23 MST

Virustotal results: 14/32 (43.75%)
-----------------------------------------

My sample is: Codechq1080.exe

AntiVir 7.6.0.34 (2007.11.28) ---> HEUR/Malware
Avast 4.7.1074.0 (2007.11.27) ---> Win32:Trojan-gen {Other}
AVG 7.5.0.503 (2007.11.27) ---> Downloader.Zlob.KF
BitDefender 7.2 (2007.11.28) ---> Trojan.Zlob.BYQ
CAT-QuickHeal 9.00 (2007.11.27) ---> Win32.Trojan.DNSChanger.abj
Ewido 4.0 (2007.11.27) ---> Downloader.Zlob.eie
Fortinet 3.14.0.0 (2007.11.28) ---> W32/Zlobar.ABJ!tr
F-Secure 6.70.13030.0 (2007.11.28) ---> Trojan.Win32.DNSChanger.adz
Kaspersky 7.0.0.125 (2007.11.28) ---> Trojan.Win32.DNSChanger.adz
Prevx1 V2 (2007.11.28) ---> Generic.Dropper.xCodec
Sophos 4.23.0 (2007.11.28) ---> Troj/Zlobar-Fam
Symantec 10 (2007.11.28) ---> Trojan.Zlob
TheHacker 6.2.9.144 (2007.11.28) ---> Trojan/Downloader.Zlob.eie
Webwasher-Gateway 6.6.2 (2007.11.28) ---> Heuristic.Malware


Additional information:
------------------------
File size: 231553 bytes
MD5: d57546a73be8d902fa6a574452294ee4
SHA1: d20f49022a2cebb350360e7d675ef21aee205e4e
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=675A623B815697AB88DB03AB863BA800ACF0C59E






Tuesday, November 27, 2007

Rich Video Codec V1.6



VideoAccessCodecInstall.exe
videosoftonline.com (Zlob)



Rich Video Codec is a malicious Trojan program that adds a toolbar to the browser, which in turn installs applications like:
1. YourPrivacyGuard.
2. ConfidentSurf.
3. ErrorFighter.
4. Adwareremover2007.
5. Securepccleaner.
6. UltimateDefender.
7. UltimateCleaner.
8. Brave-Sentry.
9. performanceoptimizer.
10. Anti-Virus-Pro
11. Trustedantivirus

You could also be taken to the following page: http://www.download.neteu.eu/




If you access videosoftonline.com directly, you receive a 403 error (shown below), but the site still serves the dangerous Trojan (Zlob).




File name : VideoAccessCodecInstall.exe
MD5: 5d2d1f68229abde239fe5e160d6192f0
Virustotal results: 10/32 (31.25%)
------------------------------------
AntiVir ---> DR/Zlob.Gen
AVG ---> Downloader.Zlob
CAT-QuickHeal ---> TrojanDownloader.Zlob.gen
ClamAV ---> Trojan.Dropper-2557
F-Secure ---> W32/Zlob.ARDM
Norman ---> W32/Zlob.ARDM
Rising ---> Trojan.DL.Win32.Zlob.def
Sophos ---> Troj/Zlobar-Fam
TheHacker ---> Trojan/Downloader.gen
Webwasher-Gateway ---> Trojan.Dropper.Zlob.Gen
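Every entry on this page ends the same way: a vendor-by-vendor detection list, a file size and an MD5/SHA1 pair. Those hashes are what you actually use to check a suspect machine or a quarantine folder. The Python below is an added example, not code from the original post: it parses a record in the page's own layout ("Vendor ---> detection", "File size: N bytes", "MD5: ...", "SHA1: ..."), computes the detection rate from the vendor lines, and scans a directory for files matching by hash, using the recorded size as a cheap pre-filter. It also refuses to match on a digest of the wrong length, because the SHA1 quoted in the Online-Guard entry above has only 39 hex digits and could never match anything. The file it hashes in `demo()` is a constructed dummy, not a sample; the VirusProtect 3.8 record it parses is copied from the entry at the top of the page.

```python
"""Hash-based IOC matching for the VirusTotal-style records on this page.

Added example, not from the original post. parse_record() reads the post's
own record layout; scan_dir() hashes each file once and matches it against
any number of records.
"""
import hashlib
import os
import re
import tempfile

HEX_LEN = {"md5": 32, "sha1": 40}
VT_RE = re.compile(r"(?i)virustotal results\s*:\s*(?:result:\s*)?(\d+)/(\d+)")
SIZE_RE = re.compile(r"(?i)file size\s*:\s*(\d+)")
HASH_RE = re.compile(r"(?i)(md5|sha1)\s*:\s*([0-9a-f]+)\s*$")


def parse_record(text):
    """Turn one page-style record into a dict.

    A digest of the wrong length (the post's Online-Guard SHA1 has 39 hex
    digits) is stored as None instead of being compared: it could never
    match, and comparing it would silently hide that the IOC is unusable.
    """
    rec = {"vendors": {}, "total_engines": None, "size": None,
           "md5": None, "sha1": None}
    for line in text.splitlines():
        line = line.strip()
        if m := VT_RE.match(line):
            rec["total_engines"] = int(m.group(2))
        elif m := SIZE_RE.match(line):
            rec["size"] = int(m.group(1))
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == HEX_LEN[algo]:
                rec[algo] = digest
        elif "--->" in line:
            vendor, name = (p.strip() for p in line.split("--->", 1))
            rec["vendors"][vendor] = name
    return rec


def detection_rate(rec):
    """(engines that flagged the file, percentage) from the vendor lines."""
    hits = len(rec["vendors"])
    total = rec["total_engines"] or hits
    return hits, round(100.0 * hits / total, 2)


def file_hashes(path, chunk=1 << 16):
    """MD5 and SHA1 of a file, computed in a single read."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def scan_dir(root, records):
    """Walk root; return [(path, matched_algo, record)] for hash matches.

    The recorded file size is a cheap pre-filter, applied only when the
    record has one; records with no usable digest are skipped up front.
    """
    usable = [r for r in records if r["md5"] or r["sha1"]]
    matches = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            candidates = [r for r in usable if r["size"] in (None, size)]
            if not candidates:
                continue
            md5, sha1 = file_hashes(path)
            for r in candidates:
                algo = ("md5" if md5 == r["md5"]
                        else "sha1" if sha1 == r["sha1"] else None)
                if algo:
                    matches.append((path, algo, r))
    return matches


# The VirusProtect 3.8 record from the top of this page, verbatim.
VIRUSPROTECT_RECORD = """\
Virustotal results: 6/32 (18.75%)
Avast ---> Win32:Spycrush-B
BitDefender ---> Adware.SpyLocked.C
NOD32v2 ---> Win32/Adware.VirusProtectPro
Prevx1 ---> VirusProtectPro:Spyware-All Variants
Sophos ---> Virus ProtectPro Installer
VBA32 ---> Application.Win32.Adware.VirusProtectPro
File size: 3318554 bytes
MD5: baac3692b436b982193bb7895d7405c3
SHA1: ff0de2bed0bd903de9c003e05f3767ee9e35f8f8
"""


def demo():
    """Self-contained run on a constructed dummy file (not malware).

    The record built for it carries a SHA1 truncated to 39 digits, as in the
    post; it parses to None and the file is still found through its MD5.
    Returns (parsed_sha1, [(filename, matched_algo)]).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dummy_installer.exe")
        with open(path, "wb") as fh:
            fh.write(b"MZ constructed placeholder, not malware\n" * 64)
        md5, sha1 = file_hashes(path)
        rec = parse_record(f"File size: {os.path.getsize(path)} bytes\n"
                           f"MD5: {md5}\nSHA1: {sha1[:-1]}\n")
        hits = scan_dir(tmp, [parse_record(VIRUSPROTECT_RECORD), rec])
        return rec["sha1"], [(os.path.basename(p), algo) for p, algo, _ in hits]


if __name__ == "__main__":
    print("VirusProtect 3.8 detections:", detection_rate(parse_record(VIRUSPROTECT_RECORD)))
    print("demo scan:", demo())
```

To use it against a real machine, paste each entry's results block into `parse_record()` and point `scan_dir()` at the download and temp folders; a match on either digest is reported, and a record whose only hash is truncated is skipped rather than trusted.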

Website info:
---------------
Domain Name: videosoftonline.com
IP Address: 194.126.174.124
Server Type: ApacheCache
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Expiration Date: 2008-11-01
Creation Date: 2007-11-01
Name Servers: ns1.videosoftonline.com ns2.videosoftonline.com
Make sure NOT to download any installers from this site.
If your system is infected by this Trojan, remove it as soon as possible: it can disable Task Manager, the display settings and more, and it also pops up nasty websites, which slows down your computer.
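Every entry above records the same registration data: registrar, creation and expiration dates, name servers, the hosting IP and the date the page was cached. Read together, those fields tell a story the individual entries do not (three-week-old domains, name servers hosted on the domain itself, two of the SpySheriff clones sitting on one IP). The following Python script is an added example, not code from the original post. The records in it are the post's own fields re-typed as clean "Key: value" lines (online-guard.net's second name server is truncated in the post and is left out), and the scoring rules (younger than 60 days at observation, registrar watchlist, all name servers under the domain, one-year minimum term, shared hosting IP) are heuristics chosen for this example, not rules the post states.

```python
"""Registration-data triage for the domains catalogued on this page.

Added example, not from the original post. Thresholds and the watchlist
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

WATCHLIST_REGISTRARS = {"ESTDOMAINS, INC."}   # the registrar every entry above shares
YOUNG_DAYS = 60                                # heuristic: under two months old


def parse_whois(text):
    """Parse "Key: value" lines into a dict; Name Servers becomes a list."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if not key:
            continue
        if key.lower() == "name servers":
            rec["name_servers"] = [ns.lower() for ns in value.replace(",", " ").split()]
        else:
            rec[key.lower().replace(" ", "_")] = value
    return rec


def _day(value):
    """Date part of values such as '2007-11-30 06:33:49 MST'."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def triage(rec):
    """Return (age_in_days_at_observation or None, [reasons to distrust])."""
    reasons = []
    domain = rec.get("domain_name", "").lower()
    age = None
    if "creation_date" in rec and "cache_date" in rec:
        age = (_day(rec["cache_date"]) - _day(rec["creation_date"])).days
        if age < YOUNG_DAYS:
            reasons.append(f"registered only {age} days before observation")
    if rec.get("registrar", "").upper() in WATCHLIST_REGISTRARS:
        reasons.append("registrar on watchlist")
    ns = rec.get("name_servers", [])
    if domain and ns and all(n.endswith("." + domain) for n in ns):
        reasons.append("all name servers hosted under the domain itself")
    if "creation_date" in rec and "expiration_date" in rec:
        c, e = _day(rec["creation_date"]), _day(rec["expiration_date"])
        if (e.year - c.year, e.month, e.day) == (1, c.month, c.day):
            reasons.append("minimum one-year registration term")
    return age, reasons


def shared_hosts(records):
    """{ip: [domains]} for IPs that serve more than one of the domains."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec.get("ip_address") and rec.get("domain_name"):
            by_ip[rec["ip_address"]].append(rec["domain_name"].lower())
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


# Three of this page's entries, transcribed to clean key/value lines.
RECORDS = [parse_whois(t) for t in (
"""Domain Name: virprotect.com
Registrar: ESTDOMAINS, INC.
Creation Date: 2007-10-23
Expiration Date: 2008-10-23
Name Servers: ns1.sigmacode.biz ns2.sigmacode.biz ns3.sigmacode.biz ns4.sigmacode.biz
IP Address: 85.255.119.126
Cache Date: 2007-11-30 06:33:49 MST""",
"""Domain Name: online-guard.net
Registrar: ESTDOMAINS, INC.
Creation Date: 2007-10-25
Expiration Date: 2008-10-25
Name Servers: ns1.online-guard.net
IP Address: 58.65.238.130
Cache Date: 2007-11-29 09:58:02 MST""",
"""Domain Name: dr-protection.com
Registrar: ESTDOMAINS, INC.
Creation Date: 2007-11-15
Expiration Date: 2008-11-15
Name Servers: ns1.dr-protection.com ns2.dr-protection.com
IP Address: 58.65.238.130
Cache Date: 2007-11-29 08:49:47 MST""",
)]

if __name__ == "__main__":
    for rec in RECORDS:
        age, reasons = triage(rec)
        print(f"{rec['domain_name']}: age {age} days; " + "; ".join(reasons))
    for ip, domains in shared_hosts(RECORDS).items():
        print(f"{ip} hosts {', '.join(domains)}")
```

The point of `shared_hosts()` is the pivot: once one domain on an IP is confirmed as a rogue, every other domain on the same address is a candidate before any sample has been downloaded. The age check depends on having the observation date (the page's "Cache Date"); a record without one gets no age rather than a guess.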

