Download Link:
hxxp://www.antispyshield.com/download.php?advid=177
hxxp://managedns404.com/ie6

File Name: AntiSpywareShieldSetup.exe

VirusTotal Result: 14/32 (43.75%)
AntiVir             7.8.0.8        2008.04.21   ADSPY/AdSpy.Gen
Avast               4.8.1169.0     2008.04.21   Win32:FraudLoad-P
AVG                 7.5.0.516      2008.04.21   Adware Generic3.BTK
BitDefender         7.2            2008.04.21   Adware.SpySheriff.KM
CAT-QuickHeal       9.50           2008.04.19   Trojan.AntiSpy.gen
F-Prot              4.4.2.54       2008.04.20   W32/SpySher.AW
F-Secure            6.70.13260.0   2008.04.21   Trojan-Downloader.Win32.FraudLoad.oj
Ikarus              T3.1.1.26.0    2008.04.21   Trojan-Downloader.Win32.FraudLoad.oj
Kaspersky           7.0.0.125      2008.04.21   Trojan-Downloader.Win32.FraudLoad.oj
NOD32v2             3043           2008.04.21   a variant of Win32/Adware.SpySheriff
Prevx1              V2             2008.04.21   AntiSpywareShield:Spyware-a
Symantec            10             2008.04.21   AntiSpywareShield
VirusBuster         4.3.26:9       2008.04.21   Trojan.DL.FraudLoad.I
Webwasher-Gateway   6.6.2          2008.04.21   Ad-Spyware.AdSpy.Gen

Only the 14 engines that flagged the file are listed. The names split into two groups that describe the same thing from two angles: FraudLoad (a trojan-downloader) for what this stub does, and SpySheriff/AdSpy (rogue antispyware) for what it installs.

File Info:
File size: 53760 bytes
MD5...: 553596164aeec2c98d52bd20ae7d05d4
SHA1..: 955ea627e2295514a66590d795ffee59b0987620
SHA256: 7d29f9070de9873ba3c978ac0547547b8a156283668ca266f5febd75526d0c6f
SHA512: ae11f0a0e2a6f0426f0a6e570470668a57d8ee0ea6bd934df8fad692a1e3b94022365de074e1794ce4ebf02d58ad5bf4fb9c10f05116b8ea11b610f23b56df7a

***** PE Header ****************************************************
Signature:                     00004550
Machine:                       014C - Intel 386
Number of sections:            0003
Time/Date stamp:               4804D348
Pointer to symbol table:       00000000
Number of symbols:             00000000
Size of optional header:       00E0
Characteristics:               010F
Magic:                         010B
Linker version (major):        06
Linker version (minor):        00
Size of code:                  00004E00
Size of initialized data:      00008800
Size of uninitialized data:    00000000
Address of entry point:        00003004
Base of code:                  00001000
Base of data:                  00006000
Image base:                    00400000
Section alignment:             00001000
File alignment:                00000200
OS version (major):            0004
OS version (minor):            0000
Image version (major):         0000
Image version (minor):         0000
Sub system version (major):    0004
Sub system version (minor):    0000
Win32 version:                 00000000
Size of image:                 00010000
Size of headers:               00000400
Checksum:                      00000000
Sub system:                    0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics:           0000
Size of stack reserve:         00100000
Size of stack commit:          00001000
Size of heap reserve:          00100000
Size of heap commit:           00001000
Loader flags:                  00000000
Number of RVA:                 00000010

***** PE Sections **************************************************
Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
.text     00004C96   00001000   00004E00   00000400   E0040020
.data     00001278   00006000   00000C00   00005200   C0000040
.rsrc     00007348   00008000   00007400   00005E00   40000040

***** PE Structure *************************************************
entrypointaddress.: 0x403004
timedatestamp.....: 0x4804d348 (Tue Apr 15 16:09:44 2008)
machinetype.......: 0x14c (I386)

Notes on the header: the entry point (RVA 0x3004, VA 0x403004) lies inside .text (RVA 0x1000-0x5C96), the image is a plain PE32 built with linker version 6.0 (the Visual C++ 6 toolchain), and the checksum is unset, which is normal for a user-mode executable. The .text flags E0040020 decode to CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE, i.e. a writable code section; default compiler/linker output does not produce that, so it is worth a look for unpacking or self-modifying code. The build timestamp (15 April 2008, UTC) is six days before the VirusTotal scan date, so the stub was compiled shortly before it was distributed.

***** Imports ******************************************************
> KERNEL32.dll: Sleep, GetVolumeInformationA, CreateThread, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, LoadLibraryA, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, ExitProcess, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, WideCharToMultiByte, CreateDirectoryA, CreateFileA, WriteFile, CloseHandle, FreeEnvironmentStringsW, FreeEnvironmentStringsA, GetModuleFileNameA, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStringTypeW, RtlUnwind, WinExec, HeapAlloc, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, HeapDestroy, HeapCreate, VirtualFree, HeapFree, VirtualAlloc
> USER32.dll: CopyRect, IsChild, IsWindowVisible, SendMessageA, EnableWindow, SetWindowTextA, MessageBoxA, DialogBoxParamA, GetParent, GetDesktopWindow, GetWindowRect, GetDlgItem, OffsetRect, SetWindowPos, wsprintfA
> ADVAPI32.dll: RegCreateKeyExA, RegQueryValueExA, RegCloseKey
> WSOCK32.dll: seven imports with no names (listed as "-, -, -, -, -, -, -" in the dump; WSOCK32 is normally imported by ordinal)
> COMCTL32.dll: InitCommonControlsEx

The import table is small and matches the behaviour recorded below: WSOCK32 for the download, CreateDirectoryA/CreateFileA/WriteFile to drop the fetched installer, WinExec to launch it, RegCreateKeyExA/RegQueryValueExA for the registry entries, LoadLibraryA/GetProcAddress for anything resolved at run time, and GetVolumeInformationA, which is typically used to read the volume serial number as a machine identifier. Most of the rest of the KERNEL32 list (GetStringTypeA, LCMapString*, GetACP, GetCPInfo, HeapCreate, GetStartupInfoA, GetCommandLineA, RtlUnwind, UnhandledExceptionFilter) is the statically linked C runtime, not sample logic.

Process Details:
The details below were captured from the installed program AntiSpywareShield.exe (PID 1000), not from the 53 KB setup stub (PID 2016 in the network trace further down).

Process: AntiSpywareShield.exe   Pid: 1000
Handles:
\Default
\BaseNamedObjects
\KnownDlls
\Windows
\BaseNamedObjects\AntiSpywareShield
\BaseNamedObjects\crypt32LogoffEvent
\BaseNamedObjects\userenv: User Profile setup event

File Accessed:
\Device\Afd\Endpoint
\Device\KsecDD
\Device\Tcp
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LSLV2TOT
C:\Program Files\AntiSpywareShield
C:\WINDOWS
C:\WINDOWS\system32\drivers\etc
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82

The \Device\Afd\Endpoint and \Device\Tcp handles show that the installed program does its own network I/O, not just the setup stub. The access to C:\WINDOWS\system32\drivers\etc (the directory holding the hosts file) is worth checking for hosts-file tampering, but the trace records only that the directory was opened, not that anything in it was written.

Mutant:
\BaseNamedObjects\ContentFilter_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\ContentIndex_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\ISAPISearch_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\MSDTC_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\mvmkgnevfnei_1000
\BaseNamedObjects\ovmkgnevfnei_1000
\BaseNamedObjects\PerfDisk_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\PerfNet_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\PerfOS_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\PerfProc_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\PSched_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\RemoteAccess_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\RSVP_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\Spooler_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\TapiSrv_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\Tcpip_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\TermService_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\WmiApRpl_Perf_Library_Lock_PID_3e8
\BaseNamedObjects\__R_00000000001a_SMem__
\BaseNamedObjects\Perflib_Perfdata_3e8

Semaphore:
\BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
\BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
\BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}

Most of these named objects are not indicators of this sample. The *_Perf_Library_Lock_PID_3e8 and Perflib_Perfdata_3e8 mutants are created by the Windows performance-counter library for the process (3e8 is PID 1000 in hex), and the crypt32/userenv events and the shell.{...} semaphores come from system DLLs loaded into it. The names that do identify the sample are \BaseNamedObjects\AntiSpywareShield (the usual single-instance check) and the pair mvmkgnevfnei_1000 / ovmkgnevfnei_1000, whose _1000 suffix equals the process's PID; a signature for those should match the prefix, not the full name.

Thread:
AntiSpywareShield.exe(1000): 116, 196, 200, 428, 840, 932, 940, 1164, 1168, 1196, 1880, 1944, 2020, 2024, 2032 (15 threads)

Files Created:
--------------
C:\Documents and Settings\Administrator\Desktop\AntiSpywareShield.lnk                               2KB
C:\Documents and Settings\Administrator\Start Menu\Programs\AntiSpywareShield                       1KB
C:\Documents and Settings\Administrator\Start Menu\Programs\AntiSpywareShield\AntiSpywareShield.lnk 2KB
C:\Documents and Settings\Administrator\Start Menu\Programs\AntiSpywareShield\Uninstall.lnk         2KB
C:\Program Files\AntiSpywareShield                                                                  1KB
C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe                                            442KB
C:\Program Files\AntiSpywareShield\AntiSpywareShield.lic                                            1KB
C:\Program Files\AntiSpywareShield\AntiSpywareShield0.ad                                            411KB
C:\Program Files\AntiSpywareShield\AntiSpywareShield0.dll                                           58KB
C:\Program Files\AntiSpywareShield\AntiSpywareShield1.ad                                            34KB
C:\Program Files\AntiSpywareShield\AntiSpywareShield1.dll                                           46KB
C:\Program Files\AntiSpywareShield\AntiSpywareShield3.dll                                           41KB
C:\Program Files\AntiSpywareShield\Uninstall.exe                                                    128KB

Registry Entries Created:
-------------------------
HKEY_CURRENT_USER\Software\AntiSpywareShield
    AutomaticStartup       dword:00000001
    EnableScheduledScan    dword:00000001
    HScheduledScan         dword:00000001
    MScheduledScan         dword:00000001
    PreviousMark           dword:00000002
    Uninstall              "C:\Program Files\AntiSpywareShield"
    Previous               hex:70,24,df,c1,68,a4,c8,01
HKEY_CURRENT_USER\Software\AntiSpywareShield\Scan
    AutomaticDeletion      dword:00000000
HKEY_CURRENT_USER\Software\AntiSpywareShield\Updates
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    AntiSpywareShield      "C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareShield
    DisplayIcon            "C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe"
    DisplayName            "AntiSpywareShield"
    URLInfoAbout           "hxxp://www.AntiSpyShield.com/"
    HelpLink               "hxxp://www.AntiSpyShield.com/"
    UninstallString        "C:\Program Files\AntiSpywareShield\Uninstall.exe"

The HKEY_USERS entries that follow are the same keys seen a second time under their canonical path. HKEY_CURRENT_USER is a view of HKEY_USERS\<SID of the logged-on user>, and S-1-5-21-1417001333-1343024091-1957994488-500 (RID 500) is the built-in Administrator account whose profile the shortcuts above were written to. They are not a second set of keys, so removal or detection logic needs only one of the two spellings.

HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\AntiSpywareShield
    AutomaticStartup       dword:00000001
    EnableScheduledScan    dword:00000001
    HScheduledScan         dword:00000001
    MScheduledScan         dword:00000001
    PreviousMark           dword:00000002
    Uninstall              "C:\Program Files\AntiSpywareShield"
    Previous               hex:70,24,df,c1,68,a4,c8,01
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\AntiSpywareShield\Scan
    AutomaticDeletion      dword:00000000
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\AntiSpywareShield\Updates
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Internet Explorer\Search
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Run
    AntiSpywareShield      "C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe"

Persistence is the single Run value above, which starts AntiSpywareShield.exe at every logon of this user; the HKLM Uninstall key gives the program an Add/Remove Programs entry so that it looks like ordinary software. The 8-byte Previous value, read little-endian, is 0x01C8A468C1DF2470, which decodes as a FILETIME to 22 April 2008 (UTC), presumably the time of the last scan or of installation; the page does not say what the value records.

Network Activity:
2016  AntiSpywareShieldSetup  ->  1241 TCP  E:\Infected\AntiSpywareShieldSetup.exe

The 53,760-byte AntiSpywareShieldSetup.exe (PID 2016) is only a stub: it connects out, downloads the actual installer and installs the rogue antispyware. The 442 KB AntiSpywareShield.exe and the companion files under Files Created are fetched over this connection rather than carried in the stub, which is consistent with the FraudLoad (trojan-downloader) names several engines assign and with the WSOCK32, CreateFileA/WriteFile and WinExec imports above. The trace line does not show the remote address.

Extra Info:
The link hxxp://managedns404.com/ie6 serves a fake "The page cannot be displayed" error. It reproduces the genuine Internet Explorer help text for that error with two extra bullets, the first and the last, pointing at the download:

Please try the following:
* Install AntiSpyware Shield software to clean your PC.
* If you typed the page address in the Address bar, make sure that it is spelled correctly.
* To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
* If your Network Administrator has enabled it, Microsoft Windows can examine your network and automatically discover network connection settings. If you would like Windows to try and discover them, click Detect Network Settings.
* Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
* If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
* Download AntiSpyware Shield to remove spyware and adware threats.

The page also imitates IE's Information Bar (the yellow notice bar shown below the address bar) and places a link to the AntiSpyware Shield download in it, with the warning:

The page you are looking for is probably blocked by adware/spyware on your PC. Remove it with AntiSpyware Shield software. Click here.

Clicking any of the links in the fake error message downloads AntiSpywareShieldSetup.exe. The giveaway is that a genuine "page cannot be displayed" page is rendered by the browser from a local resource and contains no download links, whereas this one is ordinary web content returned by the server, so the "error" appears no matter what the visitor's connectivity actually is.
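The PE Header and PE Sections blocks above are what a PE parser reads out of the first few hundred bytes of the file. The Python below is an added example, not code from the original analysis: a standard-library-only parser for the PE32 file header, optional header and section table, exercised on a header reconstructed from the values the report lists. The input it builds is constructed for the example (it is not the real AntiSpywareShieldSetup.exe, and section bodies are absent). It converts the TimeDateStamp, finds the section containing the entry point, maps an RVA to a file offset, and flags the writable .text section and the unset checksum.

```python
"""Minimal PE32 header parser (stdlib only), run on headers rebuilt from the report."""
import struct
from datetime import datetime, timezone

# Section characteristic bits (winnt.h IMAGE_SCN_*), enough to judge a section's role.
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}


def build_sample_headers():
    """Constructed test input: MZ stub, PE signature, file header, PE32 optional
    header and three section headers, using the numbers from the report."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 3, 0x4804D348, 0, 0, 0xE0, 0x010F)
    opt_hdr = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x010B, 6, 0,                        # Magic (PE32), linker 6.0
        0x4E00, 0x8800, 0,                   # SizeOfCode / InitializedData / UninitializedData
        0x3004, 0x1000, 0x6000,              # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,             # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                    # OS / image / subsystem versions
        0,                                   # Win32VersionValue
        0x10000, 0x400, 0,                   # SizeOfImage, SizeOfHeaders, CheckSum (unset)
        2, 0,                                # Subsystem GUI, DllCharacteristics (none)
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, 16,                               # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\0" * 128                          # 16 empty data directories
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raddr, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, rsize, raddr, flags in (
            (b".text", 0x4C96, 0x1000, 0x4E00, 0x0400, 0xE0040020),
            (b".data", 0x1278, 0x6000, 0x0C00, 0x5200, 0xC0000040),
            (b".rsrc", 0x7348, 0x8000, 0x7400, 0x5E00, 0x40000040),
        )
    )
    return dos + b"PE\0\0" + file_hdr + opt_hdr + sections


def decode_flags(value):
    return [name for bit, name in sorted(SCN_FLAGS.items()) if value & bit]


def parse_pe(data):
    """Return the header fields an analyst looks at first; raise ValueError if not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20
    if struct.unpack_from("<H", data, oh)[0] != 0x010B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    checksum = struct.unpack_from("<I", data, oh + 64)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, raddr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, oh + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raddr": raddr, "rsize": rsize,
                         "flags": decode_flags(flags)})
    return {"machine": machine, "characteristics": chars,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "entry_rva": entry_rva, "entry_va": image_base + entry_rva, "checksum": checksum,
            "subsystem": subsystem, "dll_characteristics": dll_chars, "sections": sections}


def section_for_rva(info, rva):
    """Name of the section whose virtual range holds rva, or None if it is outside all of them."""
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def rva_to_file_offset(info, rva):
    """Map an RVA to a raw file offset through the section table (None if not file-backed)."""
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + s["rsize"]:
            return rva - s["vaddr"] + s["raddr"]
    return None


def notable(info):
    """Quick header checks that deserve a second look."""
    out = [f"{s['name']} is writable and executable" for s in info["sections"]
           if "MEM_WRITE" in s["flags"] and "MEM_EXECUTE" in s["flags"]]
    if info["checksum"] == 0:
        out.append("CheckSum is 0 (not set)")
    if section_for_rva(info, info["entry_rva"]) is None:
        out.append("entry point lies outside every section")
    return out


if __name__ == "__main__":
    info = parse_pe(build_sample_headers())
    print(info["timestamp"], hex(info["entry_va"]), section_for_rva(info, info["entry_rva"]))
    for line in notable(info):
        print("-", line)
```

Run against a real file, replace build_sample_headers() with open(path, "rb").read(); the parser only touches the headers, so a truncated or packed file still yields the section table, which is what you need to decide where the entry point lands before loading anything.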
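The Files Created and Registry Entries Created lists above describe the installer's persistence: an executable dropped into C:\Program Files\AntiSpywareShield and a Run value pointing at it, recorded once under HKEY_CURRENT_USER and once under HKEY_USERS\<SID>. The Python below is an added example, not part of the original report or of any sandbox's output. It parses a constructed key=value event trace whose paths, keys and values are copied from those lists, normalises the hive names so the two spellings of one key collapse into one, flags a process that both drops a file and registers it for autostart, and decodes the REG_BINARY Previous value as a FILETIME (an assumption about that value; the page does not say what it records).

```python
"""Correlate dropped files with Run-key persistence and decode a REG_BINARY FILETIME.

EVENTS is a constructed, simplified key=value trace (not the output of any real
sandbox); its paths, keys and values are copied from the report's Files Created and
Registry Entries Created lists.
"""
import re
from datetime import datetime, timedelta, timezone

EVENTS = r'''
pid=2016 image=AntiSpywareShieldSetup.exe op=FileCreate path="C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe"
pid=2016 image=AntiSpywareShieldSetup.exe op=FileCreate path="C:\Program Files\AntiSpywareShield\Uninstall.exe"
pid=2016 image=AntiSpywareShieldSetup.exe op=RegSetValue key="HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Run" name=AntiSpywareShield data="C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe"
pid=2016 image=AntiSpywareShieldSetup.exe op=RegSetValue key="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" name=AntiSpywareShield data="C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe"
pid=2016 image=AntiSpywareShieldSetup.exe op=RegSetValue key="HKEY_CURRENT_USER\Software\AntiSpywareShield" name=Previous data=hex:70,24,df,c1,68,a4,c8,01
pid=1000 image=AntiSpywareShield.exe op=RegSetValue key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpywareShield" name=UninstallString data="C:\Program Files\AntiSpywareShield\Uninstall.exe"
'''

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Any S-1-5-21-... user hive under HKEY_USERS is treated as the current user. This assumes
# a single interactive user, which holds for a sandbox run like the one in the report.
USER_HIVE = re.compile(r'^HKEY_USERS\\S-1-5-21-[0-9-]+(?=\\)', re.I)
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    events = []
    for line in text.strip().splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in TOKEN.finditer(line)}
        if fields:
            events.append(fields)
    return events


def normalize_key(key):
    """HKEY_CURRENT_USER is a view of HKEY_USERS\\<SID>; collapse both to HKCU so the
    same key logged under either spelling compares equal."""
    key = USER_HIVE.sub("HKCU", key)
    key = re.sub(r'^HKEY_CURRENT_USER(?=\\)', "HKCU", key, flags=re.I)
    key = re.sub(r'^HKEY_LOCAL_MACHINE(?=\\)', "HKLM", key, flags=re.I)
    return key


def correlate(events):
    """Alert on Run/RunOnce values whose target is a file some process in the trace
    created; the strongest case is the creating process registering its own drop."""
    created = {}                          # lowercase path -> pid that created it
    seen, alerts = set(), []
    for ev in events:
        if ev.get("op") == "FileCreate":
            created[ev["path"].lower()] = ev["pid"]
        elif ev.get("op") == "RegSetValue":
            key = normalize_key(ev["key"])
            if not RUN_KEY.search(key):
                continue
            target = ev["data"].strip('"').lower()
            ident = (key.lower(), ev["name"].lower(), target)
            if ident in seen:             # HKCU and HKU\<SID> spellings of one write
                continue
            seen.add(ident)
            if target in created:
                who = "itself" if created[target] == ev["pid"] else f"pid {created[target]}"
                alerts.append(f"pid {ev['pid']} ({ev['image']}) registered {key}\\{ev['name']} "
                              f"-> {ev['data']}, a file dropped by {who}")
    return alerts


def filetime_to_datetime(reg_value):
    """Decode a REG_BINARY written as 'hex:70,24,df,c1,68,a4,c8,01' as a little-endian
    FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    raw = bytes(int(b, 16) for b in reg_value.split(":", 1)[-1].strip(",").split(","))
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for alert in correlate(evs):
        print(alert)
    prev = next(e for e in evs if e.get("name") == "Previous")["data"]
    print("Previous =", filetime_to_datetime(prev).isoformat())
```

The dedup step is the point of the hive normalisation: without it the trace above would raise two alerts for what is one registry write, and a rule that counts Run-key writes per process would be off by a factor of two on every sandbox that logs both spellings.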