avast 1 of 7 av's to find up this PUP...

[polonus]

See: http://zulu.zscaler.com/submission/show/ea69409c2f70546beaa4dbe95f28dca9-1350850564
See: https://www.virustotal.com/url/316cc8552014da34d359c8f965740bd25983861c357c4dbc8223edd187bbb11a/analysis/1350850707/
See: https://www.virustotal.com/file/af555d9175418042a445b67b6df17291ef6d8fc49117352f23a2f880f526d69b/analysis/1350850714/
avast detects as Win32:Toggle-A [PUP]
For domain detection see: http://www.urlvoid.com/scan/pf.phpnuke.org
Various IP involved:
646302   2012-10-21   pf.phpnuke dot .org      188.165.2.127      178.32.28.133      94.23.168.5   ASN for all three IPs 16276
   hxtp://pf.phpnuke.org/s/2/6/26887-660901-mirc.exe?iv=2012090216
See: http://urlquery.net/report.php?id=243207

polonus

[Pondus]

it should have been 8...as Norman also detect it as winpe/Zulu.CX
and Malwarebytes as PUP:Bundleinstaller.PHP.....and not default marked for removal

[polonus]

Hi Pondus,

As always thanks for your additional scan info. Good thing to hear that detection for this PUP is growing,

polonus