Author Topic: Another fake-av site detected.. (Read 55276 times)

Gargamel360 · « **Reply #60 on:** April 20, 2011, 06:11:06 AM »

Quote from: Krelnadi on April 20, 2011, 06:03:08 AM

I wonder if the people doing the fake AV sites are looking on this forum, seems odd the links go down as soon as someone mentions them,

Most likely it would be gone regardless of what is posted here.

People behind these rogues are criminal ***wipes to whom I would love to introduce my self (in the most physical manner possible).

I'd love to call them stupid, but that would be false. They are savvy, and know how to stay on the move.

Krelnadi · « **Reply #61 on:** April 20, 2011, 06:53:45 AM »

It looks like it is the same people. The "Scare" site always shows up as the same and tries to get you to install a program called Antispy2011.exe

I got no idea which Ad/Banners are doing it though

Coolmario88 · « **Reply #62 on:** April 20, 2011, 09:06:10 AM »

I went to the link again to see if it was down or up.. and it is up.. but the virus tried to install on my pc! but avast blocked the virus from downloading! Thank you so much avast!

polonus · « **Reply #63 on:** April 25, 2011, 04:02:54 PM »

Hi folks,

This one also not detected at VT:
hxtp://antivirus-program-2011.ce.ms/fast-scan
VT scan: http://www.virustotal.com/url-scan/report.html?id=9fa26859f2d3ca0d5485e60aeecf622f-1303732030
VT file scan:
http://www.virustotal.com/file-scan/report.html?id=8445f95b1231d462f181ce570023c501a3046a571e224947757d886f6f8095e1-1303739616
Strange to be found benign here: http://wepawet.iseclab.org/view.php?hash=9fa26859f2d3ca0d5485e60aeecf622f&t=1303739892&type=js
obfuscated and wrapped-protected online (see big chunk of obfuscated code)

see WOT warning: http://www.webutation.net/go/review/antivirus-program-2011.ce.ms

polonus

Pondus · « **Reply #64 on:** April 25, 2011, 05:04:13 PM »

Quote from: polonus on April 25, 2011, 04:02:54 PM

Hi folks,

This one also not detected at VT:
hxtp://antivirus-program-2011.ce.ms/fast-scan
VT scan: http://www.virustotal.com/url-scan/report.html?id=9fa26859f2d3ca0d5485e60aeecf622f-1303732030
VT file scan:
http://www.virustotal.com/file-scan/report.html?id=8445f95b1231d462f181ce570023c501a3046a571e224947757d886f6f8095e1-1303739616
Strange to be found benign here: http://wepawet.iseclab.org/view.php?hash=9fa26859f2d3ca0d5485e60aeecf622f&t=1303739892&type=js
obfuscated and wrapped-protected online (see big chunk of obfuscated code)

see WOT warning: http://www.webutation.net/go/review/antivirus-program-2011.ce.ms

polonus

and the Rogue is only detected by Prevx
http://www.virustotal.com/file-scan/report.html?id=9e05babb97a2bc788887e8c7fe63a8c3be1e12d6a89adb4102ca4f0825fa937e-1303743574

Malwarebytes detect it as - Trojan.FakeAlert.PGen

sample sendt avast

and SUPERAntiSpyware

polonus · « **Reply #65 on:** April 25, 2011, 05:12:03 PM »

Hi Pondus,

We are right on it, man, Kaspersky now also detects this as HEUR:Trojan.Win32.Generic,
see for the newer scan results:
http://www.virustotal.com/file-scan/report.html?id=9e05babb97a2bc788887e8c7fe63a8c3be1e12d6a89adb4102ca4f0825fa937e-1303743685 2 /42 (4.8%)

pol

P.S. We need to have this detection added, because this malware is destructive to system 32 files and then computer will not start up anymore, meaning a re-install,

D

Pondus · « **Reply #66 on:** April 25, 2011, 05:25:30 PM »

and Norman but signature is not released yet - Already detected as W32/Crypt.AVFO

polonus · « **Reply #67 on:** April 26, 2011, 07:39:49 PM »

Hi Pondus,

Another one not detected by avast and norman:
Fave av at hxtp://getip-string02.tk/
VT scan: http://www.virustotal.com/url-scan/report.html?id=7e7ce8aa583331ce372ae657dae41a69-1303831762
detected by Bitdefender...
VT file scan: http://www.virustotal.com/file-scan/report.html?id=465186de9157139f2197a618cda2c461790fa5c52ec3ab68dcc114deb180f7df-1303839353 3/ 41 (7.3%)

polonus

Pondus · « **Reply #68 on:** April 26, 2011, 07:49:42 PM »

and not detected by Malwarebytes

will send sample

EDIT: the rogue is detected by avast

http://www.virustotal.com/file-scan/report.html?id=779abf32ddcad236c09d9937b988332ee4631990a76cd1ac7ca0087a4e9dc08d-1303839832

polonus · « **Reply #69 on:** April 27, 2011, 12:25:06 AM »

Is this a fake av? Scanned here: http://wepawet.iseclab.org/view.php?hash=3387298540e82cf340508865a49b26b8&t=1303856097&type=js

VT url analysis: http://www.virustotal.com/url-scan/report.html?id=3387298540e82cf340508865a49b26b8-1303849006

VT file analysis: http://www.virustotal.com/file-scan/report.html?id=4193f2ef35f027d3947705aab2aa6f8e8aeb84220d9383123d3f48f063ed0da3-1303856209 not detected

See: http://vscan.urlvoid.com/file/bdd6fcfdfc7b324724e5a101c7c3b908/YWxlcnRzLWNsaWVudC1hbGVydHNjbGllbnQtc2gt/

Detected as dangerous site on 3 instances: http://www.urlvoid.com/scan/instantspywareremoval.com

polonus

Coolmario88 · « **Reply #70 on:** April 27, 2011, 12:55:11 AM »

Quote from: polonus on April 27, 2011, 12:25:06 AM

Is this a fake av? Scanned here: http://wepawet.iseclab.org/view.php?hash=3387298540e82cf340508865a49b26b8&t=1303856097&type=js

VT url analysis: http://www.virustotal.com/url-scan/report.html?id=3387298540e82cf340508865a49b26b8-1303849006

VT file analysis: http://www.virustotal.com/file-scan/report.html?id=4193f2ef35f027d3947705aab2aa6f8e8aeb84220d9383123d3f48f063ed0da3-1303856209 not detected

See: http://vscan.urlvoid.com/file/bdd6fcfdfc7b324724e5a101c7c3b908/YWxlcnRzLWNsaWVudC1hbGVydHNjbGllbnQtc2gt/

Detected as dangerous site on 3 instances: http://www.urlvoid.com/scan/instantspywareremoval.com

polonus

Polonus I have a quick question.. If i got a pop up to donwload the program on instantspywareremoval does that mean i have a virus? or is the program safe?

Coolmario88 · « **Reply #71 on:** April 27, 2011, 01:02:19 AM »

Quote from: polonus on April 27, 2011, 12:25:06 AM

Is this a fake av? Scanned here: http://wepawet.iseclab.org/view.php?hash=3387298540e82cf340508865a49b26b8&t=1303856097&type=js

VT url analysis: http://www.virustotal.com/url-scan/report.html?id=3387298540e82cf340508865a49b26b8-1303849006

VT file analysis: http://www.virustotal.com/file-scan/report.html?id=4193f2ef35f027d3947705aab2aa6f8e8aeb84220d9383123d3f48f063ed0da3-1303856209 not detected

See: http://vscan.urlvoid.com/file/bdd6fcfdfc7b324724e5a101c7c3b908/YWxlcnRzLWNsaWVudC1hbGVydHNjbGllbnQtc2gt/

Detected as dangerous site on 3 instances: http://www.urlvoid.com/scan/instantspywareremoval.com

polonus

The Website you listed looks like it wants people to download PCSafeDoctor. I searched google and found a website that has PCSafedoctor on it also. hxxp://www.pcsafedoctor.com/ I wonder if the program is malware or Not

Pondus · « **Reply #72 on:** April 27, 2011, 01:42:23 AM »

you may ask in Malwarebytes form....they usually know...if not they are quick to find out

polonus · « **Reply #73 on:** April 27, 2011, 01:21:59 PM »

Concerning pcsafedoctor, re: http://www.mywot.com/en/forum/11030-pcsafedoctor

polonus

Coolmario88 · « **Reply #74 on:** April 27, 2011, 05:17:16 PM »

My friend on twitter Asked @Microsofthelps about instantspywareremoval site and Here is their tweet about the program.
http://twitter.com/#!/MicrosoftHelps/status/63258439857602560

Author Topic: Another fake-av site detected.. (Read 55276 times)

Gargamel360

Re: Another fake-av site detected..

Krelnadi

Re: Another fake-av site detected..

Coolmario88

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Coolmario88

Re: Another fake-av site detected..

Coolmario88

Re: Another fake-av site detected..

Pondus

Re: Another fake-av site detected..

polonus

Re: Another fake-av site detected..

Coolmario88

Re: Another fake-av site detected..